This is currently specific to a Juniper MX204 with the nfdump toolkit.
chassis {
    fpc 0 {
        sampling-instance default;
        inline-services {
            flow-table-size {
                ipv4-flow-table-size 10;
                ipv6-flow-table-size 5;
            }
        }
    }
}
services {
    flow-monitoring {
        version-ipfix {
            template v4 {
                ipv4-template;
            }
            template v6 {
                ipv6-template;
            }
        }
    }
}
forwarding-options {
    sampling {
        sample-once;
        instance {
            default {
                input {
                    rate 100;
                }
                family inet {
                    output {
                        flow-server 192.0.2.1 {
                            port 9995;
                            version-ipfix {
                                template {
                                    v4;
                                }
                            }
                        }
                        inline-jflow {
                            source-address 198.51.100.1;
                        }
                    }
                }
                family inet6 {
                    output {
                        flow-server 192.0.2.1 {
                            port 9995;
                            version-ipfix {
                                template {
                                    v6;
                                }
                            }
                        }
                        inline-jflow {
                            source-address 198.51.100.1;
                        }
                    }
                }
            }
        }
    }
}
# measurement filters are best placed first in the interface's filter input-list
firewall {
    family inet {
        filter measurement-v4 {
            interface-specific;
            # ...
            term default {
                then {
                    count packets;
                    sample;
                    next term;
                }
            }
            # ...
        }
    }
    family inet6 {
        filter measurement-v6 {
            interface-specific;
            # ...
            term default {
                then {
                    count packets;
                    sample;
                    next term;
                }
            }
            # ...
        }
    }
}
- flow export statistics:
show services accounting flow inline-jflow fpc-slot 0
- flow export status:
show services accounting status inline-jflow fpc-slot 0
- flow export errors:
show services accounting errors inline-jflow fpc-slot 0
- clear flow state:
clear services accounting flow inline-jflow fpc-slot 0
- show routing engine CPU, memory, and related state:
show chassis routing-engine
- show FPC CPU, memory, and related state:
show chassis fpc
See notes below for a deeper look at flow table sizing information and FPC detail.
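Added example (not part of the original page or of the nfdump project): when the export status looks healthy but the collector shows nothing, decoding the IPFIX message header and template sets (RFC 7011) from a datagram captured on port 9995 confirms what the router is actually sending. The function names and the sample message are constructed for illustration; every read is bounds-checked because a collector port receives unauthenticated UDP.

```python
import struct
TEMPLATE_SET_ID = 2  # RFC 7011, section 3.3.2

def _take(buf, pos, fmt):
    """Bounds-checked read: returns (unpacked values, new position)."""
    end = pos + struct.calcsize(fmt)
    if end > len(buf):
        raise ValueError("truncated IPFIX structure")
    return struct.unpack_from(fmt, buf, pos), end

def parse_template_set(body):
    """Decode template records into {template_id: [(ie_id, length, pen), ...]}."""
    out, pos = {}, 0
    while len(body) - pos >= 4:              # fewer than 4 bytes left is padding
        (tid, count), pos = _take(body, pos, "!HH")
        if tid < 256:                        # template IDs start at 256: padding
            break
        fields = []
        for _ in range(count):
            (ie, flen), pos = _take(body, pos, "!HH")
            pen = None
            if ie & 0x8000:                  # enterprise bit: 4-byte PEN follows
                (pen,), pos = _take(body, pos, "!I")
            fields.append((ie & 0x7FFF, flen, pen))
        out[tid] = fields
    return out

def parse_ipfix_templates(msg):
    """Validate the 16-byte message header, then walk the sets."""
    (version, length, export_time, seq, domain), off = _take(msg, 0, "!HHIII")
    if version != 10:
        raise ValueError(f"version {version} is not IPFIX (10)")
    if length != len(msg):
        raise ValueError("header length does not match datagram size")
    templates = {}
    while off < length:
        (set_id, set_len), body_start = _take(msg, off, "!HH")
        if set_len < 4 or off + set_len > length:
            raise ValueError("set length out of bounds")
        if set_id == TEMPLATE_SET_ID:
            templates.update(parse_template_set(msg[body_start:off + set_len]))
        off += set_len
    return {"export_time": export_time, "sequence": seq,
            "observation_domain": domain, "templates": templates}

# Constructed sample: template 256 with sourceIPv4Address (8),
# destinationIPv4Address (12) and packetDeltaCount (2).
_tmpl = struct.pack("!HH6H", 256, 3, 8, 4, 12, 4, 2, 8)
_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(_tmpl)) + _tmpl
SAMPLE = struct.pack("!HHIII", 10, 16 + len(_set), 1700000000, 0, 1) + _set
```

Data sets (set ID 256 and above) are skipped here; only the header and templates are decoded.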
- IETF RFC 5153 - IP Flow Information Export (IPFIX) Implementation Guidelines
- IETF RFC 5474 - A Framework for Packet Selection and Reporting
- IETF RFC 5655 - Specification of the IP Flow Information Export (IPFIX) File Format
- IETF RFC 7011 - Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information
- IETF RFC 7012 - Information Model for IP Flow Information Export (IPFIX)
- An introduction to IP flow information export (IPFIX) - Trammel, B., Boschi, E., IEEE Communications Magazine, Volume 49, Issue 4
- Flow Monitoring Explained: From Packet Capture to Data Analysis With NetFlow and IPFIX - Hofstede, R., et al., IEEE Communications Surveys & Tutorials, Volume 16, Issue 4
- Flow-Based Measurement: IPFIX Development and Deployment - Brownlee, Neil, IEICE Transactions on Communications, Volume E94-B, Number 8
- Measurement Artifacts in NetFlow Data - Hofstede, R., et al., PAM 2013
- A survey of network flow applications - Li, B., et al., Journal of Network and Computer Applications, March 2013
- Tracking incidents with NfSen - Haag, P., TNC 2008
- An Overview of IP Flow-Based Intrusion Detection - Sperotto, A., et al., IEEE Communications Surveys & Tutorials, 2010
- The Network Data Handling War: MySQL vs. NfDump - Hofstede, R., et al., EUNICE 2010
- IANA registry of IP Flow Information Export (IPFIX) Entities
- Junos Monitoring, Sampling, and Collection Services Interfaces Feature Guide
- Configuring Flow Aggregation to Use IPFIX Flow Templates on MX, vMX and T Series Routers, EX Series Switches and NFX250
- Junos flow-monitoring configuration documentation
- Configuring Traffic Sampling on MX, M and T Series Routers
- Configuring Inline Active Flow Monitoring Using Routers, Switches or NFX250
- Multiservices MIC and Multiservices MPC (MS-MIC and MS-MPC) Overview
- Router Flow Configs - router configuration guidance from Kentik
- Using NfSen - workshop presentation from NSRC
Juniper provided the following additional technical information about the flow tables and FPC support.
Flow table size is defined in blocks of 256*1024 flows. The memory is calculated differently. Sampled flow records are created and stored in hash tables stored in EDMEM and OMEM (Optional Memory):
- OMEM is used to store JFLOW information
- EDMEM is used as bucket memory (counters for the flows stored on OMEM)
OMEM is reserved for the hash table (record memory). Size is 256MB. Hash table size defines the maximum number of flows that might be recorded at any given time. For example, if you configure 15 blocks for IPv4, you will sample ~3.96 Mflows (256 * 1024 * 15). We have two mutually exclusive modes of flow table sizing:
- Manually specify per family flow table size.
  - Only one block is created with the sum of block sizes specified for all the families.
  - Separate space reserved for each family
- New knob “chassis fpc inline-services flex-flow-sizing”
  - 4M entries allocated to single flow table
  - Flows are added on a first-come-first-served basis
  - If flow table becomes full an error counter will be incremented
  - No separate space reserved for any family
In the following image, you will see the difference between the modes of flow table sizing: