Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. nsp>
  3. juniper
netflow config clue needed
randy at psg
Sep 6, 2003, 6:07 PM
Post #1 of 5 (971 views)
Permalink
having trouble exporting flow data.

'tcpdump -i xx port 20666' on the host foo.bar shows no packets
inbound.

config is


forwarding-options {
monitoring foo-cflow {
family inet {
output {
cflowd foo.bar port 20666;
export-format cflowd-version-5;
interface so-0/1/0 {
source-address 666.42.7.11;
}
interface fe-0/0/2 {
source-address 666.42.7.11;
}
}
}
}
}


fe-0/0/2 {
...
unit 0 {
family inet {
...
address 11.7.42.666/30;
sampling {
input;
output;
}
}
}
}


so-0/1/0 {
...
unit 0 {
...
address 11.7.666.42/30;
sampling {
input;
output;
}
}
}
}


and searching the juniper web site did not help, nor did google.
though i admit i am not a search term expert (just because i
helped build the highway does not mean i can drive a car:-).

randy
netflow config clue needed [ In reply to ]
plonka at doit
Sep 7, 2003, 12:09 AM
Post #2 of 5 (956 views)
Permalink
Randy,

There is an example of how we configure sampling and cflowd version 5
export under JUNOS in the FlowScan mailing list archive here:

http://net.doit.wisc.edu/~plonka/list/flowscan/archive/0792.html

It's been working well for us by using the "sample" directive in
firewall filters, as in:

firewall {
filter CampusIO {
term all {
then {
sample;
accept;
}
}
}
}

That is we essentially apply that filter on every interface that we
want forwared traffic to be sampled.

I've never tried the method you showed below, using a sample stanza
within the sub-interface definition.

Dave

On Sat, Sep 06, 2003 at 03:07:02PM -0700, Randy Bush wrote:
> having trouble exporting flow data.
>
> 'tcpdump -i xx port 20666' on the host foo.bar shows no packets
> inbound.
>
> config is
>
>
> forwarding-options {
> monitoring foo-cflow {
> family inet {
> output {
> cflowd foo.bar port 20666;
> export-format cflowd-version-5;
> interface so-0/1/0 {
> source-address 666.42.7.11;
> }
> interface fe-0/0/2 {
> source-address 666.42.7.11;
> }
> }
> }
> }
> }
>
>
> fe-0/0/2 {
> ...
> unit 0 {
> family inet {
> ...
> address 11.7.42.666/30;
> sampling {
> input;
> output;
> }
> }
> }
> }
>
>
> so-0/1/0 {
> ...
> unit 0 {
> ...
> address 11.7.666.42/30;
> sampling {
> input;
> output;
> }
> }
> }
> }
>
>
> and searching the juniper web site did not help, nor did google.
> though i admit i am not a search term expert (just because i
> helped build the highway does not mean i can drive a car:-).
>
> randy
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp

--
plonka@doit.wisc.edu http://net.doit.wisc.edu/~plonka ARS:N9HZF Madison, WI
netflow config clue needed [ In reply to ]
randy at psg
Sep 7, 2003, 1:11 AM
Post #3 of 5 (954 views)
Permalink
> firewall {
> filter CampusIO {
> term all {
> then {
> sample;
> accept;
> }
> }
> }
> }

this approximates what i changed to and it works. as i already
had an edge firewall filter to keep my own address space on the
right side of the edge, i just added to the ruleset.

> I've never tried the method you showed below, using a sample stanza
> within the sub-interface definition.

came off the juniper web site. :-(

randy
netflow config clue needed [ In reply to ]
pekkas at netcore
Sep 7, 2003, 9:58 AM
Post #4 of 5 (948 views)
Permalink
On Sat, 6 Sep 2003, Randy Bush wrote:
> > firewall {
> > filter CampusIO {
> > term all {
> > then {
> > sample;
> > accept;
> > }
> > }
> > }
> > }
>
> this approximates what i changed to and it works. as i already
> had an edge firewall filter to keep my own address space on the
> right side of the edge, i just added to the ruleset.

That's how we do it too.

> > I've never tried the method you showed below, using a sample stanza
> > within the sub-interface definition.
>
> came off the juniper web site. :-(

I think the "interface sampling" only works for specific interfaces only,
namely monitoring services PIC and adaptive services PIC.

Allowing it to be configured on your regular interfaces is likely a bug..

--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
netflow config clue needed [ In reply to ]
hannes at juniper
Sep 7, 2003, 5:39 PM
Post #5 of 5 (961 views)
Permalink
On Sat, Sep 06, 2003 at 03:07:02PM -0700, Randy Bush wrote:
| having trouble exporting flow data.
|
| 'tcpdump -i xx port 20666' on the host foo.bar shows no packets
| inbound.

randy,

watch out - inbound BPF expressions do not work as the FPC removes
the link layer headers and hence the offset pointing to the port
field is calculated wrong;

/hannes

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal