Re: [j-nsp] inline-jflow monitoring

2019-01-09 Thread A. Camci
Hi all,

Thanks for supporting.

After the change of flow-table-size we now get to see flows on the GENIEATM
box.

result:
Received Flows/sec: 5126

 Flow information
FPC Slot: 0
Flow Packets: 42833914564, Flow Bytes: 37364742189748
Active Flows: 235206, Total Flows: 1015377662
Flows Exported: 674921468, Flow Packets Exported: 199134442
Flows Inactive Timed Out: 357574653, Flows Active Timed Out: 657564976
Total Flow Insert Count: 357812686

Fortunately, the FPC card has not been rebooted :)

regards

ap


Op wo 2 jan. 2019 om 17:06 schreef Aaron Gould :

> I recently did this on operational/live MX960's on my 100 gig mpls ring
> with
> no problem.  ...no service impact, no card reboots.
>
> set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 4
>
> I run...
>
> agould@960> show system information
> Model: mx960
> Family: junos
> Junos: 17.4R1-S2.2
> Hostname: 960
>
> {master}
> agould@960> show chassis hardware models | grep "fpc|engine"
> Routing Engine 0 REV 15   750-054758   (removed)  RE-S-X6-64G-S
> Routing Engine 1 REV 15   750-054758   (removed)  RE-S-X6-64G-S
> FPC 0    REV 43   750-056519   (removed)  MPC7E-MRATE
> FPC 11   REV 43   750-056519   (removed)  MPC7E-MRATE
>
> Yeah, prior to this, you see lots of creation failures...
>
> {master}[edit]
> agould@ 960# run show services accounting errors inline-jflow fpc-slot 0 |
> grep creation
> Flow Creation Failures: 1589981308
> IPv4 Flow Creation Failures: 1582829194
> IPv6 Flow Creation Failures: 7152114
>
> During change, if you look closely, you will see PFE-0 and PFE-1
> "reconfiguring" then "steady"
>
> And flow count will change from 1024 to whatever you change it to
>
> show services accounting status inline-jflow fpc-slot 0
>
> these are my notes when I did this a few months ago...
>
> ...these numbers didn't look right at first considering they say that the
> unit is a multiplier for 256K base number i set v4 to 4 and v6 to 1...
> so i thought the number would simply be...
>
> 256k * 4 ... (but "k" = 1024) so... (256 * 1024 = 262,144) 262,144 * 4
> =
> 1,048,576
>
> but new ipv4 flow limit is  1,466,368 so 1,466,368 - 1,048,576 =
> 417,792
>
> ...what is this strange extra 417,792 ?  interestingly if you divide it by
> 1024 you get... 408
>
> 417,792 / 1024 = 408
>
> and i know i used a 4 for ipv4 multiplier...so i assume 408 / 4 = 102
>
> so let's check ipv6...
>
> 256 * 1024 = 262,144
>
> ipv6 flow limit is now 366,592
>
> 366,592 - 262,144 = 104,448
>
> 104,448 / 1024 = 102
>
> there's our nice little 102 again :)
>
>
>
> - Aaron
>
>
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] inline-jflow monitoring

2019-01-02 Thread Aaron Gould
I recently did this on operational/live MX960's on my 100 gig mpls ring with
no problem.  ...no service impact, no card reboots.

set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 4

I run...

agould@960> show system information
Model: mx960
Family: junos
Junos: 17.4R1-S2.2
Hostname: 960

{master}
agould@960> show chassis hardware models | grep "fpc|engine"
Routing Engine 0 REV 15   750-054758   (removed)  RE-S-X6-64G-S
Routing Engine 1 REV 15   750-054758   (removed)  RE-S-X6-64G-S
FPC 0    REV 43   750-056519   (removed)  MPC7E-MRATE
FPC 11   REV 43   750-056519   (removed)  MPC7E-MRATE

Yeah, prior to this, you see lots of creation failures...

{master}[edit]
agould@ 960# run show services accounting errors inline-jflow fpc-slot 0 |
grep creation
Flow Creation Failures: 1589981308
IPv4 Flow Creation Failures: 1582829194
IPv6 Flow Creation Failures: 7152114

During change, if you look closely, you will see PFE-0 and PFE-1
"reconfiguring" then "steady"

And flow count will change from 1024 to whatever you change it to

show services accounting status inline-jflow fpc-slot 0

these are my notes when I did this a few months ago...

...these numbers didn't look right at first considering they say that the
unit is a multiplier for 256K base number i set v4 to 4 and v6 to 1...
so i thought the number would simply be...

256k * 4 ... (but "k" = 1024) so... (256 * 1024 = 262,144) 262,144 * 4 =
1,048,576

but new ipv4 flow limit is  1,466,368 so 1,466,368 - 1,048,576 =
417,792  

...what is this strange extra 417,792 ?  interestingly if you divide it by
1024 you get... 408

417,792 / 1024 = 408

and i know i used a 4 for ipv4 multiplier...so i assume 408 / 4 = 102

so let's check ipv6... 

256 * 1024 = 262,144

ipv6 flow limit is now 366,592

366,592 - 262,144 = 104,448

104,448 / 1024 = 102

there's our nice little 102 again :)



- Aaron




Re: [j-nsp] inline-jflow monitoring

2019-01-02 Thread Tobias Heister

Hi,

On 02.01.2019 13:18, sth...@nethelp.no wrote:

> > From 16.1R1 and up you should also configure the ip flow table sizes
> > as the default is 1024 entries for v4 if I'm not mistaken. Not sure if
> > this is your current issue but is something to consider as well. Also
> > check flex-flow-sizing as an option.
>
> Note that changing the flow table sizes has traditionally resulted in
> a reboot of the line card.


https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/ipv4-flow-table-size.html

"NOTE: Prior to Junos OS Release 16.1R1 and 15.1F2, any changes in the configured 
size of the flow table initiates an automatic reboot of the FPC, and we recommend that 
you run this command in a maintenance window."

Whatever this means for now ;)
I kind of remember that we changed that without reboot on 16.x and 17.x code on 
some routers.

--
Kind Regards
Tobias Heister


Re: [j-nsp] inline-jflow monitoring

2019-01-02 Thread Tobias Heister

Hi,

On 02.01.2019 11:49, Saku Ytti wrote:

> Trio does IPFIX in HW, it can inspect each and every packet with no
> different cost. So if your flow table can survive it, do 1:1 and get
> more visibility.


AFAIK not all Trio Generations and variants are able to do 1:1 at Line Rate.
IIRC MPC5E and newer are very close to 1:1 in all scenarios while older 
MPC/TRIO were lower (in the 1:4 - 1:10 range worst case)
I think it was one of the marketed benefits of MPC5 and MPC2/3-NG that they now 
can do 1:1 while the older stuff was not able to do so.

Of course you can argue whether line rate 64k packets are actually a typical 
use case or not ;)

--
Kind Regards
Tobias Heister


Re: [j-nsp] inline-jflow monitoring

2019-01-02 Thread sthaug
> From 16.1R1 and up you should also configure the ip flow table sizes
> as the default is 1024 entries for v4 if I'm not mistaken. Not sure if
> this is your current issue but is something to consider as well. Also
> check flex-flow-sizing as an option.

Note that changing the flow table sizes has traditionally resulted in
a reboot of the line card.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: [j-nsp] inline-jflow monitoring

2019-01-02 Thread Luis Balbinot
From 16.1R1 and up you should also configure the ip flow table sizes
as the default is 1024 entries for v4 if I'm not mistaken. Not sure if
this is your current issue but is something to consider as well. Also
check flex-flow-sizing as an option.

Luis

On Wed, Jan 2, 2019 at 7:51 AM A. Camci  wrote:
>
> Hi all,
>
> Does anyone have experience with GENIEATM ( 6.3.2 ) and Juniper MX480 MPCE
> Type 2 3D ( 16.1R4-S3.6).
> recently we use the inline-jflow monitoring.
>
> it works but we receive too little sampling.
> expect a 10k of sampling per second instead of 100 samples
>
>
> Border Router:
> Flow information
> FPC Slot: 0
> Flow Packets: 39566361752, Flow Bytes: 34679308997163
> Active Flows: 2478, Total Flows: 484673089
> Flows Exported: 384265866, Flow Packets Exported: 131910524
> Flows Inactive Timed Out: 103861379, Flows Active Timed Out: 380809232
> Total Flow Insert Count: 103863857
>
> IPv4 Flows:
> IPv4 Flow Packets: 39206606168, IPv4 Flow Bytes: 34296101187914
> IPv4 Active Flows: 2048, IPv4 Total Flows: 449829603
> IPv4 Flows Exported: 365283923, IPv4 Flow Packets exported: 117813878
> IPv4 Flows Inactive Timed Out: 87622231, IPv4 Flows Active Timed Out:
> 362205324
> IPv4 Flow Insert Count: 87624279
>
> IPv6 Flows:
> IPv6 Flow Packets: 359755584, IPv6 Flow Bytes: 383207809249
> IPv6 Active Flows: 430, IPv6 Total Flows: 34843486
> IPv6 Flows Exported: 18981943, IPv6 Flow Packets Exported: 14096646
> IPv6 Flows Inactive Timed Out: 16239148, IPv6 Flows Active Timed Out:
> 18603908
> IPv6 Flow Insert Count: 16239578
>
>
> GENIEATM
> Received Flows/sec: 93
>
>
> thanks
> ap


Re: [j-nsp] inline-jflow monitoring

2019-01-02 Thread sthaug
> see the config:
> 
> set services flow-monitoring version-ipfix template ipv4 ipv4-template
> set services flow-monitoring version-ipfix template ipv6 ipv6-template

We have a bit more, e.g.

template ipv4 {
flow-active-timeout 60;
flow-inactive-timeout 15;
template-refresh-rate {
packets 1;
seconds 20;
}
option-refresh-rate {
packets 1;
seconds 20;
}
ipv4-template;
}

> set forwarding-options sampling instance inline input rate 128

We have also defined "run-length 0".

No reboot is necessary after applying the configuration.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: [j-nsp] inline-jflow monitoring

2019-01-02 Thread Saku Ytti
On Wed, 2 Jan 2019 at 12:32, Dave Bell  wrote:

> Netflow/Jflow/IPFIX does not sample packets. It samples flows. A flow is
> (could be?) made up of many packets.

Everyone probably means the same thing here, but the way you are
saying it, is very confusing to me.

Sampling means we do not look at every packet, we use some algorithm
like 'every nTh' to choose which _packet_ gets looked at.

After we've chosen which _packet_ gets looked at, we store state or
flow for that packet, if we already have applicable flow stored, we
add packet/byte count in that stored flow.

Further, ipfix receiver will then multiply packet and byte count of
flows by sampling ratio, to approximate actual amount of packets/bytes
seen in given flow.

There are few reasons to choose non 1:1 sampling algorithm:

- regulatory requirements
- HW can't support 1:1
- desire to see fewer flows

In absence of specific reason to not do 1:1, you should do 1:1. Even
with 1:100 many flows will be just invisible to you, because there are
lot of short flows and statistically you'll never pick any packet out
of that flow, so you'll never record it. Sampling will necessarily
hide information, which is fine for traffic volume trending, ddos etc.

Trio does IPFIX in HW, it can inspect each and every packet with no
different cost. So if your flow table can survive it, do 1:1 and get
more visibility.



-- 
  ++ytti
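
The sampling behaviour described in the message above, as an added example that is not part of the original post and is not Juniper or collector code. The workload (2000 two-packet flows plus 10 long flows), the function names and the no-timeout flow table are assumptions made for illustration.

```python
import random
from collections import namedtuple

Result = namedtuple("Result", "flows_seen short_seen est_packets creation_failures")


def build_stream(short_flows=2000, short_len=2, big_flows=10, big_len=50_000, seed=1):
    """Constructed workload: many short flows and a few long ones, interleaved."""
    stream = []
    for i in range(short_flows):
        stream += [("short", i)] * short_len
    for i in range(big_flows):
        stream += [("big", i)] * big_len
    random.Random(seed).shuffle(stream)
    return stream


def sample(stream, rate, table_size=None):
    """Inspect every `rate`-th packet and create or update flow state for it.

    table_size models a fixed-size flow table whose entries never time out
    (a simplification); a new flow arriving at a full table is counted as a
    creation failure and is never recorded.
    """
    table = {}
    failures = 0
    for n, key in enumerate(stream, start=1):
        if n % rate:
            continue                      # packet not selected by the sampler
        if key in table:
            table[key] += 1               # existing flow: bump packet count
        elif table_size is not None and len(table) >= table_size:
            failures += 1                 # table full: flow cannot be created
        else:
            table[key] = 1                # new flow entry
    # Collector side: scale the sampled counts by the sampling ratio.
    est_packets = sum(table.values()) * rate
    short_seen = sum(1 for kind, _ in table if kind == "short")
    return Result(len(table), short_seen, est_packets, failures)


if __name__ == "__main__":
    stream = build_stream()
    print("actual packets:", len(stream))
    for rate, size in ((1, None), (128, None), (1, 1024)):
        print(f"rate 1:{rate} table={size}:", sample(stream, rate, size))
```

At 1:128 the scaled packet total stays close to the real one while almost all of the short flows never appear, and at 1:1 a 1024-entry table records only the first 1024 flows and rejects the rest.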


Re: [j-nsp] inline-jflow monitoring

2019-01-02 Thread A. Camci
 you're right, but that's what I meant.



Op wo 2 jan. 2019 om 11:29 schreef Dave Bell :

> i want samples of a every 128 packets
>>
>
> Netflow/Jflow/IPFIX does not sample packets. It samples flows. A flow is
> (could be?) made up of many packets.
>
>


Re: [j-nsp] inline-jflow monitoring

2019-01-02 Thread Dave Bell
>
> i want samples of a every 128 packets
>

Netflow/Jflow/IPFIX does not sample packets. It samples flows. A flow is
(could be?) made up of many packets.


Re: [j-nsp] inline-jflow monitoring

2019-01-02 Thread A. Camci
> This sets a sampling rate of 128:1. Is that intentional?

yes.

i want samples of a every 128 packets

i have also tried with 100 and 512 but still same output.

Op wo 2 jan. 2019 om 11:16 schreef Dave Bell :

> set forwarding-options sampling instance inline input rate 128
>
> This sets a sampling rate of 128:1. Is that intentional?
>
> Dave
>
> On Wed, 2 Jan 2019 at 10:08, A. Camci  wrote:
>
>> Hi Steinar,
>>
>> see the config:
>>
>> set services flow-monitoring version-ipfix template ipv4 ipv4-template
>> set services flow-monitoring version-ipfix template ipv6 ipv6-template
>>
>>
>> set forwarding-options sampling instance inline input rate 128
>> set forwarding-options sampling instance inline family inet output
>> flow-server xx.xx.10.34 port 2055
>> set forwarding-options sampling instance inline family inet output
>> flow-server xx.xx.10.34 version-ipfix template ipv4
>> set forwarding-options sampling instance inline family inet output
>> inline-jflow source-address xx.xx.0.238
>>
>> set forwarding-options sampling instance inline family inet6 output
>> flow-server xx.xx.10.34 port 2055
>> set forwarding-options sampling instance inline family inet6 output
>> flow-server xx.xx.10.34 version-ipfix template ipv6
>> set forwarding-options sampling instance inline family inet6 output
>> inline-jflow source-address xx.xx.0.238
>>
>> set chassis fpc 0 sampling-instance inline
>> set forwarding-options sampling instance inline family inet output
>> flow-server xx.xx.10.34 version-ipfix template ipv4
>> set forwarding-options sampling instance inline family inet6 output
>> flow-server xx.xx.10.34 version-ipfix template ipv6
>> set protocols bgp group fulltable-2-genie neighbor xx.xx.10.34
>>
>> set interfaces ae0 unit 0 family inet sampling input
>> set interfaces ae0 unit 0 family inet6 sampling input
>> set interfaces ae1 unit 0 family inet sampling input
>> set interfaces ae1 unit 0 family inet6 sampling input
>> set interfaces ae5 unit 0 family inet sampling input
>> set interfaces ae5 unit 0 family inet6 sampling input
>>
>>
>> is a reboot necessary after the configuration ?
>>
>> thanks
>> ap
>>
>> Op wo 2 jan. 2019 om 10:56 schreef :
>>
>> > > Does anyone have experience with GENIEATM ( 6.3.2 ) and Juniper MX480
>> > MPCE
>> > > Type 2 3D ( 16.1R4-S3.6).
>> > > recently we use the inline-jflow monitoring.
>> > >
>> > > it works but we receive too little sampling.
>> > > expect a 10k of sampling per second instead of 100 samples
>> >
>> > We have quite a bit of experience with inline-jflow/IPFIX. It mostly
>> > works just fine. Show your JunOS config, please.
>> >
>> > Steinar Haug, Nethelp consulting, sth...@nethelp.no
>> >


Re: [j-nsp] inline-jflow monitoring

2019-01-02 Thread Dave Bell
set forwarding-options sampling instance inline input rate 128

This sets a sampling rate of 128:1. Is that intentional?

Dave

On Wed, 2 Jan 2019 at 10:08, A. Camci  wrote:

> Hi Steinar,
>
> see the config:
>
> set services flow-monitoring version-ipfix template ipv4 ipv4-template
> set services flow-monitoring version-ipfix template ipv6 ipv6-template
>
>
> set forwarding-options sampling instance inline input rate 128
> set forwarding-options sampling instance inline family inet output
> flow-server xx.xx.10.34 port 2055
> set forwarding-options sampling instance inline family inet output
> flow-server xx.xx.10.34 version-ipfix template ipv4
> set forwarding-options sampling instance inline family inet output
> inline-jflow source-address xx.xx.0.238
>
> set forwarding-options sampling instance inline family inet6 output
> flow-server xx.xx.10.34 port 2055
> set forwarding-options sampling instance inline family inet6 output
> flow-server xx.xx.10.34 version-ipfix template ipv6
> set forwarding-options sampling instance inline family inet6 output
> inline-jflow source-address xx.xx.0.238
>
> set chassis fpc 0 sampling-instance inline
> set forwarding-options sampling instance inline family inet output
> flow-server xx.xx.10.34 version-ipfix template ipv4
> set forwarding-options sampling instance inline family inet6 output
> flow-server xx.xx.10.34 version-ipfix template ipv6
> set protocols bgp group fulltable-2-genie neighbor xx.xx.10.34
>
> set interfaces ae0 unit 0 family inet sampling input
> set interfaces ae0 unit 0 family inet6 sampling input
> set interfaces ae1 unit 0 family inet sampling input
> set interfaces ae1 unit 0 family inet6 sampling input
> set interfaces ae5 unit 0 family inet sampling input
> set interfaces ae5 unit 0 family inet6 sampling input
>
>
> is a reboot necessary after the configuration ?
>
> thanks
> ap
>
> Op wo 2 jan. 2019 om 10:56 schreef :
>
> > > Does anyone have experience with GENIEATM ( 6.3.2 ) and Juniper MX480
> > MPCE
> > > Type 2 3D ( 16.1R4-S3.6).
> > > recently we use the inline-jflow monitoring.
> > >
> > > it works but we receive too little sampling.
> > > expect a 10k of sampling per second instead of 100 samples
> >
> > We have quite a bit of experience with inline-jflow/IPFIX. It mostly
> > works just fine. Show your JunOS config, please.
> >
> > Steinar Haug, Nethelp consulting, sth...@nethelp.no
> >


Re: [j-nsp] inline-jflow monitoring

2019-01-02 Thread A. Camci
Hi Steinar,

see the config:

set services flow-monitoring version-ipfix template ipv4 ipv4-template
set services flow-monitoring version-ipfix template ipv6 ipv6-template


set forwarding-options sampling instance inline input rate 128
set forwarding-options sampling instance inline family inet output
flow-server xx.xx.10.34 port 2055
set forwarding-options sampling instance inline family inet output
flow-server xx.xx.10.34 version-ipfix template ipv4
set forwarding-options sampling instance inline family inet output
inline-jflow source-address xx.xx.0.238

set forwarding-options sampling instance inline family inet6 output
flow-server xx.xx.10.34 port 2055
set forwarding-options sampling instance inline family inet6 output
flow-server xx.xx.10.34 version-ipfix template ipv6
set forwarding-options sampling instance inline family inet6 output
inline-jflow source-address xx.xx.0.238

set chassis fpc 0 sampling-instance inline
set forwarding-options sampling instance inline family inet output
flow-server xx.xx.10.34 version-ipfix template ipv4
set forwarding-options sampling instance inline family inet6 output
flow-server xx.xx.10.34 version-ipfix template ipv6
set protocols bgp group fulltable-2-genie neighbor xx.xx.10.34

set interfaces ae0 unit 0 family inet sampling input
set interfaces ae0 unit 0 family inet6 sampling input
set interfaces ae1 unit 0 family inet sampling input
set interfaces ae1 unit 0 family inet6 sampling input
set interfaces ae5 unit 0 family inet sampling input
set interfaces ae5 unit 0 family inet6 sampling input


is a reboot necessary after the configuration ?

thanks
ap

Op wo 2 jan. 2019 om 10:56 schreef :

> > Does anyone have experience with GENIEATM ( 6.3.2 ) and Juniper MX480
> MPCE
> > Type 2 3D ( 16.1R4-S3.6).
> > recently we use the inline-jflow monitoring.
> >
> > it works but we receive too little sampling.
> > expect a 10k of sampling per second instead of 100 samples
>
> We have quite a bit of experience with inline-jflow/IPFIX. It mostly
> works just fine. Show your JunOS config, please.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>


Re: [j-nsp] inline-jflow monitoring

2019-01-02 Thread sthaug
> Does anyone have experience with GENIEATM ( 6.3.2 ) and Juniper MX480 MPCE
> Type 2 3D ( 16.1R4-S3.6).
> recently we use the inline-jflow monitoring.
> 
> it works but we receive too little sampling.
> expect a 10k of sampling per second instead of 100 samples

We have quite a bit of experience with inline-jflow/IPFIX. It mostly
works just fine. Show your JunOS config, please.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


[j-nsp] inline-jflow monitoring

2019-01-02 Thread A. Camci
Hi all,

Does anyone have experience with GENIEATM ( 6.3.2 ) and Juniper MX480 MPCE
Type 2 3D ( 16.1R4-S3.6).
recently we use the inline-jflow monitoring.

it works but we receive too little sampling.
expect a 10k of sampling per second instead of 100 samples


Border Router:
Flow information
FPC Slot: 0
Flow Packets: 39566361752, Flow Bytes: 34679308997163
Active Flows: 2478, Total Flows: 484673089
Flows Exported: 384265866, Flow Packets Exported: 131910524
Flows Inactive Timed Out: 103861379, Flows Active Timed Out: 380809232
Total Flow Insert Count: 103863857

IPv4 Flows:
IPv4 Flow Packets: 39206606168, IPv4 Flow Bytes: 34296101187914
IPv4 Active Flows: 2048, IPv4 Total Flows: 449829603
IPv4 Flows Exported: 365283923, IPv4 Flow Packets exported: 117813878
IPv4 Flows Inactive Timed Out: 87622231, IPv4 Flows Active Timed Out:
362205324
IPv4 Flow Insert Count: 87624279

IPv6 Flows:
IPv6 Flow Packets: 359755584, IPv6 Flow Bytes: 383207809249
IPv6 Active Flows: 430, IPv6 Total Flows: 34843486
IPv6 Flows Exported: 18981943, IPv6 Flow Packets Exported: 14096646
IPv6 Flows Inactive Timed Out: 16239148, IPv6 Flows Active Timed Out:
18603908
IPv6 Flow Insert Count: 16239578


GENIEATM
Received Flows/sec: 93


thanks
ap