Friday, May 24, 2013

Netflow on Juniper SRX

In this blog post we will discuss netflow (jflow) and how to enable this feature on the SRX platform.


What is netflow?

It's a means of delivering statistics about traffic, in the form of flow information exported from a L3 device. Netflow was developed by Cisco, but since then it has been adopted by most L3 router/switch manufacturers. Even some open-source router/firewall products have netflow support.
Juniper has confused the general public somewhat by calling netflow...... jflow. It's also known as cflow (Cisco flow).

I guess the marketing people took the approach of not using "netflow" or "cisco flow" in their materials. But bottom line: netflow, jflow and cflow are the same damn flow.

Another, newer contender is known as IPFIX. We will not discuss that version here, since it's not as commonly used and has very limited support.

IPFIX is gaining in recognition and deployment, and most vendors are adding support for IPFIX in their routers and layer 3 switches. IPFIX is similar to version 9, but it's not the same and is a different beast.

http://en.wikipedia.org/wiki/IP_Flow_Information_Export

Any netflow deployment consists of at least two pieces:

  1. The exporter (router/firewall/switch)
  2. The flow collector (the device that decodes and stores the flow details)

Now why do we use netflow? 

Simple: netflow is used for numerous reasons, including the following:
  • host/server traffic accounting
  • traffic & capacity planning
  • growth tracking
  • network behavioral analysis
  • DDoS detection, forensics and mitigation

Here's a typical netflow layout:





A few considerations for netflow that you will need to know before running off and configuring your SRX for netflow:

  • do you need sampling, and if so at what rate
  • which direction on the interface (ingress/egress)
  • what version of netflow your exporter and collector support
  • the purpose of the flow collection
  • which UDP port the collector listens on
  • the collector's IP address

The above items will be required before we can attempt to configure netflow in the enterprise or service provider realm.

You will find netflow is simple to configure on a Juniper device, and very well supported across most of the Juniper line-up. Juniper Networks does impose certain restrictions when configuring options within netflow, so it's best to research what these limitations are with regard to enabling flow accounting.

In my lab we are using an SRX 210H branch firewall, which is a very basic model in the SRX lineup. A bigger SRX or MX will offer more features and supported versions.





This unit supports only netflow versions 5, 8, 9 and 500. We will run through some of these configurations and the gotchas.


1st, netflow version 8.

This version is not as widely used as version 5. But the configuration is about the same, so I'm demoing it.

BTW, version 5 is used in most businesses and is very well supported. It provides the option to include AS origin information in the flow records. Most collectors support this version, including the commercial ones (Solarwinds, Lancope, Arbor Networks, Plixer, etc.) and most open-source deployments (nflowd, ntop, etc.).

With netflow on Juniper we need to 1st enable NTP. If you don't, you will be welcomed with this error message.


Next we enable the v8 forwarding output and flow-server, plus enable collection on the interfaces of interest. Here we are doing our inside vlan0 (ingress) for the inet family.

note: we can't enable flow collection for inet6 (IPv6) in this version of Junos. IPv6 is only supported within v9 or IPFIX.


 

set interfaces vlan unit 0 family inet sampling input

and

set forwarding-options sampling input rate 0 run-length 0
set forwarding-options sampling family inet output aggregate-export-interval 90
set forwarding-options sampling family inet output flow-server 10.98.10.10 port 5000 source 1.0.0.1 version 8
set forwarding-options sampling family inet output flow-server 10.98.10.10 aggregation source-destination-prefix


With version 8 you have to enable the aggregation method; without this you will get errors.

 
NOTE: This is the one configurable item that version 5, 500 or even 9 does not require.

So there you have it; you have just seen the main items for netflow configuration. Version 5 would be the same as the above, but with the version being "5" and no requirement for the "aggregation" method.

Okay, let's look at netflow v9.

Version 9 is template-based netflow. What this means is that we send a template at a set interval, either every N seconds or after a number of flows have been exported. The collector receives this template, and the template tells the collector how to decode the flow records.

So you guessed it, we need to 1st define our template:


set services flow-monitoring version9 template mynetflow option-refresh-rate seconds 120
set services flow-monitoring version9 template mynetflow template-refresh-rate seconds 60
set services flow-monitoring version9 template mynetflow ipv4-template

The template configuration has options to adjust the refresh rates. In the above example, I named my template "mynetflow" and set the refresh rates for this template and its options at 60/120 secs respectively. The template refresh rate is a tweakable item, and various collectors will be more or less tolerant of it. The template must be sent at some interval in order for the collector to decode the v9 flow records.
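To make the template dependency concrete, here is an added example (not code from the original post, and not a Juniper tool) of a minimal collector-side NetFlow v9 decoder written in Python. It assumes the template id 256, the field list, the source id and the two constructed packets defined in the code; the field type numbers (1 = IN_BYTES, 2 = IN_PKTS, 4 = PROTOCOL, 7 = L4_SRC_PORT, 8 = IPV4_SRC_ADDR, 11 = L4_DST_PORT, 12 = IPV4_DST_ADDR) are the standard v9 ones. The point it shows is what happens when a data FlowSet arrives before the exporter's template: the collector has no way to decode it and drops it, which is why the template-refresh-rate exists and why a freshly started collector may show nothing until the next template is sent.

```python
# Added example: collector-side NetFlow v9 decoding with a template cache.
# Packets below are constructed in code, not captured from the lab SRX.
import socket
import struct

V9_HEADER = struct.Struct("!HHIIII")  # version, count, uptime, unix secs, sequence, source id
FLOWSET_HDR = struct.Struct("!HH")    # FlowSet id, FlowSet length (includes this 4-byte header)

# Subset of standard v9 field types used by this example
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}


class V9Decoder:
    def __init__(self):
        # Templates are scoped per exporter source id, so the cache key includes it
        self.templates = {}   # (source_id, template_id) -> [(field_type, length), ...]
        self.skipped = 0      # data FlowSets dropped because no template was known yet

    def feed(self, datagram: bytes):
        """Decode one export packet; returns the flow records it could decode."""
        version, _count, _uptime, _secs, _seq, source_id = V9_HEADER.unpack_from(datagram, 0)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version field = {version})")
        records, off = [], V9_HEADER.size
        while off + FLOWSET_HDR.size <= len(datagram):
            fs_id, fs_len = FLOWSET_HDR.unpack_from(datagram, off)
            if fs_len < FLOWSET_HDR.size or off + fs_len > len(datagram):
                raise ValueError("FlowSet length runs past the datagram")
            body = datagram[off + FLOWSET_HDR.size:off + fs_len]
            if fs_id == 0:                 # template FlowSet
                self._learn_templates(source_id, body)
            elif fs_id >= 256:             # data FlowSet; its id is the template id
                records.extend(self._decode_data(source_id, fs_id, body))
            # fs_id 1 (options template) and 2..255 (reserved) are ignored here
            off += fs_len
        return records

    def _learn_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            pos += 4
            if pos + 4 * nfields > len(body):
                raise ValueError("template field list truncated")
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id, tid, body):
        tmpl = self.templates.get((source_id, tid))
        if tmpl is None:
            self.skipped += 1              # no template yet: nothing to do but wait for a refresh
            return []
        rec_len = sum(length for _, length in tmpl)
        out, pos = [], 0
        while rec_len and pos + rec_len <= len(body):  # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, flen in tmpl:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, f"type_{ftype}")
                rec[name] = socket.inet_ntoa(raw) if ftype in (8, 12) and flen == 4 else int.from_bytes(raw, "big")
            out.append(rec)
        return out


TEMPLATE_ID = 256  # assumed template id for the constructed exporter
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]  # src, dst, sport, dport, proto, bytes, pkts


def build_template_packet(seq: int, source_id: int = 1) -> bytes:
    """Constructed packet carrying only the template FlowSet."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in FIELDS)
    flowset = FLOWSET_HDR.pack(0, FLOWSET_HDR.size + len(tmpl)) + tmpl
    return V9_HEADER.pack(9, 1, 1000, 1369353600, seq, source_id) + flowset


def build_data_packet(seq: int, source_id: int = 1) -> bytes:
    """Constructed packet carrying one data record laid out per FIELDS, padded to 4 bytes."""
    rec = (socket.inet_aton("192.0.2.10") + socket.inet_aton("198.51.100.20")
           + struct.pack("!HHB", 40000, 443, 6) + struct.pack("!II", 9000, 12))
    pad = (-len(rec)) % 4
    flowset = FLOWSET_HDR.pack(TEMPLATE_ID, FLOWSET_HDR.size + len(rec) + pad) + rec + b"\x00" * pad
    return V9_HEADER.pack(9, 1, 2000, 1369353601, seq, source_id) + flowset


def demo():
    """Data before the template is dropped; once the template arrives the same data decodes."""
    dec = V9Decoder()
    before = dec.feed(build_data_packet(seq=1))
    dec.feed(build_template_packet(seq=2))
    after = dec.feed(build_data_packet(seq=3))
    return dec.skipped, before, after
```

Running `demo()` returns a skipped count of 1 and an empty list for the first data packet, then one fully decoded record after the template has been learned. A real collector keeps this cache per exporter address as well as per source id, and expires entries when the exporter restarts (the sequence number resetting is the usual hint).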

Now we will build the forwarding options and specify the netflow template (mynetflow) from above.


set forwarding-options sampling input rate 1 run-length 0
set forwarding-options sampling family inet output flow-server 10.98.10.10 port 5000 source 1.0.0.1 version9 template mynetflow

As you can clearly see, we get an error indicating a Services PIC or inline-jflow must be specified.



So on this model of hardware we are limited in regard to configuring netflow v9. This is what I mean when I say Juniper has version restrictions and limitations across its hardware devices, depending on hardware support and software/licenses.

Okay, let's look at the AS500 configuration. It's for the most part the same as netflow v5, except the version number is now "500".


set forwarding-options sampling input rate 50 run-length 0
set forwarding-options sampling family inet output flow-server 10.98.10.10 port 5000 version 500
 
Okay, now that you have been through a few netflow configurations, you can capture and/or decode the flow data to ensure it's working as planned.



And a simple decode using tshark:
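If you want to check the export without a full collector, the following added example (my own Python, not from the original post or from Juniper) decodes a NetFlow v5 datagram the way a collector would: it validates the header, pulls out each 48-byte record, and reads the header's sampling field, which tells the collector the 1:N rate the exporter applied. The datagram is constructed in code, with a sampling interval of 50 to match the `input rate 50` setting above; addresses, ports and AS numbers are made-up sample values. The scaling helper shows why the sampling rate is one of the considerations listed earlier: with sampling on, the byte and packet counters in the records only cover sampled packets, and the collector has to multiply them back up.

```python
# Added example: collector-side NetFlow v5 decoding with sampling-rate scaling.
# The datagram is constructed in code; it is not a capture from the lab SRX.
import socket
import struct
from dataclasses import dataclass

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24-byte packet header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int
    src_as: int
    dst_as: int


def parse_v5(datagram: bytes):
    """Return (header dict, list of FlowRecord); raise ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    (version, count, _uptime, _secs, _nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if not 1 <= count <= 30:
        raise ValueError(f"record count {count} outside the v5 range 1..30")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"{len(datagram)} bytes, but {count} records need {expected}")
    header = {
        "count": count,
        "flow_sequence": seq,
        "engine": (engine_type, engine_id),
        # 16-bit field: top 2 bits = sampling mode, low 14 bits = 1:N interval
        "sampling_mode": sampling >> 14,
        "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, _nexthop, _iif, _oif, pkts, octets, _first, _last,
         sport, dport, _pad1, _flags, proto, _tos, src_as, dst_as,
         _smask, _dmask, _pad2) = fields
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  sport, dport, proto, pkts, octets, src_as, dst_as))
    return header, records


def estimated_octets(header, records) -> int:
    """Total bytes after scaling by the 1:N sampling interval (0 or 1 means unsampled)."""
    scale = header["sampling_interval"] or 1
    return sum(r.octets for r in records) * scale


def is_malformed(datagram: bytes) -> bool:
    """True when parse_v5 rejects the datagram (e.g. a truncated UDP payload)."""
    try:
        parse_v5(datagram)
    except ValueError:
        return True
    return False


def build_v5_sample() -> bytes:
    """Constructed datagram: two records, sampling interval 1:50 like 'input rate 50'."""
    sampling = (0 << 14) | 50          # mode 0, interval 50
    header = V5_HEADER.pack(5, 2, 123456, 1369353600, 0, 1000, 0, 0, sampling)

    def rec(src, dst, sport, dport, proto, pkts, octets):
        return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                              socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets,
                              100, 200, sport, dport, 0, 0x18, proto, 0,
                              65000, 65001, 24, 24, 0)

    return (header
            + rec("192.0.2.10", "198.51.100.20", 40000, 443, 6, 12, 9000)
            + rec("192.0.2.11", "198.51.100.53", 51000, 53, 17, 1, 76))


if __name__ == "__main__":
    hdr, flows = parse_v5(build_v5_sample())
    print(hdr)
    for f in flows:
        print(f)
    print("estimated bytes:", estimated_octets(hdr, flows))
```

To use it against a live exporter, bind a UDP socket on the collector port configured under `flow-server` and pass each received payload to `parse_v5`; the length and count checks will reject anything that is not a well-formed v5 datagram instead of mis-reading it as flow data.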



Okay, to recap:

  • we deploy netflow for various reasons
  • Netflow has a few versions
  • Depending on the version selected you might have more configurable items
  • v9 and IPFIX are template-based
  • Sampling is an option to consider
  • NTP must be enabled
  • netflow systems are always made up of at least a collector and an exporter
 

Ken Felix
Freelance Network/Security Engineer
kfelix ---at--hyperfeed ---dot--com

    ^       ^
= (  x    x ) =
         O
         ~
