Juniper routers can generate and send flow records to a management server. This feature lets the administrator monitor all the traffic that flows through the router, giving a better picture of user behaviour and also allowing every connection originating from or destined to that autonomous system to be recorded for compliance requirements.
The following tutorial shows how to configure the router and how to set up a management server to receive and store the data using open source tools. It also shows how to query the resulting information base.
Configuring the Router
1. Define and configure an interface to export flow data, such as ge-1/1/0. The flow collector server must be reachable through this same interface, since flow records cannot be exported if the collector is only reachable through a management interface such as fxp0. 1)
1) http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/inline-flow-monitoring.html#VT5jL4VmFUHwaj4i.97
set interfaces ge-1/1/0 unit 0 family inet address 172.16.200.4/16
2. Define a template for Netflow version 9.
set services flow-monitoring version9 template template1 flow-active-timeout 120
set services flow-monitoring version9 template template1 flow-inactive-timeout 60
set services flow-monitoring version9 template template1 template-refresh-rate packets 100
set services flow-monitoring version9 template template1 template-refresh-rate seconds 600
set services flow-monitoring version9 template template1 option-refresh-rate packets 100
set services flow-monitoring version9 template template1 option-refresh-rate seconds 600
set services flow-monitoring version9 template template1 ipv4-template
3. Define a "sampling instance" (instance-1) that assigns the defined template (template1) to the flow collector (10.100.2.250) together with the other required properties (port, source address, input sampling rate and export rate).
set forwarding-options sampling instance instance-1 input rate 1
set forwarding-options sampling instance instance-1 family inet output flow-server 10.100.2.250 port 9995
set forwarding-options sampling instance instance-1 family inet output flow-server 10.100.2.250 version9 template template1
set forwarding-options sampling instance instance-1 family inet output inline-jflow source-address 172.16.200.4
set forwarding-options sampling instance instance-1 family inet output inline-jflow flow-export-rate 10
The configuration above, with the input sampling rate set to 1 (every packet is sampled), makes the sampling process consume a lot of the router's memory. A sampling rate as high as 1000 should be used so that this single feature does not consume excessive router resources.
After finishing all the configuration suggested here, it is recommended to check the router's performance using the commands suggested in this article.
4. Associate the sampling instance (instance-1) to the Taz Forwarding Engine Board (tfeb).
set chassis tfeb slot 0 sampling-instance instance-1
5. Configure a firewall filter whose only job is to mark traffic for NetFlow collection ("sample") and then accept it.
set firewall family inet filter netflow-ipv4 term captura-flow then sample
set firewall family inet filter netflow-ipv4 term captura-flow then accept
6. Assign the above created firewall filter to the interface that will be monitored:
set interfaces ge-1/0/1 unit 0 family inet filter input netflow-ipv4
set interfaces ge-1/0/1 unit 0 family inet filter output netflow-ipv4
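What the collector has to do with the NetFlow v9 template defined in step 2, as an added example that is not part of this tutorial or of nfdump/NFSen: a minimal Python decoder that learns templates from FlowSet 0 and can only decode a data FlowSet once the template for its id has arrived, which is why template-refresh-rate matters for a collector that starts (or restarts) between refreshes. Field-type numbers follow RFC 3954; the two export packets are constructed inline for the demonstration.

```python
import struct
FIELDS = {1: "bytes", 2: "pkts", 4: "proto", 7: "srcport", 8: "srcip", 11: "dstport", 12: "dstip"}  # RFC 3954 field types

class V9Collector:  # learns templates from FlowSet 0 and decodes data FlowSets (id >= 256) with them
    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(field_type, length), ...]
        self.undecodable = 0  # data FlowSets that arrived before their template was known
    def feed(self, pkt):  # decode one export packet; returns the flow records that could be decoded
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        records, off = [], 20
        while off + 4 <= len(pkt):
            fsid, length = struct.unpack("!HH", pkt[off:off + 4])
            if length < 4:
                break                                      # malformed FlowSet length: stop rather than spin
            body = pkt[off + 4:off + length]
            if fsid == 0:                                  # template FlowSet
                self._learn(source_id, body)
            elif (source_id, fsid) in self.templates:      # data FlowSet with a known template
                records += self._decode(self.templates[(source_id, fsid)], body)
            elif fsid >= 256:                              # data FlowSet, template not seen yet
                self.undecodable += 1                      # nothing to do until the next template refresh
            off += length                                  # fsid 1 (options template) is skipped here
        return records
    def _learn(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, n = struct.unpack("!HH", body[off:off + 4])
            self.templates[(source_id, tid)] = [struct.unpack("!HH", body[off + 4 + 4 * i:off + 8 + 4 * i]) for i in range(n)]
            off += 4 + 4 * n
    def _decode(self, fields, body):
        reclen, records = sum(l for _, l in fields), []
        for start in range(0, len(body) - reclen + 1, reclen):   # bytes after the last full record are padding
            rec, off = {}, start
            for ftype, flen in fields:
                raw, off = body[off:off + flen], off + flen
                rec[FIELDS.get(ftype, f"type{ftype}")] = ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
            records.append(rec)
        return records

def sample_packets():  # constructed sample from source-id 1: a template FlowSet (template 256), then one data record
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    data = bytes([172, 16, 200, 4]) + bytes([10, 100, 2, 250]) + struct.pack("!HHBII", 51234, 9995, 17, 1500, 3)
    data += b"\x00" * (-len(data) % 4)                     # FlowSets are padded to a 4-byte boundary
    hdr = lambda count, seq: struct.pack("!HHIIII", 9, count, 1000, 1485129600, seq, 1)
    tmpl_pkt = hdr(1, 1) + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data_pkt = hdr(1, 2) + struct.pack("!HH", 256, 4 + len(data)) + data
    return tmpl_pkt, data_pkt
```

Feeding the data packet before the template packet decodes nothing and counts one undecodable FlowSet; once the template has been learned the same data packet yields the flow record.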
Configuring the Management Server
Installation of NFDump and NFSen:
1. NFDump 2) is an open source solution to receive and store flow data.
2) http://nfdump.sourceforge.net/
2. NFSen 3) is also an open source solution; it shows traffic reports based on flows in a web interface.
3) http://nfsen.sourceforge.net/
3. Both tools can be easily installed following this tutorial.
4. To collect flow data from more than one router, the file /data/nfsen/etc/nfsen.conf must be edited as shown below.
vi /data/nfsen/etc/nfsen.conf
# Add a new line in the "Netflow Sources" section, following the instructions given in that same section.
5. Reload NFSen with the new configuration.
Querying the Information Base
NFDump can be used on the command line to query the NetFlow information base, which is stored by default under the directory /data/nfsen/profiles-data/. This section shows some example commands that generate useful reports.
1. Viewing the top 20 conversations report:
For the last 24 hours:
nfdump -R /data/nfsen/profiles-data/live/MX5-RT/2017/ -t -86400 -A srcip,dstip -O bytes | head -n 21
For a given date:
nfdump -R /data/nfsen/profiles-data/live/MX5-RT/2017/01/23/ -A srcip,dstip -O bytes | head -n 21
2. Top 20 source addresses:
For the last 24 hours:
nfdump -R /data/nfsen/profiles-data/live/MX5-RT/ -t -86400 -s srcip/bytes -n 20 | head -n 22
For a given date:
nfdump -R /data/nfsen/profiles-data/live/MX5-RT/2017/01/23/ -s srcip/bytes -n 20 | head -n 22
3. Traffic to or from a given IP address or subnet:
nfdump -R /data/nfsen/profiles-data/live/MX5-RT/ -t -60 -A srcip,dstip -O bytes 'dst net 22.214.171.124/23'
The -t option defines how many seconds back the search covers. The filter expression 'dst net 126.96.36.199/23' can be replaced by 'src net 188.8.131.52/23', 'dst ip 184.108.40.206', 'src ip 220.127.116.11', among others.
4. Generating a custom report:
nfdump -R /data/nfsen/profiles-data/live/MX5-RT/2017/01 -t 2017/01/01 -o "fmt:%ts %te %td %pr %sap -> %dap %flg %tos %pkt %byt %fl" 'dst net 18.104.22.168/24' | less
Other examples are available on this website.