Netflow on Juniper

Juniper routers can generate flow records and export them to a collector. A flow record describes a connection that crossed the router (addresses, ports, protocol, packet and byte counts), not its payload, so the administrator gets a picture of user behaviour and, as long as every packet is sampled, a record of every connection originating from or destined to the autonomous system, which is often a compliance requirement.

The following tutorial shows how to configure the router and how to set up a collector server that receives and stores the data using open source tools. It also shows how to query the stored flows.

Configuring the Router

1. Define and configure an interface through which flow data will be exported, for example ge-1/1/0. The flow collector must be reachable through this interface: flow records cannot be exported when the collector is only reachable through a management interface such as fxp0 [1].

set interfaces ge-1/1/0 unit 0 family inet address 172.16.200.4/16

2. Define a template for Netflow version 9.

set services flow-monitoring version9 template template1 flow-active-timeout 120
set services flow-monitoring version9 template template1 flow-inactive-timeout 60
set services flow-monitoring version9 template template1 template-refresh-rate packets 100
set services flow-monitoring version9 template template1 template-refresh-rate seconds 600
set services flow-monitoring version9 template template1 option-refresh-rate packets 100
set services flow-monitoring version9 template template1 option-refresh-rate seconds 600
set services flow-monitoring version9 template template1 ipv4-template

3. Define a sampling instance (instance-1) that binds the template (template1) to the flow collector (10.100.2.250) and sets the remaining export properties: UDP port, source address, input (sampling) rate and export rate. NetFlow v9 export is plain UDP with no authentication or encryption, so the collector should only be reachable over a trusted network.

set forwarding-options sampling instance instance-1 input rate 1
set forwarding-options sampling instance instance-1 family inet output flow-server 10.100.2.250 port 9995
set forwarding-options sampling instance instance-1 family inet output flow-server 10.100.2.250 version9 template template1
set forwarding-options sampling instance instance-1 family inet output inline-jflow source-address 172.16.200.4
set forwarding-options sampling instance instance-1 family inet output inline-jflow flow-export-rate 10

With input rate 1 every packet is sampled, and the sampling process consumes a large amount of the router's memory. A sampling rate of around 1000 (one packet in a thousand) keeps the resource consumption of this single feature under control, at the cost of flow records that are statistical estimates rather than a complete list of connections; choose the rate according to whether the goal is traffic visibility or a complete connection log.

After completing the configuration, check the router's CPU and memory usage (for example with show chassis fpc and show chassis routing-engine) to confirm that sampling is not overloading the forwarding engine.

4. Associate the sampling instance (instance-1) with the forwarding engine. On the MX5/MX80 family this is the Taz Forwarding Engine Board (tfeb); on chassis-based MX routers the equivalent statement is set chassis fpc <slot> sampling-instance instance-1.

set chassis tfeb slot 0 sampling-instance instance-1

5. Configure a firewall filter whose only job is to mark packets for sampling (the sample action) and then accept them. If the monitored interface already has a filter applied, add the sample action to a term of that filter instead: a Junos interface takes a single input and a single output filter per family, so the assignment in the next step would replace the existing one.

set firewall family inet filter netflow-ipv4 term captura-flow then sample
set firewall family inet filter netflow-ipv4 term captura-flow then accept

6. Apply the filter in both directions on the interface to be monitored:

set interfaces ge-1/0/1 unit 0 family inet filter input netflow-ipv4
set interfaces ge-1/0/1 unit 0 family inet filter output netflow-ipv4

Configuring the Management Server

Installation of NFDump and NFSen:

1. NFDump [2] is an open source collector that receives and stores flow data.

2. NFSen [3] is an open source web front end that presents traffic reports built from the flows stored by NFDump.

3. Both tools can be easily installed following this tutorial.

4. To collect flow data from one or more routers, edit /data/nfsen/etc/nfsen.conf and add one entry per router to the %sources hash in the "Netflow Sources" section, following the instructions in that section: a name for the router (also used as the data directory), the UDP port the router exports to (9995 in the configuration above) and the type netflow.

vi /data/nfsen/etc/nfsen.conf

#Add a new line in section "Netflow Sources" following the instructions available in that same section

5. Reload the NFSen with the new configuration.

/data/nfsen/bin/nfsen reconfig

Querying the Information Base

NFDump can be used on the command line to query the stored flows, which NFSen keeps by default under /data/nfsen/profiles-data/. This section shows example commands that generate useful reports.

1. Top 20 conversations (source/destination pairs) by bytes:

For the last 24 hours:
nfdump -R /data/nfsen/profiles-data/live/MX5-RT/2017/ -t -86400 -A srcip,dstip -O bytes | head -n 21

For a given date:
nfdump -R /data/nfsen/profiles-data/live/MX5-RT/2017/01/23/ -A srcip,dstip -O bytes | head -n 21

2. Top 20 source addresses by bytes:

For the last 24 hours:
nfdump -R /data/nfsen/profiles-data/live/MX5-RT/ -t -86400 -s srcip/bytes -n 20 | head -n 22

For a given date:
nfdump -R /data/nfsen/profiles-data/live/MX5-RT/2017/01/23/ -s srcip/bytes -n 20 | head -n 22

3. Traffic to or from a given IP address or subnet:

nfdump -R /data/nfsen/profiles-data/live/MX5-RT/ -t -60 -A srcip,dstip -O bytes 'dst net 137.36.34.0/23'

-t limits the time window of the search (here given in seconds).

The expression 'dst net 137.36.34.0/23' can be replaced by 'src net 137.36.34.0/23', 'dst ip 137.36.34.70', 'src ip 137.36.34.70', among others.

4. Generate a custom report with selected fields:

nfdump -R /data/nfsen/profiles-data/live/MX5-RT/2017/01 -t 2017/01/01 -o "fmt:%ts %te %td %pr %sap -> %dap %flg %tos %pkt %byt %fl" 'dst net 31.13.73.0/24' | less

Further examples are available in the NFDump documentation.
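As an added example (not part of the original tutorial nor of the nfdump or NFSen projects), the following Python script reproduces the top-conversation, top-source and 'dst net' reports above on the CSV that nfdump -o csv emits, scales the counters by the sampling rate configured on the router, and goes one step beyond the page by flagging sources that touch many hosts on a single port with one-packet flows. The column names follow nfdump's CSV header; the flow records, the sampling rate of 1000, the subnet 137.36.34.0/23 and the assumption that the exported counters are not pre-scaled are constructed for the example.

```python
import csv
import io
import ipaddress
import sys
from collections import Counter, defaultdict

# Assumption: the router samples 1 packet in 1000 (`input rate 1000`) and the
# exported counters are the sampled values, so they are multiplied back here.
# Check the option template of your platform before relying on scaled numbers.
SAMPLE_RATE = 1000

# Constructed `nfdump -o csv` output (the real header carries more columns and
# the same kind of trailing summary lines; the parser keys on column names and
# skips anything that is not a flow record).
SAMPLE_CSV = """\
ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt
2017-01-23 10:00:01.000,2017-01-23 10:00:05.000,4.000,10.10.1.5,137.36.34.70,51512,443,TCP,.AP.SF,0,0,12,9000
2017-01-23 10:00:02.000,2017-01-23 10:00:02.000,0.000,10.10.1.5,137.36.34.71,51513,22,TCP,....S.,0,0,1,60
2017-01-23 10:00:02.000,2017-01-23 10:00:02.000,0.000,10.10.1.5,137.36.34.72,51514,22,TCP,....S.,0,0,1,60
2017-01-23 10:00:02.000,2017-01-23 10:00:02.000,0.000,10.10.1.5,137.36.34.73,51515,22,TCP,....S.,0,0,1,60
2017-01-23 10:00:03.000,2017-01-23 10:00:30.000,27.000,10.10.2.9,137.36.35.4,40000,80,TCP,.AP.SF,0,0,300,420000
2017-01-23 10:00:04.000,2017-01-23 10:00:04.000,0.000,10.10.3.3,8.8.8.8,53311,53,UDP,......,0,0,1,76
Summary: total flows: 6, total bytes: 429256, total packets: 316, avg bps: 0, avg pps: 0, avg bpp: 0
Time window: 2017-01-23 10:00:01 - 2017-01-23 10:00:30
Total flows processed: 6, Blocks skipped: 0, Bytes read: 440
Sys: 0.001s flows/second: 6000.0  Wall: 0.001s flows/second: 6000.0
"""


def parse_flows(text, sample_rate=SAMPLE_RATE):
    """Parse nfdump CSV text into flow dicts; summary/footer lines are skipped."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            flows.append({
                "sa": ipaddress.ip_address(row["sa"]),
                "da": ipaddress.ip_address(row["da"]),
                "sp": int(row["sp"]),
                "dp": int(row["dp"]),
                "pr": row["pr"],
                "spkts": int(row["ipkt"]),                 # packets actually sampled
                "pkts": int(row["ipkt"]) * sample_rate,    # estimated real packets
                "bytes": int(row["ibyt"]) * sample_rate,   # estimated real bytes
            })
        except (KeyError, TypeError, ValueError):
            continue  # nfdump summary lines, not flow records
    return flows


def top_conversations(flows, n=20):
    """Equivalent of `nfdump -A srcip,dstip -O bytes | head -n 21`."""
    totals = Counter()
    for f in flows:
        totals[(f["sa"], f["da"])] += f["bytes"]
    return totals.most_common(n)


def top_sources(flows, n=20):
    """Equivalent of `nfdump -s srcip/bytes -n 20`."""
    totals = Counter()
    for f in flows:
        totals[f["sa"]] += f["bytes"]
    return totals.most_common(n)


def flows_to_net(flows, cidr):
    """Equivalent of the 'dst net a.b.c.d/len' filter expression."""
    net = ipaddress.ip_network(cidr)
    return [f for f in flows if f["da"] in net]


def scan_candidates(flows, min_hosts=3):
    """Sources that reached at least min_hosts distinct destinations on one TCP
    port with single-packet flows, the shape a SYN scan leaves in flow data.
    Returns (source, dst port, host count) tuples."""
    targets = defaultdict(set)
    for f in flows:
        if f["pr"] == "TCP" and f["spkts"] == 1:
            targets[(f["sa"], f["dp"])].add(f["da"])
    return sorted((str(sa), dp, len(hosts))
                  for (sa, dp), hosts in targets.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    # Real data:  nfdump -R <dir> -t <window> -o csv | python3 flowreport.py
    text = SAMPLE_CSV if sys.stdin.isatty() else sys.stdin.read()
    flows = parse_flows(text)
    for (sa, da), nbytes in top_conversations(flows, 20):
        print(f"{sa} -> {da}: {nbytes} bytes (scaled)")
    for sa, dp, hosts in scan_candidates(flows):
        print(f"possible scan: {sa} -> {hosts} hosts on port {dp}")
```

With 1:1000 sampling a scan that sends a single packet to each host is mostly invisible in the records, which is the practical side of the sampling-rate trade-off discussed in the router configuration: the scan check only has teeth when the input rate is close to 1.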

References

[1] http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/inline-flow-monitoring.html#VT5jL4VmFUHwaj4i.97
[2] http://nfdump.sourceforge.net/
[3] http://nfsen.sourceforge.net/

RADIUS Authentication on Juniper

This article shows how to configure a Juniper router to authenticate users on a RADIUS server.

1. Configure the router with the RADIUS server information:

[edit system]
set system radius-server 10.0.12.1 port 1812
set system radius-server 10.0.12.1 secret yourpassword
set system radius-server 10.0.12.1 timeout 5
set system radius-server 10.0.12.1 retry 3
set system radius-server 10.0.12.1 source-address 192.168.120.4

In this case the RADIUS server has the IP address 10.0.12.1 and listens on UDP port 1812; yourpassword is a placeholder for the shared secret. Junos stores the secret in the configuration in a reversible ($9$) encoding, not a hash, so configuration backups must be protected accordingly.

Continue reading “RADIUS Authentication on Juniper”

Adding a Netflow Listener to Cacti

This article explains how to add new Netflow listeners to Cacti. By default, Cacti is not able to show Netflow reports, so to follow the steps in this article the Flowview plugin has to be installed on Cacti.

1. Configure the Cacti server to receive and store the netflow files by adding the lines shown below to /etc/flow-tools/flow-capture.conf, one line per router. Each line starts a NetFlow v5 listener (-V 5) writing to its own directory (-w), and ends with localip/remoteip/port: a remote IP of 0 accepts flows from any source on that UDP port, so set it to the router's address if the listener should only accept that exporter.

vi /etc/flow-tools/flow-capture.conf

-V 5 -w /var/flow/ABC-Router -n 275 -N 3 -E500M 0/0/3001
-V 5 -w /var/flow/DEF-Router -n 275 -N 3 -E500M 0/0/3002
-V 5 -w /var/flow/GHI-Router -n 275 -N 3 -E500M 0/0/3003
-V 5 -w /var/flow/JKL-Router -n 275 -N 3 -E500M 0/0/3004
-V 5 -w /var/flow/MNO-Router -n 275 -N 3 -E500M 0/0/3005
-V 5 -w /var/flow/PQR-Router -n 275 -N 3 -E500M 0/0/3006
-V 5 -w /var/flow/STU-Router -n 275 -N 3 -E500M 0/0/3007
-V 5 -w /var/flow/VWX-Router -n 275 -N 3 -E500M 0/0/3008
-V 5 -w /var/flow/XYZ-Router -n 275 -N 3 -E500M 0/0/3009

Continue reading “Adding a Netflow Listener to Cacti”

Traffic Classification and Marking on HP Switches

1. The QoS service offered by the ISP allows for control of how traffic is prioritised and bandwidth is reserved, with three queues available (multimedia – VoIP, critical data and normal data). Packets must be remarked with the following values to be classified into each queue:

Continue reading “Traffic Classification and Marking on HP Switches”

Limiting Application Bandwidth on HP Switches

In this article we will configure the HP7510 switch to limit the bandwidth for two specific applications. The switch is placed in the company central building and is connected to the WAN router that provides access to offices in different remote locations. Continue reading “Limiting Application Bandwidth on HP Switches”

Traffic Classification and Marking on Cisco IOS

In this article I will show how to mark IP packets to prioritize multimedia and critical applications following a QoS policy that will be later enforced inside the ISP cloud.

1. The QoS service offered by the ISP allows for control of how traffic is prioritized and bandwidth is reserved, with three queues available as shown in the figure below.

Continue reading “Traffic Classification and Marking on Cisco IOS”