Netflow with Juniper

Juniper routers can generate flow records and send them to a management server. This feature lets the administrator monitor all the traffic that flows through the router, giving a better picture of the users’ behavior, and allows every connection originating from or destined to that particular autonomous system to be recorded for compliance requirements.

The following tutorial shows how to configure the router and how to set up a management server to receive and store the data using open source tools. In addition, it shows how to query the information base.

Configuring the Router

1. Define and configure an interface to export flow data, like ge-1/1/0. The flow collector server must be reachable through this same interface, since flow records cannot be exported if the flow collector is reachable through a management interface like fxp0. [1]

set interfaces ge-1/1/0 unit 0 family inet address 172.16.200.4/16

2. Define a template for Netflow version 9.

set services flow-monitoring version9 template template1 flow-active-timeout 120
set services flow-monitoring version9 template template1 flow-inactive-timeout 60
set services flow-monitoring version9 template template1 template-refresh-rate packets 100
set services flow-monitoring version9 template template1 template-refresh-rate seconds 600
set services flow-monitoring version9 template template1 option-refresh-rate packets 100
set services flow-monitoring version9 template template1 option-refresh-rate seconds 600
set services flow-monitoring version9 template template1 ipv4-template

3. Define a “sampling instance” (instance-1) that will assign the defined template (template1) to the flow listener (10.100.2.250) and any additional required properties (TCP port, source address, input rate and export rate).

set forwarding-options sampling instance instance-1 input rate 1
set forwarding-options sampling instance instance-1 family inet output flow-server 10.100.2.250 port 9995
set forwarding-options sampling instance instance-1 family inet output flow-server 10.100.2.250 version9 template template1
set forwarding-options sampling instance instance-1 family inet output inline-jflow source-address 172.16.200.4
set forwarding-options sampling instance instance-1 family inet output inline-jflow flow-export-rate 10

The configuration above, with the sampling rate set to 1, causes the sampled process to consume much more memory. A sampling rate as high as 1000 should be used instead to avoid excessive consumption of the router’s resources.

4. Associate the sampling instance (instance-1) to the Taz Forwarding Engine Board (tfeb).

set chassis tfeb slot 0 sampling-instance instance-1

5. Configure a firewall filter that will be responsible only for collecting Netflow (“sample”).

set firewall family inet filter netflow-ipv4 term captura-flow then sample
set firewall family inet filter netflow-ipv4 term captura-flow then accept

6. Assign the above created firewall filter to the interface that will be monitored:

set interfaces ge-1/0/1 unit 0 family inet filter input netflow-ipv4
set interfaces ge-1/0/1 unit 0 family inet filter output netflow-ipv4

At this point with the router’s configuration ready, it is recommended to check its performance using the commands suggested in this article as there will be an increase in memory and CPU usage.
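
The export configured above is template-based: the collector can decode a Netflow version 9 data record only after it has received the matching template, which the router resends according to the template-refresh-rate set in step 2. The following is an added example, not part of the original tutorial or of any Juniper or NFDump code, that decodes version 9 export packets the way a collector does and counts data flowsets that arrive before their template. The function names, the template ID 256 and the packet bytes are constructed for illustration.

```python
import ipaddress
import struct

FIELDS = {1: "in_bytes", 4: "proto", 7: "src_port", 8: "src_ip",
          11: "dst_port", 12: "dst_ip"}           # subset of RFC 3954 field types

def parse_v9(packet, templates):
    """Decode one v9 packet; `templates` is updated. Returns (flows, undecodable)."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, undecodable, off = [], 0, 20          # skip the 20-byte header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed flowset length")
        body, pos = packet[off + 4:off + fs_len], 0
        while fs_id == 0 and pos + 4 <= len(body):   # template flowset
            tid, n = struct.unpack_from("!HH", body, pos)
            if n == 0 or pos + 4 + 4 * n > len(body):
                break                            # padding or truncated record
            templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                              for i in range(n)]
            pos += 4 + 4 * n
        if fs_id > 255:                          # data flowset
            tmpl = templates.get(fs_id, [])
            rec_len = sum(length for _, length in tmpl)
            if not rec_len:
                undecodable += 1                 # template not learned yet
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, length in tmpl:
                    raw, pos = body[pos:pos + length], pos + length
                    rec[FIELDS.get(ftype, ftype)] = (
                        str(ipaddress.IPv4Address(raw)) if ftype in (8, 12)
                        else int.from_bytes(raw, "big"))
                flows.append(rec)
        off += fs_len
    return flows, undecodable

def sample_packets():
    """Constructed template and data packets (not captured router traffic)."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
    tbody = struct.pack("!HH", 256, len(fields)) + b"".join(
        struct.pack("!HH", *f) for f in fields)
    rec = bytes([192, 0, 2, 10, 198, 51, 100, 7]) + struct.pack(
        "!HHBI3x", 51514, 443, 6, 1500)
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 1)
    return (header + struct.pack("!HH", 0, 4 + len(tbody)) + tbody,
            header + struct.pack("!HH", 256, 4 + len(rec)) + rec)
```

Feeding the data packet before the template packet returns no flows and one undecodable flowset, which is what a collector started after the router sees until the next template refresh.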

Configuring the Management Server

NFDump and NFSen will be used on the server to receive and report the data received from the router. NFDump [2] is an open source solution to receive and store flow data. NFSen [3] is also open source and is used for displaying traffic reports based on flow data through a web interface.

Both tools can be easily installed following this tutorial.

To collect flow data from more than one router, the file /data/nfsen/etc/nfsen.conf must be edited as shown below.

vi /data/nfsen/etc/nfsen.conf

Add a new line to section “Netflow Sources” in the file above. The default file comes with instructions on how to add data to each section of it.

Then, reload NFSen with the new configuration.

/data/nfsen/bin/nfsen reconfig

Querying the Information Base

NFDump can be used on the command line to query the netflow information base, which is stored by default in the directory /data/nfsen/profiles-data/. This section shows some examples of commands to generate useful reports.

1. Viewing the top 20 conversations report:

For the last 24 hours:
nfdump -R /data/nfsen/profiles-data/live/MX5-RT/2017/ -t -86400 -A srcip,dstip -O bytes | head -n 21

For a given date:
nfdump -R /data/nfsen/profiles-data/live/MX5-RT/2017/01/23/ -A srcip,dstip -O bytes | head -n 21

2. Top 20 source addresses:

For the last 24 hours:
nfdump -R /data/nfsen/profiles-data/live/MX5-RT/ -t -86400 -s srcip/bytes -n 20 | head -n 22

For a given date:
nfdump -R /data/nfsen/profiles-data/live/MX5-RT/2017/01/23/ -s srcip/bytes -n 20 | head -n 22

3. Traffic to or from a given IP address or subnet:

nfdump -R /data/nfsen/profiles-data/live/MX5-RT/ -t -60 -A srcip,dstip -O bytes 'dst net 137.36.34.0/23'

-t defines how many seconds are considered in the search.

The expression 'dst net 137.36.34.0/23' can be replaced by 'src net 137.36.34.0/23', 'dst ip 137.36.34.70', 'src ip 137.36.34.70', among others.

4. Generating a custom report with the indicated columns:

nfdump -R /data/nfsen/profiles-data/live/MX5-RT/2017/01 -t 2017/01/01 -o "fmt:%ts %te %td %pr %sap %dap %flg %tos %pkt %byt %fl" 'dst net 31.13.73.0/24' | less

More examples available in this link.

References

1. http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/inline-flow-monitoring.html#VT5jL4VmFUHwaj4i.97
2. http://nfdump.sourceforge.net/
3. http://nfsen.sourceforge.net/
