Hello
Today we are going to walk through how to configure your Juniper router to export NetFlow (jFlow). At the end of the article you will find the configuration using IPFIX (NetFlow v10).
Here is the network topology and the NetFlow server information: in this lab the collector is 192.168.210.47, listening on UDP port 2055; the router reaches it through ge-0/0/0 (192.168.210.49/24), and ge-0/0/1 is the WAN/transit interface whose traffic we want to sample.
These are the steps needed to configure the Juniper router to export NetFlow v5:
- Configure the NTP server
- Configure forwarding-options with the sampling rate
- Configure the host that will receive the flows from the router
- Configure the interface to enable NetFlow on it
Let's go through the configuration step by step.
1. Configure the NTP server
It is important to configure an NTP server because flow records carry timestamps derived from the router's clock. If the router's time differs from the collector's, the flows will be stamped with the wrong time and will not line up with other evidence (syslog, flows from other routers, firewall logs), which is exactly what you need when investigating an incident.
Configure at least two NTP servers and also set the router's time zone.
## Using the a.ntp.br and b.ntp.br servers
set system ntp server 200.160.0.8
set system ntp server 200.189.40.8
## Configuring the time zone
set system time-zone America/Sao_Paulo
## The standard way to view the Juniper configuration
guilherme@vMX-BGP> show configuration system
system {
    time-zone America/Sao_Paulo;
    ntp {
        server 200.160.0.8;
        server 200.189.40.8;
    }
}
2. Configure forwarding-options with the sampling rate
Sampling exists to keep the Routing Engine's CPU from being overloaded: instead of accounting for every packet, the router takes one packet in every N, builds flow records from that sample and exports them. The collector then multiplies the sampled byte and packet counters by the sampling rate so the numbers approximate the real traffic. Keep in mind that at 1-in-500 a short flow (a single SYN from a port scan, a few-packet DNS exchange) will often not be sampled at all, so sampled flows are good for volume and top-talker analysis but are not a complete record of every connection.
To configure it use the commands below. The ideal rate depends on how much traffic you carry; a useful tip is to start with values above 200 and watch the router's CPU as you adjust.
## Applying a rate of 500
set forwarding-options sampling input rate 500
## How Juniper displays it without display set
forwarding-options {
    sampling {
        input {
            rate 500;
        }
    }
}
3. Configure the host that will receive the flows from the router
To configure the router to export NetFlow you need to specify the IP address of the server that will receive the flows and the UDP port it listens on. NetFlow v5 is plain UDP with no authentication or encryption: anyone who can reach the collector's port can inject bogus flows, and anyone on the path can read them. Keep the export on a management network (here the collector sits on the 192.168.210.0/24 segment behind ge-0/0/0) and have the collector accept flows only from the router's address. To confirm packets are actually arriving, a capture on the collector filtered on UDP port 2055 is the quickest check.
Use the following commands:
## Exporting to IP 192.168.210.47 on port 2055 using NetFlow version 5
set forwarding-options sampling family inet output flow-server 192.168.210.47 port 2055
set forwarding-options sampling family inet output flow-server 192.168.210.47 version 5
## Show output without display set
guilherme@vMX-BGP> show configuration forwarding-options
sampling {
    family inet {
        output {
            flow-server 192.168.210.47 {
                port 2055;
                version 5;
            }
        }
    }
}
4. Configure the interface to enable NetFlow on it
After configuring the sampling rate and the flow server you still need to enable sampling on the interfaces whose traffic should generate flows. Remember that the command goes inside each unit (logical interface), not on the physical interface. Note also that sampling input only samples traffic entering that interface: on a transit link it captures what arrives from the provider, and outbound traffic is only seen if you also enable sampling output on the same unit or sampling input on the inside interfaces.
To do this, configure the interfaces inside each unit with the following command:
### Apply the sampling input command
set interfaces ge-0/0/1 unit 0 family inet sampling input
The complete configuration looks like this:
guilherme@vMX-BGP> show configuration | display set
set system time-zone America/Sao_Paulo
set system ntp server 200.160.0.8
set system ntp server 200.189.40.8
set interfaces ge-0/0/0 description "Fala com o Netflow"
set interfaces ge-0/0/0 unit 0 family inet address 192.168.210.49/24
set interfaces ge-0/0/1 description "INTERFACE WAN - TRANSITO IP"
set interfaces ge-0/0/1 unit 0 family inet sampling input
set interfaces ge-0/0/1 unit 0 family inet address 200.200.200.1/30
set forwarding-options sampling input rate 500
set forwarding-options sampling family inet output flow-server 192.168.210.47 port 2055
set forwarding-options sampling family inet output flow-server 192.168.210.47 version 5
## Juniper show output
guilherme@vMX-BGP> show configuration
Last commit: 2019-01-30 13:30:01 BRST by guilherme
version 17.1R2.7;
system {
    host-name vMX-BGP;
    time-zone America/Sao_Paulo;
    ntp {
        server 200.160.0.8;
        server 200.189.40.8;
    }
}
interfaces {
    ge-0/0/0 {
        description "Fala com o Netflow";
        unit 0 {
            family inet {
                address 192.168.210.49/24;
            }
        }
    }
    ge-0/0/1 {
        description "INTERFACE WAN - TRANSITO IP";
        unit 0 {
            family inet {
                sampling {
                    input;
                }
                address 200.200.200.1/30;
            }
        }
    }
}
forwarding-options {
    sampling {
        input {
            rate 500;
        }
        family inet {
            output {
                flow-server 192.168.210.47 {
                    port 2055;
                    version 5;
                }
            }
        }
    }
}
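As an added example (not code from the original post), here is a small NetFlow v5 decoder in Python, the kind of thing you would run on the collector at 192.168.210.47 to see what the configuration above actually produces on UDP/2055. The datagram it parses is constructed inline with documentation addresses; the sampling interval (500) and the router clock value are assumptions that mirror the configuration. It shows the two things the text relies on: the sampled counters are scaled back up by the rate, and each flow's start/end time is computed from the router's uptime relative to its wall clock, so a router that is not NTP-synced shifts every flow time.

```python
"""NetFlow v5 decoder: scale sampled counters and recover absolute timestamps.

Added example, not code from the original post.  The datagram is constructed
here to resemble what a router configured with 'sampling input rate 500' and
'flow-server 192.168.210.47 port 2055 version 5' would send.  Field layout is
the standard NetFlow v5 header (24 bytes) and record (48 bytes).
"""
import struct
from datetime import datetime, timezone
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes

# Constructed sample flows (documentation addresses, not real hosts).
# 'first'/'last' are router uptime in ms, as in the real record format.
SAMPLE_FLOWS = [
    {"src": "203.0.113.10", "dst": "198.51.100.25", "sport": 51514, "dport": 443,
     "proto": 6, "flags": 0x18, "in_if": 2, "out_if": 1, "pkts": 3, "bytes": 4500,
     "first": 1_000_000, "last": 1_020_000},
    # a lone SYN toward the router's own WAN address: typical port-scan residue
    {"src": "203.0.113.10", "dst": "200.200.200.1", "sport": 40000, "dport": 22,
     "proto": 6, "flags": 0x02, "in_if": 2, "out_if": 0, "pkts": 1, "bytes": 60,
     "first": 1_090_000, "last": 1_090_000},
]
EXPORT_UNIX_SECS = 1548862201   # 2019-01-30 15:30:01 UTC, the router's NTP-synced clock
EXPORT_SYSUPTIME = 1_100_000    # router uptime in ms at export time (assumed)


def build_v5_packet(unix_secs, sysuptime_ms, flows, seq=0, sampling_interval=500):
    """Pack a v5 datagram (test data only; the router does this for real)."""
    # sampling_interval field: top 2 bits = mode (01 = packet interval sampling),
    # low 14 bits = 1-in-N.  Some exporters leave the whole field at zero.
    si = (0b01 << 14) | (sampling_interval & 0x3FFF)
    header = V5_HEADER.pack(5, len(flows), sysuptime_ms, unix_secs, 0, seq, 0, 0, si)
    body = b"".join(
        V5_RECORD.pack(
            IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed, b"\0\0\0\0",
            f["in_if"], f["out_if"], f["pkts"], f["bytes"], f["first"], f["last"],
            f["sport"], f["dport"], 0, f["flags"], f["proto"], 0, 0, 0, 0, 0, 0)
        for f in flows)
    return header + body


def decode_v5(packet, configured_rate=None):
    """Decode one datagram; multiply sampled counters back to estimated totals.

    The multiplier is taken from the header's sampling_interval field.  If the
    exporter leaves it at zero, fall back to the rate the operator configured
    with 'forwarding-options sampling input rate N'.
    """
    if len(packet) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sysuptime, unix_secs, unix_nsecs, seq,
     _engine_type, _engine_id, si) = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(packet) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    multiplier = (si & 0x3FFF) or configured_rate or 1
    export_time = unix_secs + unix_nsecs / 1e9
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, _tos, _src_as, _dst_as, _src_mask, _dst_mask,
         _pad2) = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        # first/last are uptime ms; anchor them to the export timestamp.  This is
        # where a router clock that is not NTP-synced corrupts every flow time.
        start = export_time - (sysuptime - first) / 1000
        end = export_time - (sysuptime - last) / 1000
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": tcp_flags,
            "in_if": in_if, "out_if": out_if,
            "sampled_pkts": pkts, "sampled_bytes": octets,
            "est_pkts": pkts * multiplier, "est_bytes": octets * multiplier,
            "start": datetime.fromtimestamp(start, timezone.utc),
            "end": datetime.fromtimestamp(end, timezone.utc),
        })
    return {"sequence": seq, "multiplier": multiplier, "flows": flows}


PACKET = build_v5_packet(EXPORT_UNIX_SECS, EXPORT_SYSUPTIME, SAMPLE_FLOWS, seq=42)

if __name__ == "__main__":
    result = decode_v5(PACKET)
    print(f"sequence={result['sequence']} multiplier={result['multiplier']}")
    for f in result["flows"]:
        print(f"{f['start']:%H:%M:%S}-{f['end']:%H:%M:%S} {f['src']}:{f['sport']} -> "
              f"{f['dst']}:{f['dport']} proto={f['proto']} "
              f"bytes={f['sampled_bytes']} (est. {f['est_bytes']})")
```

Run it with python3. If your exporter leaves the sampling_interval header field at zero, pass configured_rate=500 so the collector scales by the rate you set under forwarding-options; the second constructed flow (one SYN to port 22) is the kind of record that only survives sampling by luck, which is the caveat from step 2.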
To make things even easier, there is a video demonstrating each command applied in this tutorial.
As a bonus, here are the IPFIX configurations for a few router models.
Juniper MX204
On routers such as the MX204 you can use IPFIX (NetFlow v10) with inline jflow, where the flow records are built on the line card instead of on the Routing Engine. To configure the MX204 use the commands below, changing the flow-server and source-address IPs (10.1.1.1 is the collector and 10.1.1.2 the router's export source address in this template; replace both). A few settings are worth understanding: flow-active-timeout 60 exports a long-lived flow every 60 seconds and flow-inactive-timeout 15 exports a flow 15 seconds after its last packet, which bounds how stale the data on the collector can be; template-refresh-rate and option-refresh-rate resend the IPFIX templates every 30 seconds, which matters because a collector that starts (or restarts) after the router cannot decode any data record until it has seen the template; run-length 0 samples only the triggering packet, and max-packets-per-second 10000 caps how many sampled packets per second are handed to the sampler, a safety valve under a flood.
set services flow-monitoring version-ipfix template MADE4FLOW flow-active-timeout 60
set services flow-monitoring version-ipfix template MADE4FLOW flow-inactive-timeout 15
set services flow-monitoring version-ipfix template MADE4FLOW template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template MADE4FLOW option-refresh-rate seconds 30
set services flow-monitoring version-ipfix template MADE4FLOW ipv4-template
set services flow-monitoring version-ipfix template MADE4FLOW-v6 flow-active-timeout 60
set services flow-monitoring version-ipfix template MADE4FLOW-v6 flow-inactive-timeout 15
set services flow-monitoring version-ipfix template MADE4FLOW-v6 template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template MADE4FLOW-v6 option-refresh-rate seconds 30
set services flow-monitoring version-ipfix template MADE4FLOW-v6 ipv6-template
set chassis fpc 0 sampling-instance MADE4FLOW
set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 10
set chassis fpc 0 inline-services flow-table-size ipv6-flow-table-size 5
set forwarding-options sampling instance MADE4FLOW input rate 1000
set forwarding-options sampling instance MADE4FLOW input run-length 0
set forwarding-options sampling instance MADE4FLOW input max-packets-per-second 10000
set forwarding-options sampling instance MADE4FLOW family inet output flow-inactive-timeout 15
set forwarding-options sampling instance MADE4FLOW family inet output flow-active-timeout 60
set forwarding-options sampling instance MADE4FLOW family inet output flow-server 10.1.1.1 port 2055
set forwarding-options sampling instance MADE4FLOW family inet output flow-server 10.1.1.1 autonomous-system-type origin
set forwarding-options sampling instance MADE4FLOW family inet output flow-server 10.1.1.1 version-ipfix template MADE4FLOW
set forwarding-options sampling instance MADE4FLOW family inet output inline-jflow source-address 10.1.1.2
set forwarding-options sampling instance MADE4FLOW family inet6 output flow-inactive-timeout 15
set forwarding-options sampling instance MADE4FLOW family inet6 output flow-active-timeout 60
set forwarding-options sampling instance MADE4FLOW family inet6 output flow-server 10.1.1.1 port 2055
set forwarding-options sampling instance MADE4FLOW family inet6 output flow-server 10.1.1.1 autonomous-system-type origin
set forwarding-options sampling instance MADE4FLOW family inet6 output flow-server 10.1.1.1 version-ipfix template MADE4FLOW-v6
set forwarding-options sampling instance MADE4FLOW family inet6 output inline-jflow source-address 10.1.1.2
### On each interface and each unit, add the commands
set interfaces xe-2/0/0 unit 151 family inet sampling input
set interfaces xe-2/0/0 unit 151 family inet6 sampling input
Juniper MX104
For the Juniper MX104 use the commands below. Note that the MX104 only supports exporting to one NetFlow server with IPFIX. Note also that in this template the inactive timeout under the flow-monitoring template (30) differs from the one under the sampling instance output (15); choose one value and use it in both places so the behaviour is unambiguous.
set services flow-monitoring version-ipfix template MADE4FLOW flow-active-timeout 60
set services flow-monitoring version-ipfix template MADE4FLOW flow-inactive-timeout 30
set services flow-monitoring version-ipfix template MADE4FLOW template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template MADE4FLOW option-refresh-rate seconds 30
set services flow-monitoring version-ipfix template MADE4FLOW ipv4-template
set services flow-monitoring version-ipfix template MADE4FLOW-v6 flow-active-timeout 60
set services flow-monitoring version-ipfix template MADE4FLOW-v6 flow-inactive-timeout 30
set services flow-monitoring version-ipfix template MADE4FLOW-v6 template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template MADE4FLOW-v6 option-refresh-rate seconds 30
set services flow-monitoring version-ipfix template MADE4FLOW-v6 ipv6-template
set forwarding-options sampling instance MADE4FLOW input rate 500
set forwarding-options sampling instance MADE4FLOW input run-length 0
set forwarding-options sampling instance MADE4FLOW family inet output flow-inactive-timeout 15
set forwarding-options sampling instance MADE4FLOW family inet output flow-active-timeout 60
set forwarding-options sampling instance MADE4FLOW family inet output flow-server 10.1.1.1 port 2055
set forwarding-options sampling instance MADE4FLOW family inet output flow-server 10.1.1.1 version-ipfix template MADE4FLOW
set forwarding-options sampling instance MADE4FLOW family inet output inline-jflow source-address 10.1.1.2
set forwarding-options sampling instance MADE4FLOW family inet6 output flow-inactive-timeout 15
set forwarding-options sampling instance MADE4FLOW family inet6 output flow-active-timeout 60
set forwarding-options sampling instance MADE4FLOW family inet6 output flow-server 10.1.1.1 port 2055
set forwarding-options sampling instance MADE4FLOW family inet6 output flow-server 10.1.1.1 version-ipfix template MADE4FLOW-v6
set forwarding-options sampling instance MADE4FLOW family inet6 output inline-jflow source-address 10.1.1.2
set chassis afeb slot 0 sampling-instance MADE4FLOW
## On each interface of your router use the commands
set interfaces xe-2/0/0 unit 151 family inet sampling input
set interfaces xe-2/0/0 unit 151 family inet6 sampling input
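Both IPFIX configurations above (MX204 and MX104) resend their templates every 30 seconds (template-refresh-rate seconds 30). As an added example, not code from the original post or from Juniper, the Python collector below shows why that matters: an IPFIX data set is only decodable once the collector holds the template that describes it, so a collector that starts after the router sits blind until the next refresh. Message and set layout follow RFC 7011; the template ID (256), observation domain (0) and field list are assumptions chosen to resemble a common IPv4 template, and all records are constructed.

```python
"""Minimal IPFIX (NetFlow v10) collector showing why template refresh matters.

Added example, not from the original post or from Juniper.  Layout follows
RFC 7011.  Assumptions: template ID 256, observation domain 0 and the field
list below (a plausible IPv4 template, not a copy of what Junos sends).
"""
import struct
from ipaddress import IPv4Address

MSG_HDR = struct.Struct("!HHIII")  # version=10, length, exportTime, sequence, observationDomainId
SET_HDR = struct.Struct("!HH")     # setId, length (2 = template set, >=256 = data set)

# IANA information elements used by the constructed template: (id, length)
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8), (2, 8), (10, 4), (14, 4)]
IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
            7: "sourceTransportPort", 8: "sourceIPv4Address", 10: "ingressInterface",
            11: "destinationTransportPort", 12: "destinationIPv4Address", 14: "egressInterface"}
TEMPLATE_ID = 256
SAMPLE_RECORDS = [  # constructed records with documentation addresses
    {"sourceIPv4Address": "203.0.113.10", "destinationIPv4Address": "198.51.100.25",
     "sourceTransportPort": 51514, "destinationTransportPort": 443, "protocolIdentifier": 6,
     "octetDeltaCount": 4500, "packetDeltaCount": 3, "ingressInterface": 5, "egressInterface": 6},
    {"sourceIPv4Address": "203.0.113.10", "destinationIPv4Address": "198.51.100.7",
     "sourceTransportPort": 40000, "destinationTransportPort": 22, "protocolIdentifier": 6,
     "octetDeltaCount": 60, "packetDeltaCount": 1, "ingressInterface": 5, "egressInterface": 6},
]


class IpfixCollector:
    """Per-domain template cache; data sets that arrive before their template
    are buffered until a template refresh makes them decodable."""

    def __init__(self):
        self.templates = {}  # (domain, template_id) -> [(ie_id, length, enterprise), ...]
        self.pending = {}    # (domain, template_id) -> [raw data set bytes, ...]
        self.flows = []

    def receive(self, msg):
        """Process one IPFIX message; return the number of records decoded now."""
        version, length, _export_time, _seq, domain = MSG_HDR.unpack_from(msg, 0)
        if version != 10 or length != len(msg):
            raise ValueError("not a well-formed IPFIX message")
        decoded, off = 0, MSG_HDR.size
        while off + SET_HDR.size <= length:
            set_id, set_len = SET_HDR.unpack_from(msg, off)
            if set_len < SET_HDR.size:
                raise ValueError("bad set length")
            body = msg[off + SET_HDR.size:off + set_len]
            if set_id == 2:
                for tid in self._parse_templates(domain, body):
                    # a fresh template unlocks anything buffered for it
                    for raw in self.pending.pop((domain, tid), []):
                        decoded += self._decode_data(domain, tid, raw)
            elif set_id >= 256:
                if (domain, set_id) in self.templates:
                    decoded += self._decode_data(domain, set_id, body)
                else:
                    self.pending.setdefault((domain, set_id), []).append(body)
            # set_id 3 (options template) and any other set are ignored here
            off += set_len
        return decoded

    def _parse_templates(self, domain, body):
        ids, off = [], 0
        while off + 4 <= len(body):  # trailing bytes shorter than a record are padding
            tid, count = struct.unpack_from("!HH", body, off)
            off += 4
            fields = []
            for _ in range(count):
                ie_id, flen = struct.unpack_from("!HH", body, off)
                off += 4
                enterprise = bool(ie_id & 0x8000)
                if enterprise:       # enterprise-specific element: skip its PEN
                    off += 4
                fields.append((ie_id & 0x7FFF, flen, enterprise))
            self.templates[(domain, tid)] = fields
            ids.append(tid)
        return ids

    def _decode_data(self, domain, tid, body):
        fields = self.templates[(domain, tid)]
        rec_len = sum(flen for _, flen, _ in fields)
        n, off = 0, 0
        while rec_len and off + rec_len <= len(body):
            rec = {}
            for ie_id, flen, enterprise in fields:
                raw = body[off:off + flen]
                off += flen
                if enterprise:
                    rec[f"enterprise_{ie_id}"] = raw
                elif ie_id in (8, 12) and flen == 4:
                    rec[IE_NAMES[ie_id]] = str(IPv4Address(raw))
                else:
                    rec[IE_NAMES.get(ie_id, f"ie{ie_id}")] = int.from_bytes(raw, "big")
            self.flows.append(rec)
            n += 1
        return n


def template_set(template_id, fields):
    return struct.pack("!HH", template_id, len(fields)) + b"".join(
        struct.pack("!HH", ie_id, flen) for ie_id, flen in fields)


def data_set(fields, records):
    out = b""
    for rec in records:
        for ie_id, flen in fields:
            value = rec[IE_NAMES[ie_id]]
            out += IPv4Address(value).packed if ie_id in (8, 12) else value.to_bytes(flen, "big")
    return out


def build_message(seq, domain, sets, export_time=1548862201):
    body = b"".join(SET_HDR.pack(set_id, SET_HDR.size + len(b)) + b for set_id, b in sets)
    return MSG_HDR.pack(10, MSG_HDR.size + len(body), export_time, seq, domain) + body


def replay_after_collector_restart():
    """Collector starts after the router: the first data set is buffered, the
    next template refresh releases it.  Returns (decoded_first, decoded_second, flows)."""
    collector = IpfixCollector()
    data = data_set(TEMPLATE_FIELDS, SAMPLE_RECORDS)
    # IPFIX sequence numbers count data records, so a gap beyond 2 here means loss
    first = collector.receive(build_message(100, 0, [(TEMPLATE_ID, data)]))
    second = collector.receive(build_message(102, 0, [
        (2, template_set(TEMPLATE_ID, TEMPLATE_FIELDS)), (TEMPLATE_ID, data)]))
    return first, second, collector.flows


if __name__ == "__main__":
    first, second, flows = replay_after_collector_restart()
    print(f"before template refresh: {first} records decoded; after: {second}")
    for f in flows:
        print(f"{f['sourceIPv4Address']}:{f['sourceTransportPort']} -> "
              f"{f['destinationIPv4Address']}:{f['destinationTransportPort']} "
              f"proto={f['protocolIdentifier']} bytes={f['octetDeltaCount']}")
```

The buffering in receive is the design choice to notice: a real collector that simply drops undecodable data sets loses up to 30 seconds of flows after every restart with the refresh rate above, and much more if you raise it; a collector that buffers them can recover once the template arrives, at the cost of memory under a flood of unknown template IDs, which is why a bound on pending data is advisable in production.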
If you have a router that is not covered here, send an email to comercial@made4it.com.br and we will send you the configuration.
I hope this helped; see you next time.
All the best.