Documentation to integrate FastNetMon with inline jFlow / IPFIX using Juniper MX Series routers.

To get the most reliable NetFlow / IPFIX export, we recommend enabling the flex-flow-sizing option. It provides a convenient way to automatically adjust the size of the flow tables according to the amount of traffic in your network. If you cannot use it for some reason, please check our manual configuration guide on fine tuning for flow tables.

If you want to achieve better DDoS attack detection speed, we recommend checking this article instead.

In this example, we use rate=500. It works well for traffic volumes from 100 Mbits/s. You can increase it to rate=1000, depending on your traffic.

FastNetMon can learn the sampling rate automatically, so you do not need to configure it on the FastNetMon side.

We recommend capturing traffic telemetry from the transit / upstream port. In this example it is ge-1/0/0.0.

Enable sampling on the transit interfaces. Run this for each transit interface on each router:

set interfaces ge-1/0/0 unit 0 family inet sampling input

Check the configuration of the interface facing the collector (ge-1/0/4 in this example):

r1# show interfaces ge-1/0/4  
unit 0 {
    description netflow-collector;
    family inet {
        address 10.50.1.1/30;
    }
}



r1# show interfaces ge-1/0/4 | display set 
set interfaces ge-1/0/4 unit 0 description netflow-collector
set interfaces ge-1/0/4 unit 0 family inet address 10.50.1.1/30

Now add the template configuration on r1 and r2. Pay attention to flow-active-timeout and flow-inactive-timeout: both should be less than average_calculation_time.

For FastNetMon Advanced, you can use the command line interface to configure it:

sudo fcli set main average_calculation_time 20
sudo fcli commit

Full configuration:

set services flow-monitoring version-ipfix template ipv4 flow-active-timeout 15
set services flow-monitoring version-ipfix template ipv4 flow-inactive-timeout 15
set services flow-monitoring version-ipfix template ipv4 template-refresh-rate packets 1000
set services flow-monitoring version-ipfix template ipv4 template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv4 option-refresh-rate packets 1000
set services flow-monitoring version-ipfix template ipv4 option-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv4 ipv4-template
set chassis tfeb slot 0 sampling-instance ipfix


flow-monitoring {
    version-ipfix {
        template ipv4 {
            flow-active-timeout 15;
            flow-inactive-timeout 15;
            template-refresh-rate {
                packets 1000;
                seconds 10;
            }
            option-refresh-rate {
                packets 1000;
                seconds 10;
            }
            ipv4-template;
        }
    }
}

slot 0 {
    sampling-instance ipfix;
}

Now set up the IPFIX export:

r1# show forwarding-options 
sampling {
    instance {
        ipfix {
            input {
                rate 500;
            }
            family inet {
                output {
                    flow-server 10.50.1.2 {
                        port 2055;
                        version-ipfix {
                            template {
                                ipv4;
                            }
                        }
                    }
                    inline-jflow {
                        source-address 10.50.1.1;
                    }
                }
            }
        }
    }
}

r1# show forwarding-options | display set 
set forwarding-options sampling instance ipfix input rate 500
set forwarding-options sampling instance ipfix family inet output flow-server 10.50.1.2 port 2055
set forwarding-options sampling instance ipfix family inet output flow-server 10.50.1.2 version-ipfix template ipv4
set forwarding-options sampling instance ipfix family inet output inline-jflow source-address 10.50.1.1
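
A quick consistency check over the finished configuration, as an added example that is not part of the original documentation or of FastNetMon. The function name audit_export_config and the SAMPLE_CONFIG text are assumptions for illustration; the sample is constructed from the `display set` lines on this page, with the sampled interface written in `unit 0` form.

```python
import re

# Constructed sample: this page's "display set" lines, not a live capture.
SAMPLE_CONFIG = """\
set interfaces ge-1/0/0 unit 0 family inet sampling input
set services flow-monitoring version-ipfix template ipv4 flow-active-timeout 15
set services flow-monitoring version-ipfix template ipv4 flow-inactive-timeout 15
set services flow-monitoring version-ipfix template ipv4 ipv4-template
set chassis tfeb slot 0 sampling-instance ipfix
set forwarding-options sampling instance ipfix input rate 500
set forwarding-options sampling instance ipfix family inet output flow-server 10.50.1.2 port 2055
set forwarding-options sampling instance ipfix family inet output flow-server 10.50.1.2 version-ipfix template ipv4
set forwarding-options sampling instance ipfix family inet output inline-jflow source-address 10.50.1.1
"""

def audit_export_config(config, average_calculation_time):
    """Return a list of problems found in Junos 'display set' text ([] = OK)."""
    problems = []
    templates = set(re.findall(r"flow-monitoring version-ipfix template (\S+) ", config))
    # Both timeouts of every template must be below FastNetMon's averaging window.
    for name in sorted(templates):
        for knob in ("flow-active-timeout", "flow-inactive-timeout"):
            m = re.search(rf"template {re.escape(name)} {knob} (\d+)", config)
            if m is None:
                problems.append(f"template {name}: {knob} is not set explicitly")
            elif int(m.group(1)) >= average_calculation_time:
                problems.append(f"template {name}: {knob} {m.group(1)} is not below "
                                f"average_calculation_time {average_calculation_time}")
    instances = set(re.findall(r"forwarding-options sampling instance (\S+) ", config))
    if not instances:
        problems.append("no sampling instance under forwarding-options")
    for inst in sorted(instances):
        out = rf"sampling instance {re.escape(inst)} family inet output "
        # The sampling instance must be bound to a slot under chassis, as on this page.
        if not re.search(rf"^set chassis .* sampling-instance {re.escape(inst)}\s*$", config, re.M):
            problems.append(f"instance {inst}: not bound under chassis")
        if not re.search(out + r"flow-server \S+ port \d+", config):
            problems.append(f"instance {inst}: no flow-server with a port")
        if not re.search(out + r"inline-jflow source-address \S+", config):
            problems.append(f"instance {inst}: no inline-jflow source-address")
        for used in re.findall(out + r"flow-server \S+ version-ipfix template (\S+)", config):
            if used not in templates:
                problems.append(f"instance {inst}: template {used} is not defined")
    if not re.search(r"^set interfaces \S+ unit \d+ family inet sampling input\s*$", config, re.M):
        problems.append("no interface has 'family inet sampling input'")
    return problems

if __name__ == "__main__":
    print(audit_export_config(SAMPLE_CONFIG, 20) or "export configuration looks consistent")
```

Feed it the output of `show configuration | display set` together with the average_calculation_time value set through fcli.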

The majority of DDoS attacks involve fragmented traffic, so we recommend enabling this option to deliver fragmentation flags to FastNetMon.
