3 Replies Latest reply on Dec 25, 2014 10:06 AM by choly

    Looking to purchase NTA, but it's not accounting for Netflow sample rate

    underphil

      Hi there,

       

      I wonder if someone could help-- I'm pushing out V5 Netflow data from our Juniper SRX1400 using a sample rate of 100, but NTA is not accounting for the sample rate. I have to multiply all amounts by 100 to get the actual figure.

       

      According to the changelog in NTA 3.11, this version should detect the sample rate. I certainly can't see anywhere to change it.

       

      Any help much appreciated, this is the only blocker left to a purchase.

       

      Thanks, Phil.

        • Re: Looking to purchase NTA, but it's not accounting for Netflow sample rate
          fcaron

          I'm assuming you mean Juniper jflow or sflow, (Netflow is specific to Cisco)

           

          v3.11 (as well as recently released v4.0) , should have the following behavior:

          - sflow should work (sflow is by nature sampled)

          - sampled jflow should work, but we know that we have some issues with some devices (e.g. JunOS versions) that export flows without specifying that it is being sampled (so NTA processes those flows as unsampled ones=wrong stats).

          Whatever your case maybe, if you encounter an issue in this area, we need a pcap, because these are usually NTA "not understanding" how the routers is telling us whether the traffic is sampled or not.

           

          You can contact me directly with pcaps.

            • Re: Looking to purchase NTA, but it's not accounting for Netflow sample rate
              underphil

              Thanks for the reply. It amazes me somewhat that I can't just force NTA to treat the flow data as if it were sampled if it is indeed able to process sampled data.

               

              Sadly we need to get something up and running soon so we're probably going to go with a different solution.

               

              Thankyou for your assistance anyway.

                • Re: Looking to purchase NTA, but it's not accounting for Netflow sample rate
                  choly

                  In some cases switching to jflow v9 may help (unless you are already exporting v9). jflow v9 is available in JunOS 10.4 and newer. Follow steps below on SRX device (Juniper Networks - SRX Getting Started - Configure J-Flow - Knowledge Base):

                  Configuration example for J-Flow version 9:

                  The following procedure provides an example of the J-Flow configuration for version 9:

                  Note:  For more information about this example, refer to the Application Note.

                  1. Configure the J-Flow v9 template (as of now, only the IPv4 template is supported):
                    user@host# set services flow-monitoring version9 template ipv4-test ipv4-template
                  2. Specify the sampling rate and run length:
                    user@host# set forwarding-options sampling input rate 1 user@host# set forwarding-options sampling input run-length 0
                  3. Configure the external flow collector and its port address. The J-Flow v9 template is associated with the external flow collector. Up to eight flow collectors can be simultaneously configured:
                    user@host# set forwarding-options sampling family inet output flow-server 10.10.10.1 port 2222 user@host# set forwarding-options sampling family inet output flow-server 10.10.10.1 version9 template ipv4-test
                  4. Configure the inline-jflow, so that the sampling and the J-Flow service thread are implemented in the forwarding engine:
                    user@host# set forwarding-options sampling family inet output inline-jflow source-address 10.10.10.10
                  5. Configure the sampling filter on an interface (or interfaces) in the direction, on which the J-Flow service is required:
                    user@host# set interfaces ge-0/0/14 unit 0 family inet sampling input user@host# set interfaces ge-0/0/14 unit 0 family inet address 2.2.2.1/24
                  1 of 1 people found this helpful