Traffic Sampling

Traffic sampling is a critical feature for network monitoring, analysis, and troubleshooting. On Juniper devices, the sampling feature allows you to capture a portion of the traffic flowing through the router and export it to flow collectors for analysis. This enables network administrators to gain visibility into traffic patterns, detect anomalies, and plan network capacity without the overhead of capturing all traffic.

This guide covers how to configure traffic sampling on Juniper devices using jflow (Juniper's implementation of netflow/IPFIX).

Components of Traffic Sampling

Juniper's traffic sampling configuration consists of several key components:

Groups Configuration: Defines reusable configuration blocks
Chassis Configuration: Defines hardware-level sampling settings
Services Configuration: Configures flow monitoring templates
Forwarding Options: Configures sampling instances and export parameters

Groups Configuration

The groups configuration allows you to define a configuration template that can be applied to multiple interfaces:

groups {
    sampling {
        interfaces {
            <*> {                       # Wildcard to match any interface
                unit <*> {              # Wildcard to match any unit
                    family inet {       # IPv4 configuration
                        sampling {
                            input;      # Sample incoming IPv4 traffic
                        }
                    }
                    family inet6 {      # IPv6 configuration
                        sampling {
                            input;      # Sample incoming IPv6 traffic
                        }
                    }
                }
            }
        }
    }
}

Key points about this group configuration:

The <*> wildcards allow this configuration to be applied to any interface and unit
input indicates that only incoming traffic will be sampled
Both IPv4 and IPv6 traffic are configured for sampling

Chassis Configuration

The chassis configuration defines hardware-level settings for sampling:

chassis {
    fpc 0 {                             # Flexible PIC Concentrator (line card) 0
        sampling-instance sample-ins;   # Associate FPC with sampling instance "sample-ins"
        inline-services {               # Enable inline flow monitoring
            flow-table-size {           
                ipv4-flow-table-size 3; # IPv4 flow table size (scale 0-9)
                ipv6-flow-table-size 1; # IPv6 flow table size (scale 0-9)
            }
        }
    }
}

Key points about the chassis configuration:

sampling-instance associates the FPC with a specific sampling instance
inline-services enables inline jflow processing
flow-table-size configures the size of flow tables for IPv4 and IPv6:
- Values range from 0 (smallest) to 9 (largest)
- Larger values consume more memory but allow tracking more flows

Services Configuration

The services section configures the flow monitoring templates:

services {
    flow-monitoring {
        version9 {                      # Use NetFlow v9 format
            template ipv4 {             # Template for IPv4 flows
                flow-active-timeout 10; # Export active flows every 10 seconds
                flow-inactive-timeout 10; # Export inactive flows after 10 seconds
                template-refresh-rate {
                    packets 30;         # Resend template every 30 packets
                    seconds 30;         # or every 30 seconds
                }
                option-refresh-rate {
                    packets 30;
                    seconds 30;
                }
                ipv4-template;          # Use standard IPv4 template
            }
            template ipv6 {             # Template for IPv6 flows
                flow-active-timeout 10;
                flow-inactive-timeout 10;
                template-refresh-rate {
                    packets 30;
                    seconds 30;
                }
                option-refresh-rate {
                    packets 30;
                    seconds 30;
                }
                ipv6-template;          # Use standard IPv6 template
            }
        }
    }
}

Key points about the services configuration:

version9 specifies NetFlow version 9 format (industry standard)
flow-active-timeout defines when active flows are exported (in seconds)
flow-inactive-timeout defines when inactive flows are exported (in seconds)
template-refresh-rate controls how often the template is sent to the collector
option-refresh-rate controls how often option templates are sent

Forwarding Options Configuration

The forwarding-options section defines the sampling instance, rate, and export destinations:

forwarding-options {
    sampling {
        instance {
            sample-ins {                # Name of sampling instance
                input {
                    rate 2048;          # Sample 1 packet out of 2048
                    max-packets-per-second 65535; # Maximum packets to sample per second
                }
                family inet {           # IPv4 configuration
                    output {
                        flow-server 192.168.88.101 { # Flow collector IP address
                            port 2055;  # NetFlow collector port
                            autonomous-system-type origin; # AS path origin
                            source-address 192.168.88.100; # Source IP for flow packets
                            version9 {
                                template {
                                    ipv4; # Use IPv4 template
                                }
                            }
                        }
                        inline-jflow {
                            source-address 192.168.88.100; # Source IP for inline jflow
                        }
                    }
                }
                family inet6 {          # IPv6 configuration
                    output {
                        flow-server 192.168.88.101 {
                            port 2055;
                            autonomous-system-type origin;
                            source-address 192.168.88.100;
                            version9 {
                                template {
                                    ipv6; # Use IPv6 template
                                }
                            }
                        }
                        inline-jflow {
                            source-address 192.168.88.100;
                        }
                    }
                }
            }
        }
    }
}

Key points about the forwarding options configuration:

rate 2048 means 1 out of every 2048 packets will be sampled (sampling ratio of 1:2048)
max-packets-per-second limits the number of sampled packets to prevent overwhelming the system
flow-server specifies the IP address and port of the NetFlow collector
autonomous-system-type origin includes the origin AS in flow records (useful for BGP analysis)
source-address defines the source IP address to use when sending flow records
inline-jflow configures inline flow processing (more efficient than service PIC-based sampling)

Applying Sampling to Interfaces

To apply sampling to interfaces, you use the apply-groups command at the interface level:

interfaces {
    ae0 {
        unit 10 {
            apply-groups sampling;      # Apply the "sampling" group to this interface
            vlan-id 10;
            family inet {
                address 192.0.2.127/24;
            }
        }
    }
}

This applies all the configuration in the "sampling" group to this specific interface unit.

Verification Commands

To verify that traffic sampling is working correctly, you can use these commands:

show services accounting flow inline-jflow    # Show inline jflow statistics
show services accounting errors inline-jflow  # Show any inline jflow errors
show services accounting status inline-jflow  # Show inline jflow status
show services accounting usage               # Show accounting usage statistics
show forwarding-options sampling instance sample-ins # Show sampling instance details

Best Practices

Sampling Rate: Choose an appropriate sampling rate based on your traffic volume and monitoring needs
- High-volume networks may need higher sampling rates (e.g., 1:8192)
- Lower sampling rates provide more accuracy but increase processing load
Resource Considerations: Monitor CPU and memory usage to ensure sampling doesn't impact performance
- Adjust max-packets-per-second to limit resource consumption
Flow Export: Configure multiple flow collectors for redundancy
Template Refresh: Set appropriate template refresh rates
- Too frequent refreshes add overhead
- Too infrequent refreshes may cause the collector to miss templates
Source Address: Use a stable, dedicated IP address for flow export
- Ideally from a loopback interface
Flow Table Size: Set appropriate flow table sizes based on your network's flow diversity
- Larger networks with many unique flows need larger flow tables
Interface Selection: Apply sampling only to interfaces where flow data is valuable
- Avoid sampling on management or internal interfaces

Common Applications

Traffic Analysis: Understand traffic patterns and top talkers
Capacity Planning: Track traffic growth and plan network expansion
Security Monitoring: Detect DDoS attacks and unusual traffic patterns
Performance Troubleshooting: Identify sources of latency or packet loss
Billing and Accounting: Track usage for billing purposes

Properly configured traffic sampling provides valuable network visibility with minimal impact on router performance.

PreviousInterface NextRouting Instance

Last updated 9 months ago