traffic accounting

Hi all,

Imagine you have a number of GE and 10GE interfaces spread across multiple MX-class Juniper routers, and for each interface you want to maintain an accurate count of bytes sent, categorised by destination address.

There is no layer-2 aggregation going on beyond the router, so no opportunity to create span ports on which to measure over on the side.

Using optical splitters on each and every router interface and listening on the side using dedicated sniffers is an option, although it means tangles of fibre and potentially lots of sniffer boxes with lots of interfaces.

I don't necessarily need a free or tremendously cheap solution, although it's always nice not to have to spend money.

What are better approaches?

Off-list would be fine if people have experience of this kind of thing; I can summarise if there is interest.

Joe

Flow telemetry.

Can you use cflow/jflow/ipfix exports with 1:1 sampling on an MX480 without an MS-DPC?

Joe

Probably... depending on how much traffic you actually get; the DPC/FPC -> RE path is limited.

An important question that may impact possible solutions - exactly how accurate does it have to be?

Ideally I'd count every byte, and any deficiencies in the data would be due to unplanned outage rather than systematic short-cutting.

Sampling 1 in 10 packets and multiplying the observed byte count by 10 might be better than nothing, though.

Off-list, someone suggested DCU ("destination class accounting"), but that's limited to 126 classes of counters; another parameter I forgot to mention at the beginning is that there are thousands of destination addresses reached through each of these interfaces, and I'm looking for accounting by destination address, so 126 isn't going to cut it.

Joe

"Specify the threshold traffic value by using the max-packets-per-second statement. The value is the maximum number of packets to be sampled, beyond which the sampling mechanism begins dropping packets. The range is 0 through 65,535. A value of 0 instructs the Packet Forwarding Engine not to sample any packets. The default value is 1000."

If you use MPC/trio with appropriate licensing, you might be able to hit 1:1 with ipfix. They were still working on IPv6 and other features when I looked a year ago, but the trio ipfix maximums outclassed the MS-DPC by a lot.

Jack

I'm not a Juniper person, so I'm not sure; note however that a) MS-DPC is necessary for NetFlow v9 (which is required for IPv6, for example), and b) sampled NetFlow (i.e., not 1:1, but higher ratios) is widely used and accepted in the industry.

I guess if you are only counting bytes it is possible to use firewall filters with counters? I guess it depends on how many match conditions vs. lookup time are acceptable?