
Juniper MX IPFIX Reporting

We recently had the opportunity to work with an exciting Juniper IPFIX MX Series export.  It provides traffic details that we haven’t seen before from this vendor.  The export is available in release 14.1X55 and release 17.1 in Q1 2017, but you also need the MX with subscriber/application awareness (using MS-MPC cards).

We were able to report on details such as TCP Round Trip Time, Packet Loss and DNS response time.  These metrics can come in very handy when troubleshooting slow applications.  Speaking of applications, their DPI engine identified apps such as Office365, Twitter, Hotmail, Lync, Yahoo, and Apple iOS updates.  It also provided the Internet host being requested, which may not be what the destination IP address resolves to.


Looking a bit deeper into the flows they provided us, we found several HTTP details that will prove useful to Juniper customers.  These details included:

  • HTTP Method: a set of commands used in the protocol.  The two most popular are GET and POST. Other methods include HEAD, PUT, DELETE, CONNECT, OPTIONS, and TRACE.
  • HTTP Referer: identifies the address of the web page (i.e. the URI or IRI) that linked to the resource being requested.
  • HTTP Response Code: a response by the server to the client indicating how it is treating the request.
  • HTTP URI: a Uniform Resource Identifier is a standard for identifying documents using a short string of numbers, letters, and symbols.  It should not be confused with a URL which stands for Uniform Resource Locator.  A URL refers to the subset of URIs that, in addition to identifying a resource, provide a means of locating the resource by describing its primary access mechanism (e.g., its network “location”).


A partial listing of the details exported in the template can be found on the Juniper IPFIX template web page as well as the router configuration.  The IPv4 fields are listed below as an example; IPv6 is also supported:

  • IPv4 Source Address
  • IPv4 Destination Address
  • IPv4 TOS
  • IPv4 Protocol
  • L4 Source Port
  • L4 Destination Port
  • ICMP Type and Code
  • Input Interface
  • VLAN ID
  • IPv4 Source Mask
  • IPv4 Destination Mask
  • Source AS
  • Destination AS
  • IPv4 Next Hop Address
  • TCP Flags
  • Output Interface
  • Number of Flow Bytes
  • Number of Flow Packets
  • Minimum TTL (time to live)
  • Maximum TTL (time to live)
  • Flow Start Time
  • Flow End Time
  • Flow End Reason
  • 802.1Q VLAN identifier (dot1qVlanId)
  • 802.1Q Customer VLAN identifier (dot1qCustomerVlanId)
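
To show how template fields like those above arrive on the wire, the following added example (not code from this post or from Juniper) decodes an IPFIX template set and the data records that follow it, using the message layout from RFC 7011. The function names and the `templates` cache are assumptions of the example; it decodes fixed-length fields only and keeps enterprise-specific (vendor) elements as raw bytes.

```python
import ipaddress
import struct

# IANA element IDs for some of the IPv4 fields listed above.
IANA = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
        6: "tcpControlBits", 7: "sourceTransportPort", 8: "sourceIPv4Address",
        11: "destinationTransportPort", 12: "destinationIPv4Address"}

def read_templates(body, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        pos, fields = pos + 4, []
        for _ in range(count):
            ie, flen = struct.unpack_from("!HH", body, pos)
            pen = struct.unpack_from("!I", body, pos + 4)[0] if ie >> 15 else None
            pos += 4 if pen is None else 8    # enterprise bit: 4-byte PEN follows
            fields.append((ie & 0x7FFF, flen, pen))
        varlen = any(flen == 0xFFFF for _, flen, _ in fields)
        templates[tid] = [] if varlen else fields   # variable-length: skipped

def read_records(body, fields):
    size, records = sum(flen for _, flen, _ in fields), []
    for start in range(0, len(body) - size + 1, size):  # leftover bytes are padding
        rec, pos = {}, start
        for ie, flen, pen in fields:
            val, pos = body[pos:pos + flen], pos + flen
            if pen is None:                   # IANA element: address or integer
                val = (str(ipaddress.IPv4Address(val)) if ie in (8, 12)
                       else int.from_bytes(val, "big"))
            rec[IANA.get(ie, f"ie{ie}") if pen is None else f"pen{pen}.{ie}"] = val
        records.append(rec)
    return records

def parse_ipfix(message, templates):
    version, length = struct.unpack_from("!HH", message, 0)
    if version != 10 or length != len(message):
        raise ValueError("not a complete IPFIX (version 10) message")
    flows, pos = [], 16                       # sets follow the 16-byte header
    while pos + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", message, pos)
        if set_len < 4 or pos + set_len > length:
            raise ValueError("bad set length")
        body = message[pos + 4:pos + set_len]
        if set_id == 2:                       # template set
            read_templates(body, templates)
        elif set_id >= 256 and templates.get(set_id):
            flows += read_records(body, templates[set_id])
        pos += set_len                        # other sets are skipped
    return flows
```

Pass each received export packet to `parse_ipfix` with one `templates` dict per exporter, since a data set can only be decoded once its template has been seen.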

As a result, we created a few dozen new reports to improve our Juniper IPFIX support. Be sure to check them out as I didn’t cover everything they are exporting in this post.  There are several other details such as subscriber VRF, name, type, IP Address, DNS latency, etc.


Reach out to our team if you would like to report on these rich new details.