Junos OS

Hi, 

I tried to config ipv6 firewall filter like below, but it gave me commit error: 
"Template type must match input protocol"
Errors listed below. What am I doing wrong?

set firewall family  inet6    filter   ip6_sampling    term t1    then count ip6_sampling_count
set firewall family  inet6    filter   ip6_sampling    term t1    then sample
set forwarding-options   sampling input rate 2000
set forwarding-options   sampling family inet6 output flow-server 192.168.0.1 port 1000 version9 template v6

Errors:
---------------

admin@mx960# commit
[edit forwarding-options sampling family inet6 output flow-server 192.168.0.1]
'version9'
Service PIC or inline-jflow (j-series and SRX only) must be specified for version9
[edit forwarding-options sampling family inet6 output flow-server 192.168.0.1 version9 template]
'v6'
Template type must match input protocol
error: commit failed: (statements constraint check failed)

[edit]

Hi PL2,

Greetings, The commit error you are getting is for the sampling configuration, please check this out:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB25836

Mixed with ipv6: https://kb.juniper.net/InfoCenter/index?page=content&id=KB27279&smlogin=true&actp=search

If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

Regards,

Lil Dexx
JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB

Hello PL2,

Greetings!

I tried the above configuration on the lab device and ended up getting the same error:-

# set firewall family inet6 filter ip6_sampling term t1 then count ip6_sampling_count

# set firewall family inet6 filter ip6_sampling term t1 then sample

# set forwarding-options sampling input rate 2000

# set forwarding-options sampling family inet6 output flow-server 192.168.0.1 port 1000 version9 template v6

# commit check
re0:
[edit forwarding-options sampling family inet6 output flow-server 192.168.0.1]
'version9'
Service PIC or inline-jflow (j-series and SRX only) must be specified for version9
[edit forwarding-options sampling family inet6 output flow-server 192.168.0.1 version9 template]
'v6'
Template type must match input protocol
error:

--------------------------------------------------------------------------------------------------------------------------

To remove " Template type must match input protocol",  need to add the below command for configuration:-

set services flow-monitoring version9 template v6 ipv6-template

# set firewall family inet6 filter ip6_sampling term t1 then count ip6_sampling_count

# set firewall family inet6 filter ip6_sampling term t1 then sample

# set forwarding-options sampling input rate 2000

# set forwarding-options sampling family inet6 output flow-server 192.168.0.1 port 1000 version9 template v6

labroot@jtac-mx480-r2032-re0# set services flow-monitoring version9 template v6 ipv6-template

[edit]
labroot@jtac-mx480-r2032-re0# commit check
re0:
[edit forwarding-options sampling family inet6 output flow-server 192.168.0.1]
'version9'
Service PIC or inline-jflow (j-series and SRX only) must be specified for version9
error: configuration check-out failed: (statements constraint check failed)

----------------------------------------------------------------------------------------------------------------------------

To remove the next error, need to configure inline-jflow :-

#set forwarding-options sampling family inet6 output inline-jflow source-address 1.1.1.1

--------------------------------------------------------------------------------------------------------------

The final set of commands:-

set firewall family inet6 filter ip6_sampling term t1 then count ip6_sampling_count

set firewall family inet6 filter ip6_sampling term t1 then sample

set forwarding-options sampling input rate 2000

set forwarding-options sampling family inet6 output flow-server 192.168.0.1 port 1000 version9 template v6

set services flow-monitoring version9 template v6 ipv6-template

set forwarding-options sampling family inet6 output inline-jflow source-address 1.1.1.1

# commit check
re0:
configuration check succeeds
re1:
configuration check succeeds

I hope this helps. Please mark this post "Accept as solution" if this answers your query. 

Kudos are appreciated too! 

Best Regards,

Lingabasappa H

@Lingabasappa:

I configured those commands as you posted earlier, but has the following errors:

--------------------------------------

admin@mx960# commit
mgd: error: [edit forwarding-options sampling family inet6 output inline-jflow]
sampling inline configuration error
Can't configure more than 4 flow-server for inline Jflow

error: configuration check-out failed

Config:

-------------

set firewall family inet6 filter ip6_sampling term t1 then count ip6_sampling_count

set firewall family inet6 filter ip6_sampling term t1 then sample

set forwarding-options sampling input rate 2000

set forwarding-options sampling family inet6 output flow-server 192.168.0.1 port 1000 version9 template v6

set services flow-monitoring version9 template v6 ipv6-template

set forwarding-options sampling family inet6 output inline-jflow source-address 1.1.1.1

Hello PL2,

I have used 1.1.1.1 for inline-jlow source-address on my device just for example, as there were no source-address pre-configured.

I see the error:

Can't configure more than 4 flow-server for inline Jflow

Don't use 1.1.1.1 as source-address, use the one which is already configured on the device and as per your requirement.

Let me know if this works and you can pass through the commit.

Best Regards,

Lingabasappa H

@Lingabasappa:

I used a different address as a source-address, but it still failed. Strange that it used to work earlier, though.

admin@mx960# set forwarding-options sampling family inet6 output inline-jflow source-address 192.168.0.2

[edit]
admin@mx960# commit
mgd: error: [edit forwarding-options sampling family inet6 output inline-jflow]
sampling inline configuration error
Can't configure more than 4 flow-server for inline Jflow

error: configuration check-out failed

[edit]

Hello PL2,

Can you please provide me below outputs:

>show version

[edit]
labroot@XX# edit forwarding-options

[edit forwarding-options]
labroot@XX# show

Best Regards,
Lingu

@Lingu: Thank you, Lingu.

The issue is now resolved.

My config has set the maximum number of jflow-servers to be 4 as seen below.

Your suggested "show forwarding-options" helped determining what max limit is set

for the jflow-server.

--------------------
set chassis fpc 0 inline-services flow-table-size ipv6-flow-table-size 4

I deleted some jflow-server configs and it worked.

Thanks again

Hello @PL2,

Thanks for the confirmation. We are so glad that the issue was resolved.

Regards,

Lingu

Hi PL2,

I hope you are doing great!

“On MX Series routers running Junos OS Release 16.1R4 and later, you can export flow records to four collectors under a family with the same source IP address for Inline-JFlow”
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/inline-flow-monitoring.html

So, the reason why we are getting the error while committing the configuration is that a maximum of 4 flow-server can be configured for inline Jflow.

Only 1 collector was supported under a family on his version (15) and later, four collectors were supported Starting with Junos OS Release 16.1R4 and 17.2R1.

Adding some more information below that could interest you-

RE based sampling limitations:
· Since RE is handling all the control traffic on the router, we cannot configure a very aggressive sampling rate as it will result in RE CPU getting over-utilized resulting in instability.
· Routing Engine based sampling is not supported on VPN routing and forwarding (VRF) instances.

PFE based or inline sampling restrictions and limitations:
· You can configure inline sampling only on MX Series routers that have Trio-based line cards.
· You can configure only one sampling instance on a Flexible PIC Concentrator (FPC).
· You can configure only one type of sampling–either PIC-based sampling or inline sampling–per family in a sampling instance. However, you can configure PIC-based and inline sampling for different families in a sampling instance.
· You can configure only one collector for inline sampling (refer the below link for more details)

https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/services-configuring-traffic-sampling.html

Hope this helps 🙂

Please mark this "Accepted Solution"  if this helps you solve your query.

Kudos would be much appreciated too 🙂

@bmanvita:
Thanks for the great documentation reference.

@PL2,

Glad to know that it worked for you!