Example: Passive Monitoring Configuration
In Figure 8, traffic enters the monitoring station through interfaces so-0/0/0 and so-0/1/0. After the firewall filter accepts the traffic to be monitored, the packets enter a VRF instance.
The original packets travel within the VRF instance to the Monitoring Services PIC for cflowd processing. The final cflowd packets are sent from the Monitoring Services PIC interfaces out the fe-3/0/0 interface to a cflowd server.
A copy of the accepted traffic is port-mirrored to the Tunnel PIC. As the copied packets enter the tunnel interface, a second firewall filter separates TCP and UDP packets and places them into two filter-based forwarding instances. The UDP instance directs the UDP packets to a packet analyzer attached to fe-3/2/0. The TCP instance sends the TCP packets to the ES PIC for encryption and the ES PIC sends the packets to a second packet analyzer connected to fe-3/2/1.
Your first step is to define a firewall filter to select packets for monitoring. All filtered traffic must be accepted and the sample statement at the [edit firewall family inet filter filter-name term term-name then] hierarchy level facilitates port mirroring.
Next, configure the input SONET interfaces and apply the firewall filter that you just defined. The passive-monitor-mode statement disables SONET keepalives on the SONET interfaces and enables passive monitoring.
Configure all other interfaces that you will use with the monitoring application, including the Monitoring Services PIC interfaces, the export interfaces, the Tunnel PIC interface, and the ES PIC interface. Once the interfaces are in place, configure a VRF instance and monitoring group to direct the original packets from the input interfaces to the Monitoring Services PIC interfaces for processing. The resulting flow description packets exit fe-3/0/0 to reach the cflowd server.
Next, configure sampling statements to port mirror the monitored traffic to a Tunnel PIC interface. Design a firewall filter that selects some of this copied traffic for sampling and some of the traffic for discarding. In this case, isolate TCP and UDP traffic and direct these two flows into separate filter-based forwarding routing instances. Remember to apply the filter to the Tunnel PIC interface to enable the sampling filter. Also, import the interface routes into the forwarding instances with a routing table group.
In the filter-based forwarding instances, define static route next hops. The next hop for the TCP instance is the ES PIC interface and the next hop for the UDP instance is the packet analyzer connected to fe-3/2/0. Finally, configure IPSec so that the next hop for the TCP traffic is the second packet analyzer attached to fe-3/2/1.
[edit]
interfaces {
so-0/0/0 { # Traffic enters the router on this interface.
encapsulation ppp;
unit 0 {
passive-monitor-mode; #This turns off SONET keepalives to enable passive monitoring.
family inet {
filter {
input input-monitoring-filter; #The firewall filter is applied here.
}
}
}
}
so-0/1/0 { # Traffic enters the router on this interface.
encapsulation ppp;
unit 0 {
passive-monitor-mode; #This turns off keepalives and makes the router a monitoring station.
family inet {
filter {
input input-monitoring-filter; #The firewall filter is applied here.
}
}
}
}
es-3/1/0 { # This is where the TCP traffic enters the ES PIC.
unit 0 {
tunnel {
source 10.8.8.1;
destination 10.8.8.2;
}
family inet {
ipsec-sa sa-esp;
address 3.3.3.1/32 {
destination 3.3.3.2;
}
}
}
}
fe-3/0/0 { # Flow records exit the monitoring station here and travel to the cflowd server.
unit 0 {
family inet;
address 192.168.245.1/30
}
}
fe-3/2/0 { # This export interface for UDP traffic leads to a packet analyzer.
unit 0 {
family inet {
address 10.9.9.1/30;
}
}
}
fe-3/2/1 { # This IPSec tunnel source exports TCP traffic to another packet analyzer.
unit 0 {
family inet {
address 10.8.8.1/30;
}
}
}
mo-4/0/0 { # This marks the beginning of the Monitoring Services PIC interfaces.
unit 0 { # Unit 0 is part of the inet.0 routing table and helps generates flow records.
family inet;
}
unit 1 { # Unit 1 receives monitored traffic and is configured in the VRF instance.
family inet;
}
}
mo-4/1/0 {
unit 0 { # Unit 0 is part of the inet.0 routing table and helps generates flow records.
family inet;
}
unit 1 { # Unit 1 receives monitored traffic and is configured in the VRF instance.
family inet;
}
}
mo-4/2/0 {
unit 0 { # Unit 0 is part of the inet.0 routing table and helps generates flow records.
family inet;
}
unit 1 { # Unit 1 receives monitored traffic and is configured in the VRF instance.
family inet;
}
}
mo-4/3/0 {
unit 0 { # Unit 0 is part of the inet.0 routing table and helps generates flow records.
family inet;
}
unit 1 { # Unit 1 receives monitored traffic and is configured in the VRF instance.
family inet;
}
}
}
forwarding-options {
monitoring group1 { # This allows monitored traffic to be processed by the Monitoring Services
family inet { # PIC interfaces and cflowd records to be sent to the cflowd server.
input {
interface so-0/0/0.0; # Traffic enters the router and VRF through this interface.
interface so-0/1/0.0; # Traffic enters the router and VRF through this interface.
}
output {
export-format cflowd-version-5;
export-interval 30;
destination-address 192.168.245.2; # This is the IP address of the cflowd server.
destination-port 2055;
source-address 192.168.245.1; # This is the IP address of the export interface fe-3/0/0.
interface mo-4/0/0.1 { # All Monitoring Services PIC interfaces are output interfaces.
engine-id 1;
engine-type 1;
input-interface-index 44;
output-interface-index 54;
}
interface mo-4/1/0.1 {
engine-id 2;
engine-type 1;
input-interface-index 45;
output-interface-index 55;
}
interface mo-4/2/0.1 {
engine-id 3;
engine-type 1;
input-interface-index 46;
output-interface-index 56;
}
interface mo-4/3/0.1 {
engine-id 4;
engine-type 1;
input-interface-index 47;
output-interface-index 57;
}
}
}
}
sampling { # This step accepts traffic samples and prepares them for port mirroring.
input {
family inet {
rate 1;
run-length 1;
}
}
output {
port-mirroring { # This step copies the traffic and sends it to the Tunnel PIC interface.
interface vt-0/2/0.0;
no-filter-check;
}
}
}
}
routing-options { # This installs the interface routes into the forwarding instances.
interface-routes {
rib-group inet bc-vrf;
}
rib-groups {
bc-vrf {
import-rib [ inet.0 tcp-routing-table.inet.0 udp-routing-table.inet.0 ];
}
}
forwarding-table {
export pplb; # This applies a per-packet load-balancing policy to the forwarding table.
}
}
policy-options {
policy-statement monitoring-vrf-import {
then reject;
}
policy-statement monitoring-vrf-export {
then reject;
}
policy-statement pplb {
then {
load-balance per-packet;
}
}
}
security { # This sets IPSec options for the ES PIC.
ipsec {
proposal esp-sha1-3des {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 180;
}
policy esp-group2 {
perfect-forward-secrecy {
keys group2;
}
proposals esp-sha1-3des;
}
security-association sa-esp {
mode tunnel;
dynamic {
ipsec-policy esp-group2;
}
}
}
ike {
proposal ike-esp {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 180;
}
policy 10.8.8.2 {
mode aggressive;
proposals ike-esp;
pre-shared-key ascii-text "$9$qmQnuORrlMBIds2oiH0BIESe";
}
}
}
firewall {
family inet {
filter input-monitoring-filter { # This filter selects traffic to send into the VRF instance and
term 1 { # prepares the traffic for port mirroring.
from {
destination-address {
10.7.0.0/16;
}
}
then {
sample;
accept;
}
}
term 2 {
from {
destination-address {
10.6.0.0/16;
}
}
then accept;
}
}
filter sampling-filter { # This filter breaks the port-mirrored traffic into two filter-based forwarding
term tcp { # routing instances: TCP packets and UDP packets
from {
protocol tcp;
}
then { # This counts TCP packets and sends them into a TCP instance.
count tcp;
routing-instance tcp-routing-table;
}
}
term udp {
from {
protocol udp;
}
then { # This counts UDP packets and sends them into a UDP instance.
count udp;
routing-instance udp-routing-table;
}
}
term rest {
then {
count rest;
discard;
}
}
}
}
}
routing-instances {
monitoring-vrf { # This is the VRF instance where you send the original traffic. It contains
instance-type vrf; # the input interface and the Monitoring Services PIC interfaces.
interface so-0/0/0.0;# These are input interfaces (duplicate them asinputinterfaces
interface so-0/1/0.0; # in your monitoring group).
interface mo-4/0/0.1;
interface mo-4/1/0.1;# These are output interfaces (duplicate them asoutputinterfaces
interface mo-4/2/0.1;# in your monitoring group).
interface mo-4/3/0.1;
route-distinguisher 69:1;
vrf-import monitoring-vrf-import;
vrf-export monitoring-vrf-export;
routing-options { # This sends the traffic to the group of Monitoring Services PIC interfaces.
static {
route 0.0.0.0/0 next-hop [ mo-4/0/0.1 mo-4/1/0.1 mo-4/2/0.1 mo-4/3/0.1 ];
}
}
}
tcp-routing-table { #This is the filter-based forwarding instance for TCP traffic.
instance-type forwarding;
routing-options { # The next hop is the ES PIC.
static {
route 0.0.0.0/0 next-hop es-3/1/0.0;
}
}
}
udp-routing-table { #This is the filter-based forwarding instance for UDP traffic.
instance-type forwarding;
routing-options { # The next hop is the second packet analyzer.
static {
route 0.0.0.0/0 next-hop 10.9.1.2;
}
}
}
}