Hardware and Software Considerations
There are several hardware and software considerations when you implement passive flow monitoring. When defining the hardware requirements of the monitoring station, keep in mind the following:
- The input interfaces on the monitoring station must be SONET/SDH OC-3, OC-12, or OC-48 interfaces or ATM2 IQ OC-3 or OC-12 interfaces.
- To monitor the flows in both directions for a single interface, the monitoring station must have two SONET/SDH or ATM2 IQ receive ports, one for each direction of flow. In Figure 7, the monitoring station needs one port to monitor the traffic flowing from Router 1 to Router 2, and a second port to monitor the traffic flowing from Router 2 to Router 1.
- Each Monitoring Services or Monitoring Services II PIC can handle the volume of traffic that one OC-3 PIC can accommodate.
- To monitor a fully loaded bidirectional SONET/SDH or ATM2 IQ OC-3 interface, the monitoring station must have two Monitoring Services PICs.
- To monitor a fully loaded bidirectional SONET/SDH or ATM2 IQ OC-12 interface, the monitoring station must have four Monitoring Services PICs.
- To monitor a fully loaded bidirectional SONET/SDH OC-48 interface, the monitoring station must have 16 Monitoring Services PICs.
- The Monitoring Services PICs must be installed in a Type 1 enhanced FPC slot.
- Type 1 and Type 2 Tunnel Services PICs are supported.
- Use an ES PIC to encrypt the cflowd export.
When defining a traffic monitoring strategy, keep in mind the following:
- The monitoring station collects only IPv4 packets. All other packet formats are discarded and not counted.
- You can configure an inactivity timer for the monitoring station on a per-monitoring-group basis. The timer sets the length of time in seconds that the monitoring station allows a flow to be inactive before terminating the flow and exporting the flow data. To set the timer, include the flow-inactive-timeout statement at the [edit forwarding-options monitoring group-name family inet output] hierarchy level. The timer value can be from 15 seconds through 1800 seconds, with a default value of 60 seconds.
- You can also configure a timeout for aging active flows on a per-monitoring-group basis. To set this activity timer, include the flow-active-timeout statement at the [edit forwarding-options monitoring group-name family inet output] hierarchy level. The timer value can be from 60 seconds through 1800 seconds, with a default value of 180 seconds.
- Multiple expired flows are exported together, if possible. A UDP packet is sent when one of the following conditions is met:
  - When thirty flows are contained in the current packet, the flows are exported.
  - If there are fewer than thirty flows but the export timer expires, the flows are exported one second after the timer expires.
- TCP flows watch for a segment containing the FIN bit and a subsequent acknowledgement (ACK) to detect the end of a flow. Alternately, a TCP reset (RST) can also indicate the end of a flow. When these TCP combinations are detected, the flow expires. The FIN+ACK and RST cases cover most TCP stream closures. For all other flows, an inactive timeout is needed.
- All non-TCP flows, such as UDP, depend on timeout mechanisms for export.
- The default MTU value for SONET/SDH interfaces is 4474 bytes; for Gigabit Ethernet and Fast Ethernet interfaces, it is 1500 bytes. If the monitoring station receives packets exceeding 4474 bytes, they are discarded; no fragmentation is performed. Note that the supported MTU size on the Gigabit Ethernet or Fast Ethernet PICs might exceed 1500 bytes, depending on the type of PIC.
- Any incoming traffic that is discarded is not forwarded to packet analyzers.
- The interfaces on the monitoring station that collect intercepted traffic must be configured with Cisco HDLC or PPP encapsulation.
- You must always use a standard interface (for example, one that follows the usual interface-name-fpc/pic/slot format) to send flow records to a cflowd server. Flow data generated by the Monitoring Services or Monitoring Services II PICs will not be delivered to the server across the fxp0 interface.
- You can send cflowd version 5 records to multiple cflowd servers. You can configure up to eight servers and cflowd traffic is load balanced between the servers in a round-robin fashion. If one of the servers ceases operation, cflowd traffic load balances automatically between the remaining active servers. To configure, include up to eight cflowd statements at the [edit forwarding-options monitoring group-name output] hierarchy level.
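The flow expiry and export rules in the list above (inactive and active timers, TCP FIN+ACK and RST, thirty flows per export packet) can be modeled offline to see what a cflowd collector will receive. This is an added example, not vendor code. Assumptions: flows are keyed by a hypothetical string label, timers are checked only when a packet arrives, a FIN followed by a later ACK-bearing segment in the same flow ends it, and the export timer is not modeled.

```python
from dataclasses import dataclass
INACTIVE_RANGE, ACTIVE_RANGE = (15, 1800), (60, 1800)  # seconds, limits from the text
FLOWS_PER_PACKET = 30                                  # flows per export UDP packet
FIN, RST, ACK = 0x01, 0x04, 0x10                       # TCP flag bits

@dataclass
class Flow:
    first: float
    last: float
    packets: int = 0
    fin_seen: bool = False

def expire_flows(packets, inactive=60, active=180):
    """Replay time-ordered (ts, key, proto, flags); return (key, reason, first, last, packets)."""
    if not INACTIVE_RANGE[0] <= inactive <= INACTIVE_RANGE[1]:
        raise ValueError("flow-inactive-timeout must be 15-1800 seconds")
    if not ACTIVE_RANGE[0] <= active <= ACTIVE_RANGE[1]:
        raise ValueError("flow-active-timeout must be 60-1800 seconds")
    cache, expired = {}, []
    def retire(key, reason):
        f = cache.pop(key)
        expired.append((key, reason, f.first, f.last, f.packets))
    def age(now):  # assumption: timers are evaluated lazily, on each packet arrival
        for key, f in list(cache.items()):
            if now - f.last >= inactive:
                retire(key, "inactive")
            elif now - f.first >= active:
                retire(key, "active")
    for ts, key, proto, flags in packets:
        age(ts)
        f = cache.setdefault(key, Flow(ts, ts))
        f.last, f.packets = ts, f.packets + 1
        if proto == 6 and flags & RST:
            retire(key, "tcp-rst")
        elif proto == 6 and f.fin_seen and flags & ACK:
            retire(key, "tcp-fin-ack")      # ACK seen after an earlier FIN
        elif proto == 6 and flags & FIN:
            f.fin_seen = True
    age(float("inf"))                       # end of capture: flush what is left
    return expired

def export_packets(records):
    """Batch expired flows, at most thirty per export packet (export timer not modeled)."""
    return [records[i:i + FLOWS_PER_PACKET] for i in range(0, len(records), FLOWS_PER_PACKET)]

SAMPLE = sorted(  # constructed traffic: DNS query, clean TCP close, reset, long session
    [(0, "udp-dns", 17, 0), (1, "tcp-web", 6, ACK), (2, "tcp-web", 6, FIN | ACK),
     (3, "tcp-web", 6, ACK), (4, "tcp-rst", 6, 0x02), (5, "tcp-rst", 6, RST)]
    + [(t, "tcp-long", 6, ACK) for t in range(0, 401, 10)])
```

With the default timers, the 400-second session in the sample is reported as three separate records, so collector-side analysis has to stitch records with the same key back together before judging session length or byte totals.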