Configure Active Flow Monitoring

Although the Monitoring Services PIC was designed initially for use as an offline passive flow monitoring tool, it can also be used in an active flow monitoring topology. In contrast, the Adaptive Services PIC is designed exclusively for active flow monitoring. To use either the Monitoring Services PIC or Adaptive Services PIC for active flow monitoring purposes, you must install the PIC in an M5, M7i, M10, M10i, M20, M40e, or M160 router. The router participates in both the monitoring application and in the normal routing functionality of the network.

Specified packets can be filtered and sent to the monitoring interface. For the Monitoring Services PIC, the interface name contains the mo- prefix. For the Adaptive Services PIC, the interface name contains the sp- prefix.

If you upgrade from the Monitoring Services PIC to the Adaptive Services PIC for active flow monitoring, you must modify the interface name of your monitoring interface from mo-fpc/pic/port to sp-fpc/pic/port.

The major active flow monitoring actions you can configure at the [edit forwarding-options] hierarchy level are as follows:

• Sampling, with the [edit forwarding-options sampling] hierarchy. This option extracts limited information (such as the source and destination IP address) from a copy of some of the packets in a flow, while the original packets are forwarded to the intended destination.
• Discard accounting, with the [edit forwarding-options accounting] hierarchy. This option quarantines unwanted packets, creates cflowd records that describe the packets, and discards the packets instead of forwarding them.
• Port mirroring, with the [edit forwarding-options port-mirroring] hierarchy. This option makes one full copy of all packets in a flow and delivers the copy to a single destination.
• Multiple port mirroring, with the [edit forwarding-options next-hop-group] hierarchy. This option allows multiple copies of selected traffic to be delivered to multiple destinations. (Multiple port mirroring requires a Tunnel Services PIC.)

Unlike passive flow monitoring, you do not need to configure a monitoring group. Instead, you can send filtered packets to a monitoring services or adaptive services interface
(mo- or sp-) by using sampling or discard accounting. Optionally, you can configure port mirroring or multiple port mirroring to direct packets to additional interfaces.

These active flow monitoring options provide a wide variety of actions that can be performed on network traffic flows. However, the following restrictions apply:

• The router can perform sampling OR port mirroring at any one time.
• The router can perform forwarding OR discard accounting at any one time.

Because the Monitoring Services PIC and Adaptive Services PIC allow only one action to be performed at any one time, the following configuration options are available:

• Sampling and forwarding
• Sampling and discard accounting
• Port mirroring and forwarding
• Port mirroring and discard accounting
• Sampling and port mirroring on different sets of traffic

To configure active flow monitoring, complete these steps:

• Define a Firewall Filter to Select Traffic for Active Flow Monitoring
• Configure the Interfaces That Will Be Actively Monitored
• Enable the Monitoring Services or Adaptive Services Interfaces and the Export Interface
• Collect cflowd Records
• Option: Configure Port-Mirroring Statements
• Option: Send Traffic to Multiple Export Interfaces with Next-Hop Groups

To view examples of active flow monitoring, see the following sections:

• Example: Sampling Configuration
• Example: Sampling and Discard Accounting Configuration
• Example: Multiple Port Mirroring with Next-Hop Groups Configuration