

Collect cflowd Records with a Sampling Group

If your needs for active flow monitoring are simple, you can collect cflowd records with a sampling group. Sampling does not require you to configure a monitoring group (as required in passive flow monitoring) because you can configure cflowd server information in the sampling hierarchy. When you wish to sample traffic, include the sampling statement at the [edit forwarding-options] hierarchy level.

The typical sampling configuration has one input interface and one export interface. The input interface is activated by the then sample statement in a firewall filter term. This action directs the traffic matched by the term to the sampling process. Alternatively, you can use an interface-based filter in place of a firewall filter if you include the sampling statement at the [edit interfaces interface-name-fpc/pic/port unit unit-number family inet] hierarchy level.

There are two types of sampling available: PIC-based sampling and Routing Engine-based sampling. PIC-based sampling occurs when a monitoring services or adaptive services interface is the target for the output of the sampling process. To enable PIC-based sampling, include the interface statement at the [edit forwarding-options sampling output] hierarchy level and specify a monitoring services or adaptive services interface as the output interface. If an output interface is not specified in the sampling configuration, sampling is performed by the Routing Engine.

To specify a cflowd server in a sampling configuration, include the cflowd statement at the [edit forwarding-options sampling output] hierarchy level. You must specify the IP address, port number, and cflowd version of the destination cflowd server. Routing Engine-based sampling can use only one cflowd version 5 server or one version 8 server at a time. In contrast, PIC-based sampling allows you to specify one cflowd version 5 server and one version 8 server simultaneously. However, the two cflowd servers must have different IP addresses.

As part of the output interface statements, you must configure a source address. In contrast, the interface-level statements of engine-id and engine-type are both added automatically. However, you can override these values with manually configured statements to track different flows with a single cflowd collector, as needed. When you configure sampling, SNMP input and output interface index information is captured in cflowd records by default.

[edit]
forwarding-options {
    sampling {
        input {
            family inet {
                rate 1;
            }
        }
        output {
            cflowd 10.60.2.1 {
                port 2055;
                version 5;
            }
            flow-inactive-timeout 15;
            flow-active-timeout 60;
            interface sp-2/0/0 {
                engine-id 5;
                engine-type 55;
                source-address 10.60.2.2;
            }
        }
    }
}
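
On the collector side, the values in this configuration can be used to accept only the expected exporter. The following Python sketch is an added example, not part of the original documentation or any Juniper software: it assumes cflowd version 5 export uses the standard NetFlow version 5 layout (24-byte header, 48-byte records), and the names parse_v5, build_sample and EXPECTED are hypothetical. The sample datagram is constructed, not captured.

```python
import socket
import struct

# NetFlow/cflowd version 5 wire layout (24-byte header, 48-byte flow records).
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Values taken from the configuration on this page.
EXPECTED = {"source": "10.60.2.2", "engine_type": 55, "engine_id": 5}


def parse_v5(datagram, sender_ip, expected=EXPECTED):
    """Return (flow_sequence, flows); raise ValueError for an unexpected exporter."""
    if sender_ip != expected["source"]:
        raise ValueError(f"unexpected exporter address {sender_ip}")
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, _, _, sequence, etype, eid, _ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"expected version 5, got {version}")
    if (etype, eid) != (expected["engine_type"], expected["engine_id"]):
        raise ValueError(f"unexpected engine-type/engine-id {etype}/{eid}")
    # The count field is sender-controlled: check it against the real length.
    if not 1 <= count <= 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "snmp_in": f[3], "snmp_out": f[4],  # SNMP ifIndex values
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return sequence, flows


def build_sample(engine_type=55, engine_id=5):
    """Constructed one-record datagram for testing; not captured traffic."""
    header = HEADER.pack(5, 1, 1000, 1700000000, 0, 42, engine_type, engine_id, 0)
    record = RECORD.pack(
        socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"),
        socket.inet_aton("0.0.0.0"), 12, 34, 10, 840, 100, 900,
        49152, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record


if __name__ == "__main__":
    print(parse_v5(build_sample(), "10.60.2.2"))
```

The UDP source address and engine fields are not authenticated, so this check catches misconfigured or stray exporters; also restrict the collector port to the exporter address with a network filter.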
