Example: Sampling and Discard Accounting Configuration
Discard accounting allows you to sample traffic, send it to a cflowd server for analysis, and discard all packets without forwarding them to their intended destination. Discard accounting is enabled with the discard accounting group-name statement in a firewall filter at the [edit firewall family inet filter filter-name term term-name then] hierarchy level. Then, the filter is applied to an interface with the filter statement at the [edit interfaces interface-name unit unit-number family inet] hierarchy level and processed with the output statement at the [edit forwarding-options accounting group-name] hierarchy level.
In Figure 11, traffic from Router 1 arrives on the monitoring router's Gigabit Ethernet ge-2/3/0 interface. The export interface leading to the cflowd server is fe-1/0/0 and there is no exit interface.
In this example, TCP traffic is sent to one accounting group and all other traffic is diverted to a second group. After being sampled and counted, the two types of traffic are acted upon by the sampling and accounting processes. These processes create cflowd records and send the records to the cflowd version 8 server for analysis. Because multiple types of traffic are sent to the same server, we recommend that you configure the engine-id, engine-type, and source-address statements manually in your accounting and sampling hierarchies. This way, you can differentiate between traffic types when they arrive at the cflowd server.
[edit]
interfaces {
sp-2/0/0 { # This adaptive services interface creates the cflowd records.
unit 0 {
family inet {
address 10.1.1.1/32 {
destination 10.1.1.2;
}
}
}
}
fe-1/0/0 { # This is the export interface where records are sent to the cflowd server.
unit 0 {
family inet {
address 10.60.2.2/30;
}
}
}
ge-2/3/0 { # This is the input interface where traffic enters the router.
unit 0 {
family inet {
filter {
input catch_all;
}
address 11.1.1.1/20;
}
}
} # Note: There is no exit interface, because all traffic is processed and discarded.
}
forwarding-options {
sampling {# The router samples the traffic.
input {
family inet {
rate 100; # One out of every 100 packets is sampled.
}
}
output {#The sampling process creates and exports cflowd records.
cflowd 10.60.2.1 {# You can configure a variety of settings for the cflowd server.
port 2055;
version 8;
aggregation { # Aggregation is unique to cflowd version 8.
protocol-port;
source-destination-prefix;
}
}
aggregate-export-interval 90;
flow-inactive-timeout 60;
flow-active-timeout 60;
interface sp-2/0/0 {# This statement enables PIC-based sampling.
engine-id 5; # Engine statements are generated dynamically, but can be configured.
engine-type 55;
source-address 10.60.2.2; # You must configure this statement.
}
}
}
accounting counter1 {#The first discard accounting process handles default traffic.
output {#This process creates and exports cflowd records.
flow-inactive-timeout 65;
flow-active-timeout 65;
cflowd 10.60.2.1 {# You can configure a variety of settings for the cflowd server.
port 2055;
version 8;
aggregation { # Aggregation is unique to cflowd version 8.
protocol-port;
source-destination-prefix;
}
}
interface sp-2/0/0 {# This statement enables PIC-based discard accounting.
engine-id 1; # Engine statements are generated dynamically, but can be configured.
engine-type 11;
source-address 10.60.2.3; # You must configure this statement.
}
}
}
accounting t2 {#The second discard accounting process handles the TCP traffic.
output {#This process creates and exports cflowd records.
aggregate-export-interval 90;
flow-inactive-timeout 65;
flow-active-timeout 65;
cflowd 10.60.2.1 {# You can configure a variety of settings for the cflowd server.
port 2055;
version 8;
aggregation { # Aggregation is unique to cflowd version 8.
protocol-port;
source-destination-prefix;
}
}
interface sp-2/0/0 { # This statement enables PIC-based discard accounting.
engine-id 2; # Engine statements are generated dynamically, but can be set manually.
engine-type 22;
source-address 10.60.2.4; # You must configure this statement.
}
}
}
}
firewall {
family inet {
filter catch_all { # Apply the firewall filter on the input interface.
term t2 { # This places TCP traffic into one group for sampling and discard accounting.
from {
protocol tcp;
}
then {
count c2;# Thecountaction only counts the traffic as it enters the router.
sample;# Thesampleaction sends the traffic to the sampling process.
discard accounting t2;# Thediscard accountingaction activates accounting.
}
}
term default { # This performs sampling and discard accounting on all other traffic.
then {
count counter;# Thecountaction only counts the traffic as it enters the router.
sample# Thesampleaction sends the traffic to the sampling process.
discard accounting counter1;# This activates discard accounting.
}
}
}
}
}