Enable Accounting on Inbound and Outbound Interfaces

Unlike DCU, which only requires implementation on a single interface, accounting for SCU must be enabled on two interfaces: the inbound and outbound physical or logical interfaces traversed by the source class. You must define explicitly the two interfaces on which SCU monitored traffic is expected to arrive and depart. This is because SCU performs two lookups in the routing table: a source address (SA) and a destination address (DA) lookup. In contrast, DCU only has a single destination address lookup. By specifying the addresses involved in the additional SCU SA lookup, you minimize the performance impact on your router.

An individual SCU interface can be configured as an input interface, an output interface, or both. SCU can be enabled in an IPv4 (family inet) or IPv6 (family inet6) network. You configure SCU accounting with the following commands:

[edit]

interfaces 

    interface-name {

        unit unit-number {

            family (inet | inet6) {

                accounting {

                    source-class-usage {

                        (input | output | [input output]);

                    }

                    destination-class-usage;

                }

            }

        }

    }

}

After the full SCU configuration is enabled, every packet arriving on an SCU input interface is subjected to an SA-based lookup and then a DA-based lookup. In addition, an individual set of counters for every configured SCU class is maintained by the router on a per-interface and per-protocol family basis.

When you enable SCU or DCU, keep the following information in mind:

• In JUNOS Release 5.6 and later for M-series routers only, you can use a source class or a destination class as a match condition in a firewall filter. To configure, include the destination-class or source-class statement at the [edit firewall filter firewall-name term term-name from] hierarchy level. For more information about firewall filters, see the JUNOS Internet Software Policy Framework Configuration Guide.
• You can assign up to 126 source classes and 126 destination classes.
• A source or destination class is applied to a packet only once during the routing table lookup. When a network prefix matches a class-usage policy, SCU is assigned to packets first; DCU is assigned only if SCU has not been assigned. Be careful when using both class types, since misconfiguration can result in uncounted packets. The following example explores one potential mishap:

    A packet arrives on a router interface configured for both SCU and DCU. The packet's 
source address matches an SCU class and its destination matches a DCU class. 
Consequently, the packet is subjected to a source lookup, marked with the SCU class, 
and the DCU class is ignored. As a result, the packet is forwarded to the outbound 
interface with only the SCU class still intact.

    However, the outbound interface lacks an SCU configuration. As the packet is ready 
to leave the router, the router notices the output interface is not configured for SCU and 
the packet is not counted by SCU. Likewise, even though the prefix matched the DCU 
prefix, the DCU counters do not increment since DCU was superseded by SCU at the 
inbound interface.

To solve this problem, make sure you configure both the inbound and outbound interfaces completely or configure only one class type per interface per direction.

• Classes cannot be mapped to directly connected prefixes configured on local interfaces. This is true for DCU and SCU classes.
• If you use multiple terms within a single policy, you only need to configure the policy name and apply it to the forwarding table once. This makes it easier to change options within your terms without having to reconfigure the main policy.
• Execute CLI show commands and accounting profiles at the desired outbound interface to track SCU traffic. SCU counters increment at the SCU output interface.
• Apply your classes to the inbound and outbound interfaces by means of the input and output SCU interface parameters.
• On T-series routing platforms, the source and destination classes are not carried across the platform fabric. For these routing platforms, SCU and DCU accounting is performed before the packet enters the fabric and DCU is performed before output filters are evaluated.
• If an output filter drops traffic on M-series platforms, the dropped packets are excluded from DCU statistics. If an output filter drops traffic on T-series routing platforms, the dropped packets are included in DCU statistics.