
Active Flow Monitoring Configuration Examples

This section contains configuration examples and commands you can issue to verify an active flow monitoring configuration:

Example: Sampling Configuration

Figure 46: Active Flow Monitoring—Sampling Configuration Topology Diagram


In Figure 46, traffic from Router 1 arrives on the monitoring router's Gigabit Ethernet ge-2/3/0 interface. The exit interface on the monitoring router that leads to destination Router 2 is ge-3/0/0. In active flow monitoring, both the input interface and exit interface can be any interface type (such as SONET/SDH, Gigabit Ethernet, and so on). The export interface leading to the flow server is fe-1/0/0.

Configure a firewall filter to sample, count, and accept all traffic. Apply the filter to the input interface, and configure the exit interface (for traffic forwarding), the adaptive services interface (for flow processing), and the export interface (for exporting flow records).

Configure sampling at the [edit forwarding-options] hierarchy level. Include the IP address and port of the flow server with the flow-server statement and specify the adaptive services interface to be used for flow record processing with the interface statement at the [edit forwarding-options sampling] hierarchy level.

Router 1

[edit]
interfaces {
    sp-2/0/0 { # This adaptive services interface creates the flow records.
        unit 0 {
            family inet {
                address 10.5.5.1/32 {
                    destination 10.5.5.2;
                }
            }
        }
    }
    fe-1/0/0 { # This is the interface where records are sent to the flow server.
        unit 0 {
            family inet {
                address 10.60.2.2/30;
            }
        }
    }
    ge-2/3/0 { # This is the input interface where all traffic enters the router.
        unit 0 {
            family inet {
                filter {
                    input catch_all; # This is where the firewall filter is applied.
                }
                address 10.1.1.1/20;
            }
        }
    }
    ge-3/0/0 { # This is the interface where the original traffic is forwarded.
        unit 0 {
            family inet {
                address 10.2.2.1/24;
            }
        }
    }
}
forwarding-options {
    sampling { # Traffic is sampled and sent to a flow server.
        input {
            family inet {
                rate 1; # Samples 1 out of x packets (here, a rate of 1 sample per packet).
            }
        }
        output {
            flow-server 10.60.2.1 { # The IP address and port of the flow server.
                port 2055;
                version 5; # Records are sent to the flow server using version 5 format.
            }
            flow-inactive-timeout 15;
            flow-active-timeout 60;
            interface sp-2/0/0 { # Adding an interface here enables PIC-based sampling.
                engine-id 5; # Engine statements are dynamic, but can be configured.
                engine-type 55;
                source-address 10.60.2.2; # You must configure this statement.
            }
        }
    }
}
firewall {
    family inet {
        filter catch_all { # Apply this filter on the input interface.
            term default {
                then {
                    sample;
                    count counter1;
                    accept;
                }
            }
        }
    }
}
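The following script is an added illustration and is not part of the original Juniper example. It builds a cflowd version 5 datagram of the kind this configuration exports to the flow server on UDP port 2055, parses it back, scales the sampled counters by the sampling interval carried in the header, and checks the flow-sequence field for lost export datagrams (export runs over UDP, so loss is otherwise silent). The two flows are taken from the flow-detail output later on this page; the interface indexes, timestamps and next-hop fields are constructed placeholders.

```python
import struct
from ipaddress import IPv4Address

# cflowd/NetFlow version 5 wire format: 24-byte header followed by 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def build_v5_datagram(records, engine_type, engine_id, sampling_interval, seq=0):
    """Constructed datagram in the shape an exporter sends to UDP port 2055 (test input, not a capture)."""
    body = b"".join(V5_RECORD.pack(
        int(IPv4Address(r["src"])), int(IPv4Address(r["dst"])), 0,   # src, dst, next hop
        r["in_if"], r["out_if"], r["pkts"], r["octets"], 0, 0,       # ifindexes, counters, first/last
        r["sport"], r["dport"], 0, 0, r["proto"], 0, 0, 0, 0, 0, 0)  # ports, pad, flags, proto, tos, AS, masks, pad
        for r in records)
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, seq,
                            engine_type, engine_id, sampling_interval)
    return header + body


def parse_v5(datagram):
    """Parse one datagram into (header, records); reject anything that is not a well-formed v5 export."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, _uptime, _secs, _nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unexpected version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "flow_sequence": seq, "engine_type": etype, "engine_id": eid,
              # The low 14 bits carry the interval; the top 2 bits are the sampling mode.
              "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                        "in_if": f[3], "out_if": f[4], "pkts": f[5], "octets": f[6],
                        "sport": f[9], "dport": f[10], "proto": PROTO.get(f[13], str(f[13]))})
    return header, records


def estimated_totals(header, records):
    """Scale the sampled counters by the sampling interval to estimate the traffic actually seen."""
    n = max(header["sampling_interval"], 1)
    return {"pkts": n * sum(r["pkts"] for r in records),
            "octets": n * sum(r["octets"] for r in records)}


def sequence_gap(previous, current):
    """In v5 the flow sequence counts flows seen, so after a datagram with n records the next
    one should start at previous sequence + n; a positive gap means export datagrams were lost."""
    return current["flow_sequence"] - (previous["flow_sequence"] + previous["count"])


# Two flows from the flow-detail output on this page, constructed here as test input.
FLOWS = [
    {"src": "10.1.1.2", "dst": "10.0.0.1", "in_if": 24, "out_if": 26,
     "pkts": 4329, "octets": 3386035, "sport": 53, "dport": 53, "proto": 17},
    {"src": "10.1.1.2", "dst": "10.3.0.1", "in_if": 24, "out_if": 26,
     "pkts": 1, "octets": 1494, "sport": 20, "dport": 20, "proto": 6},
]
# Engine pair and rate 1 as in the configuration above.
SAMPLE = build_v5_datagram(FLOWS, engine_type=55, engine_id=5, sampling_interval=1)

if __name__ == "__main__":
    hdr, recs = parse_v5(SAMPLE)
    print(hdr)
    print(estimated_totals(hdr, recs))
```

With rate 1 the estimate equals the sampled counts; rebuilding the same datagram with a sampling interval of 100 (as in the discard accounting example further down) multiplies the estimate by 100, which is the arithmetic a collector applies before comparing exported volumes with interface counters.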

Verifying Your Work

To verify that your configuration is correct, use the following commands on the monitoring station that is configured for active flow monitoring:

Most active flow monitoring operational mode commands provide output equivalent to that of the corresponding passive flow monitoring commands.

The active flow monitoring commands can be used with most active flow monitoring applications, including sampling, discard accounting, port mirroring, and multiple port mirroring. However, you can use the passive flow monitoring commands only with configurations that contain a monitoring group at the [edit forwarding-options monitoring] hierarchy level.

The following shows the output of the show commands used with the configuration example:


user@router> show services accounting errors
Service Accounting interface: sp-2/0/0, Local interface index: 542
Service name: (default sampling)
  Error information
    Packets dropped (no memory): 0, Packets dropped (not IP): 0
    Packets dropped (not IPv4): 0, Packets dropped (header too small): 0
    Memory allocation failures: 0, Memory free failures: 0
    Memory free list failures: 0
    Memory overload: No, PPS overload: No, BPS overload: Yes

user@router> show services accounting flow-detail limit 10
Service Accounting interface: sp-2/0/0, Local interface index: 468
Service name: (default sampling)
Protocol   Source         Source  Destination Destination    Packet        Byte
           Address          Port  Address            Port     count       count
udp(17)    10.1.1.2           53  10.0.0.1             53      4329     3386035
ip(0)      10.1.1.2            0  10.0.0.2              0      4785     3719654
ip(0)      10.1.1.2            0  10.0.1.2              0      4530     3518769
udp(17)    10.1.1.2            0  10.0.7.1              0      5011     3916767
tcp(6)     10.1.1.2           20  10.3.0.1             20         1        1494
tcp(6)     10.1.1.2           20  10.168.80.1          20         1         677
tcp(6)     10.1.1.2           20  10.69.192.1          20         1         446
tcp(6)     10.1.1.2           20  10.239.240.1         20         1        1426
tcp(6)     10.1.1.2           20  10.126.160.1         20         1         889
tcp(6)     10.1.1.2           20  10.71.224.1          20         1        1046

user@router>  show services accounting memory
Service Accounting interface: sp-2/0/0, Local interface index: 468
Service name: (default sampling)
  Memory utilization
    Allocation count: 437340, Free count: 430681, Maximum allocated: 6782
    Allocations per second: 3366, Frees per second: 6412
    Total memory used (in bytes): 133416928, Total memory free (in bytes): 133961744

user@router>  show services accounting packet-size-distribution
Service Accounting interface: sp-2/0/0, Local interface index: 468
Service name: (default sampling)
Range start     Range end     Number of packets     Percentage packets
         64            96               1705156                    100

user@router>  show services accounting status
Service Accounting interface: sp-2/0/0, Local interface index: 468
Service name: (default sampling)
  Interface state: Monitoring
  Group index: 0
  Export interval: 60 secs, Export format: cflowd v5
  Protocol: IPv4, Engine type: 55, Engine ID: 5
  Route record count: 13, IFL to SNMP index count: 30, AS count: 1
  Time set: Yes, Configuration set: Yes
  Route record set: Yes, IFL SNMP map set: Yes

user@router>  show services accounting usage
Service Accounting interface: sp-2/0/0, Local interface index: 468
Service name: (default sampling)
  CPU utilization
    Uptime: 4790345 milliseconds, Interrupt time: 1668537848 microseconds
    Load (5 second): 71%, Load (1 minute): 63%
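The checks below are an added example and are not part of the original documentation. They parse the key/value layout of the show services accounting errors and show services accounting status output reproduced above and flag the conditions an operator should act on: dropped packets, an overloaded services PIC, or a PIC that is not exporting with the format and engine values that were configured. The sample output is a copy of what is shown on this page; the expected version and engine values come from the configuration.

```python
import re

# Constructed copies of the operational output shown on this page (not live captures).
ERRORS_OUTPUT = """\
Service Accounting interface: sp-2/0/0, Local interface index: 542
Service name: (default sampling)
  Error information
    Packets dropped (no memory): 0, Packets dropped (not IP): 0
    Packets dropped (not IPv4): 0, Packets dropped (header too small): 0
    Memory allocation failures: 0, Memory free failures: 0
    Memory free list failures: 0
    Memory overload: No, PPS overload: No, BPS overload: Yes
"""

STATUS_OUTPUT = """\
Service Accounting interface: sp-2/0/0, Local interface index: 468
Service name: (default sampling)
  Interface state: Monitoring
  Group index: 0
  Export interval: 60 secs, Export format: cflowd v5
  Protocol: IPv4, Engine type: 55, Engine ID: 5
  Route record count: 13, IFL to SNMP index count: 30, AS count: 1
  Time set: Yes, Configuration set: Yes
  Route record set: Yes, IFL SNMP map set: Yes
"""

# One "Key: value" pair; pairs on a line are separated by commas.
FIELD = re.compile(r"([A-Za-z][A-Za-z0-9 ()\-]*?):\s*([^,]+?)(?:,|$)")


def parse_key_values(text):
    """Turn 'Key: value, Key: value' lines into a flat dict; numeric values become ints."""
    out = {}
    for line in text.splitlines():
        for key, val in FIELD.findall(line.strip()):
            val = val.strip()
            out[key.strip()] = int(val) if val.isdigit() else val
    return out


def health_findings(errors):
    """Flag drops or an overloaded PIC from the parsed 'errors' output."""
    findings = []
    for key, val in errors.items():
        if key.startswith("Packets dropped") and val:
            findings.append(f"{key}: {val}")
        if key.endswith("overload") and val == "Yes":
            findings.append(f"{key}: PIC cannot keep up with the sampled traffic")
    return findings


def status_matches_config(status, version="v5", engine_type=55, engine_id=5):
    """Confirm the PIC is monitoring and exporting with the configured format and engine values."""
    problems = []
    if status.get("Interface state") != "Monitoring":
        problems.append("interface not in Monitoring state")
    if not str(status.get("Export format", "")).endswith(version):
        problems.append(f"export format {status.get('Export format')!r} is not {version}")
    if (status.get("Engine type"), status.get("Engine ID")) != (engine_type, engine_id):
        problems.append("engine type/id on the PIC differ from the configuration")
    if status.get("Configuration set") != "Yes":
        problems.append("configuration not set on PIC")
    return problems


if __name__ == "__main__":
    print(health_findings(parse_key_values(ERRORS_OUTPUT)))
    print(status_matches_config(parse_key_values(STATUS_OUTPUT)))
```

Run against the page's own output, the only finding is BPS overload: Yes, which is worth noting because this example samples every packet (rate 1); when the PIC reports overload, the usual remedy is a larger rate value so that fewer packets are sampled.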

Example: Sampling and Discard Accounting Configuration

Discard accounting allows you to sample traffic, send it to a flow server for analysis, and discard all packets without forwarding them to their intended destination. Discard accounting is enabled with the discard accounting group-name statement in a firewall filter at the [edit firewall family inet filter filter-name term term-name then] hierarchy level. Then, the filter is applied to an interface with the filter statement at the [edit interfaces interface-name unit unit-number family inet] hierarchy level and processed with the output statement at the [edit forwarding-options accounting group-name] hierarchy level.

Figure 47: Active Flow Monitoring—Sampling and Discard Accounting Topology Diagram


In Figure 47, traffic from Router 1 arrives on the monitoring router’s Gigabit Ethernet ge-2/3/0 interface. The export interface leading to the flow server is fe-1/0/0 and there is no exit interface.

In this example, TCP traffic is sent to one accounting group and all other traffic is diverted to a second group. After being sampled and counted, the two types of traffic are acted upon by the sampling and accounting processes. These processes create flow records and send the records to the version 8 flow server for analysis. Because multiple types of traffic are sent to the same server, we recommend that you configure the engine-id, engine-type, and source-address statements manually in your accounting and sampling hierarchies. This way, you can differentiate between traffic types when they arrive at the flow server.

[edit]
interfaces {
    sp-2/0/0 { # This adaptive services interface creates the flow records.
        unit 0 {
            family inet {
                address 10.5.5.1/32 {
                    destination 10.5.5.2;
                }
            }
        }
    }
    fe-1/0/0 { # This is the interface where records are sent to the flow server.
        unit 0 {
            family inet {
                address 10.60.2.2/30;
            }
        }
    }
    ge-2/3/0 { # This is the input interface where traffic enters the router.
        unit 0 {
            family inet {
                filter {
                    input catch_all;
                }
                address 10.1.1.1/20;
            }
        }
    }
}
forwarding-options {
    sampling { # The router samples the traffic.
        input {
            family inet {
                rate 100; # One out of every 100 packets is sampled.
            }
        }
        output { # The sampling process creates and exports flow records.
            flow-server 10.60.2.1 { # You can configure a variety of settings.
                port 2055;
                version 8;
                aggregation { # Aggregation is unique to flow version 8.
                    protocol-port;
                    source-destination-prefix;
                }
            }
            aggregate-export-interval 90;
            flow-inactive-timeout 60;
            flow-active-timeout 60;
            interface sp-2/0/0 { # This statement enables PIC-based sampling.
                engine-id 5; # Engine statements are dynamic, but can be configured.
                engine-type 55;
                source-address 10.60.2.2; # You must configure this statement.
            }
        }
    }
    accounting counter1 { # This discard accounting process handles default traffic.
        output { # This process creates and exports flow records.
            flow-inactive-timeout 65;
            flow-active-timeout 65;
            flow-server 10.60.2.1 { # You can configure a variety of settings.
                port 2055;
                version 8;
                aggregation { # Aggregation is unique to version 8.
                    protocol-port;
                    source-destination-prefix;
                }
            }
            interface sp-2/0/0 { # This statement enables PIC-based discard accounting.
                engine-id 1; # Engine statements are dynamic, but can be configured.
                engine-type 11;
                source-address 10.60.2.3; # You must configure this statement.
            }
        }
    }
    accounting t2 { # The second discard accounting process handles the TCP traffic.
        output { # This process creates and exports flow records.
            aggregate-export-interval 90;
            flow-inactive-timeout 65;
            flow-active-timeout 65;
            flow-server 10.60.2.1 { # You can configure a variety of settings for the server.
                port 2055;
                version 8;
                aggregation { # Aggregation is unique to version 8.
                    protocol-port;
                    source-destination-prefix;
                }
            }
            interface sp-2/0/0 { # This statement enables PIC-based discard accounting.
                engine-id 2; # Engine statements are dynamic, but can be configured.
                engine-type 22;
                source-address 10.60.2.4; # You must configure this statement.
            }
        }
    }
}
firewall {
    family inet {
        filter catch_all { # Apply the firewall filter on the input interface.
            term t2 { # This places TCP traffic into one group for sampling and
                from { # discard accounting.
                    protocol tcp;
                }
                then {
                    count c2; # The count action counts traffic as it enters the router.
                    sample; # The sample action sends the traffic to the sampling process.
                    discard accounting t2; # The discard accounting discards traffic.
                }
            }
            term default { # Performs sampling and discard accounting on all other traffic.
                then {
                    count counter; # The count action counts traffic as it enters the router.
                    sample; # The sample action sends the traffic to the sampling process.
                    discard accounting counter1; # This activates discard accounting.
                }
            }
        }
    }
}
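The following collector-side check is an added example, not Juniper's code, of the recommendation above that each process be given its own engine-id, engine-type and source-address. It reads the engine fields from a version 8 export header and, together with the address the datagram arrived from, maps each datagram to the sampling or accounting process that produced it; a datagram whose engine pair belongs to one process but arrives from a different address is rejected, since that points to a misconfigured or spoofed exporter. The header layout is the standard cflowd/NetFlow version 8 header; the datagrams and the rogue source address 192.0.2.9 are constructed, and the aggregation byte is left at 0 because only the engine fields are used.

```python
import struct
from collections import Counter

# NetFlow/cflowd version 8 header: version, count, SysUptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, aggregation, agg_version, reserved (28 bytes).
V8_HEADER = struct.Struct("!HHIIIIBBBBI")

# Exporter identities from the configuration above: one (source-address, engine-type,
# engine-id) triple per process, which is what lets the collector tell the streams apart.
KNOWN_EXPORTERS = {
    ("10.60.2.2", 55, 5): "sampling",
    ("10.60.2.3", 11, 1): "accounting counter1",
    ("10.60.2.4", 22, 2): "accounting t2",
}


def make_v8_header(engine_type, engine_id, aggregation=0, count=1, seq=0):
    """Constructed header for testing; a real exporter appends aggregation records after it."""
    return V8_HEADER.pack(8, count, 0, 0, 0, seq, engine_type, engine_id, aggregation, 2, 0)


def identify_exporter(src_ip, datagram):
    """Return the process name for a datagram, or a labelled reason for rejecting it."""
    if len(datagram) < V8_HEADER.size:
        return "rejected: short header"
    (version, _count, _uptime, _secs, _nsecs, _seq,
     etype, eid, _agg, _aggver, _reserved) = V8_HEADER.unpack_from(datagram)
    if version != 8:
        return f"rejected: version {version}"
    name = KNOWN_EXPORTERS.get((src_ip, etype, eid))
    if name is not None:
        return name
    # Engine pair is known but the datagram came from another address: misconfiguration or spoofing.
    for (ip, t, i), known in KNOWN_EXPORTERS.items():
        if (t, i) == (etype, eid):
            return f"rejected: engine {etype}/{eid} belongs to {known} at {ip}, not {src_ip}"
    return f"rejected: unknown engine {etype}/{eid} from {src_ip}"


def tally(datagrams):
    """Count datagrams per process; rejected ones are grouped under their reason."""
    counts = Counter()
    for src_ip, datagram in datagrams:
        counts[identify_exporter(src_ip, datagram)] += 1
    return counts


# Constructed traffic: three legitimate exporters plus one datagram from an unexpected address.
SAMPLE = [
    ("10.60.2.2", make_v8_header(55, 5)),
    ("10.60.2.4", make_v8_header(22, 2)),
    ("10.60.2.4", make_v8_header(22, 2)),
    ("10.60.2.3", make_v8_header(11, 1)),
    ("192.0.2.9", make_v8_header(22, 2)),
]

if __name__ == "__main__":
    for key, n in tally(SAMPLE).items():
        print(f"{n:3d}  {key}")
```

Because all three processes export to the same server and port (10.60.2.1:2055), the engine fields are the only thing inside the datagram that distinguishes them; keying the lookup on the source address as well is what makes the per-process source-address statements above useful on the collector.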

Verifying Your Work

To verify that your configuration is correct, use the following commands on the monitoring station that is configured for active flow monitoring:

The following shows the output of the show commands used with the configuration example:


user@router> show services accounting flow name t2
Service Accounting interface: sp-2/0/0, Local interface index: 468
Service name: t2
  Flow information
    Flow packets: 56130820, Flow bytes: 3592372480
    Flow packets 10-second rate: 13024, Flow bytes 10-second rate: 833573
    Active flows: 600, Total flows: 600
    Flows exported: 28848, Flows packets exported: 960
    Flows inactive timed out: 0, Flows active timed out: 35400

user@router>  show services accounting
Service Name:
    (default sampling)
    counter1
    t2

user@router>  show services accounting aggregation protocol-port detail name t2
Service Accounting interface: sp-2/0/0, Local interface index: 468
Service name: t2

  Protocol: 6, Source port: 20, Destination port: 20
  Start time: 442794, End time: 6436260
  Flow count: 1, Packet count: 4294693925, Byte count: 4277471552

user@router> show services accounting aggregation source-destination-prefix name t2 limit 10 order packets
Service Accounting interface: sp-2/0/0, Local interface index: 542
Service name: t2
     Source     Destination  Input SNMP  Output SNMP   Flow  Packet    Byte
     Prefix          Prefix       Index        Index  count   count   count
10.1.1.2/20    10.225.0.1/0          24           26      0      13    9650
10.1.1.2/20   10.143.80.1/0          24           26      0      13   10061
10.1.1.2/20   10.59.176.1/0          24           26      0      13   10426
10.1.1.2/20     10.5.32.1/0          24           26      0      13   12225
10.1.1.2/20    10.36.16.1/0          24           26      0      13    9116
10.1.1.2/20     10.1.96.1/0          24           26      0      12   11050
10.1.1.2/20    10.14.48.1/0          24           26      0      13   10812
10.1.1.2/20   10.31.192.1/0          24           26      0      13   11473
10.1.1.2/20  10.129.144.1/0          24           26      0      13    7647
10.1.1.2/20  10.188.160.1/0          24           26      0      13   10056

user@router> show services accounting aggregation source-destination-prefix name t2 extensive limit 3
Service Accounting interface: sp-2/0/0, Local interface index: 542
Service name: t2

  Source address: 10.1.1.2, Source prefix length: 20
  Destination address: 10.200.176.1, Destination prefix length: 0
  Input SNMP interface index: 24, Output SNMP interface index: 26
  Source-AS: 69, Destination-AS: 69
  Start time: Fri Feb 21 14:16:57 2003, End time: Fri Feb 21 14:22:50 2003
  Flow count: 0, Packet count: 6, Byte count: 5340

  Source address: 10.1.1.2, Source prefix length: 20
  Destination address: 10.243.160.1, Destination prefix length: 0
  Input SNMP interface index: 24, Output SNMP interface index: 26
  Source-AS: 69, Destination-AS: 69
  Start time: Fri Feb 21 14:16:57 2003, End time: Fri Feb 21 14:22:50 2003
  Flow count: 0, Packet count: 6, Byte count: 5490
  
  Source address: 10.1.1.2, Source prefix length: 20
  Destination address: 10.162.160.1, Destination prefix length: 0
  Input SNMP interface index: 24, Output SNMP interface index: 26
  Source-AS: 69, Destination-AS: 69
  Start time: Fri Feb 21 14:16:57 2003, End time: Fri Feb 21 14:22:50 2003
  Flow count: 0, Packet count: 6, Byte count: 4079

Example: Multiple Port Mirroring with Next-Hop Groups Configuration

When you need to analyze traffic containing more than one packet type, or you wish to perform multiple types of analysis on a single type of traffic, you can implement multiple port mirroring and next-hop groups. You can make up to 16 copies of traffic per group and send the traffic to next-hop group members. A maximum of 30 groups can be configured on a routing platform at any given time. The port-mirrored traffic can be sent to any interface, except aggregated SONET/SDH, aggregated Ethernet, loopback (lo0), or administrative (fxp0) interfaces. To send port-mirrored traffic to multiple flow servers or packet analyzers, you can use the next-hop-group statement at the [edit forwarding-options] hierarchy level.

Figure 48: Active Flow Monitoring—Multiple Port Mirroring with Next-Hop Groups Topology Diagram


Figure 48 shows an example of how to configure multiple port mirroring with next-hop groups. All traffic enters the monitoring router at interface ge-1/0/0. A firewall filter counts and port-mirrors all incoming packets to a Tunnel Services PIC. A second filter is applied to the tunnel interface and splits the traffic into three categories: HTTP traffic, FTP traffic, and all other traffic. The three types of traffic are assigned to three separate next-hop groups. Each next-hop group contains a unique pair of exit interfaces that lead to different groups of packet analyzers and flow servers.

[edit]
interfaces {
    ge-1/0/0 { # This is the input interface where packets enter the router.
        unit 0 {
            family inet {
                filter {
                    input mirror_pkts; # Here is where you apply the first filter.
                }
                address 10.11.1.1/24;
            }
        }
    }
    ge-1/1/0 { # This is an exit interface for HTTP packets.
        unit 0 {
            family inet {
                address 10.12.1.1/24;
            }
        }
    }
    ge-1/2/0 { # This is an exit interface for HTTP packets.
        unit 0 {
            family inet {
                address 10.13.1.1/24;
            }
        }
    }
    so-0/3/0 { # This is an exit interface for FTP packets.
        unit 0 {
            family inet {
                address 10.1.1.1/30;
            }
        }
    }
    so-4/3/0 { # This is an exit interface for FTP packets.
        unit 0 {
            family inet {
                address 10.2.2.1/30;
            }
        }
    }
    so-7/0/0 { # This is an exit interface for all remaining packets.
        unit 0 {
            family inet {
                address 10.5.5.1/30;
            }
        }
    }
    so-7/0/1 { # This is an exit interface for all remaining packets.
        unit 0 {
            family inet {
                address 10.6.6.1/30;
            }
        }
    }
    vt-3/3/0 { # The tunnel interface is where you send the port-mirrored traffic.
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet {
                filter {
                    input collect_pkts; # This is where you apply the second firewall filter.
                }
            }
        }
    }
}
forwarding-options {
    port-mirroring { # This is required when you configure next-hop groups.
        family inet {
            input {
                rate 1; # This port-mirrors all packets (one copy for every packet received).
            }
            output { # Sends traffic to a tunnel interface to enable multiport mirroring.
                interface vt-3/3/0.1;
                no-filter-check;
            }
        }
    }
    next-hop-group ftp-traffic { # Point-to-point interfaces require you to specify the
        interface so-4/3/0.0; # interface name.
        interface so-0/3/0.0;
    }
    next-hop-group http-traffic { # Configure a next hop for all multipoint interfaces.
        interface ge-1/1/0.0 {
            next-hop 10.12.1.2;
        }
        interface ge-1/2/0.0 {
            next-hop 10.13.1.2;
        }
    }
    next-hop-group default-collect {
        interface so-7/0/0.0;
        interface so-7/0/1.0;
    }
}
firewall {
    family inet {
        filter mirror_pkts { # Apply this filter to the input interface.
            term catch_all {
                then {
                    count input_mirror_pkts;
                    port-mirror; # This action sends traffic to be copied and port-mirrored.
                }
            }
        }
        filter collect_pkts { # Apply this filter to the tunnel interface.
            term ftp-term { # This term sends FTP traffic to an FTP next-hop group.
                from {
                    protocol tcp; # The protocol match takes an IP protocol; FTP is selected by port.
                    port ftp;
                }
                then next-hop-group ftp-traffic;
            }
            term http-term { # This term sends HTTP traffic to an HTTP next-hop group.
                from {
                    protocol tcp;
                    port http;
                }
                then next-hop-group http-traffic;
            }
            term default { # This sends all remaining traffic to a final next-hop group.
                then next-hop-group default-collect; # Must match the group name configured above.
            }
        }
    }
}
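As an added example that is not from the Juniper documentation, the following Python model walks packets through the two traffic-splitting filters on this page, catch_all from the discard accounting example and collect_pkts from the next-hop group example, using the first-match term evaluation that Junos firewall filters apply. FTP and HTTP are modelled as TCP ports 21 and 80, the packets are constructed, and the action strings are labels for what each term would do on the router rather than executable router actions.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:            # only the fields the filters on this page look at
    proto: str           # "tcp", "udp", "icmp", ...
    sport: int
    dport: int


@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)   # an empty 'from' clause matches every packet
    actions: tuple = ()


FTP, HTTP = 21, 80   # the well-known ports behind the 'ftp' and 'http' port keywords


def term_matches(term, pkt):
    """Every condition in a term's 'from' clause must hold; 'port' matches source or destination."""
    for key, want in term.match.items():
        if key == "protocol" and pkt.proto != want:
            return False
        if key == "port" and want not in (pkt.sport, pkt.dport):
            return False
    return True


def evaluate(terms, pkt):
    """Terms are tried in order and the first match decides; a packet that matches no term
    is silently discarded (the implicit discard at the end of every filter)."""
    for term in terms:
        if term_matches(term, pkt):
            return term.name, term.actions
    return None, ("discard",)


def run_filter(terms, pkts):
    """Apply a filter to a packet list; return the named counters and per-term packet counts."""
    counters, per_term = Counter(), Counter()
    for pkt in pkts:
        name, actions = evaluate(terms, pkt)
        per_term[name or "<implicit discard>"] += 1
        for act in actions:
            if act.startswith("count "):
                counters[act.split()[1]] += 1
    return counters, per_term


# The catch_all filter from the discard accounting example.
CATCH_ALL = [
    Term("t2", {"protocol": "tcp"}, ("count c2", "sample", "discard accounting t2")),
    Term("default", {}, ("count counter", "sample", "discard accounting counter1")),
]

# The collect_pkts filter from the next-hop group example.
COLLECT_PKTS = [
    Term("ftp-term", {"protocol": "tcp", "port": FTP}, ("next-hop-group ftp-traffic",)),
    Term("http-term", {"protocol": "tcp", "port": HTTP}, ("next-hop-group http-traffic",)),
    Term("default", {}, ("next-hop-group default-collect",)),
]

# Constructed packets: a DNS exchange, an FTP control connection, a web reply, an ICMP echo.
PACKETS = [
    Packet("udp", 53, 53),
    Packet("tcp", 41000, FTP),
    Packet("tcp", HTTP, 52000),
    Packet("icmp", 0, 0),
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, "->", evaluate(CATCH_ALL, pkt)[0], "/", evaluate(COLLECT_PKTS, pkt)[0])
    print(run_filter(CATCH_ALL, PACKETS))
```

Dropping the default term from collect_pkts and evaluating the ICMP packet returns the implicit discard, which is why each filter on this page ends with a term that has no from clause: without it, traffic that matches none of the earlier terms is dropped rather than mirrored or forwarded.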
