
Passive Flow Monitoring Configuration Examples

This section contains configuration examples and commands you can issue to verify a passive flow monitoring configuration:

Example: Passive Flow Monitoring Configuration

Figure 43: Passive Flow Monitoring—Topology Diagram


In Figure 43, traffic enters the monitoring station through interfaces so-0/0/0 and so-0/1/0. After the firewall filter accepts the traffic to be monitored, the packets enter a VRF instance.

The original packets travel within the VRF instance to the Monitoring Services PIC for flow processing. The final flow packets are sent from the monitoring services interfaces out the fe-3/0/0 interface to a flow server.

A copy of the accepted traffic is port-mirrored to the Tunnel PIC. As the copied packets enter the tunnel interface, a second firewall filter separates TCP and UDP packets and places them into two filter-based forwarding instances. The UDP instance directs the UDP packets to a packet analyzer attached to fe-3/2/0. The TCP instance sends the TCP packets to the ES PIC for encryption and the ES PIC sends the packets to a second packet analyzer connected to fe-3/2/1.

Your first step is to define a firewall filter to select packets for monitoring. All filtered traffic must be accepted, and the port-mirror statement at the [edit firewall family inet filter filter-name term term-name then] hierarchy level facilitates port mirroring.

Next, configure the input SONET/SDH interfaces and apply the firewall filter that you just defined. The passive-monitor-mode statement disables SONET keepalives on the SONET/SDH interfaces and enables passive flow monitoring.

Configure all other interfaces that you will use with the monitoring application, including the monitoring services interfaces, the export interfaces, the tunnel interface, and the ES interface. Once the interfaces are in place, configure a VRF instance and monitoring group to direct the original packets from the input interfaces to the monitoring services interfaces for processing. The resulting flow description packets exit fe-3/0/0 to reach the flow server.

Next, configure statements to port-mirror the monitored traffic to a tunnel interface. Design a firewall filter that selects some of this copied traffic for further analysis and some of the traffic for discarding. In this case, isolate TCP and UDP traffic and direct these two flows into separate filter-based forwarding routing instances. Remember to apply the filter to the tunnel interface to enable the separation of TCP traffic from UDP traffic. Also, import the interface routes into the forwarding instances with a routing table group.

In the filter-based forwarding instances, define static route next hops. The next hop for the TCP instance is the ES interface and the next hop for the UDP instance is the packet analyzer connected to fe-3/2/0. Finally, configure IPSec so that the next hop for the TCP traffic is the second packet analyzer attached to fe-3/2/1.

[edit]
interfaces {
so-0/0/0 { # Traffic enters the router on this interface.
description "input interface";
encapsulation ppp;
unit 0 {
passive-monitor-mode; # Disables SONET keepalives.
family inet {
filter {
input input-monitoring-filter; # The firewall filter is applied here.
}
}
}
}
so-0/1/0 { # Traffic enters the router on this interface.
description "input interface";
encapsulation ppp;
unit 0 {
passive-monitor-mode; # Disables SONET keepalives.
family inet {
filter {
input input-monitoring-filter; # The firewall filter is applied here.
}
}
}
}
es-3/1/0 { # This is where the TCP traffic enters the ES PIC.
unit 0 {
tunnel {
source 10.8.8.1;
destination 10.8.8.2;
}
family inet {
ipsec-sa sa-esp;
address 3.3.3.1/32 {
destination 3.3.3.2;
}
}
}
}
fe-3/0/0 { # Flow records exit here and travel to the flow server.
description "export interface to the flow server";
unit 0 {
family inet;
address 192.168.245.1/30;
}
}
fe-3/2/0 { # This export interface for UDP traffic leads to a packet analyzer.
description "export interface to the packet analyzer";
unit 0 {
family inet {
address 10.9.9.1/30;
}
}
}
fe-3/2/1 { # This IPSec tunnel source exports TCP traffic to a packet analyzer.
unit 0 {
family inet {
address 10.8.8.1/30;
}
}
}
mo-4/0/0 { # This marks the beginning of the monitoring services interfaces.
unit 0 { # Unit 0 is part of the inet.0 routing table and generates flow records.
family inet;
}
unit 1 { # Unit 1 receives monitored traffic and is part of the VRF instance.
family inet;
}
}
mo-4/1/0 {
unit 0 { # Unit 0 is part of the inet.0 routing table and generates flow records.
family inet;
}
unit 1 { # Unit 1 receives monitored traffic and is part of the VRF instance.
family inet;
}
}
mo-4/2/0 {
unit 0 { # Unit 0 is part of the inet.0 routing table and generates flow records.
family inet;
}
unit 1 { # Unit 1 receives monitored traffic and is part of the VRF instance.
family inet;
}
}
mo-4/3/0 {
unit 0 { # Unit 0 is part of the inet.0 routing table and generates flow records.
family inet;
}
unit 1 { # Unit 1 receives monitored traffic and is part of the VRF instance.
family inet;
}
}
vt-0/2/0 { # The tunnel services interface receives the port-mirrored traffic.
unit 0 {
family inet {
filter {
input tunnel-interface-filter; # The filter splits traffic into TCP and UDP
}
}
}
}
}
forwarding-options {
monitoring group1 { # Monitored traffic is processed by the monitoring services
family inet { # interfaces and flow records are sent to the flow server.
output {
export-format cflowd-version-5;
flow-active-timeout 60;
flow-inactive-timeout 30;
flow-server 192.168.245.2 port 2055; # IP address and port for server.
interface mo-4/0/0.1 { # Use monitoring services interfaces for output.
engine-id 1; # engine and interface-index statements are optional.
engine-type 1;
input-interface-index 44;
output-interface-index 54;
source-address 192.168.245.1; # This is the IP address of fe-3/0/0.
}
interface mo-4/1/0.1 {
engine-id 2; # engine and interface-index statements are optional.
engine-type 1;
input-interface-index 45;
output-interface-index 55;
source-address 192.168.245.1; # This is the IP address of fe-3/0/0.
}
interface mo-4/2/0.1 {
engine-id 3; # engine and interface-index statements are optional.
engine-type 1;
input-interface-index 46;
output-interface-index 56;
source-address 192.168.245.1; # This is the IP address of fe-3/0/0.
}
interface mo-4/3/0.1 {
engine-id 4; # engine and interface-index statements are optional.
engine-type 1;
input-interface-index 47;
output-interface-index 57;
source-address 192.168.245.1; # This is the IP address of fe-3/0/0.
}
}
}
}
port-mirroring { # Copies the traffic and sends it to the Tunnel Services PIC.
family inet {
input {
rate 1;
run-length 1;
}
output {
interface vt-0/2/0.0;
no-filter-check;
}
}
}
}
routing-options { # This installs the interface routes into the forwarding instances.
interface-routes {
rib-group inet bc-vrf;
}
rib-groups {
bc-vrf {
import-rib [inet.0 tcp-routing-table.inet.0 udp-routing-table.inet.0];
}
}
forwarding-table {
export pplb; # Applies per-packet load balancing to the forwarding table.
}
}
policy-options {
policy-statement monitoring-vrf-import {
then reject;
}
policy-statement monitoring-vrf-export {
then reject;
}
policy-statement pplb {
then {
load-balance per-packet;
}
}
}
security { # This sets IPSec options for the ES PIC.
ipsec {
proposal esp-sha1-3des {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 180;
}
policy esp-group2 {
perfect-forward-secrecy {
keys group2;
}
proposals esp-sha1-3des;
}
security-association sa-esp {
mode tunnel;
dynamic {
ipsec-policy esp-group2;
}
}
}
ike {
proposal ike-esp {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 180;
}
policy 10.8.8.2 {
mode aggressive;
proposals ike-esp;
pre-shared-key ascii-text "$9$qmQnuORrlMBIds2oiH0BIESe";
}
}
}
firewall {
family inet {
filter input-monitoring-filter { # This filter selects traffic to send into the VRF
term 1 { # instance and prepares the traffic for port mirroring.
from {
destination-address {
10.7.0.0/16;
}
}
then {
port-mirror;
accept;
}
}
term 2 {
from {
destination-address {
10.6.0.0/16;
}
}
then accept;
}
}
filter tunnel-interface-filter { # This filter breaks the port-mirrored traffic into two
term tcp { # filter-based forwarding instances: TCP packets and UDP packets.
from {
protocol tcp;
}
then { # This counts TCP packets and sends them into a TCP instance.
count tcp;
routing-instance tcp-routing-table;
}
}
term udp {
from {
protocol udp;
}
then { # This counts UDP packets and sends them into a UDP instance.
count udp;
routing-instance udp-routing-table;
}
}
term rest {
then {
count rest;
discard;
}
}
}
}
}
routing-instances {
monitoring-vrf { # This is the VRF instance where you send the traffic. It contains
instance-type vrf; # the input interface and the monitoring services interfaces.
interface so-0/0/0.0; # Traffic enters the router on these input interfaces.
interface so-0/1/0.0;
interface mo-4/0/0.1;
interface mo-4/1/0.1; # These are output interfaces (use them as
interface mo-4/2/0.1; # output interfaces in your monitoring group).
interface mo-4/3/0.1;
route-distinguisher 69:1;
vrf-import monitoring-vrf-import;
vrf-export monitoring-vrf-export;
routing-options { # Sends traffic to a group of monitoring services interfaces.
static {
route 0.0.0.0/0 next-hop [mo-4/0/0.1 mo-4/1/0.1
mo-4/2/0.1 mo-4/3/0.1];
}
}
}
tcp-routing-table { # This is the filter-based forwarding instance for TCP traffic.
instance-type forwarding;
routing-options { # The next hop is the ES PIC.
static {
route 0.0.0.0/0 next-hop es-3/1/0.0;
}
}
}
udp-routing-table { # This is the filter-based forwarding instance for UDP traffic.
instance-type forwarding;
routing-options { # The next hop is the second packet analyzer.
static {
route 0.0.0.0/0 next-hop 10.9.1.2;
}
}
}
}
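The monitoring group above exports cflowd version 5 records to the flow server at 192.168.245.2 port 2055, stamped with the configured engine-id, engine-type and source-address. As an added example (not part of the Juniper documentation), the following Python decodes such a datagram and applies the checks a collector operator wants: the export format is plain UDP with no authentication, so the collector should accept only the configured source-address and known engine-id values, and should track the per-engine flow_sequence counter to detect lost export packets. It assumes that cflowd v5 uses the standard NetFlow v5 layout (24-byte header, 48-byte records); the sample datagram is constructed, not captured from a PIC.

```python
"""Decoder and collector-side checks for cflowd version 5 export datagrams (added
example; assumes the standard NetFlow v5 layout: 24-byte header, 48-byte records)."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")             # version .. sampling_interval
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # srcaddr .. pad2

# engine-id values the monitoring group on this page assigns to its interfaces,
# and the source-address it stamps on the export packets (from the config above).
CONFIGURED_ENGINES = {1: "mo-4/0/0.1", 2: "mo-4/1/0.1", 3: "mo-4/2/0.1", 4: "mo-4/3/0.1"}
EXPORT_SOURCE = "192.168.245.1"

@dataclass
class FlowRecord:
    src: str
    dst: str
    input_if: int
    output_if: int
    packets: int
    octets: int
    src_port: int
    dst_port: int
    protocol: int

@dataclass
class V5Datagram:
    count: int
    flow_sequence: int
    engine_type: int
    engine_id: int
    records: List[FlowRecord]

def _ip(n: int) -> str:
    return socket.inet_ntoa(n.to_bytes(4, "big"))

def parse_netflow_v5(data: bytes) -> V5Datagram:
    """Decode one datagram; raise ValueError instead of trusting a bad length."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count, _up, _secs, _ns, seq, etype, eid, _samp = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"unexpected export version {version}")
    if not 1 <= count <= 30:
        raise ValueError(f"record count {count} outside 1..30")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"length {len(data)} does not match {count} records ({expected})")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        # f[2] nexthop, f[7]/f[8] first/last, f[11] pad and f[12] tcp_flags are not kept
        records.append(FlowRecord(_ip(f[0]), _ip(f[1]), f[3], f[4], f[5], f[6],
                                  f[9], f[10], f[13]))
    return V5Datagram(count, seq, etype, eid, records)

def check_datagram(udp_src: str, data: bytes, last_seq: Dict[int, int]) -> List[str]:
    """v5 export is unauthenticated UDP: accept only the configured exporter and
    engine IDs, and track flow_sequence per engine (the next sequence must equal
    the previous sequence plus its record count) to detect lost export packets."""
    if udp_src != EXPORT_SOURCE:
        return [f"dropped datagram from unexpected exporter {udp_src}"]
    try:
        dg = parse_netflow_v5(data)
    except ValueError as err:
        return [f"malformed datagram from {udp_src}: {err}"]
    problems = []
    if dg.engine_id not in CONFIGURED_ENGINES:
        problems.append(f"unknown engine-id {dg.engine_id}")
    prev = last_seq.get(dg.engine_id)
    if prev is not None and dg.flow_sequence != prev:
        problems.append(f"engine {dg.engine_id}: expected sequence {prev}, got "
                        f"{dg.flow_sequence}, {dg.flow_sequence - prev} flows lost")
    last_seq[dg.engine_id] = dg.flow_sequence + dg.count
    return problems

def build_sample(engine_id: int, seq: int,
                 flows: List[Tuple[str, str, int, int, int]]) -> bytes:
    """Constructed datagram (not a PIC capture) using the page's interface indexes
    44/54 and engine-type 1; each flow is (src, dst, sport, dport, protocol)."""
    header = V5_HEADER.pack(5, len(flows), 653155, 1700000000, 0, seq, 1, engine_id, 0)
    body = b""
    for src, dst, sport, dport, proto in flows:
        body += V5_RECORD.pack(
            int.from_bytes(socket.inet_aton(src), "big"),
            int.from_bytes(socket.inet_aton(dst), "big"),
            0, 44, 54, 10, 1000, 1000, 2000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 16, 0)
    return header + body

if __name__ == "__main__":
    seen: Dict[int, int] = {}
    first = build_sample(1, 0, [("10.1.1.5", "10.7.3.9", 40000, 443, 6)])
    print(check_datagram(EXPORT_SOURCE, first, seen))   # []
    gap = build_sample(1, 5, [("10.1.1.6", "10.6.2.2", 5000, 53, 17)])
    print(check_datagram(EXPORT_SOURCE, gap, seen))     # one sequence-gap finding
```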

Verifying Your Work

To verify that your configuration is correct, use the following commands on the monitoring station that is configured for passive flow monitoring:

To clear statistics for the show passive-monitoring error and show passive-monitoring flow commands, issue the clear passive-monitoring (all | interface-name) command.

You can also view passive flow monitoring status with the Simple Network Management Protocol (SNMP). The following Management Information Base (MIB) tables are supported:

The following section shows the output of the show commands used with the configuration example:


user@mon-station> show route 0/0
 <skip inet.0> 

# We are only concerned with the routing-instance route.

bc-vrf.inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 5d 17:34:57
                      via mo-4/0/0.1
                    > via mo-4/1/0.1
                      via mo-4/2/0.1
                      via mo-4/3/0.1
tcp-rt.inet.0: 13 destinations, 13 routes (12 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 19:24:39
                    > via es-3/1/0.0
  : <other interface routes>
udp-rt.inet.0: 13 destinations, 13 routes (12 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 19:24:39
                    > to 10.9.1.2 via fe-3/2/0.0
  : <other interface routes>

Note: For all show passive-monitoring commands, the output obtained when using a wildcard (such as *) or the all option is based on the configured interfaces listed at the [edit forwarding-options monitoring group-name] hierarchy level. In the output from the configuration example, you see information only for the configured interfaces mo-4/0/0, mo-4/1/0, mo-4/2/0, and mo-4/3/0.

Many of the statements you can configure in a monitoring group, such as engine-id and engine-type, are visible in the output of the show passive-monitoring commands.

Table 29: Output Fields for the show passive-monitoring error Command

Packets dropped (no memory): Number of packets dropped because no memory was available.
Packets dropped (not IP): Number of non-IP packets dropped.
Packets dropped (not IPv4): Number of packets dropped because they failed the IPv4 check.
Packets dropped (header too small): Number of packets dropped because the packet length or IP header length was too small.
Memory allocation failures: Number of flow record memory allocation failures. A small number reflects failures to replenish the free list; a large number indicates that the monitoring station is almost out of memory.
Memory free failures: Number of flow record memory frees.
Memory free list failures: Number of failed attempts to obtain a flow record from the free list. Memory is nearly exhausted, or too many new flows (more than 128K) are being created in one second.
Memory warning: Whether the flow rate has exceeded 1 million packets per second (Mpps) on a Monitoring Services PIC or 2 Mpps on a Monitoring Services II PIC. The response is Yes or No.
Memory overload: Whether memory has been overloaded. The response is Yes or No.
PPS overload: Whether the PIC is receiving more traffic, in packets per second, than the configured threshold. The response is Yes or No.
BPS overload: Whether the PIC is receiving more traffic, in bytes per second, than the configured threshold. The response is Yes or No.


user@mon-station> show passive-monitoring error all
Passive monitoring interface: mo-4/0/0, Local interface index: 44
  Error information
    Packets dropped (no memory): 0, Packets dropped (not IP): 0
    Packets dropped (not IPv4): 0, Packets dropped (header too small): 0
    Memory allocation failures: 0, Memory free failures: 0
    Memory free list failures: 0
    Memory warning: No, Memory overload: No, PPS overload: No, BPS overload: No

Passive monitoring interface: mo-4/1/0, Local interface index: 45
  Error information
    Packets dropped (no memory): 0, Packets dropped (not IP): 0
    Packets dropped (not IPv4): 0, Packets dropped (header too small): 0
    Memory allocation failures: 0, Memory free failures: 0
    Memory free list failures: 0
    Memory warning: No, Memory overload: No, PPS overload: No, BPS overload: No

Passive monitoring interface: mo-4/2/0, Local interface index: 46
  Error information
    Packets dropped (no memory): 0, Packets dropped (not IP): 0
    Packets dropped (not IPv4): 0, Packets dropped (header too small): 0
    Memory allocation failures: 0, Memory free failures: 0
    Memory free list failures: 0
    Memory warning: No, Memory overload: No, PPS overload: No, BPS overload: No

Passive monitoring interface: mo-4/3/0, Local interface index: 47
  Error information
    Packets dropped (no memory): 0, Packets dropped (not IP): 0
    Packets dropped (not IPv4): 0, Packets dropped (header too small): 0
    Memory allocation failures: 0, Memory free failures: 0
    Memory free list failures: 0
    Memory warning: No, Memory overload: No, PPS overload: No, BPS overload: No

Table 30: Output Fields for the show passive-monitoring flow Command

Flow packets: Number of packets received by an operational PIC.
Flow bytes: Number of bytes received by an operational PIC.
Flow packets 10-second rate: Number of packets per second handled by the PIC, displayed as a 10-second average.
Flow bytes 10-second rate: Number of bytes per second handled by the PIC, displayed as a 10-second average.
Active flows: Number of currently active flows tracked by the PIC.
Total flows: Total number of flows received by an operational PIC.
Flows exported: Total number of flows exported by an operational PIC.
Flows packets exported: Total number of flow packets exported by an operational PIC.
Flows inactive timed out: Total number of flows exported because of inactivity.
Flows active timed out: Total number of long-lived flows exported because of an active timeout.


user@mon-station> show passive-monitoring flow all
Passive monitoring interface: mo-4/0/0, Local interface index: 44
  Flow information
    Flow packets: 6533434, Flow bytes: 653343400
    Flow packets 10-second rate: 0, Flow bytes 10-second rate: 0
    Active flows: 0, Total flows: 1599
    Flows exported: 1599, Flows packets exported: 55
    Flows inactive timed out: 1599, Flows active timed out: 0

Passive monitoring interface: mo-4/1/0, Local interface index: 45
  Flow information
    Flow packets: 6537780, Flow bytes: 653778000
    Flow packets 10-second rate: 0, Flow bytes 10-second rate: 0
    Active flows: 0, Total flows: 1601
    Flows exported: 1601, Flows packets exported: 55
    Flows inactive timed out: 1601, Flows active timed out: 0

Passive monitoring interface: mo-4/2/0, Local interface index: 46
  Flow information
    Flow packets: 6529259, Flow bytes: 652925900
    Flow packets 10-second rate: 0, Flow bytes 10-second rate: 0
    Active flows: 0, Total flows: 1599
    Flows exported: 1599, Flows packets exported: 55
    Flows inactive timed out: 1599, Flows active timed out: 0

Passive monitoring interface: mo-4/3/0, Local interface index: 47
  Flow information
    Flow packets: 6560741, Flow bytes: 656074100
    Flow packets 10-second rate: 0, Flow bytes 10-second rate: 0
    Active flows: 0, Total flows: 1598
    Flows exported: 1598, Flows packets exported: 55
    Flows inactive timed out: 1598, Flows active timed out: 0
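As an added example that is not part of the original documentation, the following Python parses the show passive-monitoring error and show passive-monitoring flow output above into per-interface fields (the fields of Tables 29 and 30) and reports the conditions an operator should act on: any nonzero drop or memory-failure counter, any overload flag set to Yes, and an interface that reports no packets in the last 10 seconds and no active flows, which can indicate a monitoring blind spot on the tapped link. The first interface block in each sample is copied from the output above; the mo-4/1/0 block is constructed to show a failing PIC.

```python
"""Health check over 'show passive-monitoring error' and 'show passive-monitoring
flow' output (added example; the mo-4/1/0 block in each sample is constructed)."""
import re
from typing import Dict, List

HEADER_RE = re.compile(r"^Passive monitoring interface: (\S+), Local interface index: (\d+)$")

# Counters that stay at zero on a healthy PIC (Table 29).
DROP_FIELDS = ("Packets dropped (no memory)", "Packets dropped (not IP)",
               "Packets dropped (not IPv4)", "Packets dropped (header too small)",
               "Memory allocation failures", "Memory free failures",
               "Memory free list failures")
# Yes/No flags that show the PIC is beyond its configured thresholds (Table 29).
OVERLOAD_FIELDS = ("Memory warning", "Memory overload", "PPS overload", "BPS overload")

# mo-4/0/0 copied from the page output; mo-4/1/0 constructed to show a PIC that
# is dropping packets for lack of memory while over its pps threshold.
ERROR_SAMPLE = """\
Passive monitoring interface: mo-4/0/0, Local interface index: 44
  Error information
    Packets dropped (no memory): 0, Packets dropped (not IP): 0
    Packets dropped (not IPv4): 0, Packets dropped (header too small): 0
    Memory allocation failures: 0, Memory free failures: 0
    Memory free list failures: 0
    Memory warning: No, Memory overload: No, PPS overload: No, BPS overload: No

Passive monitoring interface: mo-4/1/0, Local interface index: 45
  Error information
    Packets dropped (no memory): 1200, Packets dropped (not IP): 0
    Packets dropped (not IPv4): 0, Packets dropped (header too small): 0
    Memory allocation failures: 0, Memory free failures: 0
    Memory free list failures: 0
    Memory warning: No, Memory overload: No, PPS overload: Yes, BPS overload: No
"""
FLOW_SAMPLE = """\
Passive monitoring interface: mo-4/0/0, Local interface index: 44
  Flow information
    Flow packets: 6533434, Flow bytes: 653343400
    Flow packets 10-second rate: 0, Flow bytes 10-second rate: 0
    Active flows: 0, Total flows: 1599
    Flows exported: 1599, Flows packets exported: 55
    Flows inactive timed out: 1599, Flows active timed out: 0

Passive monitoring interface: mo-4/1/0, Local interface index: 45
  Flow information
    Flow packets: 7241002, Flow bytes: 724100200
    Flow packets 10-second rate: 8200, Flow bytes 10-second rate: 820000
    Active flows: 312, Total flows: 1903
    Flows exported: 1591, Flows packets exported: 55
    Flows inactive timed out: 1591, Flows active timed out: 0
"""

def parse_show_output(text: str) -> Dict[str, Dict[str, str]]:
    """Turn per-interface 'Field: value, Field: value' lines into nested dicts."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = result.setdefault(m.group(1), {"Local interface index": m.group(2)})
            continue
        if current is None or ": " not in line:
            continue  # section titles such as "Error information" carry no values
        for pair in line.split(", "):
            key, sep, value = pair.partition(": ")
            if sep:
                current[key] = value
    return result

def assess(error_text: str, flow_text: str) -> List[str]:
    """Return one finding per condition an operator should look at."""
    findings = []
    for ifname, fields in parse_show_output(error_text).items():
        for name in DROP_FIELDS:
            if int(fields.get(name, "0")) > 0:
                findings.append(f"{ifname}: {name} = {fields[name]}")
        for name in OVERLOAD_FIELDS:
            if fields.get(name) == "Yes":
                findings.append(f"{ifname}: {name}")
    for ifname, fields in parse_show_output(flow_text).items():
        # No recent packets and no open flows on a monitoring interface is a
        # potential blind spot: the tap, the input filter or the VRF may be broken.
        if fields.get("Flow packets 10-second rate") == "0" and fields.get("Active flows") == "0":
            findings.append(f"{ifname}: no traffic in the last 10 seconds")
    return sorted(findings)

if __name__ == "__main__":
    for finding in assess(ERROR_SAMPLE, FLOW_SAMPLE):
        print(finding)
```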

Table 31: Output Fields for the show passive-monitoring memory Command

Allocation count: Number of flow records allocated.
Free count: Number of flow records freed.
Maximum allocated: Maximum number of flow records allocated since the monitoring station booted; that is, the peak number of flow records allocated at one time.
Allocations per second: Flow records allocated per second during the last statistics interval on the PIC.
Frees per second: Flow records freed per second during the last statistics interval on the PIC.
Total memory used: Total amount of memory currently used (in bytes).
Total memory free: Total amount of memory currently free (in bytes).


user@mon-station> show passive-monitoring memory all
Passive monitoring interface: mo-4/0/0, Local interface index: 44
  Memory utilization
    Allocation count: 1600, Free count: 1599, Maximum allocated: 1600
    Allocations per second: 3200, Frees per second: 1438
    Total memory used (in bytes): 103579176, Total memory free (in bytes): 163914184

Passive monitoring interface: mo-4/1/0, Local interface index: 45
  Memory utilization
    Allocation count: 1602, Free count: 1601, Maximum allocated: 1602
    Allocations per second: 3204, Frees per second: 1472
    Total memory used (in bytes): 103579176, Total memory free (in bytes): 163914184

Passive monitoring interface: mo-4/2/0, Local interface index: 46
  Memory utilization
    Allocation count: 1600, Free count: 1599, Maximum allocated: 1600
    Allocations per second: 3200, Frees per second: 1440
    Total memory used (in bytes): 103579176, Total memory free (in bytes): 163914184

Passive monitoring interface: mo-4/3/0, Local interface index: 47
  Memory utilization
    Allocation count: 1599, Free count: 1598, Maximum allocated: 1599
    Allocations per second: 3198, Frees per second: 1468
    Total memory used (in bytes): 103579176, Total memory free (in bytes): 163914184

Table 32: Output Fields for the show passive-monitoring status Command

Interface state: Indicates whether the interface is monitoring (operating properly), disabled (administratively disabled), or not monitoring (not configured).
Group index: Integer that identifies the monitoring group of which the PIC is a member. (This is not the number of monitoring groups.)
Export interval: Configured export interval for flow records, in seconds.
Export format: Configured export format (only v5 is currently supported).
Protocol: Protocol the PIC is configured to monitor (only IPv4 is currently supported).
Engine type: Configured engine type that is inserted in output flow packets.
Engine ID: Configured engine ID that is inserted in output flow packets.
Route record count: Number of routes recorded.
IFL to SNMP index count: Number of logical interfaces mapped to an SNMP index.
AS count: Number of AS boundaries that the flow has crossed.
Time set: Indicates whether the time stamp is in place.
Configuration set: Indicates whether the monitoring configuration is set.
Route record set: Indicates whether routes are being recorded.
IFL SNMP map set: Indicates whether logical interfaces are being mapped to an SNMP index.


user@mon-station> show passive-monitoring status all
Passive monitoring interface: mo-4/0/0, Local interface index: 44
  Interface state: Monitoring
  Group index: 0
  Export interval: 15 secs, Export format: cflowd v5
  Protocol: IPv4, Engine type: 1, Engine ID: 1
  Route record count: 13, IFL to SNMP index count: 30, AS count: 1
  Time set: Yes, Configuration set: Yes
  Route record set: Yes, IFL SNMP map set: Yes

Passive monitoring interface: mo-4/1/0, Local interface index: 45
  Interface state: Monitoring
  Group index: 0
  Export interval: 15 secs, Export format: cflowd v5
  Protocol: IPv4, Engine type: 1, Engine ID: 2
  Route record count: 13, IFL to SNMP index count: 30, AS count: 1
  Time set: Yes, Configuration set: Yes
  Route record set: Yes, IFL SNMP map set: Yes

Passive monitoring interface: mo-4/2/0, Local interface index: 46
  Interface state: Monitoring
  Group index: 0
  Export interval: 15 secs, Export format: cflowd v5
  Protocol: IPv4, Engine type: 1, Engine ID: 3
  Route record count: 13, IFL to SNMP index count: 30, AS count: 1
  Time set: Yes, Configuration set: Yes
  Route record set: Yes, IFL SNMP map set: Yes

Passive monitoring interface: mo-4/3/0, Local interface index: 47
  Interface state: Monitoring
  Group index: 0
  Export interval: 15 secs, Export format: cflowd v5
  Protocol: IPv4, Engine type: 1, Engine ID: 4
  Route record count: 13, IFL to SNMP index count: 30, AS count: 1
  Time set: Yes, Configuration set: Yes
  Route record set: Yes, IFL SNMP map set: Yes

Table 33: Output Fields for the show passive-monitoring usage Command

Uptime: Time, in milliseconds, that the PIC has been operational.
Interrupt time: Cumulative time that the PIC has spent processing packets since the last PIC reset.
Load (5 second): CPU load on the PIC averaged over 5 seconds, as a percentage: the time spent on active tasks divided by the total elapsed time.
Load (1 minute): CPU load on the PIC averaged over 1 minute, as a percentage: the time spent on active tasks divided by the total elapsed time.


user@mon-station> show passive-monitoring usage *
Passive monitoring interface: mo-4/0/0, Local interface index: 44
  CPU utilization
    Uptime: 653155 milliseconds, Interrupt time: 40213754 microseconds
    Load (5 second): 20%, Load (1 minute): 17%

Passive monitoring interface: mo-4/1/0, Local interface index: 45
  CPU utilization
    Uptime: 652292 milliseconds, Interrupt time: 40223178 microseconds
    Load (5 second): 22%, Load (1 minute): 15%

Passive monitoring interface: mo-4/2/0, Local interface index: 46
  CPU utilization
    Uptime: 649491 milliseconds, Interrupt time: 40173645 microseconds
    Load (5 second): 22%, Load (1 minute): 10098862%

Passive monitoring interface: mo-4/3/0, Local interface index: 47
  CPU utilization
    Uptime: 657328 milliseconds, Interrupt time: 40368704 microseconds
    Load (5 second): 1%, Load (1 minute): 15%

Example: Flow Collector Interface Configuration

Figure 44: Flow Collector Interface Topology Diagram


Figure 44 shows the path traveled by monitored traffic as it passes through the routing platform. Packets arrive at input interfaces so-0/1/0, so-3/0/0, and so-3/1/0. The raw packets are directed into a filter-based forwarding routing instance and processed into flow records by the monitoring services interfaces mo-7/1/0, mo-7/2/0, and mo-7/3/0. The flow records are compressed into files at the flow collector interfaces cp-6/0/0 and cp-7/0/0 and sent to the FTP server for analysis. Finally, a mandatory class-of-service (CoS) configuration is applied to export channels 0 and 1 on the flow collector interfaces to manage the outgoing processed files.

Router 1

[edit]
chassis {
fpc 6 {
pic 0 {
monitoring-services {
application flow-collector; # This converts a Monitoring Services II PIC
} # into a flow collector interface.
}
}
fpc 7 {
pic 0 {
monitoring-services {
application flow-collector; # This converts a Monitoring Services II PIC
} # into a flow collector interface.
}
}
}
interfaces {
cp-6/0/0 {
unit 0 { # Logical interface .0 on a flow collector interface is export
family inet { # channel 0 and sends records to the FTP server.
filter {
output cp-ftp; # Apply the CoS filter here.
}
address 10.0.0.1/32 {
destination 10.0.0.2;
}
}
}
unit 1 { # Logical interface .1 on a flow collector interface is export
family inet { # channel 1 and sends records to the FTP server.
filter {
output cp-ftp; # Apply the CoS filter here.
}
address 10.1.1.1/32 {
destination 10.1.1.2;
}
}
}
unit 2 { # Logical interface .2 on a flow collector interface is the flow
family inet { # receive channel that communicates with the Routing Engine.
address 10.2.2.1/32 { # Do not apply a CoS filter on logical interface .2.
destination 10.2.2.2;
}
}
}
}
cp-7/0/0 {
unit 0 { # Logical interface .0 on a flow collector interface is export
family inet { # channel 0 and sends records to the FTP server.
filter {
output cp-ftp; # Apply the CoS filter here.
}
address 10.3.3.1/32 {
destination 10.3.3.2;
}
}
}
unit 1 { # Logical interface .1 on a flow collector interface is export
family inet { # channel 1 and sends records to the FTP server.
filter {
output cp-ftp; # Apply the CoS filter here.
}
address 10.4.4.1/32 {
destination 10.4.4.2;
}
}
}
unit 2 { # Logical interface .2 on a flow collector interface is the flow
family inet { # receive channel that communicates with the Routing Engine.
address 10.5.5.1/32 { # Do not apply a CoS filter on logical interface .2.
destination 10.5.5.2;
}
}
}
}
fe-1/3/0 { # This is the exit interface leading to the first FTP server.
unit 0 {
family inet {
address 192.168.56.90/30;
}
}
}
ge-1/0/0 { # This is the exit interface leading to the second FTP server.
unit 0 {
family inet {
address 192.168.252.2/24;
}
}
}
mo-7/1/0 { # This is the first interface that creates flow records.
unit 0 {
family inet;
}
}
mo-7/2/0 { # This is the second interface that creates flow records.
unit 0 {
family inet;
}
}
mo-7/3/0 { # This is the third interface that creates flow records.
unit 0 {
family inet;
}
}
so-0/1/0 { # This is the first input interface that receives traffic to be monitored.
encapsulation ppp;
unit 0 {
passive-monitor-mode; # This allows the interface to be passively monitored.
family inet {
filter {
input catch; # The filter-based forwarding filter is applied here.
}
}
}
}
so-3/0/0 { # This is the second interface that receives traffic to be monitored.
encapsulation ppp;
unit 0 {
passive-monitor-mode; # This allows the interface to be passively monitored.
family inet {
filter {
input catch; # The filter-based forwarding filter is applied here.
}
}
}
}
so-3/1/0 { # This is the third interface that receives traffic to be monitored.
encapsulation ppp;
unit 0 {
passive-monitor-mode; # This allows the interface to be passively monitored.
family inet {
filter {
input catch; # The filter-based forwarding filter is applied here.
}
}
}
}
}
forwarding-options {
monitoring group1 { # Always define your monitoring group here.
family inet {
output {
export-format cflowd-version-5;
flow-active-timeout 60;
flow-inactive-timeout 15;
flow-export-destination collector-pic; # Sends records to the flow collector.
interface mo-7/1/0.0 {
source-address 192.168.252.2;
}
interface mo-7/2/0.0 {
source-address 192.168.252.2;
}
interface mo-7/3/0.0 {
source-address 192.168.252.2;
}
}
}
}
}
routing-options {
interface-routes {
rib-group inet common;
}
rib-groups {
common {
import-rib [ inet.0 fbf_instance.inet.0 ];
}
}
forwarding-table {
export pplb;
}
}
policy-options {
policy-statement pplb {
then {
load-balance per-packet;
}
}
}
class-of-service { # A class-of-service configuration for the flow collector interface
interfaces { # is mandatory when implementing flow collector services.
cp-6/0/0 {
scheduler-map cp-map;
}
cp-7/0/0 {
scheduler-map cp-map;
}
}
scheduler-maps {
cp-map {
forwarding-class best-effort scheduler Q0;
forwarding-class expedited-forwarding scheduler Q1;
forwarding-class network-control scheduler Q3;
}
}
schedulers {
Q0 {
transmit-rate remainder;
buffer-size percent 90;
}
Q1 {
transmit-rate percent 5;
buffer-size percent 5;
priority strict-high;
}
Q3 {
transmit-rate percent 5;
buffer-size percent 5;
}
}
}
firewall {
family inet {
filter cp-ftp { # This filter provides CoS for flow collector interface traffic.
term t1 {
then forwarding-class expedited-forwarding;
}
}
}
filter catch { # This firewall filter sends incoming traffic into the
interface-specific; # filter-based forwarding routing instance.
term def {
then {
count counter;
routing-instance fbf_instance;
}
}
}
}
routing-instances {
fbf_instance { # This instance sends traffic to the monitoring services interface.
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop mo-7/1/0.0;
}
}
}
}
services {
flow-collector { # Define properties for flow collector interfaces here.
analyzer-address 10.10.10.1; # This is the IP address of the analyzer.
analyzer-id server1; # This helps to identify the analyzer.
retry 3; # Maximum number of attempts by the PIC to send a file transfer log.
retry-delay 30; # The time interval between attempts to send a file transfer log.
destinations { # This defines the FTP servers that receive flow collector output.
"ftp://user@192.168.56.89//tmp/collect1/" { # The primary FTP server.
password "$9$lXJK8xN-w2oZdbZDHmF30O1"; # SECRET-DATA
}
"ftp://user@192.168.252.1//tmp/collect2/" { # The second FTP server.
password "$9$eIbvL7-dsgaGVwGjkP3nOBI"; # SECRET-DATA
}
}
file-specification { # Define sets of flow collector characteristics here.
def-spec {
data-format flow-compressed; # The default compressed output format.
}
f1 {
name-format "cFlowd-py69Ni69-0-%D_%T-%I_%N.bcp.bi.gz";
data-format flow-compressed; # The default compressed output format.
transfer timeout 1800 record-level 1000000; # Here are configured values.
}
}
interface-map { # Allows you to map interfaces to flow collector interfaces.
file-specification def-spec; # Flows generated for default traffic are sent to the
collector cp-7/0/0; # default flow collector interface cp-7/0/0.
so-0/1/0.0 { # Flows generated for the so-0/1/0 interface are sent
collector cp-6/0/0; # to cp-6/0/0, and the file-specification used is "default".
}
so-3/0/0.0 { # Flows generated for the so-3/0/0 interface are sent
file-specification f1; # to cp-6/0/0, and the file-specification used is "f1".
collector cp-6/0/0;
}
so-3/1/0.0; # Because no settings are defined, flows generated for this
}
transfer-log-archive { # Sends flow collector interface log files to an FTP server.
filename-prefix so_3_0_0_log;
maximum-age 15;
archive-sites {
"ftp://user@192.168.56.89//tmp/transfers/" {
password "$9$IFaEyevMXNVsWLsgaU.m6/C";
}
}
}
}
}

Verifying Your Work

To verify that your flow collector configuration is working, use the following commands on the monitoring station that is configured for flow collection:

The following section shows the output of the show commands used with the configuration example:


user@router1> show services flow-collector input interface cp-6/0/0 detail
Interface                      Packets        Bytes
mo-7/1/0.0                        6170      8941592

user@router1>  show services flow-collector interface all detail
Flow collector interface: cp-6/0/0
Interface state: Collecting flows
  Packets     Bytes     Flows Uncompressed  Compressed     FTP bytes FTP files
                                     Bytes       Bytes
     6736   9757936    195993     21855798     3194148             0         0
Flow collector interface: cp-7/0/0
Interface state: Collecting flows
  Packets     Bytes     Flows Uncompressed  Compressed     FTP bytes FTP files
                                     Bytes       Bytes
        0         0         0            0           0             0         0

user@router1>  show services flow-collector input interface cp-6/0/0 extensive
Interface                      Packets        Bytes
mo-7/1/0.0                        6260      9074096

user@router1>  show services flow-collector interface cp-6/0/0 extensive
Flow collector interface: cp-6/0/0
Interface state: Collecting flows
Memory:
    Used: 19593212, Free: 479528656
Input:
    Packets: 6658, per second: 0, peak per second: 0
    Bytes: 9647752, per second: 12655, peak per second: 14311
    Flow records processed: 193782, per second: 252, peak per second: 287
Allocation:
    Blocks allocated: 174, per second: 0, peak per second: 0
    Blocks freed: 0, per second: 0, peak per second: 0
    Blocks unavailable: 0, per second: 0, peak per second: 0
Files:
    Files created: 1, per second: 0, peak per second: 0
    Files exported: 0, per second: 0, peak per second: 0
    Files destroyed: 0, per second: 0, peak per second: 0
Throughput:
    Uncompressed bytes: 21075152, per second: 52032, peak per second: 156172
    Compressed bytes: 3079713, per second: 7618, peak per second: 22999
Packet drops:
    No memory: 0, Not IP: 0
    Not IPv4: 0, Too small: 0
    Fragments: 0, ICMP: 0
    TCP: 0, Unknown: 0
    Not JUNOS flow: 0
File Transfer:
    FTP bytes: 0, per second: 0, peak per second: 0
    FTP files: 0, per second: 0, peak per second: 0
    FTP failure: 0
Export channel: 0   
    Current server: Secondary
    Primary server state: OK, Secondary server state: OK
Export channel: 1
    Current server: Secondary
    Primary server state: OK, Secondary server state: OK

user@router1>  show services flow-collector file interface cp-6/0/0 terse
File name                                                        Flows State
cFlowd-py69Ni69-0-20031112_014301-so_3_0_0_0.bcp.bi.gz          185643 Active

user@router1>  show services flow-collector file interface cp-6/0/0 detail
Filename: cFlowd-py69Ni69-0-20031112_014301-so_3_0_0_0.bcp.bi.gz
  Throughput:
    Flow records: 187067, Uncompressed bytes: 21121960, Compressed bytes: 2965643
  Status:
    State: Active, Transfer attempts: 0

user@router1>  show services flow-collector file interface cp-6/0/0 extensive
Filename: cFlowd-py69Ni69-0-20031112_014301-so_3_0_0_0.bcp.bi.gz
  Throughput:
    Flow records: 188365, per second: 238, peak per second: 287
    Uncompressed bytes: 21267756, per second: 27007, peak per second: 32526
    Compressed bytes: 2965643, per second: 0, peak per second: 22999
  Status:
    Compressed blocks: 156, Block count: 156
    State: Active, Transfer attempts: 0

To clear statistics for a flow collector interface, issue the clear services flow-collector statistics interface (all | interface-name) command.

Another useful flow collector option allows you to change the FTP server from primary to secondary and test for FTP transfers. To force the flow collector interface to use a primary or secondary FTP server, include the primary or secondary option when you issue the request services flow-collector change-destination interface cp-fpc/pic/port command.

If only a primary server is configured and you issue this command with the primary option, you receive the error message "Destination change not needed." If no secondary server is configured and you issue this command with the secondary option, you receive the error message "Destination not configured." When both servers are configured properly, successful output appears as follows.


user@router1> request services flow-collector change-destination interface cp-6/0/0 primary
Flow collector interface: cp-6/0/0
Interface state: Collecting flows
Destination change successful

user@router1>  request services flow-collector change-destination interface  cp-6/0/0 secondary
Flow collector interface: cp-6/0/0
Interface state: Collecting flows
Destination change successful

Other options for the request services flow-collector change-destination interface cp-fpc/pic/port command are immediately (which forces an instant switchover), gracefully (the default behavior that allows a gradual switchover), clear-files (which purges existing data files), and clear-logs (which purges existing log files).

To verify that the flow collector interface can deliver files to the FTP servers, issue the request services flow-collector test-file-transfer filename interface cp-fpc/pic/port command, which schedules a test file for transfer. Include the export channel (zero or one) and the target FTP server (primary or secondary) with this command, as in the example below.


user@router> request services flow-collector test-file-transfer test_file interface cp-6/0/0 channel-one primary
Flow collector interface: cp-6/0/0
Interface state: Collecting flows
Response: Test file transfer successfully scheduled 

Another way you can check for the success of your file transfers is by analyzing the transfer log. A transfer log records detailed information about each file that the flow collector interface collects, processes, and attempts to transfer. Table 34 explains the fields available in the transfer log.

Table 34: Flow Collector Interface Transfer Log Fields

Field   Explanation
fn      Filename
sz      File size
nr      Number of records
ts      Time stamp in the format YYYYMMDDhhmmss: year (4 digits), month (2 digits), day (2 digits), hours (2 digits), minutes (2 digits), seconds (2 digits)
sf      Success flag: 1 for success, 0 for failure
ul      Server URL
rc      FTP result code
er      FTP error text
tt      Transfer time

This is an example of a successful transfer log entry (one entry per line; wrapped here only for display):

fn="cFlowd-py69Ni69-0-20040227_230438-at_4_0_0_4_3.bcp.bi.gz":sz=552569
:nr=20000:ts="20040227230855":sf=1:ul="ftp://10.63.152.1/tmp/server1/":rc=250:
er="":tt=3280

This is an example of a transfer log entry when an FTP session fails. The entry has the same fields; per Table 34, a failure is identified by sf=0, with the FTP result code in rc and the error text in er, so check those three fields rather than the filename or time stamp:

fn="cFlowd-py69Ni69-0-20040227_230515-at_4_0_0_2_8.bcp.bi.gz":sz=560436
:nr=20000:ts="20040227230855":sf=1:ul="ftp://10.63.152.1/tmp/server1/":rc=250
:er="":tt=3290
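The entries above are easier to check mechanically than by eye. The following parser is an added example and is not part of the original page: it reads transfer log entries (one per line, in the format shown above), tokenizes them without breaking on the ':' characters inside the quoted ul URL, converts the Table 34 fields to typed values, and returns the entries whose success flag is 0. The sample log is constructed: the first entry is the successful one shown above, and the second is a made-up failure whose sf, rc, er, ts and tt values are assumptions for illustration, not device output.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log, one entry per line. The first entry is the successful
# entry shown on this page; the second is a constructed failure (its sf, rc, er,
# ts and tt values are assumptions made for illustration, not output from a device).
SAMPLE_TRANSFER_LOG = (
    'fn="cFlowd-py69Ni69-0-20040227_230438-at_4_0_0_4_3.bcp.bi.gz":sz=552569'
    ':nr=20000:ts="20040227230855":sf=1:ul="ftp://10.63.152.1/tmp/server1/":rc=250'
    ':er="":tt=3280\n'
    'fn="cFlowd-py69Ni69-0-20040227_230515-at_4_0_0_2_8.bcp.bi.gz":sz=560436'
    ':nr=20000:ts="20040227231102":sf=0:ul="ftp://10.63.152.1/tmp/server1/":rc=530'
    ':er="Login incorrect":tt=0\n'
)

REQUIRED_FIELDS = {"fn", "sz", "nr", "ts", "sf", "ul", "rc", "er", "tt"}

# One key=value field. The value is either a double-quoted string (which may
# itself contain ':' characters, as the ul URL does) or a bare run of characters
# up to the next ':' separator. The quoted alternative is tried first, so a
# naive split on ':' is avoided.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^:]*)')


@dataclass(frozen=True)
class TransferRecord:
    filename: str
    size: int
    records: int
    timestamp: datetime
    success: bool
    url: str
    ftp_code: int
    error: str
    transfer_time: int  # the page gives no unit for tt; kept as the raw integer


def parse_transfer_entry(line: str) -> TransferRecord:
    """Parse one transfer log entry into a TransferRecord (Table 34 fields)."""
    fields: dict[str, str] = {}
    for match in _FIELD.finditer(line.strip()):
        key, raw = match.group(1), match.group(2)
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')  # strip quotes, unescape \"
        fields[key] = raw
    missing = REQUIRED_FIELDS - fields.keys()
    if missing:
        raise ValueError(f"transfer log entry is missing fields {sorted(missing)}")
    return TransferRecord(
        filename=fields["fn"],
        size=int(fields["sz"]),
        records=int(fields["nr"]),
        timestamp=datetime.strptime(fields["ts"], "%Y%m%d%H%M%S"),
        success=fields["sf"] == "1",
        url=fields["ul"],
        ftp_code=int(fields["rc"]),
        error=fields["er"],
        transfer_time=int(fields["tt"]),
    )


def parse_transfer_log(text: str) -> list[TransferRecord]:
    """Parse every non-empty line of a transfer log."""
    return [parse_transfer_entry(line) for line in text.splitlines() if line.strip()]


def failed_transfers(text: str) -> list[TransferRecord]:
    """Entries to alert on: sf=0 means FTP delivery failed; rc and er say why."""
    return [rec for rec in parse_transfer_log(text) if not rec.success]


if __name__ == "__main__":
    for rec in failed_transfers(SAMPLE_TRANSFER_LOG):
        print(f"FAILED {rec.filename} -> {rec.url} rc={rec.ftp_code} er={rec.error!r}")
```

Feed the real transfer log retrieved from the transfer-log-archive site to parse_transfer_log; failed_transfers gives the entries worth paging on, and a run of them against the same ul usually points at the FTP server or its credentials rather than at the flow collector.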

As the flow collector interface receives and processes flow records, the PIC services logging process (fsad) handles the following tasks:

After the flow collector interface successfully delivers the processed information file to the FTP server, you can analyze the file. The file contains detailed information about the flows collected and processed by the flow collector interface. Table 35 explains the various fields available in the flow collector interface file.

Table 35: Flow Collector Interface File Fields in Order of Appearance

Field                Explanation
linkDir              Link directory: a randomly generated number used to identify the record
analyzer-address     Analyzer address
analyzer-ID          Analyzer identifier
ifAlias              Interface identifier
source-address       Source address
destination-address  Destination address
packets              Number of packets
bytes                Number of bytes
start-time           Start time
end-time             End time
source-port          Source port
destination-port     Destination port
tcp_flag             TCP flag
protocol             IP protocol number
src_AS_number        Source AS number
dst_AS_number        Destination AS number

This is an example of one record from a flow collector interface file (a single line of 16 fields separated by |, wrapped here only for display):

11799241612374557782|10.10.10.1|server1|at_4_0_0_4|192.168.10.100|10.0.0.1|8|
3136|1077926402|1077926402|8224|12336|27|6|0|0
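To make such a file usable for analysis, the following parser is added here as an example; it is not code from the original page. It maps each |-separated line onto the Table 35 fields in order, rejects lines with the wrong field count, decodes tcp_flag with the standard TCP header bitmask (the page does not state the field's encoding, so that is an assumption, as is reading start-time and end-time as Unix epoch seconds), and selects flows by IP protocol and destination port. The sample file is constructed: the first record is the one shown above joined onto one line; the second is a made-up UDP record added to show a non-TCP flow.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Field names in the order of Table 35; a record is one line of 16 '|'-separated values.
FLOW_FIELDS = (
    "linkDir", "analyzer-address", "analyzer-ID", "ifAlias",
    "source-address", "destination-address", "packets", "bytes",
    "start-time", "end-time", "source-port", "destination-port",
    "tcp_flag", "protocol", "src_AS_number", "dst_AS_number",
)

# Standard TCP header flag bits (RFC 793 plus the RFC 3168 ECE/CWR bits).
TCP_FLAG_BITS = (
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
)

# Constructed sample: the first record is the one shown on this page (joined onto
# one line); the second is a made-up UDP record added to show a non-TCP flow.
SAMPLE_FLOW_FILE = (
    "11799241612374557782|10.10.10.1|server1|at_4_0_0_4|192.168.10.100|10.0.0.1|8|"
    "3136|1077926402|1077926402|8224|12336|27|6|0|0\n"
    "11799241612374557783|10.10.10.1|server1|at_4_0_0_4|192.168.10.100|10.0.0.2|1|"
    "76|1077926410|1077926410|53|53|0|17|0|0\n"
)


@dataclass(frozen=True)
class FlowRecord:
    link_dir: int
    analyzer_address: str
    analyzer_id: str
    if_alias: str
    src: str
    dst: str
    packets: int
    byte_count: int
    start_time: int
    end_time: int
    sport: int
    dport: int
    tcp_flag: int
    protocol: int
    src_as: int
    dst_as: int

    def tcp_flags(self) -> list[str]:
        """Names of the bits set in tcp_flag. The page does not define the encoding,
        so the standard TCP header bitmask is assumed. Empty for non-TCP protocols."""
        if self.protocol != 6:
            return []
        return [name for bit, name in TCP_FLAG_BITS if self.tcp_flag & bit]

    def start(self) -> datetime:
        """start-time read as Unix epoch seconds (an assumption; the page gives no unit)."""
        return datetime.fromtimestamp(self.start_time, tz=timezone.utc)


def parse_flow_record(line: str, lineno: int = 0) -> FlowRecord:
    """Parse one '|'-separated record; a wrong field count is an error, not a guess."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(
            f"line {lineno}: expected {len(FLOW_FIELDS)} fields, got {len(parts)}")
    v = dict(zip(FLOW_FIELDS, parts))
    return FlowRecord(
        link_dir=int(v["linkDir"]),
        analyzer_address=v["analyzer-address"],
        analyzer_id=v["analyzer-ID"],
        if_alias=v["ifAlias"],
        src=v["source-address"],
        dst=v["destination-address"],
        packets=int(v["packets"]),
        byte_count=int(v["bytes"]),
        start_time=int(v["start-time"]),
        end_time=int(v["end-time"]),
        sport=int(v["source-port"]),
        dport=int(v["destination-port"]),
        tcp_flag=int(v["tcp_flag"]),
        protocol=int(v["protocol"]),
        src_as=int(v["src_AS_number"]),
        dst_as=int(v["dst_AS_number"]),
    )


def parse_flow_file(text: str) -> list[FlowRecord]:
    """Parse every non-empty line of a decompressed flow collector file."""
    return [parse_flow_record(line, n)
            for n, line in enumerate(text.splitlines(), 1) if line.strip()]


def flows_to_port(records: list[FlowRecord], protocol: int, dport: int) -> list[FlowRecord]:
    """Select flows by IP protocol number and destination port, e.g. (6, 22) for SSH."""
    return [r for r in records if r.protocol == protocol and r.dport == dport]


if __name__ == "__main__":
    for r in parse_flow_file(SAMPLE_FLOW_FILE):
        print(r.start().isoformat(), r.src, r.sport, "->", r.dst, r.dport,
              "proto", r.protocol, "flags", r.tcp_flags())
```

The sample record decodes to FIN, SYN, PSH and ACK, which is consistent with tcp_flag being the OR of the flags seen over the life of the flow rather than those of a single packet; confirm that reading against your own collector output before building detection logic on it.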

Example: Dynamic Flow Capture Configuration

The following example shows a complete dynamic flow capture configuration. On Router 1, configure the dynamic flow capture interface, the interfaces that connect to the control source and content destination, and the interface that receives passively monitored traffic. Then, configure the capture group and specify your control source and content destination requirements. Next, configure filter-based forwarding (FBF) to send monitored traffic to logical unit 1 of the dynamic flow capture interface. Finally, configure a firewall filter and routing table groups to complete the configuration.

Router 1

[edit]
interfaces {
dfc-0/0/0 { # DFC PIC that processes requests from the control source.
unit 0 {
family inet {
address 2.1.0.0/32 { # Address of the Routing Engine for the DFC PIC.
destination 10.36.100.1; # Address of DFC PIC; used by
} # the control source to communicate with the monitoring station.
}
}
unit 1 { # This logical interface receives data packets.
family inet;
}
unit 2 { # This logical interface sends out copies of matched packets.
family inet;
}
}
fe-4/1/2 { # Interface that receives filtering requests from cs1.
unit 0 {
family inet {
address 10.36.41.2/30;
}
}
}
ge-7/0/0 { # Interface that sends monitored packets to cd1.
unit 0 {
family inet {
address 10.36.70.1/30;
}
}
}
so-1/2/0 { # Interface that receives traffic to be monitored.
encapsulation ppp;
unit 0 {
passive-monitor-mode; # Enables this interface to be passively monitored.
family inet {
filter {
input catch;
}
}
}
}
}
services {
dynamic-flow-capture {
capture-group g1 {
interfaces dfc-0/0/0; # Specifies which interface to use for DFC processing.
input-packet-rate-threshold 90k; # Traffic threshold for system log messages.
pic-memory-threshold percentage 80; # Memory threshold for log messages.
control-source cs1 { # Specifies addresses and ports for the control source.
source-addresses 10.36.41.1;
service-port 2400;
notification-targets {
10.36.41.1 port 2100;
}
shared-key "$9$ASxdsYoX7wg4aHk";
allowed-destinations cd1;
}
content-destination cd1 { # Specifies content destination addresses and TTL.
address 10.36.70.2;
ttl 244;
}
}
}
}
firewall {
filter catch { # Places monitored traffic into the filter-based forwarding instance.
interface-specific;
term def {
then {
count counter;
routing-instance fbf_inst;
}
}
}
}
routing-instances {
fbf_inst { # Sends matching traffic to the DFC PIC for processing.
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop dfc-0/0/0.1;
}
}
}
}
routing-options {
interface-routes {
rib-group inet common;
}
rib-groups {
common { # Shares routes between the instance and the main routing table.
import-rib [ inet.0 fbf_inst.inet.0 ];
}
}
forwarding-table {
export pplb;
}
}

Verifying Your Work

To verify that your dynamic flow capture configuration is operating correctly, issue the following command:

show services dynamic-flow-capture control-source capture-group group-name source-identifier source-id (detail)

The following section shows the output of this command when used with the configuration example. Note that this output was captured for a control source named cs2; with the configuration above, the source identifier is cs1.

Router 1


user@router1> show services dynamic-flow-capture control-source capture-group g1 source-identifier cs2 detail
Capture group: g1, Control source: cs2
Criteria added: 1, Criteria add failed: 0
Active criteria: 2 
Static criteria: 0, Dynamic criteria: 2
Control protocol requests: 3
                    Add        Delete          List       Refresh         No-op
Requests              1             0             1             0             1
Failed                0             0             0             0             0

Add request rate: 0
Add request peak rate: 1
Bandwidth across all criteria: 0
Total notifications: 0
Restart: 0, Rollover: 0, No-op: 0, Timeout: 0, Congestion: 0, Congestion delete: 0,
Dups dropped: 0
Criteria deleted: 0
Timeout idle: 0, Timeout total: 0, Packets: 0, Bytes: 0
Sequence number: 242

To clear dynamic flow capture criteria belonging to a particular control source, issue the clear services dynamic-flow-capture command. For more information on other dynamic flow capture-related operational mode commands, see the JUNOS System Basics and Services Command Reference.


[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]