示例:在 MX 系列和 T4000 路由器上配置内联主动流监控
配置
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以便与网络配置匹配,然后将命令复制并粘贴到 [edit] 层次结构级别的 CLI 中。
配置模板属性
set services flow-monitoring version9 template template1 flow-active-timeout 120 set services flow-monitoring version9 template template1 flow-inactive-timeout 60 set services flow-monitoring version9 template template1 template-refresh-rate packets 100 set services flow-monitoring version9 template template1 template-refresh-rate seconds 600 set services flow-monitoring version9 template template1 option-refresh-rate packets 100 set services flow-monitoring version9 template template1 option-refresh-rate seconds 600 set services flow-monitoring version9 template template1 ipv4-template set services flow-monitoring version-ipfix template template-v61 flow-active-timeout 150 set services flow-monitoring version-ipfix template template-v61 flow-inactive-timeout 100 set services flow-monitoring version-ipfix template template-v61 template-refresh-rate seconds 30 set services flow-monitoring version-ipfix template template-v61 ipv6-template
配置采样实例
set forwarding-options sampling instance instance-1 input rate 1 set forwarding-options sampling instance instance-1 family inet output flow-server 10.50.1.2 port 2055 set forwarding-options sampling instance instance-1 family inet output flow-server 10.50.1.2 version9 template template1 set forwarding-options sampling instance instance-1 family inet output inline-jflow source-address 10.50.1.100 set forwarding-options sampling instance instance-1 family inet output inline-jflow flow-export-rate 10 set forwarding-options sampling instance instance-1 family inet6 output flow-server 10.50.1.2 port 2055 set forwarding-options sampling instance instance-1 family inet6 output flow-server 10.50.1.2 version-ipfix template template-v61 set forwarding-options sampling instance instance-1 family inet6 output inline-jflow source-address 10.50.1.110 set forwarding-options sampling instance instance-1 family inet6 output inline-jflow flow-export-rate 6
配置 FPC 参数
set chassis fpc 0 sampling-instance instance-1 set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 8 set chassis fpc 0 inline-services flow-table-size ipv6-flow-table-size 7
配置防火墙过滤器
set firewall family inet filter inet-sample term t1 then sample set firewall family inet filter inet-sample term t1 then accept set firewall family inet6 filter inet6-sample term t1 then sample set firewall family inet6 filter inet6-sample term t1 then accept
配置接口属性
set interfaces ge-0/0/4 unit 0 family inet filter input inet-sample set interfaces ge-0/0/4 unit 0 family inet address 10.150.1.1/24 set interfaces ge-0/1/6 unit 0 family inet6 filter input inet6-sample set interfaces ge-0/1/6 unit 0 family inet6 address 2001:db8:0:2::1/64
逐步过程
以下示例要求您在配置层次结构中的各个级别上导航。有关导航 CLI 的信息,请参阅 CLI 用户指南中的在配置模式下使用 CLI 编辑器。
-
为内联活动流监控配置模板属性。
[edit services flow-monitoring] user@router1# set version9 template template1 ipv4-template user@router1# set version9 template template1 flow-active-timeout 120 user@router1# set version9 template template1 flow-inactive-timeout 60 user@router1# set version9 template template1 template-refresh-rate packets 100 user@router1# set version9 template template1 option-refresh-rate packets 100 user@router1# set version-ipfix template template-v61 ipv6-template user@router1# set version-ipfix template template-v61 flow-active-timeout 150 user@router1# set version-ipfix template template-v61 flow-inactive-timeout 100 user@router1# set version-ipfix template template-v61 template-refresh-rate seconds 30 user@router1# set version-ipfix template template-v61 option-refresh-rate seconds 30
-
配置采样实例以实现内联主动流监控。
[edit forwarding-options sampling] user@router1# set instance instance-1 input rate 1 user@router1# set instance instance-1 family inet output flow-server 10.50.1.2 port 2055 user@router1# set instance instance-1 family inet output flow-server 10.50.1.2 version9 template template1 user@router1# set instance instance-1 family inet output inline-jflow source-address 10.50.1.100 user@router1# set instance instance-1 family inet output inline-jflow flow-export-rate 10 user@router1# set instance instance-1 family inet6 output flow-server 10.50.1.2 port 2055 user@router1# set instance instance-1 family inet6 output flow-server 10.50.1.2 version-ipfix template template-v61 user@router1# set instance instance-1 family inet6 output inline-jflow source-address 10.50.1.110 user@router1# set instance instance-1 family inet6 output inline-jflow flow-export-rate 6
注意:在您完成下一步将采样实例与 FPC 关联之前,实例将保持非活动状态,并在配置中被标记
inactive。 -
将采样实例与要对其实施内联主动流监控的 FPC 相关联,同时配置哈希表大小。
注意:在早于 12.1 的 Junos OS 版本中,当您为内联活动流监控配置 IPv4 和 IPv6 流表大小时,以下条件适用于支持向后兼容性:
-
如果不在
[edit chassis fpc slot-number inline-services]层次结构级别配置flow-table-size语句,则默认为 IPv4 流表分配 11 个 256K 条目,默认情况下,为数据包转发引擎上的 IPv6 流表分配 1 个 1K 条目。 -
如果在层次结构级别配置
ipv4-flow-table-size size语句[edit chassis fpc slot-number inline-services flow-table-size],而未在[edit chassis fpc slot-number inline-services flow-table-size]层次结构级别配置ipv6-flow-table-size size语句,则会分配您为 IPv4 流表配置的 256K 条目的单元数。对于 IPv6 流表,数据包转发引擎上分配一个 1K 条目的默认大小。 -
如果不在
ipv4-flow-table-size size[edit chassis fpc slot-number inline-services flow-table-size]层次结构级别配置语句并在层次结构级别配置ipv6-flow-table-size size语句[edit chassis fpc slot-number inline-services flow-table-size],则会分配您为 IPv6 流表配置的 256K 条目单元数。对于 IPv4 流表,数据包转发引擎上分配一个 1K 条目的默认大小。 -
如果同时配置 IPv4 和 IPv6 流表的大小,将根据您指定的大小在数据包转发引擎上创建流表。
注意:为 VPLS 流配置内联活动流监控时,请添加语句
vpls-flow-table-size。[edit chassis] user@router1# set fpc 0 sampling-instance instance-1 user@router1# set fpc 0 inline-services flow-table-size ipv4-flow-table-size 8 user@router1# set fpc 0 inline-services flow-table-size ipv6-flow-table-size 7
-
-
配置防火墙过滤器。
[edit firewall] user@router1# set family inet filter inet-sample term t1 then sample user@router1# set family inet filter inet-sample term t1 then accept user@router1# set family inet6 filter inet6-sample term t1 then sample user@router1# set family inet6 filter inet6-sample term t1 then accept
-
将上一步中配置的防火墙过滤器与要设置内联主动流监控的接口相关联。
[edit interfaces] user@router1# set ge-0/0/4 unit 0 family inet filter input inet-sample user@router1# set ge-0/0/4 unit 0 family inet address 10.150.1.1/24 user@router1# set ge-0/1/6 unit 0 family inet6 filter input inet6-sample user@router1# set ge-0/1/6 unit 0 family inet6 address 2001:db8:0:2::1/64
-
提交配置。
[edit] user@router1# commit
结果
在配置模式下,输入 show services flow-monitoring、 、 show forwarding-options samplingshow chassis fpc 0、 show firewall和show interfaces命令,以确认您的配置。如果输出未显示预期的配置,请重复示例中的说明,以更正配置。
-
show services flow-monitoringversion9 { template template1 { flow-active-timeout 120; flow-inactive-timeout 60; template-refresh-rate { packets 100; seconds 600; } option-refresh-rate { packets 100; seconds 600; } ipv4-template; } } version-ipfix { template template-v61 { flow-active-timeout 150; flow-inactive-timeout 100; template-refresh-rate { seconds 30; } ipv6-template; } } -
show forwarding-options samplinginstance { instance-1 { input { rate 1; } family inet { output { flow-server 10.50.1.2 { port 2055; version9 { template { template1; } } } inline-jflow { source-address 10.50.1.100; flow-export-rate 10; } } } family inet6 { output { flow-server 10.50.1.2 { port 2055; version-ipfix { template { template-v61; } } } inline-jflow { source-address 10.50.1.110; flow-export-rate 6; } } } } } -
show chassis fpc 0sampling-instance instance-1; inline-services { flow-table-size { ipv4-flow-table-size 8; ipv6-flow-table-size 7; } } -
show firewallfamily inet { filter inet-sample { term t1 { then { sample; accept; } } } } family inet6 { filter inet6-sample { term t1 { then { sample; accept; } } } } -
show interfaces... ge-0/1/6 { vlan-tagging; unit 0 { family inet6 { filter { input inet6-sample; } address 2001:db8:0:2::1/64; } } } ge-0/0/4 { vlan-tagging; unit 0 { family inet { filter { input inet-sample; } address 10.150.1.1/24; } } } ...
软件和硬件要求
-
MX80 以外的 MX 系列路由器
-
Junos OS 13.2 或更高版本。
注意:-
早于 13.2 的 Junos OS 版本还支持内联主动流监控。但是,此示例中讨论的部分功能在先前版本中不受支持。
-
您需要在具有 5 类 FPC 的 T4000 路由器上配置 Junos OS 14.2 或更高版本。
-
概述
借助内联主动流监控,您可以在不使用服务 DPC 的情况下配置主动采样。本主题介绍为 IPv4 和 IPv6 流启用内联活动流监控的基本配置。您还可以为 VPLS 流配置内联主动流监控。要为 VPLS 流配置内联活动流监控,必须在层次结构级别上指定family为vpls和包括vpls-template[edit services flow-monitoring version-ipfix template template-name]。