Example: Configuring Inline Active Flow Monitoring on MX Series and T4000 Routers
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Configuring Template Properties
set services flow-monitoring version9 template template1 flow-active-timeout 120
set services flow-monitoring version9 template template1 flow-inactive-timeout 60
set services flow-monitoring version9 template template1 template-refresh-rate packets 100
set services flow-monitoring version9 template template1 template-refresh-rate seconds 600
set services flow-monitoring version9 template template1 option-refresh-rate packets 100
set services flow-monitoring version9 template template1 option-refresh-rate seconds 600
set services flow-monitoring version9 template template1 ipv4-template
set services flow-monitoring version-ipfix template template-v61 flow-active-timeout 150
set services flow-monitoring version-ipfix template template-v61 flow-inactive-timeout 100
set services flow-monitoring version-ipfix template template-v61 template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template template-v61 ipv6-template
Configuring a Sampling Instance
set forwarding-options sampling instance instance-1 input rate 1
set forwarding-options sampling instance instance-1 family inet output flow-server 10.50.1.2 port 2055
set forwarding-options sampling instance instance-1 family inet output flow-server 10.50.1.2 version9 template template1
set forwarding-options sampling instance instance-1 family inet output inline-jflow source-address 10.50.1.100
set forwarding-options sampling instance instance-1 family inet output inline-jflow flow-export-rate 10
set forwarding-options sampling instance instance-1 family inet6 output flow-server 10.50.1.2 port 2055
set forwarding-options sampling instance instance-1 family inet6 output flow-server 10.50.1.2 version-ipfix template template-v61
set forwarding-options sampling instance instance-1 family inet6 output inline-jflow source-address 10.50.1.110
set forwarding-options sampling instance instance-1 family inet6 output inline-jflow flow-export-rate 6
Configuring FPC Parameters
set chassis fpc 0 sampling-instance instance-1
set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 8
set chassis fpc 0 inline-services flow-table-size ipv6-flow-table-size 7
Configuring Firewall Filters
set firewall family inet filter inet-sample term t1 then sample
set firewall family inet filter inet-sample term t1 then accept
set firewall family inet6 filter inet6-sample term t1 then sample
set firewall family inet6 filter inet6-sample term t1 then accept
Configuring Interface Properties
set interfaces ge-0/0/4 unit 0 family inet filter input inet-sample
set interfaces ge-0/0/4 unit 0 family inet address 10.150.1.1/24
set interfaces ge-0/1/6 unit 0 family inet6 filter input inet6-sample
set interfaces ge-0/1/6 unit 0 family inet6 address 2001:db8:0:2::1/64
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
- Configure the template properties for inline active flow monitoring.
    [edit services flow-monitoring]
    user@router1# set version9 template template1 ipv4-template
    user@router1# set version9 template template1 flow-active-timeout 120
    user@router1# set version9 template template1 flow-inactive-timeout 60
    user@router1# set version9 template template1 template-refresh-rate packets 100
    user@router1# set version9 template template1 option-refresh-rate packets 100
    user@router1# set version-ipfix template template-v61 ipv6-template
    user@router1# set version-ipfix template template-v61 flow-active-timeout 150
    user@router1# set version-ipfix template template-v61 flow-inactive-timeout 100
    user@router1# set version-ipfix template template-v61 template-refresh-rate seconds 30
    user@router1# set version-ipfix template template-v61 option-refresh-rate seconds 30
- Configure the sampling instance for inline active flow monitoring.
    [edit forwarding-options sampling]
    user@router1# set instance instance-1 input rate 1
    user@router1# set instance instance-1 family inet output flow-server 10.50.1.2 port 2055
    user@router1# set instance instance-1 family inet output flow-server 10.50.1.2 version9 template template1
    user@router1# set instance instance-1 family inet output inline-jflow source-address 10.50.1.100
    user@router1# set instance instance-1 family inet output inline-jflow flow-export-rate 10
    user@router1# set instance instance-1 family inet6 output flow-server 10.50.1.2 port 2055
    user@router1# set instance instance-1 family inet6 output flow-server 10.50.1.2 version-ipfix template template-v61
    user@router1# set instance instance-1 family inet6 output inline-jflow source-address 10.50.1.110
    user@router1# set instance instance-1 family inet6 output inline-jflow flow-export-rate 6
    Note: Until you complete the next step, which associates the sampling instance with an FPC, the instance remains inactive and is marked inactive in the configuration.
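- Associate the sampling instance with the FPC on which you want to implement inline active flow monitoring, and configure the hash table sizes.
    Note: In Junos OS releases earlier than 12.1, the following conditions apply, to support backward compatibility, when you configure the IPv4 and IPv6 flow table sizes for inline active flow monitoring:
    - If you do not configure the flow-table-size statement at the [edit chassis fpc slot-number inline-services] hierarchy level, 15 units of 256K entries are allocated by default to the IPv4 flow table, and 1 unit of 1K entries is allocated by default to the IPv6 flow table on the Packet Forwarding Engine.
    - If you configure the ipv4-flow-table-size size statement at the [edit chassis fpc slot-number inline-services flow-table-size] hierarchy level but do not configure the ipv6-flow-table-size size statement at that same hierarchy level, the number of 256K-entry units that you configured for the IPv4 flow table is allocated. For the IPv6 flow table, a default size of 1K entries is allocated on the Packet Forwarding Engine.
    - If you do not configure the ipv4-flow-table-size size statement at the [edit chassis fpc slot-number inline-services flow-table-size] hierarchy level but do configure the ipv6-flow-table-size size statement at that same hierarchy level, the number of 256K-entry units that you configured for the IPv6 flow table is allocated. For the IPv4 flow table, a default size of 1K entries is allocated on the Packet Forwarding Engine.
    - If you configure the sizes of both the IPv4 and IPv6 flow tables, the flow tables are created on the Packet Forwarding Engine with the sizes that you specified.
    Note: When you configure inline active flow monitoring for VPLS flows, include the vpls-flow-table-size statement.
    [edit chassis]
    user@router1# set fpc 0 sampling-instance instance-1
    user@router1# set fpc 0 inline-services flow-table-size ipv4-flow-table-size 8
    user@router1# set fpc 0 inline-services flow-table-size ipv6-flow-table-size 7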
- Configure the firewall filters.
    [edit firewall]
    user@router1# set family inet filter inet-sample term t1 then sample
    user@router1# set family inet filter inet-sample term t1 then accept
    user@router1# set family inet6 filter inet6-sample term t1 then sample
    user@router1# set family inet6 filter inet6-sample term t1 then accept
- Associate the firewall filters configured in the previous step with the interfaces on which you want to set up inline active flow monitoring.
    [edit interfaces]
    user@router1# set ge-0/0/4 unit 0 family inet filter input inet-sample
    user@router1# set ge-0/0/4 unit 0 family inet address 10.150.1.1/24
    user@router1# set ge-0/1/6 unit 0 family inet6 filter input inet6-sample
    user@router1# set ge-0/1/6 unit 0 family inet6 address 2001:db8:0:2::1/64
- Commit the configuration.
    [edit]
    user@router1# commit
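The steps above are tied together by name: the flow server references a template, the FPC references the sampling instance, and the interface references the sampling filter. The following Python check is an added example, not part of the original documentation or of Junos tooling; it recognizes only the statement forms used in this example, and the names audit, PATTERNS and SAMPLE are chosen here for illustration.

```python
import re

# Only the statement forms that appear in this example are recognized.
PATTERNS = {
    "tmpl_def": r"set services flow-monitoring (version9|version-ipfix) template (\S+)",
    "tmpl_use": r"set forwarding-options sampling instance \S+ family \S+ output "
                r"flow-server \S+ (version9|version-ipfix) template (\S+)",
    "instance": r"set forwarding-options sampling instance (\S+)",
    "fpc_bind": r"set chassis fpc \d+ sampling-instance (\S+)",
    "flt_sample": r"set firewall family (\S+) filter (\S+) term \S+ then sample$",
    "flt_apply": r"set interfaces \S+ unit \d+ family (\S+) filter input (\S+)",
}

# Constructed sample: the cross-referencing lines of the quick configuration.
SAMPLE = """\
set services flow-monitoring version9 template template1 ipv4-template
set services flow-monitoring version-ipfix template template-v61 ipv6-template
set forwarding-options sampling instance instance-1 family inet output flow-server 10.50.1.2 version9 template template1
set forwarding-options sampling instance instance-1 family inet6 output flow-server 10.50.1.2 version-ipfix template template-v61
set chassis fpc 0 sampling-instance instance-1
set firewall family inet filter inet-sample term t1 then sample
set firewall family inet6 filter inet6-sample term t1 then sample
set interfaces ge-0/0/4 unit 0 family inet filter input inet-sample
set interfaces ge-0/1/6 unit 0 family inet6 filter input inet6-sample
"""

def audit(config):
    """Return findings for broken name references in a set-format configuration."""
    found = {name: set() for name in PATTERNS}
    for line in config.splitlines():
        for name, rx in PATTERNS.items():
            m = re.match(rx, line.strip())
            if m:
                found[name].add(m.groups())
    out = []
    for (inst,) in sorted(found["instance"] - found["fpc_bind"]):
        out.append(f"sampling instance {inst} is not bound to an FPC, so it stays inactive")
    for (inst,) in sorted(found["fpc_bind"] - found["instance"]):
        out.append(f"FPC references undefined sampling instance {inst}")
    for ver, tmpl in sorted(found["tmpl_use"] - found["tmpl_def"]):
        out.append(f"{ver} template {tmpl} is exported but not defined")
    for fam, flt in sorted(found["flt_sample"] - found["flt_apply"]):
        out.append(f"{fam} filter {flt} samples but is applied to no interface")
    return out

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no broken references"]:
        print(finding)
```

Feed it the output of the configuration in set format; an empty result means every name used by one stanza is defined in another.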
Results
From configuration mode, confirm your configuration by entering the show services flow-monitoring, show forwarding-options sampling, show chassis fpc 0, show firewall, and show interfaces commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
- show services flow-monitoring
    version9 {
        template template1 {
            flow-active-timeout 120;
            flow-inactive-timeout 60;
            template-refresh-rate {
                packets 100;
                seconds 600;
            }
            option-refresh-rate {
                packets 100;
                seconds 600;
            }
            ipv4-template;
        }
    }
    version-ipfix {
        template template-v61 {
            flow-active-timeout 150;
            flow-inactive-timeout 100;
            template-refresh-rate {
                seconds 30;
            }
            ipv6-template;
        }
    }
- show forwarding-options sampling
    instance {
        instance-1 {
            input {
                rate 1;
            }
            family inet {
                output {
                    flow-server 10.50.1.2 {
                        port 2055;
                        version9 {
                            template {
                                template1;
                            }
                        }
                    }
                    inline-jflow {
                        source-address 10.50.1.100;
                        flow-export-rate 10;
                    }
                }
            }
            family inet6 {
                output {
                    flow-server 10.50.1.2 {
                        port 2055;
                        version-ipfix {
                            template {
                                template-v61;
                            }
                        }
                    }
                    inline-jflow {
                        source-address 10.50.1.110;
                        flow-export-rate 6;
                    }
                }
            }
        }
    }
- show chassis fpc 0
    sampling-instance instance-1;
    inline-services {
        flow-table-size {
            ipv4-flow-table-size 8;
            ipv6-flow-table-size 7;
        }
    }
- show firewall
    family inet {
        filter inet-sample {
            term t1 {
                then {
                    sample;
                    accept;
                }
            }
        }
    }
    family inet6 {
        filter inet6-sample {
            term t1 {
                then {
                    sample;
                    accept;
                }
            }
        }
    }
- show interfaces
    ...
    ge-0/1/6 {
        vlan-tagging;
        unit 0 {
            family inet6 {
                filter {
                    input inet6-sample;
                }
                address 2001:db8:0:2::1/64;
            }
        }
    }
    ge-0/0/4 {
        vlan-tagging;
        unit 0 {
            family inet {
                filter {
                    input inet-sample;
                }
                address 10.150.1.1/24;
            }
        }
    }
    ...
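Software and Hardware Requirements
- MX Series routers other than MX80
- Junos OS Release 13.2 or later.
Note:
- Junos OS releases earlier than 13.2 also support inline active flow monitoring. However, some of the features discussed in this example are not supported on the earlier releases.
- You need Junos OS Release 14.2 or later to configure inline active flow monitoring on T4000 routers with Type 5 FPCs.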
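Overview
Inline active flow monitoring lets you configure active sampling without using a services DPC. This topic describes the basic configuration for enabling inline active flow monitoring for IPv4 and IPv6 flows. You can also configure inline active flow monitoring for VPLS flows. To configure inline active flow monitoring for VPLS flows, you must specify the family as vpls and include the vpls-template statement at the [edit services flow-monitoring version-ipfix template template-name] hierarchy level.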