Example: Configuring Flow Monitoring on an MX Series Router with MS-MIC and MS-MPC

 

This example shows how you can configure Junos Traffic Vision for flow monitoring on an MX Series router with an MS-MIC or MS-MPC.

Hardware and Software Requirements

This example requires an MX Series router that has:

  • Junos OS Release 13.2 running on it.

  • An MS-MIC installed in it.

Junos Traffic Vision Support on MS-MIC and MS-MPC

Junos Traffic Vision (previously known as Jflow) is the accounting service that is available on the MS-MIC and MS-MPC. Junos Traffic Vision enables users to keep track of the packets received on the MS-MIC or MS-MPC and to generate flow records that contain information such as the source address of the packet, the destination address of the packet, packet and byte counts, and so on. The Junos Traffic Vision implementation does not interrupt the traffic. Instead, it makes a copy of the incoming packet and sends that copy to the services interface card, which analyzes the information and maintains the record.

Starting with Release 13.2, the Junos OS extension-provider packages come preinstalled on a multiservices MIC and MPC (MS-MIC and MS-MPC). The adaptive-services configuration at the [edit chassis fpc number pic number] hierarchy level is preconfigured on these cards.

Before you configure Junos Traffic Vision on an MS-MIC or an MS-MPC, you must create a firewall filter that has sample configured as the action, and apply that filter to the interface on which you want to monitor the traffic. The flow collector in Junos Traffic Vision implementations is a device that collects the flow records. The flow collector is typically deployed outside the network.

Note

For more information about configuring firewall filters, see the Junos OS Firewall Filters Configuration Guide.

On MS-MIC and MS-MPC, Junos OS supports Junos Traffic Vision Version 9 (v9). Junos Traffic Vision v9 supports sampling of IPv4, IPv6, and MPLS traffic. A services interface card is essential for the v9 implementation, and hence this is often known as PIC-based monitoring.

You can configure the maximum time for which the flow records are stored on the services interface card. The active timeout and inactive timeout values, configured while defining the template, control the export of flow records to the collector. An MS-MIC can store a maximum of 14 million flow records, whereas an MS-MPC can store up to 30 million flows per NPU.

Note

In Junos Traffic Vision configurations using the Junos OS extension-provider package, modifying the following statements after flow monitoring has been initiated causes all existing flows to expire:

  • At the [edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output] and [edit forwarding-options sampling family (inet | inet6 | mpls) output] hierarchy levels:

    • flow-server ip-address

    • flow-server port port-number

    • flow-server template template

  • At the [edit services flow-monitoring version9 template template-name mpls-ipv4-template] and [edit services flow-monitoring version9 template template-name mpls-template] hierarchy levels:

    • label-position

Because these changes can disrupt ongoing flow monitoring, we recommend that you do not change these values after flow monitoring has been initiated on a device. Changes made to these configuration statements while flow monitoring is in progress apply only to newly created flows.

Also, note that these changes do not disrupt flow monitoring on devices running Jflow configuration using the Junos OS Layer 2 services package. However, even in the case of Layer 2 service package-based configuration, the changes are applied only to the newly created flows. The existing flows continue to use the initial settings.

Note

When Junos Traffic Vision is configured on the MS-MIC and MS-MPC, the next-hop address and outgoing interfaces are incorrectly displayed in the IPv4 and IPv6 flow records when the destination of the sampled flow is reachable through multiple paths.

Configuring Flow Monitoring on MS-MIC

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Note

You can follow the same procedure and use the same configuration for configuring flow monitoring on MS-MPC.

Enabling the Services Interface Card

Configuring the Template and Timers

Configuring Service Set Properties

Configuring Forwarding Options and Flow Server Settings

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Configure the services interface.
  2. Configure the template properties and the export policy timers.

    Table 1: Quick Reference to Key Configuration Statements at This Hierarchy Level

    | Configuration Statement | Description |
    | --- | --- |
    | flow-active-timeout | Configures the interval (in seconds) after which an active flow is exported. Range is 10 through 600 seconds, and the default value is 60 seconds. |
    | flow-inactive-timeout | Configures the interval (in seconds) of inactivity after which a flow is marked inactive. Range is 10 through 600 seconds, and the default value is 60 seconds. |
    | ipv4-template \| ipv6-template \| mpls-template \| mpls-ipv4-template | Specifies the type of traffic for which the template is used. |
    | template-refresh-rate | Specifies the template refresh rate either as number of packets (range is 1 through 480,000 and the default value is 4800) or in seconds (the range is 10 through 600 and the default is 60). Because the communication between the flow generator and the flow collector is one-way, the flow generator has to regularly send updates about template definitions to the flow collector. The value configured for this statement controls the frequency of such updates. |
    | option-refresh-rate | Specifies the option refresh rate either as number of packets (range is 1 through 480,000 and the default value is 4800) or in seconds (the range is 10 through 600 and the default is 60). |

  3. Configure service set properties.

    Table 2: Quick Reference to Configuration Statements at This Hierarchy Level

    | Configuration Statement | Description |
    | --- | --- |
    | sampling | Configures the service set to handle sampling/flow monitoring activities. |
    | service-interface | Specifies the service interface associated with the service set. The interface configured here should match the interface configured at the [edit forwarding-options sampling family inet output] hierarchy level. Also, note that the interface should not be associated with any other service set. |

  4. Configure forwarding options and flow-server properties.
    Note

    You can specify the sampling parameters either at the global level (as shown in this example) or at the FPC level by defining a sampling instance. To define a sampling instance, include the instance statement at the [edit forwarding-options sampling] hierarchy level, and the sampling-instance statement at the [edit chassis fpc number] hierarchy level to associate the sampling instance with an FPC. Under the [edit forwarding-options sampling instance instance] hierarchy level, you must also include the input and output configurations explained in this step.

    Table 3: Quick Reference to Key Configuration Statements at this Hierarchy Level

    | Configuration Statement | Description |
    | --- | --- |
    | rate | The ratio of the number of packets to be sampled. For example, if you specify a rate of 10, every tenth packet (1 packet out of 10) is sampled. The range is 1 through 16000000 (16M). |
    | run-length | The number of samples following the initial trigger event. This enables you to sample packets following those already being sampled. The range is 0 through 20, and the default is 0. |
    | flow-server | A host system to collect sampled flows using the version 9 format. |
    | source-address | An IPv4 address to be used as the source address of the exported packet. |

Result

From the configuration mode, confirm your configuration by entering the show chassis fpc 2, show interfaces, and show forwarding-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
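The template-refresh-rate description in step 2 notes that export is one-way, so a collector can decode flow data only after a template definition has reached it. The following Python collector fragment is an added example, not Juniper code: it assumes the version 9 export follows the NetFlow v9 packet layout of RFC 3954, and the function names, addresses, and packets are constructed for illustration.

```python
import socket
import struct

NAMES = {1: "bytes", 2: "packets", 8: "src", 12: "dst"}  # RFC 3954 field types (subset)

def feed(templates, packet):
    """Process one export packet; return (records, undecodable data FlowSets)."""
    version, _n, _up, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet)
    if version != 9:
        raise ValueError("not a version 9 export packet")
    records, skipped, off = [], 0, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        body, off, pos = packet[off + 4:off + fs_len], off + fs_len, 0
        while fs_id == 0 and pos + 4 <= len(body):    # template FlowSet
            tid, n = struct.unpack_from("!HH", body, pos)
            if tid < 256 or pos + 4 + 4 * n > len(body):
                break                                 # padding or truncated entry
            templates[(source_id, tid)] = list(
                struct.iter_unpack("!HH", body[pos + 4:pos + 4 + 4 * n]))
            pos += 4 + 4 * n
        if fs_id < 256:
            continue                                  # options FlowSets are ignored
        fields = templates.get((source_id, fs_id), [])
        size = sum(length for _, length in fields)
        if size == 0:
            skipped += 1                              # no template cached yet
            continue
        for pos in range(0, len(body) - size + 1, size):
            rec = {}
            for ftype, length in fields:
                raw, pos = body[pos:pos + length], pos + length
                rec[NAMES.get(ftype, ftype)] = (socket.inet_ntoa(raw) if ftype in (8, 12)
                                                and length == 4 else int.from_bytes(raw, "big"))
            records.append(rec)
    return records, skipped

# Constructed sample: header (source ID 1), template 256 = src, dst, packets,
# bytes (4 bytes each), and one data record that uses that template.
HEADER = struct.pack("!HHIIII", 9, 1, 1000, 1700000000, 1, 1)
TEMPLATE = struct.pack("!HHHH8H", 0, 24, 256, 4, 8, 4, 12, 4, 2, 4, 1, 4)
DATA = struct.pack("!HH4s4sII", 256, 20, socket.inet_aton("192.0.2.10"),
                   socket.inet_aton("198.51.100.7"), 12, 3400)

def demo():
    cache = {}
    before = feed(cache, HEADER + DATA)      # data arrives before any template
    feed(cache, HEADER + TEMPLATE)           # periodic template refresh
    return before, feed(cache, HEADER + DATA)
```

A collector that starts, or loses its cache, between refreshes drops every data FlowSet until the next template arrives, so the refresh interval bounds the gap in decoded flow records.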

Verification

Confirm that the configuration is working properly.

Verifying the Junos Traffic Vision Configuration

Purpose

Verify that Junos Traffic Vision is enabled on the router.

Action

From operational mode, enter the show services accounting status command.

user@router1> show services accounting status

Meaning

Shows the service interface on which monitoring is configured, and also provides information about the export format used (version 9 in this case).

Viewing the Flow Details

Purpose

View the flow details on the interface configured for flow monitoring.

Action

From operational mode, enter the show services accounting flow command.

user@router1> show services accounting flow

Viewing Details of Errors That Occurred on the Services Interface

Purpose

View details of errors, if any, on the interface that is configured for flow monitoring.

Action

From operational mode, enter the show services accounting errors command.

user@router1> show services accounting errors