Example: Configuring Flow Monitoring on an MX Series Router with MS-MIC and MS-MPC
This example shows how you can configure Junos Traffic Vision for flow monitoring on an MX Series Router with MS-MIC and MS-MPC, and contains the following sections:
Hardware and Software Requirements
This example requires an MX Series router that has:
Junos OS Release 13.2 running on it.
An MS-MIC installed in it.
Junos Traffic Vision Support on MS-MIC and MS-MPC
Junos Traffic Vision (previously known as Jflow) is the accounting service that is available on the MS-MIC and MS-MPC. Junos Traffic Vision enables users to keep track of the packets received on the MS-MIC or MS-MPC and to generate flow records that contain information such as the source address of the packet, the destination address of the packet, packets and byte counts, and so on. Junos Traffic Vision implementation does not interrupt the traffic, instead it makes a copy of the incoming packet and sends that copy to the service interface card for analyzing the information and maintaining the record.
Starting with Release 13.2, the Junos OS extension-provider packages come preinstalled on a multiservices MIC and MPC (MS-MIC and MS-MPC). The adaptive-services configuration at the [edit chassis fpc number pic number] hierarchy level is preconfigured on these cards.
Before you configure Junos Traffic Vision on an MS-MIC or an MS-MPC, you must create a firewall filter that has sample configured as action, and apply that to the interface on which you want to monitor the traffic. The flow-collector in Junos Traffic Vision implementations is a device for collecting the flow records. The flow collector is typically deployed outside the network.
For more information about configuring firewall filters, see the Junos OS Firewall Filters Configuration Guide.
On MS-MIC and MS-MPC, Junos OS supports Junos Traffic Vision Version 9 (v9). Junos Traffic Vision v9 supports sampling of IPv4, IPv6, and MPLS traffic. A services interface card is essential for the v9 implementation, and hence this is often known as PIC-based monitoring.
You can configure the maximum time for which the flow records are stored on the services interface card. The active timeout and inactive timeout values, configured while defining the template, control the export of flow records to the collector. An MS-MIC can store a maximum of 14 million flow records, whereas an MS-MPC can store upto 30 million flows per NPU.
In Junos Traffic Vision configurations using the Junos OS extension-provider package, modifying the following statements after flow monitoring has been initiated causes all existing flows to expire:
At the [edit forwarding-options sampling instance instance-name family (inet |inet6 |mpls) output] and [edit forwarding-options sampling family (inet |inet6 |mpls) output] hierarchy levels:
flow-server port port-number
flow-server template template
At the [edit services flow-monitoring version9 template template-name mpls-ipv4-template] and [edit services flow-monitoring version9 template template-name mpls-template] hierarchy levels:
Because these changes can disrupt the ongoing flow monitoring, we recommend that you do not change these values after flow monitoring has been initiated on a device. The changes made to these configuration statements when flow monitoring is going on, apply only to the newly created flows.
Also, note that these changes do not disrupt flow monitoring on devices running Jflow configuration using the Junos OS Layer 2 services package. However, even in the case of Layer 2 service package-based configuration, the changes are applied only to the newly created flows. The existing flows continue to use the initial settings.
When Junos Traffic Vision is configured on the MS-MIC and MS-MPC, the next-hop address and outgoing interfaces are incorrectly displayed in the IPv4 and IPv6 flow records when the destination of the sampled flow is reachable through multiple paths.
Configuring Flow Monitoring on MS-MIC
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the  hierarchy level.
You can follow the same procedure and use the same configuration for configuring flow monitoring on MS-MPC.
Enabling the Services Interface Card
Configuring the Template and Timers
Configuring Service Set Properties
Configuring Forwarding Options and Flow Server Settings
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
- Configure the services interface.[edit interfaces]user@router1# set interfaces ms-2/0/0 unit 0 family inetuser@router1# set interfaces ms-2/0/0 unit 1 family inet6user@router1# set interfaces ms-2/0/0 unit 2 family mpls
- Configure the template properties and the export policy
timers. [edit services]user@router1# set flow-monitoring version9 template template1user@router1# set flow-monitoring version9 template template1 flow-active-timeout 120user@router1# set flow-monitoring version9 template template1 flow-inactive-timeout 60user@router1# set flow-monitoring version9 template template1 ipv4-templateuser@router1# set flow-monitoring version9 template template1 template-refresh-rate packets 100user@router1# set flow-monitoring version9 template template1 template-refresh-rate seconds 600user@router1# set flow-monitoring version9 template template1 option-refresh-rate packets 100user@router1# set flow-monitoring version9 template template1 option-refresh-rate seconds 600
Table 1: Quick Reference to Key Configuration Statements at This Hierarchy Level
Configures the interval (in seconds) after which an active flow is exported.
Range is 10 through 600 seconds, and the default value is 60 seconds.
Configures the interval (in seconds) of inactivity after which a flow is marked inactive.
Range is 10 through 600 seconds, and the default value is 60 seconds.
ipv4-template | ipv6-template | mpls-template | mpls-ipv4-template
Specifies the type of traffic for which the template is used for.
Specifies the template refresh rate either as number of packets (range is 1 through 480,000 and the default value is 4800) or in seconds (the range is 10 through 600 and the default is 60).
Because the communication between the flow generator and the flow collector is a one-way communication, the flow generator has to regularly send updates about template definitions to the flow collector. The value configured for this statement controls the frequency of such updates.
Specifies the option refresh rate either as number of packets (range is 1 through 480,000 and the default value is 4800) or in seconds (the range is 10 through 600 and the default is 60).
- Configure service set properties. [edit services]user@router1# set service-set ss1 jflow-rules samplinguser@router1# set service-set ss1 sampling-service service-interface ms-2/0/0.0
Table 2: Quick Reference to Configuration Statements at This Hierarchy Level
Configures the service set to handle sampling/flow monitoring activities.
Specifies the service interface associated with the service set.
The interface configured here should match the interface configured at the [edit forwarding-options sampling family inet output]. Also, note that the interface should not be associated with any other service set.
- Configure forwarding options and flow-server properties. [edit forwarding-options]user@router1# set sampling input rate 10user@router1# set sampling input run-length 18user@router1# set sampling family inet output flow-server 10.44.4.3 port 1055user@router1# set sampling family inet output flow-server 10.44.4.3 version9 template template1user@router1# set sampling family inet output interface ms-2/0/0.0 source-address 203.0.113.1
You can specify the sampling parameters either at the global level (as shown in this example) or at the FPC level by defining a sampling instance. To define a sampling instance, include the instance statement at the [edit forwarding-options sampling] hierarchy level, and the sampling-instance statement at the [edit chassis fpc number] hierarchy level to associate the sampling instance with an FPC. Under the [edit forwarding-options sampling instance instance] hierarchy level, you must also include the input and output configurations explained in this step.
Table 3: Quick Reference to Key Configuration Statements at this Hierarchy Level
The ratio of the number of packets to be sampled. For example, if you specify a rate of 10, every tenth packet (1 packet out of 10) is sampled.
The range is 1 through 16000000(16M).
The number of samples following the initial trigger event. This enables you to sample packets following those already being sampled.
The range is 0 through 20, and the default is 0.
A host system to collect sampled flows using the version 9 format.
An IPv4 address to be used as the source address of the exported packet.
From the configuration mode, confirm your configuration by entering the show chassis fpc 2, show interfaces, and show forwarding-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
Confirm that the configuration is working properly.
Verifying the Junos Traffic Vision Configuration
Verify that Junos Traffic Vision is enabled on the router.
From operational mode, enter the show services accounting status command.
user@router1> show services accounting status
Service Accounting interface: ms-2/0/0 Export format: 9, Route record count: 2093 IFL to SNMP index count: 35, AS count: 2 Configuration set: Yes, Route record set: Yes, IFL SNMP map set: Yes
Shows the service interface on which monitoring is configured, and also provides information about the export format used (version 9 in this case).
Viewing the Flow Details
View the flow details on the interface configured for flow monitoring.
From operational mode, enter the show services accounting flow command.
user@router1> show services accounting flow
Flow information Service Accounting interface: ms-2/0/0, Local interface index: 229 Flow packets: 220693, Flow bytes: 24276230 Flow packets 10-second rate: 99, Flow bytes 10-second rate: 10998 Active flows: 10, Total flows: 12 Flows exported: 199, Flows packets exported: 718 Flows inactive timed out: 2, Flows active timed out: 199
Viewing Details of Errors That Occurred on the Services Interface
View details of errors, if any, on the interface that is configured for flow monitoring.
From operational mode, enter the show services accounting errors command.
user@router1> show services accounting errors
Error information Service Accounting interface: ms-2/0/0 Service sets dropped: 0, Active timeout failures: 0 Export packet failures: 0, Flow creation failures: 0 Memory overload: No