Verifying Active Flow Monitoring Version 9

Note: The verification steps shown for active flow monitoring are linked to multiple configuration examples and do not exactly match the configuration of any single example.

Verify the operation of active flow monitoring by doing the following:

Verifying That Active Flow Monitoring Is Working

Purpose

Verify that active flow monitoring is working.

Action

To verify that active flow monitoring is working, use the show services accounting flow command.

user@host> show services accounting flow
  Flow information
    Service Accounting interface: sp-0/0/0, Local interface index: 149       
    Flow packets: 87168293, Flow bytes: 5578770752
    Flow packets 10-second rate: 45762, Flow bytes 10-second rate: 2928962
    Active flows: 1000, Total flows: 2000
    Flows exported: 19960, Flows packets exported: 582
    Flows inactive timed out: 1000, Flows active timed out: 29000

Meaning

The output shows that active flows exist and that flow packets are being exported. This indicates that flow monitoring is working. If flow monitoring is not working, verify that the services PIC is present in the chassis and is operational.

Verifying That the Services PIC Is Operational for Active Flow Monitoring

Purpose

Verify that the services PIC configured for active flow monitoring is present in the chassis and is operational.

Action

To verify that the services PIC is operational, use the show chassis hardware command.

user@host> show chassis hardware
Item             Version  Part number  Serial number     Description
Chassis                                JN108DA32AEA      M120
Midplane         REV 04   710-018041   RC2209            M120 Midplane
FPM Board        REV 06   710-011407   DM3120            M120 FPM Board
FPM Display      REV 02   710-011405   DN1536            M120 FPM Display
FPM CIP          REV 05   710-011410   DK5856            M120 FPM CIP
PEM 0            Rev 04   740-011936   001830            AC Power Entry Module
Routing Engine 0 REV 07   740-014080   1000743523        RE-A-1000
Routing Engine 1 REV 07   740-014080   1000743527        RE-A-1000
CB 0             REV 09   710-011403   DP4953            M120 Control Board
CB 1             REV 09   710-011403   DP5107            M120 Control Board
FPC 3            REV 03   710-015835   DL6175            M120 FPC Type 1
  PIC 0          REV 12   750-003033   RF2269            4x OC-3 SONET, MM
  PIC 1          REV 13   750-012266   DL3620            4x 1GE(LAN), IQ2
    Xcvr 0       REV 01   740-013111   8154851           SFP-T
    Xcvr 1       REV 01   740-013111   8154691           SFP-T
    Xcvr 2       REV 01   740-013111   8142743           SFP-T
    Xcvr 3       REV 01   740-013111   8142607           SFP-T
  PIC 2          REV 11   750-005727   RH2029            2x OC-3 ATM-II IQ, MM
  PIC 3          REV 14   750-002911   RH0523            4x F/E, 100 BASE-TX
  Board B        REV 03   710-017980   DN2163            M120 FPC Mezz Board
FPC 4            REV 02   710-015835   DN1923            M120 FPC Type 1
  PIC 0          REV 12   750-014884   DH2850            MultiServices 100
  PIC 1          REV 13   750-014884   DZ9927            MultiServices 100
  PIC 2          REV 13   750-023755   XN9363            4x CHOC3 SONET CE SFP
    Xcvr 0       REV 01   740-012434   6455242           SFP-SR
~
~
~
  Board B        REV 03   710-017980   DN2155            M120 FPC Mezz Board
FEB 3            REV 06   710-015795   DN8222            M120 FEB
FEB 4            REV 06   710-015795   DP2649            M120 FEB
Fan Tray 0                                               Front Top Fan Tray
Fan Tray 1                                               Front Bottom Fan Tray

Meaning

The output shows that PIC 0 under FPC 4 is a Multiservices PIC that has completed booting and is operational. If the PIC is operational but flow monitoring is not working, verify that sampling is enabled on the media interface on which traffic flow is expected and that the sampling filter direction is correct.

Verifying That Sampling Is Enabled and the Filter Direction Is Correct for Active Flow Monitoring

Purpose

Verify that sampling is enabled on the media interface on which traffic flow is expected and that the sampling filter direction is correct.

Action

To verify that sampling is enabled on the media interface on which traffic flow is expected and that the sampling filter direction is correct, use the show interfaces interface-name extensive | grep filters command.

user@host> show interfaces fe-3/3/2 extensive | grep filters
    CAM destination filters: 4, CAM source filters: 0
      Input Filters: ipv4_sample_filter
      Input Filters: ipv6_sample_filter
      Input Filters: mpls_sample_filter

Meaning

The command output shows that the sample filter is applied to the media interface on which traffic flow is expected (fe-3/3/2) and that the sampling filter direction is Input. If the PIC is operational and the filters are correct but flow monitoring is not working, verify that the sampling instance is applied to the FPC where the media interface resides.

Tip: If a firewall filter is used to enable sampling, add a counter as an action in the firewall filter. Then, verify if the counter is incrementing. If the counter is incrementing, it confirms that the traffic is present and that the filter direction is correct.

Verifying That the Sampling Instance Is Applied to the Correct FPC for Active Flow Monitoring

Purpose

Verify that the sampling instance is applied to the FPC where the media interface resides.

Action

To verify that the sampling instance Is applied to the correct FPC, use the show configuration chassis command.

user@host> show configuration chassis

Meaning

The output shows that the sampling instance is applied to the correct FPC. If the PIC is operational, the filters are correct, and the sampling instance is applied to the correct FPC but flow monitoring is not working, verify that the route record set of data is being created.

Verifying That the Route Record Is Being Created for Active Flow Monitoring

Purpose

Verify that the route record set of data is being created.

Action

To verify that the route record set of data is being created, use the show services accounting status command.

user@host> show services accounting status
Service Accounting interface: sp-4/0/0
  Export format: 9, Route record count: 40
  IFL to SNMP index count: 11, AS count: 1
  Configuration set: Yes, Route record set: Yes, IFL SNMP map set: Yes
  Route record set: Yes, IFL SNMP map set: Yes

Meaning

The output shows that the Route record set field is set to Yes. This confirms that the route record set is created.

Tip: If the route record set field is set to no, the record might not have been downloaded yet. Wait for 60-100 seconds and check again. If the route record is still not created, verify that the sampling process is running, that the connection between the PIC and the process is operational, and that the PIC memory is not overloaded.

Verifying That the Sampling Process Is Running for Active Flow Monitoring

Purpose

Verify that the sampling process is running.

Action

To verify that the sampling process is running, use the show system processes extensive | grep sampled command.

user@host> show system processes extensive | grep sampled
PID USERNAME  THR PRI NICE   SIZE   RES   STATE    TIME   WCPU   COMMAND
1581 root     1   1   111    5660K  5108K select   0:00  0.00%   sampled

Meaning

The output shows that sampled is listed as a running system process. In addition to verifying that the process is running, verify that the TCP connection between the sampled process and the services PIC is operational.

Verifying That the TCP Connection Is Operational for Active Flow Monitoring

Purpose

Verify that the TCP connection between the sampled process and the services PIC is operational.

Action

To verify that the TCP connection is operational, use the show system connections inet | grep 6153 command.

user@host> show system connections inet | grep 6153
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
~
~
~
tcp        0      0  128.0.0.1.6153       128.0.2.17.11265    ESTABLISHED
tcp4       0      0  *.6153                 *.*                    LISTEN

Meaning

The output shows that the TCP connection between the sampled process socket (6153) and the services PIC (128.0.0.1) is ESTABLISHED. In addition to verifying that the TCP connection between the sampled process and the services PIC is operational, verify that the services PIC memory is not overloaded.

Tip: If the TCP connection between the sampled process and the services PIC is not established, restart the sampled process by using the restart sampling command.

Verifying That the Services PIC Memory Is Not Overloaded for Active Flow Monitoring

Purpose

Verify that the services PIC memory is not overloaded.

Action

To verify that the services PIC memory is not overloaded, use the show services accounting errors command.

user@host> show services accounting errors
Service Accounting interface: sp-4/0/0, Local interface index: 542
Service name: (default sampling)
~
~
~  Error information
    Service sets dropped: 0, Active timeout failures: 0
    Export packet failures: 0, Flow creation failures: 0
    Memory overload: No

Meaning

The output shows that the memory overload field is set to No, indicating that the PIC memory is not overloaded. As a final check that active flow monitoring is working, verify that the flow collector is reachable.

Verifying That the Active Flow Monitoring Flow Collector Is Reachable

Purpose

Verify that flow collector is reachable by using the ping command.

Action

user@host> ping 100.1.1.2
PING 100.1.1.2 (100.1.1.2): 56 data bytes
64 bytes from 100.1.1.2: icmp_seq=0 ttl=64 time=0.861 ms
64 bytes from 100.1.1.2: icmp_seq=1 ttl=64 time=0.869 ms
64 bytes from 100.1.1.2: icmp_seq=2 ttl=64 time=0.786 ms
^C
--- 4.4.4.4 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.786/0.839/0.869/0.037 ms

Meaning

The output shows 0% packet loss indicating that the flow collector can be reached.

Tip: Verify that the flow collector is reachable through the media interface and is not being reached through the fxp0 Ethernet management interface.