Hardware and Software Considerations

There are several hardware and software considerations when you implement passive flow monitoring. When defining the hardware requirements of the monitoring station, keep in mind the following:

• The input interfaces on the monitoring station must be SONET/SDH interfaces (OC3, OC12, or OC48), ATM2 IQ interfaces (OC3 or OC12), 4-port Fast Ethernet interfaces, Gigabit Ethernet interfaces with SFP (4-port or 10-port), or 1-port 10-Gigabit Ethernet interfaces with XENPAK.
• To monitor the flows in both directions for a single interface, the monitoring station must have two SONET/SDH, ATM2 IQ, or Ethernet-based receive ports, one for each direction of flow. In Figure 41, the monitoring station needs one port to monitor the traffic flowing from Router 1 to Router 2, and a second port to monitor the traffic flowing from Router 2 to Router 1.
• The Monitoring Services PICs must be installed in a Type 1 enhanced FPC slot.
• Type 1 and Type 2 Tunnel Services PICs are supported.
• Use an ES PIC to encrypt the flow export.

When defining a traffic monitoring strategy, keep in mind the following:

• The monitoring station collects only IPv4 packets. All other packet formats are discarded and not counted.
• You can set the amount of time a data flow can be inactive before the monitoring station terminates the flow and exports the flow data. To set the timer, include the flow-inactive-timeout statement at the [edit forwarding-options monitoring group-name family inet output] hierarchy level. The timer value can be from 15 seconds through 1800 seconds, with a default value of 60 seconds.

You can also configure the monitoring station to collect periodic flow reports for flows that last longer than the configured active timeout. To set this activity timer, include the flow-active-timeout statement at the [edit forwarding-options monitoring group-name family inet output] hierarchy level. The timer value can be from 60 seconds through 1800 seconds, with a default value of 180 seconds.

• Multiple expired flows are exported together, if possible. A UDP packet is sent when one of the following conditions is met:
  • When 30 flows are contained in the current packet, the flows are exported.
  • If there are fewer than 30 flows but the export timer expires, the flows are exported one second after the timer expires.
• TCP and UDP flows are considered differently:
  • TCP flows watch for a segment containing the FIN bit and a subsequent acknowledgement (ACK) to detect the end of a flow. Alternately, a TCP reset (RST) can also indicate the end of a flow. When these TCP combinations are detected, the flow expires. The FIN+ACK and RST cases cover most TCP stream closures. For all other flows, an inactive timeout is needed.
  • All non-TCP flows, such as UDP, depend on timeout mechanisms for export.
• The default MTU value for SONET/SDH interfaces is 4474 bytes; for Gigabit Ethernet and Fast Ethernet interfaces, it is 1500 bytes. If the monitoring station receives packets exceeding 4474 bytes, they are discarded; no fragmentation is performed. Note that the supported MTU size on the Gigabit Ethernet or Fast Ethernet PICs might exceed 1500 bytes, depending on the type of PIC.
• Any incoming traffic that is discarded is not forwarded to packet analyzers.
• The interfaces on the monitoring station that collect intercepted traffic must be configured with Cisco HDLC or PPP encapsulation.
• You must always use a standard interface (for example, one that follows the usual interface-name-fpc/pic/slot format) to send flow records to a flow server. Flow data generated by the Monitoring Services or Monitoring Services II PICs will not be delivered to the server across the fxp0 interface.
• You can send version 5 records to multiple flow servers. You can configure up to eight servers and flow traffic is load-balanced between the servers in a round-robin fashion. If one of the servers ceases operation, flow traffic load-balances automatically between the remaining active servers. To configure, include up to eight flow-server statements at the [edit forwarding-options monitoring group-name output] hierarchy level.

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.