[Contents] [Prev] [Next] [Index] [Report an Error]

Example: Passive Flow Monitoring Configuration

Figure 25: Passive Flow Monitoring—Topology Diagram

Image g003052.gif

In Figure 25, traffic enters the monitoring station through interfaces so-0/0/0 and so-0/1/0. After the firewall filter accepts the traffic to be monitored, the packets enter a VRF instance.

The original packets travel within the VRF instance to the Monitoring Services PIC for flow processing. The final flow packets are sent from the monitoring services interfaces out the fe-3/0/0 interface to a flow server.

A copy of the accepted traffic is port-mirrored to the Tunnel PIC. As the copied packets enter the tunnel interface, a second firewall filter separates TCP and UDP packets and places them into two filter-based forwarding instances. The UDP instance directs the UDP packets to a packet analyzer attached to fe-3/2/0. The TCP instance sends the TCP packets to the ES PIC for encryption and the ES PIC sends the packets to a second packet analyzer connected to fe-3/2/1.

Your first step is to define a firewall filter to select packets for monitoring. All filtered traffic must be accepted, and the port-mirror statement at the [edit firewall family inet filter filter-name term term-name then] hierarchy level facilitates port mirroring.

Next, configure the input SONET/SDH interfaces and apply the firewall filter that you just defined. The passive-monitor-mode statement disables SONET keepalives on the SONET/SDH interfaces and enables passive flow monitoring.

Configure all other interfaces that you will use with the monitoring application, including the monitoring services interfaces, the export interfaces, the tunnel interface, and the ES interface. Once the interfaces are in place, configure a VRF instance and monitoring group to direct the original packets from the input interfaces to the monitoring services interfaces for processing. The resulting flow description packets exit fe-3/0/0 to reach the flow server.

Next, configure statements to port-mirror the monitored traffic to a tunnel interface. Design a firewall filter that selects some of this copied traffic for further analysis and some of the traffic for discarding. In this case, isolate TCP and UDP traffic and direct these two flows into separate filter-based forwarding routing instances. Remember to apply the filter to the tunnel interface to enable the separation of TCP traffic from UDP traffic. Also, import the interface routes into the forwarding instances with a routing table group.

In the filter-based forwarding instances, define static route next hops. The next hop for the TCP instance is the ES interface and the next hop for the UDP instance is the packet analyzer connected to fe-3/2/0. Finally, configure IPSec so that the next hop for the TCP traffic is the second packet analyzer attached to fe-3/2/1.

[edit]
interfaces {
so-0/0/0 { # Traffic enters the router on this interface.
description “ input interface”;
encapsulation ppp;
unit 0 {
passive-monitor-mode; # Disables SONET keepalives.
family inet {
filter {
input input-monitoring-filter; # The firewall filter is applied here.
}
}
}
}
so-0/1/0 { # Traffic enters the router on this interface.
description “ input interface”;
encapsulation ppp;
unit 0 {
passive-monitor-mode; # Disables SONET keepalives.
family inet {
filter {
input input-monitoring-filter; # The firewall filter is applied here.
}
}
}
}
es-3/1/0 { # This is where the TCP traffic enters the ES PIC.
unit 0 {
tunnel {
source 10.8.8.1;
destination 10.8.8.2;
}
family inet {
ipsec-sa sa-esp;
address 3.3.3.1/32 {
destination 3.3.3.2;
}
}
}
}
fe-3/0/0 { # Flow records exit here and travel to the flow server.
description “ export interface to the flow server”;
unit 0 {
family inet;
address 192.168.245.1/30;
}
}
fe-3/2/0 { # This export interface for UDP traffic leads to a packet analyzer.
description “ export interface to the packet analyzer”;
unit 0 {
family inet {
address 10.9.9.1/30;
}
}
}
fe-3/2/1 { # This IPSec tunnel source exports TCP traffic to a packet analyzer.
unit 0 {
family inet {
address 10.8.8.1/30;
}
}
}
mo-4/0/0 { # This marks the beginning of the monitoring services interfaces.
unit 0 { # Unit 0 is part of the inet.0 routing table and generates flow records.
family inet;
}
unit 1 { # Unit 1 receives monitored traffic and is part of the VRF instance.
family inet;
}
}
mo-4/1/0 {
unit 0 { # Unit 0 is part of the inet.0 routing table and generates flow records.
family inet;
}
unit 1 { # Unit 1 receives monitored traffic and is part of the VRF instance.
family inet;
}
}
mo-4/2/0 {
unit 0 { # Unit 0 is part of the inet.0 routing table and generates flow records.
family inet;
}
unit 1 { # Unit 1 receives monitored traffic and is part of the VRF instance.
family inet;
}
}
mo-4/3/0 {
unit 0 { # Unit 0 is part of the inet.0 routing table and generates flow records.
family inet;
}
unit 1 { # Unit 1 receives monitored traffic and is part of the VRF instance.
family inet;
}
}
vt-0/2/0 { # The tunnel services interface receives the port-mirrored traffic.
unit 0 {
family inet {
filter {
input tunnel-interface-filter; # The filter splits traffic into TCP and UDP
}
}
}
}
}
forwarding-options {
monitoring group1 { # Monitored traffic is processed by the monitoring services
family inet { # interfaces and flow records are sent to the flow server.
output {
export-format cflowd-version-5;
flow-active-timeout 60;
flow-inactive-timeout 30;
flow-server 192.168.245.2 port 2055; # IP address and port for server.
interface mo-4/0/0.1 { # Use monitoring services interfaces for output.
engine-id 1; # engine and interface-index statements are optional.
engine-type 1;
input-interface-index 44;
output-interface-index 54;
source-address 192.168.245.1; # This is the IP address of fe-3/0/0.
}
interface mo-4/1/0.1 {
engine-id 2; # engine and interface-index statements are optional.
engine-type 1;
input-interface-index 45;
output-interface-index 55;
source-address 192.168.245.1; # This is the IP address of fe-3/0/0.
}
interface mo-4/2/0.1 {
engine-id 3; # engine and interface-index statements are optional.
engine-type 1;
input-interface-index 46;
output-interface-index 56;
source-address 192.168.245.1; # This is the IP address of fe-3/0/0.
}
interface mo-4/3/0.1 {
engine-id 4; # engine and interface-index statements are optional.
engine-type 1;
input-interface-index 47;
output-interface-index 57;
source-address 192.168.245.1; # This is the IP address of fe-3/0/0.
}
}
}
}
port-mirroring { # Copies the traffic and sends it to the Tunnel Services PIC.
family inet {
input {
rate 1;
run-length 1;
}
output {
interface vt-0/2/0.0;
no-filter-check;
}
}
}
}
routing-options { # This installs the interface routes into the forwarding instances.
interface-routes {
rib-group inet bc-vrf;
}
rib-groups {
bc-vrf {
import-rib [inet.0 tcp-routing-table.inet.0 udp-routing-table.inet.0];
}
}
forwarding-table {
export pplb; # Applies per-packet load balancing to the forwarding table.
}
}
policy-options {
policy-statement monitoring-vrf-import {
then reject;
}
policy-statement monitoring-vrf-export {
then reject;
}
policy-statement pplb {
then {
load-balance per-packet;
}
}
}
security { # This sets IPSec options for the ES PIC.
ipsec {
proposal esp-sha1-3des {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 180;
}
policy esp-group2 {
perfect-forward-secrecy {
keys group2;
}
proposals esp-sha1-3des;
}
security-association sa-esp {
mode tunnel;
dynamic {
ipsec-policy esp-group2;
}
}
}
ike {
proposal ike-esp {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 180;
}
policy 10.8.8.2 {
mode aggressive;
proposals ike-esp;
pre-shared-key ascii-text "$9$qmQnuORrlMBIds2oiH0BIESe";
}
}
}
firewall {
family inet {
filter input-monitoring-filter { # This filter selects traffic to send into the VRF
term 1 { # instance and prepares the traffic for port mirroring.
from {
destination-address {
10.7.0.0/16;
}
}
then {
port-mirror;
accept;
}
}
term 2 {
from {
destination-address {
10.6.0.0/16;
}
}
then accept;
}
}
filter tunnel-interface-filter { # This filter breaks the port-mirrored traffic into two
term tcp { # filter-based forwarding instances: TCP packets and UDP packets.
from {
protocol tcp;
}
then { # This counts TCP packets and sends them into a TCP instance.
count tcp;
routing-instance tcp-routing-table;
}
}
term udp {
from {
protocol udp;
}
then { # This counts UDP packets and sends them into a UDP instance.
count udp;
routing-instance udp-routing-table;
}
}
term rest {
then {
count rest;
discard;
}
}
}
}
}
routing-instances {
monitoring-vrf { # This is the VRF instance where you send the traffic. It contains
instance-type vrf; # the input interface and the monitoring services interfaces.
interface so-0/0/0.0; # Traffic enters the router on these input interfaces.
interface so-0/1/0.0;
interface mo-4/0/0.1;
interface mo-4/1/0.1; # These are output interfaces (use them as
interface mo-4/2/0.1; # output interfaces in your monitoring group).
interface mo-4/3/0.1;
route-distinguisher 69:1;
vrf-import monitoring-vrf-import;
vrf-export monitoring-vrf-export;
routing-options { # Sends traffic to a group of monitoring services interfaces.
static {
route 0.0.0.0/0 next-hop [mo-4/0/0.1 mo-4/1/0.1
mo-4/2/0.1 mo-4/3/0.1];
}
}
}
tcp-routing-table { # This is the filter-based forwarding instance for TCP traffic.
instance-type forwarding;
routing-options { # The next hop is the ES PIC.
static {
route 0.0.0.0/0 next-hop es-3/1/0.0;
}
}
}
udp-routing-table { # This is the filter-based forwarding instance for UDP traffic.
instance-type forwarding;
routing-options { # The next hop is the second packet analyzer.
static {
route 0.0.0.0/0 next-hop 10.9.1.2;
}
}
}
}
[Contents] [Prev] [Next] [Index] [Report an Error]

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.