Configuring Flow Monitoring

The flow-monitoring application performs traffic flow monitoring and enables lawful interception of traffic between two routers. Traffic flows can either be passively monitored by an offline router or actively monitored by a router participating in the network.

To configure flow monitoring you need to do the following:

Configuring Flow-Monitoring Interfaces

To enable flow monitoring on the Monitoring Services PIC, include the mo-fpc/pic/port statement at the [edit interfaces] hierarchy level:

mo-fpc/pic/port {unit logical-unit-number {family inet {address address {destination address;}filter {group filter-group-number;input filter-name;output filter-name;}sampling {[ input output ];}}}multiservice-options {(core-dump | no-core-dump);(syslog | no-syslog);}}

Specify the physical and logical location of the flow-monitoring interface. You cannot use unit 0, because it is already used by internal processes. Specify the source and destination addresses. The filter statement allows you to associate an input or output filter or a filter group that you have already configured for this purpose. The sampling statement specifies the traffic direction: input, output, or both.

The multiservice-options statement allows you to configure properties related to flow-monitoring interfaces:

Include the core-dump statement to enable storage of core files in /var/tmp.

Include the syslog statement to enable storage of system logging information in /var/log.

Note: Boot images for monitoring services interfaces are specified at the [edit chassis images pic] hierarchy level. You must include the following configuration to make the flow monitoring feature operable:

[edit system]ntp {boot-server ntp.juniper.net;server 172.17.28.5;}processes {ntp enable;}

For more information, see the Junos System Basics Configuration Guide.

Configuring Flow-Monitoring Properties

To configure flow-monitoring properties, include the monitoring statement at the [edit forwarding-options] hierarchy level:

monitoring name {family inet {output {cflowd hostname port port-number;export-format format;flow-active-timeout seconds;flow-export-destination {collector-pic;}flow-inactive-timeout seconds;interface interface-name {engine-id number;engine-type number;input-interface-index number;output-interface-index number;source-address address;}}}

A monitoring instance is a named entity that specifies collector information under the monitoring name statement. The following sections describe the properties you can configure:

Directing Traffic to Flow-Monitoring Interfaces

To direct traffic to a flow-monitoring interface, include the interface statement at the [edit forwarding-options monitoring name output] hierarchy level. By default, the Junos OS automatically assigns values for the engine-id and engine-type statements:

engine-id—Monitoring interface location.
engine-type—Platform-specific monitoring interface type.

The source-address statement specifies the traffic source for transmission of cflowd information; you must configure it manually. If you provide a different source-address statement for each monitoring services output interface, you can track which interface processes a particular cflowd record.

By default, the input-interface-index value is the SNMP index of the input interface. You can override the default by including a specific value. The input-interface-index and output-interface-index values are exported in fields present in the cflowd version 5 flow format.

Note: On J Series Services Routers, cflowd sampling in the input direction of an interface reports the output interface index as 0.

Exporting Flows

To direct traffic to a flow collection interface, include the flow-export-destination statement. For more information about flow collection, see Flow Collection.

To configure the cflowd version number, include the export-format statement at the [edit forwarding-options monitoring name output] hierarchy level. By default, version 5 is used. Version 8 enables the router software to aggregate the flow information using broader criteria and reduce cflowd traffic. Version 8 aggregation is performed periodically (every few seconds) on active flows and when flows are allowed to expire. Because the aggregation is performed periodically, active timeout events are ignored.

For more information on cflowd properties, see Enabling Flow Aggregation.

Configuring Time Periods when Flow Monitoring is Active and Inactive

To configure time periods for active flow monitoring and intervals of inactivity, include the flow-active-timeout and flow-inactive-timeout statements at the [edit forwarding-options monitoring name output] hierarchy level:

The flow-active-timeout statement specifies the time interval between flow exports for active flows. If the interval between the time the last packet was received and the time the flow was last exported exceeds the configured value, the flow is exported.

This timer is needed to provide periodic updates when a flow has a long duration. The active timeout setting enables the router to retain the start time for the flow as a constant and send out periodic cflowd reports. This in turn allows the collector to register the start time and determine that a flow has survived for a duration longer than the configured active timeout.

Note: In active flow monitoring, the cflowd records are exported after a time period that is a multiple of 60 seconds and greater than or equal to the configured active timeout value. For example, if the active timeout value is 90 seconds, the cflowd records are exported at 120-second intervals. If the active timeout value is 150 seconds, the cflowd records are exported at 180-second intervals, and so forth.

The flow-inactive-timeout statement specifies the interval of inactivity for a flow that triggers the flow export. If the interval between the current time and the time that the last packet for this flow was received exceeds the configured inactive timeout value, the flow is allowed to expire.
If the flow stops transmitting for longer than the configured inactive timeout value, the router purges it from the flow table and exports the cflowd record. As a result, the flow is forgotten as far as the PIC is concerned and if the same 5-tuple appears again, it is assigned a new start time and considered a new flow.

Both timers are necessary. The active timeout setting is needed to provide information for flows that constantly transmit packets for a long duration. The inactive timeout setting enables the router to purge flows that have become inactive and would waste tracking resources.

Note: The router must contain an Adaptive Services, Multiservices, or Monitoring Services PIC for the flow-active-timeout and flow-inactive-timeout statements to take effect.

Example: Configuring Flow Monitoring

The following is an example of flow-monitoring properties configured to support input SONET/SDH interfaces, output monitoring services interfaces, and export to cflowd for flow analysis. To complete the configuration, you also need to configure the interfaces and set up a virtual private network (VPN) routing and forwarding (VRF) instance. For a complete example, see the Junos Feature Guide. For information on cflowd, see Enabling Flow Aggregation.

[edit forwarding-options]monitoring group1 {family inet {output {cflowd 192.168.245.2 port 2055;export-format cflowd-version-5;flow-active-timeout 60;flow-inactive-timeout 30;interface mo-4/0/0.1 {engine-id 1;engine-type 1;input-interface-index 44;output-interface-index 54;source-address 192.168.245.1;}interface mo-4/1/0.1 {engine-id 2;engine-type 1;input-interface-index 45;output-interface-index 55;source-address 192.168.245.1;}interface mo-4/2/0.1 {engine-id 3;engine-type 1;input-interface-index 46;output-interface-index 56;source-address 192.168.245.1;}interface mo-4/3/0.1 {engine-id 4;engine-type 1;input-interface-index 47;output-interface-index 57;source-address 192.168.245.1;}}}}