Configuring Dynamic Flow Capture

To configure dynamic flow capture, include the dynamic-flow-capture statement at the [edit services] hierarchy level:

[edit services]dynamic-flow-capture {capture-group client-name {content-destination identifier {address address;hard-limit bandwidth;hard-limit-target bandwidth;soft-limit bandwidth;soft-limit-clear bandwidth;ttl hops;}control-source identifier {allowed-destinations [ destinations ];minimum-priority value;no-syslog;notification-targets address port port-number;service-port port-number;shared-key value;source-addresses [ addresses ];}duplicates-dropped-periodicity seconds;input-packet-rate-threshold rate;interfaces interface-name;max-duplicates number;pic-memory-threshold percentage percentage;}g-duplicates-dropped-periodicity seconds;g-max-duplicates number;}

This section describes the following tasks for configuring dynamic flow capture:

Configuring the Capture Group

A capture group defines a profile of dynamic flow capture configuration information. The static configuration includes information about control sources, content destinations, and notification destinations. Dynamic configuration is added through interaction with control sources using a control protocol.

To configure a capture group, include the capture-group statement at the [edit services dynamic-flow-capture] hierarchy level:

capture-group client-name {content-destination identifier {address address;hard-limit bandwidth;hard-limit-target bandwidth;soft-limit bandwidth;soft-limit-clear bandwidth;ttl hops;}control-source identifier {allowed-destinations [ destinations ];minimum-priority value;no-syslog;notification-targets address port port-number;service-port port-number;shared-key value;source-addresses [ addresses ];}duplicates-dropped-periodicity seconds;input-packet-rate-threshold rate;interfaces interface-name;max-duplicates number;pic-memory-threshold percentage percentage;}

To specify the capture-group, assign it a unique client-name that associates the information with the requesting control sources.

Configuring the Content Destination

You must specify a destination for the packets that match DFC PIC filter criteria. To configure the content destination, include the content-destination statement at the [edit services dynamic-flow-capture capture-group client-name] hierarchy level:

content-destination identifier {address address;hard-limit bandwidth;hard-limit-target bandwidth;soft-limit bandwidth;soft-limit-clear bandwidth;ttl hops;}

Assign the content-destination a unique identifier. You must also specify its IP address and you can optionally include additional settings:

address—The DFC PIC interface appends an IP header with this destination address on the matched packet (with its own IP header and contents intact) and sends it out to the content destination.
ttl—The time-to-live (TTL) value for the IP-IP header. By default, the TTL value is 255. Its range is 0 through 255.
Congestion thresholds—You can specify per-content destination bandwidth limits that control the amount of traffic produced by the DFC PIC during periods of congestion. The thresholds are arranged in two pairs: hard-limit and hard-limit-target, and soft-limit and soft-limit-clear. You can optionally include one or both of these paired settings. All four settings are 10–second average bandwidth values in bits per second. Typically soft-limit-clear < soft-limit < hard-limit-target < hard-limit. When the content bandwidth exceeds the soft-limit setting:
1. A congestion notification message is sent to each control source of the criteria that point to this content destination
2. If the control source is configured for syslog, a system log message is generated.
3. A latch is set, indicating that the control sources have been notified. No additional notification messages are sent until the latch is cleared, when the bandwidth falls below the soft-limit-clear value.
When the bandwidth exceeds the hard-limit value:
1. The dynamic flow capture application begins deleting criteria until the bandwidth falls below the hard-limit-target value.
2. For each criterion deleted, a CongestionDelete notification is sent to the control source for that criterion.
3. If the control source is configured for syslog, a log message is generated.
The application evaluates criteria for deletion using the following data:
- Priority—Lower priority criteria are purged first, after adjusting for control source minimum priority.
- Bandwidth—Higher bandwidth criteria are purged first.
- Timestamp—The more recent criteria are purged first.

Configuring the Control Source

You configure information about the control source, including allowed source addresses and destinations and authentication key values. To configure the control source information, include the control-source statement at the [edit services dynamic-flow-capture capture-group client-name] hierarchy level:

control-source identifier {allowed-destinations [ destination-identifiers ];minimum-priority value;no-syslog;notification-targets address port port-number;service-port port-number;shared-key value;source-addresses [ addresses ];}

Assign the control-source statement a unique identifier. You can also include values for the following statements:

allowed-destinations—One or more content destination identifiers to which this control source can request that matched data be sent in its control protocol requests. If you do not specify any content destinations, all available destinations are allowed.
minimum-priority—Value assigned to the control source that is added to the priority of the criteria in the DTCP ADD request to determine the total priority for the criteria. The lower the value, the higher the priority. By default, minimum-priority has a value of 0 and the allowed range is 0 through 254.
notification-targets—One or more destinations to which the DFC PIC interface can log information about control protocol-related events and other events such as PIC bootup messages. You configure each notification-target entry with an IP address value and a User Datagram Protocol (UDP) port number.
service-port—UDP port number to which the control protocol requests are directed. Control protocol requests that are not directed to this port are discarded by DFC PIC interfaces.
shared-key—20-byte authentication key value shared between the control source and the DFC PIC monitoring platform.
source-addresses—One or more allowed IP addresses from which the control source can send control protocol requests to the DFC PIC monitoring platform. These are /32 addresses.

Configuring the DFC PIC Interface

You specify the interface that interacts with the control sources configured in the same capture group. A Monitoring Services III PIC can belong to only one capture group, and you can configure only one PIC for each group.

To configure a DFC PIC interface, include the interfaces statement at the [edit services dynamic-flow-capture capture-group client-name] hierarchy level:

interfaces interface-name;

You specify DFC interfaces using the dfc- identifier at the [edit interfaces] hierarchy level. You must specify three logical units on each DFC PIC interface, numbered 0, 1, and 2. You cannot configure any other logical interfaces.

unit 0 processes control protocol requests and responses.
unit 1 receives monitored data.
unit 2 transmits the matched packets to the destination address.

The following example shows the configuration necessary to set up a DFC PIC interface:

[edit interfaces dfc-0/0/0]unit 0 {family inet {address 10.1.0.0/32 { # DFC PIC addressdestination 10.36.100.1; # DFC PIC address used by# the control source to correspond with the# monitoring platform}}}unit 1 { # receive data packets on this logical interfacefamily inet;}unit 2 { # send out copies of matched packets on this logical interfacefamily inet;}

In addition, you must configure the dynamic flow capture application to run on the DFC PIC in the correct chassis location. The following example shows this configuration at the [edit chassis] hierarchy level:

fpc 0 {pic 0 {monitoring-services application dynamic-flow-capture;}}

For more information on configuring chassis properties, see the Junos System Basics Configuration Guide.

Configuring System Logging

By default, control protocol activity is logged as a separate system log facility, dfc. To modify the filename or level at which control protocol activity is recorded, include the following statements at the [edit syslog] hierarchy level:

file dfc.log {dfc any;}

To cancel logging, include the no-syslog statement at the [edit services dynamic-flow-capture capture-group client-name control-source identifier] hierarchy level:

no-syslog;

Note: The dynamic flow capture (dfc-) interface supports up to 10,000 filter criteria. When more than 10,000 filters are added to the interface, the filters are accepted, but system log messages are generated indicating that the filter is full.

Configuring Thresholds

You can optionally specify threshold values for the following situations in which warning messages will be recorded in the system log:

Input packet rate to the DFC PIC interfaces
Memory usage on the DFC PIC interfaces

To configure threshold values, include the input-packet-rate-threshold or pic-memory-threshold statements at the [edit services dynamic-flow-capture capture-group client-name] hierarchy level:

input-packet-rate-threshold rate;pic-memory-threshold percentage percentage;

If these statements are not configured, no threshold messages are logged. The threshold settings are configured for the capture group as a whole.

The range of configurable values for the input-packet-rate-threshold statement is 0 through 1 Mpps. The PIC calibrates the value accordingly; the Monitoring Services III PIC caps the threshold value at 300 Kpps and the Multiservices 400 PIC uses the full configured value. The range of values for the pic-memory-threshold statement is 0 to 100 percent.

Limiting the Number of Duplicates of a Packet

You can optionally specify the maximum number of duplicate packets the DFC PIC is allowed to generate from a single input packet. This limitation is intended to reduce the load on the PIC when packets are sent to multiple destinations. When the maximum number is reached, the duplicates are sent to the destinations with the highest criteria class priority. Within classes of equal priority, criteria having earlier timestamps are selected first.

To configure this limitation, include the max-duplicates statement at the [edit services dynamic-flow-capture capture-group client-name] hierarchy level:

max-duplicates number;

You can also apply the limitation on a global basis for the DFC PIC by including the g-max-duplicates statement at the [edit services dynamic-flow-capture] hierarchy level:

g-max-duplicates number;

By default, the maximum number of duplicates is set to 3. The range of allowed values is 1 through 64. A setting for max-duplicates for an individual capture-group overrides the global setting.

In addition, you can specify the frequency with which the application sends notifications to the affected control sources that duplicates are being dropped because the threshold has been reached. You configure this setting at the same levels as the maximum duplicates settings, by including the duplicates-dropped-periodicity statement at the [edit services dynamic-flow-capture capture-group client-name] hierarchy level or the g-duplicates-dropped-periodicity statement at the [edit services dynamic-flow-capture] hierarchy level:

duplicates-dropped-periodicity seconds;g-duplicates-dropped-periodicity seconds;

As with the g-max-duplicates statement, the g-duplicates-dropped-periodicity statement applies the setting globally for the application and is overridden by a setting applied at the capture-group level. By default, the frequency for sending notifications is 30 seconds.