Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Example: Configuring Active Flow Monitoring Version 9 on a PTX3000 and PTX5000 When Both Are Tethered to a CSE2000

 

This example shows how to configure active flow monitoring version 9 for simultaneous IPv4, IPv6 and MPLS flows on a PTX5000 router and a PTX3000 router when both are tethered to a CSE2000. The step-by-step instructions in this example will help you to configure traffic sampling on a PTX5000 router and a PTX3000 router, generate the v9 records, and send these records to a specified host.

This example contains the following sections:

Requirements

This example requires the following hardware and software components:

  • One PTX5000 router running Junos OS Release 13.3R4 or later

  • One PTX3000 router running Junos OS Release 13.3R4 or later

  • One CSE2000 running CSE Series Release 13.3R4 or later

  • Version 9 flow server (to collect sampled flows using the version 9 format)

Before you configure active flow monitoring version 9, connect the CSE2000 to the PTX5000 router and the PTX3000 router. For more information, see the CSE2000 Hardware Installation Guide.

Overview and Topology

This example shows the configuration of active flow monitoring version 9 for simultaneous IPv4, IPv6, and MPLS flows on a PTX5000 router and a PTX3000 router when both are tethered to a CSE2000. All the configurations shown in this example are performed on the PTX5000 and PTX3000 routers.

The topology for this example consists of a PTX5000 router and a PTX3000 router on which active flow monitoring version 9 needs to be enabled (see Figure 1). These routers are tethered to a CSE2000 device.

Figure 1: Active Flow Monitoring Version 9 on PTX3000 and PTX5000 Connected to CSE2000
Active Flow Monitoring
Version 9 on PTX3000 and PTX5000 Connected to CSE2000

Interface et-1/0/0 is the ingress interface through which packets enter the PTX5000 router. Traffic sampling is performed on interface et-1/0/0. The PTX5000 router forwards the traffic to the egress interface et-5/0/0, and the sampled traffic to the 10-Gigabit Ethernet interfaces et-3/0/0 and et-3/0/3. The sampled packets are transmitted through the ATS interface of the CSE2000.

Interface et-2/0/0 is the ingress interface through which packets enter the PTX3000 router. Traffic sampling is performed on interface et-2/0/0. The PTX3000 router forwards the traffic to the egress interface et-6/0/0, and the sampled traffic to the 10-Gigabit Ethernet interfaces et-4/0/0 and et-4/0/3. The sampled packets are transmitted through the ATS interface of the CSE2000.

In this example, service card ESC0 of the CSE2000 is connected to the PTX5000 router. The service card ESC0 has two 10-Gigabit Ethernet interfaces (esp-8/0/0 and esp-8/0/1), which are used to connect to the 10-Gigabit Ethernet PICs on the PTX5000 for the sampled traffic. The CSE2000 performs active flow monitoring on the sampled traffic and exports the version 9 records through esp interfaces (esp-8/0/0 or esp-8/0/1) to the PTX5000 router. The PTX5000 router forwards the v9 records to the version 9 flow server.

In this example, service card ESC1 of the CSE2000 is connected to the PTX3000 router. The service card ESC1 has two 10-Gigabit Ethernet interfaces (esp-16/1/0 and esp-16/1/1), which are used to connect to the 10-Gigabit Ethernet PICs on the PTX3000 for the sampled traffic. The CSE2000 performs active flow monitoring on the sampled traffic and exports the version 9 records through ESP interfaces (esp-16/1/0 or esp-16/1/1) to the PTX3000 router. The PTX3000 router forwards the v9 records to the version 9 flow server.

In this example, ats0 is the ATS interface that connects the PTX5000 router and the CSE2000. The interfaces et-3/0/3 and et-3/0/0 need to be configured as the member interfaces of the ats0 interface.

The ATS interface ats1 connects the PTX3000 router and the CSE2000. The interfaces et-4/0/3 and et-4/0/0 need to be configured as the member interfaces of the ats1 interface.

The physical connections used in this example are shown in Figure 1.

Configuring Active Flow Monitoring Version 9 on a PTX5000 Router

To configure active flow monitoring version 9 for IPv4, IPv6, and MPLS flows on the PTX5000 router tethered to the CSE2000, perform these tasks:

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them in a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring the Member Interfaces and Interface Family for Aggregated Tethered Services Interfaces

Step-by-Step Procedure

The interfaces et-3/0/0 and et-3/0/3 of the PTX5000 router that connect to the CSE2000 are configured as the member interfaces of the ATS interface ats0. This configuration associates the physical links of the router with the logical bundle of the ATS interface. You must also specify the constituent physical links by including the 802.3ad statement. All the configurations are performed on the PTX5000 router.

To configure the member interfaces and interface family for the ATS interface bundle ats0:

  1. Configure the interfaces et-3/0/0 and et-3/0/3 to form the ATS interface bundle ats0.
  2. Configure the ats0 interface to process IPv4, IPv6, and MPLS addresses by including the family statement and specifying the inet, inet6, and mpls options, respectively, at the [edit interfaces] hierarchy level.

Configuring the Active Flow Monitoring Version 9 Template for IPv4, MPLS, and IPv6 Flows

Step-by-Step Procedure

To activate templates in flow monitoring, configure a template and include that template in the version 9 flow monitoring configuration:

  1. Configure a version 9 template for IPv4, IPv6, and MPLS flows.
    • Create a version 9 template for IPv4 flows by including the flow-monitoring version9 template statement and specifying v4_template as the name of the template at the [edit services] hierarchy level.

    • Create a version 9 template for IPv6 flows by including the flow-monitoring version9 template statement and specifying v6_template as the name of the template at the [edit services] hierarchy level.

    • Create a version 9 template for MPLS flows by including the flow-monitoring version9 template statement and specifying mpls as the name of the template at the [edit services] hierarchy level.

  2. Configure the active timeout and the inactive timeout values for the traffic flows by including the flow-active-timeout and flow-inactive-timeout statements at the [edit services flow-monitoring version9 template v4_template], [edit services flow-monitoring version9 template v6_template], and [edit services flow-monitoring version9 template mpls] hierarchy levels.
    • If the interval between the time the last packet was received and the time the flow was last exported exceeds the configured active timeout value, the flow is exported to the flow server.

    • If the interval between the current time and the time that the last packet for this flow was received exceeds the configured inactive timeout value, the flow is allowed to expire.

      In this example, the active timeout value is 60 seconds and the inactive timeout value is 30 seconds.

  3. Enable the templates for IPv4, IPv6, and MPLS flows.
    • Enable the template for IPv4 flows by including the ipv4-template statement at the [edit services flow-monitoring version9 template v4_template] hierarchy level.

    • Enable the template for IPv6 flows by including the ipv6-template statement at the [edit services flow-monitoring version9 template v6_template] hierarchy level.

    • Enable the template for MPLS flows by including the mpls-template statement at the [edit services flow-monitoring version9 template mpls] hierarchy level. Also include the label-position statement and specify label positions 1 and 2 at the [edit services flow-monitoring version9 template mpls mpls-template] hierarchy level.

  4. Configure the rate at which the router sends IPv4, IPv6, and MPLS template definitions and options to the flow server for IPv4, IPv6, and MPLS traffic. Because version 9 flow monitoring traffic is unidirectional from the router to the flow server, configure the router to send template definitions and options, such as sampling rate, to the server. In this example, the template definitions and options are refreshed for every 480 packets.
    • Include the template-refresh-rate and option-refresh-rate statements at the [edit services flow-monitoring version9 template v4_template] hierarchy level.

    • Include the template-refresh-rate and option-refresh-rate statements at the [edit services flow-monitoring version9 template v6_template] hierarchy level.

    • Include the template-refresh-rate and option-refresh-rate statements at the [edit services flow-monitoring version9 template mpls] hierarchy level.

Configuring the Firewall Filter

Step-by-Step Procedure

The firewall filter identifies the traffic flows that need to be sampled and processed by the CSE2000.

To configure the firewall filter:

  1. Configure the firewall filter for IPv4, IPv6, and MPLS traffic.
    • To configure the firewall filter for IPv4, include the filter statement and specify ipv4_sample_filter as the name of the filter at the [edit firewall family inet] hierarchy level. Include the term statement and specify 1 as the name of the term. For active monitoring using version 9, you must include the sample and accept action statements at the [edit firewall family inet] hierarchy level.

    • To configure the firewall filter for IPv6, include the filter statement and specify ipv6_sample_filter as the name of the filter at the [edit firewall family inet6] hierarchy level. Include the term statement and specify 1 as the name of the term. For active monitoring using version 9, you must include the sample and accept action statements at the [edit firewall family inet6] hierarchy level.

    • To configure the firewall filter for MPLS, include the filter statement and specify mpls_sample_filter as the name of the filter at the [edit firewall family mpls] hierarchy level. Include the term statement and specify 1 as the name of the term. For active monitoring using version 9, you must include the sample and accept action statements at the [edit firewall family mpls] hierarchy level.

  2. Apply the firewall filter to the interface where traffic flow needs to be sampled.

    The filter can be applied to either ingress or egress traffic depending on the use case. In this example, the filter is applied to the ingress (input) traffic.

    • To apply the firewall filter to the et-1/0/0 interface for IPv4, include the input statement and specify ipv4_sample_filter as the name of the filter at the [edit interfaces et-1/0/0 unit 0 family inet filter] hierarchy level.

    • To apply the firewall filter to the et-1/0/0 interface for IPv6, include the input statement and specify ipv6_sample_filter as the name of the filter at the [edit interfaces et-1/0/0 unit 0 family inet6 filter] hierarchy level.

    • To apply the firewall filter to the et-1/0/0 interface for MPLS, include the input statement and specify mpls_sample_filter as the name of the filter at the [edit interfaces et-1/0/0 unit 0 family mpls filter] hierarchy level.

Configuring Traffic Sampling

Step-by-Step Procedure

Traffic sampling enables you to copy traffic to the CSE2000, which performs flow accounting while the router forwards the packet to its original destination. You can configure traffic sampling by defining a sampling instance that specifies a name for the sampling parameters and binding the instance name to a particular FPC.

To configure traffic sampling:

  1. Configure the sampling instance ins1 with sampling rate 10, run length 1, and the maximum packet length of 128 bytes.
  2. Apply the sampling instance to an FPC on the PTX5000 router by including the sampling-instance statement at the [edit chassis] hierarchy level.

    The FPC number must match the FPC portion of the interface name for the interface on which sampling is enabled. In this example, FPC 1 is associated with the interface et-1/0/0 on which sampling is enabled.

Configuring the Flow Server to Collect the Active Flow Monitoring Version 9 Records

Step-by-Step Procedure

To configure the flow server:

  1. Configure the flow server for IPv4, IPv6, and MPLS flows.
    • To configure the flow server for IPv4, include the flow-server statement and specify 192.0.2.2 as the IPv4 address of the host system that is collecting traffic flows at the [edit forwarding-options sampling instance ins1 family inet output] hierarchy level. Also include the port statement and specify UDP port 2055 for use by the flow server.

    • To configure the flow server for IPv6, include the flow-server statement and specify 192.0.2.2 as the IPv4 address of the host system that is collecting traffic flows at the [edit forwarding-options sampling instance ins1 family inet6 output] hierarchy level. Also include the port statement and specify UDP port 2055 for use by the flow server.

    • To configure the flow server for MPLS, include the flow-server statement and specify 192.0.2.2 as the IPv4 address of the host system that is collecting traffic flows at the [edit forwarding-options sampling instance ins1 family mpls output] hierarchy level. Also include the port statement and specify UDP port 2055 for use by the flow server.

  2. Enable active flow monitoring by using the version 9 template format.
    • To enable active flow monitoring for IPv4 flows by using the version 9 template format, include the version9 template statement and specify v4_template as the name of the template to use at the [edit forwarding-options sampling instance ins1 family inet output flow-server 192.0.2.2] hierarchy level.

    • To enable active flow monitoring for IPv6 flows by using the version 9 template format, include the version9 template statement and specify v6_template as the name of the template to use at the [edit forwarding-options sampling instance ins1 family inet6 output flow-server 192.0.2.2] hierarchy level.

    • To enable active flow monitoring for MPLS flows by using the version 9 template format, include the version9 template statement and specify mpls as the name of the template to use at the [edit forwarding-options sampling instance ins1 family mpls output flow-server 192.0.2.2] hierarchy level.

  3. Configure the interface connected to the flow server by specifying the source address for generating the monitored packets.
    • For IPv4 flows, configure the interface connected to the flow server by specifying 192.0.2.1 as the source address for generating the monitored packets at the [edit forwarding-options sampling instance ins1 family inet output] hierarchy level.

    • For IPv6 flows, configure the interface connected to the flow server by specifying 192.0.2.1 as the source address for generating the monitored packets at the [edit forwarding-options sampling instance ins1 family inet6 output] hierarchy level.

    • For MPLS flows, configure the interface connected to the flow server by specifying 192.0.2.1 as the source address for generating the monitored packets at the [edit forwarding-options sampling instance ins1 family mpls output] hierarchy level.

  4. Configure the address of the export port that is used by the v9 records to reach the flow server.
    • For IPv4 flows, configure the export port address 192.0.2.1/24 at the [edit forwarding-options sampling instance ins1 family inet output] hierarchy level.

    • For IPv6 flows, configure the export port address 192.0.2.1/24 at the [edit forwarding-options sampling instance ins1 family inet6 output] hierarchy level.

    • For MPLS flows, configure the export port address 192.0.2.1/24 at the [edit forwarding-options sampling instance ins1 family mpls output] hierarchy level.

Results

Display the results of the configuration.

Configuring Active Flow Monitoring Version 9 on a PTX3000 Router

To configure active flow monitoring version 9 for IPv4, IPv6, and MPLS flows on the PTX3000 router tethered to the CSE2000, perform these tasks:

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them in a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring the Member Interfaces and Interface Family for Aggregated Tethered Services Interfaces

Step-by-Step Procedure

The interfaces et-4/0/0 and et-4/0/3 of the PTX3000 router that connect to the CSE2000 are configured as the member interfaces of the ATS interface ats1. This configuration associates the physical links of the router with the logical bundle of the ATS interface. You must also specify the constituent physical links by including the 802.3ad statement. All the configurations are performed on the PTX3000 router.

To configure the member interfaces and interface family for the ATS interface bundle ats1:

  1. Configure the interfaces et-4/0/0 and et-4/0/3 to form the ATS interface bundle ats1.
  2. Configure the ats1 interface to process IPv4, IPv6, and MPLS addresses by including the family statement and specifying the inet, inet6, and mpls options, respectively, at the [edit interfaces] hierarchy level.

Configuring the Active Flow Monitoring Version 9 Template for IPv4, IPv6, and MPLS Flows

Step-by-Step Procedure

To activate templates in flow monitoring, configure a template and include that template in the version 9 flow monitoring configuration:

  1. Configure a version 9 template for IPv4, IPv6, and MPLS flows.
    • Create a version 9 template for IPv4 flows by including the flow-monitoring version9 template statement and specifying v4_template as the name of the template at the [edit services] hierarchy level.

    • Create a version 9 template for IPv6 flows by including the flow-monitoring version9 template statement and specifying v6_template as the name of the template at the [edit services] hierarchy level.

    • Create a version 9 template for MPLS flows by including the flow-monitoring version9 template statement and specifying mpls as the name of the template at the [edit services] hierarchy level.

  2. Configure the active timeout and the inactive timeout values for the traffic flows by including the flow-active-timeout and flow-inactive-timeout statements at the [edit services flow-monitoring version9 template v4_template], [edit services flow-monitoring version9 template v6_template], and [edit services flow-monitoring version9 template mpls] hierarchy levels.
    • If the interval between the time the last packet was received and the time the flow was last exported exceeds the configured active timeout value, the flow is exported to the flow server.

    • If the interval between the current time and the time that the last packet for this flow was received exceeds the configured inactive timeout value, the flow is allowed to expire.

      In this example, the active timeout value is 60 seconds and the inactive timeout value is 30 seconds.

  3. Enable the templates for IPv4, IPv6, and MPLS flows.
    • Enable the template for IPv4 flows by including the ipv4-template statement at the [edit services flow-monitoring version9 template v4_template] hierarchy level.

    • Enable the template for IPv6 flows by including the ipv6-template statement at the [edit services flow-monitoring version9 template v6_template] hierarchy level.

    • Enable the template for MPLS flows by including the mpls-template statement at the [edit services flow-monitoring version9 template mpls] hierarchy level. Also include the label-position statement and specify label positions 1 and 2 at the [edit services flow-monitoring version9 template mpls mpls-template] hierarchy level.

  4. Configure the rate at which the router sends IPv4, IPv6, and MPLS template definitions and options to the flow server for IPv4, IPv6, and MPLS traffic. Because version 9 flow monitoring traffic is unidirectional from the router to the flow server, configure the router to send template definitions and options, such as sampling rate, to the server. In this example, the template definitions and options are refreshed for every 480 packets.
    • For IPv4 flows, include the template-refresh-rate and option-refresh-rate statements at the [edit services flow-monitoring version9 template v4_template] hierarchy level.

    • For IPv6 flows, include the template-refresh-rate and option-refresh-rate statements at the [edit services flow-monitoring version9 template v6_template] hierarchy level.

    • For MPLS flows, include the template-refresh-rate and option-refresh-rate statements at the [edit services flow-monitoring version9 template mpls] hierarchy level.

Configuring the Firewall Filter

Step-by-Step Procedure

The firewall filter identifies the traffic flows that need to be sampled and processed by the CSE2000.

To configure the firewall filter:

  1. Configure the firewall filter.
    • To configure the firewall filter for IPv4, include the filter statement and specify ipv4_sample_filter as the name of the filter at the [edit firewall family inet] hierarchy level. Include the term statement and specify 1 as the name of the term. For active monitoring using version 9, you must include the sample and accept action statements at the [edit firewall family inet] hierarchy level.

    • To configure the firewall filter for IPv6, include the filter statement and specify ipv6_sample_filter as the name of the filter at the [edit firewall family inet6] hierarchy level. Include the term statement and specify 1 as the name of the term. For active monitoring using version 9, you must include the sample and accept action statements at the [edit firewall family inet6] hierarchy level.

    • To configure the firewall filter for MPLS, include the filter statement and specify mpls_sample_filter as the name of the filter at the [edit firewall family mpls] hierarchy level. Include the term statement and specify 1 as the name of the term. For active monitoring using version 9, you must include the sample and accept action statements at the [edit firewall family mpls] hierarchy level.

  2. Apply the firewall filter to the interface where traffic flow needs to be sampled.

    The filter can be applied to either ingress or egress traffic depending on the use case. In this example, the filter is applied to the ingress (input) traffic.

    • To apply the firewall filter to the et-2/0/0 interface for IPv4, include the input statement and specify ipv4_sample_filter as the name of the filter at the [edit interfaces et-2/0/0 unit 0 family inet filter] hierarchy level.

    • To apply the firewall filter to the et-2/0/0 interface for IPv6, include the input statement and specify ipv6_sample_filter as the name of the filter at the [edit interfaces et-2/0/0 unit 0 family inet6 filter] hierarchy level.

    • To apply the firewall filter to the et-2/0/0 interface for MPLS, include the input statement and specify mpls_sample_filter as the name of the filter at the [edit interfaces et-2/0/0 unit 0 family mpls filter] hierarchy level.

Configuring Traffic Sampling

Step-by-Step Procedure

Traffic sampling enables you to copy traffic to the CSE2000, which performs flow accounting while the router forwards the packet to its original destination. You can configure traffic sampling by defining a sampling instance that specifies a name for the sampling parameters and binding the instance name to a particular FPC.

To configure traffic sampling:

  1. Configure the sampling instance ins1 with sampling rate 10, run length 1, and the maximum packet length of 128 bytes.
  2. Apply the sampling instance to an FPC on the PTX3000 router by including the sampling-instance statement at the [edit chassis] hierarchy level.

    The FPC number must match the FPC portion of the interface name for the interface on which sampling is enabled. In this example, FPC 1 is associated with the interface et-2/0/0 on which sampling is enabled.

Configuring the Flow Server to Collect the Active Flow Monitoring Version 9 Records

Step-by-Step Procedure

To configure the flow server:

  1. Configure the flow server for IPv4, IPv6, and MPLS flows.
    • To configure the flow server for IPv4, include the flow-server statement and specify 192.0.2.2 as the IPv4 address of the host system that is collecting traffic flows at the [edit forwarding-options sampling instance ins1 family inet output] hierarchy level. Also include the port statement and specify UDP port 2055 for use by the flow server.

    • To configure the flow server for IPv6, include the flow-server statement and specify 192.0.2.2 as the IPv4 address of the host system that is collecting traffic flows at the [edit forwarding-options sampling instance ins1 family inet6 output] hierarchy level. Also include the port statement and specify UDP port 2055 for use by the flow server.

    • To configure the flow server for MPLS, include the flow-server statement and specify 192.0.2.2 as the IPv4 address of the host system that is collecting traffic flows at the [edit forwarding-options sampling instance ins1 family mpls output] hierarchy level. Also include the port statement and specify UDP port 2055 for use by the flow server.

  2. Enable active flow monitoring by using the version 9 template format.
    • To enable active flow monitoring for IPv4 flows by using the version 9 template format, include the version9 template statement and specify v4_template as the name of the template to use at the [edit forwarding-options sampling instance ins1 family inet output flow-server 192.0.2.2] hierarchy level.

    • To enable active flow monitoring for IPv6 flows by using the version 9 template format, include the version9 template statement and specify v6_template as the name of the template to use at the [edit forwarding-options sampling instance ins1 family inet6 output flow-server 192.0.2.2] hierarchy level.

    • To enable active flow monitoring for MPLS flows by using the version 9 template format, include the version9 template statement and specify mpls as the name of the template to use at the [edit forwarding-options sampling instance ins1 family mpls output flow-server 192.0.2.2] hierarchy level.

  3. Configure the interface connected to the flow server by specifying the source address for generating the monitored packets.
    • For IPv4 flows, configure the interface connected to the flow server by specifying 192.0.2.1 as the source address for generating the monitored packets at the [edit forwarding-options sampling instance ins1 family inet output] hierarchy level.

    • For IPv6 flows, configure the interface connected to the flow server by specifying 192.0.2.1 as the source address for generating the monitored packets at the [edit forwarding-options sampling instance ins1 family inet6 output] hierarchy level.

    • For MPLS flows, configure the interface connected to the flow server by specifying 192.0.2.1 as the source address for generating the monitored packets at the [edit forwarding-options sampling instance ins1 family mpls output] hierarchy level.

  4. Configure the address of the export port that is used by the v9 records to reach the flow server.
    • For IPv4 flows, configure the export port address 192.0.2.1/24 at the [edit forwarding-options sampling instance ins1 family inet output] hierarchy level.

    • For IPv6 flows, configure the export port address 192.0.2.1/24 at the [edit forwarding-options sampling instance ins1 family inet6 output] hierarchy level.

    • For MPLS flows, configure the export port address 192.0.2.1/24 at the [edit forwarding-options sampling instance ins1 family mpls output] hierarchy level.

Results

Display the results of the configuration.

Verification

Confirm that the configuration is working properly.

Verifying That the Packets Are Received on the Routers

Purpose

Verify that the packets are received on the PTX5000 and PTX3000 routers.

Action

In operational mode, enter the show interface et-1/0/0 command on the PTX5000 router.

user@ptx5000> show interface et-1/0/0

In operational mode, enter the show interface et-2/0/0 command on the PTX3000 router.

user@ptx3000> show interface et-2/0/0

Meaning

The following command output values of the Physical interface field indicates that interface et-1/0/0 on the PTX5000 router and interface et-2/0/0 on the PTX3000 router are working.

  • et-1/0/0, Enabled, Physical link is Up

  • et-2/0/0, Enabled, Physical link is Up

The following command output values on the PTX5000 and PTX3000 routers indicate that the interfaces on the routers are receiving packets.

  • Input packets : 108

  • Input packets : 138

Verifying That the Packets Are Matched and Filtered According to the Configuration

Purpose

Verify that the packets are matched and filtered according to the configuration.

Action

In operational mode, enter the show firewall command on the PTX5000 router.

user@ptx5000> show firewall

In operational mode, enter the show firewall command on the PTX3000 router.

user@ptx3000> show firewall

Meaning

The Bytes field displays the number of bytes that match the filter term under which the counter action is specified.

The Packets field displays the number of packets that match the filter term under which the counter action is specified.

The results indicate that the packets are matched and filtered according to the configuration.

Verifying That the ATS Interface Is Forwarding Packets

Purpose

Verify that the ats0 and ats1 interfaces are forwarding packets.

Action

In operational mode, enter the show interfaces ats0 command on the PTX5000 router.

user@ptx5000> show interfaces ats0

In operational mode, enter the show interfaces ats1 command on the PTX3000 router.

user@ptx3000> show interfaces ats1

Meaning

The Packets and Bytes fields under the Bundle statistics show that the ats0 and ats1 interfaces are forwarding the packets (Output field) to the CSE2000.

Verifying That Active Flow Monitoring Is Working

Purpose

Verify that active flow monitoring is working.

Action

To verify that active flow monitoring is working, use the show services accounting flow command on the PTX5000 and PTX3000 routers.

Meaning

The output of the PTX5000 and PTX3000 routers shows that active flows exist and that flow packets are being exported. This indicates that flow monitoring is working. If flow monitoring is not working, verify that the CSE2000 is operational.

Verifying That the CSE2000 Service Cards Are Operational

Purpose

Verify that the configured CSE2000 service cards are present in the chassis and are operational.

Action

To verify that the configured CSE2000 service cards (connected to the two routers) are operational, use the show chassis hardware command on the PTX5000 and PTX3000 routers.

Meaning

The output ESC 0 and ESC 1 shows that CSE2000 service cards have completed booting and are operational. If the service card is operational but flow monitoring is not working, verify that sampling is enabled on the media interface on which traffic flow is expected and that the sampling filter direction is correct.

Verifying That Sampling Is Enabled and the Filter Direction Is Correct for Active Flow Monitoring

Purpose

Verify that sampling is enabled on the media interface on which traffic flow is expected and that the sampling filter direction is correct.

Action

To verify that sampling is enabled on the media interface on which traffic flow is expected and that the sampling filter direction is correct, use the show interfaces interface-name extensive | grep filters command on the PTX5000 and PTX3000 routers.

Meaning

The command output shows that the sample filter is applied to the media interface on which traffic flow is expected (et-1/0/0 and et-2/0/0) and that the sampling filter direction is Input. If the CSE2000 service card is operational and the filters are correct, but flow monitoring is not working, verify that the sampling instance is applied to the FPC where the media interface resides.

Tip

If a firewall filter is used to enable sampling, add a counter as an action in the firewall filter. Then, check whether the counter is incrementing. An incrementing counter confirms that the traffic is present and that the filter direction is correct.

Verifying That the Sampling Instance Is Applied to the Correct FPC for Active Flow Monitoring

Purpose

Verify that the sampling instance is applied to the FPC where the media interface resides.

Action

To verify that the sampling instance Is applied to the correct FPC, use the show configuration chassis command on the PTX5000 and PTX3000 routers.

Meaning

The output shows that the sampling instance is applied to the correct FPC. If the CSE2000 service card is operational, the filters are correct, and the sampling instance is applied to the correct FPC, but flow monitoring is not working, verify that the route record set of data is being created.

Verifying That the Route Record Is Being Created for Active Flow Monitoring

Purpose

Verify that the route record set of data is being created.

Action

To verify that the route record set of data is being created, use the show services accounting status command on the PTX5000 and PTX3000 routers.

Meaning

The output shows that the Route record set field is set to Yes. This confirms that the route record set is created.

Tip

If the route record set field is set to no, the record might not have been downloaded yet. Wait for 60–100 seconds and check again. If the route record is still not created, verify that the sampling process is running, that the connection between the CSE2000 service card and the process is operational, and that the CSE2000 service card memory is not overloaded.

Verifying That the Sampling Process Is Running for Active Flow Monitoring

Purpose

Verify that the sampling process is running.

Action

To verify that the sampling process is running, use the show system processes extensive | grep sampled command on the PTX5000 and PTX3000 routers.

Meaning

The output shows that sampled is listed as a running system process. In addition to verifying that the process is running, verify that the TCP connection between the sampled process and the CSE2000 service card is operational.

Verifying That the TCP Connection Is Operational for Active Flow Monitoring

Purpose

Verify that the TCP connection between the sampled process and the CSE2000 service card is operational.

Action

To verify that the TCP connection is operational, use the show system connections inet | grep 6153 command on the PTX5000 and PTX3000 routers.

Meaning

The output shows that the TCP connection between the sampled process socket (6153) and the CSE2000 service card (128.0.0.1) is ESTABLISHED.

Tip

If the TCP connection between the sampled process and the CSE2000 service card is not established, restart the sampled process by using the restart sampling command.