Example: Configuring Active Flow Monitoring Version 9 for IPv4, MPLS, and IPv6
This example shows how to monitor IPv4, MPLS, and IPv6 flows by using active flow monitoring version 9. It is organized in the following sections:
Requirements
This example requires the following hardware and software components:
- Junos OS Release 9.2 or later
- One M120 or M320 Multiservice Edge Router, MX Series 3D Universal Edge Router, or T Series Core Router
- One Adaptive Services PIC
This configuration example has been tested using the software release listed and is assumed to work on all later releases.
Overview of Flow Monitoring
This example explains how to monitor IPv4, MPLS, and IPv6 flows.
The physical connections used in this example are shown in Figure 1.
Configuring Active Flow Monitoring Version 9 for IPv4, MPLS, and IPv6
Step-by-Step Procedure
- Enable the services PIC interface to process IPv4, MPLS, and IPv6 addresses by including the family statement and specifying the inet option, mpls option, and inet6 option at the [edit interfaces sp-0/0/0 unit 0] hierarchy level.
    [edit interfaces]
    sp-0/0/0 {
        unit 0 {
            family inet;
            family mpls;
            family inet6;
        }
    }
- Configure the interface connected to the flow collector by including the address statement and specifying 100.1.1.1/24 as the IPv4 address of the interface at the [edit interfaces ge-1/1/3 unit 0 family inet] hierarchy level.
    [edit interfaces]
    ge-1/1/3 {
        description to-flow-collector;
        unit 0 {
            family inet {
                address 100.1.1.1/24;
            }
        }
    }
- Create the version 9 templates and configure the timers for IPv4.
Create a version 9 template for IPv4 by including the template statement and specifying v4_template as the name of the template at the [edit services flow-monitoring version9] hierarchy level.
Enable the template for IPv4 flows by including the ipv4-template statement at the [edit services flow-monitoring version9 template v4_template] hierarchy level.
Configure the flow active timeout by including the flow-active-timeout statement and specifying 600 seconds at the [edit services flow-monitoring version9 template v4_template] hierarchy level. Configure the flow inactive timeout by including the flow-inactive-timeout statement and specifying 30 seconds at the [edit services flow-monitoring version9 template v4_template] hierarchy level.
    [edit services]
    flow-monitoring {
        version9 {
            template v4_template {
                flow-active-timeout 600;
                flow-inactive-timeout 30;
                ipv4-template;
            }
        }
    }
- Create the version 9 templates and configure the timers for MPLS.
Create a version 9 template for MPLS by including the template statement and specifying mpls as the name of the template at the [edit services flow-monitoring version9] hierarchy level.
Enable the template for MPLS flows by including the mpls-template statement at the [edit services flow-monitoring version9 template mpls] hierarchy level. Also include the label-position statement and specify label positions 1 and 2 at the [edit services flow-monitoring version9 template mpls mpls-template] hierarchy level.
Configure the flow active timeout by including the flow-active-timeout statement and specifying 600 seconds at the [edit services flow-monitoring version9 template mpls] hierarchy level. Configure the flow inactive timeout by including the flow-inactive-timeout statement and specifying 30 seconds at the [edit services flow-monitoring version9 template mpls] hierarchy level.
    [edit services]
    flow-monitoring {
        version9 {
            template mpls {
                flow-active-timeout 600;
                flow-inactive-timeout 30;
                mpls-template {
                    label-position [ 1 2 ];
                }
            }
        }
    }
- Create the version 9 templates and configure the timers for IPv6.
Create a version 9 template for IPv6 by including the template statement and specifying v6_template as the name of the template at the [edit services flow-monitoring version9] hierarchy level.
Enable the template for IPv6 flows by including the ipv6-template statement at the [edit services flow-monitoring version9 template v6_template] hierarchy level.
Configure the flow active timeout by including the flow-active-timeout statement and specifying 600 seconds at the [edit services flow-monitoring version9 template v6_template] hierarchy level. Configure the flow inactive timeout by including the flow-inactive-timeout statement and specifying 30 seconds at the [edit services flow-monitoring version9 template v6_template] hierarchy level.
    [edit services]
    flow-monitoring {
        version9 {
            template v6_template {
                flow-active-timeout 600;
                flow-inactive-timeout 30;
                ipv6-template;
            }
        }
    }
- Configure the rate at which the router sends template definitions and options to the flow collector for IPv4.
Since version 9 flow monitoring traffic is unidirectional from the monitor (router) to the flow collector, configure the monitor to send template definitions and options, such as sampling rate, to the collector. In this example, the template definitions and options are refreshed every 600 seconds or 480000 packets, whichever occurs first.
Include the packets statement and specify 480000 packets at the [edit services flow-monitoring version9 template v4_template template-refresh-rate] and [edit services flow-monitoring version9 template v4_template option-refresh-rate] hierarchy levels. Include the seconds statement and specify 600 seconds at the [edit services flow-monitoring version9 template v4_template template-refresh-rate] and [edit services flow-monitoring version9 template v4_template option-refresh-rate] hierarchy levels.
    [edit services flow-monitoring version9 template v4_template]
    template-refresh-rate {
        packets 480000;
        seconds 600;
    }
    option-refresh-rate {
        packets 480000;
        seconds 600;
    }
- Configure the rate at which the router sends template definitions and options to the flow collector for MPLS.
Include the packets statement and specify 480000 packets at the [edit services flow-monitoring version9 template mpls template-refresh-rate] and [edit services flow-monitoring version9 template mpls option-refresh-rate] hierarchy levels. Include the seconds statement and specify 600 seconds at the [edit services flow-monitoring version9 template mpls template-refresh-rate] and [edit services flow-monitoring version9 template mpls option-refresh-rate] hierarchy levels.
    [edit services flow-monitoring version9 template mpls]
    template-refresh-rate {
        packets 480000;
        seconds 600;
    }
    option-refresh-rate {
        packets 480000;
        seconds 600;
    }
- Configure the rate at which the router sends template definitions and options to the flow collector for IPv6.
Include the packets statement and specify 480000 packets at the [edit services flow-monitoring version9 template v6_template template-refresh-rate] and [edit services flow-monitoring version9 template v6_template option-refresh-rate] hierarchy levels. Include the seconds statement and specify 600 seconds at the [edit services flow-monitoring version9 template v6_template template-refresh-rate] and [edit services flow-monitoring version9 template v6_template option-refresh-rate] hierarchy levels.
    [edit services flow-monitoring version9 template v6_template]
    template-refresh-rate {
        packets 480000;
        seconds 600;
    }
    option-refresh-rate {
        packets 480000;
        seconds 600;
    }
- Configure the sampling rate and run length.
The sampling rate determines the ratio of the number of packets to be sampled. For example, if you specify a rate of 10, 1 out of every 10 packets is sampled. In this example, the rate is 1 out of every 1 packets.
Sampling can be configured as a global chassis configuration that is applicable to all Flexible PIC Concentrators (FPCs) and Dense Port Concentrators (DPCs) at the [edit forwarding-options sampling input] hierarchy level. Sampling can also be configured at the [edit forwarding-options sampling instance instance-name] hierarchy level and then applied to a single FPC.
The run length sets the number of samples to be taken following the initial trigger event. This allows you to sample packets following those already being sampled. Since you are sampling every packet in this example, the run length can be set to 1.
To configure the sampling rate, include the rate statement and specify 1 as the rate at the [edit forwarding-options sampling instance ins1 input] hierarchy level. To configure the run length, include the run-length statement and specify 1 as the run length at the [edit forwarding-options sampling instance ins1 input] hierarchy level.
    [edit forwarding-options]
    sampling {
        instance ins1 {
            input {
                rate 1;
                run-length 1;
            }
        }
    }
- Apply the sampling instance to the desired FPC or DPC.
The FPC number must match the FPC portion of the interface name for the interface on which sampling is enabled.
To apply the sampling instance, include the sampling-instance statement and specify ins1 at the [edit chassis fpc 0] hierarchy level.
    [edit]
    chassis {
        fpc 0 {
            sampling-instance ins1;
        }
    }
- Configure the flow collector and enable active flow monitoring for IPv4, MPLS, and IPv6 using the version 9 template format.
To configure the flow collector for IPv4, include the flow-server statement and specify 100.1.1.2 as the IPv4 address of the host system that is collecting traffic flows using version 9 at the [edit forwarding-options sampling instance ins1 family inet output] hierarchy level. Also include the port statement and specify UDP port 2055 for use by the flow collector.
To enable active flow monitoring for IPv4 using the version 9 template format, include the template statement and specify v4_template as the name of the template to use at the [edit forwarding-options sampling instance ins1 family inet output flow-server 100.1.1.2 version9] hierarchy level.
To configure the flow collector for MPLS, include the flow-server statement and specify 100.1.1.2 as the IPv4 address of the host system that is collecting traffic flows using version 9 at the [edit forwarding-options sampling instance ins1 family mpls output] hierarchy level. Also include the port statement and specify UDP port 2055 for use by the flow collector.
To enable active flow monitoring for MPLS using the version 9 template format, include the template statement and specify mpls as the name of the template to use at the [edit forwarding-options sampling instance ins1 family mpls output flow-server 100.1.1.2 version9] hierarchy level.
To configure the flow collector for IPv6, include the flow-server statement and specify 100.1.1.2 as the IPv4 address of the host system that is collecting traffic flows using version 9 at the [edit forwarding-options sampling instance ins1 family inet6 output] hierarchy level. Also include the port statement and specify UDP port 2055 for use by the flow collector.
To enable active flow monitoring using the version 9 template format, include the template statement and specify v6_template as the name of the template to use at the [edit forwarding-options sampling instance ins1 family inet6 output flow-server 100.1.1.2 version9] hierarchy level.
    [edit forwarding-options sampling instance ins1]
    family inet {
        output {
            flow-server 100.1.1.2 {
                port 2055;
                version9 {
                    template v4_template;
                }
            }
        }
    }
    family mpls {
        output {
            flow-server 100.1.1.2 {
                port 2055;
                version9 {
                    template mpls;
                }
            }
        }
    }
    family inet6 {
        output {
            flow-server 100.1.1.2 {
                port 2055;
                version9 {
                    template v6_template;
                }
            }
        }
    }
- Configure the IPv4 source address for the service PIC to be used in flow export.
To configure the IPv4 source address for the sp-0/0/0 interface for IPv4, include the source-address statement and specify 3.3.3.3 at the [edit forwarding-options sampling instance ins1 family inet output interface sp-0/0/0] hierarchy level.
To configure the IPv4 source address for the sp-0/0/0 interface for MPLS, include the source-address statement and specify 3.3.3.3 at the [edit forwarding-options sampling instance ins1 family mpls output interface sp-0/0/0] hierarchy level.
To configure the IPv4 source address for the sp-0/0/0 interface for IPv6, include the source-address statement and specify 3.3.3.3 at the [edit forwarding-options sampling instance ins1 family inet6 output interface sp-0/0/0] hierarchy level.
    [edit forwarding-options sampling instance ins1]
    family inet {
        output {
            interface sp-0/0/0 {
                source-address 3.3.3.3;
            }
        }
    }
    family inet6 {
        output {
            interface sp-0/0/0 {
                source-address 3.3.3.3;
            }
        }
    }
    family mpls {
        output {
            interface sp-0/0/0 {
                source-address 3.3.3.3;
            }
        }
    }
- Configure the firewall filters.
The firewall filters identify the traffic flows that need to be sampled and processed by the services PIC. Note that the implied “from” clause in the filter determines the packets that are matched and sampled according to the sampling rate.
To configure the firewall filter for IPv4, include the filter statement and specify ipv4_sample_filter as the name of the filter at the [edit firewall family inet] hierarchy level. Include the term statement and specify 1 as the name of the term. For active monitoring using version 9, you must include the sample and accept action statements at the [edit firewall family inet filter ipv4_sample_filter term 1 then] hierarchy level.
To configure the firewall filter for MPLS, include the filter statement and specify mpls_sample_filter as the name of the filter at the [edit firewall family mpls] hierarchy level. Include the term statement and specify 1 as the name of the term. For active monitoring using version 9, you must include the sample and accept action statements at the [edit firewall family mpls filter mpls_sample_filter term 1 then] hierarchy level.
To configure the firewall filter for IPv6, include the filter statement and specify ipv6_sample_filter as the name of the filter at the [edit firewall family inet6] hierarchy level. Include the term statement and specify 1 as the name of the term. For active monitoring using version 9, you must include the sample and accept action statements at the [edit firewall family inet6 filter ipv6_sample_filter term 1 then] hierarchy level.
    [edit firewall]
    family inet {
        filter ipv4_sample_filter {
            term 1 {
                then {
                    sample;
                    accept;
                }
            }
        }
    }
    family mpls {
        filter mpls_sample_filter {
            term 1 {
                then {
                    sample;
                    accept;
                }
            }
        }
    }
    family inet6 {
        filter ipv6_sample_filter {
            term 1 {
                then {
                    sample;
                    accept;
                }
            }
        }
    }
- Apply the firewall filter to the set of media interfaces where traffic flow needs to be sampled.
To apply the firewall filter to the fe-0/3/2 interface for IPv4, include the input statement and specify ipv4_sample_filter as the name of the filter at the [edit interfaces fe-0/3/2 unit 0 family inet filter] hierarchy level.
To apply the firewall filter to the fe-0/3/2 interface for MPLS, include the input statement and specify mpls_sample_filter as the name of the filter at the [edit interfaces fe-0/3/2 unit 0 family mpls filter] hierarchy level.
To apply the firewall filter to the fe-0/3/2 interface for IPv6, include the output statement and specify ipv6_sample_filter as the name of the filter at the [edit interfaces fe-0/3/2 unit 0 family inet6 filter] hierarchy level.
    [edit]
    interfaces {
        fe-0/3/2 {
            unit 0 {
                family inet {
                    filter {
                        input ipv4_sample_filter;
                    }
                }
                family mpls {
                    filter {
                        input mpls_sample_filter;
                    }
                }
                family inet6 {
                    filter {
                        input ipv6_sample_filter;
                    }
                }
            }
        }
    }
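The template-refresh steps above exist because version 9 export is one-way: the collector on UDP port 2055 can interpret data records only after it has received the matching template. The following is an added example, not part of the original page or of Junos, showing the collector side of that dependency with a minimal NetFlow v9 decoder (RFC 3954 Template and Data FlowSets only). The function names, the field subset, and the sample packets are constructed for illustration; 3.3.3.3 is the export source address configured above.

```python
import struct

NAMES = {1: "in_bytes", 2: "in_pkts", 8: "src", 12: "dst"}  # RFC 3954 field types (subset)

def learn(templates, scope, body):
    pos = 0
    while pos + 4 <= len(body):
        tid, n = struct.unpack_from("!HH", body, pos)
        if tid < 256 or pos + 4 + 4 * n > len(body):
            break  # padding or truncated template record
        fields = (struct.unpack_from("!HH", body, i) for i in range(pos + 4, pos + 4 + 4 * n, 4))
        templates[scope + (tid,)] = [f for f in fields if f[1]]  # ignore zero-length fields
        pos += 4 + 4 * n

def decode(fields, body):
    size, out = sum(length for _, length in fields), []
    for start in range(0, len(body) - size + 1, size):
        rec, p = {}, start
        for ftype, length in fields:
            raw, p = body[p:p + length], p + length
            rec[NAMES.get(ftype, ftype)] = ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
        out.append(rec)
    return out

def feed(templates, exporter, pkt):
    version, _, _, _, _, source_id = struct.unpack_from("!HHIIII", pkt)
    if version != 9:
        raise ValueError("not NetFlow v9")
    flows, missing, off = [], 0, 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("bad FlowSet length")  # lengths arrive unauthenticated over UDP
        body, key = pkt[off + 4:off + fs_len], (exporter, source_id, fs_id)
        if fs_id == 0:
            learn(templates, key[:2], body)
        elif fs_id > 255 and templates.get(key):
            flows += decode(templates[key], body)
        elif fs_id > 255:
            missing += 1  # no usable template yet: the records cannot be interpreted
        off += fs_len
    return flows, missing

HDR = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)  # constructed sample packets
TEMPLATE = HDR + struct.pack("!12H", 0, 24, 256, 4, 8, 4, 12, 4, 2, 4, 1, 4)
DATA = HDR + struct.pack("!HH4s4sII", 256, 20, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]), 3, 180)

def demo():  # data before the template, then the template, then the same data again
    t = {}
    return feed(t, "3.3.3.3", DATA), feed(t, "3.3.3.3", TEMPLATE), feed(t, "3.3.3.3", DATA)
```

Templates are keyed by exporter address and source ID as well as template ID, so a template received from one source is never applied to data from another.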
Results
For your reference, the relevant sample configuration for the flow collector follows.
Related Documentation
Best Practices for Configuring Active Flow Monitoring Version 9
Example: Configuring Active Flow Monitoring Version 9 for IPv4
Example: Configuring Active Flow Monitoring Version 9 for IPv6
Example: Configuring Active Flow Monitoring Version 9 for MPLS