Technical Documentation

Using a Flow Collector Interface to Process and Export Multiple Flow Records

Basic passive monitoring can sometimes create a large number of flow records. However, you can manage multiple flow records with a flow collector interface. You can create a flow collector interface from a Monitoring Services II PIC. The flow collector interface combines multiple flow records received from a monitoring services interface into a compressed ASCII data file and exports the file to an FTP server.

To convert a Monitoring Services II PIC into a flow collector interface, include the flow-collector statement at the [edit chassis fpc fpc-slot pic pic-slot monitoring-services application] hierarchy level. To restore the monitoring functions of a Monitoring Services II PIC, include the monitor statement at the [edit chassis fpc fpc-slot pic pic-slot monitoring-services application] hierarchy level.

After you commit the configuration to convert the PIC between the monitor and flow-collector service types, you must take the PIC offline and then bring the PIC back online. Rebooting the router does not enable the new service type. You can use the Monitoring Services II PIC for either flow collection or monitoring, but not both types of service simultaneously.

A flow collector interface, designated by the cp-fpc/pic/port interface name, requires three logical interfaces for correct operation. Units 0 and 1 are used respectively as export channels 0 and 1 to send the compressed ASCII data files to an FTP server. You must include a class-of-service (CoS) configuration for these two export channels to provide adequate bandwidth for file transmission. Unit 2 is used as a flow receive channel to receive flow records from a monitoring services interface.

Note: Unlike conventional interfaces, IP addresses for flow collector logical interfaces set up a point-to-point connection between the Routing Engine and the flow collector. The address statement at the [edit interfaces cp-fpc/pic/port unit unit-number family inet] hierarchy level corresponds to the IP address of the Routing Engine. Likewise, the destination statement at the [edit interfaces cp-fpc/pic/port unit unit-number family inet address ip-address] hierarchy level corresponds to the IP address of the flow collector interface. As a result, you must configure the destination statement for Units 0 and 1 (export channels 0 and 1) with local addresses that can reach the FTP server. Similarly, configure the destination statement for Unit 2 (flow receive channel) with a local IP address so it can reach the monitoring services interface that sends flow records.

To activate flow collector services after the Monitoring Services II PIC is converted into a flow collector, include the flow-collector statement at the [edit services] hierarchy level. You also need to configure several additional components:

  • Destination of the FTP server—Determines where the compressed ASCII data files are sent after the flow records are collected and processed. To specify the destination FTP server, include the destinations statement at the [edit services flow-collector] hierarchy level. You can specify up to two FTP server destinations and include the password for each configured server. If two FTP servers are configured, the first server in the configuration is the primary server and the second is a backup server.
  • File specifications—Preset data file formats, name formats, and transfer characteristics. Files are sent by FTP to the destination FTP server when the timer expires or when a preset number of records are received, whichever comes first. To set the data file format, include the data-format statement at the [edit services flow-collector file-specification file-name] hierarchy level. The default data format is flow-compressed. To set the export timer and file size thresholds, include the transfer statement at the [edit services flow-collector file-specification file-name] hierarchy level and specify values for the timeout and record-level options. The default values are 600 seconds for timeout and 500,000 records for record-level.

    To set the filename format, include the name-format statement at the [edit services flow-collector file-specification file-name] hierarchy level. Common name format macros that you can use in your configuration are included in Table 1.

    Table 1: Name Format Macros

    Field

    Expansion

    {am_pm}

    AM or PM

    {date}

    Expands to the current date, using the {month}, {day}, and {year} macros.

    {day}

    01 to 31

    {day_abbr}

    Sun through Sat

    {day_full}

    Sunday through Saturday

    {generation_number}

    Expands to a unique, sequential number for each new file created.

    {hour_12}

    01 to 12

    {hour_24}

    00 to 23

    {ifalias}

    Expands to a description string for the logical interface.

    {minute}

    00 to 59

    {month}

    01 to 12

    {month_abbr}

    Jan through Dec

    {month_full}

    January through December

    {num_zone}

    -2359 to +2359

    {second}

    00 to 60

    {time}

    Expands to the time the file is created, using the {hour_24}, {minute}, and {second} macros.

    {time_zone}

    Time zone code name of the locale (gmt, pst, and so on).

    {year}

    1970, 2008, and so on.

    {year_abbr}

    00 to 99

  • Input interface-to-flow collector interface mappings—Match an input interface with a flow collector interface and apply the preset file specifications to the input interface. To configure the default flow collector and file specifications for all input interfaces, include the file-specification and collector statements at the [edit services flow-collector interface-map] hierarchy level. To override the default settings and apply flow collector and file specifications to a specific input interface, include the file-specification and collector statements at the [edit services flow-collector interface-map interface-name] hierarchy level.
  • Transfer log settings—Allow you to configure the destination FTP server where log files containing the transfer activity history for a flow collector interface are to be archived, the name for the log file, and the amount of time the router waits before sending the log file to the FTP server. To configure, include the archive-sites, filename-prefix, and maximum-age statements at the [edit services flow-collector transfer-log-archive] hierarchy level. The default value for the maximum-age statement is 120 minutes, with a range of 1 to 360 minutes. Also, you can configure up to five FTP archive site servers to receive log files.
  • Miscellaneous settings—Allow you to configure values for the IP address of the analyzer, an identifier for the analyzer, the maximum number of times the flow collector interface attempts to send transfer log files to the FTP server, and the amount of time the flow collector interface waits between retry attempts. To configure, include the analyzer-address, analyzer-id, retry, and retry-delay statements at the [edit services flow-collector] hierarchy level. The range for the retry statement is 0 through 10 retry attempts. The default for the retry-delay statement is 30 seconds and the range is 0 through 60 seconds.

To specify a flow collector interface as the destination for flow records coming from a Monitoring Services or Monitoring Services II PIC, include the collector-pic statement at the [edit forwarding-options monitoring group-name family inet output flow-export-destination] hierarchy level. You can select either the flow collector interface or a flow server as the destination for flow records, but you cannot select both destination types simultaneously.

There is also a Juniper Networks enterprise Management Information Base (MIB) for the flow collector interface. The Flow Collector Services MIB allows you to use SNMP to monitor the flow collector interface. The MIB provides statistics on files, records, memory, FTP, and error states of a flow collector interface. It also provides SNMP traps for unavailable destinations, unsuccessful file transfers, flow overloading, and memory overloading. For more information, see the JUNOS Network Management Configuration Guide or view the enterprise-specific Juniper Networks MIBs at https://www.juniper.net/techpubs/software/junos/mibs.html.

In summary, to implement the flow collector service, include statements at the [edit chassis], [edit interfaces], [edit forwarding-options], and [edit services] hierarchy levels. The excerpt on the following pages shows the flow collector service configuration hierarchy. For a full configuration example, see Example: Flow Collector Interface Configuration.

[edit]chassis {fpc fpc-slot {pic pic-slot {monitoring-services {application flow-collector;}}}}interfaces {cp-fpc/pic/port {description ”flow_collector_interface”;unit 0 {family inet {address ip-address {destination ip-address;}}}unit 1 {family inet {address ip-address {destination ip-address;}}}unit 2 {family inet {address ip-address {destination ip-address;}}}}interface-fpc/pic/port {description “export_interface”;unit 0 {family inet {address ip-address;}}}mo-fpc/pic/port {description “monitoring_services_interface”;unit 0 {family inet;}} SONET/SDH, ATM2 IQ, or Ethernet-based-interface-fpc/pic/port {description “ input_interface”;encapsulation encapsulation-type;passive-monitor-mode; # Apply to the logical interface for SONET/SDH }}forwarding-options {monitoring group1 {family inet {output {export-format cflowd-version-5;flow-active-timeout value;flow-inactive-timeout value;flow-export-destination collector-pic;interface mo-fpc/pic/port {source-address ip-address;}}}}}services {flow-collector {analyzer-address ip-address;analyzer-id name;retry value;retry-delay seconds;destinations {"ftp://username@ftp-server-address-1//directory/" {password "encrypted-password";}"ftp://username@ftp-server-address-2//directory/" {password "encrypted-password";}}file-specification {file-specification-name {}data-format flow-compressed;transfer timeout value record-level size;}}interface-map {file-specification file-specification-name; collector cp-fpc/pic/port;interface-name {file-specification file-specification-name;collector cp-fpc/pic/port;}}transfer-log-archive {filename-prefix filename;maximum-age timeout-value;archive-sites {"ftp://username@ip-address//directory/" {password "encrypted-password";}}}}

Published: 2010-04-15