Example: Sampling and Discard Accounting Configuration on M, MX and T Series Routers
Discard accounting allows you to sample traffic, send it to a flow server for analysis,
and discard all packets without forwarding them to their intended destination. Discard
accounting is enabled with the discard accounting
group-name
statement in a firewall filter at the
[edit firewall family inet filter filter-name term
term-name then]
hierarchy level. Then, the filter is
applied to an interface with the filter
statement at the [edit
interfaces interface-name unit unit-number
family inet]
hierarchy level and processed with the output
statement at the [edit forwarding-options accounting
group-name]
hierarchy level.
In Figure 1, traffic from Router 1 arrives on the monitoring router’s Gigabit Ethernet ge-2/3/0 interface. The export interface leading to the flow server is fe-1/0/0 and there is no exit interface.
In this example, TCP traffic is sent to one accounting group and all other traffic is
diverted to a second group. After being sampled and counted, the two types of traffic
are acted upon by the sampling and accounting processes. These processes create flow
records and send the records to the version 8 flow server for analysis. Because multiple
types of traffic are sent to the same server, we recommend that you configure the
engine-id, engine-type, and
source-address
statements manually in your accounting and sampling
hierarchies. This way, you can differentiate between traffic types when they arrive at
the flow server.
[edit] interfaces { sp-2/0/0 { # This adaptive services interface creates the flow records. unit 0 { family inet { address 10.5.5.1/32 { destination 10.5.5.2; } } } } fe-1/0/0 { # This is the interface where records are sent to the flow server. unit 0 { family inet { address 10.60.2.2/30; } } } ge-2/3/0 { # This is the input interface where traffic enters the router. unit 0 { family inet { filter { input catch_all; } address 10.11.1.1/30; } } } } forwarding-options { sampling { # The router samples the traffic. input { rate 100; # One out of every 100 packets is sampled. } } family inet { output { # The sampling process creates and exports flow records. flow-server 10.60.2.1 { # You can configure a variety of settings. port 2055; version 8; aggregation { # Aggregation is unique to flow version 8. protocol-port; source-destination-prefix; } } aggregate-export-interval 90; flow-inactive-timeout 60; flow-active-timeout 60; interface sp-2/0/0 { # This statement enables PIC-based sampling. engine-id 5; # Engine statements are dynamic, but can be configured. engine-type 55; source-address 10.60.2.2; # You must configure this statement. } } } accounting counter1 { # This discard accounting process handles default traffic. output { # This process creates and exports flow records. flow-inactive-timeout 65; flow-active-timeout 65; flow-server 10.60.2.1 { # You can configure a variety of settings. port 2055; version 8; aggregation { # Aggregation is unique to version 8. protocol-port; source-destination-prefix; } } interface sp-2/0/0 { # This statement enables PIC-based discard accounting. engine-id 1; # Engine statements are dynamic, but can be configured. engine-type 11; source-address 10.60.2.3; # You must configure this statement. } } } accounting t2 { # The second discard accounting process handles the TCP traffic. output { # This process creates and exports flow records. aggregate-export-interval 90; flow-inactive-timeout 65; flow-active-timeout 65; flow-server 10.60.2.1 { # You can configure a variety of settings for the server. port 2055; version 8; aggregation { # Aggregation is unique to version 8. protocol-port; source-destination-prefix; } } interface sp-2/0/0 { # This statement enables PIC-based discard accounting. engine-id 2; # Engine statements are dynamic, but can be configured. engine-type 22; source-address 10.60.2.4;# You must configure this statement. } } } } firewall { family inet { filter catch_all { # Apply the firewall filter on the input interface. term t2 { # This places TCP traffic into one group for sampling and from { # discard accounting. protocol tcp; } then { count c2;# The count action counts traffic as it enters the router. sample; # The sample action sends the traffic to the sampling process. discard accounting t2; # The discard accounting discards traffic. } } term default { # Performs sampling and discard accounting on all other traffic. then { count counter; # The count action counts traffic as it enters the router. sample# The sample action sends the traffic to the sampling process. discard accounting counter1; # This activates discard accounting. } } } } }
Verifying Your Work
To verify that your configuration is correct, use the following commands on the monitoring station that is configured for active flow monitoring:
-
show services accounting aggregation
(for version 8 flows only) -
show services accounting errors
-
show services accounting (flow | flow-detail)
-
show services accounting memory
-
show services accounting packet-size-distribution
-
show services accounting status
-
show services accounting usage
The following shows the output of the show
commands used with the
configuration example:
user@host> show services accounting flow name t2 Service Accounting interface: sp-2/0/0, Local interface index: 468 Service name: t2 Flow information Flow packets: 56130820, Flow bytes: 3592372480 Flow packets 10-second rate: 13024, Flow bytes 10-second rate: 833573 Active flows: 600, Total flows: 600 Flows exported: 28848, Flows packets exported: 960 Flows inactive timed out: 0, Flows active timed out: 35400 user@host> show services accounting Service Name: (default sampling) counter1 t2 user@host> show services accounting aggregation protocol-port detail name t2 Service Accounting interface: sp-2/0/0, Local interface index: 468 Service name: t2 Protocol: 6, Source port: 20, Destination port: 20 Start time: 442794, End time: 6436260 Flow count: 1, Packet count: 4294693925, Byte count: 4277471552 user@host> show services accounting aggregation source-destination-prefix name t2 limit 10 order packets Service Accounting interface: sp-2/0/0, Local interface index: 542 Service name: t2 Source Destination Input SNMP Output SNMP Flow Packet Byte Prefix Prefix Index Index count count count 10.1.1.2/20 10.225.0.1/0 24 26 0 13 9650 10.1.1.2/20 10.143.80.1/0 24 26 0 13 10061 10.1.1.2/20 10.59.176.1/0 24 26 0 13 10426 10.1.1.2/20 10.5.32.1/0 24 26 0 13 12225 10.1.1.2/20 10.36.16.1/0 24 26 0 13 9116 10.1.1.2/20 10.1.96.1/0 24 26 0 12 11050 10.1.1.2/20 10.14.48.1/0 24 26 0 13 10812 10.1.1.2/20 10.31.192.1/0 24 26 0 13 11473 10.1.1.2/20 10.129.144.1/0 24 26 0 13 7647 10.1.1.2/20 10.188.160.1/0 24 26 0 13 10056 user@host> show services accounting aggregation source-destination-prefix name t2 extensive limit 3 Service Accounting interface: sp-2/0/0, Local interface index: 542 Service name: t2 Source address: 10.1.1.2, Source prefix length: 20 Destination address: 10.200.176.1, Destination prefix length: 0 Input SNMP interface index: 24, Output SNMP interface index: 26 Source-AS: 69, Destination-AS: 69 Start time: Fri Feb 21 14:16:57 2003, End time: Fri Feb 21 14:22:50 2003 Flow count: 0, Packet count: 6, Byte count: 5340 Source address: 10.1.1.2, Source prefix length: 20 Destination address: 10.243.160.1, Destination prefix length: 0 Input SNMP interface index: 24, Output SNMP interface index: 26 Source-AS: 69, Destination-AS: 69 Start time: Fri Feb 21 14:16:57 2003, End time: Fri Feb 21 14:22:50 2003 Flow count: 0, Packet count: 6, Byte count: 5490 Source address: 10.1.1.2, Source prefix length: 20 Destination address: 10.162.160.1, Destination prefix length: 0 Input SNMP interface index: 24, Output SNMP interface index: 26 Source-AS: 69, Destination-AS: 69 Start time: Fri Feb 21 14:16:57 2003, End time: Fri Feb 21 14:22:50 2003 Flow count: 0, Packet count: 6, Byte count: 4079