Example: Copying Traffic to a PIC While an M, MX or T Series Router Forwards the Packet to the Original Destination

Traffic sampling enables you to copy traffic to a Physical Interface Card (PIC) while the router forwards the packet to its original destination. This example describes how to configure a router to perform sampling on the Routing Engine using the sampled process. For this method, you configure a filter (input or output) with a matching term that contains the then sample statement. In addition, for VPN routing and forwarding (VRF) Routing Engine-based sampling, you configure a VRF routing instance that maps to an interface. Each VRF instance corresponds with a forwarding table. Routes on the interface go into the corresponding forwarding table.

For VRF Routing Engine-based sampling, the kernel queries the correct VRF route table based on the ingress interface index for the received packet. For interfaces configured in VRF, the sampled packets contain the correct input and output interface SNMP index, the source and destination AS numbers, and the source and destination mask.

Note:

With Junos OS Release 10.1, VRF Routing Engine-based sampling is performed only on IPv4 traffic. You cannot use Routing Engine-based sampling on IPv6 traffic or on MPLS label-switched paths.

This example describes how to configure and verify VRF Routing Engine-based sampling on one router in a four-router topology.

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 10.1 or later

  • M Series, MX Series, or T Series router

Before you configure VRF Routing Engine-based sampling on your router, be sure you have an active connection between the routers on which you configure sampling. In addition, you need an understanding of VRF to configure the interfaces and routing instances that form the basis of the sampling configuration, and an understanding of the BGP, MPLS, and OSPF protocols to configure the other routers in the network to bring up the sampling configuration.

Overview and Topology

The scenario in this example illustrates VRF Routing Engine-based sampling configured on the PE1 router in a four-router network. The CE routers use BGP as the routing protocol to communicate with the PE routers. MPLS LSPs pass traffic between the PE routers. Packets from the CE1 router are sampled on the PE1 router. Regular traffic is forwarded to the original destination (the CE2 router).

Topology

Figure 1: Routing Engine-Based Sampling Network Topology

Configuration

In this configuration example, VRF Routing Engine-based sampling is configured on the PE1 router, which samples the traffic that goes through the interface and routes configured in the VRF. The configurations on the other three routers are included to show the sampling configuration on the PE1 router working in the context of a network.

To configure VRF Routing Engine-based sampling for the network example, perform these tasks:

Configuring the CE1 Router

Step-by-Step Procedure

In this step, you configure interfaces, routing options, protocols, and policy options for the CE1 router. To configure the CE1 router:

  1. Configure one interface with two IP addresses. One address is for traffic to the PE1 router; the other address is to check that traffic is flowing to the CE2 router:

  2. Configure the autonomous system to establish a connection between BGP peers:

  3. Configure BGP as the routing protocol between the CE router and the PE router:

  4. Configure the policies that ensure that the CE routers exchange routing information. In this example, Router CE1 exchanges routing information with Router CE2:

Results

The output below shows the configuration of the CE1 router:

Configuring the PE1 Router

Step-by-Step Procedure

In this step, you configure a filter with a matching term that contains the then sample statement and apply the filter to the ingress interface. You also configure a VRF routing instance with import and export policies. In addition, you configure interfaces, forwarding options, routing options, protocols, and policy options for the PE1 router. To configure the PE1 router:

  1. Create the fw firewall filter that is applied to the logical interface being sampled:

  2. Configure two interfaces, one interface that connects to the CE1 router (ge-2/0/2), and another that connects to the PE2 router (ge-2/0/0):

  3. Enable MPLS on the interface that connects to the PE2 router (ge-2/0/0):

  4. On the interface that connects to the CE1 router, apply the fw filter that was configured in the firewall configuration:

  5. Configure the management (fxp0) and loopback (lo0) interfaces:

  6. Configure the sampled log file in the /var/log directory to record traffic sampling:

  7. Specify the sampling rate and threshold value for traffic sampling:

  8. Specify active and inactive flow periods, and the router (198.51.100.2) that sends out the monitored information:

  9. Configure the autonomous system to establish a connection between BGP peers:

  10. Configure RSVP to support MPLS label-switched paths (LSPs) between the PE routers:

  11. Configure an MPLS LSP from the PE1 router to the PE2 router:

  12. Configure an internal BGP group for the PE routers. Include the family inet-vpn unicast statement to enable BGP to carry network layer reachability information (NLRI) parameters and for BGP peers to only carry unicast routes for forwarding:

  13. Configure OSPF as the interior gateway protocol (IGP) and to compute the MPLS LSPs:

  14. Create the extended community that is applied in the policy options configuration:

  15. Define the vpna-export routing policy that is applied in the vrf-export statement in the routing instance configuration. Also, apply the vpna-comm community from which routes are learned:

  16. Define the vpna-import routing policy that is applied in the vrf-import statement in the routing instance configuration. Also, apply the vpna-comm community from which routes are learned:

  17. Configure a VRF routing instance so that routes received from the provider edge-provider edge (PE-PE) session can be imported into any of the instance’s VRF secondary routing tables:

Results

Check the results of the configuration for the PE1 router:

Configuring the PE2 Router

Step-by-Step Procedure

In this step, you configure a filter with a matching term that contains the then sample statement and apply the filter to the ingress interface. You also configure a VRF routing instance with import and export policies. In addition, you configure interfaces, forwarding options, routing options, protocols, and policy options for the PE2 router. To configure the PE2 router:

  1. Create the fw firewall filter that is applied to the logical interface being sampled:

  2. Configure two interfaces, one interface that connects to the CE2 router (ge-3/1/2), and another that connects to the PE1 router (ge-3/1/0):

  3. Enable MPLS on the interface that connects to the PE1 router (ge-3/1/0):

  4. On the interface that connects to the CE2 router, apply the fw filter that was configured in the firewall configuration:

  5. Configure the sampled log file in the /var/log directory to record traffic sampling:

  6. Specify the sampling rate and threshold value for traffic sampling:

  7. Specify active and inactive flow periods, and the router (198.51.100.2) that sends out the monitored information:

  8. Configure the autonomous system to establish a connection between BGP peers:

  9. Configure RSVP to support MPLS label-switched paths (LSPs) between the PE routers:

  10. Configure an MPLS LSP from the PE2 router to the PE1 router:

  11. Configure an internal BGP group for the PE routers. Include the family inet-vpn unicast statement to enable BGP to carry network layer reachability information (NLRI) parameters and for BGP peers to only carry unicast routes for forwarding:

  12. Configure OSPF as the interior gateway protocol (IGP) and to compute the MPLS LSPs:

  13. Create the extended community that is applied in the policy options configuration:

  14. Define the vpna-export routing policy that is applied in the vrf-export statement in the routing instance configuration. Also, apply the vpna-comm community from which routes are learned:

  15. Define the vpna-import routing policy that is applied in the vrf-import statement in the routing instance configuration. Also, apply the vpna-comm community from which routes are learned:

  16. Configure a VRF routing instance so that routes received from the provider edge-provider edge (PE-PE) session can be imported into any of the instance’s VRF secondary routing tables:

Results

Check the results of the configuration for the PE2 router:

Configuring the CE2 Router

Step-by-Step Procedure

In this step, you configure interfaces, routing options, protocols, and policy options for the CE2 router. To configure the CE2 router:

  1. Configure one interface with two IP addresses. One address is for traffic to the PE2 router and the other address is to check that traffic is flowing from the CE1 router:

  2. Configure the autonomous system to establish a connection between BGP peers:

  3. Configure BGP as the routing protocol between the CE and the PE routers:

  4. Configure the policies that ensure that the CE routers exchange routing information. In this example, Router CE2 exchanges routing information with Router CE1:

Results

The output below shows the configuration of the CE2 router:

Verification

After you have completed the configuration of the four routers, you can verify that traffic is flowing from the CE1 router to the CE2 router, and you can observe the sampled traffic from two locations. To confirm that the configuration is working properly, perform these tasks:

Verifying the Traffic Flow Between the CE Routers

Purpose

Use the ping command to verify traffic between the CE routers.

Action

From the CE1 router, issue the ping command to the CE2 router:

Meaning

The output from the ping command shows that the ping command was successful. Traffic is flowing between the CE routers.

Verifying Sampled Traffic

Purpose

You can observe the sampled traffic using the show log sampled command from the CLI or from the router shell using the tail -f /var/log/sampled command. In addition, you can collect the logs in a flow collector. The same information appears in the output of both commands and in the flow collector. For information about using a flow collector, see “Sending cflowd Records to Flow Collector Interfaces” and “Example: Configuring a Flow Collector Interface on an M, MX or T Series Router.”

Action

From the PE1 router, use the show log sampled command:

Meaning

The output from the show log sampled command shows the correct SNMP index for the incoming and outgoing interfaces on the PE1 router. Also, the source and destination addresses for the autonomous systems for the two CE routers are correct.

Cross Verifying Sampled Traffic

Purpose

You can also double-check that the sampled traffic is the correct traffic by using the show interfaces interface-name-fpc/pic/port.unit-number | match SNMP command and the show route route-name detail command.

Action

The following output is a cross check of the output in the Verifying Sampled Traffic task:

Meaning

The output of the show interfaces ge-2/0/2.0 | match SNMP command shows that the SNMP ifIndex field has the same value (503) as the output for the show log sampled command in the Verifying Sampled Traffic task, indicating that the intended traffic is being sampled.

The output of the show route 10.4.4.4 detail command shows that the source address 10.4.4.4, the source mask (16), and the source AS (65000) have the same values as the output for the show log sampled command in the Verifying Sampled Traffic task, indicating that the intended traffic is being sampled.
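The same cross-check can be run on the collector side. The following Python sketch is an added example, not part of the original Juniper documentation: it decodes an exported flow datagram and compares the input SNMP index, source address, source mask and source AS against the values read from the CLI above. It assumes the router exports cflowd version 5 records (the page does not state the export version), and the destination-side values in the sample datagram are constructed.

```python
import ipaddress
import struct

# cflowd/NetFlow version 5 layout (assumed export format; the page does not name one).
HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte datagram header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record

# Values the page reads off the CLI on PE1 (show interfaces / show route ... detail).
EXPECTED = {"src": "10.4.4.4", "in_ifindex": 503, "src_mask": 16, "src_as": 65000}

def parse_v5(datagram):
    """Decode one version 5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not a version 5 export (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count in header exceeds datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "in_ifindex": f[3], "out_ifindex": f[4],
            "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return flows

def cross_check(flow, expected=EXPECTED):
    """Return the fields whose exported value differs from the CLI value."""
    return sorted(k for k, v in expected.items() if flow.get(k) != v)

def build_sample(in_ifindex=503):
    """Constructed datagram: source-side values from the page, the rest made up."""
    header = HEADER.pack(5, 1, 0, 0, 0, 0, 0, 0, 0)
    record = RECORD.pack(
        ipaddress.IPv4Address("10.4.4.4").packed,
        ipaddress.IPv4Address("192.0.2.1").packed,   # constructed destination
        bytes(4), in_ifindex, 504, 5, 420, 0, 0, 0, 0,
        0, 0, 1, 0, 65000, 64512, 16, 24, 0)
    return header + record

if __name__ == "__main__":
    for flow in parse_v5(build_sample()):
        print(flow, "mismatches:", cross_check(flow))
```

A non-empty result from cross_check means the exported record disagrees with the interface or route data on the router, so flows would be attributed to the wrong interface, prefix or AS downstream.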