Example: Passive Flow Monitoring Configuration on M, MX and T Series Routers

Figure 1: Passive Flow Monitoring—Topology Diagram

In Figure 1, traffic enters the monitoring station through interfaces so-0/0/0 and so-0/1/0. After the firewall filter accepts the traffic to be monitored, the packets enter a VRF instance.

The original packets travel within the VRF instance to the Monitoring Services PIC for flow processing. The final flow packets are sent from the monitoring services interfaces out the fe-3/0/0 interface to a flow server.

A copy of the accepted traffic is port-mirrored to the Tunnel PIC. As the copied packets enter the tunnel interface, a second firewall filter separates TCP and UDP packets and places them into two filter-based forwarding instances. The UDP instance directs the UDP packets to a packet analyzer attached to fe-3/2/0. The TCP instance sends the TCP packets to the ES PIC for encryption and the ES PIC sends the packets to a second packet analyzer connected to fe-3/2/1.

Your first step is to define a firewall filter to select packets for monitoring. All filtered traffic must be accepted; the port-mirror statement at the [edit firewall family inet filter filter-name term term-name then] hierarchy level marks the accepted packets for port mirroring.

Next, configure the input SONET/SDH interfaces and apply the firewall filter that you just defined. The passive-monitor-mode statement disables SONET keepalives on the SONET/SDH interfaces and enables passive flow monitoring.

Configure all other interfaces that you will use with the monitoring application, including the monitoring services interfaces, the export interfaces, the tunnel interface, and the ES interface. Once the interfaces are in place, configure a VRF instance and monitoring group to direct the original packets from the input interfaces to the monitoring services interfaces for processing. The resulting flow description packets exit fe-3/0/0 to reach the flow server.

Next, configure statements to port-mirror the monitored traffic to a tunnel interface. Design a firewall filter that selects some of this copied traffic for further analysis and discards the rest. In this case, isolate TCP and UDP traffic and direct these two flows into separate filter-based forwarding routing instances. Remember to apply the filter to the tunnel interface to enable the separation of TCP traffic from UDP traffic. Also, import the interface routes into the forwarding instances with a routing table group.

In the filter-based forwarding instances, define static route next hops. The next hop for the TCP instance is the ES interface, and the next hop for the UDP instance is the packet analyzer connected to fe-3/2/0. Finally, configure IPsec so that the next hop for the TCP traffic is the second packet analyzer attached to fe-3/2/1.
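The procedure above in Junos set-command form, added here as an illustration and not the original page's configuration. Filter, group and instance names and all IP addresses (from the 192.0.2.0/24 documentation range) are placeholders; the tunnel (vt-4/2/0) and ES (es-4/3/0) interface names are assumed, and the IPsec security association that the ES interface would use is not shown.

```junos
# Step 1: filter that accepts all traffic and marks it for port mirroring
set firewall family inet filter catch term all then port-mirror
set firewall family inet filter catch term all then accept
# Step 2: SONET/SDH inputs in passive-monitor mode, with the filter applied
set interfaces so-0/0/0 passive-monitor-mode
set interfaces so-0/0/0 unit 0 family inet filter input catch
set interfaces so-0/1/0 passive-monitor-mode
set interfaces so-0/1/0 unit 0 family inet filter input catch
# Step 3: monitoring services, export, analyzer, tunnel and ES interfaces
set interfaces mo-4/0/0 unit 0 family inet
set interfaces fe-3/0/0 unit 0 family inet address 192.0.2.1/28
set interfaces fe-3/2/0 unit 0 family inet address 192.0.2.17/28
set interfaces vt-4/2/0 unit 0 family inet filter input split
set interfaces es-4/3/0 unit 0 family inet
# Step 4: VRF that carries the original packets to the Monitoring Services PIC
set routing-instances monitor-vrf instance-type vrf
set routing-instances monitor-vrf interface so-0/0/0.0
set routing-instances monitor-vrf interface so-0/1/0.0
set routing-instances monitor-vrf interface mo-4/0/0.0
set routing-instances monitor-vrf route-distinguisher 64512:1
set routing-instances monitor-vrf vrf-target target:64512:1
set routing-instances monitor-vrf routing-options static route 0.0.0.0/0 next-hop mo-4/0/0.0
# Monitoring group: cflowd v5 records exported to the flow server behind fe-3/0/0
set forwarding-options monitoring mon1 family inet output export-format cflowd-version-5
set forwarding-options monitoring mon1 family inet output flow-active-timeout 60
set forwarding-options monitoring mon1 family inet output flow-inactive-timeout 15
set forwarding-options monitoring mon1 family inet output cflowd 192.0.2.10 port 2055
set forwarding-options monitoring mon1 family inet output interface mo-4/0/0 engine-id 1
set forwarding-options monitoring mon1 family inet output interface mo-4/0/0 engine-type 1
set forwarding-options monitoring mon1 family inet output interface mo-4/0/0 source-address 192.0.2.1
# Step 5: mirror every accepted packet to the tunnel interface (assumed name),
# then split the copy into TCP and UDP forwarding instances; anything else is dropped
set forwarding-options port-mirroring family inet input rate 1
set forwarding-options port-mirroring family inet output interface vt-4/2/0.0
set firewall family inet filter split term tcp from protocol tcp
set firewall family inet filter split term tcp then routing-instance tcp-fbf
set firewall family inet filter split term udp from protocol udp
set firewall family inet filter split term udp then routing-instance udp-fbf
set firewall family inet filter split term other then discard
# Interface routes are shared with the forwarding instances through a rib group
set routing-options interface-routes rib-group inet fbf-rg
set routing-options rib-groups fbf-rg import-rib [ inet.0 tcp-fbf.inet.0 udp-fbf.inet.0 ]
# Step 6: static next hops: TCP to the ES interface, UDP to the analyzer on fe-3/2/0
set routing-instances tcp-fbf instance-type forwarding
set routing-instances tcp-fbf routing-options static route 0.0.0.0/0 next-hop es-4/3/0.0
set routing-instances udp-fbf instance-type forwarding
set routing-instances udp-fbf routing-options static route 0.0.0.0/0 next-hop 192.0.2.20
```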

Verifying Your Work

To verify that your configuration is correct, use the following commands on the monitoring station that is configured for passive flow monitoring:

  • show route 0/0

  • show passive-monitoring error

  • show passive-monitoring flow

  • show passive-monitoring memory

  • show passive-monitoring status

  • show passive-monitoring usage

To clear statistics for the show passive-monitoring error and show passive-monitoring flow commands, issue the clear passive-monitoring (all | interface-name) command.

You can also view passive flow monitoring status with the Simple Network Management Protocol (SNMP). The following Management Information Base (MIB) tables are supported:

  • jnxPMonErrorTable—Corresponds to the show passive-monitoring error command.

  • jnxPMonFlowTable—Corresponds to the show passive-monitoring flow command.

  • jnxPMonMemoryTable—Corresponds to the show passive-monitoring memory command.

The following section shows the output of the show commands used with the configuration example:


Note:

For all show passive-monitoring commands, the output obtained when using a wildcard (such as *) or the all option is based on the configured interfaces listed at the [edit forwarding-options monitoring group-name] hierarchy level. In the output from the configuration example, you see information only for the configured interfaces mo-4/0/0, mo-4/1/0, mo-4/2/0, and mo-4/3/0.

Many of the statements you can configure in a monitoring group, such as engine-id and engine-type, are visible in the output of the show passive-monitoring commands.

Table 1: Output Fields for the show passive-monitoring error Command

  • Packets dropped (no memory)—Number of packets dropped because no memory was available.

  • Packets dropped (not IP)—Number of non-IP packets dropped.

  • Packets dropped (not IPv4)—Number of packets dropped because they failed the IPv4 check.

  • Packets dropped (header too small)—Number of packets dropped because the packet length or IP header length was too small.

  • Memory allocation failures—Number of flow record memory allocation failures. A small number reflects failures to replenish the free list; a large number indicates that the monitoring station is almost out of memory.

  • Memory free failures—Number of flow record memory frees.

  • Memory free list failures—Number of failed attempts to take a flow record from the free list. Either memory is nearly exhausted or more than 128K new flows are being created in one second.

  • Memory warning—Whether the flows have exceeded 1 million packets per second (Mpps) on a Monitoring Services PIC or 2 Mpps on a Monitoring Services II PIC. The response is Yes or No.

  • Memory overload—Whether the memory has been overloaded. The response is Yes or No.

  • PPS overload—Whether the PIC is receiving more traffic, in packets per second, than the configured threshold. The response is Yes or No.

  • BPS overload—Whether the PIC is receiving more traffic, in bytes per second, than the configured threshold. The response is Yes or No.

Table 2: Output Fields for the show passive-monitoring flow Command

  • Flow packets—Number of packets received by an operational PIC.

  • Flow bytes—Number of bytes received by an operational PIC.

  • Flow packets 10-second rate—Number of packets per second handled by the PIC, displayed as a 10-second average.

  • Flow bytes 10-second rate—Number of bytes per second handled by the PIC, displayed as a 10-second average.

  • Active flows—Number of currently active flows tracked by the PIC.

  • Total flows—Total number of flows received by an operational PIC.

  • Flows exported—Total number of flows exported by an operational PIC.

  • Flow packets exported—Total number of flow packets exported by an operational PIC.

  • Flows inactive timed out—Total number of flows exported because of inactivity.

  • Flows active timed out—Total number of long-lived flows exported because of an active timeout.

Table 3: Output Fields for the show passive-monitoring memory Command

  • Allocation count—Number of flow records allocated.

  • Free count—Number of flow records freed.

  • Maximum allocated—Maximum number of flow records allocated since the monitoring station booted. This number represents the peak number of flow records allocated at one time.

  • Allocations per second—Flow records allocated per second during the last statistics interval on the PIC.

  • Frees per second—Flow records freed per second during the last statistics interval on the PIC.

  • Total memory used—Total amount of memory currently used (in bytes).

  • Total memory free—Total amount of memory currently free (in bytes).

Table 4: Output Fields for the show passive-monitoring status Command

  • Interface state—Indicates whether the interface is monitoring (operating properly), disabled (administratively disabled), or not monitoring (not configured).

  • Group index—Integer that represents the monitoring group of which the PIC is a member. (This does not indicate the number of monitoring groups.)

  • Export interval—Configured export interval for flow records, in seconds.

  • Export format—Configured export format (only v5 is currently supported).

  • Protocol—Protocol the PIC is configured to monitor (only IPv4 is currently supported).

  • Engine type—Configured engine type that is inserted in output flow packets.

  • Engine ID—Configured engine ID that is inserted in output flow packets.

  • Route record count—Number of routes recorded.

  • IFL to SNMP index count—Number of logical interfaces mapped to an SNMP index.

  • AS count—Number of AS boundaries that the flow has crossed.

  • Time set—Indicates whether the time stamp is in place.

  • Configuration set—Indicates whether the monitoring configuration is set.

  • Route record set—Indicates whether routes are being recorded.

  • IFL SNMP map set—Indicates whether logical interfaces are being mapped to an SNMP index.

Table 5: Output Fields for the show passive-monitoring usage Command

  • Uptime—Time, in milliseconds, that the PIC has been operational.

  • Interrupt time—Cumulative time that the PIC has spent processing packets since the last PIC reset.

  • Load (5 second)—CPU load on the PIC averaged over 5 seconds. The number is a percentage obtained by dividing the time spent on active tasks by the total elapsed time.

  • Load (1 minute)—CPU load on the PIC averaged over 1 minute. The number is a percentage obtained by dividing the time spent on active tasks by the total elapsed time.