Example: Configuring Inline Active Flow Monitoring on MX Series and T4000 Routers
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Configuring Template Properties
set services flow-monitoring version9 template template1 flow-active-timeout 120
set services flow-monitoring version9 template template1 flow-inactive-timeout 60
set services flow-monitoring version9 template template1 template-refresh-rate packets 100
set services flow-monitoring version9 template template1 template-refresh-rate seconds 600
set services flow-monitoring version9 template template1 option-refresh-rate packets 100
set services flow-monitoring version9 template template1 option-refresh-rate seconds 600
set services flow-monitoring version9 template template1 ipv4-template
set services flow-monitoring version-ipfix template template-v61 flow-active-timeout 150
set services flow-monitoring version-ipfix template template-v61 flow-inactive-timeout 100
set services flow-monitoring version-ipfix template template-v61 template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template template-v61 ipv6-template
Configuring a Sampling Instance
set forwarding-options sampling instance instance-1 input rate 1
set forwarding-options sampling instance instance-1 family inet output flow-server 10.50.1.2 port 2055
set forwarding-options sampling instance instance-1 family inet output flow-server 10.50.1.2 version9 template template1
set forwarding-options sampling instance instance-1 family inet output inline-jflow source-address 10.50.1.100
set forwarding-options sampling instance instance-1 family inet output inline-jflow flow-export-rate 10
set forwarding-options sampling instance instance-1 family inet6 output flow-server 10.50.1.2 port 2055
set forwarding-options sampling instance instance-1 family inet6 output flow-server 10.50.1.2 version-ipfix template template-v61
set forwarding-options sampling instance instance-1 family inet6 output inline-jflow source-address 10.50.1.110
set forwarding-options sampling instance instance-1 family inet6 output inline-jflow flow-export-rate 6
Configuring FPC Parameters
set chassis fpc 0 sampling-instance instance-1
set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 8
set chassis fpc 0 inline-services flow-table-size ipv6-flow-table-size 7
Configuring Firewall Filters
set firewall family inet filter inet-sample term t1 then sample
set firewall family inet filter inet-sample term t1 then accept
set firewall family inet6 filter inet6-sample term t1 then sample
set firewall family inet6 filter inet6-sample term t1 then accept
Configuring Interface Properties
set interfaces ge-0/0/4 unit 0 family inet filter input inet-sample
set interfaces ge-0/0/4 unit 0 family inet address 10.150.1.1/24
set interfaces ge-0/1/6 unit 0 family inet6 filter input inet6-sample
set interfaces ge-0/1/6 unit 0 family inet6 address 2001:db8:0:2::1/64
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
- Configure the template properties for inline active flow monitoring.
[edit services flow-monitoring]
user@router1# set version9 template template1 ipv4-template
user@router1# set version9 template template1 flow-active-timeout 120
user@router1# set version9 template template1 flow-inactive-timeout 60
user@router1# set version9 template template1 template-refresh-rate packets 100
user@router1# set version9 template template1 option-refresh-rate packets 100
user@router1# set version-ipfix template template-v61 ipv6-template
user@router1# set version-ipfix template template-v61 flow-active-timeout 150
user@router1# set version-ipfix template template-v61 flow-inactive-timeout 100
user@router1# set version-ipfix template template-v61 template-refresh-rate seconds 30
user@router1# set version-ipfix template template-v61 option-refresh-rate seconds 30
- Configure the sampling instance for inline active flow monitoring.
[edit forwarding-options sampling]
user@router1# set instance instance-1 input rate 1
user@router1# set instance instance-1 family inet output flow-server 10.50.1.2 port 2055
user@router1# set instance instance-1 family inet output flow-server 10.50.1.2 version9 template template1
user@router1# set instance instance-1 family inet output inline-jflow source-address 10.50.1.100
user@router1# set instance instance-1 family inet output inline-jflow flow-export-rate 10
user@router1# set instance instance-1 family inet6 output flow-server 10.50.1.2 port 2055
user@router1# set instance instance-1 family inet6 output flow-server 10.50.1.2 version-ipfix template template-v61
user@router1# set instance instance-1 family inet6 output inline-jflow source-address 10.50.1.110
user@router1# set instance instance-1 family inet6 output inline-jflow flow-export-rate 6
Note: Until you complete the next step for associating the sampling instance with an FPC, the instance remains inactive and is marked inactive in the configuration.
- Associate the sampling instance with the FPC on which you want to implement inline active flow monitoring, and also configure the hash table sizes.
Note: In Junos OS releases earlier than Release 12.1, the following conditions are applicable for supporting backward compatibility when you configure the IPv4 and IPv6 flow table sizes for inline active flow monitoring:
  - If you do not configure the flow-table-size statement at the [edit chassis fpc slot-number inline-services] hierarchy level, fifteen 256K entries are allocated by default for the IPv4 flow table and one 1K entry is allocated by default for the IPv6 flow table on the Packet Forwarding Engine.
  - If you configure the ipv4-flow-table-size size statement at the [edit chassis fpc slot-number inline-services flow-table-size] hierarchy level and do not configure the ipv6-flow-table-size size statement at the [edit chassis fpc slot-number inline-services flow-table-size] hierarchy level, the number of units of 256K entries that you configure for the IPv4 flow table is allocated. For the IPv6 flow table, a default size of one 1K entry is allocated on the Packet Forwarding Engine.
  - If you do not configure the ipv4-flow-table-size size statement at the [edit chassis fpc slot-number inline-services flow-table-size] hierarchy level and if you configure the ipv6-flow-table-size size statement at the [edit chassis fpc slot-number inline-services flow-table-size] hierarchy level, the number of units of 256K entries that you configure for the IPv6 flow table is allocated. For the IPv4 flow table, a default size of one 1K entry is allocated on the Packet Forwarding Engine.
  - If you configure the sizes of both the IPv4 and IPv6 flow tables, the flow tables are created on the Packet Forwarding Engine based on the size that you specified.
Note: When you configure inline active flow monitoring for VPLS flows, include the vpls-flow-table-size statement.
[edit chassis]
user@router1# set fpc 0 sampling-instance instance-1
user@router1# set fpc 0 inline-services flow-table-size ipv4-flow-table-size 8
user@router1# set fpc 0 inline-services flow-table-size ipv6-flow-table-size 7
- Configure firewall filters.
[edit firewall]
user@router1# set family inet filter inet-sample term t1 then sample
user@router1# set family inet filter inet-sample term t1 then accept
user@router1# set family inet6 filter inet6-sample term t1 then sample
user@router1# set family inet6 filter inet6-sample term t1 then accept
- Associate the firewall filters configured in the previous step with the interfaces on which you want to set up inline active flow monitoring.
[edit interfaces]
user@router1# set ge-0/0/4 unit 0 family inet filter input inet-sample
user@router1# set ge-0/0/4 unit 0 family inet address 10.150.1.1/24
user@router1# set ge-0/1/6 unit 0 family inet6 filter input inet6-sample
user@router1# set ge-0/1/6 unit 0 family inet6 address 2001:db8:0:2::1/64
- Commit the configuration.
[edit]
user@router1# commit
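The procedure above depends on several cross-references: each flow-server names a defined template, the sampling instance is bound to an FPC (otherwise it stays inactive), and each sampling filter is applied to an interface. The following Python check is an added example, not Juniper code or part of the original page; the function name audit and its regular expressions are assumptions that cover only the set-statement forms used in this example, and the embedded configuration is constructed from a subset of the commands above.

```python
import re

# Constructed input: a subset of the set commands from this example.
CONFIG = """\
set services flow-monitoring version9 template template1 ipv4-template
set services flow-monitoring version-ipfix template template-v61 ipv6-template
set forwarding-options sampling instance instance-1 input rate 1
set forwarding-options sampling instance instance-1 family inet output flow-server 10.50.1.2 version9 template template1
set forwarding-options sampling instance instance-1 family inet6 output flow-server 10.50.1.2 version-ipfix template template-v61
set chassis fpc 0 sampling-instance instance-1
set firewall family inet filter inet-sample term t1 then sample
set firewall family inet6 filter inet6-sample term t1 then sample
set interfaces ge-0/0/4 unit 0 family inet filter input inet-sample
set interfaces ge-0/1/6 unit 0 family inet6 filter input inet6-sample
"""

def audit(config):
    """Return findings for broken cross-references between the five stanzas."""
    text = "\n".join(l.strip() for l in config.splitlines()
                     if l.strip().startswith("set "))
    find = lambda pattern: set(re.findall(pattern, text, re.M))
    # (version, template-name) pairs defined under services flow-monitoring
    templates = find(r"^set services flow-monitoring (version9|version-ipfix) template (\S+)")
    # (instance, version, template-name) triples referenced by a flow-server
    used = find(r"^set forwarding-options sampling instance (\S+) family \S+ "
                r"output flow-server \S+ (version9|version-ipfix) template (\S+)")
    instances = find(r"^set forwarding-options sampling instance (\S+)")
    bound = find(r"^set chassis fpc \d+ sampling-instance (\S+)")
    # (family, filter-name) pairs that sample, and pairs applied on an interface
    sampling = find(r"^set firewall family (\S+) filter (\S+) term \S+ then sample")
    applied = find(r"^set interfaces \S+ unit \d+ family (\S+) filter input (\S+)")

    findings = []
    for inst, ver, tmpl in sorted(used):
        if (ver, tmpl) not in templates:
            findings.append(f"instance {inst}: {ver} template {tmpl} is not defined")
    for inst in sorted(instances - bound):
        findings.append(f"instance {inst}: not associated with any FPC, remains inactive")
    for fam, flt in sorted(sampling - applied):
        findings.append(f"filter {flt} ({fam}): has 'then sample' but is not applied as an input filter")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG) or ["no findings"]:
        print(finding)
```

An empty result means every sampled family has a defined template, an active instance, and an applied filter; any finding indicates traffic that will not be exported to the collector.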
Results
From configuration mode, confirm your configuration by entering the show services flow-monitoring, show forwarding-options sampling, show chassis fpc 0, show firewall, and show interfaces commands. If the output does not display the intended configuration, repeat the instructions in the example to correct the configuration.
- show services flow-monitoring
version9 {
    template template1 {
        flow-active-timeout 120;
        flow-inactive-timeout 60;
        template-refresh-rate {
            packets 100;
            seconds 600;
        }
        option-refresh-rate {
            packets 100;
            seconds 600;
        }
        ipv4-template;
    }
}
version-ipfix {
    template template-v61 {
        flow-active-timeout 150;
        flow-inactive-timeout 100;
        template-refresh-rate {
            seconds 30;
        }
        ipv6-template;
    }
}
- show forwarding-options sampling
instance {
    instance-1 {
        input {
            rate 1;
        }
        family inet {
            output {
                flow-server 10.50.1.2 {
                    port 2055;
                    version9 {
                        template {
                            template1;
                        }
                    }
                }
                inline-jflow {
                    source-address 10.50.1.100;
                    flow-export-rate 10;
                }
            }
        }
        family inet6 {
            output {
                flow-server 10.50.1.2 {
                    port 2055;
                    version-ipfix {
                        template {
                            template-v61;
                        }
                    }
                }
                inline-jflow {
                    source-address 10.50.1.110;
                    flow-export-rate 6;
                }
            }
        }
    }
}
- show chassis fpc 0
sampling-instance instance-1;
inline-services {
    flow-table-size {
        ipv4-flow-table-size 8;
        ipv6-flow-table-size 7;
    }
}
- show firewall
family inet {
    filter inet-sample {
        term t1 {
            then {
                sample;
                accept;
            }
        }
    }
}
family inet6 {
    filter inet6-sample {
        term t1 {
            then {
                sample;
                accept;
            }
        }
    }
}
- show interfaces
...
ge-0/1/6 {
    vlan-tagging;
    unit 0 {
        family inet6 {
            filter {
                input inet6-sample;
            }
            address 2001:db8:0:2::1/64;
        }
    }
}
ge-0/0/4 {
    vlan-tagging;
    unit 0 {
        family inet {
            filter {
                input inet-sample;
            }
            address 10.150.1.1/24;
        }
    }
}
...
Software and Hardware Requirements
- An MX Series router other than MX80
- Junos OS Release 13.2 or later.
Note:
- Junos OS Releases earlier than 13.2 also support inline active flow monitoring. However, some of the features discussed in this example are not supported on previous releases.
- You need Junos OS Release 14.2 or later for configuring inline active flow monitoring on T4000 routers with Type 5 FPC.
Overview
Inline active flow monitoring enables you to configure active sampling without making use of a services DPC. This topic explains the basic configuration for enabling inline active flow monitoring for IPv4 and IPv6 flows. You can also configure inline active flow monitoring for VPLS flows. To configure inline active flow monitoring for VPLS flows, you must specify the family as vpls and include vpls-template at the [edit services flow-monitoring version-ipfix template template-name] hierarchy level.