[j-nsp] sampled -> Monitoring PIC on 5.6?

Tue Sep 23 17:39:37 EDT 2003

i was pretty sure that the Monitoring PIC was supported in 5.6, has
anybody configured this.  we've been collecting flows from the sampled
process for a while now.

Pretend
-------

[edit interfaces lo0]
unit 0 {
    family inet {
        address 127.0.0.1/32;
        address 192.168.1.1/32 {
            preferred;
        } 
    }
}

[edit forwarding options sampling]
input {
    family inet {
        rate 8000;
    }
}   
output {
    cflowd 192.168.42.42 {
        port 9843;
        version 5;
    }
}

and we have appropriate sample/accept terms on firewall filters on
interfaces and everything is working fine.  flows flow.  the exporter
IP in the flows is 192.168.1.1, the collector is 192.168.42.42

we're now ready to test a Monitoring PIC, what changes need to be made?

noteworthy points:

  * we're still running 5.6, i can't find clear documentation for
    the PIC configuration.  i've found the PIC examples in the 6.0
    documentation but the 6.0 syntax doesn't seem to be supported
    in the older 5.6 release.  the PIC datasheet i found says it
    does support 5.6

  * the port-mirroring option won't work, we have filters and perform
    routing over the interfaces we sample.  both listed as mirroring
    contraindicators.  we also aren't setup for passive monitoring.

  * we've been advised not to upgrade to 6.0 but to wait for the next
    release to ensure our needs are met (we're actually running a
    special 5.6 build to fix some issues we had with 5.6).

so, will the Monitoring PIC work with 5.6?  is there documentation that
i missed somewhere?  any example configs?

under 6.0 the config seems to go something like this (rough outline):

Configure PIC
Configure Sampling Output
Configure Monitoring

Configure PIC
-------------

what address goes here?  can it be a private non-routed address?
say 192.168.254.1?
destination for what?  to the netflow collector?

[edit interfaces]
mo-0/1/0 {
    unit 1 {
        family inet {
            address 192.168.x.x {
                destination 192.168.42.42
            }

are these the filters we currently have on the interfaces for
sampling?  or are they filters to filter the flows before they
reach the PIC? (the last one i think)

!            filter {
!                group filter-group-number;
!                input filter-name;
!                output filter-name;
!            }

i think i understand this part.  but it doesn't seem to really exist in 5.6

            sampling {
!                [ input output ];
                both;
            }

# set interfaces mo-0/1/0 unit 1 family inet ?
Possible completions:
  <[Enter]>            Execute this command
> accounting           Configure interface-based accounting options
> address              Interface address/destination prefix
+ apply-groups         Groups from which to inherit configuration data
> filter               Packet filtering
  mtu                  Protocol family MTU
  no-redirects         Do not redirect traffic
  no-targeted-broadcast  Reject targeted broadcast packets
> policer              Interface policing
  primary              Candidate for primary interface in system
> rpf-check            Enable reverse-path-forwarding checks on this interface
  |                    Pipe through a command

        }
    }

probably don't need any of these yet, save until later.

!    multiservice-options {
!        boot-command filename;
!        (core-dump | no-core-dump);
!        (syslog | no-syslog);
!    }

}

Configure Sampling Output
-------------------------

is this the source-address in the flows?

[edit forwarding-options sampling output]
interface mo-0/1/0.1 {
    engine-id number;
    engine-type number;
    source-address 192.168.1.1;
}

no interface section in 5.6

# set ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
> cflowd               Configure sending traffic aggregates in cflowd format
 > file                 Configure parameters for dumping sampled packets
> port-mirroring       Configure sending sampled traffic out through an interface

Configure Monitoring
--------------------

yet another possible collector address and exporter address.  what are
all of these addresses?

[edit forwarding-options monitoring group1 family inet output]
cflowd hostname port port-number;
export-format format;
flow-active-timeout seconds;
flow-inactive-timeout seconds;
interface interface-name {
    engine-id number;
    engine-type number;
    input-interface-index number;
    output-interface-index number;
    source-address address;
}

well, at least 5.6 has the interface section but so much else is
different.  no cflowd statement... maybe the destination-(address|port)?

# set ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
  destination-address  Address to which monitored packets will be sent
  destination-port     Port to which monitored packets will be sent
  export-format        Format for sending monitoring information
  export-interval      Interval of distributing monitoring information (seconds)
> interface            Interfaces used to send monitored information
  source-address       Address to use for generating monitored packets

----
Carl Hayter
ISD - Data Network Operations
University of Southern California