[j-nsp] sampled -> Monitoring PIC on 5.6?
hayter
hayter at usc.edu
Wed Sep 24 17:31:38 EDT 2003
On Wed, Sep 24, 2003 at 03:40:32PM -0400, Avram Dorfman wrote:
thanks for the links...
> Now, active monitoring (aka inline monitoring) only works via
> port-mirroring. Since it is a pic, it can only process packets it sees.
> There is nothing magical about it that causes it to see packets that
> any other pic in that slot would not see. You have to either route to
> it, or mirror to it. If you route to it, it's a dead-end, the packet
> will be processed and discarded.
that seems pointless and conflicts with this statement from the 6.0
docs:

    Configure Traffic Sampling

    Traffic sampling enables you to direct traffic to a PIC that performs
    flow accounting and then forwards the packet to its original
    destination. You can configure the router to perform sampling in
    either of two locations:

    * On the Routing Engine, using the sampled process. To select this
      method, use a filter (input or output) with a matching term that
      contains the then sample statement.
    * On the Monitoring Services PIC.

which implies that sampled traffic sent to the PIC will be forwarded to
its original destination. is this a 6.0 only feature?
----
Carl Hayter
ISD - Data Network Operations
>
> -Avram
>
> On Tuesday, September 23, 2003, at 07:39 PM, hayter wrote:
>
> > i was pretty sure that the Monitoring PIC was supported in 5.6, has
> > anybody configured this. we've been collecting flows from the sampled
> > process for a while now.
> >
> > Pretend
> > -------
> >
> > [edit interfaces lo0]
> > unit 0 {
> >     family inet {
> >         address 127.0.0.1/32;
> >         address 192.168.1.1/32 {
> >             preferred;
> >         }
> >     }
> > }
> >
> > [edit forwarding-options sampling]
> > input {
> >     family inet {
> >         rate 8000;
> >     }
> > }
> > output {
> >     cflowd 192.168.42.42 {
> >         port 9843;
> >         version 5;
> >     }
> > }
> >
> > and we have appropriate sample/accept terms on firewall filters on
> > interfaces and everything is working fine. flows flow. the exporter
> > IP in the flows is 192.168.1.1, the collector is 192.168.42.42
> >
> >
> > we're now ready to test a Monitoring PIC, what changes need to be made?
> >
> > noteworthy points:
> >
> > * we're still running 5.6, i can't find clear documentation for
> > the PIC configuration. i've found the PIC examples in the 6.0
> > documentation but the 6.0 syntax doesn't seem to be supported
> > in the older 5.6 release. the PIC datasheet i found says it
> > does support 5.6
> >
> > * the port-mirroring option won't work, we have filters and perform
> > routing over the interfaces we sample. both listed as mirroring
> > contraindicators. we also aren't setup for passive monitoring.
> >
> > * we've been advised not to upgrade to 6.0 but to wait for the next
> > release to ensure our needs are met (we're actually running a
> > special 5.6 build to fix some issues we had with 5.6).
> >
> >
> > so, will the Monitoring PIC work with 5.6? is there documentation that
> > i missed somewhere? any example configs?
> >
> >
> > under 6.0 the config seems to go something like this (rough outline):
> >
> > Configure PIC
> > Configure Sampling Output
> > Configure Monitoring
> >
> >
> > Configure PIC
> > -------------
> >
> > what address goes here? can it be a private non-routed address?
> > say 192.168.254.1?
> > destination for what? to the netflow collector?
> >
> > [edit interfaces]
> > mo-0/1/0 {
> > unit 1 {
> > family inet {
> > address 192.168.x.x {
> > destination 192.168.42.42
> > }
> >
> > are these the filters we currently have on the interfaces for
> > sampling? or are they filters to filter the flows before they
> > reach the PIC? (the last one i think)
> >
> > ! filter {
> > ! group filter-group-number;
> > ! input filter-name;
> > ! output filter-name;
> > ! }
> >
> > i think i understand this part. but it doesn't seem to really exist
> > in 5.6
> >
> > sampling {
> > ! [ input output ];
> > both;
> > }
> >
> > # set interfaces mo-0/1/0 unit 1 family inet ?
> > Possible completions:
> > <[Enter]> Execute this command
> >> accounting Configure interface-based accounting options
> >> address Interface address/destination prefix
> > + apply-groups Groups from which to inherit configuration data
> >> filter Packet filtering
> > mtu Protocol family MTU
> > no-redirects Do not redirect traffic
> > no-targeted-broadcast Reject targeted broadcast packets
> >> policer Interface policing
> > primary Candidate for primary interface in system
> >> rpf-check Enable reverse-path-forwarding checks on this
> >> interface
> > | Pipe through a command
> >
> > }
> > }
> >
> > probably don't need any of these yet, save until later.
> >
> > ! multiservice-options {
> > ! boot-command filename;
> > ! (core-dump | no-core-dump);
> > ! (syslog | no-syslog);
> > ! }
> >
> > }
> >
> >
> > Configure Sampling Output
> > -------------------------
> >
> > is this the source-address in the flows?
> >
> > [edit forwarding-options sampling output]
> > interface mo-0/1/0.1 {
> >     engine-id number;
> >     engine-type number;
> >     source-address 192.168.1.1;
> > }
> >
> > no interface section in 5.6
> >
> > # set ?
> > Possible completions:
> > + apply-groups Groups from which to inherit configuration data
> >> cflowd Configure sending traffic aggregates in cflowd
> >> format
> >> file Configure parameters for dumping sampled packets
> >> port-mirroring Configure sending sampled traffic out through an
> >> interface
> >
> >
> > Configure Monitoring
> > --------------------
> >
> > yet another possible collector address and exporter address. what are
> > all of these addresses?
> >
> > [edit forwarding-options monitoring group1 family inet output]
> > cflowd hostname port port-number;
> > export-format format;
> > flow-active-timeout seconds;
> > flow-inactive-timeout seconds;
> > interface interface-name {
> >     engine-id number;
> >     engine-type number;
> >     input-interface-index number;
> >     output-interface-index number;
> >     source-address address;
> > }
> >
> > well, at least 5.6 has the interface section but so much else is
> > different. no cflowd statement... maybe the
> > destination-(address|port)?
> >
> > # set ?
> > Possible completions:
> > + apply-groups Groups from which to inherit configuration data
> > destination-address Address to which monitored packets will be sent
> > destination-port Port to which monitored packets will be sent
> > export-format Format for sending monitoring information
> > export-interval Interval of distributing monitoring information
> > (seconds)
> >> interface Interfaces used to send monitored information
> > source-address Address to use for generating monitored packets
> >
> >
> > ----
> > Carl Hayter
> > ISD - Data Network Operations
> > University of Southern California
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/juniper-nsp
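
Added example, not part of the original thread: a collector-side check of a version 5 export datagram, useful for confirming that the exporter address, engine fields and sampling interval seen at the collector are unchanged after moving export from the sampled process to a PIC. The header layout is the standard v5 one; the engine values, the sample datagram and the function names are constructed, and the thread does not say whether a given JUNOS release fills these header fields from the `engine-id`, `engine-type` or `rate` statements.

```python
import struct

# NetFlow/cflowd version 5 export header: 24 bytes, network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48  # each v5 flow record is 48 bytes


def parse_v5_header(datagram: bytes) -> dict:
    """Validate a v5 export datagram and return its identifying header fields."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not version 5: {version}")
    if not 1 <= count <= 30 or len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    return {
        "count": count,
        "flow_sequence": flow_seq,
        "engine_type": engine_type,
        "engine_id": engine_id,
        "sampling_mode": sampling >> 14,          # top 2 bits
        "sampling_interval": sampling & 0x3FFF,   # low 14 bits
    }


def check_export(src_ip: str, datagram: bytes, expected: dict) -> list:
    """List every mismatch between a received datagram and the expected exporter."""
    problems = []
    if src_ip != expected["source_address"]:
        problems.append(f"source {src_ip} != {expected['source_address']}")
    header = parse_v5_header(datagram)
    for key in ("engine_type", "engine_id", "sampling_interval"):
        if key in expected and header[key] != expected[key]:
            problems.append(f"{key} {header[key]} != {expected[key]}")
    return problems


def build_sample(engine_type: int, engine_id: int, interval: int) -> bytes:
    """Constructed one-record datagram (all-zero flow record) for the demo."""
    header = V5_HEADER.pack(5, 1, 1000, 1064439098, 0, 1,
                            engine_type, engine_id, (1 << 14) | interval)
    return header + bytes(V5_RECORD_LEN)


if __name__ == "__main__":
    expected = {"source_address": "192.168.1.1", "engine_id": 1, "sampling_interval": 8000}
    sample = build_sample(engine_type=0, engine_id=1, interval=8000)
    print(check_export("192.168.1.1", sample, expected))    # same exporter identity
    print(check_export("192.168.254.1", sample, expected))  # export sourced from another address
```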