[j-nsp] sampled -> Monitoring PIC on 5.6?

hayter hayter at usc.edu
Wed Sep 24 17:31:38 EDT 2003


On Wed, Sep 24, 2003 at 03:40:32PM -0400, Avram Dorfman wrote:

thanks for the links...

> Now, active monitoring (aka inline monitoring) only works via  
> port-mirroring. Since it is a pic, it can only process packets it sees.  
> There is nothing magical about it that causes it to see packets that  
> any other pic in that slot would not see. You have to either route to  
> it, or mirror to it. If you route to it, it's a dead-end, the packet  
> will be processed and discarded.

that seems pointless and conflicts with this statement from the 6.0
docs:

  Configure Traffic Sampling

  Traffic sampling enables you to direct traffic to a PIC that performs
  flow accounting and then forwards the packet to its original
  destination. You can configure the router to perform sampling in
  either of two locations:

  * On the Routing Engine, using the sampled process. To select this
    method, use a filter (input or output) with a matching term that
    contains the then sample statement.

  * On the Monitoring Services PIC.

which implies that sampled traffic sent to the PIC will be forwarded to
its original destination.  is this a 6.0 only feature?

----
Carl Hayter
ISD - Data Network Operations

> 
> -Avram
> 
> On Tuesday, September 23, 2003, at 07:39  PM, hayter wrote:
> 
> > i was pretty sure that the Monitoring PIC was supported in 5.6, has
> > anybody configured this?  we've been collecting flows from the sampled
> > process for a while now.
> >
> > Pretend
> > -------
> >
> > [edit interfaces lo0]
> > unit 0 {
> >     family inet {
> >         address 127.0.0.1/32;
> >         address 192.168.1.1/32 {
> >             preferred;
> >         }
> >     }
> > }
> >
> > [edit forwarding-options sampling]
> > input {
> >     family inet {
> >         rate 8000;
> >     }
> > }
> > output {
> >     cflowd 192.168.42.42 {
> >         port 9843;
> >         version 5;
> >     }
> > }
> >
> > and we have appropriate sample/accept terms on firewall filters on
> > interfaces and everything is working fine.  flows flow.  the exporter
> > IP in the flows is 192.168.1.1, the collector is 192.168.42.42
> >
> >
> > we're now ready to test a Monitoring PIC, what changes need to be made?
> >
> > noteworthy points:
> >
> >   * we're still running 5.6, i can't find clear documentation for
> >     the PIC configuration.  i've found the PIC examples in the 6.0
> >     documentation but the 6.0 syntax doesn't seem to be supported
> >     in the older 5.6 release.  the PIC datasheet i found says it
> >     does support 5.6
> >
> >   * the port-mirroring option won't work, we have filters and perform
> >     routing over the interfaces we sample.  both listed as mirroring
> >     contraindicators.  we also aren't set up for passive monitoring.
> >
> >   * we've been advised not to upgrade to 6.0 but to wait for the next
> >     release to ensure our needs are met (we're actually running a
> >     special 5.6 build to fix some issues we had with 5.6).
> >
> >
> > so, will the Monitoring PIC work with 5.6?  is there documentation that
> > i missed somewhere?  any example configs?
> >
> >
> > under 6.0 the config seems to go something like this (rough outline):
> >
> > Configure PIC
> > Configure Sampling Output
> > Configure Monitoring
> >
> >
> > Configure PIC
> > -------------
> >
> > what address goes here?  can it be a private non-routed address?
> > say 192.168.254.1?
> > destination for what?  to the netflow collector?
> >
> > [edit interfaces]
> > mo-0/1/0 {
> >     unit 1 {
> >         family inet {
> >             address 192.168.x.x {
> >                 destination 192.168.42.42;
> >             }
> >
> > are these the filters we currently have on the interfaces for
> > sampling?  or are they filters to filter the flows before they
> > reach the PIC? (the last one i think)
> >
> > !            filter {
> > !                group filter-group-number;
> > !                input filter-name;
> > !                output filter-name;
> > !            }
> >
> > i think i understand this part.  but it doesn't seem to really exist  
> > in 5.6
> >
> >             sampling {
> > !                [ input output ];
> >                 both;
> >             }
> >
> > # set interfaces mo-0/1/0 unit 1 family inet ?
> > Possible completions:
> >   <[Enter]>            Execute this command
> >> accounting           Configure interface-based accounting options
> >> address              Interface address/destination prefix
> > + apply-groups         Groups from which to inherit configuration data
> >> filter               Packet filtering
> >   mtu                  Protocol family MTU
> >   no-redirects         Do not redirect traffic
> >   no-targeted-broadcast  Reject targeted broadcast packets
> >> policer              Interface policing
> >   primary              Candidate for primary interface in system
> >> rpf-check            Enable reverse-path-forwarding checks on this interface
> >   |                    Pipe through a command
> >
> >         }
> >     }
> >
> > probably don't need any of these yet, save until later.
> >
> > !    multiservice-options {
> > !        boot-command filename;
> > !        (core-dump | no-core-dump);
> > !        (syslog | no-syslog);
> > !    }
> >
> > }
> >
> >
> > Configure Sampling Output
> > -------------------------
> >
> > is this the source-address in the flows?
> >
> > [edit forwarding-options sampling output]
> > interface mo-0/1/0.1 {
> >     engine-id number;
> >     engine-type number;
> >     source-address 192.168.1.1;
> > }
> >
> > no interface section in 5.6
> >
> > # set ?
> > Possible completions:
> > + apply-groups         Groups from which to inherit configuration data
> >> cflowd               Configure sending traffic aggregates in cflowd format
> >> file                 Configure parameters for dumping sampled packets
> >> port-mirroring       Configure sending sampled traffic out through an interface
> >
> >
> > Configure Monitoring
> > --------------------
> >
> > yet another possible collector address and exporter address.  what are
> > all of these addresses?
> >
> > [edit forwarding-options monitoring group1 family inet output]
> > cflowd hostname port port-number;
> > export-format format;
> > flow-active-timeout seconds;
> > flow-inactive-timeout seconds;
> > interface interface-name {
> >     engine-id number;
> >     engine-type number;
> >     input-interface-index number;
> >     output-interface-index number;
> >     source-address address;
> > }
> >
> > well, at least 5.6 has the interface section but so much else is
> > different.  no cflowd statement... maybe the  
> > destination-(address|port)?
> >
> > # set ?
> > Possible completions:
> > + apply-groups         Groups from which to inherit configuration data
> >   destination-address  Address to which monitored packets will be sent
> >   destination-port     Port to which monitored packets will be sent
> >   export-format        Format for sending monitoring information
> >   export-interval      Interval of distributing monitoring information (seconds)
> >> interface            Interfaces used to send monitored information
> >   source-address       Address to use for generating monitored packets
> >
> >
> > ----
> > Carl Hayter
> > ISD - Data Network Operations
> > University of Southern California
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/juniper-nsp
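
A collector-side check for the export discussed in this thread, added here as an illustration and not taken from the poster's setup or from Juniper's documentation: it parses a cflowd/NetFlow version 5 datagram, rejects one whose source is not the expected exporter (192.168.1.1) or whose length disagrees with its record count, and exposes the engine-type, engine-id and sampling fields the thread asks about. The sample datagram and its flow addresses are constructed, and scaling byte counts by the configured rate of 8000 is an assumption about how the collector uses the data.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte v5 flow record
EXPORTER = "192.168.1.1"   # exporter IP seen in the flows, per the thread
RATE = 8000                # [edit forwarding-options sampling input] rate (assumed multiplier)

def parse_v5(datagram, peer_ip):
    """Validate one export datagram and return (header dict, list of flows)."""
    # v5 export is plain UDP with no authentication: check source and length first.
    if peer_ip != EXPORTER:
        raise ValueError(f"unexpected exporter {peer_ip}")
    if len(datagram) < HEADER.size:
        raise ValueError("short header")
    ver, count, _up, _secs, _ns, seq, etype, eid, samp = HEADER.unpack_from(datagram)
    if ver != 5:
        raise ValueError(f"not version 5: {ver}")
    if not 1 <= count <= 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    hdr = {"sequence": seq, "engine_type": etype, "engine_id": eid,
           "sampling_mode": samp >> 14, "sampling_interval": samp & 0x3FFF}
    flows = []
    for i in range(count):
        (src, dst, _nh, in_if, out_if, pkts, octets, _first, _last, sport, dport,
         _flags, proto, _tos, _sas, _das, _sm, _dm) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "in_if": in_if, "out_if": out_if, "proto": proto, "sport": sport,
                      "dport": dport, "est_pkts": pkts * RATE, "est_octets": octets * RATE})
    return hdr, flows

def build_sample():
    """Constructed datagram: one TCP flow, engine_type 0, engine_id 0."""
    hdr = HEADER.pack(5, 1, 1000, 1064439098, 0, 42, 0, 0, (1 << 14) | RATE)
    rec = RECORD.pack(socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.1.9"),
                      socket.inet_aton("0.0.0.0"), 3, 7, 2, 120, 10, 20,
                      51515, 80, 0x18, 6, 0, 0, 0, 24, 24)
    return hdr + rec

if __name__ == "__main__":
    print(parse_v5(build_sample(), EXPORTER))
```

If the exporter address or engine values change after moving export from the sampled process to the PIC, this check fails loudly instead of silently mixing two sources.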

