On routers with an Internet Processor II ASIC, you can sample IP traffic based on particular input interfaces and various fields in the packet header. You can use traffic sampling to monitor any combination of specific logical interfaces, specific protocols on one or more interfaces, a range of addresses on a logical interface, or individual IP addresses. Information about the sampled packets is saved to files on the router's hard disk.

The traffic sampling feature is not meant to capture all packets received by a router. Juniper Networks does not recommend excessive sampling (a rate greater than 1 in 1,000 packets), because it can increase the load on the processor. If you need to set a higher sampling rate to diagnose a particular problem or type of traffic received, we recommend that you revert to a lower sampling rate after the problem or troublesome traffic is discovered.

To configure traffic sampling, perform at least the following tasks:
To configure other forwarding options, include one or more of the following statements:

    [edit forwarding-options]
    hash-key {
        family inet {
            layer-3;
            layer-4;
        }
        family mpls {
            label-1;
            label-2;
        }
    }
    sampling {
        disable;
        input {
            family inet {
                max-packets-per-second number;
                rate number;
                run-length number;
            }
        }
        output {
            cflowd host-name {
                aggregation {
                    autonomous-system;
                    destination-prefix;
                    protocol-port;
                    source-destination-prefix {
                        caida-compliant;
                    }
                    source-prefix;
                }
                autonomous-system-type (origin | peer);
                (local-dump | no-local-dump);
                port port-number;
                version format;
            }
            file {
                filename filename;
                files number;
                size bytes;
                (stamp | no-stamp);
                (world-readable | no-world-readable);
            }
            port-mirroring {
                interface interface-name;
                next-hop address;
            }
        }
        traceoptions {
            file filename {
                files number;
                size bytes;
                (world-readable | no-world-readable);
            }
        }
    }

Configuring Per-Flow Load Balancing Information

You can specify what information the router uses for per-flow load balancing based on port data rather than based only on source and destination IP addresses. For aggregated Ethernet and aggregated SONET interfaces, you can load balance based on the MPLS label information. By default, the software ignores port data when determining flows.

To enable per-flow load balancing, set the load-balance per-packet action in the routing policy configuration. To include port data in the flow determination, include the family inet statement:

    [edit forwarding-options hash-key]
    family inet {
        layer-3;
        layer-4;
    }

By default, the router uses the following Layer 3 information in the packet header to load-balance: source IP address, destination IP address, and protocol. If you include both the layer-3 and layer-4 statements, the router uses the source IP address, destination IP address, protocol, source port number, destination port number, and incoming interface index to load balance. This is appropriate behavior for Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets.
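To make the field selection concrete, the following Python model is an added example, not Juniper code and not the ASIC's hash function: it shows which header fields enter the flow key under layer-3 only versus layer-3 plus layer-4, and why ICMP, whose Layer 4 port offset falls on the checksum field, turns a single ping run into several flows. The Packet class, the sample packets, the interface labels and the SHA-256 next-hop choice are constructed assumptions for illustration.

```python
"""Flow-key selection for per-flow load balancing.

Added illustration (not Juniper code): it models which packet-header fields
feed the per-flow hash under [edit forwarding-options hash-key] family inet
with layer-3 only versus layer-3 plus layer-4, as the text describes. The
Packet class, the sample packets and the SHA-256 next-hop selection are
constructed stand-ins; the Internet Processor II hash itself is not modelled.
"""
import hashlib
from dataclasses import dataclass

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: int          # IP protocol number
    ifindex: int        # incoming interface index
    src_port: int = 0   # TCP/UDP source port
    dst_port: int = 0   # TCP/UDP destination port
    icmp_csum: int = 0  # ICMP: the bytes at the Layer 4 port offset are the checksum


def flow_key(pkt: Packet, layer_4: bool = False) -> tuple:
    """Fields hashed for this packet.

    layer-3 (the default): source IP, destination IP, protocol.
    layer-3 + layer-4: adds source port, destination port and the incoming
    interface index. For ICMP the "port" offset lands on the checksum, so
    each ping with a different checksum becomes a separate flow.
    """
    key = (pkt.src, pkt.dst, pkt.proto)
    if not layer_4:
        return key
    if pkt.proto in (PROTO_TCP, PROTO_UDP):
        l4 = (pkt.src_port, pkt.dst_port)
    elif pkt.proto == PROTO_ICMP:
        l4 = (pkt.icmp_csum,)
    else:
        l4 = ()  # assumption: protocols without ports add nothing
    return key + l4 + (pkt.ifindex,)


def next_hop(pkt: Packet, next_hops: list, layer_4: bool = False) -> str:
    """Deterministic per-flow choice of next hop (constructed hash, not the ASIC's)."""
    digest = hashlib.sha256(repr(flow_key(pkt, layer_4)).encode()).digest()
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]


def count_flows(packets, layer_4: bool = False) -> int:
    """Number of distinct flows the hash key distinguishes in a packet list."""
    return len({flow_key(p, layer_4) for p in packets})


NEXT_HOPS = ["so-0/0/0.0", "so-0/0/1.0"]  # constructed interface labels

# Constructed sample traffic.
# One TCP connection: every packet shares the 5-tuple, so all stay on one path.
TCP_ONE_CONN = [
    Packet("10.0.0.1", "10.0.1.1", PROTO_TCP, 5, src_port=40000, dst_port=443)
    for _ in range(4)
]
# Two TCP connections between the same hosts, differing only in source port.
TCP_TWO_CONNS = [
    Packet("10.0.0.1", "10.0.1.1", PROTO_TCP, 5, src_port=40000, dst_port=443),
    Packet("10.0.0.1", "10.0.1.1", PROTO_TCP, 5, src_port=40001, dst_port=443),
]
# Three echo requests of one ping run; the sequence number changes with each
# packet, so the checksum changes too.
PINGS = [
    Packet("10.0.0.1", "10.0.1.1", PROTO_ICMP, 5, icmp_csum=csum)
    for csum in (0x4F2A, 0x4F29, 0x4F28)
]


def summarize() -> dict:
    """Flow counts (layer-3 only, layer-3 + layer-4) for each sample set."""
    return {
        name: (count_flows(pkts), count_flows(pkts, layer_4=True))
        for name, pkts in (("tcp_one_conn", TCP_ONE_CONN),
                           ("tcp_two_conns", TCP_TWO_CONNS),
                           ("pings", PINGS))
    }


if __name__ == "__main__":
    for name, (l3, l34) in summarize().items():
        print(f"{name:14s} flows: layer-3 only={l3}  layer-3+layer-4={l34}")
```

With layer-4 enabled the two TCP connections are spread over different flows while each connection stays on one path; the ping run, which is one logical conversation, splits into one flow per packet, which is the behaviour the ICMP note below warns about for traceroute-style tools.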
For ICMP packets, the field location offset is the checksum field, which makes each ping packet a separate "flow." This can be problematic; for example, some traceroute implementations might use ICMP rather than UDP for the outgoing packets.

Configuring Traffic Sampling Output Files

To collect sampled packets in a file in the /var/tmp directory, include the file statement. Traffic sampling output is saved to an ASCII text file, with each line containing information for one sampled packet.

    [edit forwarding-options sampling output]
    file {
        filename filename;
        files number;
        size bytes;
        (stamp | no-stamp);
        (world-readable | no-world-readable);
    }

Tracing Traffic Sampling Operations

Tracing operations track all traffic sampling operations and record them in a log file in the /var/log directory. By default, this file is named /var/log/sampled. The default file size is 128 KB, and 10 files are created before the first one gets overwritten. To trace traffic sampling operations, include the file statement:

    [edit forwarding-options sampling traceoptions]
    file filename {
        files number;
        size bytes;
        (world-readable | no-world-readable);
    }

Configuring Flow Aggregation (cflowd)

You can collect an aggregate of sampled flows and send the aggregate to a specified host that runs the cflowd application available from CAIDA (http://www.caida.org). Using cflowd, you can obtain various types of byte and packet counts of flows through a router. The cflowd application collects the sampled flows over a period of 1 minute. At the end of the minute, the number of samples to be exported is divided over the period of another minute and exported over the course of that minute.

By default, flow aggregation is disabled. To enable the collection of flow aggregates, include the cflowd statement, specifying the name or identifier of the host that collects the flow aggregates.
    [edit forwarding-options sampling output]
    cflowd host-name {
        aggregation {
            autonomous-system;
            destination-prefix;
            protocol-port;
            source-destination-prefix {
                caida-compliant;
            }
            source-prefix;
        }
        autonomous-system-type (origin | peer);
        (local-dump | no-local-dump);
        port port-number;
        version format;
    }

You must also include the UDP port number on the host and the version, which gives the format of the exported cflowd aggregates. To collect cflowd records in a log file before exporting, include the local-dump statement.

To specify aggregation of specific types of traffic, which conserves memory and bandwidth by enabling cflowd to export targeted flows rather than all the aggregated traffic, include the aggregation statement. The aggregation type can be one of the following:
Collection of sampled packets in a local ASCII file is not affected by the cflowd statement. To collect the cflowd flows in a log file before they are exported, include the local-dump statement. By default, the flows are collected in /var/log/sampled.

Note that you cannot configure both host (cflowd) sampling and port mirroring at the same time.

Configuring Port Mirroring

On routers containing an Internet Processor II ASIC, you can send a copy of an IPv4 packet from the router to an external host address or a packet analyzer for analysis, also known as port mirroring. Port mirroring is different from traffic sampling. In traffic sampling, a sampling key based on the IPv4 header is sent to the Routing Engine, and the key can be placed in a file, or cflowd packets based on the key can be sent to a cflowd server. In port mirroring, the entire packet is copied and sent out through a next-hop interface.

To configure port mirroring, configure traffic sampling on a logical interface by including the input statement at the [edit forwarding-options sampling] hierarchy level. Then specify the output interface to the analyzer and the port-mirroring destination in the port-mirroring statement:

    [edit forwarding-options sampling output]
    port-mirroring {
        interface interface-name;
        next-hop address;
    }

The following restrictions apply to port mirroring: