Configuring Traffic Sampling and Forwarding

Previous page
Table of content
Next page

On routers with an Internet Processor II ASIC, you can sample IP traffic based on particular input interfaces and various fields in the packet header. You can use traffic sampling to monitor any combination of specific logical interfaces, specific protocols on one or more interfaces, a range of addresses on a logical interface, or individual IP addresses. Information about the sampled packets is saved to files on the router's hard disk. The traffic sampling feature is not meant to capture all packets received by a router. Juniper Networks does not recommend excessive sampling (a rate greater than 1 in 1,000 packets), because it can increase the load on the processor. If you need to set a higher sampling rate to diagnose a particular problem or type of traffic received, we recommend that you revert to a lower sampling rate after the problem or troublesome traffic is discovered .

To configure traffic sampling, perform at least the following tasks :

  1. Create a firewall filter: 

     [edit firewall] filter  filter-name  {   term  term-name  {     then {       sample;       accept;     }   } }

  2. Apply the filter to the logical interfaces on which you want to sample traffic: 

     [edit interfaces]  interface-name  {   unit  logical-unit-number  {     family inet {       filter {         input  filter-name;  }       address  address  {         destination  destination-address;  }     }   } }

  3. Enable sampling, specifying a nonzero sampling rate: 

     [edit forwarding-options] sampling {   input {     family inet inet {       rate  number  ;     }   } }

To configure other forwarding options, include one or more of the following statements: 

 [edit forwarding-options] hash-key {   family inet {     layer-3;     layer-4;   }   family mpls {     label-1;     label-2;   } } sampling {   disable;   input {     family inet {       max-packets-per-second  number;  rate  number  ;       run-length  number  ;     }   }   output {     cflowd  host-name  {       aggregation {         autonomous-system;         destination-prefix;         protocol-port;         source-destination-prefix {           caida-compliant;         }         source-prefix;       }       autonomous-system-type (origin  peer);       (local-dump  no-local-dump);       port  port-number;  version  format;  }     file {       filename  filename;  files  number;  size  bytes  ;       (stamp  no-stamp);       (world-readable  no-world-readable);     }     port-mirroring {       interface  interface-name;  next-hop  address;  }   }   traceoptions {     file  filename  {       files  number;  size  bytes  ;       (world-readable  no-world-readable);     }   } }

Configuring Per-Flow Load Balancing Information

You can specify what information the router uses for per-flow load balancing based on port data rather than based only on source and destination IP addresses. For aggregated Ethernet and aggregated SONET interfaces, you can load balance based on the MPLS label information. By default, the software ignores port data when determining flows. To enable per-flow load balancing, set the load-balance per-packet action in the routing policy configuration. To include port data in the flow determination, include the family inet statement: 

 [edit forwarding-options hash-key] family inet {   layer-3;   layer-4; }

By default, the router uses the following Layer 3 information in the packet header to load-balance: source IP address, destination IP address, and protocol. If you include both the layer-3 and layer-4 statements, the router uses the source IP address, destination IP address, protocol, source port number, destination port number, and incoming interface index to load balance. This is appropriate behavior for Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets. For ICMP packets, the field location offset is the checksum field, which makes each ping packet a separate "flow." This can be problematic ; for example, some traceroute implementations might use ICMP rather than UDP for the outgoing packets.

Configuring Traffic Sampling Output Files

To collect sampled packets in a file in the /var/tmp directory, include the file statement. Traffic sampling output is saved to an ASCII text file, with each line containing information for one sampled packet. 

 [edit forwarding-options sampling output]   file {     filename  filename  ;     files  number;  size  bytes  ;     (stamp  no-stamp);     (world-readable  no-world-readable);   } }

Tracing Traffic Sampling Operations

Tracing operations track all traffic sampling operations and record them in a log file in the /var/log directory. By default, this file is named /var/log/sampled . The default file size is 128 KB, and 10 files are created before the first one gets overwritten. To trace traffic sampling operations, include the file statement: 

 [edit forwarding-options sampling traceoptions] file  filename  {   files  number;  size  bytes  ;   (world-readable  no-world-readable); }

Configuring Flow Aggregation (cflowd)

You can collect an aggregate of sampled flows and send the aggregate to a specified host that runs the cflowd application available from CAIDA (http://www.caida.org). Using cflowd, you can obtain various types of byte and packet counts of flows through a router. The cflowd application collects the sampled flows over a period of 1 minute. At the end of the minute, the number of samples to be exported are divided over the period of another minute and are exported over the course of the same minute. By default, flow aggregation is disabled. To enable the collection of flow aggregates, include the cflowd statement, specifying the name or identifier of the host that collects the flow aggregates. 

 [edit forwarding-options sampling output] cflowd  host-name  {   aggregation {     autonomous-system;     destination-prefix;     protocol-port;     source-destination-prefix {       caida-compliant;     }     source-prefix;   }   autonomous-system-type (origin  peer);   (local-dump  no-local-dump);   port  port-number;  version  format;  }

You must also include the UDP port number on the host and the version , which gives the format of the exported cflowd aggregates. To collect cflowd records in a log file before exporting, include the local-dump statement. To specify aggregation of specific types of traffic, which conserves memory and bandwidth in enabling cflowd to export targeted flows rather than all the aggregated traffic, include the aggregation statement. The aggregation type can be one of the following:

  • autonomous-system Aggregate by AS number.

  • destination-prefix Aggregate by destination prefix only.

  • protocol-port Aggregate by protocol and port number; requires setting the separate cflowd port statement.

  • source-destination-prefix Aggregate by source and destination prefix.

  • source-prefix Aggregate by source prefix only.

Collection of sampled packets in a local ASCII file is not affected by the cflowd statement.

To collect the cflowd flows in a log file before they are exported, include the local-dump statement. By default, the flows are collected in /var/log/sampled . Note that you cannot configure both host (cflowd) sampling and port mirroring at the same time.

Configuring Port Mirroring

On routers containing an Internet Processor II ASIC, you can send a copy of an IPv4 packet from the router to an external host address or a packet analyzer for analysis, also known as port mirroring. Port mirroring is different from traffic sampling. In traffic sampling, a sampling key based on the IPv4 header is sent to the Routing Engine, and the key can be placed in a file or cflowd packets based on the key can be sent to a cflowd server. In port mirroring, the entire packet is copied and sent out through a next-hop interface. To configure port mirroring, configure traffic sampling on a logical interface by including the input statement at the [edit forwarding-options sampling] hierarchy level. Then specify the output interface to the analyzer and port-mirroring destination in the port-mirroring statement: 

 [edit forwarding-options sampling output] port-mirroring {   interface  interface-name;  next-hop  address;  }

The following restrictions apply to port mirroring:

  • You cannot configure both cflowd sampling and port mirroring in the same configuration.

  • You cannot configure firewall filters on the port-mirroring interface.

  • The interface you configure for port mirroring should not participate in any kind of routing activity.

  • The destination address should not have a route to the ultimate traffic destination. For example, if the sampled IPv4 packets have a destination address of 190.68.9.10 and the port-mirrored traffic is sent to 190.68.20.15 for analysis, the device associated with the latter address should not know a route to 190.68.9.10 . Also, it should not send the sampled packets back to the source address.

  • Only IPv4 traffic is supported.

  • You can configure only one port-mirroring interface per router. If you include more than one interface in the port-mirroring statement, the previous one is overwritten.

  • You must include a firewall filter with both the accept action and the sample action modifier on the inbound interface for port mirroring to work. Do not include the discard action or port mirroring does not work.


Previous page
Table of content
Next page
Juniper Networks Field Guide and Reference
Juniper Networks Field Guide and Reference
ISBN: 0321122445
EAN: 2147483647
Year: 2002
Pages: 185
Authors: Aviva Garrett, Gary Drenan, Cris Morris, Juniperu00ae Networks
BUY ON AMAZON
Excel Scientific and Engineering Cookbook (Cookbooks (OReilly))
MySQL Clustering
The Complete Cisco VPN Configuration Guide
PostgreSQL(c) The comprehensive guide to building, programming, and administering PostgreSQL databases
Professional Struts Applications: Building Web Sites with Struts ObjectRelational Bridge, Lucene, and Velocity (Experts Voice)
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy