Configuring Traffic Sampling and Forwarding
On routers with an Internet Processor II ASIC, you can sample IP traffic based on particular input interfaces and various fields in the packet header. You can use traffic sampling to monitor any combination of specific logical interfaces, specific protocols on one or more interfaces, a range of addresses on a logical interface, or individual IP addresses. Information about the sampled packets is saved to files on the router's hard disk. The traffic sampling feature is not meant to capture all packets received by a router. Juniper Networks does not recommend excessive sampling (a rate greater than 1 in 1,000 packets), because it can increase the load on the processor. If you need to set a higher sampling rate to diagnose a particular problem or type of traffic received, we recommend that you revert to a lower sampling rate after the problem or troublesome traffic is discovered.
To configure traffic sampling, perform at least the following tasks:
Create a firewall filter:
[edit firewall]
filter filter-name {
    term term-name {
        then {
            sample;
            accept;
        }
    }
}
Apply the filter to the logical interfaces on which you want to sample traffic:
[edit interfaces]
interface-name {
    unit logical-unit-number {
        family inet {
            filter {
                input filter-name;
            }
            address address {
                destination destination-address;
            }
        }
    }
}
Enable sampling, specifying a nonzero sampling rate:
[edit forwarding-options]
sampling {
    input {
        family inet {
            rate number;
        }
    }
}
To configure other forwarding options, include one or more of the following statements:
[edit forwarding-options]
hash-key {
    family inet {
        layer-3;
        layer-4;
    }
    family mpls {
        label-1;
        label-2;
    }
}
sampling {
    disable;
    input {
        family inet {
            max-packets-per-second number;
            rate number;
            run-length number;
        }
    }
    output {
        cflowd host-name {
            aggregation {
                autonomous-system;
                destination-prefix;
                protocol-port;
                source-destination-prefix {
                    caida-compliant;
                }
                source-prefix;
            }
            autonomous-system-type (origin | peer);
            (local-dump | no-local-dump);
            port port-number;
            version format;
        }
        file {
            filename filename;
            files number;
            size bytes;
            (stamp | no-stamp);
            (world-readable | no-world-readable);
        }
        port-mirroring {
            interface interface-name;
            next-hop address;
        }
    }
    traceoptions {
        file filename {
            files number;
            size bytes;
            (world-readable | no-world-readable);
        }
    }
}
Configuring Per-Flow Load Balancing Information
You can specify what information the router uses for per-flow load balancing based on port data rather than based only on source and destination IP addresses. For aggregated Ethernet and aggregated SONET interfaces, you can load balance based on the MPLS label information. By default, the software ignores port data when determining flows. To enable per-flow load balancing, set the load-balance per-packet action in the routing policy configuration. To include port data in the flow determination, include the family inet statement:
[edit forwarding-options hash-key]
family inet {
    layer-3;
    layer-4;
}
By default, the router uses the following Layer 3 information in the packet header to load-balance: source IP address, destination IP address, and protocol. If you include both the layer-3 and layer-4 statements, the router uses the source IP address, destination IP address, protocol, source port number, destination port number, and incoming interface index to load balance. This is appropriate behavior for Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets. For ICMP packets, the field location offset is the checksum field, which makes each ping packet a separate "flow." This can be problematic; for example, some traceroute implementations might use ICMP rather than UDP for the outgoing packets.
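The two halves of per-flow load balancing put together, as an added example that is not from the Junos documentation: the policy name per-flow-lb is assumed, and the policy is applied through the forwarding-table export statement, which is how Junos activates a load-balance policy.

```junos
# Added example, not from the Junos documentation. Assumed: policy name
# per-flow-lb. The load-balance per-packet action is what turns on
# per-flow load balancing; hash-key decides which header fields define a flow.
[edit policy-options]
policy-statement per-flow-lb {
    then {
        load-balance per-packet;
    }
}

[edit routing-options]
forwarding-table {
    export per-flow-lb;    # apply the policy to the forwarding table
}

[edit forwarding-options hash-key]
family inet {
    layer-3;   # source address, destination address, protocol
    layer-4;   # adds source port, destination port, incoming interface index
}
# Note: ICMP carries no ports, so with layer-4 the port offset reads the
# ICMP checksum and every ping packet becomes its own flow (see the text above).
```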
Configuring Traffic Sampling Output Files
To collect sampled packets in a file in the /var/tmp directory, include the file statement. Traffic sampling output is saved to an ASCII text file, with each line containing information for one sampled packet.
[edit forwarding-options sampling output]
file {
    filename filename;
    files number;
    size bytes;
    (stamp | no-stamp);
    (world-readable | no-world-readable);
}
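The three configuration tasks above, combined with an output file, as one complete added example that is not from the Junos documentation: the filter name sample-inbound, interface so-0/0/0 unit 0, the 192.0.2.1/30 documentation address and the file name sampled-packets are assumed.

```junos
# Added example, not from the Junos documentation. Assumed: filter name
# sample-inbound, interface so-0/0/0 unit 0, address 192.0.2.1/30 (an RFC 5737
# documentation prefix), output file name sampled-packets.
[edit firewall]
filter sample-inbound {
    term match-all {
        then {
            sample;   # mark the packet for sampling
            accept;   # sampling needs accept; a discard action drops the packet
        }
    }
}

[edit interfaces]
so-0/0/0 {
    unit 0 {
        family inet {
            filter {
                input sample-inbound;   # sample traffic arriving on this unit
            }
            address 192.0.2.1/30;
        }
    }
}

[edit forwarding-options]
sampling {
    input {
        family inet {
            rate 1000;   # 1 in 1,000 packets, the upper bound the text recommends
        }
    }
    output {
        file {
            filename sampled-packets;   # written under /var/tmp
            files 5;                    # rotate after five files
            size 1000000;               # bytes per file
            stamp;                      # timestamp each record
            no-world-readable;          # keep sampled headers from other local users
        }
    }
}
```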
Tracing Traffic Sampling Operations
Tracing operations track all traffic sampling operations and record them in a log file in the /var/log directory. By default, this file is named /var/log/sampled. The default file size is 128 KB, and 10 files are created before the first one gets overwritten. To trace traffic sampling operations, include the file statement:
[edit forwarding-options sampling traceoptions]
file filename {
    files number;
    size bytes;
    (world-readable | no-world-readable);
}
Configuring Flow Aggregation (cflowd)
You can collect an aggregate of sampled flows and send the aggregate to a specified host that runs the cflowd application available from CAIDA (http://www.caida.org). Using cflowd, you can obtain various types of byte and packet counts of flows through a router. The cflowd application collects the sampled flows over a period of 1 minute. At the end of that minute, the samples to be exported are spread over the following minute and exported during it. By default, flow aggregation is disabled. To enable the collection of flow aggregates, include the cflowd statement, specifying the name or identifier of the host that collects the flow aggregates.
[edit forwarding-options sampling output]
cflowd host-name {
    aggregation {
        autonomous-system;
        destination-prefix;
        protocol-port;
        source-destination-prefix {
            caida-compliant;
        }
        source-prefix;
    }
    autonomous-system-type (origin | peer);
    (local-dump | no-local-dump);
    port port-number;
    version format;
}
You must also include the UDP port number on the host and the version, which gives the format of the exported cflowd aggregates. To collect cflowd records in a log file before exporting, include the local-dump statement. To aggregate only specific types of traffic, which conserves memory and bandwidth because cflowd exports the targeted flows rather than all the aggregated traffic, include the aggregation statement. The aggregation type can be one of the following:
autonomous-system: Aggregate by AS number.
destination-prefix: Aggregate by destination prefix only.
protocol-port: Aggregate by protocol and port number; requires setting the separate cflowd port statement.
source-destination-prefix: Aggregate by source and destination prefix.
source-prefix: Aggregate by source prefix only.
Collection of sampled packets in a local ASCII file is not affected by the cflowd statement.
To collect the cflowd flows in a log file before they are exported, include the local-dump statement. By default, the flows are collected in /var/log/sampled. Note that you cannot configure both host (cflowd) sampling and port mirroring at the same time.
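A cflowd export configuration with two aggregation types, local dumping and a rate cap, as an added example that is not from the Junos documentation: the collector address 192.0.2.50, UDP port 2055 and version 8 (the cflowd record format that carries the aggregation schemes listed above) are assumed.

```junos
# Added example, not from the Junos documentation. Assumed: collector at
# 192.0.2.50 (RFC 5737 documentation prefix), UDP port 2055, version 8.
[edit forwarding-options sampling]
input {
    family inet {
        rate 1000;                     # 1 in 1,000 packets
        max-packets-per-second 1000;   # cap the sampling load on the processor
    }
}
output {
    cflowd 192.0.2.50 {
        port 2055;                     # UDP port the collector listens on
        version 8;                     # exported record format
        local-dump;                    # also keep records in /var/log/sampled
        autonomous-system-type origin; # report origin AS rather than peer AS
        aggregation {
            source-destination-prefix {
                caida-compliant;
            }
            protocol-port;             # needs the port statement above
        }
    }
}
# Not configurable together with this: output port-mirroring (see below).
```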
Configuring Port Mirroring
On routers containing an Internet Processor II ASIC, you can send a copy of an IPv4 packet from the router to an external host address or a packet analyzer for analysis, also known as port mirroring. Port mirroring is different from traffic sampling. In traffic sampling, a sampling key based on the IPv4 header is sent to the Routing Engine, and the key can be placed in a file or cflowd packets based on the key can be sent to a cflowd server. In port mirroring, the entire packet is copied and sent out through a next-hop interface. To configure port mirroring, configure traffic sampling on a logical interface by including the input statement at the [edit forwarding-options sampling] hierarchy level. Then specify the output interface to the analyzer and port-mirroring destination in the port-mirroring statement:
[edit forwarding-options sampling output]
port-mirroring {
    interface interface-name;
    next-hop address;
}
The following restrictions apply to port mirroring:
You cannot configure both cflowd sampling and port mirroring in the same configuration.
You cannot configure firewall filters on the port-mirroring interface.
The interface you configure for port mirroring should not participate in any kind of routing activity.
The destination address should not have a route to the ultimate traffic destination. For example, if the sampled IPv4 packets have a destination address of 190.68.9.10 and the port-mirrored traffic is sent to 190.68.20.15 for analysis, the device associated with the latter address should not know a route to 190.68.9.10. Also, it should not send the sampled packets back to the source address.
Only IPv4 traffic is supported.
You can configure only one port-mirroring interface per router. If you include more than one interface in the port-mirroring statement, the previous one is overwritten.
You must include a firewall filter with both the accept action and the sample action modifier on the inbound interface for port mirroring to work. Do not include the discard action or port mirroring does not work.
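A port-mirroring configuration that satisfies the restrictions above, as an added example that is not from the Junos documentation: the addresses are the ones used in the text, while the filter name mirror-inbound, the monitored interface so-0/0/0 unit 0, the analyzer-facing interface fe-1/0/0 unit 0 and the sampling rate are assumed.

```junos
# Added example, not from the Junos documentation. Assumed: filter name
# mirror-inbound, monitored interface so-0/0/0.0, analyzer link fe-1/0/0.0
# (a dedicated interface that does no routing), sampling rate 1.
[edit firewall]
filter mirror-inbound {
    term mirror {
        from {
            destination-address {
                190.68.9.10/32;   # narrow the term to the traffic of interest
            }
        }
        then {
            sample;   # the mirrored copy is taken from sampled packets
            accept;   # required; a discard action disables mirroring
        }
    }
}

[edit interfaces so-0/0/0 unit 0 family inet]
filter {
    input mirror-inbound;   # inbound interface carrying the mirrored traffic
}

[edit forwarding-options sampling]
input {
    family inet {
        rate 1;   # assumed: copy every packet the term matches; raise it if the load is too high
    }
}
output {
    port-mirroring {
        interface fe-1/0/0.0;    # the only port-mirroring interface allowed per router
        next-hop 190.68.20.15;   # the analyzer; it must hold no route to 190.68.9.10
    }
}
# No firewall filter may be applied to fe-1/0/0.0, and no cflowd output may
# be configured alongside port-mirroring.
```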