Mailing List Archive: sampled -> Monitoring PIC on 5.6?

sampled -> Monitoring PIC on 5.6?

Sep 23, 2003, 7:39 PM

Post #1 of 3 (845 views)

i was pretty sure that the Monitoring PIC was supported in 5.6, has
anybody configured this. we've been collecting flows from the sampled
process for a while now.

Pretend
-------

[edit interfaces lo0]
unit 0 {
family inet {
address 127.0.0.1/32;
address 192.168.1.1/32 {
preferred;
}
}
}

[edit forwarding options sampling]
input {
family inet {
rate 8000;
}
}
output {
cflowd 192.168.42.42 {
port 9843;
version 5;
}
}

and we have appropriate sample/accept terms on firewall filters on
interfaces and everything is working fine. flows flow. the exporter
IP in the flows is 192.168.1.1, the collector is 192.168.42.42

we're now ready to test a Monitoring PIC, what changes need to be made?

noteworthy points:

* we're still running 5.6, i can't find clear documentation for
the PIC configuration. i've found the PIC examples in the 6.0
documentation but the 6.0 syntax doesn't seem to be supported
in the older 5.6 release. the PIC datasheet i found says it
does support 5.6

* the port-mirroring option won't work, we have filters and perform
routing over the interfaces we sample. both listed as mirroring
contraindicators. we also aren't setup for passive monitoring.

* we've been advised not to upgrade to 6.0 but to wait for the next
release to ensure our needs are met (we're actually running a
special 5.6 build to fix some issues we had with 5.6).

so, will the Monitoring PIC work with 5.6? is there documentation that
i missed somewhere? any example configs?

under 6.0 the config seems to go something like this (rough outline):

Configure PIC
Configure Sampling Output
Configure Monitoring

Configure PIC
-------------

what address goes here? can it be a private non-routed address?
say 192.168.254.1?
destination for what? to the netflow collector?

[edit interfaces]
mo-0/1/0 {
unit 1 {
family inet {
address 192.168.x.x {
destination 192.168.42.42
}

are these the filters we currently have on the interfaces for
sampling? or are they filters to filter the flows before they
reach the PIC? (the last one i think)

! filter {
! group filter-group-number;
! input filter-name;
! output filter-name;
! }

i think i understand this part. but it doesn't seem to really exist in 5.6

sampling {
! [ input output ];
both;
}

# set interfaces mo-0/1/0 unit 1 family inet ?
Possible completions:
<[Enter]> Execute this command
> accounting Configure interface-based accounting options
> address Interface address/destination prefix
+ apply-groups Groups from which to inherit configuration data
> filter Packet filtering
mtu Protocol family MTU
no-redirects Do not redirect traffic
no-targeted-broadcast Reject targeted broadcast packets
> policer Interface policing
primary Candidate for primary interface in system
> rpf-check Enable reverse-path-forwarding checks on this interface
| Pipe through a command

}
}

probably don't need any of these yet, save until later.

! multiservice-options {
! boot-command filename;
! (core-dump | no-core-dump);
! (syslog | no-syslog);
! }

}

Configure Sampling Output
-------------------------

is this the source-address in the flows?

[edit forwarding-options sampling output]
interface mo-0/1/0.1 {
engine-id number;
engine-type number;
source-address 192.168.1.1;
}

no interface section in 5.6

# set ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
> cflowd Configure sending traffic aggregates in cflowd format
> file Configure parameters for dumping sampled packets
> port-mirroring Configure sending sampled traffic out through an interface

Configure Monitoring
--------------------

yet another possible collector address and exporter address. what are
all of these addresses?

[edit forwarding-options monitoring group1 family inet output]
cflowd hostname port port-number;
export-format format;
flow-active-timeout seconds;
flow-inactive-timeout seconds;
interface interface-name {
engine-id number;
engine-type number;
input-interface-index number;
output-interface-index number;
source-address address;
}

well, at least 5.6 has the interface section but so much else is
different. no cflowd statement... maybe the destination-(address|port)?

# set ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
destination-address Address to which monitored packets will be sent
destination-port Port to which monitored packets will be sent
export-format Format for sending monitoring information
export-interval Interval of distributing monitoring information (seconds)
> interface Interfaces used to send monitored information
source-address Address to use for generating monitored packets

----
Carl Hayter
ISD - Data Network Operations
University of Southern California

sampled -> Monitoring PIC on 5.6? [ In reply to ]

avram at juniper

Sep 24, 2003, 3:40 PM

Post #2 of 3 (826 views)

Permalink

Carl,

Trying to dust of the cobwebs for you...

You need the feature guide manual. Here:

http://www.juniper.net/techpubs/software/junos/junos56/feature-guide-
56/html/fg-flow-monitoring.html

This subject was re-written in the 5.7 manual, and is easier to follow
there (but not all 5.7 features were in 5.6)

http://www.juniper.net/techpubs/software/junos/junos57/feature-guide-
57/html/fg-flow-monitoring.html

Now, active monitoring (aka inline monitoring) only works via
port-mirroring. Since it is a pic, it can only process packets it sees.
There is nothing magical about it that causes it to see packets that
any other pic in that slot would not see. You have to either route to
it, or mirror to it. If you route to it, it's a dead-end, the packet
will be processed and discarded.

-Avram

On Tuesday, September 23, 2003, at 07:39 PM, hayter wrote:

> i was pretty sure that the Monitoring PIC was supported in 5.6, has
> anybody configured this. we've been collecting flows from the sampled
> process for a while now.
>
> Pretend
> -------
>
> [edit interfaces lo0]
> unit 0 {
> family inet {
> address 127.0.0.1/32;
> address 192.168.1.1/32 {
> preferred;
> }
> }
> }
>
> [edit forwarding options sampling]
> input {
> family inet {
> rate 8000;
> }
> }
> output {
> cflowd 192.168.42.42 {
> port 9843;
> version 5;
> }
> }
>
> and we have appropriate sample/accept terms on firewall filters on
> interfaces and everything is working fine. flows flow. the exporter
> IP in the flows is 192.168.1.1, the collector is 192.168.42.42
>
>
> we're now ready to test a Monitoring PIC, what changes need to be made?
>
> noteworthy points:
>
> * we're still running 5.6, i can't find clear documentation for
> the PIC configuration. i've found the PIC examples in the 6.0
> documentation but the 6.0 syntax doesn't seem to be supported
> in the older 5.6 release. the PIC datasheet i found says it
> does support 5.6
>
> * the port-mirroring option won't work, we have filters and perform
> routing over the interfaces we sample. both listed as mirroring
> contraindicators. we also aren't setup for passive monitoring.
>
> * we've been advised not to upgrade to 6.0 but to wait for the next
> release to ensure our needs are met (we're actually running a
> special 5.6 build to fix some issues we had with 5.6).
>
>
> so, will the Monitoring PIC work with 5.6? is there documentation that
> i missed somewhere? any example configs?
>
>
> under 6.0 the config seems to go something like this (rough outline):
>
> Configure PIC
> Configure Sampling Output
> Configure Monitoring
>
>
> Configure PIC
> -------------
>
> what address goes here? can it be a private non-routed address?
> say 192.168.254.1?
> destination for what? to the netflow collector?
>
> [edit interfaces]
> mo-0/1/0 {
> unit 1 {
> family inet {
> address 192.168.x.x {
> destination 192.168.42.42
> }
>
> are these the filters we currently have on the interfaces for
> sampling? or are they filters to filter the flows before they
> reach the PIC? (the last one i think)
>
> ! filter {
> ! group filter-group-number;
> ! input filter-name;
> ! output filter-name;
> ! }
>
> i think i understand this part. but it doesn't seem to really exist
> in 5.6
>
> sampling {
> ! [ input output ];
> both;
> }
>
> # set interfaces mo-0/1/0 unit 1 family inet ?
> Possible completions:
> <[Enter]> Execute this command
>> accounting Configure interface-based accounting options
>> address Interface address/destination prefix
> + apply-groups Groups from which to inherit configuration data
>> filter Packet filtering
> mtu Protocol family MTU
> no-redirects Do not redirect traffic
> no-targeted-broadcast Reject targeted broadcast packets
>> policer Interface policing
> primary Candidate for primary interface in system
>> rpf-check Enable reverse-path-forwarding checks on this
>> interface
> | Pipe through a command
>
> }
> }
>
> probably don't need any of these yet, save until later.
>
> ! multiservice-options {
> ! boot-command filename;
> ! (core-dump | no-core-dump);
> ! (syslog | no-syslog);
> ! }
>
> }
>
>
> Configure Sampling Output
> -------------------------
>
> is this the source-address in the flows?
>
> [edit forwarding-options sampling output]
> interface mo-0/1/0.1 {
> engine-id number;
> engine-type number;
> source-address 192.168.1.1;
> }
>
> no interface section in 5.6
>
> # set ?
> Possible completions:
> + apply-groups Groups from which to inherit configuration data
>> cflowd Configure sending traffic aggregates in cflowd
>> format
>> file Configure parameters for dumping sampled packets
>> port-mirroring Configure sending sampled traffic out through an
>> interface
>
>
> Configure Monitoring
> --------------------
>
> yet another possible collector address and exporter address. what are
> all of these addresses?
>
> [edit forwarding-options monitoring group1 family inet output]
> cflowd hostname port port-number;
> export-format format;
> flow-active-timeout seconds;
> flow-inactive-timeout seconds;
> interface interface-name {
> engine-id number;
> engine-type number;
> input-interface-index number;
> output-interface-index number;
> source-address address;
> }
>
> well, at least 5.6 has the interface section but so much else is
> different. no cflowd statement... maybe the
> destination-(address|port)?
>
> # set ?
> Possible completions:
> + apply-groups Groups from which to inherit configuration data
> destination-address Address to which monitored packets will be sent
> destination-port Port to which monitored packets will be sent
> export-format Format for sending monitoring information
> export-interval Interval of distributing monitoring information
> (seconds)
>> interface Interfaces used to send monitored information
> source-address Address to use for generating monitored packets
>
>
> ----
> Carl Hayter
> ISD - Data Network Operations
> University of Southern California
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp

sampled -> Monitoring PIC on 5.6? [ In reply to ]

hayter at usc

Sep 24, 2003, 5:31 PM

Post #3 of 3 (811 views)

Permalink

On Wed, Sep 24, 2003 at 03:40:32PM -0400, Avram Dorfman wrote:

thanks for the links...

> Now, active monitoring (aka inline monitoring) only works via
> port-mirroring. Since it is a pic, it can only process packets it sees.
> There is nothing magical about it that causes it to see packets that
> any other pic in that slot would not see. You have to either route to
> it, or mirror to it. If you route to it, it's a dead-end, the packet
> will be processed and discarded.

that seems pointless and conflicts with this statement from the 6.0
docs:

Configure Traffic Sampling

Traffic sampling enables you to direct traffic to a PIC that performs
flow accounting and then forwards the packet to its original
destination. You can configure the router to perform sampling in
either of two locations:

* On the Routing Engine, using the sampled process. To select this
method, use a filter (input or output) with a matching term that
contains the then sample statement.

* On the Monitoring Services PIC.

which implies that sampled traffic sent to the PIC will be forwarded to
it's original destination. is this a 6.0 only feature?

----
Carl Hayter
ISD - Data Network Operations

>
> -Avram
>
> On Tuesday, September 23, 2003, at 07:39 PM, hayter wrote:
>
> > i was pretty sure that the Monitoring PIC was supported in 5.6, has
> > anybody configured this. we've been collecting flows from the sampled
> > process for a while now.
> >
> > Pretend
> > -------
> >
> > [edit interfaces lo0]
> > unit 0 {
> > family inet {
> > address 127.0.0.1/32;
> > address 192.168.1.1/32 {
> > preferred;
> > }
> > }
> > }
> >
> > [edit forwarding options sampling]
> > input {
> > family inet {
> > rate 8000;
> > }
> > }
> > output {
> > cflowd 192.168.42.42 {
> > port 9843;
> > version 5;
> > }
> > }
> >
> > and we have appropriate sample/accept terms on firewall filters on
> > interfaces and everything is working fine. flows flow. the exporter
> > IP in the flows is 192.168.1.1, the collector is 192.168.42.42
> >
> >
> > we're now ready to test a Monitoring PIC, what changes need to be made?
> >
> > noteworthy points:
> >
> > * we're still running 5.6, i can't find clear documentation for
> > the PIC configuration. i've found the PIC examples in the 6.0
> > documentation but the 6.0 syntax doesn't seem to be supported
> > in the older 5.6 release. the PIC datasheet i found says it
> > does support 5.6
> >
> > * the port-mirroring option won't work, we have filters and perform
> > routing over the interfaces we sample. both listed as mirroring
> > contraindicators. we also aren't setup for passive monitoring.
> >
> > * we've been advised not to upgrade to 6.0 but to wait for the next
> > release to ensure our needs are met (we're actually running a
> > special 5.6 build to fix some issues we had with 5.6).
> >
> >
> > so, will the Monitoring PIC work with 5.6? is there documentation that
> > i missed somewhere? any example configs?
> >
> >
> > under 6.0 the config seems to go something like this (rough outline):
> >
> > Configure PIC
> > Configure Sampling Output
> > Configure Monitoring
> >
> >
> > Configure PIC
> > -------------
> >
> > what address goes here? can it be a private non-routed address?
> > say 192.168.254.1?
> > destination for what? to the netflow collector?
> >
> > [edit interfaces]
> > mo-0/1/0 {
> > unit 1 {
> > family inet {
> > address 192.168.x.x {
> > destination 192.168.42.42
> > }
> >
> > are these the filters we currently have on the interfaces for
> > sampling? or are they filters to filter the flows before they
> > reach the PIC? (the last one i think)
> >
> > ! filter {
> > ! group filter-group-number;
> > ! input filter-name;
> > ! output filter-name;
> > ! }
> >
> > i think i understand this part. but it doesn't seem to really exist
> > in 5.6
> >
> > sampling {
> > ! [ input output ];
> > both;
> > }
> >
> > # set interfaces mo-0/1/0 unit 1 family inet ?
> > Possible completions:
> > <[Enter]> Execute this command
> >> accounting Configure interface-based accounting options
> >> address Interface address/destination prefix
> > + apply-groups Groups from which to inherit configuration data
> >> filter Packet filtering
> > mtu Protocol family MTU
> > no-redirects Do not redirect traffic
> > no-targeted-broadcast Reject targeted broadcast packets
> >> policer Interface policing
> > primary Candidate for primary interface in system
> >> rpf-check Enable reverse-path-forwarding checks on this
> >> interface
> > | Pipe through a command
> >
> > }
> > }
> >
> > probably don't need any of these yet, save until later.
> >
> > ! multiservice-options {
> > ! boot-command filename;
> > ! (core-dump | no-core-dump);
> > ! (syslog | no-syslog);
> > ! }
> >
> > }
> >
> >
> > Configure Sampling Output
> > -------------------------
> >
> > is this the source-address in the flows?
> >
> > [edit forwarding-options sampling output]
> > interface mo-0/1/0.1 {
> > engine-id number;
> > engine-type number;
> > source-address 192.168.1.1;
> > }
> >
> > no interface section in 5.6
> >
> > # set ?
> > Possible completions:
> > + apply-groups Groups from which to inherit configuration data
> >> cflowd Configure sending traffic aggregates in cflowd
> >> format
> >> file Configure parameters for dumping sampled packets
> >> port-mirroring Configure sending sampled traffic out through an
> >> interface
> >
> >
> > Configure Monitoring
> > --------------------
> >
> > yet another possible collector address and exporter address. what are
> > all of these addresses?
> >
> > [edit forwarding-options monitoring group1 family inet output]
> > cflowd hostname port port-number;
> > export-format format;
> > flow-active-timeout seconds;
> > flow-inactive-timeout seconds;
> > interface interface-name {
> > engine-id number;
> > engine-type number;
> > input-interface-index number;
> > output-interface-index number;
> > source-address address;
> > }
> >
> > well, at least 5.6 has the interface section but so much else is
> > different. no cflowd statement... maybe the
> > destination-(address|port)?
> >
> > # set ?
> > Possible completions:
> > + apply-groups Groups from which to inherit configuration data
> > destination-address Address to which monitored packets will be sent
> > destination-port Port to which monitored packets will be sent
> > export-format Format for sending monitoring information
> > export-interval Interval of distributing monitoring information
> > (seconds)
> >> interface Interfaces used to send monitored information
> > source-address Address to use for generating monitored packets
> >
> >
> > ----
> > Carl Hayter
> > ISD - Data Network Operations
> > University of Southern California
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > http://puck.nether.net/mailman/listinfo/juniper-nsp