
Enabling Passive Flow Monitoring

You can monitor IPv4 traffic from another router if you have the following components installed in an M40e, M160, M320, or T Series router:

On SONET/SDH interfaces, you enable passive flow monitoring by including the passive-monitor-mode statement at the [edit interfaces so-fpc/pic/port unit logical-unit-number] hierarchy level:

[edit interfaces so-fpc/pic/port unit logical-unit-number]
passive-monitor-mode;

On Asynchronous Transfer Mode (ATM), Fast Ethernet, or Gigabit Ethernet interfaces, you enable passive flow monitoring by including the passive-monitor-mode statement at the [edit interfaces interface-name] hierarchy level:

[edit interfaces interface-name]
passive-monitor-mode;

When you configure an interface in passive monitoring mode, the Packet Forwarding Engine silently drops packets coming from that interface and destined to the router itself. Passive monitoring mode also stops the Routing Engine from transmitting any packet from that interface. Packets received from the monitored interface can be forwarded to monitoring interfaces. If you include the passive-monitor-mode statement in the configuration:

On monitoring services interfaces, you enable passive flow monitoring by including the family statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level, specifying the inet option:

[edit interfaces interface-name unit logical-unit-number]
family inet;

For the monitoring services interface, you can configure multiservice physical interface properties. For more information, see Configuring Flow Monitoring.

For conformity with cflowd record structure, you must include the receive-options-packets and receive-ttl-exceeded statements at the [edit interfaces interface-name unit logical-unit-number family inet] hierarchy level:

[edit interfaces interface-name unit logical-unit-number family inet]
receive-options-packets;
receive-ttl-exceeded;

For more information, see the following sections:

Passive Flow Monitoring for MPLS Encapsulated Packets

On monitoring services interfaces, you can process MPLS packets that have not been assigned label values and have no corresponding entry in the mpls.0 routing table. This allows you to assign a default route to unlabeled MPLS packets.

To configure a default label value for MPLS packets, include the default-route statement at the [edit protocols mpls interface interface-name label-map] hierarchy level:

[edit protocols mpls interface interface-name label-map]
default-route {
    (next-hop (address | interface-name | address/interface-name)) | (reject | discard);
    (pop | (swap <out-label>));
    class-of-service value;
    preference preference;
    type type;
}

For more information about static labels, see the JUNOS MPLS Applications Configuration Guide.

Removing MPLS Labels from Incoming Packets

The JUNOS Software can forward only IPv4 packets to a Monitoring Services, Adaptive Services, or MultiServices PIC. IPv4 packets with MPLS labels cannot be forwarded to a monitoring PIC. By default, if packets with MPLS labels are forwarded to the monitoring PIC, they are discarded. To monitor packets with MPLS labels, you must remove the MPLS labels as the packets arrive on the interface.

You can remove up to two MPLS labels from an incoming packet by including the pop-all-labels statement at the [edit interfaces interface-name (atm-options | fastether-options | gigether-options | sonet-options) mpls] hierarchy level:

[edit interfaces interface-name (atm-options | fastether-options | gigether-options | sonet-options) mpls]
pop-all-labels {
    required-depth [ numbers ];
}

By default, the pop-all-labels statement takes effect for incoming packets with one or two labels. You can specify the number of MPLS labels that an incoming packet must have for the pop-all-labels statement to take effect by including the required-depth statement at the [edit interfaces interface-name (atm-options | fastether-options | gigether-options | sonet-options) mpls pop-all-labels] hierarchy level:

[edit interfaces interface-name (atm-options | fastether-options | gigether-options | sonet-options) mpls pop-all-labels]
required-depth [ numbers ];

The required depth can be 1, 2, or [ 1 2 ]. If you include the required-depth 1 statement, the pop-all-labels statement takes effect for incoming packets with one label only. If you include the required-depth 2 statement, the pop-all-labels statement takes effect for incoming packets with two labels only. If you include the required-depth [ 1 2 ] statement, the pop-all-labels statement takes effect for incoming packets with one or two labels. A required depth of [ 1 2 ] is equivalent to the default behavior of the pop-all-labels statement.

When you remove MPLS labels from incoming packets, note the following:

Example: Enabling Passive Flow Monitoring

The following example shows a complete configuration for enabling passive flow monitoring on an Ethernet interface.

In this example, the Gigabit Ethernet interface can accept all Ethernet packets. It strips VLAN tags (if there are any) and up to two MPLS labels blindly, and passes IPv4 packets to the monitoring interface. With this configuration, it can monitor IPv4, VLAN+IPv4, VLAN+MPLS+IPv4, and VLAN+MPLS+MPLS+IPv4 labeled packets.

The Fast Ethernet interface can accept only packets with VLAN ID 100. All other packets are dropped. With this configuration, it can monitor VLAN (ID=100)+IPv4, VLAN (ID=100)+MPLS+IPv4, and VLAN (ID=100)+MPLS+MPLS+IPv4 labeled packets.

[edit firewall]
family inet {
    filter input-monitoring-filter {
        term def {
            then {
                count counter;
                accept;
            }
        }
    }
}
[edit interfaces]
ge-0/0/0 {
    passive-monitor-mode;
    gigether-options {
        mpls {
            pop-all-labels;
        }
    }
    unit 0 {
        family inet {
            filter {
                input input-monitoring-filter;
            }
        }
    }
}
fe-0/1/0 {
    passive-monitor-mode;
    vlan-tagging;
    fastether-options {
        mpls {
            pop-all-labels required-depth [ 1 2 ];
        }
    }
    unit 0 {
        vlan-id 100;
        family inet {
            filter {
                input input-monitoring-filter;
            }
        }
    }
}
mo-1/0/0 {
    unit 0 {
        family inet {
            receive-options-packets;
            receive-ttl-exceeded;
        }
    }
    unit 1 {
        family inet;
    }
}
[edit forwarding-options]
monitoring mon1 {
    family inet {
        output {
            export-format cflowd-version-5;
            cflowd 50.0.0.2 port 2055;
            interface mo-1/0/0.0 {
                source-address 50.0.0.1;
            }
        }
    }
}
[edit routing-instances]
monitoring-vrf {
    instance-type vrf;
    interface ge-0/0/0.0;
    interface fe-0/1/0.0;
    interface mo-1/0/0.1;
    route-distinguisher 68:1;
    vrf-import monitoring-vrf-import;
    vrf-export monitoring-vrf-export;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop mo-1/0/0.1;
        }
    }
}
[edit policy-options]
policy-statement monitoring-vrf-import {
    then {
        reject;
    }
}
policy-statement monitoring-vrf-export {
    then {
        reject;
    }
}
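
The coverage rules described in this section, modeled as an added example (not Juniper code and not part of the original page): for the two monitored ports in the configuration above, it reports which VLAN and MPLS encapsulations reach the monitoring interface and which are lost without being counted. The class, function, and variable names and the sample traffic list are constructed for illustration; treating a label depth outside required-depth as a discard is an assumption that follows from the default discard behavior stated above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class MonitoredPort:
    """Settings of one passive-monitor-mode interface (a model, not Junos code)."""
    name: str
    vlan_id: Optional[int] = None              # None: no vlan-id on the unit
    pop_all_labels: bool = False
    required_depth: Tuple[int, ...] = (1, 2)   # default stated on the page


def verdict(port: MonitoredPort, vlan: Optional[int], mpls_labels: int) -> str:
    """Return 'monitored' or the reason an IPv4 packet is never monitored.

    vlan        -- VLAN ID carried by the frame, or None if untagged
    mpls_labels -- number of MPLS labels in front of the IPv4 header
    """
    # A unit with vlan-id accepts only that VLAN; all other packets are dropped.
    if port.vlan_id is not None and vlan != port.vlan_id:
        return "dropped: VLAN ID does not match unit"
    if mpls_labels == 0:
        return "monitored"
    # Labeled packets that reach the monitoring PIC are discarded by default.
    if not port.pop_all_labels:
        return "discarded: MPLS labels not removed"
    # required-depth only takes 1 and 2, so deeper stacks are never popped.
    if mpls_labels not in port.required_depth:
        return "discarded: label depth not in required-depth"
    return "monitored"


def blind_spots(port: MonitoredPort, frames: List[Tuple[Optional[int], int]]):
    """List the (vlan, label count) combinations the port cannot monitor."""
    return [(v, n) for v, n in frames if verdict(port, v, n) != "monitored"]


# The two monitored ports from the example configuration.
GE = MonitoredPort("ge-0/0/0", pop_all_labels=True)
FE = MonitoredPort("fe-0/1/0", vlan_id=100, pop_all_labels=True,
                   required_depth=(1, 2))

# Constructed traffic mix: (VLAN ID or None, number of MPLS labels).
FRAMES = [(None, 0), (100, 0), (100, 1), (100, 2), (200, 1), (100, 3)]

if __name__ == "__main__":
    for port in (GE, FE):
        print(port.name, "blind spots:", blind_spots(port, FRAMES))
```

Comparing the firewall filter counter against the traffic expected on the tapped link is one way to confirm that the combinations listed as blind spots are in fact absent from the exported flow records.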
