Active Flow Monitoring

Although the Monitoring Services PIC was designed initially for use as an offline passive flow monitoring tool, it can also be used in an active flow monitoring topology. In contrast, the AS or MultiServices PIC is designed exclusively for active flow monitoring. To use either the Monitoring Services PIC, AS PIC, or MultiServices PIC for active flow monitoring, you must install the PIC in an M-series or T-series router. The router participates in both the monitoring application and in the normal routing functionality of the network.

Specified packets can be filtered and sent to the monitoring interface. For the Monitoring Services PIC, the interface name contains the mo- prefix. For the AS or MultiServices PIC, the interface name contains the sp- prefix.

Note: If you upgrade from the Monitoring Services PIC to the Adaptive Services or MultiServices PIC for active flow monitoring, you must change the name of your monitoring interface from mo-fpc/pic/port to sp-fpc/pic/port.

The major active flow monitoring actions you can configure at the [edit forwarding-options] hierarchy level are as follows:

• Sampling, with the [edit forwarding-options sampling] hierarchy. This option sends a copy of the traffic stream to an AS or Monitoring Services PIC, which extracts limited information (such as the source and destination IP address) from some of the packets in a flow. The original packets are forwarded to the intended destination as usual.
• Discard accounting, with the [edit forwarding-options accounting] hierarchy. This option quarantines unwanted packets, creates cflowd records that describe the packets, and discards the packets instead of forwarding them.
• Port mirroring, with the [edit forwarding-options port-mirroring] hierarchy. This option makes one full copy of all packets in a flow and delivers the copy to a single destination. The original packets are forwarded to the intended destination.
• Multiple port mirroring, with the [edit forwarding-options next-hop-group] hierarchy. This option allows multiple copies of selected traffic to be delivered to multiple destinations. (Multiple port mirroring requires a Tunnel Services PIC.)

Unlike passive flow monitoring, you do not need to configure a monitoring group. Instead, you can send filtered packets to a monitoring services or adaptive services interface (mo- or sp-) by using sampling or discard accounting. Optionally, you can configure port mirroring or multiple port mirroring to direct packets to additional interfaces.

These active flow monitoring options provide a wide variety of actions that can be performed on network traffic flows. However, the following restrictions apply:

• The router can perform sampling or port mirroring at any one time.
• The router can perform forwarding or discard accounting at any one time.

Because the Monitoring Services, AS, and MultiServices PICs allow only one action to be performed at any one time, the following configuration options are available:

• Sampling and forwarding
• Sampling and discard accounting
• Port mirroring and forwarding
• Port mirroring and discard accounting
• Sampling and port mirroring on different sets of traffic

Figure 8 shows a sample topology.

Figure 8: Active Monitoring Configuration Topology

In Figure 8, traffic from Router 1 arrives on the monitoring router’s Gigabit Ethernet ge-2/3/0 interface. The exit interface on the monitoring router leading to destination Router 2 is ge-3/0/0, but this could be any interface type (such as SONET, Gigabit Ethernet, and so on). The export interface leading to the cflowd server is fe-1/0/0.

To enable active monitoring, configure a firewall filter on the interface ge-2/3/0 with the following match conditions:

• Traffic matching certain firewall conditions is sent to the Monitoring Services PIC using filter-based forwarding. This traffic is quarantined and not forwarded to other routers.
• All other traffic is port-mirrored to the Monitoring Services PIC. Port mirroring copies each packet and sends the copies to the port-mirroring next hop (in this case, a Monitoring Services PIC). The original packets are forwarded out of the router as usual.