- play_arrow Flow Monitoring and Flow Collection Services
- play_arrow Understanding Flow Monitoring
- play_arrow Monitoring Traffic Using Active Flow Monitoring
- Configuring Active Flow Monitoring
- Active Flow Monitoring System Requirements
- Active Flow Monitoring Applications
- Active Flow Monitoring PIC Specifications
- Active Flow Monitoring Overview
- Active Flow Monitoring Overview
- Example: Configuring Active Monitoring on an M, MX or T Series Router’s Logical System
- Example: Configuring Flow Monitoring on an MX Series Router with MS-MIC and MS-MPC
- Configuring Services Interface Redundancy with Flow Monitoring
- Configuring Inline Active Flow Monitoring Using Routers, Switches or NFX250
- Configuring Flow Offloading on MX Series Routers
- Configuring Active Flow Monitoring on PTX Series Packet Transport Routers
- Configuring Actively Monitored Interfaces on M, MX and T Series Routers
- Collecting Flow Records
- Configuring M, MX and T Series Routers for Discard Accounting with an Accounting Group
- Configuring M, MX and T Series Routers for Discard Accounting with a Sampling Group
- Configuring M, MX and T Series Routers for Discard Accounting with a Template
- Defining a Firewall Filter on M, MX and T Series Routers to Select Traffic for Active Flow Monitoring
- Processing IPv4 traffic on an M, MX or T Series Router Using Monitoring services, Adaptive services or Multiservices Interfaces
- Replicating M, MX and T Series Routing Engine-Based Sampling to Multiple Flow Servers
- Replicating Version 9 Flow Aggregation From M, MX and T Series Routers to Multiple Flow Servers
- Configuring Routing Engine-Based Sampling on M, MX and T Series Routers for Export to Multiple Flow Servers
- Example: Copying Traffic to a PIC While an M, MX or T Series Router Forwards the Packet to the Original Destination
- Configuring an Aggregate Export Timer on M, MX and T Series Routers for Version 8 Records
- Example: Sampling Configuration for M, MX and T Series Routers
- Associating Sampling Instances for Active Flow Monitoring with a Specific FPC, MPC, or DPC
- Example: Sampling Instance Configuration
- Example: Sampling and Discard Accounting Configuration on M, MX and T Series Routers
- play_arrow Monitoring Traffic Using Passive Flow Monitoring
- Passive Flow Monitoring Overview
- Passive Flow Monitoring System Requirements for T Series, M Series and MX Series Routers
- Passive Flow Monitoring Router and Software Considerations for T Series, M Series and MX Series Routers
- Understanding Passive Flow Monitoring on T Series, M Series and MX Series Routers
- Enabling Passive Flow Monitoring on M Series, MX Series or T Series Routers
- Configuring Passive Flow Monitoring
- Example: Passive Flow Monitoring Configuration on M, MX and T Series Routers
- Configuring a Routing Table Group on an M, MX or T Series Router to Add Interface Routes into the Forwarding Instance
- Using IPSec and an ES PIC on an M, MX or T Series Router to Send Encrypted Traffic to a Packet Analyzer
- Applying a Firewall Filter Output Interface on an M, MX or T Series Router to Port-mirror Traffic to PICs or Flow Collection Services
- Monitoring Traffic on a Router with a VRF Instance and a Monitoring Group
- Specifying a Firewall Filter on an M, MX or T Series Router to Select Traffic to Monitor
- Configuring Input Interfaces, Monitoring Services Interfaces and Export Interfaces on M, MX or T Series Routers
- Establishing a VRF Instance on an M, MX or T Series Router for Monitored Traffic
- Configuring a Monitoring Group on an M, MX or T Series Router to Send Traffic to the Flow Server
- Configuring Policy Options on M, MX or T Series Routers
- Stripping MPLS Labels on ATM, Ethernet-Based and SONET/SDH Router Interfaces
- Using an M, MX or T Series Router Flow Collector Interface to Process and Export Multiple Flow Records
- Example: Configuring a Flow Collector Interface on an M, MX or T Series Router
- play_arrow Processing and Exporting Multiple Records Using Flow Collection
- play_arrow Logging Flow Monitoring Records with Version 9 and IPFIX Templates for NAT Events
- Understanding NAT Event Logging in Flow Monitoring Format on an MX Series Router or NFX250
- Configure Active Flow Monitoring Logs for NAT44/NAT64
- Configuring Log Generation of NAT Events in Flow Monitoring Record Format on an MX Series Router or NFX250
- Exporting Syslog Messages to an External Host Without Flow Monitoring Formats Using an MX Series Router or NFX250
- Exporting Version 9 Flow Data Records to a Log Collector Overview Using an MX Series Router or NFX250
- Understanding Exporting IPFIX Flow Data Records to a Log Collector Using an MX Series Router or NFX250
- Mapping Between Field Values for Version 9 Flow Templates and Logs Exported From an MX-Series Router or NFX250
- Mapping Between Field Values for IPFIX Flow Templates and Logs Exported From an MX Series Router or NFX250
- Monitoring NAT Events on MX Series Routers by Logging NAT Operations in Flow Template Formats
- Example: Configuring Logs in Flow Monitoring Format for NAT Events on MX Series Routers for Troubleshooting
-
- play_arrow Flow Capture Services
- play_arrow Dynamically Capturing Packet Flows Using Junos Capture Vision
- play_arrow Detecting Threats and Intercepting Flows Using Junos Flow-Tap and FlowTapLite Services
- Understanding the FlowTap and FlowTapLite Services
- Understanding FlowTap and FlowTapLite Architecture
- Configuring the FlowTap Service on MX Series Routers
- Configuring a FlowTap Interface on MX Series Routers
- Configuring FlowTap and FlowTapLite Security Properties
- FlowTap and FlowTapLite Application Restrictions
- Examples: Configuring the FlowTapLite Application on MX Series and ACX Series Routers
- Configuring FlowTapLite on MX Series Routers and M320 Routers with FPCs
-
- play_arrow Inline Monitoring Services and Inband Network Telemetry
- play_arrow Inline Monitoring Services
- play_arrow Flow-Based Telemetry
- play_arrow Inband Flow Analyzer 2.0
- play_arrow Juniper Resiliency Interface
-
- play_arrow Sampling and Discard Accounting Services
- play_arrow Sampling Data Using Traffic Sampling and Discard Accounting
- play_arrow Sampling Data Using Inline Sampling
- Understand Inline Active Flow Monitoring
- Configuring Inline Active Flow Monitoring Using Routers, Switches or NFX250
- Configuring Inline Active Flow Monitoring on MX80 and MX104 Routers
- Configuring Inline Active Flow Monitoring on PTX Series Routers
- Inline Active Flow Monitoring of MPLS-over-UDP Flows on PTX Series Routers
- Inline Active Flow Monitoring on IRB Interfaces
- Example: Configuring Inline Active Flow Monitoring on MX Series and T4000 Routers
- play_arrow Sampling Data Using Flow Aggregation
- Understanding Flow Aggregation
- Enabling Flow Aggregation
- Configuring Flow Aggregation on MX, M and T Series Routers and NFX250 to Use Version 5 or Version 8 cflowd
- Configuring Flow Aggregation on MX, M, vMX and T Series Routers and NFX250 to Use Version 9 Flow Templates
- Configuring Flow Aggregation on PTX Series Routers to Use Version 9 Flow Templates
- Configuring Inline Active Flow Monitoring to Use IPFIX Flow Templates on MX, vMX and T Series Routers, EX Series Switches, NFX Series Devices, and SRX Series Firewalls
- Configuring Flow Aggregation to Use IPFIX Flow Templates on PTX Series Routers
- Configuring Observation Domain ID and Source ID for Version 9 and IPFIX Flows
- Configuring Template ID and Options Template ID for Version 9 and IPFIX Flows
- Including Fragmentation Identifier and IPv6 Extension Header Elements in IPFIX Templates on MX Series Routers
- Directing Replicated Flows from M and T Series Routers to Multiple Flow Servers
- Logging cflowd Flows on M and T Series Routers Before Export
- Configuring Next-Hop Address Learning on MX Series and PTX Series Routers for Destinations Accessible Over Multiple Paths
-
- play_arrow Configuration Statements and Operational Commands
Example: Configuring TWAMP Client and Server for SRX Series Firewalls
This example shows how to configure the Two-Way Active Measurement Protocol (TWAMP) client and TWAMP server.
Our content testing team has validated and updated this example.
Requirements
This example uses the following hardware and software components:
SRX Series Firewall.
Junos OS Release 18.1R1 and later releases.
Updated and revalidated using vMX on Junos OS Release 22.2R1.
Before you begin configuring TWAMP client and TWAMP server, ensure that you have read Understand Two-Way Active Measurement Protocol to understand how this task fits into the overall configuration process.
Overview
The TWAMP is an open protocol for measuring network performance between any two devices in a network that supports the TWAMP protocol. The TWAMP consists of TWAMP-Control protocol and TWAMP-Test protocol. The TWAMP-Control protocol is used to initiate, start and stop the test sessions between the control client. The TWAMP-Test protocol used to exchange the test packets between the session sender and the session reflector.
Figure 1 shows the TWAMP architecture composed of the following entities that are responsible for starting a monitoring session and exchanging packets:
The control client initiates all requested test sessions with a start sessions message, and the TWAMP server acknowledges. When necessary, the control client sends a message to stop all test sessions.
The session sender and the session reflector exchange test packets according to the TWAMP-Test protocol for each active session. On receiving a TWAMP-Test packet, the session reflector reflects a measurement packet and does not collect any packet statistics in TWAMP.
The TWAMP server is an end system that manages one or more TWAMP sessions and capable of configuring per-session ports. The TWAMP server listens to the TCP port. The session reflector and TWAMP server make up the TWAMP responder in an IP service-level agreement operation.
For Junos OS Release 18.1R1, both the control client and session sender resides on the same device. The client design does not mandate the TWAMP server and the session reflector to be on the same system. Hence, the Juniper TWAMP client is also capable of working with a third-party server implementation.
Configuring the TWAMP Client for SRX Series Firewalls
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI, at the [edit] hierarchy level, and then enter commit from configuration mode.
set system host-name R1 set services rpm twamp client control-connection c1 target-address 10.0.12.2 set services rpm twamp client control-connection c1 test-session t1 target-address 10.0.12.2 set services rpm twamp client control-connection c1 test-session t1 probe-count 2000 set security policies default-policy permit-all set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/0.0 set interfaces ge-0/0/0 unit 0 description "To Server R2" set interfaces ge-0/0/0 unit 0 family inet address 10.0.12.1/24 set interfaces lo0 unit 0 family inet address 192.168.0.1/32
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy.
To configure the TWAMP Client:
Configure the client device host name as R1.
content_copy zoom_out_map[edit system] user@R1# set host-name R1
Configure Device R1 interfaces.
content_copy zoom_out_map[edit interfaces] user@R1# set ge-0/0/0 unit 0 description "To Server R2" user@R1# set ge-0/0/0 unit 0 family inet address 10.0.12.1/24 user@R1# set lo0 unit 0 family inet address 192.168.0.1/32
Enable traffic flow and system services to run on Device R1, which is otherwise dropped by default.
content_copy zoom_out_map[edit security zones] user@R1# set security-zone trust host-inbound-traffic system-services all user@R1# set security-zone trust host-inbound-traffic protocols all user@R1# set security-zone trust interfaces ge-0/0/0.0
Configure the control session from Device R1 to Device R2.
content_copy zoom_out_map[edit services] user@R1# set rpm twamp client control-connection c1 target-address 10.0.12.2
Configure the test session from Device R1 to Device R2 for collecting probe results.
content_copy zoom_out_map[edit services] user@R1# set rpm twamp client control-connection c1 test-session t1 target-address 10.0.12.2 user@R1# set rpm twamp client control-connection c1 test-session t1 probe-count 2000
Results
From the configuration mode on Device R1, confirm your configuration by
entering the show | no-more command. If the output does not
display the intended configuration, repeat the instructions in this example
to correct the configuration.
[edit]
user@R1# show | no-more
system {
host-name R1;
}
services {
rpm {
twamp {
client {
control-connection c1 {
target-address 10.0.12.2;
test-session t1 {
target-address 10.0.12.2;
probe-count 2000;
}
}
}
}
}
}
security {
policies {
default-policy {
permit-all;
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
description "To Server R2";
family inet {
address 10.0.12.1/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 192.168.0.1/32;
}
}
}
}Configuring the TWAMP Server for SRX Series Firewalls
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI, at the [edit] hierarchy level, and then enter commit from configuration mode.
set system host-name R2 set services rpm twamp server authentication-mode none set services rpm twamp server client-list client1 address 10.0.12.1/24 set security policies default-policy permit-all set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/0.0 set interfaces ge-0/0/0 unit 0 description "To Client R1" set interfaces ge-0/0/0 unit 0 family inet address 10.0.12.2/24 set interfaces lo0 unit 0 family inet address 192.168.0.2/32
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy.
To configure the TWAMP Server:
Configure the server device host name as R2.
content_copy zoom_out_map[edit system] user@R2# set host-name R2
Configure Device R2 interfaces.
content_copy zoom_out_map[edit interfaces] user@R2# set ge-0/0/0 unit 0 description "To Client R1" user@R2# set ge-0/0/0 unit 0 family inet address 10.0.12.2/24 user@R2# set lo0 unit 0 family inet address 192.168.0.2/32
Enable traffic flow and system services to run on Device R2, which is otherwise dropped by default.
content_copy zoom_out_map[edit security zones] user@R2# set security-zone trust host-inbound-traffic system-services all user@R2# set security-zone trust host-inbound-traffic protocols all user@R2# set security-zone trust interfaces ge-0/0/0.0
Configure the client attributes for Device R2 to connect with Device R1.
content_copy zoom_out_map[edit services] user@R2# set rpm twamp server authentication-mode none user@R2# set rpm twamp server client-list client1 address 10.0.12.1/24
Results
From the configuration mode on R2, confirm your configuration by entering the
show | no-more command. If the output does not display
the intended configuration, repeat the instructions in this example to
correct the configuration.
[edit]
user@R2# show | no-more
system {
host-name R2;
}
services {
rpm {
twamp {
server {
authentication-mode none;
client-list client1 {
address {
10.0.12.1/24;
}
}
}
}
}
}
security {
policies {
default-policy {
permit-all;
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
description "To Client R1";
family inet {
address 10.0.12.2/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 192.168.0.2/32;
}
}
}
}Verification
Confirm that the configuration is working properly.
Verifying TWAMP Client Sessions
Purpose
Verify that the TWAMP client sessions are established on Device R1.
Action
From operational mode, enter the show services rpm twamp client
session command.
user@R1>show services rpm twamp client session Connection Session Sender Sender Reflector Reflector Name Name address port address port c1 t1 10.0.12.1 10010 10.0.12.2 10010
Meaning
The configured control and test sessions (c1 and t1, respectively) are established on Device R1.
Verifying TWAMP Server Sessions
Purpose
Verify that the TWAMP server sessions are established on Device R2.
Action
From operational mode, enter the show services rpm twamp server
session command.
user@R2>show services rpm twamp server session
Session Connection Sender Sender Reflector Reflector Session Auth
ID ID address port address port state mode
11 2 10.0.12.1 10010 10.0.12.2 10010 Active UnauthenticatedMeaning
The server session on Device R2 is active with Device R1 as the sender and Device R2 as the reflector.
Verifying Test Session Results
Purpose
Verify that the TWAMP test sessions on Device R1.
Action
From operational mode, enter the show services rpm twamp client
probe-results command.
user@R1> show services rpm twamp client probe-results
Owner: c1, Test: t1
server-address: 10.0.12.2, server-port: 862, Client address: 10.0.12.1, Client port: 60732
TWAMP-Server-Status: Connected, Number-Of-Retries-With-TWAMP-Server: 38
Reflector address: 10.0.12.2, Reflector port: 10011, Sender address: 10.0.12.1, sender-port: 10011
Test size: 2000 probes
Probe results:
Response received
Probe sent time: Fri Nov 25 03:18:34 2022
Probe rcvd/timeout time: Fri Nov 25 03:18:34 2022
Rtt: 718 usec, Ingress time: 134 usec, Egress time: 584 usec, Egress jitter: 48 usec, Ingress jitter: 15 usec,
Round trip jitter: 63 usec
Egress interarrival jitter: 58 usec, Ingress interarrival jitter: 40 usec, Round trip interarrival jitter: 80 usec
...(output truncated for brevity)...Meaning
The probe-results of the TWAMP test session is generated. This shows that the client-server connection is established successfully.
