Passive Flow Monitoring Router and Software Considerations for T Series, M Series and MX Series Routers
There are several hardware and software considerations when you implement passive flow monitoring. When defining the hardware requirements of the monitoring station, keep in mind the following:
- The input interfaces on the monitoring station must be SONET/SDH interfaces (OC3, OC12, or OC48), ATM2 IQ interfaces (OC3 or OC12), 4-port Fast Ethernet interfaces, Gigabit Ethernet interfaces with SFP (4-port or 10-port), or 1-port 10-Gigabit Ethernet interfaces with XENPAK.
- To monitor the flows in both directions for a single interface, the monitoring station must have two SONET/SDH, ATM2 IQ, or Ethernet-based receive ports, one for each direction of flow. In Passive Flow Monitoring Application Topology, the monitoring station needs one port to monitor the traffic flowing from Router 1 to Router 2, and a second port to monitor the traffic flowing from Router 2 to Router 1.
- The Monitoring Services PICs must be installed in a Type 1 enhanced FPC slot.
- Type 1 and Type 2 Tunnel Services PICs are supported.
- Use an ES PIC to encrypt the flow export.
- Symmetric hashing is not supported on the MPC10 and MPC11 line cards. Choose a different MPC line card if you need symmetric hashing together with passive monitoring.
- You can configure passive monitoring only on a physical port, not on a logical interface or per VLAN. You cannot configure passive monitoring on an aggregated Ethernet port or on a port with Ethernet encapsulation.
- IDS servers must be directly connected to the router. You must configure the interfaces connecting to the IDS servers as part of a link aggregation group (LAG), and configure static routes to direct the packets to an IDS server.
When defining a traffic monitoring strategy, keep in mind the following:
- The monitoring station collects only IPv4 packets. All other packet formats are discarded and not counted.
- You can set the amount of time a data flow can be inactive before the monitoring station terminates the flow and exports the flow data. To set the timer, include the `flow-inactive-timeout` statement at the `[edit forwarding-options monitoring group-name family inet output]` hierarchy level. The timer value can be from 15 seconds through 1800 seconds, with a default value of 60 seconds.
  You can also configure the monitoring station to collect periodic flow reports for flows that last longer than the configured active timeout. To set this activity timer, include the `flow-active-timeout` statement at the `[edit forwarding-options monitoring group-name family inet output]` hierarchy level. The timer value can be from 60 seconds through 1800 seconds, with a default value of 180 seconds.
- Multiple expired flows are exported together, if possible. A UDP packet is sent when one of the following conditions is met:
  - When 30 flows are contained in the current packet, the flows are exported.
  - If there are fewer than 30 flows but the export timer expires, the flows are exported one second after the timer expires.
- TCP and UDP flows are treated differently:
  - TCP flows watch for a segment containing the FIN bit and a subsequent acknowledgement (ACK) to detect the end of a flow. Alternatively, a TCP reset (RST) can also indicate the end of a flow. When either of these TCP combinations is detected, the flow expires. The FIN+ACK and RST cases cover most TCP stream closures; all other flows need an inactive timeout.
  - All non-TCP flows, such as UDP, depend on timeout mechanisms for export.
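To make the expiry rules concrete, here is an added model (not Juniper code) of how a collector could decide when a flow is done: the inactive and active timers with the ranges given above, FIN-then-ACK or RST detection for TCP, timeout-only expiry for everything else, and batching of 30 flows per export packet. Flow keys, timestamps and flag values are constructed for the example, and FIN and its ACK are assumed to be seen within the same unidirectional flow.

```python
"""Constructed model of the flow-expiry rules on this page; an added
illustration, not Juniper code. Sample keys/timestamps are made up."""
from dataclasses import dataclass

FIN, RST, ACK = 0x01, 0x04, 0x10   # standard TCP flag bits
FLOWS_PER_PACKET = 30              # an export packet is sent once it holds 30 flows

@dataclass
class Flow:
    key: tuple          # (src, dst, proto, sport, dport)
    first_seen: float
    last_seen: float
    packets: int = 0
    fin_seen: bool = False

class FlowTable:
    def __init__(self, inactive_timeout=60, active_timeout=180):
        # value ranges documented above: 15-1800 s inactive, 60-1800 s active
        assert 15 <= inactive_timeout <= 1800 and 60 <= active_timeout <= 1800
        self.inactive_timeout, self.active_timeout = inactive_timeout, active_timeout
        self.flows, self.records = {}, []   # records: (key, packets, reason)

    def packet(self, ts, key, tcp_flags=0):
        f = self.flows.setdefault(key, Flow(key, ts, ts))
        f.last_seen, f.packets = ts, f.packets + 1
        if key[2] == 6:  # TCP: RST, or an ACK following an earlier FIN, ends the flow
            if tcp_flags & RST or (f.fin_seen and tcp_flags & ACK):
                self._export(key, "tcp-close")
            elif tcp_flags & FIN:
                f.fin_seen = True
        # all other protocols (e.g. UDP) rely solely on the timeouts in tick()

    def tick(self, now):
        """Apply the inactive and active timers at wall-clock time `now`."""
        for key, f in list(self.flows.items()):
            if now - f.last_seen >= self.inactive_timeout:
                self._export(key, "inactive")
            elif now - f.first_seen >= self.active_timeout:
                # long-lived flow: emit a periodic report and keep tracking it
                self.records.append((key, f.packets, "active"))
                f.first_seen, f.packets = now, 0

    def _export(self, key, reason):
        f = self.flows.pop(key)
        self.records.append((key, f.packets, reason))

def export_packets(records):
    """Group expired-flow records into export packets of at most 30 flows each."""
    return [records[i:i + FLOWS_PER_PACKET] for i in range(0, len(records), FLOWS_PER_PACKET)]
```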
- The default MTU value for SONET/SDH interfaces is 4474 bytes; for Gigabit Ethernet and Fast Ethernet interfaces, it is 1500 bytes. If the monitoring station receives packets exceeding 4474 bytes, they are discarded; no fragmentation is performed. Note that the supported MTU size on the Gigabit Ethernet or Fast Ethernet PICs might exceed 1500 bytes, depending on the type of PIC.
- Any incoming traffic that is discarded is not forwarded to packet analyzers.
- The interfaces on the monitoring station that collect intercepted traffic must be configured with Cisco HDLC or PPP encapsulation.
- You must always use a standard interface (for example, one that follows the usual interface-name-fpc/pic/slot format) to send flow records to a flow server. Flow data generated by the Monitoring Services or Monitoring Services II PICs will not be delivered to the server across the fxp0 interface.
- You can send version 5 records to multiple flow servers. You can configure up to eight servers, and flow traffic is load-balanced between the servers in a round-robin fashion. If one of the servers ceases operation, flow traffic load-balances automatically between the remaining active servers. To configure this, include up to eight `flow-server` statements at the `[edit forwarding-options monitoring group-name output]` hierarchy level.