Configuring Input Interfaces, Monitoring Services Interfaces and Export Interfaces on M, MX or T Series Routers
After creating the input filter, you need to configure
the interfaces where traffic will enter the router. To enable passive
flow monitoring for SONET/SDH input interfaces, include the passive-monitor-mode
statement at the [edit interfaces so-fpc/pic/port unit unit-number]
hierarchy level. This mode prevents
the router from participating in the network as an active device.
On SONET/SDH interfaces, passive monitor mode suppresses SONET keepalives.
For ATM2 IQ interfaces, passive monitor mode suppresses
the sending and receiving of ATM Operations, Administration, and Maintenance
(OAM) and Integrated Local Management Interface (ILMI) control messages.
To enable passive flow monitoring for ATM2 IQ input interfaces, include
the passive-monitor-mode statement at the [edit interfaces at-fpc/pic/port]
hierarchy level. ATM passive monitoring supports the following
interface encapsulation types: Cisco-compatible ATM Network Layer
Protocol ID (NLPID) (atm-cisco-nlpid), ATM NLPID (atm-nlpid), ATM
Point-to-Point Protocol (PPP) over ATM Adaptation Layer 5
(AAL5)/logical link control (LLC) (atm-ppp-llc), ATM PPP
over raw AAL5 (atm-ppp-vc-mux), ATM LLC/subnetwork attachment
point (SNAP) (atm-snap), and ATM virtual circuit (VC) multiplexing
(atm-vc-mux).
Ethernet-based interfaces support both per-port
passive monitoring and per-VLAN passive monitoring. For Fast Ethernet
interfaces, include the passive-monitor-mode statement
at the [edit interfaces fe-fpc/pic/port] hierarchy level.
For Gigabit Ethernet interfaces, include the passive-monitor-mode
statement at the [edit interfaces ge-fpc/pic/port] hierarchy
level. On Ethernet-based interfaces, passive monitor mode disables
the Routing Engine from receiving packets and prevents the routing
table from transmitting packets. You can verify this by checking for
the No-receive and No-transmit interface flags
in the output of the show interfaces (fe | ge)-fpc/pic/port
command.
The following restrictions apply to passive flow monitoring on Ethernet-based interfaces:
- No special encapsulation types are allowed, so you must configure Ethernet encapsulations only.
- When you configure the passive-monitor-mode statement, destination MAC address filters applied to incoming interfaces are disabled by default.
- The flow-control statement at the [edit interfaces ge-fpc/pic/port gigether-options] or [edit interfaces fe-fpc/pic/port fastether-options] hierarchy level does not work when passive flow monitoring is enabled.
In addition to passive monitor mode, apply the
previously defined firewall filter to the interface with the filter
statement at the [edit interfaces interface-name-fpc/pic/port unit unit-number family inet]
hierarchy level:
[edit]
interfaces {
    so-0/0/0 {
        description "SONET/SDH input interface";
        encapsulation ppp;
        unit 0 {
            passive-monitor-mode;
            family inet {
                filter {
                    input input-monitoring-filter;
                }
            }
        }
    }
    at-1/0/0 {
        description "ATM2 IQ input interface";
        passive-monitor-mode;
        atm-options {
            pic-type atm2;
            vpi 0 {
                maximum-vcs 255;
            }
        }
        unit 0 {
            encapsulation atm-snap;
            vci 0.100;
            family inet {
                filter {
                    input input-monitoring-filter;
                }
            }
        }
    }
    ge-2/0/0 {
        description "Gigabit Ethernet input interface";
        passive-monitor-mode;
        unit 0 {
            family inet {
                filter {
                    input input-monitoring-filter;
                }
            }
        }
    }
}
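The placement rules and restrictions above can be checked mechanically before a configuration is committed. The following Python check is an added example, not part of the original page or of any Juniper tool; the function names, the inputs parameter and the sample configuration are assumptions made for illustration.

```python
import re

# ATM encapsulations the page lists as supported for passive monitoring.
ATM_ENCAPS = {"atm-cisco-nlpid", "atm-nlpid", "atm-ppp-llc",
              "atm-ppp-vc-mux", "atm-snap", "atm-vc-mux"}

def parse(text):
    """Parse curly-brace Junos config into nested dicts; leaf statements map to None."""
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "}":
            stack.pop()
        elif tok not in ("{", ";"):
            words.append(tok)
        else:
            key, words = " ".join(words), []
            if tok == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = None
    return stack[0]

def lint(config, inputs):
    """Check the interfaces named in `inputs` (assumed parameter) against the rules above."""
    findings, interfaces = [], parse(config).get("interfaces") or {}
    for name in inputs:
        ifc, kind = interfaces.get(name) or {}, name.split("-")[0]
        units = {k: v or {} for k, v in ifc.items() if k.startswith("unit ")}
        # SONET/SDH takes the statement under each unit; at-, fe-, ge- at interface level.
        scopes = list(units.values()) if kind == "so" else [ifc]
        if not scopes or not all("passive-monitor-mode" in s for s in scopes):
            findings.append(f"{name}: passive-monitor-mode missing or at wrong level")
        for opts in ("gigether-options", "fastether-options"):
            if "flow-control" in (ifc.get(opts) or {}):
                findings.append(f"{name}: flow-control does not work with passive monitoring")
        for uname, u in units.items():
            enc = [k.split()[1] for k in u if k.startswith("encapsulation ")]
            if kind == "at" and not set(enc) & ATM_ENCAPS:
                findings.append(f"{name} {uname}: ATM encapsulation not in supported list")
            filt = (u.get("family inet") or {}).get("filter") or {}
            if not any(k.startswith("input ") for k in filt):
                findings.append(f"{name} {uname}: no input filter under family inet")
    return findings

# Constructed sample: ge-2/0/0 has the statement under the unit and sets flow-control.
SAMPLE = """interfaces {
  so-0/0/0 { encapsulation ppp; unit 0 { passive-monitor-mode;
    family inet { filter { input input-monitoring-filter; } } } }
  ge-2/0/0 { gigether-options { flow-control; }
    unit 0 { passive-monitor-mode; family inet; } } }"""
```

Calling lint(SAMPLE, ["so-0/0/0", "ge-2/0/0"]) returns three findings, all for ge-2/0/0; the SONET/SDH interface passes.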
Configure the interfaces on the Monitoring Services
PIC or Monitoring Services II PIC with the family inet statement
at the [edit interfaces mo-fpc/pic/port unit unit-number]
hierarchy level. The statement allows the interfaces to process
IPv4 traffic received from the input interfaces.
When you use VRF instances, you need to configure two logical interfaces. The first (unit 0) is part of the inet.0 routing table and sources the flow packets. The second (unit 1) is configured as part of the VRF instance so the monitoring services interface can serve as a valid next hop for packets received in the instance.
You can also capture options packets and time-to-live
(TTL) exceeded information when the monitoring services interface
processes flow records. To configure, include the receive-options-packets
and receive-ttl-exceeded statements at the
[edit interfaces mo-fpc/pic/port unit unit-number family inet]
hierarchy level:
[edit]
interfaces {
    mo-4/0/0 {
        unit 0 {
            family inet {
                receive-options-packets;
                receive-ttl-exceeded;
            }
        }
        unit 1 {
            family inet;
        }
    }
    mo-4/1/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
    mo-4/2/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
    mo-4/3/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
}
You must also configure the export interface where flow packets exit the monitoring station and are sent to the flow server.
On output interfaces, you can apply a firewall
filter that leads to a filter-based forwarding routing instance. This
is useful if you want to port-mirror traffic to multiple Monitoring
Services PICs or flow collection services interfaces. To configure,
include the output statement at the
[edit interfaces interface-name unit logical-unit-number family inet filter]
hierarchy level. For more information, see Using Filter-Based Forwarding
to Export Monitored Traffic to Multiple Destinations.
[edit]
interfaces {
    fe-3/0/0 {
        description "export interface to flow server";
        unit 0 {
            family inet {
                address ip-address;
                filter {
                    output output-filter-name;
                }
            }
        }
    }
}