Juniper Traffic Sampling User Manual

Junos® OS Traffic Sampling, Forwarding, and Monitoring User Guide

Published 2021-04-18

Juniper Networks, Inc. 1133 Innovation Way, Sunnyvale, California 94089 USA

408-745-2000 www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Junos® OS Traffic Sampling, Forwarding, and Monitoring User Guide

Copyright © 2021 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.



About This Guide

This guide provides information about traffic sampling, which allows you to sample IP traffic based on particular input interfaces and various fields in the packet header. You can also use traffic sampling to monitor interfaces, protocols, and addresses.

The guide also offers information about per-flow load balancing, port mirroring, and domain name system (DNS) or Trivial File Transfer Protocol (TFTP) forwarding.

Traffic sampling and forwarding are supported only on routers equipped with an Internet Processor II application-specific integrated circuit (ASIC). To determine whether a routing platform has an Internet Processor II ASIC, use the show chassis hardware command.

CHAPTER 1

Overview

Traffic Sampling, Forwarding, and Monitoring Overview

Traffic sampling allows you to sample IP traffic based on particular input interfaces and various fields in the packet header. You can also use traffic sampling to monitor any combination of specific logical interfaces, specific protocols on one or more interfaces, a range of addresses on a logical interface, or individual IP addresses. Information about the sampled packets is saved to files on the router's hard disk.

Traffic sampling is not meant to capture all packets received by a router. We do not recommend excessive sampling (a rate greater than 1/1000 packets), because it can increase the load on your processor. If you need to set a higher sampling rate to diagnose a particular problem or type of traffic received, we recommend that you revert to a lower sampling rate after you discover the problem or troublesome traffic. In addition, traffic sampling and forwarding are supported only on routers equipped with an Internet Processor II application-specific integrated circuit (ASIC). To determine whether a routing platform has an Internet Processor II ASIC, use the show chassis hardware command.

Junos OS supports both per-packet and per-flow load balancing. In Junos OS Release 9.0 and later, you can configure per-prefix load balancing. This feature enables the router to elect the next hop independent of the route chosen by other routers. The result is a better utilization of available links.

Likewise, you can configure Junos OS so that, for the active route, all next-hop addresses for a destination are installed in the forwarding table. This is called per-packet load balancing, which you can use to spread traffic across multiple paths between routers.

With forwarding policies, you can configure per-flow load balancing, port mirroring, and domain name system (DNS) or Trivial File Transfer Protocol (TFTP) forwarding.

Release History Table

Release   Description
9.0       In Junos OS Release 9.0 and later, you can configure per-prefix load balancing.

CHAPTER 2

Collecting Traffic Samples for Network Monitoring

Traffic Sampling Configuration

To configure traffic sampling, include the sampling statement at the [edit forwarding-options] hierarchy level:

[edit forwarding-options]
sampling {
    disable;
    family (inet | inet6 | mpls) {
        disable;
        output {
            aggregate-export-interval seconds;
            extension-service service-name;
            file {
                disable;
                filename filename;
                files number;
                size bytes;
                (stamp | no-stamp);
                (world-readable | no-world-readable);
            }
            flow-active-timeout seconds;
            flow-inactive-timeout seconds;
            flow-server hostname {
                aggregation {
                    autonomous-system;
                    destination-prefix;
                    protocol-port;
                    source-destination-prefix {
                        caida-compliant;
                    }
                    source-prefix;
                }
                autonomous-system-type (origin | peer);
                (local-dump | no-local-dump);
                port port-number;
                source-address address;
                version format;
                version9 {
                    template template-name;
                }
            }
            interface interface-name {
                engine-id number;
                engine-type number;
                source-address address;
            }
        }
    }
    input {
        max-packets-per-second number;
        maximum-packet-length bytes;
        rate number;
        run-length number;
    }
    traceoptions {
        file filename {
            files number;
            size bytes;
            (world-readable | no-world-readable);
        }
    }
}

Minimum Traffic Sampling Configuration

To configure traffic sampling, you must perform at least the following tasks:

1. Create a firewall filter to apply to the logical interfaces being sampled by including the filter statement at the [edit firewall family family-name] hierarchy level. In the filter then statement, you must specify the action modifier sample and the action accept.

[edit firewall family family-name]
filter filter-name {
    term term-name {
        then {
            sample;
            accept;
        }
    }
}

2. Apply the filter to the interfaces on which you want to sample traffic:

[edit interfaces]
interface-name {
    unit logical-unit-number {
        family family-name {
            filter {
                input filter-name;
            }
            address address {
                destination destination-address;
            }
        }
    }
}

3. Enable sampling and specify a nonzero sampling rate:

[edit forwarding-options]
sampling {
    input {
        rate number;
    }
}

Configuring Traffic Sampling

On routing platforms containing a Monitoring Services PIC or an Adaptive Services PIC, you can configure traffic sampling for traffic passing through the routing platform. In Junos OS Release 8.3 and later, you can also configure traffic sampling of MPLS traffic.

To configure traffic sampling on a logical interface:

1. Include the input statement at the [edit forwarding-options sampling] hierarchy level, for example:

[edit forwarding-options sampling]
input {
    max-packets-per-second number;
    maximum-packet-length bytes;
    rate number;
    run-length number;
}

In Junos OS Release 17.2R1, you can export flow records generated by inline flow monitoring to four collectors under a family with the same source IP address. The Packet Forwarding Engine (PFE) can export the flow record, flow record template, option data, and option data template packet to all configured collectors. You can configure the multiple collectors at the [edit forwarding-options sampling instance instance-name] hierarchy level.

NOTE: You cannot change the source IP address for collectors under the same family.

2. Specify the threshold traffic value by using the max-packets-per-second statement. The value is the maximum number of packets to be sampled, beyond which the sampling mechanism begins dropping packets. The range is 0 through 65,535. A value of 0 instructs the Packet Forwarding Engine not to sample any packets. The default value is 1000.

NOTE: This statement is not valid for port mirroring.

3. Specify the maximum length of the sampled packet by using the maximum-packet-length bytes statement. For bytes, specify a value.

NOTE: For MX-Series devices with Modular Port Concentrators (MPCs) and T4000 router with Type 5 FPC, port-mirrored or sampled packets can be truncated (or clipped) to any length in the range of 1 to 255 bytes. Only 1 to 255 are valid values for packet truncation on these devices. For other devices, the range is from 0 to 9216. A maximum-packet-length value of zero represents that truncation is disabled, and the entire packet is mirrored or sampled.

4. Specify the sampling rate by setting the values for rate and run-length (see Figure 1).

Figure 1: Configure Sampling Rate

The forwarding plane provides support for random sampling that can be configured through the rate or run-length statement. The rate statement sets the ratio of the number of packets to be sampled on an average. For example, if you configure a rate of 10, on average every tenth packet (1 packet out of 10) is sampled.

The run-length statement specifies the number of matching packets to sample following the initial one-packet trigger event. Configuring a run length greater than 0 allows you to sample packets following those already being sampled.

NOTE: The run-length statement is not supported on MX Series routers with Modular Port Concentrators (MPCs) and T4000 router with Type 5 FPC.

You can also send the sampled packets to a specified host using the cflowd version 5 and 8 formats or the version 9 format as defined in RFC 3954. For more information, see "Directing Traffic Sampling Output to a Server Running the cflowd Application" and "Collecting Traffic Sampling Output in the Cisco Systems NetFlow Services Export Version 9 Format".

Junos OS does not sample packets originating from the router. If you configure a sampling filter and apply it to the output side of an interface, then only the transit packets going through that interface are sampled. Packets that are sent from the Routing Engine to the Packet Forwarding Engine are not sampled.

When you apply a firewall filter to a loopback interface, the filter might block responses from the Monitoring Services PIC. To allow responses from the Monitoring Services PIC to pass through for sampling purposes, configure a term in the firewall filter to include the Monitoring Services PIC's IP address.

NOTE: Targeted broadcast does not work when the targeted broadcast option forward-and-send-to-re and the traffic sampling option sampling are configured on the same egress interface of an M320 router, a T640 router, or an MX960 router. To overcome this scenario, you must either disable one of these options or enable the sampling option with the targeted broadcast option forward-only on the egress interface. For information about targeted broadcast, see Understanding Targeted Broadcast.

RELATED DOCUMENTATION

Guidelines for Configuring Firewall Filters

Guidelines for Applying Standard Firewall Filters

Disabling Traffic Sampling

To explicitly disable traffic sampling on the router, include the disable statement at the [edit forwarding-options sampling] hierarchy level:

[edit forwarding-options sampling]
disable;

NOTE: The disable statement at the [edit forwarding-options sampling] hierarchy level disables only Routing Engine-based sampling. To disable PIC-based sampling and inline sampling, include the disable statement at the [edit forwarding-options sampling instance instance-name] hierarchy level.

Collecting Traffic Sampling Output in a File

You configure traffic sampling results to a file in the /var/tmp directory. To collect the sampled packets in a file, include the file statement at the [edit forwarding-options sampling output] hierarchy level:

[edit forwarding-options sampling family family-name output]
file <disable> filename filename <files number> <size bytes> <stamp | no-stamp> <world-readable | no-world-readable>;

To configure the period of time before an active flow is exported, include the flow-active-timeout statement at the [edit forwarding-options sampling output family (inet | inet6 | mpls)] hierarchy level:

[edit forwarding-options sampling family (inet | inet6 | mpls) output]
flow-active-timeout seconds;

To configure the period of time before a flow is considered inactive, include the flow-inactive-timeout statement at the [edit forwarding-options sampling output] hierarchy level:

[edit forwarding-options sampling family (inet | inet6 | mpls) output]
flow-inactive-timeout seconds;

To configure the interface that sends out monitored information, include the interface statement at the [edit forwarding-options sampling output] hierarchy level:

[edit forwarding-options sampling family (inet | inet6 | mpls) output]
interface interface-name {
    engine-id number;
    engine-type number;
    source-address address;
}

NOTE: This feature is not supported with the version 9 template format. You must send traffic flows collected using version 9 to a server. For more information, see "Collecting Traffic Sampling Output in the Cisco Systems NetFlow Services Export Version 9 Format".

Traffic Sampling Output Format

Traffic sampling output is saved to an ASCII text file. The following is an example of the traffic sampling output that is saved to a file in the /var/tmp directory. Each line in the output file contains information for one sampled packet. You can optionally display a timestamp for each line.

The column headers are repeated after each group of 1000 packets.

# Apr  7 15:48:50
           Time            Dest             Src  Dest   Src Proto  TOS  Pkt Intf   IP   TCP
                           addr            addr  port  port             len  num frag flags
Apr  7 15:48:54   192.168.9.194   192.168.9.195     0     0     1  0x0   84    8  0x0   0x0
Apr  7 15:48:55   192.168.9.194   192.168.9.195     0     0     1  0x0   84    8  0x0   0x0
Apr  7 15:48:56   192.168.9.194   192.168.9.195     0     0     1  0x0   84    8  0x0   0x0
Apr  7 15:48:57   192.168.9.194   192.168.9.195     0     0     1  0x0   84    8  0x0   0x0
Apr  7 15:48:58   192.168.9.194   192.168.9.195     0     0     1  0x0   84    8  0x0   0x0

The output contains the following fields:

• Time—Time at which the packet was received (displayed only if you include the stamp statement in the configuration)

• Dest addr—Destination IP address in the packet

• Src addr—Source IP address in the packet

• Dest port—Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port for the destination address

• Src port—TCP or UDP port for the source address

• Proto—Packet’s protocol type

• TOS—Contents of the type-of-service (ToS) field in the IP header

• Pkt len—Length of the sampled packet, in bytes

• Intf num—Unique number that identifies the sampled logical interface

• IP frag—IP fragment number, if applicable

• TCP flags—Any TCP flags found in the IP header

To set the timestamp option for the file my-sample, enter the following:

[edit forwarding-options sampling family (inet | inet6 | mpls) output file]
user@host# set filename my-sample files 5 size 2m world-readable stamp;

Whenever you toggle the timestamp option, a new header is included in the file. If you set the stamp option, the Time field is displayed.

# Apr  7 15:48:50
#          Time            Dest             Src  Dest   Src Proto  TOS  Pkt Intf   IP   TCP
#                          addr            addr  port  port             len  num frag flags
# Feb  1 20:31:21
#                          Dest             Src  Dest   Src Proto  TOS  Pkt Intf   IP   TCP
#                          addr            addr  port  port             len  num frag flags
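A parser for the sampling file format described above, written as an added example (it is not code from the Junos documentation). It handles files written with or without the stamp option and skips the repeated column headers; the class and function names are assumptions, and the sample input is constructed from the lines shown above.

```python
"""Parse Junos traffic-sampling file output. Added example; names are assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Constructed sample modelled on the listing above (stamp enabled), plus one
# constructed TCP line and one damaged line to exercise the error path.
SAMPLE = """\
# Apr  7 15:48:50
#          Time            Dest             Src  Dest   Src Proto  TOS  Pkt Intf   IP   TCP
#                          addr            addr  port  port             len  num frag flags
Apr  7 15:48:54   192.168.9.194   192.168.9.195     0     0     1  0x0   84    8  0x0   0x0
Apr  7 15:48:55   192.168.9.194   192.168.9.195     0     0     1  0x0   84    8  0x0   0x0
Apr  7 15:48:56     10.6.255.15     10.53.127.1   179 26629     6 0xc0   40    5  0x0  0x10
this line is truncated
"""


@dataclass(frozen=True)
class SampledPacket:
    time: Optional[str]   # None when the file was written with no-stamp
    dst_addr: str         # note: destination comes before source in the file
    src_addr: str
    dst_port: int
    src_port: int
    proto: int
    tos: int
    pkt_len: int
    intf_num: int
    ip_frag: int
    tcp_flags: int


def parse_line(line: str) -> Optional[SampledPacket]:
    """Return one record, or None for headers, blank and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tok = line.split()
    if len(tok) == 13:        # "Mon D HH:MM:SS" plus 10 fields (stamp)
        time, tok = " ".join(tok[:3]), tok[3:]
    elif len(tok) == 10:      # no-stamp: the Time column is absent
        time = None
    else:
        return None
    try:
        return SampledPacket(
            time, tok[0], tok[1], int(tok[2]), int(tok[3]), int(tok[4]),
            int(tok[5], 16), int(tok[6]), int(tok[7]),
            int(tok[8], 16), int(tok[9], 16),
        )
    except ValueError:        # e.g. an unprefixed header row with 10 words
        return None


def parse(lines: Iterable[str]) -> Iterator[SampledPacket]:
    """Yield every well-formed record from an iterable of text lines."""
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            yield rec


def top_talkers(records: Iterable[SampledPacket], n: int = 5):
    """Sampled bytes per (src, dst, proto), largest first."""
    totals = Counter()
    for r in records:
        totals[(r.src_addr, r.dst_addr, r.proto)] += r.pkt_len
    return totals.most_common(n)


if __name__ == "__main__":
    for key, nbytes in top_talkers(parse(SAMPLE.splitlines())):
        print(key, nbytes)
```

The byte totals cover sampled packets only, so they reflect the configured rate and run-length rather than the full traffic volume.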

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Directing Traffic Sampling Output to a Server Running the cflowd Application

You can collect an aggregate of sampled flows and send the aggregate to a specified host that runs the cflowd application available from the Cooperative Association for Internet Data Analysis (CAIDA) (http://www.caida.org). By using cflowd, you can obtain various types of byte and packet counts of flows through a router.

The cflowd application collects the sampled flows over a period of 1 minute. At the end of the minute, the number of samples to be exported are divided over the period of another minute and are exported over the course of the same minute.

Before you can perform flow aggregation, the routing protocol process must export the autonomous system (AS) path and routing information to the sampling process. To do this, include the route-record statement:

route-record;

You can include this statement at the following hierarchy levels:

• [edit routing-options]

• [edit routing-instances routing-instance-name routing-options]

By default, flow aggregation is disabled. To enable the collection of flow aggregates, include the flow-server statement at the [edit forwarding-options sampling output] hierarchy level:

[edit forwarding-options sampling family (inet | inet6 | mpls) output]
flow-server hostname {
    aggregation {
        autonomous-system;
        destination-prefix;
        protocol-port;
        source-destination-prefix {
            caida-compliant;
        }
        source-prefix;
    }
    autonomous-system-type (origin | peer);
    (local-dump | no-local-dump);
    port port-number;
    source-address address;
    version format;
}

In the cflowd statement, specify the name, identifier, and source-address of the host that collects the flow aggregates. You must also include the UDP port number on the host and the version, which gives the format of the exported cflowd aggregates. To specify an IPv4 source address, include the source-address statement. To collect cflowd records in a log file before exporting, include the local-dump statement. To specify the cflowd version number, include the version statement. The cflowd version is either 5 or 8.

You can specify both host (cflowd) sampling and port mirroring in the same configuration. You can perform RE-sampling and port mirroring actions simultaneously. However, you cannot perform PIC-sampling and port mirroring actions simultaneously.

To specify aggregation of specific types of traffic, include the aggregation statement. This conserves memory and bandwidth enabling cflowd to export targeted flows rather than all the aggregated

NOTE: Aggregation is valid only if cflowd version 8 is specified.

To specify a flow type, include the aggregation statement at the [edit forwarding-options sampling output cflowd hostname] hierarchy level:

[edit forwarding-options sampling family (inet | inet6 | mpls) output hostname]
aggregation {
    source-destination-prefix;
}

You specify the aggregation type using one of the following options:

• autonomous-system—Aggregate by AS number; may require setting the separate cflowd autonomous-system-type statement to include either origin or peer AS numbers. The origin option specifies to use the origin AS of the packet source address in the Source Autonomous System cflowd field. The peer option specifies to use the peer AS through which the packet passed in the Source Autonomous System cflowd field. By default, cflowd exports the origin AS number.

• destination-prefix—Aggregate by destination prefix (only).

• protocol-port—Aggregate by protocol and port number; requires setting the separate cflowd port statement.

• source-destination-prefix—Aggregate by source and destination prefix. Version 2.1b1 of CAIDA’s cflowd application does not record source and destination mask length values in compliance with CAIDA’s cflowd Configuration Guide, dated August 30, 1999. If you configure the caida-compliant statement, Junos OS complies with Version 2.1b1 of cflowd. If you do not include the caida-compliant statement in the configuration, Junos OS records source and destination mask length values in compliance with the cflowd Configuration Guide.

• source-prefix—Aggregate by source prefix (only).

Collection of sampled packets in a local ASCII file is not affected by the cflowd statement.

Debugging cflowd Flow Aggregation

To collect the cflowd flows in a log file before they are exported, include the local-dump option at the [edit forwarding-options sampling output cflowd hostname] hierarchy level:

[edit forwarding-options sampling family (inet | inet6 | mpls) output flow-server hostname]
local-dump;

By default, the flows are collected in /var/log/sampled; to change the filename, include the filename statement at the [edit forwarding-options sampling traceoptions] hierarchy level. For more information about changing the filename, see "Collecting Traffic Sampling Output in a File".

NOTE: Because the local-dump option adds extra overhead, you should use it only while debugging cflowd problems, not during normal operation.

The following is an example of the flow information. The AS number exported is the origin AS number. All flows that belong under a cflowd header are dumped, followed by the header itself:

Jun 27 18:35:43 v5 flow entry
Jun 27 18:35:43    Src addr: 10.53.127.1
Jun 27 18:35:43    Dst addr: 10.6.255.15
Jun 27 18:35:43    Nhop addr: 192.168.255.240
Jun 27 18:35:43    Input interface: 5
Jun 27 18:35:43    Output interface: 3
Jun 27 18:35:43    Pkts in flow: 15
Jun 27 18:35:43    Bytes in flow: 600
Jun 27 18:35:43    Start time of flow: 7230
Jun 27 18:35:43    End time of flow: 7271
Jun 27 18:35:43    Src port: 26629
Jun 27 18:35:43    Dst port: 179
Jun 27 18:35:43    TCP flags: 0x10
Jun 27 18:35:43    IP proto num: 6
Jun 27 18:35:43    TOS: 0xc0
Jun 27 18:35:43    Src AS: 64496
Jun 27 18:35:43    Dst AS: 64511
Jun 27 18:35:43    Src netmask len: 16
Jun 27 18:35:43    Dst netmask len: 0

[... 41 more v5 flow entries; then the following header:]

Jun 27 18:35:43 cflowd header:
Jun 27 18:35:43    Num-records: 42
Jun 27 18:35:43    Version: 5
Jun 27 18:35:43    Flow seq num: 118
Jun 27 18:35:43    Engine id: 0
Jun 27 18:35:43    Engine type: 3
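The local-dump layout above puts each batch of flow entries before the cflowd header that describes it, so a log reader has to buffer flows until the header arrives. The following added example (not code from the Junos documentation) groups a dump into batches and checks each header's Num-records against the flows actually logged; the function names are assumptions and the log text is constructed in the layout shown above.

```python
"""Group a cflowd local-dump log into export batches and check each batch
against its trailing header. Added example; all names are assumptions."""
import re

# Constructed log in the layout shown above, shortened to two flows.
DUMP = """\
Jun 27 18:35:43 v5 flow entry
Jun 27 18:35:43    Src addr: 10.53.127.1
Jun 27 18:35:43    Dst addr: 10.6.255.15
Jun 27 18:35:43    Pkts in flow: 15
Jun 27 18:35:43    Bytes in flow: 600
Jun 27 18:35:43    Src port: 26629
Jun 27 18:35:43    Dst port: 179
Jun 27 18:35:43    IP proto num: 6
Jun 27 18:35:43 v5 flow entry
Jun 27 18:35:43    Src addr: 10.6.255.15
Jun 27 18:35:43    Dst addr: 10.53.127.1
Jun 27 18:35:43    Pkts in flow: 12
Jun 27 18:35:43    Bytes in flow: 480
Jun 27 18:35:43    Src port: 179
Jun 27 18:35:43    Dst port: 26629
Jun 27 18:35:43    IP proto num: 6
Jun 27 18:35:43 cflowd header:
Jun 27 18:35:43    Num-records: 2
Jun 27 18:35:43    Version: 5
Jun 27 18:35:43    Flow seq num: 118
Jun 27 18:35:43    Engine id: 0
Jun 27 18:35:43    Engine type: 3
"""

# Syslog-style prefix "Mon D HH:MM:SS", then the message body.
PREFIX = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(.*)$")
FLOW_START = re.compile(r"^v\d+ flow entry$")


def parse_dump(text):
    """Return [(header_dict_or_None, [flow_dict, ...]), ...] in file order."""
    batches, flows, header, target = [], [], None, None
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue                      # not a dump line
        body = m.group(1).strip()
        if FLOW_START.match(body):
            if header is not None:        # previous batch is complete
                batches.append((header, flows))
                flows, header = [], None
            target = {}
            flows.append(target)
        elif body == "cflowd header:":
            header = target = {}
        elif ":" in body and target is not None:
            key, _, value = body.partition(":")
            target[key.strip()] = value.strip()
    if header is not None or flows:       # last batch; header is None if cut off
        batches.append((header, flows))
    return batches


def check_batches(batches):
    """List problems: a batch with no header, or Num-records != flows seen."""
    problems = []
    for i, (header, flows) in enumerate(batches):
        if header is None:
            problems.append((i, "no header after %d flows" % len(flows)))
        elif int(header.get("Num-records", -1)) != len(flows):
            problems.append((i, "header says %s records, log has %d"
                             % (header.get("Num-records"), len(flows))))
    return problems


def bytes_by_pair(batches):
    """Sum 'Bytes in flow' per (src, dst) across all batches."""
    totals = {}
    for _, flows in batches:
        for f in flows:
            pair = (f.get("Src addr"), f.get("Dst addr"))
            totals[pair] = totals.get(pair, 0) + int(f.get("Bytes in flow", 0))
    return totals


if __name__ == "__main__":
    parsed = parse_dump(DUMP)
    print(check_batches(parsed) or "all batches consistent")
    print(bytes_by_pair(parsed))
```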

 

 

 

 

Collecting Traffic Sampling Output in the Cisco Systems NetFlow Services Export Version 9 Format

In Junos OS Release 8.3 and later, you can collect a record of sampled flows using the version 9 format as defined in RFC 3954, Cisco Systems NetFlow Services Export Version 9. Version 9 uses templates to collect a set of sampled flows and send the record to a specified host.

You configure the version 9 template used to collect a record of sampled flows at the [edit services monitoring] hierarchy level. For more information, see the Junos OS Services Interfaces Library for Routing Devices and the Monitoring, Sampling, and Collection Services Interfaces User Guide.

To enable the collection of traffic flows using the version 9 format, include the version9 statement at the [edit forwarding-options sampling family family-name output flow-server hostname] hierarchy level:

[edit forwarding-options sampling family family-name output flow-server hostname]
version9 {
    template template-name;
}

template-name is the name of the version 9 template configured at the [edit services monitoring] hierarchy level.

You configure traffic sampling at the [edit forwarding-options sampling input] hierarchy level. In Junos OS Release 8.3 and later, you can configure sampling for MPLS traffic as well as IPv4 traffic. You can define a version 9 flow record template suitable for IPv4 traffic, MPLS traffic, or a combination of the two. In Junos OS Release 9.5 and later, you can sample packets from both the inet and mpls protocol families at the same time. In Junos OS Release 10.4 and later, you can configure sampling for peer AS billing traffic for the inet and ipv6 protocols only. For more information about how to configure traffic sampling, see "Configuring Traffic Sampling".

The following restrictions apply to configuration of the version 9 format:

• You can configure only one host to collect traffic flows using the version 9 format. Configure the host at the [edit forwarding-options sampling family family-name output flow-server hostname] hierarchy level.

• You cannot specify both the version 9 format and cflowd versions 5 and 8 formats in the same configuration. For more information about how to configure flow monitoring using cflowd version 8, see "Directing Traffic Sampling Output to a Server Running the cflowd Application".

• Any values for flow-active-timeout and flow-inactive-timeout that you configure at the [edit forwarding-options sampling output] hierarchy level are overridden by the values configured in the version 9 template.

• Version 9 does not support Routing Engine-based sampling. You cannot configure version 9 to send traffic sampling result to a file in the /var/tmp directory.

 

Example: Configuring Active Flow Monitoring Using Version 9

In this example, you enable active flow monitoring using version 9. You specify a template mpls that you configure at the [edit services monitoring] hierarchy level. You also configure the traffic family mpls to sample MPLS packets.

[edit forwarding-options]
sampling {
    input {
        rate 1;
        run-length;
    }
    family inet {
        output {
            flow-server 10.60.2.1 {     # The IP address and port of the host
                port 2055;              # that collects the sampled traffic flows.
                source-address 3.3.3.1;
                version9 {
                    template mpls;      # Version 9 records are sent
                }                       # using the template named mpls
            }
        }
    }
}

Example: Sampling a Single SONET/SDH Interface

The following configuration gathers statistical sampling information from a small percentage of all traffic on a single SONET/SDH interface and collects it in a file named sonet-samples.txt.

Create the filter:

[edit firewall family inet]
filter {
    sample-sonet {
        then {
            sample;
            accept;
        }
    }
}

Apply the filter to the SONET/SDH interface:

[edit interfaces]
so-0/0/1 {
    unit 0 {
        family inet {
            filter {
                input sample-sonet;
            }
            address 10.127.68.254/32 {
                destination 10.127.74.7;
            }
        }
    }
}

Finally, configure traffic sampling:

[edit forwarding-options]
sampling {
    input {
        rate 100;
        run-length 2;
    }
    family inet {
        output {
            file {
                filename sonet-samples.txt;
                files 40;
                size 5m;
            }
        }
    }
}

Example: Sampling All Traffic from a Single IP Address

The following configuration gathers statistical information about every packet entering the router on a specific Gigabit Ethernet port originating from a single source IP address of 10.45.92.31, and collects it in a file named samples-10-45-92-31.txt.

Create the filter:

[edit firewall family inet]
filter one-ip {
    term get-ip {
        from {
            source-address 10.45.92.31;
        }
        then {
