
Juniper E Series Configuration Guide

Juniper E Series
212 pages
JUNOSe 7.2.x Policy Management Configuration Guide
Packet Flow Monitoring
The policy log rule provides a way to monitor a packet flow by capturing a sample
of the packets that satisfy the classification of the rule in the system log. See the
JUNOSe System Event Logging Reference Guide for information about logging.
To capture the interface, protocol, source address, destination address, source port,
and destination port, set the policyMgrPacketLog event category to log at severity
info and at low verbosity. To capture the version, ToS, len, ID, flags, time to live
(TTL), protocol, and checksum in addition to the information captured at low
verbosity, set the verbosity to medium or high.
When the policy is configured, all packets are examined and the matching packets
are placed in the log. No more than 512 packets are logged every 3 seconds. The
router maintains a count of the total number of matching packets. This count is
incremented even if the packet cannot be stored in the log (for example, because the
count exceeds the 512-packet threshold).
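The limit described above can be modelled to see how much of a flood the log actually holds compared with the matching-packet count. This is an added example, not code from the manual or from Juniper; it assumes fixed, back-to-back 3-second windows starting at t=0 (the manual states only the limit), and the function names and traffic are constructed for illustration.

```python
"""Model of the policy log rule's sampling limit (added example, not JUNOSe code).

Assumption: the 3-second limit is applied in fixed, back-to-back windows
starting at t=0. The manual states only the limit, not the window scheme.
"""
from collections import Counter

LOG_LIMIT = 512        # max packets logged per window (from the manual)
WINDOW_SECONDS = 3     # window length in seconds (from the manual)


def simulate_log_rule(arrival_times):
    """Return (matched_count, logged_times) for matching-packet timestamps.

    Every matching packet increments the count; only the first LOG_LIMIT
    packets in each window are stored in the log.
    """
    matched = 0
    per_window = Counter()
    logged = []
    for t in sorted(arrival_times):
        matched += 1
        window = int(t // WINDOW_SECONDS)
        if per_window[window] < LOG_LIMIT:
            per_window[window] += 1
            logged.append(t)
    return matched, logged


def flood_summary(arrival_times):
    """Summarize how much of a matching flow the log captured."""
    matched, logged = simulate_log_rule(arrival_times)
    return {
        "matched": matched,
        "logged": len(logged),
        "missing_from_log": matched - len(logged),
        "logged_fraction": len(logged) / matched if matched else 1.0,
    }


def constructed_flood(rate_pps, seconds):
    """Constructed sample input: evenly spaced echo requests from t=0."""
    return [i / rate_pps for i in range(rate_pps * seconds)]


if __name__ == "__main__":
    print(flood_summary(constructed_flood(1000, 9)))  # constructed ping flood
    print(flood_summary(constructed_flood(100, 9)))   # constructed low-rate flow
```

Under this model the log is only a sample once the flow exceeds the limit, so the matching-packet count, not the number of log entries, reflects the volume of the flow.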
Example 1: Logging Ingress Packets on an Interface
This example shows how you might use classification to specify the ingress packets
that are logged on an interface.
host1(config)#ip policy-list testPolicy
host1(config-policy-list)#classifier-group logA
host1(config-policy-list-classifier-group)#log
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
host1(config)#interface atm 0/0.0
host1(config-subif)#ip policy input testPolicy statistics enabled
host1(config-subif)#exit
host1(config)#log destination console severity info
host1(config)#log severity info policyMgrPacketLog
host1(config)#log verbosity low policyMgrPacketLog
host1(config)#log here
Example 2: Logging a Ping Attack
This example provides a more detailed procedure that an ISP might use to log
information during a ping attack on the network. The procedure includes the
creation of the classifier and policy lists to specify the desired packet flow to
monitor, the logging of the output of the classification operation, and the output of
the show command.
In this example, a customer has reported to their ISP that an attack is occurring on
their internal servers. The attack is a simple ping flood.
1. The ISP creates a classifier list to define an ICMP echo request packet flow.
host1:vr2(config)#ip classifier-list icmpEchoReq icmp any any 8 0
host1:vr2(config)#ip policy-list pingAttack
host1:vr2(config-policy-list)#classifier-group icmpEchoReq
host1:vr2(config-policy-list-classifier-group)#log
host1:vr2(config-policy-list-classifier-group)#exit
host1:vr2(config-policy-list)#exit
host1:vr2(config)#interface gigabitEthernet 2/0
host1:vr2(config-if)#ip address 10.10.10.2 255.255.255.0
host1:vr2(config-if)#exit
