Configuring DTCP-over-SSH Service for the Flow-Tap Application

The active monitoring flow-tap application requires the Dynamic Tasking Control Protocol (DTCP), which you enable by configuring the flow-tap DTCP-over-SSH service. Flow-tap enables you to intercept IPv4 packets transiting an active monitoring router and send a copy of matching packets to one or more content destinations, for use in flexible trend analysis of security threats and in lawful intercept of data.

Note: The flow-tap feature is not supported on outbound, or egress, traffic. Only inbound, or ingress, traffic is supported.

To enable the flow-tap DTCP-over-SSH service, include the following statements at the [edit system services] hierarchy level:

[edit system services]
flow-tap-dtcp {
    ssh {
        connection-limit limit;
        rate-limit limit;
    }
}

By default, the router supports a limited number of simultaneous flow-tap DTCP-over-SSH sessions and connection attempts per minute. Optionally, you can include either or both of the following statements to change the defaults:

  • connection-limit limit—Maximum number of simultaneous connections per protocol (IPv4 and IPv6). The range is a value from 1 through 250. The default is 75. When you configure a connection limit, the limit is applicable to the number of sessions per protocol (IPv4 and IPv6). For example, a connection limit of 10 allows 10 IPv6 clear-text service sessions and 10 IPv4 clear-text service sessions.
  • rate-limit limit—Maximum number of connection attempts accepted per minute per protocol (IPv4 and IPv6). The range is a value from 1 through 250. The default is 150. When you configure a rate limit, the limit is applicable to the number of connection attempts per protocol (IPv4 and IPv6). For example, a rate limit of 10 allows 10 IPv6 session connection attempts per minute and 10 IPv4 session connection attempts per minute.

You must also define user permissions that enable flow-tap users to configure flow-tap services. Specify a login class and access privileges for flow-tap users at the [edit system login class class-name permissions] hierarchy level:

[edit system login class class-name permissions]
(flow-tap | flow-tap-control | flow-tap-operation);

The permission bit for a flow-tap login class can be one of the following:

  • flow-tap—Can view the flow-tap configuration in configuration mode.
  • flow-tap-control—Can view the flow-tap configuration in configuration mode and configure flow-tap configuration information at the [edit services flow-tap] hierarchy level.
  • flow-tap-operation—Can make flow-tap requests to the router from a remote location using a DTCP client.

    Note: Only users with a configured access privilege of flow-tap-operation can initiate flow-tap requests.

You can also specify user permissions through the Juniper-User-Permissions RADIUS attribute.

To enable the flow-tap DTCP-over-SSH service, you must also include statements at the [edit interfaces] hierarchy level to specify an Adaptive Services PIC that runs the flow-tap service and conveys flow-tap filters from the mediation device to the router. In addition, you must include the flow-tap statement at the [edit services] hierarchy level.
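The following configuration ties the steps above together. It is an added example, not configuration from the original page: the values (a connection limit of 10, a rate limit of 20, the class name flow-tap-ops, the user name lea-client, and the sp-1/0/0 interface) are assumptions chosen for illustration, and the [edit interfaces] and [edit services flow-tap] stanzas are shown in their usual Junos form without the page specifying that syntax, so check them against the statement reference for your release. The SSH public key is a placeholder.

```junos
/* Added example configuration (not from the original page). */

system {
    services {
        /* DTCP-over-SSH listener for the flow-tap application.
           The limits apply per protocol family (IPv4 and IPv6):
           at most 10 simultaneous DTCP sessions, and at most 20
           connection attempts per minute. Keeping these well below
           the defaults (75 and 150) bounds how much of the routing
           engine a misbehaving or unauthorized client can consume. */
        flow-tap-dtcp {
            ssh {
                connection-limit 10;
                rate-limit 20;
            }
        }
    }
    login {
        /* Least privilege: this class can only send DTCP requests from a
           remote client. It cannot view or change the flow-tap
           configuration (that would need flow-tap or flow-tap-control). */
        class flow-tap-ops {
            permissions [ flow-tap-operation ];
        }
        /* Dedicated account for the mediation device, authenticated
           with a public key rather than a password. */
        user lea-client {
            class flow-tap-ops;
            authentication {
                ssh-rsa "ssh-rsa AAAA...PLACEHOLDER-PUBLIC-KEY... lea-client@mediation";
            }
        }
    }
}

/* Adaptive Services PIC that runs the flow-tap service and receives
   the filters conveyed by the mediation device (interface name assumed). */
interfaces {
    sp-1/0/0 {
        unit 0 {
            family inet;
        }
    }
}

/* Bind the flow-tap service to that PIC (stanza form assumed). */
services {
    flow-tap {
        interface sp-1/0/0.0;
    }
}
```

In set-command form the same change is `set system services flow-tap-dtcp ssh connection-limit 10`, `set system services flow-tap-dtcp ssh rate-limit 20`, `set system login class flow-tap-ops permissions flow-tap-operation`, and `set system login user lea-client class flow-tap-ops`, followed by `commit`. Assigning the mediation device its own user and class means DTCP requests can be attributed to that account in the system logs and revoked without touching other operator accounts.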

Published: 2013-04-21