Flow-Tap Architecture - JUNOS 9.5 Services Interfaces Configuration Guide

Flow-Tap Architecture

The architecture consists of one or more mediation devices that send requests to a Juniper Networks routing platform to monitor incoming data and forward any packets that match specific filter criteria to a set of one or more content destinations:

Mediation device—A client that monitors electronic data or voice transfer over the network. The mediation device sends filter requests to the Juniper Networks routing platform using the DTCP. The clients are not identified for security reasons, but have permissions defined by a set of special login classes.

Monitoring platform—A Juniper Networks M-series or T-series routing platform containing one or more Adaptive Services (AS) or MultiServices PICs, which are configured to support the flow-tap application. The monitoring platform processes the requests from the mediation devices, applies the dynamic filters, monitors incoming data flows, and sends the matched packets to the appropriate content destinations.

Content destination—Recipient of the matched packets from the monitoring platform. Typically the matched packets are sent using an IP Security (IPsec) tunnel from the monitoring platform to another router connected to the content destination. The content destination and the mediation device can be physically located on the same host. For more information on IPsec tunnels, see IPsec Services Configuration Guidelines.

Dynamic filters—The Packet Forwarding Engine automatically generates a firewall filter that is applied to all IPv4 routing instances. Each term in the filter includes a flow-tap action that is similar to the existing sample or port-mirroring actions. As long as one of the filter terms matches an incoming packet, the router copies the packet and forwards it to the AS or MultiServices PIC that is configured for flow-tap service. The AS or MultiServices PIC runs the packet through the client filters and sends a copy to each matching content destination.

Following is a sample filter configuration; note that it is dynamically generated by the router (no user configuration required):


            
               filter combined_LEA_filter {
               
                  
                     term LEA1_filter {
                     
                        
                           from {
                           source-address 1.2.3.4;
                           destination-address 3.4.5.6;
                           }
                        
                     
                     
                        
                           then {
                           flow-tap;
                           }
                        
                     
                     }
                  
               
               
                  
                     term LEA2_filter {
                     
                        
                           from {
                           source-address 10.1.1.1;
                           source-port 23;
                           }
                        
                     
                     
                        
                           then {
                           flow-tap;
                           }
                        
                     
                     }
                  
               
               }

Figure 12 shows a sample topology that uses two mediation devices and two content destinations.

Figure 12: Flow-Tap Topology

Image g016703.gif

Contents

Index

Report an Error