FlowTap and FlowTapLite Application Restrictions
The application restrictions vary by application and by router platform.
The following restrictions apply to FlowTap and FlowTapLite services:
-
You cannot configure dynamic flow capture and FlowTap services on the same router simultaneously.
-
When the dynamic flow capture process or an AS PIC configured for FlowTap processing restarts, all filters are deleted and the mediation devices are disconnected.
-
Only the first fragment of an IPv4 fragmented packet stream is sent to the content destination.
-
If the FlowTap application is configured, you cannot configure the filter action then syslog for any firewall filter running on the same platform.
-
Running the FlowTap or FlowTapLite application over an IPsec tunnel on the same router can cause packet loops and is not supported.
-
The FlowTapLite service
[edit services flow-tap]
on tunnel interfaces on ACX and MX Series routers and the RADIUS flow-tap service[edit services radius-flow-tap]
cannot run simultaneously on the router. Consequently, you cannot run both FlowTapLite and subscriber secure policy mirroring at the same time on the same router in the earlier releases. However, starting in Junos OS Release 17.3R1, FlowTapLite and subscriber secure policy mirroring are supported to run concurrently on the same MX Series router. -
For those ACX routers that support FlowTapLite:
-
You can configure only one mediation device in the system. That is, we support only one combination of source-ip/destination-ip/source-port/destination-port per mediation device tunnel. MX Series devices can support more than one mediation device.
-
Ingress flow analyzers, ingress flow-mirroring, and egress flow-mirroring do not work for the flow-tapped packets.
-
You can match on only these three items: source IP address, destination IP address, and VRF.
-
If you want to tap by both source IP address and destination IP address, you must have two flow-tap rules, one for the source address and one for the destination address.
-
The configured IPv4 address can only be 32 bytes and the configured IPv6 address can only be 128 bytes; that is, network prefixes are not allowed.
-
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.