Configuring the FlowTap Service on MX Series Routers
This topic explains FlowTap configuration.
Configuring the FlowTap Interface
To configure an adaptive services interface for the FlowTap service, include the interface statement at the [edit services flow-tap] hierarchy level:
    interface sp-fpc/pic/port.unit-number;
You can assign any Adaptive Services or Multiservices PIC in the active monitoring router and use any logical unit on the PIC.
You can specify the type of traffic to which the FlowTap service applies by including the family inet | inet6 statement. If the family statement is not included, the FlowTap service is applied by default to IPv4 traffic only. To apply the FlowTap service to IPv6 traffic, you must include the family inet6 statement in the configuration. To enable the FlowTap service for both IPv4 and IPv6 traffic, you must explicitly configure the family statement for both the inet family and the inet6 family.
You cannot configure dynamic flow capture and FlowTap services on the same router simultaneously.
You must also configure the logical interface at the [edit interfaces] hierarchy level:
    interface sp-fpc/pic/port {
        unit logical-unit-number {
            family inet;
            family inet6;
        }
    }
If you do not include the family inet6 statement in the configuration, IPv6 flows are not intercepted. Note that earlier versions of the FlowTap solution did not support IPv6.
Strengthening FlowTap Security
You can add an extra level of security to Dynamic Tasking Control Protocol (DTCP) transactions between the mediation device and the router by running DTCP sessions on top of the SSH layer. To configure the SSH settings, include the flow-tap-dtcp statement at the [edit system services] hierarchy level:
    flow-tap-dtcp {
        ssh {
            connection-limit value;
            rate-limit value;
        }
    }
To configure client permissions for viewing and modifying the FlowTap configuration and for receiving tapped traffic, include the permissions statement at the [edit system login class class-name] hierarchy level:
    permissions [permissions];
The permissions needed to use FlowTap features are as follows:
flow-tap—Can view the FlowTap configuration
flow-tap-control—Can modify the FlowTap configuration
flow-tap-operation—Can tap flows
You can also specify user permissions on a RADIUS server, for example:
    Bob Auth-Type := Local, User-Password == "abc123"
        Juniper-User-Permissions = "flow-tap-operation"
Starting in Junos OS Release 16.2, MX Series routers can process mediation device DTCP ADD requests that contain up to 15 source-destination port pairs. Multiple source-destination port pairs must be separated by commas. For example:
    ADD DTCP/0.7
    Csource-ID: ftap
    Cdest-ID: cd2
    Source-Port: 2000,8001,4000,5000,6000,6001,6002
    Dest-Port: 2000,9001,4000,5000,6000,9000
For details on the [edit system] hierarchy and RADIUS configuration, see the User Access and Authentication Administration Guide for Junos OS.
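The following configuration assembles the pieces described in the two sections above into one hierarchy, with separate login classes so that viewing, modifying and operating FlowTap are granted as distinct least-privilege roles. This is an added illustration, not configuration taken from Juniper documentation; the interface sp-1/0/0, the class names, and the SSH limit values are placeholder assumptions.

```junos
/* Added example: SSH-protected DTCP, role-separated login classes,
   and a FlowTap interface for both IPv4 and IPv6. */
system {
    services {
        /* DTCP over SSH: placeholder limits, tune per mediation-device count */
        flow-tap-dtcp {
            ssh {
                connection-limit 4;
                rate-limit 2;
            }
        }
    }
    login {
        /* Audit role: may only read the FlowTap configuration */
        class flowtap-viewer {
            permissions [ view flow-tap ];
        }
        /* Mediation-device role: may tap flows but not change configuration */
        class flowtap-operator {
            permissions [ view flow-tap flow-tap-operation ];
        }
        /* Change-control role: may modify configuration but not tap flows */
        class flowtap-admin {
            permissions [ view flow-tap flow-tap-control ];
        }
    }
}
interfaces {
    /* Placeholder services PIC; both families must be present here */
    sp-1/0/0 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
}
services {
    flow-tap {
        interface sp-1/0/0.0;
        /* Without both families, only IPv4 flows are intercepted */
        family inet;
        family inet6;
    }
}
```

Assigning users to flowtap-operator rather than flowtap-admin keeps the DTCP client account from being able to alter the configuration that governs what it may intercept.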
Restrictions on FlowTap Services
The following restrictions apply to Junos FlowTap services:
You cannot configure dynamic flow capture and FlowTap services on the same router simultaneously.
On routers that support LMNR-based FPCs, you cannot configure the FlowTap service for IPv6 along with port mirroring or sampling of IPv6 traffic. This restriction applies even if the router does not have any LMNR-based FPC installed in it. However, there is no restriction on configuring the FlowTap service on routers that are configured for port mirroring or sampling of IPv4 traffic.
FlowTap does not support interception of MPLS and virtual private LAN service (VPLS).
FlowTap cannot intercept Address Resolution Protocol (ARP) and other Layer 2 exceptions.
IPv4 and IPv6 intercept filters can coexist on a system, subject to a combined maximum of 100 filters.
When the dynamic flow capture process or the Adaptive Services or Multiservices PIC configured for FlowTap restarts, all filters are deleted and the mediation devices are disconnected.
Only the first fragment of an IPv4 fragmented packet stream is sent to the content destination.
Port mirroring might not work in conjunction with the FlowTap service.
Running the FlowTap service over an IPsec tunnel on the same router can cause packet loops and is not supported.
You cannot configure the FlowTap service on channelized interfaces.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.