Configuring the Flow-Tap Service on MX Series Routers

This topic explains Flow-Tap configuration.

Configuring the Flow-Tap Interface

To configure an adaptive services interface for flow-tap service, include the interface statement at the [edit services flow-tap] hierarchy level:

You can assign any Adaptive Services or Multiservices PIC in the active monitoring router and use any logical unit on the PIC.

You can specify the type of traffic to which the flow-tap service applies by including the family inet | inet6 statement. If the family statement is omitted, the flow-tap service is applied only to IPv4 traffic by default. To apply the flow-tap service to IPv6 traffic, you must include the family inet6 statement in the configuration. To enable the flow-tap service for both IPv4 and IPv6 traffic, you must explicitly configure the family statement for both the inet family and the inet6 family.

Note: You cannot configure dynamic flow capture and flow-tap services on the same router simultaneously.

You must also configure the logical interface at the [edit interfaces] hierarchy level:

Note: If you do not include the family inet6 statement in the configuration, IPv6 flows are not intercepted. Earlier versions of the flow-tap solution did not support IPv6.
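The following configuration fragment is an added example and is not taken from the Juniper documentation itself. It shows the two pieces described above together: the flow-tap service bound to an Adaptive Services or Multiservices interface for both IPv4 and IPv6, and the matching logical interface at the [edit interfaces] hierarchy. The interface name sp-1/0/0 and its logical unit 0 are assumed; substitute the slot and unit of the PIC in your monitoring router.

```junos
# Added example (not from the original page). The interface name sp-1/0/0 and
# logical unit 0 are assumptions; use the PIC and unit present on your router.
services {
    flow-tap {
        interface sp-1/0/0.0;
        # IPv4 is the default if no family statement is present; it is listed
        # explicitly here because both families must be configured for dual-stack.
        family inet;
        # Without this statement IPv6 flows are not intercepted.
        family inet6;
    }
}
interfaces {
    sp-1/0/0 {
        unit 0 {
            family inet;
            # The logical interface must carry the inet6 family as well, or the
            # IPv6 intercept configured under services flow-tap has no path.
            family inet6;
        }
    }
}
```

After committing, a quick sanity check is to confirm that the same unit appears under both hierarchies and that neither dynamic-flow-capture nor port mirroring of IPv6 traffic is configured on the same router, since those combinations are listed as unsupported below.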

Strengthening Flow-Tap Security

You can add an extra level of security to Dynamic Tasking Control Protocol (DTCP) transactions between the mediation device and the router by enabling DTCP sessions on top of the SSH layer. To configure SSH settings, include the flow-tap-dtcp statement at the [edit system services] hierarchy level:

To configure client permissions for viewing and modifying flow-tap configurations and for receiving tapped traffic, include the permissions statement at the [edit system login class class-name] hierarchy level:

The permissions needed to use flow-tap features are as follows:

  • flow-tap—Can view flow-tap configuration

  • flow-tap-control—Can modify flow-tap configuration

  • flow-tap-operation—Can tap flows

You can also assign these permissions from a RADIUS server instead of a local login class, for example:

Starting in Junos OS Release 16.2, MX Series routers can process mediation device DTCP ADD requests that contain up to 15 source-destination port pairs. Multiple source-destination port pairs must be separated by commas. For example:

For details on [edit system] and RADIUS configuration, see the User Access and Authentication Administration Guide for Junos OS.
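The following fragment is an added example, not Juniper's own sample, that puts the three hardening steps above into one configuration: DTCP carried over SSH, and separate login classes that grant only the flow-tap permission each role needs. The class names (li-auditor, li-admin, li-mediation), the user name mediation1, and the connection-limit and rate-limit values under flow-tap-dtcp ssh are assumptions; the password value is an obvious placeholder, not a real hash.

```junos
# Added example (not from the original page). Class and user names, the ssh
# limit values, and the password placeholder are all assumptions.
system {
    services {
        flow-tap-dtcp {
            ssh {
                # Cap concurrent DTCP-over-SSH sessions from mediation devices.
                connection-limit 5;      # assumed value
                # Throttle new session attempts (per minute) to blunt brute force.
                rate-limit 2;            # assumed value
            }
        }
    }
    login {
        # Read-only role: can view the flow-tap configuration but not change it
        # and cannot tap flows.
        class li-auditor {
            permissions [ flow-tap ];
        }
        # Change-control role: can modify the flow-tap configuration but still
        # cannot issue taps, so configuration and interception stay separated.
        class li-admin {
            permissions [ flow-tap flow-tap-control ];
        }
        # Mediation-device role: may tap flows but cannot view or alter the
        # configuration that governs where tapped traffic goes.
        class li-mediation {
            permissions [ flow-tap-operation ];
        }
        user mediation1 {
            class li-mediation;
            authentication {
                encrypted-password "$6$PLACEHOLDER-NOT-A-REAL-HASH";  # placeholder
            }
        }
    }
}
```

Keeping the three permissions in separate classes means no single account can both redirect the content destination and issue taps. When the accounts are held on a RADIUS server instead, the same permission names are carried in the Juniper-User-Permissions vendor-specific attribute, so the split can be preserved there as well.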

Restrictions on Flow-Tap Services

The following restrictions apply to Junos flow-tap services:

  • You cannot configure dynamic flow capture and flow-tap services on the same router simultaneously.

  • On routers that support LMNR-based FPCs, you cannot configure the flow-tap service for IPv6 along with port mirroring or sampling of IPv6 traffic. This restriction applies even if the router does not have any LMNR-based FPC installed in it. However, there is no restriction on configuring the flow-tap service on routers that are configured for port mirroring or sampling of IPv4 traffic.

  • Flow-tap does not support interception of MPLS and virtual private LAN service (VPLS).

  • Flow-tap cannot intercept Address Resolution Protocol (ARP) and other Layer 2 exceptions.

  • IPv4 and IPv6 intercept filters can coexist on a system, subject to a combined maximum of 100 filters.

  • When the dynamic flow capture process or the Adaptive Services or Multiservices PIC configured for flow-tap restarts, all filters are deleted and the mediation devices are disconnected.

  • Only the first fragment of an IPv4 fragmented packet stream is sent to the content destination.

  • Port mirroring might not work in conjunction with the flow-tap service.

  • Running the flow-tap service over an IPsec tunnel on the same router can cause packet loops and is not supported.

  • You cannot configure the flow-tap service on channelized interfaces.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release   Description
16.2      Starting in Junos OS Release 16.2, MX Series routers can process mediation device DTCP ADD requests that contain up to 15 source-destination port pairs. Multiple source-destination port pairs must be separated by commas.