Examples: Configuring Junos Packet Vision on M, T, and MX Series Routers
The first example below applies only to M Series and T Series routers, except M160 and TX Matrix routers. On MX Series routers, the flow-tap application resides in the Packet Forwarding Engine rather than in a service PIC or Dense Port Concentrator (DPC), so the Packet Forwarding Engine must send the packet to a tunnel logical (vt-) interface to encapsulate the intercepted packet. In that scenario, you need to allocate a tunnel interface and assign it to the dynamic flow capture process for FlowTapLite to use.
The following example shows all parts of a complete Junos Packet Vision configuration with IPv4 and IPv6 flow intercepts:

    services {
        flow-tap {
            interface sp-1/2/0.100;
        }
    }
    interfaces {
        sp-1/2/0 {
            unit 100 {
                family inet;
                family inet6;
            }
        }
    }
    system {
        services {
            flow-tap-dtcp {
                ssh {
                    connection-limit 5;
                    rate-limit 5;
                }
            }
        }
        login {
            class ft-class {
                permissions flow-tap-operation;
            }
            user ft-user1 {
                class ft-class;
                authentication {
                    encrypted-password "xxxx";
                }
            }
        }
    }

The following example shows a FlowTapLite configuration that intercepts IPv4 and IPv6 flows:

    system {
        login {
            class flowtap {
                permissions flow-tap-operation;
            }
            user ftap {
                uid 2000;
                class flowtap;
                authentication {
                    encrypted-password "$ABC123"; ## SECRET-DATA
                }
            }
        }
        services {
            flow-tap-dtcp {
                ssh;
            }
        }
    }
    chassis {
        fpc 0 {
            pic 0 {
                tunnel-services {
                    bandwidth 10g;
                }
            }
        }
    }
    interfaces {
        vt-0/0/0 {
            unit 0 {
                family inet;
                family inet6;
            }
        }
    }
    services {
        flow-tap {
            tunnel-interface vt-0/0/0.0;
        }
    }
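
The following audit sketch is an added example, not Juniper code: it parses a curly-brace configuration like the two above and reports which users belong to a class holding flow-tap-operation, whether flow-tap-dtcp accepts SSH and with which limits, and which interface receives intercepted traffic. The function names and the condensed sample input are constructed for illustration.

```python
import re

# Added example; parse_junos and audit_flow_tap are hypothetical helper names.
def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts (leaf statements map to None)."""
    text = re.sub(r"##[^\n]*", "", text)  # drop annotations such as ## SECRET-DATA
    root = {}
    stack, words = [root], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    return root

def audit_flow_tap(config_text):
    """Report who may run flow-tap operations and how the DTCP listener is limited."""
    cfg = parse_junos(config_text)
    system = cfg.get("system", {})
    login = system.get("login", {})
    tap_classes = {n.split()[1] for n, body in login.items() if n.startswith("class ")
                   and any(s.startswith("permissions") and "flow-tap-operation" in s.split()
                           for s in body or {})}
    users = sorted(n.split()[1] for n, body in login.items() if n.startswith("user ")
                   and any("class " + c in (body or {}) for c in tap_classes))
    dtcp = system.get("services", {}).get("flow-tap-dtcp") or {}
    limits = {s.split()[0]: int(s.split()[1]) for s in (dtcp.get("ssh") or {})}
    taps = sorted(cfg.get("services", {}).get("flow-tap") or {})
    return {"users": users, "dtcp_ssh": "ssh" in dtcp, "limits": limits, "intercept": taps}

# Constructed sample: the FlowTapLite configuration from this page, condensed.
SAMPLE = """
system {
    login {
        class flowtap { permissions flow-tap-operation; }
        user ftap { uid 2000; class flowtap; authentication {
            encrypted-password "$ABC123"; ## SECRET-DATA
        } }
    }
    services { flow-tap-dtcp { ssh; } }
}
services { flow-tap { tunnel-interface vt-0/0/0.0; } }
"""
```

Run against the sample, `audit_flow_tap(SAMPLE)` returns an empty `limits` dictionary because that configuration uses a bare `ssh;` statement, whereas the first configuration sets `connection-limit 5` and `rate-limit 5`.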