Configuring FlowTap and FlowTapLite Security Properties
Enable DTCP on top of the SSH layer and set permissions needed to configure and view FlowTap and FlowTapLite features.
You can add an extra level of security to DTCP transactions between the mediation device and the router by enabling DTCP sessions on top of the SSH layer. To configure, include the flow-tap-dtcp statement at the [edit system services] hierarchy level:

    flow-tap-dtcp {
        ssh {
            connection-limit value;
            rate-limit value;
        }
    }

To configure client permissions for viewing and modifying flow-tap configurations and for receiving tapped traffic, include the permissions statement at the [edit system login class class-name] hierarchy level:

    permissions [ permissions ];

The permissions needed to use FlowTap and FlowTapLite features are as follows:
flow-tap—Can view FlowTap and FlowTapLite configuration.
flow-tap-control—Can modify FlowTap and FlowTapLite configuration.
flow-tap-operation—Can tap flows.

You can also specify user permissions on a RADIUS server, for example:

    Bob Auth-Type := Local, User-Password == "abc123"
        Juniper-User-Permissions = "flow-tap-operation"
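
The following configuration is an added example, not taken from the original documentation. It combines the two statements above: DTCP runs over SSH, and the three permissions are split across separate login classes so that the account receiving tapped traffic cannot modify the FlowTap configuration. The class names (ft-view, ft-admin, ft-mediation) and the connection-limit and rate-limit values are constructed for illustration.

```junos
system {
    services {
        /* DTCP sessions from the mediation device run on top of SSH. */
        flow-tap-dtcp {
            ssh {
                /* Constructed values; size them to the number of mediation devices. */
                connection-limit 5;
                rate-limit 10;
            }
        }
    }
    login {
        /* Auditors: can view FlowTap and FlowTapLite configuration only. */
        class ft-view {
            permissions flow-tap;
        }
        /* Administrators: can view and modify the configuration, cannot tap flows. */
        class ft-admin {
            permissions [ flow-tap flow-tap-control ];
        }
        /* Mediation device account: can tap flows, cannot view or modify the configuration. */
        class ft-mediation {
            permissions flow-tap-operation;
        }
    }
}
```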