Configuring Flow-Tap Security Properties on MX Series Routers
You can add an extra level of security to DTCP transactions between the mediation device and the
router by enabling DTCP sessions on top of the SSH layer. To configure, include the
flow-tap-dtcp statement at the [edit system
services] hierarchy level:
flow-tap-dtcp {
ssh {
connection-limit value;
rate-limit value;
}
}
To configure client permissions for viewing and
modifying flow-tap configurations and for receiving tapped traffic,
include the permissions statement at the [edit system
login class class-name] hierarchy level:
permissions [ permissions ];
The permissions needed to use flow-tap features are as follows:
flow-tap—Can view flow-tap configuration.flow-tap-control—Can modify flow-tap configuration.flow-tap-operation—Can tap flows.
You can also specify user permissions on a RADIUS server, for example:
Bob Auth-Type := Local, User-Password = = “abc123” Juniper-User-Permissions = “flow-tap-operation”