Configuring DTCP-over-SSH Service for the Flow-Tap Application
The active monitoring flow-tap application uses Dynamic Tasking Control Protocol (DTCP) when you configure the flow-tap DTCP-over-SSH service. Flow-tap enables you to intercept IPv4 packets transiting an active monitoring router and send a copy of matching packets to one or more content destinations, for use in flexible trend analysis of security threats and in lawful intercept of data.
The flow-tap feature is not supported on outbound, or egress, traffic. Only inbound, or ingress, traffic is supported.
To enable the flow-tap DTCP-over-SSH service, include the following statements at the [edit system services] hierarchy level:
By default, the router supports a limited number of simultaneous flow-tap DTCP-over-SSH sessions and connection attempts per minute. Optionally, you can include either or both of the following statements to change the defaults:
connection-limit limit—Maximum number of simultaneous connections per protocol (IPv4 and IPv6). The range is 1 through 250; the default is 75. The limit applies separately to each protocol: for example, a connection limit of 10 allows 10 IPv6 cleartext service sessions and 10 IPv4 cleartext service sessions.
rate-limit limit—Maximum number of connection attempts accepted per minute per protocol (IPv4 and IPv6). The range is 1 through 250; the default is 150. The limit applies separately to each protocol: for example, a rate limit of 10 allows 10 IPv6 session connection attempts per minute and 10 IPv4 session connection attempts per minute.
You must also define user permissions that enable flow-tap users to configure flow-tap services. Specify a login class and access privileges for flow-tap users at the [edit system login class class-name permissions] hierarchy level:
The permission bit for a flow-tap login class can be one of the following:
flow-tap—Can view the flow-tap configuration in configuration mode.
flow-tap-control—Can view the flow-tap configuration in configuration mode and configure flow-tap configuration information at the [edit services flow-tap] hierarchy level.
flow-tap-operation—Can make flow-tap requests to the router from a remote location using a DTCP client.
Only users with a configured access privilege of flow-tap-operation can initiate flow-tap requests.
You can also specify user permissions through the Juniper-User-Permissions RADIUS attribute.
To enable the flow-tap DTCP-over-SSH service for service interfaces, you must also include statements at the [edit interfaces] hierarchy level to specify an Adaptive Services PIC that runs the flow-tap service and conveys flow-tap filters from the mediation device to the router. In addition, you must include the flow-tap statement at the [edit services] hierarchy level.
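The statements from the steps above, pulled together into one configuration as an added example that is not part of the original page. The interface sp-1/0/0, the class names flow-tap-admin and flow-tap-ops, the user name lea-operator and the key string are assumed values, and the example assumes the connection-limit and rate-limit statements sit under [edit system services flow-tap-dtcp ssh].

```junos
/* Added example, not the original page's configuration. Assumed values:
   interface sp-1/0/0, classes flow-tap-admin and flow-tap-ops,
   user lea-operator, and the placeholder SSH key string. */
system {
    services {
        flow-tap-dtcp {
            ssh {
                connection-limit 10;   /* simultaneous DTCP sessions per protocol (default 75) */
                rate-limit 20;         /* connection attempts per minute per protocol (default 150) */
            }
        }
    }
    login {
        /* Separate the two roles: admins edit [edit services flow-tap],
           operators only send DTCP requests from the mediation device. */
        class flow-tap-admin {
            permissions [ configure flow-tap-control ];
        }
        class flow-tap-ops {
            permissions [ flow-tap-operation ];   /* the only bit that may initiate flow-tap requests */
        }
        user lea-operator {
            class flow-tap-ops;
            authentication {
                ssh-rsa "PLACEHOLDER-PUBLIC-KEY";   /* placeholder, replace with the operator's key */
            }
        }
    }
}
interfaces {
    sp-1/0/0 {
        unit 0 {
            family inet;
        }
    }
}
services {
    flow-tap {
        interface sp-1/0/0.0;   /* Adaptive Services PIC that runs the flow-tap service */
    }
}
```

Because limits are enforced per protocol, the settings above allow up to 10 IPv4 and 10 IPv6 sessions at once, which is the figure a monitoring team should compare against its expected number of mediation devices.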
FlowTapLite is the flow-tap service configured on tunnel interfaces on MX Series routers. The flow-tap service [edit services flow-tap] and the RADIUS flow-tap service [edit services radius-flow-tap] cannot run simultaneously on the router. Consequently, you cannot run both FlowTapLite and subscriber secure policy mirroring at the same time on the same router. However, starting in Junos OS Release 17.3R1, flow-tap and subscriber secure policy mirroring can run concurrently on the same router.