Dynamic Flow Capture Architecture

The architecture consists of one or more control sources that send requests to a Juniper Networks routing platform to monitor incoming data, and then forward any packets that match specific filter criteria to a set of one or more content destinations. The architectural components are defined as follows:

• Control source—A client that monitors electronic data or voice transfer over the network. The control source sends filter requests to the Juniper Networks routing platform using the Dynamic Task Control Protocol (DTCP), specified in draft-cavuto-dtcp-01.txt at http://www.ietf.org/internet-drafts. The control source is identified by a unique identifier and an optional list of IP addresses.
• Monitoring platform—A Juniper Networks T-series or M320 routing platform containing one or more Dynamic Flow Capture (DFC) PICs, which support dynamic flow capture processing. The monitoring platform processes the requests from the control sources, creates the filters, monitors incoming data flows, and sends the matched packets to the appropriate content destinations.
• Content destination—Recipient of the matched packets from the monitoring platform. Typically the matched packets are sent using an IP Security (IPSec) tunnel from the monitoring platform to another router connected to the content destination. The content destination and the control source can be physically located on the same host. For more information on IPSec tunnels, see IPSec Services Configuration Guidelines.

Note: The DFC PIC (either a Monitoring Services III PIC or MultiServices 400 PIC) forwards the entire packet content to the content destination, rather than to a content record as is done with cflowd or flow aggregation version 9 templates.

Figure 11 shows a sample topology. The number of control sources and content destinations is arbitrary.

Figure 11: Dynamic Flow Capture Topology

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.