Flow-Tap Architecture
The architecture consists of one or more mediation devices that send requests to a Juniper Networks
routing platform to monitor incoming data and forward any packets
that match specific filter criteria to a set of one or more content destinations:
- Mediation device—A client that monitors electronic
data or voice transfer over the network. The mediation device sends
filter requests to the Juniper Networks routing platform using the
Dynamic Tasking Control Protocol (DTCP). The clients are not identified for security reasons, but have
permissions defined by a set of special login classes.
- Monitoring platform—A Juniper Networks M-series
or T-series routing platform containing one or more Adaptive Services
(AS) or MultiServices PICs, which are configured to support the flow-tap
application. The monitoring platform processes the requests from the
mediation devices, applies the dynamic filters, monitors incoming
data flows, and sends the matched packets to the appropriate content
destinations.
- Content destination—Recipient of the matched packets
from the monitoring platform. Typically the matched packets are sent
using an IP Security (IPSec) tunnel from the monitoring platform to
another router connected to the content destination. The content destination
and the mediation device can be physically located on the same host.
For more information on IPSec tunnels, see IPSec Services Configuration Guidelines.
- Dynamic filters—The Packet Forwarding Engine automatically
generates a firewall filter that is applied to all IPv4 routing instances.
Each term in the filter includes a flow-tap action that is
similar to the existing sample or port-mirroring actions. If any of the filter terms matches an incoming
packet, the router copies the packet and forwards the copy to the AS or
MultiServices PIC that is configured for the flow-tap service. The AS
or MultiServices PIC runs the packet through the client filters and
sends a copy to each matching content destination.
Following is a sample filter configuration; note
that it is dynamically generated by the router (no user configuration
required):
filter combined_LEA_filter {
    term LEA1_filter {
        from {
            source-address 1.2.3.4;
            destination-address 3.4.5.6;
        }
        then {
            flow-tap;
        }
    }
    term LEA2_filter {
        from {
            source-address 10.1.1.1;
            source-port 23;
        }
        then {
            flow-tap;
        }
    }
}
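To make the two-stage matching concrete, the following is an added Python model of the pipeline (not Junos code and not part of this guide): the combined filter in the Packet Forwarding Engine decides whether a packet is copied at all, and the services PIC then reruns each client filter to decide which content destinations receive a copy. The TapRequest fields, the content-destination names and the sample packets are constructed assumptions; the two requests mirror the two terms in the generated filter above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the two-stage flow-tap pipeline; the requests and
# packets below are sample data, not captures from a router.

@dataclass(frozen=True)
class TapRequest:
    """One filter request from a mediation device (maps to one filter term)."""
    term: str                 # e.g. "LEA1_filter"
    content_dest: str         # content destination that receives the copies
    source_address: Optional[str] = None
    destination_address: Optional[str] = None
    source_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        """All criteria in a term's from-clause must match (logical AND)."""
        for want, got in ((self.source_address, pkt["src"]),
                          (self.destination_address, pkt["dst"])):
            if want is not None and ipaddress.ip_address(got) not in ipaddress.ip_network(want):
                return False
        return self.source_port is None or pkt.get("sport") == self.source_port

def pfe_flow_tap(pkt: dict, requests: list) -> bool:
    """Stage 1, Packet Forwarding Engine: the combined filter copies the packet
    to the services PIC if ANY term matches (the union of all client terms)."""
    return any(r.matches(pkt) for r in requests)

def pic_dispatch(pkt: dict, requests: list) -> set:
    """Stage 2, AS/MultiServices PIC: rerun each client filter and return the
    content destinations that get a copy (one copy per destination)."""
    if not pfe_flow_tap(pkt, requests):
        return set()
    return {r.content_dest for r in requests if r.matches(pkt)}

# Sample requests mirroring the two terms of combined_LEA_filter.
REQUESTS = [
    TapRequest("LEA1_filter", "cd1.example.net",
               source_address="1.2.3.4", destination_address="3.4.5.6"),
    TapRequest("LEA2_filter", "cd2.example.net",
               source_address="10.1.1.1", source_port=23),
]

if __name__ == "__main__":
    print(pic_dispatch({"src": "10.1.1.1", "dst": "3.4.5.6", "sport": 23}, REQUESTS))
```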
Figure 12 shows a sample
topology that uses two mediation devices and two content destinations.
Figure 12: Flow-Tap Topology
