[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring DTCP-over-SSH Service for the Flow-Tap Application

The active monitoring flow-tap application requires you to configure the flow-tap DTCP-over-SSH service. Flow-tap enables you to intercept IPv4 packets transiting an active monitoring router and send a copy of matching packets to one or more content destinations, for use in flexible trend analysis of security threats and in lawful intercept of data.

To enable the flow-tap DTCP-over-SSH service, include the following statements at the [edit system services] hierarchy level:




flow-tap-dtcp {


ssh {
<connection-limit limit>;
<rate-limit limit>;
}


}

By default, the router supports a limited number of simultaneous flow-tap DTCP-over-SSH sessions and connection attempts per minute. Optionally, you can include either or both of the following statements to change the defaults:

connection-limit limit—Maximum number of simultaneous connections (a value from 1 through 250). The default is 75.
rate-limit limit—Maximum number of connection attempts accepted per minute (a value from 1 through 250). The default is 150.

You must also define user permissions that enable flow-tap users to configure flow-tap services. Specify a login class and access privileges for flow-tap users at the [edit system login class class-name permissions] hierarchy level:



[edit system login class class-name permissions]
(flow-tap | flow-tap-control | flow-tap-operation);

The permission bit for a flow-tap login class can be one of the following:

flow-tap—Can view the flow-tap configuration in configuration mode.
flow-tap-control—Can view the flow-tap configuration in configuration mode and configure flow-tap configuration information at the [edit services flow-tap] hierarchy level.
flow-tap-operation—Can make flow-tap requests to the router from a remote location using a DTCP client.

Note: Only users with a configured access privilege of flow-tap-operation can initiate flow-tap requests.

For more information about how to define login classes, see Defining Login Classes.

You can also specify user permissions through the Juniper-User-Permissions RADIUS attribute. For more information, see Configuring Juniper Networks Vendor-Specific RADIUS Attributes.

To enable the flow-tap DTCP-over-SSH service, you must also include statements at the [edit interfaces] hierarchy level to specify an Adaptive Services PIC that runs the flow-tap service and conveys flow-tap filters from the mediation device to the router. In addition, you must include the flow-tap statement at the [edit services] hierarchy level. For more information, see the JUNOS Services Interfaces Configuration Guide.

[Contents] [Prev] [Next] [Index] [Report an Error]