Example: IPv6 Support for FlowTapLite
This example describes how to configure IPv6 support for FlowTapLite on an M120 router with Enhanced III FPCs. The configuration of FlowTapLite is similar on an M320 router and an MX Series router with Enhanced III FPCs. However, because the MX Series routers do not support Tunnel Services PICs, you configure a DPC and the corresponding Packet Forwarding Engine to use tunneling services at the [edit chassis] hierarchy level.
With Junos OS Release 10.1, the FlowTapLite service supports lawful interception of IPv6 packets; previously only interception of IPv4 packets was supported. The intercepted packets are sent to a content destination, while the flow of original packets to the actual destination is unaffected.
A mediation device installs dynamic filters on the router (or server) by sending DTCP requests. These filters include the quintuple information (source address, destination address, source port, destination port, and protocol) about the intercepted flows and the details (IP addresses and port information) of the content destination.
Below is an example of such a filter:
ADD DTCP/0.8
Csource-ID: ftap
Cdest-ID: cd1
Source-Address: 7234:5678:ABCD:EF12:3456:78AB:ABC8:1235/112
Dest-Address: affe::1:1
Source-Port: 1234
Dest-Port: 2345
Protocol: *
Priority: 2
X-JTap-Input-Interface: ge-2/0/1
X-JTap-Cdest-Dest-Address: 6.3.4.5
X-JTap-Cdest-Dest-Port: 2300
X-JTap-Cdest-Source-Address: 208.223.208.9
X-JTap-Cdest-Source-Port: 65535
X-JTap-Cdest-TTL: 255
X-JTap-IP-Version: ipv6
Flags: STATIC
Following are descriptions of the parameters in the dynamic filter:
- Csource-ID—The username configured in the router at the [edit system login user] hierarchy level.
- Cdest-ID—The content destination identifier.
- Source-Address, Dest-Address, Source-Port, Dest-Port, Protocol—Parameters that determine which packet flows are intercepted. An asterisk (*) is a wildcard; in the example, Protocol: * matches any protocol.
- X-JTap-Input-Interface—The interface through which the flows to be intercepted enter the router. Which of these parameters appears depends on the type of filter being installed: X-JTap-Input-Interface installs an input interface filter, X-JTap-Output-Interface installs an output interface filter, X-JTap-VRF-NAME installs a VRF filter, and a global filter specifies none of them.
- X-JTap-Cdest—All parameters that start with this string (X-JTap-Cdest-Dest-Address, X-JTap-Cdest-Dest-Port, X-JTap-Cdest-Source-Address, X-JTap-Cdest-Source-Port, and X-JTap-Cdest-TTL) describe the content destination and the addresses and ports used to send the intercepted copies to it. In the example, the content destination is reached over IPv4 even though the intercepted flow is IPv6.
- X-JTap-IP-Version—Differentiates between IPv6 and IPv4 filters; it must agree with the address family of Source-Address and Dest-Address.
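The following Python example is added here to make the filter format concrete; it is not Juniper code or part of any mediation-device product. It builds the ADD request shown above from its parameters, checks the request for internal consistency before it is sent (address family versus X-JTap-IP-Version, port and protocol ranges, a mandatory Csource-ID), and parses the router's 200 OK reply. The CRLF line ending, the blank line that ends a message, and the reply text SAMPLE_REPLY are assumptions or constructed data.

```python
"""Build, sanity-check and parse FlowTapLite DTCP messages.

Added example for this page, not Juniper code.  The header names and
values come from the ADD request above; the CRLF line ending and the
blank line that ends a message are assumptions, and SAMPLE_REPLY is a
constructed reply in the shape of a router's 200 OK.
"""
import ipaddress

# The ADD request shown above, header by header (order is preserved on the wire).
ADD_FILTER = {
    "Csource-ID": "ftap",
    "Cdest-ID": "cd1",
    "Source-Address": "7234:5678:ABCD:EF12:3456:78AB:ABC8:1235/112",
    "Dest-Address": "affe::1:1",
    "Source-Port": "1234",
    "Dest-Port": "2345",
    "Protocol": "*",
    "Priority": "2",
    "X-JTap-Input-Interface": "ge-2/0/1",
    "X-JTap-Cdest-Dest-Address": "6.3.4.5",
    "X-JTap-Cdest-Dest-Port": "2300",
    "X-JTap-Cdest-Source-Address": "208.223.208.9",
    "X-JTap-Cdest-Source-Port": "65535",
    "X-JTap-Cdest-TTL": "255",
    "X-JTap-IP-Version": "ipv6",
    "Flags": "STATIC",
}

PORT_KEYS = ("Source-Port", "Dest-Port",
             "X-JTap-Cdest-Dest-Port", "X-JTap-Cdest-Source-Port")


def validate_add(params):
    """Return a list of problems; an empty list means the ADD is self-consistent."""
    problems = []
    if "Csource-ID" not in params:
        problems.append("Csource-ID is mandatory")
    # The tapped flow's addresses must agree with X-JTap-IP-Version (default ipv4).
    version = params.get("X-JTap-IP-Version", "ipv4").lower()
    want = 6 if version == "ipv6" else 4
    for key in ("Source-Address", "Dest-Address"):
        val = params.get(key, "*")
        if val == "*":                      # wildcard: any address
            continue
        try:
            net = ipaddress.ip_network(val, strict=False)   # accepts host or prefix
        except ValueError:
            problems.append(f"{key}: {val!r} is not an address or prefix")
            continue
        if net.version != want:
            problems.append(f"{key}: IPv{net.version} but X-JTap-IP-Version is {version}")
    for key in PORT_KEYS:
        val = params.get(key, "*")
        if val != "*" and not (val.isdigit() and int(val) <= 65535):
            problems.append(f"{key}: {val!r} is not a port number")
    proto = params.get("Protocol", "*")
    if proto != "*" and not (proto.isdigit() and int(proto) <= 255):
        problems.append(f"Protocol: {proto!r} must be * or an IP protocol number")
    # The content destination is addressed independently of the tapped flow
    # (IPv4 in the example above, while the tapped flow is IPv6).
    for key in ("X-JTap-Cdest-Dest-Address", "X-JTap-Cdest-Source-Address"):
        try:
            ipaddress.ip_address(params[key])
        except (KeyError, ValueError):
            problems.append(f"{key}: missing or not an IP address")
    return problems


def build_add(params):
    """Serialize as the request line plus one 'Name: value' header per line."""
    lines = ["ADD DTCP/0.8"] + [f"{name}: {value}" for name, value in params.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_reply(text):
    """Parse 'DTCP/0.8 <code> <reason>' plus headers; header names are upper-cased."""
    lines = [line for line in text.splitlines() if line.strip()]
    proto, code, reason = lines[0].split(" ", 2)
    reply = {"protocol": proto, "status": int(code), "reason": reason}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        reply[name.strip().upper()] = value.strip()
    return reply


# Constructed: what the router would answer to a successful ADD.
SAMPLE_REPLY = ("DTCP/0.8 200 OK\r\nSEQ: 1\r\nCRITERIA-ID: 1\r\n"
                "TIMESTAMP: 2009-09-29 06:12:05.725\r\n"
                "AUTHENTICATION-INFO: 55f9dc3debd3c7356951410f165f2a9cc5606063\r\n\r\n")

if __name__ == "__main__":
    problems = validate_add(ADD_FILTER)
    print("ADD is consistent" if not problems else "\n".join(problems))
    print(build_add(ADD_FILTER))
    reply = parse_reply(SAMPLE_REPLY)
    print(f"status {reply['status']}, criteria id {reply['CRITERIA-ID']}")
```

The consistency check is worth running on the mediation device before the request goes out: a filter whose addresses do not match X-JTap-IP-Version, or whose content destination is unreachable, silently intercepts nothing, and the only later symptom is a zero packet count on the Packet Forwarding Engine.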
From the Packet Forwarding Engine console, you can verify that the filters are installed and working correctly.
This example describes how to configure IPv6 support for FlowTapLite on an M120 router:
Requirements
This example uses the following hardware and software components:
- Junos OS Release 10.1 or later
- M120 router with a tunnel (vt) interface
Before you configure IPv6 FlowTapLite on your router, be sure you have:
- A tunnel PIC that is up
- A connection from the router to the mediation device and the content destination
- Traffic flow to and from the router
Overview and Topology
Figure 1 shows the FlowTapLite configuration for one M120 router to lawfully intercept packets.
Figure 1: FlowTapLite Topology

In this example, the IPv6 packets enter the Packet Forwarding Engine and, depending on the filters installed, a new flow is created for the intercepted packets while the original packets are forwarded normally. The new flow is rerouted through the tunnel PIC back to the Packet Forwarding Engine for a route lookup, and then on to the content destination.
Configuration
To configure IPv6 FlowTapLite on an M120 router, perform these tasks:
- Configuring User Credentials
- Configuring the Tunnel Interface for FlowTapLite
- Configuring the Logical Tunnel Interface
- Configuring FlowTapLite
CLI Quick Configuration
To quickly configure IPv6 FlowTapLite, copy the following commands and paste them into the CLI:
set system login class flowtap permissions flow-tap-operation
set system login user ftap uid 2000
set system login user ftap class flowtap
set system login user ftap authentication encrypted-password "xxxxxx"
set system services flow-tap-dtcp ssh
set interfaces vt-4/0/0 unit 0 family inet
set interfaces vt-4/0/0 unit 0 family inet6
set services flow-tap tunnel-interface vt-4/0/0.0
Configuring User Credentials
Step-by-Step Procedure
The username and password configured here are used by the mediation device when connecting and sending out DTCP requests.
- Define a login class called flowtap:
[edit system]
user@router# set login class flowtap permissions flow-tap-operation
- For the mediation device, configure a user called ftap with a unique identifier (UID):
[edit system]
user@router# set login user ftap uid 2000
- Apply the flowtap class to the ftap user:
[edit system]
user@router# set login user ftap class flowtap
- Configure the password used by the mediation device:
[edit system]
user@router# set login user ftap authentication encrypted-password xxxxxx
- Commit the configuration:
[edit system]
user@router# commit
Configuring the Tunnel Interface for FlowTapLite
Step-by-Step Procedure
You can add an extra level of security to DTCP transactions between the mediation device and the router by enabling DTCP sessions on top of the SSH layer.
- Configure SSH from the [edit system] hierarchy level:
[edit system]
user@router# set services flow-tap-dtcp ssh
- Commit the configuration:
[edit system]
user@router# commit
Configuring the Logical Tunnel Interface
Step-by-Step Procedure
- Configure the logical interface and assign it to the dynamic flow control process (dfcd) at the [edit interfaces] hierarchy level:
[edit interfaces]
user@router# set vt-4/0/0 unit 0 family inet
- Include the mandatory inet6 statement:
[edit interfaces]
user@router# set vt-4/0/0 unit 0 family inet6
- Commit the configuration:
[edit interfaces]
user@router# commit
Configuring FlowTapLite
Step-by-Step Procedure
- Include the flow-tap statement and the tunnel interface at the [edit services] hierarchy level:
[edit services]
user@router# set flow-tap tunnel-interface vt-4/0/0.0
- Commit the configuration:
[edit services]
user@router# commit
Results
Check the results of the configuration:
[edit]
user@router-re0# show
system {
    [...Output Truncated...]
    login {
        class flowtap {
            permissions flow-tap-operation;
        }
        user ftap {
            uid 2000;
            class flowtap;
            authentication {
                encrypted-password "xxxxxx"; ## SECRET-DATA
            }
        }
    }
    services {
        telnet;
        flow-tap-dtcp {
            ssh;
        }
    }
}
interfaces {
    vt-4/0/0 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
}
[...Output Truncated...]
services {
    flow-tap {
        tunnel-interface vt-4/0/0.0;
    }
}
Verification
To confirm that the configuration is working properly, perform the following tasks:
- Verifying That the Router Received the Filter Request
- Checking That Filters Are Installed and Working on the Router
- Sending a List Request
Verifying That the Router Received the Filter Request
Purpose
After the mediation device sends a filter to the router, it should receive a reply from the router confirming that the filter request was accepted.
Action
Check that the mediation device has received a message similar to the one below:
DTCP/0.8 200 OK
SEQ: 1
CRITERIA-ID: 1
TIMESTAMP: 2009-09-29 06:12:05.725
AUTHENTICATION-INFO: 55f9dc3debd3c7356951410f165f2a9cc5606063
Meaning
The 200 OK status indicates that the filter request was accepted; the CRITERIA-ID value identifies the installed filter in later LIST and DELETE requests.
Checking That Filters Are Installed and Working on the Router
Purpose
To confirm that the dynamic FlowTapLite filters are installed on the Packet Forwarding Engine and that intercepted traffic is matching them.
Action
From the Packet Forwarding Engine console (vty), use the show filter command to list the installed filters and the show filter index <index> counters command to check the packet count of a specific filter:
ADPC2(diving vty)# show filter
Program Filters:
---------------
   Index     Dir     Cnt    Text     Bss  Name
--------  ------  ------  ------  ------  --------
       1     104       0      20      20  __default_bpdu_filter__
   17000      52       0       4       4  __default_arp_policer__
   57007     104     144      16      16  __flowtap_inet__
   65280      52       0       4       4  __auto_policer_template__
   65281     104       0      16      16  __auto_policer_template_1__
   65282     156       0      32      32  __auto_policer_template_2__
   65283     208       0      48      48  __auto_policer_template_3__
   65284     260       0      64      64  __auto_policer_template_4__
   65285     312       0      80      80  __auto_policer_template_5__
   65286     364       0      96      96  __auto_policer_template_6__
   65287     416       0     112     112  __auto_policer_template_7__
   65288     468       0     128     128  __auto_policer_template_8__
37748736     156     144      80      80  __ftaplite_filter__ifl__70__out__ipv6_
37748737     156     144      80      80  __ftaplite_filter__vrf__4__in__ipv6_
37748738     156     144      80      80  __ftaplite_filter__ifl__71__in__ipv6_
37748739     156     144      80      80  __ftaplite_filter__vrf__0__in__ipv6_
ADPC2(diving vty)# show filter index 37748738 counters
Filter Counters/Policers:
   Index               Packets                 Bytes  Name
--------  --------------------  --------------------  --------
37748738               8851815             601923420  __ftaplite_term_ftap_3___counter
Meaning
The last four entries in the show filter output, the ones named __ftaplite_filter__..., are the dynamic IPv6 filters that the DTCP requests installed on the Packet Forwarding Engine; as the names indicate, each one is scoped to an interface (ifl) or a VRF, applied in the input or output direction, and specific to IPv6. The show filter index 37748738 counters output shows a non-zero packet count for that filter, indicating that packets are hitting it. A filter that is listed but whose counter stays at zero is installed but not matching traffic, which usually points to a wrong interface, direction, or quintuple in the ADD request.
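The check described above can be scripted over captured vty output. The Python below is an added example, not Juniper tooling: it parses trimmed copies of the two outputs shown above, picks out the __ftaplite_filter__ entries, decodes their names (the scope, index, direction, and IP-version layout is inferred from the names shown), and classifies each filter by its packet count. The counter row for index 37748736, showing zero packets, is constructed to exercise the idle case.

```python
"""Check FlowTapLite filter installation from Packet Forwarding Engine vty output.

Added example, not Juniper tooling.  SHOW_FILTER is trimmed from the
'show filter' output above; the counter text for 37748738 is the
'show filter index ... counters' output above and the one for 37748736
is constructed (zero packets).  The name layout
__ftaplite_filter__<scope>__<id>__<dir>__<ipver>_ is inferred from the
names shown on the page.
"""
import re

SHOW_FILTER = """\
Program Filters:
---------------
   Index     Dir     Cnt    Text     Bss  Name
--------  ------  ------  ------  ------  --------
       1     104       0      20      20  __default_bpdu_filter__
   57007     104     144      16      16  __flowtap_inet__
37748736     156     144      80      80  __ftaplite_filter__ifl__70__out__ipv6_
37748737     156     144      80      80  __ftaplite_filter__vrf__4__in__ipv6_
37748738     156     144      80      80  __ftaplite_filter__ifl__71__in__ipv6_
37748739     156     144      80      80  __ftaplite_filter__vrf__0__in__ipv6_
"""

# 'show filter index <n> counters' output, keyed by filter index.
COUNTERS = {
    37748738: """\
Filter Counters/Policers:
   Index               Packets                 Bytes  Name
--------  --------------------  --------------------  --------
37748738               8851815             601923420  __ftaplite_term_ftap_3___counter
""",
    37748736: """\
Filter Counters/Policers:
   Index               Packets                 Bytes  Name
--------  --------------------  --------------------  --------
37748736                     0                     0  __ftaplite_term_ftap_1___counter
""",   # constructed: an installed filter that no packet has hit
}

NAME_RE = re.compile(
    r"^__ftaplite_filter__(?P<scope>ifl|vrf)__(?P<id>\d+)__(?P<dir>in|out)__(?P<ipver>ipv[46])_$")


def ftaplite_filters(show_filter_text):
    """Return {index: {scope, id, dir, ipver}} for each dynamic FlowTapLite filter."""
    found = {}
    for line in show_filter_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].isdigit():   # skip headings and rulers
            continue
        match = NAME_RE.match(parts[5])
        if match:
            info = match.groupdict()
            info["id"] = int(info["id"])
            found[int(parts[0])] = info
    return found


def packet_count(counter_text):
    """Packets column of a 'show filter index N counters' row; -1 if no row found."""
    for line in counter_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and parts[1].isdigit():
            return int(parts[1])
    return -1


def check_taps(show_filter_text, counters_by_index, expect_ipver="ipv6"):
    """Classify every FlowTapLite filter: hit, idle, no-counter, or wrong-ipver."""
    report = {}
    for index, info in ftaplite_filters(show_filter_text).items():
        if info["ipver"] != expect_ipver:
            report[index] = "wrong-ipver"
            continue
        packets = packet_count(counters_by_index.get(index, ""))
        report[index] = "no-counter" if packets < 0 else ("hit" if packets > 0 else "idle")
    return report


if __name__ == "__main__":
    for index, verdict in sorted(check_taps(SHOW_FILTER, COUNTERS).items()):
        print(index, verdict)
```

"idle" is the verdict to chase: the filter exists on the Packet Forwarding Engine, so the DTCP exchange worked, but nothing is matching it.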
Sending a List Request
Purpose
To verify that the correct filters are installed in the Packet Forwarding Engine.
Action
Use client software on the mediation device to send a LIST request to the router. A LIST request can include the following three parameters individually or together: Csource-ID, Cdest-ID, and Criteria-ID. Csource-ID is mandatory in every request. Below is an example of a LIST request that uses only the Csource-ID:
LIST DTCP/0.8
Csource-ID: ftap1
Flags: Both
Below is an example of a response:
DTCP/0.8 200 OK
SEQ: 51
TIMESTAMP: 2009-10-04 07:56:43.003
CRITERIA-ID: 1
CSOURCE-ID: ftap1
CDEST-ID: cd1
CSOURCE-ADDRESS: 10.209.152.15
FLAGS: Static
AVERAGE-BANDWIDTH: 0
MATCHING-PACKETS: 0
MATCHING-BYTES: 0
NUM-REFRESH: 0
LAST-REFRESH: 2009-10-04 07:54:30.870
X-JTAP-INPUT-INTERFACE: ge-2/1/1.0,ge-2/1/1.1,ge-2/1/1.2
SOURCE-ADDRESS: 40.0.0.1
DEST-ADDRESS: 50.0.0.1/32
SOURCE-PORT: 1000
DEST-PORT: 2000
PROTOCOL: 17
X-JTAP-CDEST-DEST-ADDRESS: 212.25.99.81
X-JTAP-CDEST-DEST-PORT: 8001
X-JTAP-CDEST-SOURCE-ADDRESS: 208.223.208.9
X-JTAP-CDEST-SOURCE-PORT: 34675
X-JTAP-CDEST-TTL: 64
CRITERIA-NUM: 1
CRITERIA-COUNT: 1
AUTHENTICATION-INFO: 0f49ff600a3d8d7d312c5031f74cc17540bc9200
You can also delete installed filters. Below is an example of a DELETE request; because it is keyed on the Cdest-ID and the Flags, it removes the filters of that content destination rather than a single criteria:
DELETE DTCP/0.8
Csource-ID: ftap
CDest-ID: cd1
Flags: STATIC
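A mediation device normally uses the LIST reply to reconcile what the router actually has installed against what it meant to install, and issues DELETE requests for the rest. The Python below is an added example of that reconciliation, not Juniper code. Its LIST_REPLY is constructed: the first criteria record is adapted from the reply above (with the content destination renamed to cd2) and the second mirrors the IPv6 ADD request earlier on the page. That a reply carrying several criteria repeats them as CRITERIA-ID ... CRITERIA-COUNT blocks inside one 200 OK, and the CRLF line ending used when building the DELETE, are assumptions.

```python
"""Reconcile a DTCP LIST reply with the filters the mediation device meant
to install and prepare a DELETE for anything it did not ask for.

Added example for this page, not Juniper code.  LIST_REPLY is constructed
(first record adapted from the page's LIST reply, second from its IPv6
ADD).  Multiple criteria returned as repeated CRITERIA-ID ... CRITERIA-COUNT
blocks, and the CRLF line ending, are assumptions.
"""
import ipaddress

LIST_REPLY = """\
DTCP/0.8 200 OK
SEQ: 51
CRITERIA-ID: 1
CSOURCE-ID: ftap1
CDEST-ID: cd2
FLAGS: Static
MATCHING-PACKETS: 0
SOURCE-ADDRESS: 40.0.0.1
DEST-ADDRESS: 50.0.0.1/32
SOURCE-PORT: 1000
DEST-PORT: 2000
PROTOCOL: 17
X-JTAP-CDEST-DEST-ADDRESS: 212.25.99.81
CRITERIA-NUM: 1
CRITERIA-COUNT: 2
CRITERIA-ID: 2
CSOURCE-ID: ftap1
CDEST-ID: cd1
FLAGS: Static
MATCHING-PACKETS: 17
SOURCE-ADDRESS: 7234:5678:abcd:ef12:3456:78ab:abc8:1235/112
DEST-ADDRESS: affe::1:1
SOURCE-PORT: 1234
DEST-PORT: 2345
PROTOCOL: *
X-JTAP-CDEST-DEST-ADDRESS: 6.3.4.5
CRITERIA-NUM: 2
CRITERIA-COUNT: 2
AUTHENTICATION-INFO: 0f49ff600a3d8d7d312c5031f74cc17540bc9200
"""

# What the mediation device believes it installed: the page's IPv6 ADD request.
INTENDED = [{
    "CDEST-ID": "cd1",
    "SOURCE-ADDRESS": "7234:5678:ABCD:EF12:3456:78AB:ABC8:1235/112",
    "DEST-ADDRESS": "affe::1:1",
    "SOURCE-PORT": "1234", "DEST-PORT": "2345", "PROTOCOL": "*",
}]

QUINTUPLE = ("SOURCE-ADDRESS", "DEST-ADDRESS", "SOURCE-PORT", "DEST-PORT", "PROTOCOL")


def parse_list_reply(text):
    """Return (status, envelope headers, [criteria records]).  A record opens at
    CRITERIA-ID and closes after CRITERIA-COUNT; other headers form the envelope."""
    lines = [line for line in text.splitlines() if line.strip()]
    _, code, _ = lines[0].split(" ", 2)
    envelope, records, current = {}, [], None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().upper(), value.strip()
        if name == "CRITERIA-ID":
            current = {name: value}
            records.append(current)
        elif current is not None:
            current[name] = value
            if name == "CRITERIA-COUNT":
                current = None
        else:
            envelope[name] = value
    return int(code), envelope, records


def normalize(entry):
    """Quintuple as a comparable tuple: a bare host address becomes its /32 or
    /128, hex case is folded, and '*' stays a wildcard."""
    out = []
    for key in QUINTUPLE:
        value = str(entry.get(key, "*"))
        if key.endswith("ADDRESS") and value != "*":
            value = ipaddress.ip_network(value, strict=False).with_prefixlen
        out.append(value.lower())
    return tuple(out)


def build_delete(csource_id, record):
    """DELETE in the shape shown above.  Keyed on CDest-ID and Flags, it removes
    every criteria of that content destination, not just this record."""
    lines = ["DELETE DTCP/0.8", f"Csource-ID: {csource_id}",
             f"CDest-ID: {record['CDEST-ID']}", f"Flags: {record['FLAGS'].upper()}"]
    return "\r\n".join(lines) + "\r\n\r\n"


def reconcile(csource_id, reply_text, intended):
    """Return (criteria ids matching an intended filter, DELETEs for the others)."""
    status, _, records = parse_list_reply(reply_text)
    if status != 200:
        raise RuntimeError(f"LIST failed with status {status}")
    wanted = {normalize(f) for f in intended}
    matched, deletes = [], []
    for record in records:
        if normalize(record) in wanted:
            matched.append(record["CRITERIA-ID"])
        else:
            deletes.append(build_delete(csource_id, record))
    return matched, deletes


if __name__ == "__main__":
    matched, deletes = reconcile("ftap1", LIST_REPLY, INTENDED)
    print("matched criteria:", matched)
    for request in deletes:
        print(request)
```

Normalizing the quintuple matters because the router echoes addresses in its own canonical form (lower-case hex, an explicit prefix length), which will not compare equal to the text the mediation device originally sent.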
