Configuring the Flow-Tap Service
This section describes the following tasks for configuring flow-tap service:
Configuring the Flow-Tap Interface
To configure an adaptive services interface for flow-tap service, include the interface statement at the [edit services flow-tap] hierarchy level:
You can assign any AS or Multiservices PIC in the active monitoring router for flow-tap service, and use any logical unit on the PIC.
Note: You cannot configure dynamic flow capture (DFC) and flow-tap features on the same router simultaneously.
You must also configure the logical interface at the [edit interfaces] hierarchy level:
Strengthening Flow-Tap Security
You can add an extra level of security to DTCP transactions between the mediation device and the router by enabling DTCP sessions on top of the SSH layer. To configure SSH settings, include the flow-tap-dtcp statement at the [edit system services] hierarchy level:
To configure client permissions for viewing and modifying flow-tap configurations and for receiving tapped traffic, include the permissions statement at the [edit system login class class-name] hierarchy level:
The permissions needed to use flow-tap features are as follows:
- flow-tap—Can view flow-tap configuration.
- flow-tap-control—Can modify flow-tap configuration.
- flow-tap-operation—Can tap flows.
You can also specify user permissions on a RADIUS server, for example:
For details on [edit system] and RADIUS configuration, see the Junos System Basics Configuration Guide.
Restrictions on Flow-Tap Services
The following restrictions apply to flow-tap services:
- You cannot configure dynamic flow capture (DFC) and flow-tap features on the same router simultaneously.
- When the DFC process or the AS or Multiservices PIC configured for flow-tap processing restarts, all filters are deleted and the mediation devices are disconnected.
- Only the first fragment of an IPv4 fragmented packet stream is sent to the content destination.
- Port mirroring might not work in conjunction with flow-tap processing.
- If flow-tap is configured, you cannot configure the filter action then syslog for any firewall filter running on the same platform.
- Running the flow-tap application over an IPsec tunnel on the same router can cause packet loops and is not supported.
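The following is an added example, not part of the original documentation: a Python audit of a configuration exported in set format, checking the security settings and restrictions described above. The set-command spellings (flow-tap-dtcp ssh, dynamic-flow-capture, the sp- interface name) and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample configuration in Junos "set" format (not from the page).
SAMPLE_CONFIG = """\
set services flow-tap interface sp-1/2/0.100
set interfaces sp-1/2/0 unit 100 family inet
set system services ssh
set system login class ft-view permissions flow-tap
set system login class ft-admin permissions [ flow-tap flow-tap-control flow-tap-operation ]
set system login class noc permissions [ view network ]
set firewall family inet filter edge-in term t1 then syslog
"""

FLOW_TAP_PERMS = {"flow-tap", "flow-tap-control", "flow-tap-operation"}

def flow_tap_classes(config):
    """Map each login class to the flow-tap permissions it grants."""
    grants = {}
    pat = re.compile(r"^set system login class (\S+) permissions (.+)$", re.M)
    for name, perms in pat.findall(config):
        held = FLOW_TAP_PERMS & set(perms.strip("[] ").split())
        if held:
            grants.setdefault(name, set()).update(held)
    return grants

def audit(config):
    """Return findings for the flow-tap security settings and restrictions."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    def has(prefix):
        return any(l.startswith(prefix) for l in lines)
    findings = []
    if not has("set services flow-tap "):
        return findings  # flow-tap is not configured, nothing to check
    if not has("set system services flow-tap-dtcp ssh"):  # assumed spelling
        findings.append("DTCP sessions are not running over SSH")
    if has("set services dynamic-flow-capture "):  # assumed DFC hierarchy
        findings.append("DFC and flow-tap configured on the same router")
    if any(re.search(r"^set firewall .* then syslog$", l) for l in lines):
        findings.append("firewall filter uses 'then syslog' alongside flow-tap")
    m = re.search(r"^set services flow-tap interface (\S+)\.(\d+)$", config, re.M)
    if m and not has(f"set interfaces {m.group(1)} unit {m.group(2)} "):
        findings.append("flow-tap logical interface missing under [edit interfaces]")
    return findings
```

Run flow_tap_classes alongside audit to review which login classes hold each of the three flow-tap permissions.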

