Configuring FlowTapLite on MX Series Routers and M320 Routers with FPCs
A lighter version of the flow-tap application is available on MX Series routers and also on M320 routers with Enhanced III Flexible PIC Concentrators (FPCs). All of the functionality resides in the Packet Forwarding Engine rather than in a service PIC or Dense Port Concentrator (DPC).
Starting in Junos OS Release 17.2R1, FlowTapLite supports the sampling of circuit cross connect (CCC) traffic.
Starting in Junos OS Release 19.3R1, you can configure FlowTapLite on MX240, MX480, and MX960 routers with an MPC10E line card.
On M320 routers only, if the replacement of FPCs results in a mode change, you must restart the dynamic flow capture process manually by disabling and then re-enabling the CLI configuration.
FlowTapLite uses the same DTCP-SSH architecture as the original flow-tap application to install the Dynamic Tasking Control Protocol (DTCP) filters and authenticate the users, and it supports up to 3000 filters per chassis.
The original flow-tap application and FlowTapLite cannot be used at the same time.
To configure FlowTapLite, include the flow-tap statement at the [edit services] hierarchy level:

    flow-tap {
        tunnel-interface interface-name;
    }
If you do not specify a family, FlowTapLite is applied only to IPv4 traffic. Starting in Junos OS Release 17.2R1, FlowTapLite can also be applied to circuit cross connect (ccc) traffic.
For the Packet Forwarding Engine to encapsulate the intercepted packet, it must send the packet to a tunnel logical (vt-) interface. You need to allocate a tunnel interface and assign it to the dynamic flow capture process for FlowTapLite to use. To create the tunnel interface, include the following configuration:

    chassis {
        fpc number {
            pic number {
                tunnel-services {
                    bandwidth (1g | 10g);
                }
            }
        }
    }
Currently FlowTapLite supports only one tunnel interface per instance.
To configure the logical interfaces and assign them to the dynamic flow capture process, include the following configuration:

    interfaces {
        vt-fpc/pic/port {
            unit 0 {
                family inet;
                family inet6;
            }
        }
    }
If a service PIC or DPC is available, you can use its tunnel interface for the same purpose.
If you do not include the family inet6 statement in the configuration, IPv6 flows are not intercepted.
With FlowTapLite configured and traceoptions enabled, if you add more than two content destinations by including the X-JTAP-CDEST-DEST-ADDRESS line in the Dynamic Tasking Control Protocol (DTCP) parameter file and initiate a DTCP session by sending a DTCP ADD message, a 400 BAD request message is received. Although you can specify more than two content destinations in the DTCP file that is sent from the mediation device, this error message occurs when the DTCP ADD message is sent. This behavior is expected with more than two content destinations. You must specify only two content destinations per DTCP ADD message.
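The two-destination limit described above can be checked on the mediation device before a parameter file is sent. The following is an added example, not Juniper code: it assumes each message starts with an "ADD DTCP/..." request line followed by "Name: value" lines, and the sample file, its addresses and the function name check_cdest_limit are constructed for illustration.

```python
import re

MAX_CDEST = 2  # limit stated on this page: two content destinations per DTCP ADD
CDEST_HEADER = "x-jtap-cdest-dest-address"  # compared case-insensitively

# Constructed sample parameter file (assumed layout, documentation addresses).
SAMPLE = """\
ADD DTCP/0.7
Csource-ID: ftap
Source-Address: 198.51.100.10
X-JTap-Cdest-Dest-Address: 192.0.2.1
X-JTap-Cdest-Dest-Address: 192.0.2.2

ADD DTCP/0.7
Csource-ID: ftap
Source-Address: 198.51.100.20
X-JTAP-CDEST-DEST-ADDRESS: 192.0.2.1
X-JTAP-CDEST-DEST-ADDRESS: 192.0.2.2
X-JTAP-CDEST-DEST-ADDRESS: 2001:db8::3
"""


def check_cdest_limit(text, limit=MAX_CDEST):
    """Return the ADD messages that carry more than `limit` content destinations.

    Each entry is {"line": line number of the ADD request line,
                   "dests": content destination addresses in that message}.
    """
    messages, current = [], None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if re.match(r"ADD\s+DTCP/", line, re.IGNORECASE):
            # A new ADD request line starts a new message.
            current = {"line": line_no, "dests": []}
            messages.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only so IPv6 values stay intact.
            name, value = line.split(":", 1)
            if name.strip().lower() == CDEST_HEADER:
                current["dests"].append(value.strip())
    return [m for m in messages if len(m["dests"]) > limit]


if __name__ == "__main__":
    for msg in check_cdest_limit(SAMPLE):
        print(f"ADD at line {msg['line']}: {len(msg['dests'])} content "
              f"destinations (limit {MAX_CDEST}); expect a 400 BAD request")
```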
The FlowTapLite service [edit services flow-tap] and the RADIUS flow-tap service [edit services radius-flow-tap] cannot run simultaneously on the router. Consequently, you cannot run both FlowTapLite and subscriber secure policy mirroring at the same time on the same router. Starting in Junos OS Release 17.3R1, FlowTapLite and subscriber secure policy mirroring can run concurrently on the same MX Series router.