Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring FlowTapLite on MX Series Routers

FlowTapLite, which is a lighter version of the FlowTap application, is available on MX Series routers. All of the functionality resides in the Packet Forwarding Engine rather than in a service PIC or Dense Port Concentrator (DPC). To see which routers and line cards support this feature, see Support for FlowTapLite.

FlowTapLite supports the sampling of circuit cross connect (CCC) traffic. DTCP/0.8 is required to specify X-JTap-Filter-Family ccc. L3 parameters cannot be included in a DTCP/0.8 ADD request containing X-JTap-Filter-Family. To see which routers support this feature, seeFlowTapLite support for circuit cross connect traffic.

FlowTapLite uses the same DTCP-SSH architecture to install the Dynamic Tasking Control Protocol (DTCP) filters and authenticate the users as the original flow-tap application and supports up to 3000 filters per chassis.

Note:

The original FlowTap application and FlowTapLite cannot be used at the same time.

To configure FlowTapLite, include the flow-tap statement at the [edit services] hierarchy level:

If you do not specify a family, FlowTapLite is applied only to IPv4 traffic. FlowTapLite can be applied to circuit cross connect traffic (ccc). DTCP/0.8 is required to specify X-JTap-Filter-Family ccc. L3 parameters cannot be included in a DTCP/0.8 ADD request containing X-JTap-Filter-Family.

For the Packet Forwarding Engine to encapsulate the intercepted packet, it must send the packet to a tunnel logical (vt-) interface. You need to allocate a tunnel interface and assign it to the dynamic flow capture process for FlowTapLite to use. To create the tunnel interface, include the following configuration:

Note:

Currently FlowTapLite supports only one tunnel interface per instance.

To configure the logical interfaces and assign them to the dynamic flow capture process, include the following configuration:

Note:

If a service PIC is available, you can use its tunnel interface for the same purpose.
Note:

If you do not include the family inet6 statement in the configuration, IPv6 flows are not intercepted.
Note:

With FlowTapLite configured and traceoptions enabled, if you add more than two content destinations by including the X-JTAP- CDEST-DEST-ADDRESS line in the Dynamic Tasking Control Protocol (DTCP) parameter file and initiate a DTCP session by sending a DTCP ADD message, a 400 BAD request message is received. Although you can specify more than two content destinations in the DTCP file that is sent from the mediation device, this error message occurs when the DTCP ADD message is sent. This behavior is expected with more than two content destinations. You must specify only two content destinations per DTCP ADD message.

FlowTapLite and subscriber secure policy mirroring are supported to run concurrently on the same MX Series router. To see which routers support this feature, see: Concurrent subscriber secure policy and FlowTapLite.

Related Documentation

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
17.3R1
FlowTapLite and subscriber secure policy mirroring are supported to run concurrently on the same MX Series router.
17.2R1
FlowTapLite supports the sampling of circuit cross connect (CCC) traffic.