Configuring FlowTapLite on MX Series Routers and M320 Routers with FPCs
FlowTapLite, which is a lighter version of the FlowTap application, is available on MX Series routers and also on M320 routers with Enhanced III Flexible PIC Concentrators (FPCs). All of the functionality resides in the Packet Forwarding Engine rather than in a service PIC or Dense Port Concentrator (DPC). To see which routers and line cards support this feature, see Support for FlowTapLite.
Starting in Junos OS
Release 17.2R1, FlowTapLite supports the sampling of circuit cross connect (CCC)
traffic. DTCP/0.8 is required to specify X-JTap-Filter-Family ccc. L3
parameters cannot be included in a DTCP/0.8 ADD request containing
X-JTap-Filter-Family. To see which routers support this feature, seeFlowTapLite support for circuit cross connect
traffic.
On M320 routers only, if the replacement of FPCs results in a mode change, you must restart the dynamic flow capture process manually by disabling and then re-enabling the CLI configuration.
FlowTapLite uses the same DTCP-SSH architecture to install the Dynamic Tasking Control Protocol (DTCP) filters and authenticate the users as the original flow-tap application and supports up to 3000 filters per chassis.
The original FlowTap application and FlowTapLite cannot be used at the same time.
To configure FlowTapLite, include the flow-tap statement at the
[edit services] hierarchy level:
flow-tap { tunnel-interface interface-name; }
If you do not specify a family, FlowTapLite is applied only to IPv4 traffic. Starting in Junos OS release 17.2R1, FlowTapLite can be applied to circuit cross connect traffic (ccc). DTCP/0.8 is required to specify X-JTap-Filter-Family ccc. L3 parameters cannot be included in a DTCP/0.8 ADD request containing X-JTap-Filter-Family.
For the Packet Forwarding Engine to encapsulate the intercepted packet, it must send the
packet to a tunnel logical (vt-) interface. You need to allocate a
tunnel interface and assign it to the dynamic flow capture process for FlowTapLite to
use. To create the tunnel interface, include the following configuration:
chassis {
fpc number {
pic number {
tunnel-services {
bandwidth (1g | 10g);
}
}
}
}
Currently FlowTapLite supports only one tunnel interface per instance.
To configure the logical interfaces and assign them to the dynamic flow capture process, include the following configuration:
interfaces {
vt-fpc/pic/port {
unit 0 {
family inet;
family inet6;
}
}
}
If a service PIC or DPC is available, you can use its tunnel interface for the same purpose.
If you do not include the family inet6 statement in the
configuration, IPv6 flows are not intercepted.
With FlowTapLite configured and traceoptions enabled, if you add more than two
content destinations by including the X-JTAP- CDEST-DEST-ADDRESS line in the Dynamic
Tasking Control Protocol (DTCP) parameter file and initiate a DTCP session by
sending a DTCP ADD message, a 400 BAD request message is received.
Although you can specify more than two content destinations in the DTCP file that is
sent from the mediation device, this error message occurs when the DTCP ADD message
is sent. This behavior is expected with more than two content destinations. You must
specify only two content destinations per DTCP ADD message.
Prior to Junos OS Release 17.3R1, the FlowTapLite service [edit services
flow-tap] and the RADIUS flow-tap service [edit services
radius-flow-tap] cannot run simultaneously on the router. Consequently, you
cannot run both FlowTapLite and subscriber secure policy mirroring at the same time on
the same router. Starting in Junos OS Release 17.3R1, FlowTapLite and subscriber secure
policy mirroring are supported to run concurrently on the same MX Series router. To see
which routers support this feature, see: Concurrent subscriber secure policy and
FlowTapLite.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.