Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Configuring Junos Packet Vision on MX, M and T Series Routers

This topic explains Junos Packet Vision (previously known as Flow-Tap) configuration.

Configuring the Junos Packet Vision Interface

To configure an adaptive services interface for flow-tap service, include the interface statement at the [edit services flow-tap] hierarchy level:

You can assign any Adaptive Services or Multiservices PIC in the active monitoring router for Junos Packet Vision, and use any logical unit on the PIC.

You can specify the type of traffic for which you want to apply the Junos Packet Vision service by including the family inet | inet6 statement. If the family statement is not included, the Junos Packet Vision service is, by default, applied to the IPv4 traffic. To apply Junos Packet Vision service to IPv6 traffic, you must include the family inet6 statement in the configuration. To enable the Junos Packet Vision service for IPv4 and IPv6 traffic, you must explicitly configure the family statement for both inet and inet6 families.

Note:

You cannot configure Junos Capture Vision (previously known as dynamic flow capture) and Junos Packet Vision services on the same router simultaneously.

You must also configure the logical interface at the [edit interfaces] hierarchy level:

Note:

If you do not include the family inet6 statement in the configuration, IPv6 flows are not intercepted. Note that the Flow-Tap solution did not support IPv6.

Strengthening Junos Packet Vision Security

You can add an extra level of security to Dynamic Tasking Control Protocol (DTCP) transactions between the mediation device and the router by enabling DTCP sessions on top of the SSH layer. To configure SSH settings, include the flow-tap-dtcp statement at the [edit system services] hierarchy level:

To configure client permissions for viewing and modifying Junos Packet Vision configurations and for receiving tapped traffic, include the permissions statement at the [edit system login class class-name] hierarchy level:

The permissions needed to use Junos Packet Vision features are as follows:

  • flow-tap—Can view Junos Packet Vision configuration

  • flow-tap-control—Can modify Junos Packet Vision configuration

  • flow-tap-operation—Can tap flows

You can also specify user permissions on a RADIUS server, for example:

Starting in Junos OS Release 16.2, MX Series routers can process mediation device DTCP ADD requests that contain up to 15 source-destination port pairs. Multiple source-destination port pairs must be separated by commas. For example:

For details on [edit system] and RADIUS configuration, see the User Access and Authentication Administration Guide.

Restrictions on Junos Packet Vision Services

The following restrictions apply to Junos Packet Vision services:

  • You cannot configure Junos Capture Vision and Junos Packet Vision features on the same router simultaneously.

  • On routers that support LMNR-based FPCs, you cannot configure the Junos Packet Vision for IPv6 along with port mirroring or sampling of IPv6 traffic. This restriction applies even if the router does not have any LMNR-based FPC installed in it. However, there is no restriction on configuring Junos Packet Vision on routers that are configured for port mirroring or sampling of IPv4 traffic.

  • Junos Packet Vision does not support interception of MPLS and virtual private LAN service (VPLS).

  • Junos Packet Vision cannot intercept Address Resolution Protocol (ARP) and other Layer 2 exceptions.

  • IPv4 and IPv6 intercept filters can coexist on a system, subject to a combined maximum of 100 filters.

  • When Junos Capture Vision process or the Adaptive Services or Multiservices PIC configured for Junos Packet Vision restarts, all filters are deleted and the mediation devices are disconnected.

  • Only the first fragment of an IPv4 fragmented packet stream is sent to the content destination.

  • Port mirroring might not work in conjunction with Junos Packet Vision.

  • Running the Junos Packet Vision over an IPsec tunnel on the same router can cause packet loops and is not supported.

  • M10i routers do not support the standard Junos Packet Vision, but do support FlowTapLite (see Configuring FlowTapLite on MX Series Routers and M320 Routers with FPCs). Junos Packet Vision and FlowTapLite cannot be configured simultaneously on the same chassis.

  • PIC-based flow-tap is not supported on M7i and M10i routers equipped with an Enhanced Compact Forwarding Engine Board (CFEB-E).

  • You cannot configure Junos Packet Vision on channelized interfaces.

Related Documentation

Release History Table
Release
Description
16.2
Starting in Junos OS Release 16.2, MX Series routers can process mediation device DTCP ADD requests that contain up to 15 source-destination port pairs. Multiple source-destination port pairs must be separated by commas.