Configuring Junos Packet Vision on MX, M and T Series Routers
This topic explains Junos Packet Vision (previously known as Flow-Tap) configuration.
Configuring the Junos Packet Vision Interface
To configure an adaptive services interface for flow-tap service, include the interface statement at the [edit services flow-tap] hierarchy level:
interface sp-fpc/pic/port.unit-number;
You can assign any Adaptive Services or Multiservices PIC in the active monitoring router for Junos Packet Vision, and use any logical unit on the PIC.
You can specify the type of traffic for which you want to apply the Junos Packet Vision service by including the family inet | inet6 statement. If the family statement is not included, the Junos Packet Vision service is applied to IPv4 traffic by default. To apply the Junos Packet Vision service to IPv6 traffic, you must include the family inet6 statement in the configuration. To enable the Junos Packet Vision service for both IPv4 and IPv6 traffic, you must explicitly configure the family statement for both the inet and inet6 families.
You cannot configure Junos Capture Vision (previously known as dynamic flow capture) and Junos Packet Vision services on the same router simultaneously.
You must also configure the logical interface at the [edit interfaces] hierarchy level:
interface sp-fpc/pic/port {
    unit logical-unit-number {
        family inet;
        family inet6;
    }
}
If you do not include the family inet6 statement in the configuration, IPv6 flows are not intercepted. Note that the Flow-Tap solution did not support IPv6.
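The two statements above (the flow-tap interface under [edit services flow-tap] and the logical interface under [edit interfaces]) combined into one configuration that intercepts both IPv4 and IPv6 flows. This is an added example, not configuration from the Juniper page; the PIC location sp-1/2/0 and logical unit 0 are assumed values.

```junos
/* Added example, not from the Juniper page.
   Assumed values: Multiservices PIC at sp-1/2/0, logical unit 0. */
services {
    flow-tap {
        /* The Junos Packet Vision service runs on this sp- logical interface. */
        interface sp-1/2/0.0;
        /* Both families must be listed explicitly; with no family statement
           only IPv4 is intercepted, and inet6 alone would intercept only IPv6. */
        family inet;
        family inet6;
    }
}
interfaces {
    sp-1/2/0 {
        unit 0 {
            /* The logical unit used above must carry both families, otherwise
               IPv6 flows are not intercepted even though inet6 is set under flow-tap. */
            family inet;
            family inet6;
        }
    }
}
```

The common misconfiguration is to enable family inet6 in one of the two places only; check both the [edit services flow-tap] and the [edit interfaces sp-1/2/0 unit 0] hierarchies when IPv6 intercepts are expected but not delivered.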
Strengthening Junos Packet Vision Security
You can add an extra level of security to Dynamic Tasking Control Protocol (DTCP) transactions between the mediation device and the router by enabling DTCP sessions on top of the SSH layer. To configure SSH settings, include the flow-tap-dtcp statement at the [edit system services] hierarchy level:
flow-tap-dtcp {
    ssh {
        connection-limit value;
        rate-limit value;
    }
}
To configure client permissions for viewing and modifying Junos Packet Vision configurations and for receiving tapped traffic, include the permissions statement at the [edit system login class class-name] hierarchy level:
permissions [permissions];
The permissions needed to use Junos Packet Vision features are as follows:
flow-tap—Can view Junos Packet Vision configuration
flow-tap-control—Can modify Junos Packet Vision configuration
flow-tap-operation—Can tap flows
You can also specify user permissions on a RADIUS server, for example:
Bob Auth-Type := Local, User-Password == "abc123"
    Juniper-User-Permissions = "flow-tap-operation"
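The flow-tap-dtcp and permissions statements above combined into one configuration that runs DTCP over SSH with session limits and separates the view, control and tap permissions into distinct login classes. This is an added example, not configuration from the Juniper page; the limit values, the class names mediation-operator and flow-tap-admin, the user name mediation1 and the SSH key are assumed placeholders.

```junos
/* Added example, not from the Juniper page. Limit values, class names,
   user name and the SSH public key are assumed placeholders. */
system {
    services {
        flow-tap-dtcp {
            ssh {
                /* Cap on concurrent DTCP-over-SSH sessions from mediation devices. */
                connection-limit 5;
                /* Cap on the rate of new DTCP-over-SSH connection attempts. */
                rate-limit 3;
            }
        }
    }
    login {
        /* Mediation-device accounts: may view the configuration and tap flows,
           but cannot change the Junos Packet Vision configuration. */
        class mediation-operator {
            permissions [ flow-tap flow-tap-operation ];
        }
        /* Administrator accounts: may view and modify the configuration,
           but receive no tapped traffic. */
        class flow-tap-admin {
            permissions [ flow-tap flow-tap-control ];
        }
        user mediation1 {
            class mediation-operator;
            authentication {
                /* Placeholder key; replace with the mediation device's real public key. */
                ssh-rsa "ssh-rsa AAAA...PLACEHOLDER mediation1@example.net";
            }
        }
    }
}
```

Splitting flow-tap-control and flow-tap-operation across two classes keeps the account that receives intercepted traffic from also being able to edit the intercept configuration; a single class holding all three permissions is possible but grants more than either role needs.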
Starting in Junos OS Release 16.2, MX Series routers can process mediation device DTCP ADD requests that contain up to 15 source-destination port pairs. Multiple source-destination port pairs must be separated by commas. For example:
ADD DTCP/0.7
Csource-ID: ftap
Cdest-ID: cd2
Source-Port: 2000,8001,4000,5000,6000,6001,6002
Dest-Port: 2000,9001,4000,5000,6000,9000
For details on [edit system] and RADIUS configuration, see the User Access and Authentication Administration Guide.
Restrictions on Junos Packet Vision Services
The following restrictions apply to Junos Packet Vision services:
You cannot configure Junos Capture Vision and Junos Packet Vision features on the same router simultaneously.
On routers that support LMNR-based FPCs, you cannot configure Junos Packet Vision for IPv6 along with port mirroring or sampling of IPv6 traffic. This restriction applies even if the router does not have any LMNR-based FPC installed. However, there is no restriction on configuring Junos Packet Vision on routers that are configured for port mirroring or sampling of IPv4 traffic.
Junos Packet Vision does not support interception of MPLS and virtual private LAN service (VPLS).
Junos Packet Vision cannot intercept Address Resolution Protocol (ARP) and other Layer 2 exceptions.
IPv4 and IPv6 intercept filters can coexist on a system, subject to a combined maximum of 100 filters.
When the Junos Capture Vision process or the Adaptive Services or Multiservices PIC configured for Junos Packet Vision restarts, all filters are deleted and the mediation devices are disconnected.
Only the first fragment of an IPv4 fragmented packet stream is sent to the content destination.
Port mirroring might not work in conjunction with Junos Packet Vision.
Running Junos Packet Vision over an IPsec tunnel on the same router can cause packet loops and is not supported.
M10i routers do not support the standard Junos Packet Vision, but do support FlowTapLite (see Configuring FlowTapLite on MX Series Routers and M320 Routers with FPCs). Junos Packet Vision and FlowTapLite cannot be configured simultaneously on the same chassis.
PIC-based flow-tap is not supported on M7i and M10i routers equipped with an Enhanced Compact Forwarding Engine Board (CFEB-E).
You cannot configure Junos Packet Vision on channelized interfaces.