Example: Configuring IPv6 Support for FlowTapLite on an M120 Router With Enhanced III FPCs

This example describes how to configure IPv6 support for FlowTapLite on an M120 router with Enhanced III FPCs. The configuration is similar on an M320 router with Enhanced III FPCs and on MX Series routers. However, because MX Series routers do not support Tunnel Services PICs, on an MX Series router you configure a DPC and the corresponding Packet Forwarding Engine to provide tunnel services at the [edit chassis] hierarchy level.

With Junos OS Release 10.1, the FlowTapLite service supports lawful interception of IPv6 packets; previously only interception of IPv4 packets was supported. The intercepted packets are sent to a content destination, while the flow of original packets to the actual destination is unaffected.

A mediation device installs dynamic filters on the router, which acts as the DTCP server, by sending DTCP requests. Each filter carries the quintuple (source address, destination address, source port, destination port, and protocol) of the flow to be intercepted and the details (IP address and port) of the content destination that receives the intercepted copies.

Below is an example of such a filter:

Following are descriptions of the parameters in the dynamic filter:

  • Csource-ID—The username configured in the router at the [edit system login user] hierarchy level.

  • Cdest-ID—The content destination identifier.

  • Source-Address, Dest-Address, Source-Port, Dest-Port, Protocol—Parameters that determine which packet flows need to be intercepted.

  • X-JTap-Input-Interface—The interface on which the flows to be intercepted enter the router. Which scope parameter is present determines the type of filter installed: X-JTap-Input-Interface installs an input interface filter, X-JTap-Output-Interface installs an output interface filter, X-JTap-VRF-NAME installs a VRF filter, and a request with none of these installs a global filter.

  • X-JTap-Cdest-Dest—All parameters that start with this string specify different parameters associated with the content destination.

  • X-JTap-IP-Version—Differentiates between IPv6 and IPv4 filters.
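As an added example that is not part of this page or of Junos OS, the following Python script shows a router-side sanity check of an ADD filter request carrying the parameters described above: the quintuple must be complete and well formed, the addresses must agree with X-JTap-IP-Version, at most one scope parameter (input interface, output interface, or VRF) may be present, and the content destination must be given. The DTCP request line ("ADD DTCP/0.7"), the value ipv6 for X-JTap-IP-Version, and the names X-JTap-Cdest-Dest-Address and X-JTap-Cdest-Dest-Port are assumptions; the sample request is constructed for the example.

```python
import ipaddress

# Header names from the page, compared case-insensitively because the page
# itself spells them both "Csource-ID" and "CSource-Id".
QUINTUPLE = ("source-address", "dest-address", "source-port", "dest-port", "protocol")
SCOPE = ("x-jtap-input-interface", "x-jtap-output-interface", "x-jtap-vrf-name")
# Assumed names for the content-destination fields (page only gives the prefix).
CDEST = ("x-jtap-cdest-dest-address", "x-jtap-cdest-dest-port")


def parse_dtcp(text):
    """Split a DTCP request into (method, headers); header names are lowercased."""
    lines = text.strip().splitlines()
    method = lines[0].split()[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def _network(value, want_v6):
    """Parse an address or prefix and check it matches the declared IP version."""
    net = ipaddress.ip_network(value, strict=False)
    if (net.version == 6) != want_v6:
        raise ValueError(f"{value} is not IPv{6 if want_v6 else 4}")
    return net


def _int_in_range(value, low, high, what):
    n = int(value)
    if not low <= n <= high:
        raise ValueError(f"{what} {n} out of range {low}-{high}")
    return n


def validate_add(text):
    """Return a list of problems with an ADD request; an empty list means acceptable."""
    problems = []
    method, h = parse_dtcp(text)
    if method.upper() != "ADD":
        return [f"expected ADD, got {method}"]
    if "csource-id" not in h or "cdest-id" not in h:
        problems.append("Csource-ID and Cdest-ID are required")
    missing = [k for k in QUINTUPLE if k not in h]
    if missing:
        problems.append("missing quintuple fields: " + ", ".join(missing))
        return problems
    # Absent X-JTap-IP-Version is treated as an IPv4 filter (assumption).
    want_v6 = h.get("x-jtap-ip-version", "ipv4").lower() in ("ipv6", "6")
    for key in ("source-address", "dest-address"):
        try:
            _network(h[key], want_v6)
        except ValueError as e:
            problems.append(f"{key}: {e}")
    for key in ("source-port", "dest-port"):
        try:
            _int_in_range(h[key], 0, 65535, key)
        except ValueError as e:
            problems.append(str(e))
    try:
        _int_in_range(h["protocol"], 0, 255, "protocol")
    except ValueError as e:
        problems.append(str(e))
    if len([k for k in SCOPE if k in h]) > 1:
        problems.append("only one of input-interface, output-interface or VRF scope may be given")
    for key in CDEST:
        if key not in h:
            problems.append(f"content destination field {key} is missing")
    if "x-jtap-cdest-dest-address" in h:
        try:
            ipaddress.ip_address(h["x-jtap-cdest-dest-address"])
        except ValueError:
            problems.append("content destination address is not a valid IP address")
    return problems


# Constructed sample request; header syntax is assumed, not taken from the page.
SAMPLE_ADD_V6 = """ADD DTCP/0.7
Csource-ID: ftap
Cdest-ID: cd1
Source-Address: 2001:db8:1::10
Dest-Address: 2001:db8:2::/64
Source-Port: 1024
Dest-Port: 80
Protocol: 6
X-JTap-Input-Interface: ge-1/0/0.0
X-JTap-IP-Version: ipv6
X-JTap-Cdest-Dest-Address: 192.0.2.50
X-JTap-Cdest-Dest-Port: 8001
Seq: 1
"""

if __name__ == "__main__":
    print(validate_add(SAMPLE_ADD_V6) or "request is well formed")
```

The check deliberately rejects a request that names both an input and an output interface, because a filter whose scope is ambiguous is exactly the kind of request that should be bounced back to the mediation device rather than installed.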

From the Packet Forwarding Engine console, you can verify that the filters are installed and working correctly.

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 10.1 or later

  • M120 router with a tunnel (vt) interface

Before you configure IPv6 FlowTapLite on your router, be sure you have:

  • A tunnel PIC that is up

  • A connection from the router to the mediation device and the content destination

  • Traffic flow to and from the router

Overview and Topology

Figure 1 shows the FlowTapLite configuration for one M120 router to lawfully intercept packets.

Topology

Figure 1: FlowTapLite Topology

In this example, the IPv6 packets enter the Packet Forwarding Engine and, depending on the filters installed, a new flow is created for the intercepted packets while the original packets are forwarded normally. The new flow is rerouted through the tunnel PIC back to the Packet Forwarding Engine for a route lookup, and then on to the content destination.

Configuration

CLI Quick Configuration

To quickly configure IPv6 FlowTapLite, copy the following commands and paste them into the CLI:

Configuring User Credentials

Step-by-Step Procedure

The username and password configured here are used by the mediation device when connecting and sending out DTCP requests.

  1. Define a login class called flowtap:

  2. For the mediation device, configure a user called ftap with a unique identifier (UID):

  3. Apply the flowtap class to the ftap user:

  4. Configure the encrypted password used by the mediation device:

  5. Commit the configuration:

Enabling SSH for DTCP Sessions

Step-by-Step Procedure

You can add an extra level of security to DTCP transactions between the mediation device and the router by running the DTCP sessions over SSH, so that the requests, which identify the intercept targets, are not exchanged in the clear.

  1. Configure SSH from the [edit system] hierarchy level:

  2. Commit the configuration:

Configuring the Logical Tunnel Interface

Step-by-Step Procedure

  1. Configure the logical tunnel interface used by the dynamic flow capture process (dfcd) at the [edit interfaces] hierarchy level:

  2. Include the family inet6 statement, which is mandatory for intercepting IPv6 packets:

  3. Commit the configuration:

Configuring FlowTapLite

Step-by-Step Procedure

  1. Include the flow-tap statement and the tunnel interface at the [edit services] hierarchy level:

  2. Commit the configuration:

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly, perform the following tasks:

Verifying That the Router Received the Filter Request

Purpose

After the mediation device sends a filter request, it must receive a message from the router confirming that the router accepted the request.

Action

Check that the mediation device has received a message similar to the one below:

Meaning

The message above is an example of a successfully received filter request.

Checking That Filters Are Installed and Working on the Router

Purpose

To confirm that the filters are installed in the Packet Forwarding Engine and that the intercepted traffic is matching them.
Action

From the Packet Forwarding Engine console, use the show filter and show filter index commands to check that the filters are installed and are matching traffic:

Meaning

The last four filters in the output for the show filter command above are the filters installed on the Packet Forwarding Engine. The show filter index command shows a non-zero packet count, indicating that the packets are hitting the filter.

Sending a List Request

Purpose

To verify that the correct filters are installed in the Packet Forwarding Engine.

Action

Use the DTCP client software on the mediation device to send a list request to the router. A list request can include the CSource-Id, CDest-ID, and Criteria-ID parameters individually or together; the CSource-Id is mandatory in every request. Below is an example of a list request that uses only the CSource-Id:

Below is an example of a response:

You can also delete the request. Below is an example of a delete request:
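The following added example, which is not from this page or from any Juniper software, shows the mediation-device side of the exchange described in this section: building ADD, LIST and DELETE requests that all carry the Csource-ID, a strictly increasing Seq, and an Authentication-Info HMAC-SHA1 keyed on the ftap user's password, together with the matching router-side verification. The DTCP version string, the request and header layout beyond the parameter names listed on this page, and the exact bytes covered by the HMAC are assumptions; the credentials and addresses are constructed.

```python
import hashlib
import hmac

DTCP_VERSION = "DTCP/0.7"   # assumed version string
CRLF = "\r\n"


class DtcpClient:
    """Mediation-device side: builds ADD, LIST and DELETE requests.

    Each request ends with Seq (replay protection) and Authentication-Info,
    an HMAC-SHA1 over every preceding line keyed with the ftap password.
    Which bytes the real protocol covers with the HMAC is an assumption here.
    """

    def __init__(self, csource_id, password):
        self.csource_id = csource_id
        self.key = password.encode()
        self.seq = 0

    def _request(self, method, fields):
        self.seq += 1
        lines = [f"{method} {DTCP_VERSION}", f"Csource-ID: {self.csource_id}"]
        lines += [f"{name}: {value}" for name, value in fields]
        lines.append(f"Seq: {self.seq}")
        body = CRLF.join(lines) + CRLF
        mac = hmac.new(self.key, body.encode(), hashlib.sha1).hexdigest()
        return body + f"Authentication-Info: {mac}" + CRLF + CRLF

    def add_ipv6(self, cdest_id, src, dst, sport, dport, proto,
                 cdest_addr, cdest_port, input_interface=None):
        """ADD request for an IPv6 flow; omit input_interface for a global filter."""
        fields = [("Cdest-ID", cdest_id), ("Source-Address", src), ("Dest-Address", dst),
                  ("Source-Port", sport), ("Dest-Port", dport), ("Protocol", proto),
                  ("X-JTap-IP-Version", "ipv6"),
                  # Content-destination field names are assumed (page gives only the prefix).
                  ("X-JTap-Cdest-Dest-Address", cdest_addr),
                  ("X-JTap-Cdest-Dest-Port", cdest_port)]
        if input_interface:
            fields.append(("X-JTap-Input-Interface", input_interface))
        return self._request("ADD", fields)

    def list_filters(self, cdest_id=None, criteria_id=None):
        """LIST request; Csource-ID is always present, the other two are optional."""
        fields = []
        if cdest_id:
            fields.append(("Cdest-ID", cdest_id))
        if criteria_id is not None:
            fields.append(("Criteria-ID", criteria_id))
        return self._request("LIST", fields)

    def delete(self, criteria_id):
        """DELETE request for one installed filter by its Criteria-ID."""
        return self._request("DELETE", [("Criteria-ID", criteria_id)])


def verify_request(message, password):
    """Router side: recompute the HMAC over the covered lines, compare in constant time."""
    head, sep, tail = message.partition("Authentication-Info: ")
    if not sep:
        return False
    presented = tail.split(CRLF, 1)[0]
    expected = hmac.new(password.encode(), head.encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    client = DtcpClient("ftap", "example-password")          # constructed credentials
    req = client.add_ipv6("cd1", "2001:db8:1::10", "2001:db8:2::20", 1024, 80, 6,
                          "192.0.2.50", 8001, "ge-1/0/0.0")
    print(req, verify_request(req, "example-password"))
```

Because the HMAC covers the Seq line, a replayed or altered request fails verification; the router still needs to track the last accepted Seq per Csource-ID to reject an unmodified replay, which this example leaves to the server.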