Configuring Flow-Tap Security Properties on MX, M and T Series Routers
You can add an extra level of security to DTCP transactions between the mediation device and the router by enabling DTCP sessions on top of the SSH layer. To configure, include the flow-tap-dtcp statement at the [edit system services] hierarchy level:

    flow-tap-dtcp {
        ssh {
            connection-limit value;
            rate-limit value;
        }
    }

To configure client permissions for viewing and modifying flow-tap configurations and for receiving tapped traffic, include the permissions statement at the [edit system login class class-name] hierarchy level:

    permissions [ permissions ];

The permissions needed to use flow-tap features are as follows:
flow-tap—Can view flow-tap configuration.
flow-tap-control—Can modify flow-tap configuration.
flow-tap-operation—Can tap flows.
You can also specify user permissions on a RADIUS server, for example:

    Bob    Auth-Type := Local, User-Password == "abc123"
           Juniper-User-Permissions = "flow-tap-operation"

For details on [edit system] and RADIUS configuration, see the Junos System Basics Configuration Guide.
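
The following audit sketch is an added example, not part of the original Juniper documentation: it reads configuration text in `display set` form and reports which local users hold the flow-tap permissions listed above and whether DTCP over SSH is configured with explicit limits. The function name `audit_flow_tap`, the class and user names, and the sample configuration are constructed for illustration.

```python
# Constructed sample of `show configuration | display set` output (not from the page).
SAMPLE_CONFIG = """\
set system login class ft-class permissions flow-tap-operation
set system login class ft-admin permissions [ flow-tap flow-tap-control ]
set system login class noc permissions view
set system login user mediation1 class ft-class
set system login user alice class ft-admin
set system login user bob class noc
set system services flow-tap-dtcp ssh connection-limit 5
set system services flow-tap-dtcp ssh rate-limit 5
"""

# The three permissions the page names for flow-tap features.
FLOW_TAP_PERMS = {"flow-tap", "flow-tap-control", "flow-tap-operation"}


def audit_flow_tap(config_text):
    """Return flow-tap permission holders, DTCP-over-SSH settings and findings."""
    class_perms = {}  # login class -> flow-tap permissions it grants
    user_class = {}   # local user -> login class
    dtcp_ssh = {"enabled": False, "connection-limit": None, "rate-limit": None}
    for line in config_text.splitlines():
        # Bracketed lists and single values are both reduced to plain tokens.
        tok = line.replace("[", " ").replace("]", " ").split()
        if tok[:4] == ["set", "system", "login", "class"] and tok[5:6] == ["permissions"]:
            granted = FLOW_TAP_PERMS.intersection(tok[6:])
            if granted:
                class_perms.setdefault(tok[4], set()).update(granted)
        elif tok[:4] == ["set", "system", "login", "user"] and tok[5:6] == ["class"] and len(tok) > 6:
            user_class[tok[4]] = tok[6]
        elif tok[:5] == ["set", "system", "services", "flow-tap-dtcp", "ssh"]:
            dtcp_ssh["enabled"] = True
            if len(tok) == 7 and tok[5] in ("connection-limit", "rate-limit"):
                dtcp_ssh[tok[5]] = int(tok[6])
    holders = {u: sorted(class_perms[c]) for u, c in user_class.items() if c in class_perms}
    findings = []
    if not dtcp_ssh["enabled"]:
        findings.append("flow-tap-dtcp ssh is not configured")
    else:
        for key in ("connection-limit", "rate-limit"):
            if dtcp_ssh[key] is None:
                findings.append(f"flow-tap-dtcp ssh has no explicit {key}")
    return {"holders": holders, "dtcp_ssh": dtcp_ssh, "findings": findings}


if __name__ == "__main__":
    print(audit_flow_tap(SAMPLE_CONFIG))
```

The check covers only classes and users defined in the local configuration; permissions assigned through a RADIUS server, as in the Juniper-User-Permissions entry above, have to be reviewed on the RADIUS side.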