Operating Juniper Networks Routers in the Enterprise
Chapter 7: Services

Slides: 40

Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net

Chapter Objectives
§ After successfully completing this chapter, you will be able to:
  • Describe the services architecture
  • List common Layer 2 and Layer 3 services
  • Explain the purpose of MLPPP
  • Configure and monitor MLPPP
  • Explain the purpose of NAT and PAT
  • Configure and monitor NAT and PAT

Copyright © 2007 Juniper Networks, Inc. Education Services

Agenda: Services
→ Overview of Services and Services Architecture
§ Overview of MLPPP
§ Configuring and Monitoring MLPPP
§ Overview of NAT and PAT
§ Configuring and Monitoring NAT and PAT

Disclaimer!
§ Because of the flexibility and power of the services architecture, services can be complicated
  • Full coverage of the services architecture and the services offered in JUNOS software is outside the scope of this class
  • Our goal is to provide a basic understanding of the services architecture and some common configuration and monitoring examples
  • Students should attend the AJRE class for detailed coverage of the JUNOS software services found in the enterprise

Overview of Services
§ Layer 2 services:
  • MLPPP
  • MLFR
  • CRTP
§ Layer 3 services:
  • NAT and PAT
  • Stateful firewall
  • IPSec VPN
  • Intrusion detection

Services Interfaces
§ Services are provided by:
  • AS PIC
  • AS Module (M7i)
  • J-series software processes
  • Link Services PIC
  • Tunnel Services PIC
  • MultiServices PIC

MultiServices PIC and AS PIC Service Package
§ The MultiServices PIC and the AS PIC must be configured for either the Layer 2 or the Layer 3 service package under [edit chassis fpc fpc-slot pic pic-slot adaptive-services]:
    set service-package (layer-2 | layer-3)
§ Not required for the J-series software process or the AS Module (M7i)

J-series Services Architecture
§ Services are provided by a software instantiation of the M-series and T-series AS PIC
  • Manifested as a virtual service interface named sp-0/0/0
  • Handled as a real-time thread within the forwarding process
[Diagram: the control plane (JUNOS kernel) talks to the PFE (fwdd-unix) over a UNIX socket; inside the forwarding process, real-time forwarding and services threads (fwdd-rt, Services Thread) pass packets from the ingress PIM to the services interface as needed and on to the egress PIM]

Agenda: Services
§ Overview of Services and Services Architecture
→ Overview of MLPPP
§ Configuring and Monitoring MLPPP
§ Overview of NAT and PAT
§ Configuring and Monitoring NAT and PAT

What Is MLPPP?
§ MLPPP is:
  • A protocol that allows multiple PPP-based links to be combined between two devices (routers)
  • An extension to PPP (defined in RFC 1990)
  • A Layer 2 service offering in JUNOS software

Benefits of MLPPP
§ Benefits:
  • Creates a virtual link that provides greater bandwidth than the individual member links
  • Provides load balancing across member links by splitting, recombining, and sequencing datagrams across multiple logical data links

MLPPP Case Study: Symptom
§ Employees are complaining about unreliable connectivity between Site A and Site B
[Diagram: Site A and Site B, each with a LAN interface fe-0/0/1 (.1/24), connected through a service provider by a single T1 circuit on t1-1/0/0 (.1/30 and .2/30)]

MLPPP Case Study: Investigation
§ Investigation shows that the maximum capacity of the circuit is reached during peak hours and that packet drops are occurring
[Diagram: the same topology, with the single T1 between t1-1/0/0 at Site A and t1-1/0/0 at Site B marked as the bottleneck]

MLPPP Case Study: Solution
§ Increase bandwidth capacity between the sites by adding a second T1 circuit and using MLPPP
[Diagram: each site now has t1-1/0/0 and t1-1/0/1 bundled into ls-0/0/0.1 (.1/30 and .2/30); the LAN interfaces fe-0/0/1 (.1/24) are unchanged. T1 × 2 + MLPPP = one link with double the capacity]

Agenda: Services
§ Overview of Services and Services Architecture
§ Overview of MLPPP
→ Configuring and Monitoring MLPPP
§ Overview of NAT and PAT
§ Configuring and Monitoring NAT and PAT

Multilink PPP Configuration (1 of 2)
§ Logically bind one or more physical links to the bundle

R1 configuration:
    interfaces {
        ls-0/0/0 {
            unit 0 {
                family inet {
                    address 172.18.37.5/30;
                }
            }
        }
        se-1/0/0 {
            unit 0 {
                family mlppp {
                    bundle ls-0/0/0.0;
                }
            }
        }
        se-1/0/1 {
            unit 0 {
                family mlppp {
                    bundle ls-0/0/0.0;
                }
            }
        }
    }

R2 configuration:
    interfaces {
        ls-0/0/0 {
            unit 0 {
                family inet {
                    address 172.18.37.6/30;
                }
            }
        }
        se-1/0/0 {
            unit 0 {
                family mlppp {
                    bundle ls-0/0/0.0;
                }
            }
        }
        se-1/0/1 {
            unit 0 {
                family mlppp {
                    bundle ls-0/0/0.0;
                }
            }
        }
    }

Multilink PPP Configuration (2 of 2)
§ A bundle can have up to 8 member links
  • A bundle can have a minimum-links value specified
  • Identifies the threshold needed to maintain the bundle state
  • Value can be from 1 to 8, with a default value of 1

    user@host# set interfaces ls-0/0/0 unit 0 minimum-links ?
    Possible completions:
      <minimum-links>      Minimum number of links to sustain the bundle (1..8)

Pop Quiz: When would you set the minimum-links value to something other than the default value of 1?
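The two slides above describe what the bundle does (split, sequence and recombine datagrams across the member links) and the minimum-links threshold that keeps it up. The following is an added example, not JUNOS code, that models both: the sending side fragments each datagram, prepends the RFC 1990 multilink header (B and E flags plus a 24-bit sequence number in the long-sequence-number format) and sprays fragments round-robin over the active member links; the receiving side re-orders fragments that arrive out of order across links and discards fragments of a datagram that can no longer complete. The link names, fragment size and sample datagrams are constructed for illustration; sequence-number wrap-around is not modelled.

```python
"""RFC 1990 fragmentation, sequencing and reassembly model for an MLPPP bundle.
Added example, not JUNOS code; link names and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MP_BEGIN = 0x80          # B flag: first fragment of a datagram
MP_END = 0x40            # E flag: last fragment of a datagram
SEQ_MODULUS = 1 << 24    # long sequence number format (24 bits)


def encode_fragment(seq: int, begin: bool, end: bool, payload: bytes) -> bytes:
    """Multilink header (1 flag byte + 24-bit sequence number) followed by the payload."""
    flags = (MP_BEGIN if begin else 0) | (MP_END if end else 0)
    return bytes([flags]) + (seq % SEQ_MODULUS).to_bytes(3, "big") + payload


def decode_fragment(frag: bytes) -> Tuple[int, bool, bool, bytes]:
    flags, seq = frag[0], int.from_bytes(frag[1:4], "big")
    return seq, bool(flags & MP_BEGIN), bool(flags & MP_END), frag[4:]


@dataclass
class Bundle:
    """Sending side: the ls- interface, its member links and the minimum-links threshold."""
    links: List[str]
    minimum_links: int = 1            # same meaning as 'minimum-links' on the ls- unit
    fragment_size: int = 256
    next_seq: int = 0
    down: Set[str] = field(default_factory=set)   # member links currently down

    def active_links(self) -> List[str]:
        return [link for link in self.links if link not in self.down]

    def is_up(self) -> bool:
        # The bundle stays up only while at least minimum-links members are up.
        return len(self.active_links()) >= self.minimum_links

    def send(self, datagram: bytes) -> List[Tuple[str, bytes]]:
        """Fragment one datagram and assign the fragments round-robin to active links."""
        if not self.is_up():
            raise RuntimeError("bundle is down: fewer than minimum-links members are up")
        links = self.active_links()
        pieces = [datagram[i:i + self.fragment_size]
                  for i in range(0, len(datagram), self.fragment_size)] or [b""]
        out = []
        for i, piece in enumerate(pieces):
            frag = encode_fragment(self.next_seq, i == 0, i == len(pieces) - 1, piece)
            self.next_seq = (self.next_seq + 1) % SEQ_MODULUS
            out.append((links[i % len(links)], frag))
        return out


class Reassembler:
    """Receiving side: re-orders fragments by sequence number and detects lost ones."""

    def __init__(self, links: List[str]) -> None:
        self.pending: Dict[int, Tuple[bool, bool, bytes]] = {}
        self.last_seen = {link: -1 for link in links}   # highest seq delivered per link
        self.dropped = 0                                 # fragments discarded as unrecoverable

    def receive(self, link: str, frag: bytes) -> Optional[bytes]:
        seq, begin, end, payload = decode_fragment(frag)
        self.last_seen[link] = seq
        self.pending[seq] = (begin, end, payload)
        self._purge_lost()
        return self._assemble()

    def _purge_lost(self) -> None:
        # Each link delivers in order, so once every link has delivered seq >= m,
        # a still-missing fragment with seq < m will never arrive (RFC 1990 "M").
        m = min(self.last_seen.values())
        for seq in sorted(self.pending):
            if seq not in self.pending:
                continue
            if not self.pending[seq][0]:                  # not a begin fragment
                if seq - 1 not in self.pending and seq - 1 < m:
                    del self.pending[seq]                 # orphan of a lost datagram
                    self.dropped += 1
                continue
            s = seq
            while s in self.pending and not self.pending[s][1]:
                s += 1
            if s not in self.pending and s < m:           # gap that cannot be filled
                for k in range(seq, s):
                    del self.pending[k]
                    self.dropped += 1

    def _assemble(self) -> Optional[bytes]:
        for start in sorted(self.pending):
            if not self.pending[start][0]:
                continue
            parts, s = [], start
            while s in self.pending:
                _, end, payload = self.pending[s]
                parts.append(payload)
                if end:
                    for k in range(start, s + 1):
                        del self.pending[k]
                    return b"".join(parts)
                s += 1
        return None
```

The sender side is the part the CLI statements configure (which links are in the bundle, how many must be up); the receiver side is where a lost fragment on one member link shows up, which is why the counters on both member links in the next slide matter when a bundle is misbehaving.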

Monitoring MLPPP Member Links

    user@host> show interfaces ls-0/0/0
    Physical interface: ls-0/0/0, Enabled, Physical link is Up
    …
      Logical interface ls-0/0/0.0 (Index 68) (SNMP ifIndex 39)
        Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: Multilink-PPP
        Bandwidth: 16mbps
        Statistics        Frames      fps      Bytes      bps
        Bundle:
          Fragments:
            Input :         4090        0     372190        0
            Output:         3649        0     328410        0
          Packets:
            Input :         4093        0     343812        0
            Output:         3652        0     307950        0
        Link:
          se-1/0/0.0
            Input :         1041        0      94731        0
            Output:          840        0      75600        0
          se-1/0/1.0
            Input :         1041        0      94731        0
            Output:          840        0      75600        0
        NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
        Protocol inet, MTU: 1500
          Flags: None
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 172.18.37.4/30, Local: 172.18.37.5

The per-link counters under Link: show the two members carrying identical frame and byte counts, which is what load balancing across the bundle looks like when both links are healthy.

Agenda: Services
§ Overview of Services and Services Architecture
§ Overview of MLPPP
§ Configuring and Monitoring MLPPP
→ Overview of NAT and PAT
§ Configuring and Monitoring NAT and PAT

What Are NAT and PAT?
§ NAT is a mechanism that converts IP addresses from one address realm to another in a one-to-one mapping
§ PAT, also known as Network Address Port Translation (NAPT), translates addresses in a many-to-one fashion, using port numbers to distinguish individual sessions
§ Both NAT and PAT are typically used to translate private addresses to unique, globally routable addresses

Benefits of NAT and PAT
§ NAT and PAT provide the following benefits:
  • Conserve address space
  • Useful during mergers and ISP migration
  • Permit sharing of a single outside, global address

NAT and PAT Example (1 of 2)
§ Internet access requires a public, globally routable address
  • The router performs NAT services between the private and public address realms
[Diagram: a host at .100/24 in the private address realm, the router with .1/24 on the inside and .1/30 on the outside, and the provider at .2/30 in the public address realm, leading to the Internet]

NAT and PAT Example (2 of 2)
§ The private host address was translated to a public, globally routable address
  • The router maintains state for the session
  • The process is transparent to the host

[Diagram: Private/Inside 10.1.1.0/24 (host .100, router .1) | NAT/PAT | Public/Outside 201.1.8.0/30 (router .1, provider .2)]

    Inside Local (as sent by the host):
      SRC-IP 10.1.1.100   DST-IP 221.1.8.5   Protocol 6   SRC-Port 36033   DST-Port 80
    Outside Global (after translation):
      SRC-IP 201.1.8.1    DST-IP 221.1.8.5   Protocol 6   SRC-Port 1025    DST-Port 80

Only the source address and source port change; the router records the pair (10.1.1.100:36033 ↔ 201.1.8.1:1025) so that replies to port 1025 can be mapped back to the host.

NAT and PAT Address Assignment
§ Static address assignment:
  • One-to-one mapping between private and public addresses for the lifetime of the NAT operation
§ Dynamic address assignment:
  • Public addresses within a pool are dynamically assigned based on usage requirements
  • Once the session ends, the public address is returned to the pool and made available to other hosts that might require a public IP address

Application-Level Gateways
§ An ALG automatically takes action based on Layer 4 through Layer 7 information
  • Performs translation on addresses and ports carried in the payload
  • Updates the session table to allow the extra connections the application opens

ALG Example
§ Active FTP
  • Client contacts the server on TCP/21 (control connection)
  • Client listens for the data connection on an ephemeral port
  • Client sends the server a PORT command carrying its IP address and TCP port
  • Server opens the data connection to the IP address and port in the PORT command
[Diagram: Control Connection (client contacts server on TCP/21); Data Connection (server contacts client on an ephemeral TCP port)]

Without an ALG the PORT command would carry the client's private address and the server's data connection could never reach it; the FTP ALG rewrites the address and port in the payload and pre-opens the matching inbound session.
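The NAT and PAT example slides and the ALG example above describe the session state the router keeps and what an FTP ALG has to do to it. The following is an added example, not JUNOS code, that models both in one place: a PAT session table keyed on the 5-tuple (source dynamic translation with automatically assigned ports, as in the nat-out rule later in this chapter), the reverse lookup used for replies, port-pool exhaustion, and an FTP ALG that rewrites an active-mode PORT command and installs a pinhole for the server-initiated data connection. The addresses 10.1.1.100, 201.1.8.1 and 221.1.8.5 are the ones from the slides; the second client 10.1.1.101, the server 221.1.8.9 and the payloads are constructed. The ALG also refuses to open a pinhole for a PORT command that names a host other than the client, which is the FTP bounce case a practitioner would check for.

```python
"""PAT session table with an FTP ALG. Added example, not JUNOS code; addresses
beyond those on the slides (10.1.1.101, 221.1.8.9) and all payloads are constructed."""
import re
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    proto: int      # 6 = TCP, 17 = UDP, 1 = ICMP (for ICMP the identifier plays the port role)
    src: str
    sport: int
    dst: str
    dport: int


PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


class Napt:
    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1025, 65535)) -> None:
        self.public_ip = public_ip
        self.low, self.high = port_range
        self.next_port = self.low
        self.used: Set[Tuple[int, int]] = set()       # (proto, public port) currently in use
        self.sessions: Dict[Flow, Flow] = {}          # inside->outside 5-tuple : translated
        self.reverse: Dict[Flow, Flow] = {}           # reply as seen outside : reply delivered inside
        self.pinholes: Dict[Tuple[int, int], Tuple[str, int]] = {}   # (proto, pub port) -> inside

    def _alloc_port(self, proto: int) -> int:
        """Next free public port for this protocol; the pool is finite and can run out."""
        for _ in range(self.high - self.low + 1):
            p = self.next_port
            self.next_port = self.low if p == self.high else p + 1
            if (proto, p) not in self.used:
                self.used.add((proto, p))
                return p
        raise RuntimeError(f"PAT pool exhausted for protocol {proto}")

    def _open(self, inside: Flow, pub_port: int) -> Flow:
        """Install state for both directions of one session."""
        outside = replace(inside, src=self.public_ip, sport=pub_port)
        self.sessions[inside] = outside
        reply_outside = Flow(inside.proto, inside.dst, inside.dport, self.public_ip, pub_port)
        reply_inside = Flow(inside.proto, inside.dst, inside.dport, inside.src, inside.sport)
        self.reverse[reply_outside] = reply_inside
        return outside

    def outbound(self, f: Flow, payload: bytes = b"") -> Tuple[Flow, bytes]:
        """Inside -> outside: translate the source, reusing an existing session."""
        out = self.sessions.get(f) or self._open(f, self._alloc_port(f.proto))
        if f.proto == 6 and f.dport == 21:
            payload = self._ftp_alg(f, payload)
        return out, payload

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside. None means nothing to translate: no session or pinhole matched.
        A no-translation NAT term would then pass the packet through unchanged, not drop it."""
        if f in self.reverse:
            return self.reverse[f]
        key = (f.proto, f.dport)
        if f.dst != self.public_ip or key not in self.pinholes:
            return None
        inside_ip, inside_port = self.pinholes.pop(key)
        # Server-initiated data connection: open a session keyed on the inside endpoint.
        self._open(Flow(f.proto, inside_ip, inside_port, f.src, f.sport), f.dport)
        return self.reverse[f]

    def _ftp_alg(self, ctrl: Flow, payload: bytes) -> bytes:
        """Rewrite the address/port in an active-mode PORT command and pre-open the
        inbound data connection the server will make to the rewritten endpoint."""
        m = PORT_CMD.search(payload)
        if not m:
            return payload
        a, b, c, d, hi, lo = (int(x) for x in m.groups())
        if f"{a}.{b}.{c}.{d}" != ctrl.src:
            return payload      # PORT names another host (FTP bounce): no rewrite, no pinhole
        pub_port = self._alloc_port(6)
        self.pinholes[(6, pub_port)] = (ctrl.src, hi * 256 + lo)
        octets = self.public_ip.replace(".", ",").encode()
        new_cmd = b"PORT %s,%d,%d\r\n" % (octets, pub_port // 256, pub_port % 256)
        # A real ALG must also adjust TCP sequence numbers when the payload length changes.
        return payload[:m.start()] + new_cmd + payload[m.end():]
```

The first outbound web flow from 10.1.1.100:36033 comes out as 201.1.8.1:1025, exactly the translation shown two slides earlier, and the server's reply to port 1025 is mapped back by the reverse table. The pinhole is consumed by the first matching inbound connection, so a server cannot reuse it later.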

Agenda: Services
§ Overview of Services and Services Architecture
§ Overview of MLPPP
§ Configuring and Monitoring MLPPP
§ Overview of NAT and PAT
→ Configuring and Monitoring NAT and PAT

Building Blocks of NAT and PAT
§ NAT configuration:
  • Define the services interface
  • Create the NAT pool
  • Define the NAT rules
  • Create the service set
§ NAT application:
  • Apply the service set to the interface performing NAT

Sample NAT and PAT Topology
[Diagram: Inside (Trusted) subnet 10.222.101.0/24 on London fe-2/0/1 (.1); London se-1/0/0 (.5) connects to Tokyo se-1/0/1 (.6) across 172.18.37.4/30 on the Outside (Untrusted) side; loopbacks lo0 …36.1 (London) and …24.1 (Tokyo)]
§ Goals:
  • Ensure that traffic originating on the 10.222.101.0/24 subnet is delivered to Tokyo with a 172.18.37.5 source address
  • Assume that multiple sources could be active at the same time

NAT and PAT Configuration: Defining the Services Interface
§ Define the services interface (step 1 of 5)

    [edit]
    lab@London# edit interfaces

    [edit interfaces]
    lab@London# set sp-0/0/0 unit 0 family inet

    [edit interfaces]
    lab@London# show
    ...
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    ...

The service interface requires a single logical unit with family inet.

NAT and PAT Configuration: Creating a NAT Pool
§ Create a NAT pool (step 2 of 5)

    [edit]
    lab@London# edit services

    [edit services]
    lab@London# set nat pool global-out address 172.18.37.5

    [edit services]
    lab@London# set nat pool global-out port automatic

    [edit services]
    lab@London# show
    nat {
        pool global-out {
            address 172.18.37.5/32;
            port automatic;
        }
    }

The pool name (global-out) is user defined. With port automatic the router assigns the port numbers; you can instead define the port range explicitly. Because the pool is a single address and multiple sources must be active at once, port translation (PAT) is what makes the many-to-one mapping possible.

NAT and PAT Configuration: Defining the NAT Rules (1 of 2)
§ Define the NAT rules (step 3 of 5): translate all outbound traffic

    [edit]
    lab@London# edit services nat rule nat-out

    [edit services nat rule nat-out]
    lab@London# show
    match-direction output;
    term nat-with-alg {
        from {
            application-sets junos-algs-outbound;
        }
        then {
            translated {
                source-pool global-out;
                translation-type {
                    source dynamic;
                }
            }
        }
    }
    term nat-no-alg {
        then {
            translated {
                source-pool global-out;
                translation-type {
                    source dynamic;
                }
            }
        }
    }

  • The NAT rule (nat-out) and its terms are user defined
  • match-direction is set from the interface's perspective: output means traffic leaving se-1/0/0.0
  • The default application set junos-algs-outbound enables ALG tracking for the applications it contains
  • source-pool references the NAT pool; translation-type source dynamic selects the address assignment method

NAT and PAT Configuration: Defining the NAT Rules (2 of 2)
§ Define the NAT rules: allow all inbound traffic without translation

    [edit services nat rule nat-out]
    lab@London# up

    [edit services nat]
    lab@London# edit rule no-nat-in

    [edit services nat rule no-nat-in]
    lab@London# set match-direction input

    [edit services nat rule no-nat-in]
    lab@London# set term all then no-translation

    [edit services nat rule no-nat-in]
    lab@London# show
    match-direction input;
    term all {
        then {
            no-translation;
        }
    }

  • The NAT rule (no-nat-in) and its term are user defined
  • match-direction input is again from the interface's perspective: traffic arriving on se-1/0/0.0
  • A no-translation term only says "do not translate"; it does not discard anything. Restricting what may reach the inside is the job of the stateful firewall service, which has its own rules and is not covered in this chapter.

NAT and PAT Configuration: Creating a Service Set
§ Create a service set (step 4 of 5): the user-defined service set nat-ss links the NAT rules and the service interface together

    [edit services nat rule no-nat-in]
    lab@London# top edit services service-set nat-ss

    [edit services service-set nat-ss]
    lab@London# set nat-rules nat-out

    [edit services service-set nat-ss]
    lab@London# set nat-rules no-nat-in

    [edit services service-set nat-ss]
    lab@London# set interface-service service-interface sp-0/0/0.0

    [edit services service-set nat-ss]
    lab@London# show
    nat-rules nat-out;
    nat-rules no-nat-in;
    interface-service {
        service-interface sp-0/0/0.0;
    }

NAT and PAT Application
§ Apply the service set to the interface performing NAT (step 5 of 5): nat-ss is applied in both the input and output directions

    [edit interfaces se-1/0/0]
    lab@London# show
    unit 0 {
        family inet {
            service {
                input {
                    service-set nat-ss;
                }
                output {
                    service-set nat-ss;
                }
            }
            address 172.18.37.5/30;
        }
    }

Both directions are needed: the output direction translates the outbound packets, and the input direction lets the replies be matched against the session state and translated back.

Monitoring NAT and PAT (1 of 2)
§ Use show services nat pool to view NAT usage and pool-related details

    lab@London> show services nat pool
    Interface: sp-0/0/0, Service set: nat-outbound
    NAT pool    Type       Address                      Ports        used
    global      dynamic    172.18.37.5-172.18.37.5      512-65535    1

  • NAT pool name and the address assignment method in use (dynamic)
  • Address range and port range of the NAT pool
  • A single flow is currently active (used = 1)

Note that this output was captured with a pool named global and a service set named nat-outbound, not the global-out and nat-ss names used in the configuration steps.

Monitoring NAT and PAT (2 of 2)
§ Use show services stateful-firewall flows to view NAT flow details

    lab@London> show services stateful-firewall flows
    Interface: sp-0/0/0, Service set: nat-outbound
    Flow                                            State    Dir    Frm count
    ICMP   172.18.37.6:1024  ->  172.18.37.5        Watch    I      …
      NAT dest   172.18.37.5:1024  ->  10.222.101.2:66
    ICMP   10.222.101.2:66   ->  172.18.37.6        Watch    O      118
      NAT source 10.222.101.2:66   ->  172.18.37.5:1024

  • Dir is the direction of the flow from the interface's perspective (I = input, O = output)
  • State is the state of the flow
  • Each flow line is followed by the translation applied to it: the output flow has its source rewritten to the pool address, and the matching input flow has its destination rewritten back to the inside host

Review Questions
1. List several services offered in JUNOS software.
2. What is the purpose of the services interface?
3. What advantages can MLPPP provide?
4. What limitations does NAT overcome?
5. What methods are used to assign addresses in NAT?
6. What is an ALG?
7. What steps are required to implement NAT?

Lab 5: Services (MLPPP and NAT)
§ Configure and monitor MLPPP.
§ Configure and monitor NAT.
