  • Next Gen Services Interfaces User Guide for Routing Devices


    Published

    2020-06-18

  • Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

    Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

    Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    Next Gen Services Interfaces User Guide for Routing Devices
    Copyright © 2020 Juniper Networks, Inc. All rights reserved.

    The information in this document is current as of the date on the title page.

    YEAR 2000 NOTICE

    Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

    END USER LICENSE AGREEMENT

    The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


  • Table of Contents

    About the Documentation | xxviii

    Documentation and Release Notes | xxviii

    Using the Examples in This Manual | xxviii

    Merging a Full Example | xxix

    Merging a Snippet | xxix

    Documentation Conventions | xxx

    Documentation Feedback | xxxiii

    Requesting Technical Support | xxxiii

    Self-Help Online Tools and Resources | xxxiv

    Creating a Service Request with JTAC | xxxiv

    1 Overview

    Next Gen Services Overview | 2

    Next Gen Services Overview | 2

    MX Series 5G Universal Router Services Overview | 2

    Adaptive Services Overview | 3

    Inline Services | 4

    Next Gen Services | 4

    Summary of Services Supported on MX Series 5G Universal Routers | 4

    Next Gen Services Documentation | 6

    Enabling Next Gen Services | 7

    Compatibility with Other Services Cards | 7

    Configuring the MX-SPC3 Services Card | 8

    Methods for Applying Services to Traffic | 8

    Configuration Overview | 9

    Configuration Differences Between Adaptive Services and Next Gen Services on the MX-SPC3 | 9

    Overview | 9

    Interfaces | 11

    Service Set | 14


  • Stateful Firewall | 17

    Rules and Policies | 17

    Address Lists and Ranges | 19

    Applications | 20

    Traceoptions and Counters | 21

    Carrier Grade Network Address Translation (CGNAT) | 22

    Intrusion Detection System (IDS) | 48

    Migrate from the MS Card to the MX-SPC3 | 56

    Next Gen Services Feature Configuration Overview | 58

    Service Rules and Rule Sets | 58

    Service Sets | 58

    Interface-Style Service Set | 58

    Next-Hop-Style Service Set | 58

    Services Interfaces | 59

    How to Configure Services Interfaces for Next Gen Services | 59

    How to Configure Interface-Style Service Sets for Next Gen Services | 61

    How to Configure Next-Hop Style Service Sets for Next Gen Services | 62

    How to Configure Service Set Limits for Next Gen Services | 64

    Enabling and Disabling Next Gen Services | 66

    Loading the Software Images on RE-S-X6-64G-UB | 66

    Enabling Next Gen Services on an MX Series Router | 67

    Disabling Next Gen Services on an MX Series Router | 68

    Determining Whether Next Gen Services is Enabled on an MX Series Router | 69

    Global System Logging Overview and Configuration | 70

    Understanding Next Gen Services CGNAT Global System Logging | 70

    Next Gen Services CGNAT Global System Logging | 70

    Modes of Operation for Next Gen Services System Logging | 71

    Understanding Stream Mode | 71

    System Logging Configuration Overview | 71

    Disabling Session Open Information in Syslogs | 72

    Enabling Global System Logging for Next Gen Services | 72

    Configuring Local System Logging for Next Gen Services | 73


  • Configuring System Logging to One or More Remote Servers for Next Gen Services | 75

    System Log Error Messages for Next Gen Services | 78

    Session Open Logs | 78

    MS-MPC Services Card | 78

    MX-SPC3 Services Card | 78

    Session Open Logs With NAT | 79

    Session Open Logs Without NAT | 79

    Session Close Logs | 80

    MS-MPC Services Card | 80

    MX-SPC3 Services Card | 80

    NAT Out of Address Logs | 81

    MS-MPC Services Card | 81

    MX-SPC3 Services Card: | 81

    NAT Out of Ports Logs | 81

    MS-MPC Services Card | 81

    MX-SPC3 Services Card | 81

    NAT Rule Match Logs | 81

    MS-MPC Services Card | 81

    MX-SPC3 Services Card | 81

    NAT Pool Release Logs | 81

    MS-MPC Services Card | 82

    MX-SPC3 Services Card | 82

    NAT Port Block Allocation Logs | 82

    MS-MPC Services Card-Example 1 | 82

    MX-SPC3 Services Card-Example 1 | 82

    MS-MPC Services Card-Example 2 | 82

    MX-SPC3 Services Card-Example 2 | 82

    NAT Port Block Allocation Interim Logs | 82

    MS-MPC Services Card | 82

    MX-SPC3 Services Card | 82

    NAT Port Block Release Logs | 82

    MS-MPC Services Card | 83

    MX-SPC3 Services Card | 83


  • Deterministic NAT Logs | 83

    MS-MPC Services Card | 83

    Stateful Firewall Rule Accept Logs | 83

    MS-MPC Services Card | 83

    MX-SPC3 Services Card | 83

    Stateful Firewall Rule Reject Logs | 84

    MS-MPC Services Card | 84

    MX-SPC3 Services Card | 84

    Stateful Firewall Rule Discard Logs | 84

    MS-MPC Services Card | 84

    MX-SPC3 Services Card | 84

    Stateful Firewall Rule No Rule Drop Logs | 84

    MS-MPC Services Card | 85

    MX-SPC3 Services Card | 85

    Stateful Firewall No Policy Drop Logs | 85

    MS-MPC Services Card | 85

    MX-SPC3 Services Card | 85

    Configuring Syslog Events for NAT Rule Conditions with Next Gen Services | 85

    Next Gen Services SNMP MIBs and Traps | 87

    Next Gen Services SNMP MIBs and Traps | 87

    Service-Set Related SNMP MIBs | 87

    Summary Mapping of MX-SPC3 CLI Services Operational Commands to SNMP MIBs | 93

    NAT SNMP MIBs | 96

    SNMP Traps | 99

    Configuring SNMP Trap Generation | 100

    SNMP Trace Logs for Traps | 103

    2 Carrier Grade NAT (CGNAT)

    Deterministic NAT Overview and Configuration | 108

    Deterministic NAPT Overview for Next Gen Services | 108

    Benefits of Deterministic NAPT | 108

    Understanding Deterministic NAPT Algorithms | 108


  • Deterministic NAPT Restrictions | 112

    Configuring Deterministic NAPT for Next Gen Services | 113

    Configuring the NAT Pool for Deterministic NAPT for Next Gen Services | 113

    Configuring the NAT Rule for Deterministic NAPT44 for Next Gen Services | 115

    Configuring the NAT Rule for Deterministic NAPT64 for Next Gen Services | 116

    Configuring the Service Set for Deterministic NAT for Next Gen Services | 117

    Clearing the Don’t Fragment Bit | 118

    Dynamic Address-Only Source NAT Overview and Configuration | 119

    Dynamic Address-Only Source Translation Overview | 119

    Benefits of Dynamic Address-Only Source Translation | 119

    Configuring Dynamic Address-Only Source NAT for Next Gen Services | 120

    Configuring the Source Pool for Dynamic Address-Only Source NAT | 120

    Configuring the NAT Source Rule for Dynamic Address-Only Source NAT | 121

    Configuring the Service Set for Dynamic Address-Only Source NAT | 123

    IPv4 Connectivity Across IPv6-Only Network Using 464XLAT Overview and Configuration | 124

    464XLAT Overview | 124

    Benefits of 464XLAT | 126

    IPv4 Addresses Embedded in IPv6 Addresses | 126

    Configuring 464XLAT Provider-Side Translator for IPv4 Connectivity Across IPv6-Only Network for Next Gen Services | 127

    Configuring the Source Pool for 464XLAT | 127

    Configuring the NAT Rules for 464XLAT | 129

    Configuring the Service Set for 464XLAT | 132

    Clearing the Don’t Fragment Bit | 133

    Network Address Port Translation Overview and Configuration | 134

    Network Address Port Translation (NAPT) Overview | 134

    Benefits of NAPT | 135

    Configuring Network Address Port Translation for Next Gen Services | 135

    Configuring the Source Pool for NAPT | 135

    Configuring the NAT Source Rule for NAPT | 139


  • Configuring the Service Set for NAPT | 141

    Configuring Syslog Events for NAT Rule Conditions with Next Gen Services | 142

    IPv6 NAT PT | 143

    IPv6 NAT PT Overview | 143

    IPv6 NAT-PT Communication Overview | 144

    NAT46 Next Gen Services Configuration Examples | 145

    NAT46 Support Summary | 146

    NAT46 Sample Configuration | 147
