Operating Juniper Networks Routers in the Enterprise
Chapter 7: Services

Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Copyright © 2007 Juniper Networks, Inc. Education Services

Chapter Objectives

After successfully completing this chapter, you will be able to:
• Describe the services architecture
• List common Layer 2 and Layer 3 services
• Explain the purpose of MLPPP
• Configure and monitor MLPPP
• Explain the purpose of NAT and PAT
• Configure and monitor NAT and PAT


Agenda: Services

• Overview of Services and Services Architecture
• Overview of MLPPP
• Configuring and Monitoring MLPPP
• Overview of NAT and PAT
• Configuring and Monitoring NAT and PAT


Disclaimer!

Because of the flexibility and power of the services architecture, services can be complicated
• Full coverage of the services architecture and services offered in JUNOS software is outside the scope of this class
• Our goal is to provide a basic understanding of the services architecture and provide some common configuration and monitoring examples
• Students should attend the AJRE class for detailed coverage of JUNOS software services found in the enterprise


Overview of Services

Layer 2 services:
• MLPPP
• MLFR
• CRTP

Layer 3 services:
• NAT and PAT
• Stateful firewall
• IPSec VPN
• Intrusion detection


Services Interfaces

Services provided by:
• AS PIC
• AS Module (M7i)
• J-series software processes
• Link Services PIC
• Tunnel Services PIC
• MultiServices PIC


MultiServices PIC and AS PIC Service Package

Must configure MultiServices PIC and AS PIC for Layer 2 or Layer 3 service package under [edit chassis fpc slot pic pic adaptive-services]:
    set service-package (layer-2 | layer-3)

Not required for J-series software process or AS Module (M7i)


J-series Services Architecture

Services are provided by a software instantiation of the M-series and T-series AS PIC
• Manifested as a virtual service interface named sp-0/0/0
• Handled as a real-time thread within the forwarding process

[Figure: J-series services architecture. The JUNOS kernel and control plane sit above the PFE (fwdd-unix); the real-time forwarding thread (fwdd-rt) and the services thread run between the ingress PIM and egress PIM and communicate with the PFE over a UNIX socket. Packets are forwarded to the services interface as needed.]


What Is MLPPP?

MLPPP is:
• A protocol that allows the connection of multiple PPP-based links between two devices (routers)
• An extension to PPP (defined in RFC 1990)
• A Layer 2 service offering in JUNOS software


Benefits of MLPPP

Benefits:
• Creates a virtual link that provides greater bandwidth than the individual member links
• Provides load balancing across member links by splitting, recombining, and sequencing datagrams across multiple logical data links
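The splitting, sequencing and recombining described above, as an added Python model that is not part of the course materials or JUNOS: it uses the RFC 1990 long-sequence-number fragment header, the member link names se-1/0/0 and se-1/0/1 from the configuration later in this chapter, and a constructed fragment size and sample datagrams.

```python
"""RFC 1990 multilink fragmentation and reassembly (added model, not JUNOS code)."""
import struct

BEGIN, END = 0x80, 0x40     # B and E bits of the MP fragment header
SEQ_MASK = 0xFFFFFF         # 24-bit sequence number (long sequence number format)

def fragment(datagram, first_seq, frag_size):
    """Split one datagram into MP fragments. Each carries a 4-byte header: B/E
    flags in the top byte and a sequence number that counts fragments across the
    whole bundle, not per member link."""
    pieces = [datagram[i:i + frag_size] for i in range(0, len(datagram), frag_size)] or [b""]
    frags = []
    for n, piece in enumerate(pieces):
        flags = (BEGIN if n == 0 else 0) | (END if n == len(pieces) - 1 else 0)
        seq = (first_seq + n) & SEQ_MASK
        frags.append(struct.pack(">I", (flags << 24) | seq) + piece)
    return frags

def distribute(frags, links):
    """Load-balance fragments round-robin over the member links (the 'splitting'
    the slide describes). Returns {link: [fragment, ...]}."""
    per_link = {name: [] for name in links}
    for i, frag in enumerate(frags):
        per_link[links[i % len(links)]].append(frag)
    return per_link

def reassemble(received):
    """Receiver side: fragments arrive interleaved from all member links and may be
    out of order. Order them by sequence number, then accept a run only if it
    starts with B, ends with E and has no gap; a run with a lost fragment is
    discarded rather than delivered corrupt. Assumes no sequence wrap within
    the received batch."""
    parsed = []
    for frag in received:
        (word,) = struct.unpack(">I", frag[:4])
        parsed.append((word & SEQ_MASK, word >> 24, frag[4:]))
    parsed.sort()
    datagrams, current, expect = [], None, None
    for seq, flags, payload in parsed:
        if flags & BEGIN:
            current, expect = bytearray(), seq
        if current is None or seq != expect:
            current = None                    # gap or stray fragment: drop the run
            continue
        current += payload
        expect = (expect + 1) & SEQ_MASK
        if flags & END:
            datagrams.append(bytes(current))
            current = None
    return datagrams
```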


MLPPP Case Study: Symptom

Employees are complaining about unreliable connectivity between Site A and Site B

[Figure: Site A router (fe-0/0/1 .1/24 toward the LAN, t1-1/0/0 .1/30 toward the service provider) connected over a single T1 circuit to Site B router (t1-1/0/0 .2/30, fe-0/0/1 .1/24).]


MLPPP Case Study: Investigation

Investigation shows that maximum capacity for the circuit is reached during peak hours and that packet drops are occurring

[Figure: same topology as before; the single T1 circuit between Site A (t1-1/0/0 .1/30) and Site B (t1-1/0/0 .2/30) through the service provider is marked as the bottleneck.]


MLPPP Case Study: Solution

Increase bandwidth capacity between sites by adding a second T1 circuit and using MLPPP

[Figure: Site A and Site B each now have t1-1/0/0 and t1-1/0/1 bundled into ls-0/0/0.1 (.1/30 at Site A, .2/30 at Site B) across the service provider; T1 × 2 + MLPPP = one logical link.]


Multilink PPP Configuration (1 of 2)

Logically bind one or more physical links to bundle

R1 configuration:

interfaces {
    ls-0/0/0 {
        unit 0 {
            family inet {
                address 172.18.37.5/30;
            }
        }
    }
    se-1/0/0 {
        unit 0 {
            family mlppp {
                bundle ls-0/0/0.0;
            }
        }
    }
    se-1/0/1 {
        unit 0 {
            family mlppp {
                bundle ls-0/0/0.0;
            }
        }
    }
}

R2 configuration:

interfaces {
    ls-0/0/0 {
        unit 0 {
            family inet {
                address 172.18.37.6/30;
            }
        }
    }
    se-1/0/0 {
        unit 0 {
            family mlppp {
                bundle ls-0/0/0.0;
            }
        }
    }
    se-1/0/1 {
        unit 0 {
            family mlppp {
                bundle ls-0/0/0.0;
            }
        }
    }
}


Multilink PPP Configuration (2 of 2)

Bundle can have up to 8 member links
• Bundle can have minimum-links value specified
  • Identifies threshold to maintain bundle state
  • Value can be from 1 to 8 with a default value of 1

user@host# set interfaces ls-0/0/0 unit 0 minimum-links ?
Possible completions:
  <minimum-links>      Minimum number of links to sustain the bundle (1..8)

Pop Quiz: When would you set the minimum-links value at something other than the default value of 1?


Monitoring MLPPP

user@host> show interfaces ls-0/0/0
Physical interface: ls-0/0/0, Enabled, Physical link is Up
…
  Logical interface ls-0/0/0.0 (Index 68) (SNMP ifIndex 39)
    Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: Multilink-PPP
    Bandwidth: 16mbps
    Statistics        Frames  fps  Bytes   bps
    Bundle:
      Fragments:
        Input :         4090    0  372190    0
        Output:         3649    0  328410    0
      Packets:
        Input :         4093    0  343812    0
        Output:         3652    0  307950    0
    Link:
      se-1/0/0.0
        Input :         1041    0   94731    0
        Output:          840    0   75600    0
      se-1/0/1.0
        Input :         1041    0   94731    0
        Output:          840    0   75600    0
    NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
    Protocol inet, MTU: 1500
      Flags: None
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.18.37.4/30, Local: 172.18.37.5

Callout: the member links (se-1/0/0.0 and se-1/0/1.0) and their per-link counters are listed under Link


What are NAT and PAT?

NAT is a mechanism that converts IP addresses from one address realm to another address realm in a one-to-one mapping fashion

PAT—also known as Network Address Port Translation (NAPT)—translates addresses in a many-to-one fashion, making use of port numbers to distinguish individual sessions

Both NAT and PAT are typically used to translate private addresses to unique and globally routable addresses


Benefits of NAT and PAT

NAT and PAT provide the following benefits:
• Conserve address space
• Useful during mergers and ISP migration
• Permit sharing of a single, outside, global address


NAT and PAT Example (1 of 2)

Internet access requires a public, globally routable address
• Router performs NAT services between private and public address realms

[Figure: host .100/24 in the private address realm; router with inside interface .1/24 and outside interface .1/30; next hop .2/30 in the public address realm toward the Internet.]


NAT and PAT Example (2 of 2)

Private host address was translated to public, globally routable address
• Router maintains state for session
• Process is transparent to host

[Figure: inside network 10.1.1.0/24 (host .100, router .1) and outside network 201.1.8.0/30 (router .1, next hop .2); the NAT/PAT router sits between the private/inside and public/outside sides. The packet header before and after translation:]

              Inside local (private/inside)   Outside global (public/outside)
  SRC-IP      10.1.1.100                      201.1.8.1
  DST-IP      221.1.8.5                       221.1.8.5
  SRC-Port    36033                           1025
  DST-Port    80                              80
  Protocol    6                               6


NAT and PAT Address Assignment

Static address assignment:
• One-to-one mapping between private and public addresses for lifetime of NAT operation

Dynamic address assignment:
• Public addresses within pool are dynamically assigned based on usage requirements
• Once session ends, public address is returned to pool and made available to other hosts that might require a public IP address


Application-Level Gateways

Automatically takes action based on Layers 4–7 information
• Performs translation on addresses and ports in payload
• Updates session table to allow extra connections


ALG Example

Active FTP
• Client contacts server on TCP/21
• Client listens for data connection on ephemeral port
• Client sends server PORT command with IP address and TCP port
• Server opens data connection to IP address and port in PORT command

[Figure: control connection (client contacts server on TCP/21); data connection (server contacts client on ephemeral TCP port).]
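To make the NAT and PAT example, the dynamic address assignment slide and the ALG example above concrete, here is an added Python model (not JUNOS code and not part of the course) of a many-to-one PAT session table with an FTP PORT ALG. The addresses come from the example figure (inside host 10.1.1.100, outside address 201.1.8.1, server 221.1.8.5); the port range 1025-65535, the client ports and the FTP payload are constructed.

```python
"""Many-to-one PAT session table with an FTP PORT ALG (added model, not JUNOS code)."""
import re

class PatTable:
    """Maps inside (proto, ip, port) to one outside address plus a unique outside
    port, and undoes the mapping for return traffic. Unmapped inbound traffic
    is dropped, which is what 'router maintains state for session' means."""

    def __init__(self, outside_ip, port_lo=1025, port_hi=65535):   # range is an assumption
        self.outside_ip = outside_ip
        self.free_ports = list(range(port_hi, port_lo - 1, -1))     # pop() yields lowest first
        self.outbound = {}   # (proto, inside_ip, inside_port) -> outside_port
        self.inbound = {}    # (proto, outside_port) -> (inside_ip, inside_port)

    def bind(self, proto, inside_ip, inside_port):
        """Dynamic assignment: reuse an existing mapping or take a port from the pool."""
        key = (proto, inside_ip, inside_port)
        if key not in self.outbound:
            if not self.free_ports:
                raise RuntimeError("PAT port pool exhausted")
            port = self.free_ports.pop()
            self.outbound[key] = port
            self.inbound[(proto, port)] = (inside_ip, inside_port)
        return self.outbound[key]

    def translate_out(self, pkt):
        """Inside -> outside: rewrite SRC-IP and SRC-Port as in the slide figure."""
        port = self.bind(pkt["proto"], pkt["src_ip"], pkt["src_port"])
        return dict(pkt, src_ip=self.outside_ip, src_port=port)

    def translate_in(self, pkt):
        """Outside -> inside: rewrite DST-IP/DST-Port only for a known session;
        return None (drop) for anything unsolicited."""
        hit = self.inbound.get((pkt["proto"], pkt["dst_port"]))
        if pkt["dst_ip"] != self.outside_ip or hit is None:
            return None
        return dict(pkt, dst_ip=hit[0], dst_port=hit[1])

    def close(self, proto, inside_ip, inside_port):
        """Session ended: the outside port goes back to the pool for other hosts."""
        port = self.outbound.pop((proto, inside_ip, inside_port))
        del self.inbound[(proto, port)]
        self.free_ports.append(port)

PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")

def ftp_port_alg(table, pkt, payload):
    """Active-FTP ALG on the control connection (TCP/21): the PORT command carries
    the client's inside address and listening port in the payload, so plain PAT
    would leave the server unable to reach it. Bind an outside port for the data
    connection, rewrite the payload, and leave the mapping in the session table
    so the server's connection is accepted by translate_in()."""
    m = PORT_RE.match(payload)
    if pkt["dst_port"] != 21 or m is None:
        return payload                       # not a PORT command: forward untouched
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if f"{h1}.{h2}.{h3}.{h4}" != pkt["src_ip"]:
        return payload                       # only open the session for the sending host
    data_port = table.bind(6, pkt["src_ip"], p1 * 256 + p2)
    outside = table.outside_ip.replace(".", ",").encode()
    return b"PORT %s,%d,%d\r\n" % (outside, data_port // 256, data_port % 256)
```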


Building Blocks of NAT and PAT

NAT configuration:
• Define services interface
• Create NAT pool
• Define NAT rules
• Create service set

NAT application:
• Apply service set to interface performing NAT


Sample NAT and PAT Topology

Goals:
• Ensure that traffic originating on the 10.222.101.0/24 subnet is delivered to Tokyo with a 172.18.37.5 source address
• Assume that multiple sources could be active at the same time

[Figure: London (lo0 36.1) is on the inside (trusted) side with fe-2/0/1 .1 on 10.222.101.0/24; London se-1/0/0 .5 connects to Tokyo se-1/0/1 .6 over 172.18.37.4/30 on the outside (untrusted) side; Tokyo lo0 24.1.]


NAT and PAT Configuration: Defining the Services Interface

Define the services interface

[edit]
lab@London# edit interfaces

[edit interfaces]
lab@London# set sp-0/0/0 unit 0 family inet

[edit interfaces]
lab@London# show
...
sp-0/0/0 {
    unit 0 {
        family inet;
    }
}
...

Service interface requires a single logical unit with family inet


NAT and PAT Configuration: Creating a NAT Pool

Create a NAT pool

[edit]
lab@London# edit services

[edit services]
lab@London# set nat pool global-out address 172.18.37.5

[edit services]
lab@London# set nat pool global-out port automatic

[edit services]
lab@London# show
nat {
    pool global-out {
        address 172.18.37.5/32;
        port automatic;
    }
}

Callouts:
• NAT pool named global-out (user defined)
• port automatic: router assigns port numbers (you can define the range)


NAT and PAT Configuration: Defining the NAT Rules (1 of 2)

Define the NAT rules: Translate all outbound traffic

[edit]
lab@London# edit services nat rule nat-out

[edit services nat rule nat-out]
lab@London# show
match-direction output;
term nat-with-alg {
    from {
        application-sets junos-algs-outbound;
    }
    then {
        translated {
            source-pool global-out;
            translation-type {
                source dynamic;
            }
        }
    }
}
term nat-no-alg {
    then {
        translated {
            source-pool global-out;
            translation-type {
                source dynamic;
            }
…

Callouts:
• Match direction is set from the interface's perspective (the service set sits on se-1/0/0.0 with an input and an output side)
• nat-out is a user-defined NAT rule with user-defined terms
• source-pool references the NAT pool
• translation-type source dynamic is the address assignment method
• The default application set junos-algs-outbound enables ALG tracking


NAT and PAT Configuration: Defining the NAT Rules (2 of 2)

Define the NAT rules: Allow all inbound traffic without translation

[edit services nat rule nat-out]
lab@London# up

[edit services nat]
lab@London# edit rule no-nat-in

[edit services nat rule no-nat-in]
lab@London# set match-direction input

[edit services nat rule no-nat-in]
lab@London# set term all then no-translation

[edit services nat rule no-nat-in]
lab@London# show
match-direction input;
term all {
    then {
        no-translation;
    }
}

Callouts:
• no-nat-in is a user-defined NAT rule and term
• Match direction is set from the interface's perspective (input side of se-1/0/0.0)


NAT and PAT Configuration: Creating a Service Set

Create a service set

[edit services nat rule no-nat-in]
lab@London# top edit services service-set nat-ss

[edit services service-set nat-ss]
lab@London# set nat-rules nat-out

[edit services service-set nat-ss]
lab@London# set nat-rules no-nat-in

[edit services service-set nat-ss]
lab@London# set interface-service service-interface sp-0/0/0.0

[edit services service-set nat-ss]
lab@London# show
nat-rules nat-out;
nat-rules no-nat-in;
interface-service {
    service-interface sp-0/0/0.0;
}

Callouts:
• nat-ss is a user-defined service set name
• nat-rules and interface-service link the NAT rules and the service interface to the service set


NAT and PAT Application

Apply a service set to the interface performing NAT

[edit interfaces se-1/0/0]
lab@London# show
unit 0 {
    family inet {
        service {
            input {
                service-set nat-ss;
            }
            output {
                service-set nat-ss;
            }
        }
        address 172.18.37.5/30;
    }
}

Apply nat-ss service set in both input and output directions


Monitoring NAT and PAT (1 of 2)

Use show services nat pool to view NAT usage and pool-related details

lab@London> show services nat pool
Interface: sp-0/0/0, Service set: nat-outbound
NAT pool    Type      Address                    Port        Ports used
global      dynamic   172.18.37.5-172.18.37.5    512-65535   1

Callouts:
• NAT pool name and address assignment method used (global, dynamic)
• Address and port range for NAT pool
• Ports used: a single flow is currently active


Monitoring NAT and PAT (2 of 2)

Use show services stateful-firewall flows to view NAT flow details

lab@London> show services stateful-firewall flows
Interface: sp-0/0/0, Service set: nat-outbound
Flow                                          State  Dir  Frm count
ICMP  172.18.37.6:1024  ->  172.18.37.5       Watch  I    118
  NAT dest  172.18.37.5:1024  ->  10.222.101.2:66
ICMP  10.222.101.2:66   ->  172.18.37.6       Watch  O    118
  NAT source  10.222.101.2:66  ->  172.18.37.5:1024

Callouts:
• Dir shows the direction of the flow
• State shows the state of the flow
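An added helper for the monitoring step (not JUNOS code or course material) that parses the flow output above into records and checks that each outbound NAT source translation has the matching inbound NAT dest entry; the SAMPLE text is constructed from the flows on the slide and laid out as the command prints them.

```python
"""Parse 'show services stateful-firewall flows' output (added helper, not JUNOS code)."""
import re

# Constructed sample, laid out like the output on the slide.
SAMPLE = """\
Interface: sp-0/0/0, Service set: nat-outbound
Flow                                          State  Dir  Frm count
ICMP  172.18.37.6:1024  ->  172.18.37.5       Watch  I    118
  NAT dest  172.18.37.5:1024  ->  10.222.101.2:66
ICMP  10.222.101.2:66   ->  172.18.37.6       Watch  O    118
  NAT source  10.222.101.2:66  ->  172.18.37.5:1024
"""

FLOW_RE = re.compile(r"^(\w+)\s+(\S+)\s+->\s+(\S+)\s+(\w+)\s+([IO])\s+(\d+)\s*$")
NAT_RE = re.compile(r"^\s+NAT (source|dest)\s+(\S+)\s+->\s+(\S+)\s*$")

def parse_flows(text):
    """One record per flow line; the indented NAT line that follows is attached to it."""
    flows, current = [], None
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            proto, src, dst, state, direction, frames = m.groups()
            current = {"proto": proto, "src": src, "dst": dst, "state": state,
                       "dir": direction, "frames": int(frames), "nat": None}
            flows.append(current)
            continue
        m = NAT_RE.match(line)
        if m and current is not None:
            current["nat"] = (m.group(1), m.group(2), m.group(3))   # kind, before, after
    return flows

def pair_sessions(flows):
    """Match each 'NAT source' translation with the 'NAT dest' entry that reverses
    it. Returns (sessions, orphans): sessions as (inside, outside) endpoints;
    an orphan is a flow whose reverse direction is missing from the table."""
    by_translation = {}
    for f in flows:
        if f["nat"]:
            by_translation.setdefault(f["nat"], []).append(f)
    sessions, orphans = [], []
    for (kind, before, after), group in by_translation.items():
        reverse = ("dest" if kind == "source" else "source", after, before)
        if reverse not in by_translation:
            orphans.extend(group)
        elif kind == "source":
            sessions.append((before, after))
    return sessions, orphans
```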


Review Questions

1. List several services offered in JUNOS software.
2. What is the purpose of the services interface?
3. What advantages can MLPPP provide?
4. What limitations does NAT overcome?
5. What methods are used to assign addresses in NAT?
6. What is an ALG?
7. What steps are required to implement NAT?


Lab 5: Services (MLPPP and NAT)

Configure and monitor MLPPP. Configure and monitor NAT.
