Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential. www.juniper.net 4-1
Operating Juniper Networks Routers in the Enterprise
Chapter 7: Services

Copyright © 2007 Juniper Networks, Inc. Education Services 7-2
Chapter Objectives
After successfully completing this chapter, you will be able to:
- Describe the services architecture
- List common Layer 2 and Layer 3 services
- Explain the purpose of MLPPP
- Configure and monitor MLPPP
- Explain the purpose of NAT and PAT
- Configure and monitor NAT and PAT

Agenda: Services
- Overview of Services and Services Architecture
- Overview of MLPPP
- Configuring and Monitoring MLPPP
- Overview of NAT and PAT
- Configuring and Monitoring NAT and PAT

Disclaimer!
- Because of the flexibility and power of the services architecture, services can be complicated
- Full coverage of the services architecture and the services offered in JUNOS software is outside the scope of this class
- Our goal is to provide a basic understanding of the services architecture and some common configuration and monitoring examples
- Students should attend the AJRE class for detailed coverage of JUNOS software services found in the enterprise

Overview of Services
Layer 2 services:
- MLPPP
- MLFR
- CRTP
Layer 3 services:
- NAT and PAT
- Stateful firewall
- IPSec VPN
- Intrusion detection

Services Interfaces
Services are provided by:
- AS PIC
- AS Module (M7i)
- J-series software processes
- Link Services PIC
- Tunnel Services PIC
- MultiServices PIC

MultiServices PIC and AS PIC Service Package
- The MultiServices PIC and AS PIC must be configured for a Layer 2 or Layer 3 service package under [edit chassis fpc slot pic pic adaptive-services]:
    set service-package (layer-2 | layer-3)
- Not required for the J-series software process or the AS Module (M7i)


J-series Services Architecture
- Services are provided by a software instantiation of the M-series and T-series AS PIC
- Manifested as a virtual service interface named sp-0/0/0
- Handled as a real-time thread within the forwarding process
- Packets are forwarded to the services interface as needed
[Figure: JUNOS kernel (control plane) and PFE (fwdd-unix) connected over a UNIX socket; inside the PFE, the ingress PIM and egress PIM sit on either side of fwdd-rt, which runs the real-time forwarding and services threads]


What Is MLPPP?
MLPPP is:
- A protocol that allows the connection of multiple PPP-based links between two devices (routers)
- An extension to PPP (defined in RFC 1990)
- A Layer 2 service offering in JUNOS software

Benefits of MLPPP
- Creates a virtual link that provides greater bandwidth than the individual member links
- Provides load balancing across member links by splitting, recombining, and sequencing datagrams across multiple logical data links

MLPPP Case Study: Symptom
- Employees are complaining about unreliable connectivity between Site A and Site B
[Figure: Site A (fe-0/0/1 .1/24, t1-1/0/0 .1/30) and Site B (fe-0/0/1 .1/24, t1-1/0/0 .2/30) connected through a service provider over a single T1 circuit]

MLPPP Case Study: Investigation
- Investigation shows that the maximum capacity of the circuit is reached during peak hours and that packet drops are occurring
[Figure: same topology as the previous slide (Site A t1-1/0/0 .1/30, Site B t1-1/0/0 .2/30, fe-0/0/1 .1/24 at each site); the single T1 through the service provider is marked as the bottleneck]

MLPPP Case Study: Solution
- Increase bandwidth capacity between sites by adding a second T1 circuit and using MLPPP
[Figure: t1-1/0/0 and t1-1/0/1 at each site are bound into the bundle interface ls-0/0/0 (.1/30 at Site A, .2/30 at Site B); the two T1 circuits combined with MLPPP form one logical link through the service provider]


Multilink PPP Configuration (1 of 2)
Logically bind one or more physical links to the bundle

R1 configuration:

    interfaces {
        ls-0/0/0 {
            unit 0 {
                family inet {
                    address /30;
                }
            }
        }
        se-1/0/0 {
            unit 0 {
                family mlppp {
                    bundle ls-0/0/0.0;
                }
            }
        }
        se-1/0/1 {
            unit 0 {
                family mlppp {
                    bundle ls-0/0/0.0;
                }
            }
        }
    }

R2 configuration:

    interfaces {
        ls-0/0/0 {
            unit 0 {
                family inet {
                    address /30;
                }
            }
        }
        se-1/0/0 {
            unit 0 {
                family mlppp {
                    bundle ls-0/0/0.0;
                }
            }
        }
        se-1/0/1 {
            unit 0 {
                family mlppp {
                    bundle ls-0/0/0.0;
                }
            }
        }
    }

Multilink PPP Configuration (2 of 2)
- A bundle can have up to 8 member links
- A bundle can have a minimum-links value specified
  - Identifies the threshold needed to maintain the bundle state
  - Value can be from 1 to 8, with a default value of 1

    set interfaces ls-0/0/0 unit 0 minimum-links ?
    Possible completions:
      Minimum number of links to sustain the bundle (1..8)

Pop Quiz: When would you set the minimum-links value at something other than the default value of 1?
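The two configuration slides describe what a bundle does: member links are bound to one logical interface, datagrams are split into sequenced fragments spread across the links and recombined on the far side, and minimum-links decides when the bundle is allowed to stay up. The following Python model is an added example, not Juniper code or JUNOS behaviour; the class and link names (Bundle, Fragment, "se-1/0/0", "se-1/0/1") and the 4-byte fragment size are constructed for illustration, and the round-robin distribution is a simplification of real MLPPP scheduling.

```python
"""Added example (not Juniper code): a toy model of an MLPPP bundle showing
member links, fragment sequencing/recombination and the minimum-links
threshold. Link names and fragment size are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Fragment:
    seq: int        # sequence number shared across all member links of the bundle
    begin: bool     # first fragment of a datagram (MLPPP "B" bit)
    end: bool       # last fragment of a datagram (MLPPP "E" bit)
    payload: bytes
    link: str       # member link the fragment was sent on


class Bundle:
    """One logical link (e.g. ls-0/0/0) built from several physical member links."""

    def __init__(self, name: str, members: List[str], minimum_links: int = 1,
                 fragment_size: int = 4):
        if not 1 <= minimum_links <= 8 or len(members) > 8:
            raise ValueError("bundle supports 1..8 member links")
        self.name = name
        self.members = members
        self.minimum_links = minimum_links
        self.fragment_size = fragment_size
        self.link_up: Dict[str, bool] = {m: True for m in members}
        self.next_seq = 0

    def state(self) -> str:
        """Bundle stays Up only while at least minimum-links members are up."""
        active = sum(1 for m in self.members if self.link_up[m])
        return "Up" if active >= self.minimum_links else "Down"

    def set_link(self, link: str, up: bool) -> None:
        self.link_up[link] = up

    def send(self, datagram: bytes) -> List[Fragment]:
        """Split a datagram into sequenced fragments spread over the active links."""
        if self.state() != "Up":
            raise RuntimeError(f"bundle {self.name} is Down")
        active = [m for m in self.members if self.link_up[m]]
        pieces = [datagram[i:i + self.fragment_size]
                  for i in range(0, len(datagram), self.fragment_size)]
        fragments = []
        for idx, piece in enumerate(pieces):
            link = active[idx % len(active)]   # simple round-robin across member links
            fragments.append(Fragment(self.next_seq, idx == 0,
                                      idx == len(pieces) - 1, piece, link))
            self.next_seq += 1
        return fragments


def receive(fragments: List[Fragment]) -> Optional[bytes]:
    """Recombine fragments that may arrive out of order because member links
    have different latency. Returns None when the sequence is incomplete."""
    ordered = sorted(fragments, key=lambda f: f.seq)
    if not ordered or not ordered[0].begin or not ordered[-1].end:
        return None
    for earlier, later in zip(ordered, ordered[1:]):
        if later.seq != earlier.seq + 1:
            return None                       # gap: a fragment was lost
    return b"".join(f.payload for f in ordered)


if __name__ == "__main__":
    bundle = Bundle("ls-0/0/0", ["se-1/0/0", "se-1/0/1"], minimum_links=2)
    frags = bundle.send(b"0123456789")
    print([(f.seq, f.link) for f in frags])
    print(receive(list(reversed(frags))))
    bundle.set_link("se-1/0/1", False)
    print(bundle.state())
```

The point of the minimum-links check is the answer to the slide's pop quiz: with the default of 1 the bundle stays up on a single T1, so the routing protocol keeps preferring a path that now has half its capacity; setting the threshold higher takes the bundle down so traffic can be rerouted instead.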

Monitoring MLPPP

    show interfaces ls-0/0/0
    Physical interface: ls-0/0/0, Enabled, Physical link is Up
    …
    Logical interface ls-0/0/0.0 (Index 68) (SNMP ifIndex 39)
      Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: Multilink-PPP
      Bandwidth: 16mbps
      Statistics        Frames  fps  Bytes  bps
      Bundle:
        Fragments:
          Input :
          Output:
        Packets:
          Input :
          Output:
      Link:
        se-1/0/0.0
          Input :
          Output:
        se-1/0/1.0
          Input :
          Output:
      NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
      Protocol inet, MTU: 1500
        Flags: None
        Addresses, Flags: Is-Preferred Is-Primary
          Destination: /30, Local:

Callout: Member Links (the se-1/0/0.0 and se-1/0/1.0 entries under Link:)


What Are NAT and PAT?
- NAT is a mechanism that converts IP addresses from one address realm to another address realm in a one-to-one mapping fashion
- PAT, also known as Network Address Port Translation (NAPT), translates addresses in a many-to-one fashion, making use of port numbers to distinguish individual sessions
- Both NAT and PAT are typically used to translate private addresses to unique and globally routable addresses

Benefits of NAT and PAT
NAT and PAT provide the following benefits:
- Conserve address space
- Useful during mergers and ISP migration
- Permit sharing of a single, outside, global address

NAT and PAT Example (1 of 2)
- Internet access requires a public, globally routable address
- Router performs NAT services between the private and public address realms
[Figure: host (.100/24) in the Private Address Realm, router with inside interface .1/24 and outside interface .2/30, and the Internet (.1/30) in the Public Address Realm]

NAT and PAT Example (2 of 2)
- Private host address was translated to a public, globally routable address
- Router maintains state for the session
- Process is transparent to the host
[Figure: packet headers before and after NAT/PAT. Private/Inside side (host .1 to router .2): SRC-IP = inside local address, DST-IP, SRC-Port, DST-Port 80, Protocol 6. Public/Outside side (router to Internet .1): SRC-IP = outside global address, DST-IP, SRC-Port 1025, DST-Port 80, Protocol 6. The addresses themselves were not captured from the slide.]

NAT and PAT Address Assignment
Static address assignment:
- One-to-one mapping between private and public addresses for the lifetime of the NAT operation
Dynamic address assignment:
- Public addresses within a pool are dynamically assigned based on usage requirements
- Once a session ends, the public address is returned to the pool and made available to other hosts that might require a public IP address
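The definitions on the "What Are NAT and PAT?" slide, the session-state example and the address-assignment slide above describe one mechanism from three angles: a translation table keyed on the inside flow, a one-to-one (NAT) or port-multiplexed many-to-one (PAT) allocation, and a pool that hands addresses back when the session closes. The following Python model is an added example written for this page, not Juniper code and not how the AS PIC implements it; the Translator class, the address pool, the host and server addresses, and the starting port 1024 are all constructed for illustration.

```python
"""Added example (not Juniper code): a toy NAT/PAT translator showing the
session table, one-to-one (NAT) versus many-to-one (PAT) allocation, and
return of a public address to a dynamic pool when the session ends.
All addresses and ports are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]                       # (address, port)
FlowKey = Tuple[str, Endpoint, Endpoint]         # (protocol, src, dst)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: Endpoint
    dst: Endpoint


class Translator:
    """mode="nat": one-to-one, each inside host takes a whole pool address.
    mode="pat": many-to-one, every host shares pool[0] and the source port
    is rewritten so the router can tell the sessions apart."""

    def __init__(self, pool: List[str], mode: str,
                 port_range: Tuple[int, int] = (1024, 65535)):
        if mode not in ("nat", "pat") or not pool:
            raise ValueError("mode must be nat or pat and pool must be non-empty")
        self.mode = mode
        self.free_addrs = list(pool)              # dynamic pool of public addresses
        self.port_range = port_range
        self.next_port = port_range[0]
        self.sessions: Dict[FlowKey, Endpoint] = {}   # inside flow -> translated src
        self.reverse: Dict[FlowKey, Endpoint] = {}    # (proto, server, translated) -> inside src

    def _allocate(self, src: Endpoint) -> Endpoint:
        if self.mode == "nat":
            if not self.free_addrs:
                raise RuntimeError("NAT pool exhausted")
            return (self.free_addrs.pop(0), src[1])   # new address, port unchanged
        if self.next_port > self.port_range[1]:
            raise RuntimeError("PAT port range exhausted")
        port = self.next_port                         # router-assigned port ("port automatic")
        self.next_port += 1
        return (self.free_addrs[0], port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: create or reuse the session and rewrite the source."""
        key = (pkt.proto, pkt.src, pkt.dst)
        if key not in self.sessions:
            translated = self._allocate(pkt.src)
            self.sessions[key] = translated
            self.reverse[(pkt.proto, pkt.dst, translated)] = pkt.src
        return Packet(pkt.proto, self.sessions[key], pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only a reply matching an existing session is let
        back in and gets its destination rewritten; anything else is dropped."""
        inside = self.reverse.get((pkt.proto, pkt.src, pkt.dst))
        if inside is None:
            return None
        return Packet(pkt.proto, pkt.src, inside)

    def close(self, pkt: Packet) -> None:
        """Session ended: drop the state and give the public address back."""
        key = (pkt.proto, pkt.src, pkt.dst)
        translated = self.sessions.pop(key, None)
        if translated is None:
            return
        del self.reverse[(pkt.proto, pkt.dst, translated)]
        if self.mode == "nat":
            self.free_addrs.append(translated[0])


if __name__ == "__main__":
    pat = Translator(["203.0.113.1"], "pat")
    host_a = Packet("tcp", ("10.0.0.1", 1025), ("198.51.100.10", 80))
    host_b = Packet("tcp", ("10.0.0.2", 1025), ("198.51.100.10", 80))
    print(pat.outbound(host_a), pat.outbound(host_b))   # same address, ports 1024 / 1025
    reply = Packet("tcp", ("198.51.100.10", 80), ("203.0.113.1", 1025))
    print(pat.inbound(reply))                            # delivered to 10.0.0.2
```

Two behaviours worth noticing when reading the model: both hosts use the same inside source port 1025, which is exactly the collision PAT resolves by assigning its own ports, and an inbound packet that matches no session is returned as None, which is the stateful property that makes the translator act as a basic filter for unsolicited traffic.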

Application-Level Gateways
- Automatically take action based on Layer 4 through Layer 7 information
- Perform translation on addresses and ports carried in the payload
- Update the session table to allow the extra connections

ALG Example: Active FTP
- Client contacts the server on TCP/21
- Client listens for the data connection on an ephemeral port
- Client sends the server a PORT command containing its IP address and TCP port
- Server opens the data connection to the IP address and port given in the PORT command
[Figure: Control Connection (client contacts server on TCP/21) and Data Connection (server contacts client on the ephemeral TCP port)]
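The ALG slides explain why plain NAT breaks active FTP: the private address and port travel inside the PORT command payload, and the server's data connection arrives from the outside on a port no session has opened. The following Python model is an added example, not Juniper code or the junos-algs-outbound implementation; the FtpAlg class, its pinhole table, the public address 203.0.113.1 and the starting data port 40000 are constructed for illustration. The PORT syntax itself (h1,h2,h3,h4,p1,p2 with port = p1*256 + p2) is the standard FTP format.

```python
"""Added example (not Juniper code): a toy FTP ALG that parses the PORT
command on the control connection, rewrites the private address/port in the
payload to the public ones, and records a session-table entry (pinhole) so
the server's inbound data connection is allowed and sent to the right host.
Addresses and ports are constructed sample values."""
import re
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]

# PORT h1,h2,h3,h4,p1,p2 followed by CRLF; port = p1 * 256 + p2
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port(line: bytes) -> Optional[Endpoint]:
    """Return (address, port) from a PORT command, or None if the line is
    not a well-formed PORT command (including out-of-range octets)."""
    match = PORT_RE.match(line)
    if not match:
        return None
    values = [int(v) for v in match.groups()]
    if any(v > 255 for v in values):
        return None
    return (".".join(str(v) for v in values[:4]), values[4] * 256 + values[5])


def format_port(addr: str, port: int) -> bytes:
    fields = addr.split(".") + [str(port >> 8), str(port & 0xFF)]
    return ("PORT " + ",".join(fields) + "\r\n").encode()


class FtpAlg:
    def __init__(self, public_addr: str, first_data_port: int = 40000):
        self.public_addr = public_addr
        self.next_port = first_data_port
        # session-table entries opened by the ALG: public endpoint -> private endpoint
        self.pinholes: Dict[Endpoint, Endpoint] = {}

    def rewrite_control(self, line: bytes) -> bytes:
        """Inspect one outbound control-channel line (Layer 7 data). Only PORT
        commands are changed; everything else passes through untouched."""
        parsed = parse_port(line)
        if parsed is None:
            return line
        private = parsed
        public = (self.public_addr, self.next_port)
        self.next_port += 1
        self.pinholes[public] = private             # expect server -> public:port
        return format_port(*public)

    def inbound_data_connection(self, dst: Endpoint) -> Optional[Endpoint]:
        """Server opens the data connection to the public endpoint; if a
        pinhole exists it is consumed and the private endpoint returned,
        otherwise the connection is not allowed (None)."""
        return self.pinholes.pop(dst, None)


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.1")
    print(alg.rewrite_control(b"USER anonymous\r\n"))
    print(alg.rewrite_control(b"PORT 10,0,0,5,4,1\r\n"))      # 10.0.0.5:1025
    print(alg.inbound_data_connection(("203.0.113.1", 40000)))  # ('10.0.0.5', 1025)
```

The model leaves out one thing a real ALG must also do: because the rewritten PORT line can differ in length from the original, the TCP sequence and acknowledgement numbers on the control connection have to be adjusted for the rest of the session, which is part of why ALGs are tied to the stateful flow table rather than to NAT alone.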


Building Blocks of NAT and PAT
NAT configuration:
- Define the services interface
- Create the NAT pool
- Define the NAT rules
- Create the service set
NAT application:
- Apply the service set to the interface performing NAT
[Sidebar repeated on the following configuration slides: Define services interface, Define NAT rules, Create NAT pool, Create service set, Apply service set to interface performing NAT, with the current step highlighted]

Sample NAT and PAT Topology
Goals:
- Ensure that traffic originating on the /24 subnet is delivered to Tokyo with a source address from the public range
- Assume that multiple sources could be active at the same time
[Figure: Outside (Untrusted) Tokyo, lo0 .24.1, connected over se-1/0/0 to Inside (Trusted) London, lo0 .36.1, which has a /24 LAN on fe-2/0/1.1; the subnet addresses were not captured from the slide]

NAT and PAT Configuration: Defining the Services Interface
Define the services interface:

    [edit]
    edit interfaces
    [edit interfaces]
    set sp-0/0/0 unit 0 family inet
    [edit interfaces]
    show
    ...
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    ...

Callout: the service interface requires a single logical unit with family inet

NAT and PAT Configuration: Creating a NAT Pool
Create a NAT pool:

    [edit]
    edit services
    [edit services]
    set nat pool global-out address
    [edit services]
    set nat pool global-out port automatic
    [edit services]
    show
    nat {
        pool global-out {
            address /32;
            port automatic;
        }
    }

Callouts:
- NAT pool named global-out (user defined)
- Router assigns port numbers (you can define the range)

NAT and PAT Configuration: Defining the NAT Rules (1 of 2)
Define the NAT rules: translate all outbound traffic

    [edit]
    edit services nat rule nat-out
    [edit services nat rule nat-out]
    show
    match-direction output;
    term nat-with-alg {
        from {
            application-sets junos-algs-outbound;
        }
        then {
            translated {
                source-pool global-out;
                translation-type {
                    source dynamic;
                }
            }
        }
    }
    term nat-no-alg {
        then {
            translated {
                source-pool global-out;
                translation-type {
                    source dynamic;
                }
            }
        }
    }
    …

Callouts:
- Set the match direction from the interface's perspective (figure: se-1/0/0.0 with the service set applied on Input and Output)
- User-defined NAT rule and terms
- Default application set enables ALG tracking (application-sets junos-algs-outbound)
- NAT pool referenced (source-pool global-out)
- Address assignment method (translation-type source dynamic)

NAT and PAT Configuration: Defining the NAT Rules (2 of 2)
Define the NAT rules: allow all inbound traffic without translation

    [edit services nat rule nat-out]
    up
    [edit services nat]
    edit rule no-nat-in
    [edit services nat rule no-nat-in]
    set match-direction input
    [edit services nat rule no-nat-in]
    set term all then no-translation
    [edit services nat rule no-nat-in]
    show
    match-direction input;
    term all {
        then {
            no-translation;
        }
    }

Callouts:
- User-defined NAT rule and term
- Set the match direction from the interface's perspective (figure: se-1/0/0.0 with the service set applied on Input and Output)

NAT and PAT Configuration: Creating a Service Set
Create a service set:

    [edit services nat rule no-nat-in]
    top edit services service-set nat-ss
    [edit services service-set nat-ss]
    set nat-rules nat-out
    [edit services service-set nat-ss]
    set nat-rules no-nat-in
    [edit services service-set nat-ss]
    set interface-service service-interface sp-0/0/0.0
    [edit services service-set nat-ss]
    show
    nat-rules nat-out;
    nat-rules no-nat-in;
    interface-service {
        service-interface sp-0/0/0.0;
    }

Callouts:
- User-defined service set named nat-ss
- Links the NAT rules and the service interface to the service set

NAT and PAT Application
Apply a service set to the interface performing NAT:

    [edit interfaces se-1/0/0]
    show
    unit 0 {
        family inet {
            service {
                input {
                    service-set nat-ss;
                }
                output {
                    service-set nat-ss;
                }
            }
            address /30;
        }
    }

Callout: apply the nat-ss service set in both the input and output directions

Monitoring NAT and PAT (1 of 2)
Use show services nat pool to view NAT usage and pool-related details

    show services nat pool
    Interface: sp-0/0/0, Service set: nat-outbound
    NAT pool   Type      Address   Port   Ports used
    global     dynamic

Callouts:
- NAT pool name and address assignment method used
- Address and port range for the NAT pool
- A single flow is currently active

Monitoring NAT and PAT (2 of 2)
Use show services stateful-firewall flows to view NAT flow details

    show services stateful-firewall flows
    Interface: sp-0/0/0, Service set: nat-outbound
    Flow                        State   Dir   Frm count
    ICMP      :1024 ->          Watch   I     118
      NAT dest      :1024 ->       :66
    ICMP      :66   ->          Watch   O     118
      NAT source    :66   ->       :1024

Callouts:
- Direction of flow (Dir column: I = input, O = output)
- State of flow (State column)

Review Questions
1. List several services offered in JUNOS software.
2. What is the purpose of the services interface?
3. What advantages can MLPPP provide?
4. What limitations does NAT overcome?
5. What methods are used to assign addresses in NAT?
6. What is an ALG?
7. What steps are required to implement NAT?

Lab 5: Services (MLPPP and NAT)
- Configure and monitor MLPPP.
- Configure and monitor NAT.
