[j-nsp] mx80 napt-44 with ms-mic on 13.2R5

ryanL ryan.landry at gmail.com
Wed Sep 24 13:13:03 EDT 2014


alex, thank you. very helpful. of course i particularly like your
alternative, and that's what i thought i was accomplishing in the first
place. guess not!

can you explain the diff between `set firewall family inet service-filter`
vs the documentation example which references `set services
stateful-firewall` as part of the services set, and which is more
appropriate to use here in an ms-mic situation?

On Wed, Sep 24, 2014 at 10:00 AM, Alexander Arseniev <arseniev at btinternet.com> wrote:

>  I see You are using interface-style NAT - please exclude all control
> traffic in the service-filters from being diverted to MS-MIC, like below
> (rough cut, only BGP and BFD are excluded as an example):
>
> set firewall family inet service-filter sf-in term 1 from protocol tcp
> set firewall family inet service-filter sf-in term 1 from port 179
> set firewall family inet service-filter sf-in term 1 then skip
> set firewall family inet service-filter sf-in term 2 from protocol udp
> set firewall family inet service-filter sf-in term 2 from port [ 3784 4784 ]
> set firewall family inet service-filter sf-in term 2 then skip
> set firewall family inet service-filter sf-in term 3 then service
> set firewall family inet service-filter sf-out term 1 from protocol tcp
> set firewall family inet service-filter sf-out term 1 from port 179
> set firewall family inet service-filter sf-out term 1 then skip
> set firewall family inet service-filter sf-out term 2 from protocol udp
> set firewall family inet service-filter sf-out term 2 from port [ 3784 4784 ]
> set firewall family inet service-filter sf-out term 2 then skip
> set firewall family inet service-filter sf-out term 3 then service
> set interfaces ge-0/0/0.0 family inet service input service-set SSET1 service-filter sf-in
> set interfaces ge-0/0/0.0 family inet service output service-set SSET1 service-filter sf-out
>
> Alternatively, You can construct service-filters in such a way that only
> "interested" traffic is diverted to MS-MIC:
>
> set firewall family inet service-filter sf-in term 1 from source-address 10/8
> set firewall family inet service-filter sf-in term 1 from destination-address 0/0
> set firewall family inet service-filter sf-in term 1 from destination-address 10/8 except
> set firewall family inet service-filter sf-in term 1 then service
> set firewall family inet service-filter sf-in term 2 then skip
>
> set firewall family inet service-filter sf-out term 1 from destination-address <your nat pool route here>
> set firewall family inet service-filter sf-out term 1 then service
> set firewall family inet service-filter sf-out term 2 then skip
>
> set interfaces ge-0/0/0.0 family inet service input service-set SSET1 service-filter sf-in
> set interfaces ge-0/0/0.0 family inet service output service-set SSET1 service-filter sf-out
>
> HTH
> Thanks
> Alex
>
>  On 24/09/2014 17:37, ryanL wrote:
>
> thanks for the replies, folks. indeed it was the no-translation thing that
> was hanging up the commit, and not the reported napt-44 statement. silly
> defect.
>
>  i'm using this now:
>
>      rule NAT-RULE1 {
>         match-direction input;
>         term term-2 {
>             from {
>                 source-address {
>                     10.0.0.0/8;
>                 }
>                 destination-address {
>                     0.0.0.0/0;
>                     10.0.0.0/8 except;  #<---- (good suggestion)
>                 }
>             }
>             then {
>                 translated {
>                     source-pool NP2;
>                     translation-type {
>                         napt-44;
>
>  and that seems to commit ok.
>
>  however, implementing this on customer-facing interfaces broke the
> customer, dropped BGP sessions, etc. my goal is to only nat traffic if it
> is sourced from 10/8 and destined to anything other than 10/8. the NAT pool
> is a static discard route exported in iBGP to ensure that this router
> attracts return internet traffic in order to keep proper state.
>
>  what am i doing wrong? the documentation is quite poor for this module's
> implementation, and sadly i don't have a lab to play with.
>
> On Wed, Sep 24, 2014 at 2:13 AM, Alexander Arseniev <arseniev at btinternet.com> wrote:
>
>> napt44 is most definitely supported on MS-MIC
>>
>> http://www.juniper.net/techpubs/en_US/junos13.2/topics/reference/general/nat-implementations-feature-comparison.html
>> What is not supported is "no-translation" knob.
>> Please change Your config to (rough cut):
>> 1/ delete term-1, and
>> 2/ change term-2 to:
>>
>> +              term term-2 {
>> +                  from {
>> +                      source-address {
>> +                          10.0.0.0/8;
>> +                      }
>>  +                      destination-address {
>> +                          0.0.0.0/0;
>> +                          10.0.0.0/8 except;
>> +                      }
>> +                  }
>> +                  then {
>> +                      translated {
>> +                          source-pool NP2;
>> +                          translation-type {
>> +                              napt-44;
>> +                          }
>>
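Review bot: with term-1 deleted, this term's `destination-address { 0.0.0.0/0; 10.0.0.0/8 except; }` keeps 10/8-to-10/8 traffic out of `translated`, but a NAT rule inside an interface-style service set decides only what gets translated, not what gets diverted to the MS-MIC; every packet on the interface, BGP and BFD included, still traverses ms-0/2/0 unless the service-filter attached with the service set at the interface skips it. Pair this rule change with a service-filter that has `then skip` terms for tcp/179 and udp/3784, 4784 ahead of the `then service` term.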
>>  - then re-test and report back please.
>> Thanks
>> Alex
>>
>>
>> On 24/09/2014 06:47, ryanL wrote:
>>
>>> has anyone been successful here? i'm getting the following error, even
>>> though juniper's docs seem to indicate this is supported on the ms-mic with 13.2.
>>>
>>> my ref guides are:
>>>
>>> http://www.juniper.net/techpubs/en_US/junos13.2/information-products/topic-collections/config-guide-services/index.html?features-ms-mic.html
>>>
>>> http://www.juniper.net/techpubs/en_US/junos13.2/topics/example/nat-nat44-config-ms-mpc.html
>>>
>>> ry at iad1-er2# show | compare
>>> [edit]
>>> +  services {
>>> +      service-set SSET1 {
>>> +          nat-rules NAT-RULE1;
>>> +          interface-service {
>>> +              service-interface ms-0/2/0;
>>> +          }
>>> +      }
>>> +      nat {
>>> +          pool NP2 {
>>> +              address <pub_space>/28;
>>> +              port {
>>> +                  automatic;
>>> +              }
>>> +          }
>>> +          rule NAT-RULE1 {
>>> +              match-direction input;
>>> +              term term-1 {
>>> +                  from {
>>> +                      source-address {
>>> +                          10.0.0.0/8;
>>> +                      }
>>> +                      destination-address {
>>> +                          10.0.0.0/8;
>>> +                      }
>>> +                  }
>>> +                  then {
>>> +                      no-translation;
>>> +                  }
>>> +              }
>>> +              term term-2 {
>>> +                  from {
>>> +                      source-address {
>>> +                          10.0.0.0/8;
>>> +                      }
>>> +                  }
>>> +                  then {
>>> +                      translated {
>>> +                          source-pool NP2;
>>> +                          translation-type {
>>> +                              napt-44;
>>> +                          }
>>> +                      }
>>> +                  }
>>> +              }
>>> +          }
>>> +      }
>>> +  }
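Review bot: term-1's `then no-translation;` is the action that fails on the ms-interface, and it is what `commit check` reports below as "translation type not supported on ms-interface"; rather than a separate no-translation term for 10.0.0.0/8 to 10.0.0.0/8, fold the carve-out into term-2's match with `destination-address { 0.0.0.0/0; 10.0.0.0/8 except; }`, so only 10/8 sources bound outside 10/8 reach `translated`. Separately, service-set SSET1 is `interface-service` with nothing here restricting what is diverted, so once it is applied to an interface every packet on that interface, control traffic included, goes through ms-0/2/0 unless a service-filter skips it.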
>>> [edit interfaces]
>>> +   ms-0/2/0 {
>>> +       unit 0 {
>>> +           family inet;
>>> +       }
>>> +   }
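Review bot: this hunk only brings up ms-0/2/0 unit 0 with `family inet`; no customer-facing interface in the diff carries `family inet service input`/`output service-set SSET1`, so the commit as shown diverts nothing yet. When that statement is added, attach a service-filter in the same line (`... service-set SSET1 service-filter <name>`) whose leading terms skip at least BGP (tcp/179) and BFD (udp/3784, 4784) before the catch-all `then service`, so routing-protocol sessions on that interface never enter the MS-MIC.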
>>>
>>> [edit]
>>> ry at iad1-er2# commit check
>>> [edit services]
>>>    'service-set SSET1'
>>>      translation type not supported on ms-interface
>>> error: configuration check-out failed
>>>
>>> [edit]
>>>   _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>
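As an added illustration, not part of the thread, of Junos or of Juniper's documentation: a small Python model of how Alex's two service-filter variants evaluate sample flows. It implements only the match conditions those filters use (protocol, `port` matching either source or destination port, source/destination prefixes with `except` resolved longest-prefix-first) and the `skip`/`service` actions. The addresses and flows are constructed for the example (RFC 5737 documentation ranges stand in for "outside"), and the evaluator insists on an explicit catch-all term, as both filters in the thread have, instead of guessing the platform's implicit default for an unmatched packet.

```python
# Added example: a minimal model of Junos service-filter term evaluation.
# Not Junos code and not from the thread; it covers only the match conditions
# used in the two sf-in filters posted above. Flows and addresses below are
# constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "tcp", "udp", ...
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Term:
    name: str
    action: str                                              # "skip" or "service"
    protocol: Optional[str] = None                           # from protocol <x>
    ports: Tuple[int, ...] = ()                              # from port [...]: source OR destination
    source_address: Tuple[Tuple[str, bool], ...] = ()        # (prefix, is_except)
    destination_address: Tuple[Tuple[str, bool], ...] = ()   # (prefix, is_except)

    @staticmethod
    def _prefix_match(prefixes, addr):
        """Longest matching prefix wins; if the winner is an 'except' entry, no match."""
        if not prefixes:
            return True                                      # condition absent: matches anything
        ip = ipaddress.ip_address(addr)
        best = None
        for prefix, is_except in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, is_except)
        return best is not None and not best[1]

    def matches(self, f: Flow) -> bool:
        if self.protocol is not None and f.proto != self.protocol:
            return False
        if self.ports and f.sport not in self.ports and f.dport not in self.ports:
            return False
        return (self._prefix_match(self.source_address, f.src)
                and self._prefix_match(self.destination_address, f.dst))


def evaluate(terms, flow: Flow) -> str:
    """First matching term decides. Both filters in the thread end in a catch-all,
    so an unmatched flow is treated as a configuration error here (assumption:
    the implicit platform default is deliberately not modelled)."""
    for term in terms:
        if term.matches(flow):
            return term.action
    raise ValueError(f"no term matched {flow}; add a catch-all term")


# sf-in, first variant: skip BGP and BFD, divert everything else to the MS-MIC.
SF_IN_EXCLUDE_CONTROL = (
    Term("1", "skip", protocol="tcp", ports=(179,)),
    Term("2", "skip", protocol="udp", ports=(3784, 4784)),
    Term("3", "service"),
)

# sf-in, second variant: divert only 10/8 -> non-10/8, skip the rest.
SF_IN_INTERESTED_ONLY = (
    Term("1", "service",
         source_address=(("10.0.0.0/8", False),),
         destination_address=(("0.0.0.0/0", False), ("10.0.0.0/8", True))),
    Term("2", "skip"),
)

# Constructed sample flows.
FLOWS = {
    "ibgp_inside":   Flow("10.1.1.1", "10.1.1.2", "tcp", 50123, 179),
    "bfd_inside":    Flow("10.1.1.1", "10.1.1.2", "udp", 49152, 3784),
    "web_outbound":  Flow("10.20.30.40", "198.51.100.10", "tcp", 51000, 443),
    "ebgp_outside":  Flow("10.1.1.1", "192.0.2.1", "tcp", 50124, 179),
    "transit_non10": Flow("172.16.0.1", "198.51.100.10", "tcp", 52000, 443),
}


def classify(terms, flows=FLOWS):
    """Return {flow_name: 'skip' | 'service'} for one filter."""
    return {name: evaluate(terms, f) for name, f in flows.items()}


if __name__ == "__main__":
    for label, terms in (("exclude-control", SF_IN_EXCLUDE_CONTROL),
                         ("interested-only", SF_IN_INTERESTED_ONLY)):
        print(label)
        for name, verdict in classify(terms).items():
            print(f"  {name:14s} -> {verdict}")
```

The two filters agree on the first three flows and differ on the last two: a BGP session from a 10/8 address to an outside peer is skipped by the first filter but diverted by the second, while traffic from a non-10/8 source is diverted by the first (it reaches the MS-MIC even though the NAT rule's `from source-address 10/8` will not translate it) and skipped by the second. The model makes that kind of difference visible before a service-filter is committed on a customer-facing interface; a filter that lists the control-traffic `skip` terms first, then the 10/8-to-outside `service` term, then a catch-all `skip` can be checked the same way.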
