[j-nsp] mx80 napt-44 with ms-mic on 13.2R5

Alexander Arseniev arseniev at btinternet.com
Wed Sep 24 14:01:12 EDT 2014


"service-filter" is a stateless firewall filter which has only 2 
actions: either "then service" meaning "divert to Service PIC" (be it 
MS-PIC, MS-DPC NPU, MS-MIC etc); or "then skip" meaning "do NOT divert 
to Service PIC, route the usual way".
"services stateful-firewall" stanza is for defining stateful-firewall 
(SFW) services on Service PIC itself. This SFW service is less 
sophisticated than SRX SFW (filters basic attacks like Teardrop/Land but 
cannot filter more complicated attacks like Winnuke) but has more 
throughput.
There are cases when You have to use both, i.e. to offer granulated SFW 
service to different customer subnets on the same interface and/or spread 
the load between >1 Service PIC, You have to use both "service-filter" 
and "services stateful-firewall" stanzas.
I suggest You read the "Junos Enterprise Routing" book which has an excellent 
primer on Juniper router services (interface-style vs nexthop-style, 
SFW, NAT, also IPSec) - either 1st or 2nd edition is fine since the basics 
did not change between the two.
HTH
Thanks
Alex


On 24/09/2014 18:13, ryanL wrote:
> alex, thank you. very helpful. of course i particularly like your 
> alternative, and that's what i thought i was accomplishing in the 
> first place. guess not!
>
> can you explain the diff between `set firewall family inet 
> service-filter` vs the documentation example which references `set 
> services stateful-firewall` as part of the services set, and which is 
> more appropriate to use here in an ms-mic situation?
>
> On Wed, Sep 24, 2014 at 10:00 AM, Alexander Arseniev 
> <arseniev at btinternet.com> wrote:
>
>     I see You are using interface-style NAT - please exclude all
>     control traffic in the service-filters from being diverted to
>     MS-MIC, like below (rough cut, only BGP and BFD are excluded as an
>     example):
>
>     set firewall family inet service-filter sf-in term 1 from protocol tcp
>     set firewall family inet service-filter sf-in term 1 from port 179
>     set firewall family inet service-filter sf-in term 1 then skip
>     set firewall family inet service-filter sf-in term 2 from protocol udp
>     set firewall family inet service-filter sf-in term 2 from port [ 3784 4784 ]
>     set firewall family inet service-filter sf-in term 2 then skip
>     set firewall family inet service-filter sf-in term 3 then service
>     set firewall family inet service-filter sf-out term 1 from protocol tcp
>     set firewall family inet service-filter sf-out term 1 from port 179
>     set firewall family inet service-filter sf-out term 1 then skip
>     set firewall family inet service-filter sf-out term 2 from protocol udp
>     set firewall family inet service-filter sf-out term 2 from port [ 3784 4784 ]
>     set firewall family inet service-filter sf-out term 2 then skip
>     set firewall family inet service-filter sf-out term 3 then service
>     set interfaces ge-0/0/0.0 family inet service input service-set SSET1 service-filter sf-in
>     set interfaces ge-0/0/0.0 family inet service output service-set SSET1 service-filter sf-out
>
>     Alternatively, You can construct service-filters in such a way
>     that only "interested" traffic is diverted to MS-MIC:
>
>     set firewall family inet service-filter sf-in term 1 from source-address 10/8
>     set firewall family inet service-filter sf-in term 1 from destination-address 0/0
>     set firewall family inet service-filter sf-in term 1 from destination-address 10/8 except
>     set firewall family inet service-filter sf-in term 1 then service
>     set firewall family inet service-filter sf-in term 2 then skip
>
>     set firewall family inet service-filter sf-out term 1 from destination-address <your nat pool route here>
>     set firewall family inet service-filter sf-out term 1 then service
>     set firewall family inet service-filter sf-out term 2 then skip
>
>     set interfaces ge-0/0/0.0 family inet service input service-set SSET1 service-filter sf-in
>     set interfaces ge-0/0/0.0 family inet service output service-set SSET1 service-filter sf-out
>
>     HTH
>     Thanks
>     Alex
>
>     On 24/09/2014 17:37, ryanL wrote:
>>     thanks for the replies, folks. indeed it was the no-translation
>>     thing that is hanging up the commit, and not the reported napt-44
>>     statement. silly defect.
>>
>>     i'm using this now:
>>
>>         rule NAT-RULE1 {
>>             match-direction input;
>>             term term-2 {
>>                 from {
>>                     source-address {
>>                         10.0.0.0/8;
>>                     }
>>                     destination-address {
>>                         0.0.0.0/0;
>>                         10.0.0.0/8 except;  #<---- (good suggestion)
>>                     }
>>                 }
>>                 then {
>>                     translated {
>>                         source-pool NP2;
>>                         translation-type {
>>                             napt-44;
>>
>>     and that seems to commit ok.
>>
>>     however, implementing this on customer-facing interfaces broke
>>     the customer, dropped BGP sessions, etc. my goal is to only nat
>>     traffic if it is sourced from 10/8 and destined to anything other
>>     than 10/8. the NAT pool is a static discard route exported in
>>     iBGP to ensure that this router attracts return internet traffic
>>     in order to keep proper state.
>>
>>     what am i doing wrong? the documentation is quite poor for this
>>     module's implementation, and sadly i don't have a lab to play with.
>>
>>     On Wed, Sep 24, 2014 at 2:13 AM, Alexander Arseniev
>>     <arseniev at btinternet.com> wrote:
>>
>>         napt44 is most definitely supported on MS-MIC
>>         http://www.juniper.net/techpubs/en_US/junos13.2/topics/reference/general/nat-implementations-feature-comparison.html
>>
>>         What is not supported is "no-translation" knob.
>>         Please change Your config to (rough cut):
>>         1/ delete term-1, and
>>         2/ change term-2 to:
>>
>>         +              term term-2 {
>>         +                  from {
>>         +                      source-address {
>>         +                          10.0.0.0/8;
>>         +                      }
>>         +                      destination-address {
>>         +                          0.0.0.0/0;
>>         +                          10.0.0.0/8 except;
>>         +                      }
>>         +                  }
>>         +                  then {
>>         +                      translated {
>>         +                          source-pool NP2;
>>         +                          translation-type {
>>         +                              napt-44;
>>         +                          }
>>
>>         - then re-test and report back please.
>>         Thanks
>>         Alex
>>
>>
>>         On 24/09/2014 06:47, ryanL wrote:
>>
>>             has anyone been successful here? i'm getting the following error, even
>>             though juniper's docs seem to indicate this is supported on the ms-mic with 13.2.
>>
>>             my ref guides are:
>>             http://www.juniper.net/techpubs/en_US/junos13.2/information-products/topic-collections/config-guide-services/index.html?features-ms-mic.html
>>             http://www.juniper.net/techpubs/en_US/junos13.2/topics/example/nat-nat44-config-ms-mpc.html
>>
>>             ry at iad1-er2# show | compare
>>             [edit]
>>             +  services {
>>             +      service-set SSET1 {
>>             +          nat-rules NAT-RULE1;
>>             +          interface-service {
>>             +              service-interface ms-0/2/0;
>>             +          }
>>             +      }
>>             +      nat {
>>             +          pool NP2 {
>>             +              address <pub_space>/28;
>>             +              port {
>>             +                  automatic;
>>             +              }
>>             +          }
>>             +          rule NAT-RULE1 {
>>             +              match-direction input;
>>             +              term term-1 {
>>             +                  from {
>>             +                      source-address {
>>             +                          10.0.0.0/8;
>>             +                      }
>>             +                      destination-address {
>>             +                          10.0.0.0/8;
>>             +                      }
>>             +                  }
>>             +                  then {
>>             +                      no-translation;
>>             +                  }
>>             +              }
>>             +              term term-2 {
>>             +                  from {
>>             +                      source-address {
>>             +                          10.0.0.0/8;
>>             +                      }
>>             +                  }
>>             +                  then {
>>             +                      translated {
>>             +                          source-pool NP2;
>>             +                          translation-type {
>>             +                              napt-44;
>>             +                          }
>>             +                      }
>>             +                  }
>>             +              }
>>             +          }
>>             +      }
>>             +  }
>>             [edit interfaces]
>>             +   ms-0/2/0 {
>>             +       unit 0 {
>>             +           family inet;
>>             +       }
>>             +   }
>>
>>             [edit]
>>             ry at iad1-er2# commit check
>>             [edit services]
>>                'service-set SSET1'
>>                  translation type not supported on ms-interface
>>             error: configuration check-out failed
>>
>>             [edit]
>>             _______________________________________________
>>             juniper-nsp mailing list juniper-nsp at puck.nether.net
>>             https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
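As an added illustration that is not part of this thread or of any Juniper code, the following Python model walks constructed sample flows through the three sf-in designs discussed above: divert everything (the variant that dropped the customer's BGP sessions), exclude control traffic by port, and divert only 10/8-to-non-10/8 traffic. It assumes the usual Junos filter semantics (first matching term wins, "from port" matches either source or destination port, and in an address list the longest matching prefix decides with "except" entries excluding); the platform's default action when no term matches is deliberately not modelled.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# Constructed 5-tuple; sport/dport default to 0 for protocols without ports
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=(0, 0))

@dataclass
class Term:
    action: str               # "service" = divert to MS-MIC, "skip" = route normally
    proto: str = ""           # "from protocol" (empty = any)
    ports: tuple = ()         # "from port": matches source OR destination port
    src: tuple = ()           # "from source-address": (prefix, is_except) pairs
    dst: tuple = ()           # "from destination-address": (prefix, is_except) pairs

def prefix_match(addr, entries):
    """Address-list semantics (assumed): longest matching prefix decides; 'except' excludes."""
    if not entries:
        return True           # no address condition in this term
    ip, best = ipaddress.ip_address(addr), None
    for prefix, is_except in entries:
        net = ipaddress.ip_network(prefix, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]

def evaluate(terms, pkt):
    """First matching term wins; the thread's filters always end with a catch-all term."""
    for t in terms:
        if t.proto and t.proto != pkt.proto:
            continue
        if t.ports and pkt.sport not in t.ports and pkt.dport not in t.ports:
            continue
        if prefix_match(pkt.src, t.src) and prefix_match(pkt.dst, t.dst):
            return t.action
    raise ValueError("no term matched; the platform default action is not modelled")

# The three sf-in designs from the thread, as constructed filter definitions
DIVERT_ALL = [Term("service")]                                     # what broke the customer
EXCLUDE_CONTROL = [Term("skip", proto="tcp", ports=(179,)),        # BGP
                   Term("skip", proto="udp", ports=(3784, 4784)),  # BFD
                   Term("service")]
INTERESTED_ONLY = [Term("service", src=(("10.0.0.0/8", False),),
                        dst=(("0.0.0.0/0", False), ("10.0.0.0/8", True))),
                   Term("skip")]

# Constructed sample flows: a customer BGP session, a 10/8 host reaching the internet, 10/8 to 10/8
BGP = Packet("10.1.1.2", "10.1.1.1", "tcp", 52000, 179)
WEB = Packet("10.20.30.40", "203.0.113.10", "tcp", 40000, 443)
INTERNAL = Packet("10.20.30.40", "10.9.9.9", "tcp", 40000, 80)
```

Note that the interested-only filter skips the BGP flow above only because both peers sit in 10/8; a session to a peer outside 10/8 would still be diverted unless a port-based skip term like the one in EXCLUDE_CONTROL is placed in front of it.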
