[j-nsp] mx80 napt-44 with ms-mic on 13.2R5
ryanL
ryan.landry at gmail.com
Wed Sep 24 14:04:18 EDT 2014
very much appreciated, alex.
On Wed, Sep 24, 2014 at 11:01 AM, Alexander Arseniev <
arseniev at btinternet.com> wrote:
> "service-filter" is a stateless firewall filter which has only 2 actions:
> either "then service" meaning "divert to Service PIC" (be it MS-PIC, MS-DPC
> NPU, MS-MIC etc) ; or "then skip" meaning "do NOT divert to Service PIC,
> route the usual way".
> "services stateful-firewall" stanza is for defining stateful-firewall
> (SFW) services on Service PIC itself. This SFW service is less
> sophisticated than SRX SFW (filters basic attacks like Teardrop/Land but
> cannot filter more complicated attacks like Winnuke) but has more
> throughput.
> There are cases when You have to use both. I.e. to offer granulated SFW
> service to different customer subnets on same interface and/or spread the
> load between >1 Service PIC, You have to use both "service-filter" and
> "services stateful-firewall" stanzas.
> I suggest You read "Junos Enterprise Routing" book which has excellent
> primer on Juniper router services (interface-style vs nexthop style, SFW,
> NAT, also IPSec) - either 1st or 2nd edition is fine since basics did not
> change between the two.
> HTH
> Thanks
> Alex
>
>
>
> On 24/09/2014 18:13, ryanL wrote:
>
> alex, thank you. very helpful. of course i particularly like your
> alternative, and that's what i thought i was accomplishing in the first
> place. guess not!
>
> can you explain the diff between `set firewall family inet service-filter`
> vs the documentation example which references `set services
> stateful-firewall` as part of the services set, and which is more
> appropriate to use here in an ms-mic situation?
>
> On Wed, Sep 24, 2014 at 10:00 AM, Alexander Arseniev <
> arseniev at btinternet.com> wrote:
>
>> I see You are using interface-style NAT - please exclude all control
>> traffic in the service-filters from being diverted to MS-MIC, like below
>> (rough cut, only BGP and BFD are excluded as an example):
>>
>> set firewall family inet service-filter sf-in term 1 from protocol tcp
>> set firewall family inet service-filter sf-in term 1 from port 179
>> set firewall family inet service-filter sf-in term 1 then skip
>> set firewall family inet service-filter sf-in term 2 from protocol udp
>> set firewall family inet service-filter sf-in term 2 from port [ 3784 4784 ]
>> set firewall family inet service-filter sf-in term 2 then skip
>> set firewall family inet service-filter sf-in term 3 then service
>> set firewall family inet service-filter sf-out term 1 from protocol tcp
>> set firewall family inet service-filter sf-out term 1 from port 179
>> set firewall family inet service-filter sf-out term 1 then skip
>> set firewall family inet service-filter sf-out term 2 from protocol udp
>> set firewall family inet service-filter sf-out term 2 from port [ 3784 4784 ]
>> set firewall family inet service-filter sf-out term 2 then skip
>> set firewall family inet service-filter sf-out term 3 then service
>> set interfaces ge-0/0/0.0 family inet service input service-set SSET1 service-filter sf-in
>> set interfaces ge-0/0/0.0 family inet service output service-set SSET1 service-filter sf-out
>>
>> Alternatively, You can construct service-filters in such a way that only
>> "interested" traffic is diverted to MS-MIC:
>>
>> set firewall family inet service-filter sf-in term 1 from source-address 10/8
>> set firewall family inet service-filter sf-in term 1 from destination-address 0/0
>> set firewall family inet service-filter sf-in term 1 from destination-address 10/8 except
>> set firewall family inet service-filter sf-in term 1 then service
>> set firewall family inet service-filter sf-in term 2 then skip
>>
>> set firewall family inet service-filter sf-out term 1 from destination-address <your nat pool route here>
>> set firewall family inet service-filter sf-out term 1 then service
>> set firewall family inet service-filter sf-out term 2 then skip
>>
>> set interfaces ge-0/0/0.0 family inet service input service-set SSET1 service-filter sf-in
>> set interfaces ge-0/0/0.0 family inet service output service-set SSET1 service-filter sf-out
>>
>> HTH
>> Thanks
>> Alex
>>
>> On 24/09/2014 17:37, ryanL wrote:
>>
>> thanks for the replies, folks. indeed it was the no-translation thing
>> that is hanging up the commit, and not the reported napt-44 statement.
>> silly defect.
>>
>> i'm using this now:
>>
>> rule NAT-RULE1 {
>>     match-direction input;
>>     term term-2 {
>>         from {
>>             source-address {
>>                 10.0.0.0/8;
>>             }
>>             destination-address {
>>                 0.0.0.0/0;
>>                 10.0.0.0/8 except; #<---- (good suggestion)
>>             }
>>         }
>>         then {
>>             translated {
>>                 source-pool NP2;
>>                 translation-type {
>>                     napt-44;
>>
>> and that seems to commit ok.
>>
>> however, implementing this on customer-facing interfaces broke the
>> customer, dropped BGP sessions, etc. my goal is to only nat traffic if
>> it is sourced from 10/8 and destined to anything other than 10/8. the NAT
>> pool is a static discard route exported in iBGP to ensure that this router
>> attracts return internet traffic in order to keep proper state.
>>
>> what am i doing wrong? the documentation is quite poor for this
>> module's implementation, and sadly i don't have a lab to play with.
>>
>> On Wed, Sep 24, 2014 at 2:13 AM, Alexander Arseniev <
>> arseniev at btinternet.com> wrote:
>>
>>> napt44 is most definitely supported on MS-MIC
>>>
>>> http://www.juniper.net/techpubs/en_US/junos13.2/topics/reference/general/nat-implementations-feature-comparison.html
>>> What is not supported is "no-translation" knob.
>>> Please change Your config to (rough cut):
>>> 1/ delete term-1, and
>>> 2/ change term-2 to:
>>>
>>> + term term-2 {
>>> + from {
>>> + source-address {
>>> + 10.0.0.0/8;
>>> + }
>>> + destination-address {
>>> + 0.0.0.0/0;
>>> + 10.0.0.0/8 except;
>>> + }
>>> + }
>>> + then {
>>> + translated {
>>> + source-pool NP2;
>>> + translation-type {
>>> + napt-44;
>>> + }
>>>
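Review bot: the snippet is cut off after the brace that closes `translation-type`, so `translated`, `then` and `term term-2` are still open and need three more closing braces before this can be pasted into a candidate config. The bigger point for a customer-facing interface is that this term only decides what gets translated; with interface-style service, everything arriving on the interface is diverted to ms-0/2/0 unless a service-filter says `then skip`, so control-plane sessions such as BGP (tcp/179) and BFD (udp 3784/4784) need an explicit skip term ahead of `then service`, as in the sf-in/sf-out filters proposed later in the thread, before this change goes onto interfaces that carry peering sessions.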
>>> - then re-test and report back please.
>>> Thanks
>>> Alex
>>>
>>>
>>> On 24/09/2014 06:47, ryanL wrote:
>>>
>>>> has anyone been successful here? i'm getting the following error, even
>>>> though juniper's docs seem to indicate this is supported on the ms-mic with 13.2.
>>>>
>>>> my ref guides are:
>>>>
>>>> http://www.juniper.net/techpubs/en_US/junos13.2/information-products/topic-collections/config-guide-services/index.html?features-ms-mic.html
>>>>
>>>> http://www.juniper.net/techpubs/en_US/junos13.2/topics/example/nat-nat44-config-ms-mpc.html
>>>>
>>>> ry at iad1-er2# show | compare
>>>> [edit]
>>>> + services {
>>>> + service-set SSET1 {
>>>> + nat-rules NAT-RULE1;
>>>> + interface-service {
>>>> + service-interface ms-0/2/0;
>>>> + }
>>>> + }
>>>> + nat {
>>>> + pool NP2 {
>>>> + address <pub_space>/28;
>>>> + port {
>>>> + automatic;
>>>> + }
>>>> + }
>>>> + rule NAT-RULE1 {
>>>> + match-direction input;
>>>> + term term-1 {
>>>> + from {
>>>> + source-address {
>>>> + 10.0.0.0/8;
>>>> + }
>>>> + destination-address {
>>>> + 10.0.0.0/8;
>>>> + }
>>>> + }
>>>> + then {
>>>> + no-translation;
>>>> + }
>>>> + }
>>>> + term term-2 {
>>>> + from {
>>>> + source-address {
>>>> + 10.0.0.0/8;
>>>> + }
>>>> + }
>>>> + then {
>>>> + translated {
>>>> + source-pool NP2;
>>>> + translation-type {
>>>> + napt-44;
>>>> + }
>>>> + }
>>>> + }
>>>> + }
>>>> + }
>>>> + }
>>>> + }
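Review bot: term-1's `then no-translation` is the statement the commit check rejects on the ms-interface (the "translation type not supported on ms-interface" error below), and simply deleting that term is not enough on its own: term-2 as written has only a `source-address 10.0.0.0/8` condition and no `destination-address` block, so once term-1 is gone, 10/8-to-10/8 traffic would be translated as well. Add `destination-address { 0.0.0.0/0; 10.0.0.0/8 except; }` to term-2 so it keeps the internal-to-internal exemption that term-1 was providing.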
>>>> [edit interfaces]
>>>> + ms-0/2/0 {
>>>> + unit 0 {
>>>> + family inet;
>>>> + }
>>>> + }
>>>>
>>>> [edit]
>>>> ry at iad1-er2# commit check
>>>> [edit services]
>>>> 'service-set SSET1'
>>>> translation type not supported on ms-interface
>>>> error: configuration check-out failed
>>>>
>>>> [edit]
>>>> _______________________________________________
>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>
>>>
>>>
>>
>>
>>
>
>
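Added example, not code from the thread or from Juniper: a small Python model of the first-match semantics of the service-filters Alex proposes, checked against constructed sample flows, to show which traffic each filter diverts to the MS-MIC and which it leaves on the normal forwarding path. The function names (`_addr_match`, `evaluate`), the flow records and the assumptions that `port` matches either direction, that address lists with `except` resolve by longest prefix, and that a flow matching no term is not diverted are mine, not the thread's.

```python
import ipaddress

def _addr_match(addr, specs):
    """Longest-prefix match over [(prefix, is_except)]; this is how the model
    resolves '10.0.0.0/8 except' against '0.0.0.0/0' (assumption)."""
    a = ipaddress.ip_address(addr)
    for net, is_except in sorted(specs, key=lambda s: -ipaddress.ip_network(s[0]).prefixlen):
        if a in ipaddress.ip_network(net):
            return not is_except
    return False

def evaluate(terms, flow):
    """Return the action ('service' or 'skip') of the first term whose
    'from' conditions all match; 'port' matches source or destination."""
    for term in terms:
        frm = term.get("from", {})
        if "protocol" in frm and flow["proto"] != frm["protocol"]:
            continue
        if "port" in frm and not ({flow["sport"], flow["dport"]} & set(frm["port"])):
            continue
        if "source-address" in frm and not _addr_match(flow["src"], frm["source-address"]):
            continue
        if "destination-address" in frm and not _addr_match(flow["dst"], frm["destination-address"]):
            continue
        return term["then"]
    return "skip"  # assumption: a flow matching no term is not diverted

# sf-in from Alex's first reply: skip BGP (tcp/179) and BFD (udp 3784/4784), divert the rest
SF_IN_CONTROL = [
    {"from": {"protocol": "tcp", "port": [179]}, "then": "skip"},
    {"from": {"protocol": "udp", "port": [3784, 4784]}, "then": "skip"},
    {"then": "service"},
]
# sf-in from Alex's alternative: divert only 10/8 -> non-10/8, skip everything else
SF_IN_INTERESTED = [
    {"from": {"source-address": [("10.0.0.0/8", False)],
              "destination-address": [("0.0.0.0/0", False), ("10.0.0.0/8", True)]},
     "then": "service"},
    {"then": "skip"},
]

# Constructed sample flows (documentation address ranges, not taken from the thread)
BGP_INTERNAL = {"proto": "tcp", "src": "10.1.1.1", "dst": "10.1.1.2", "sport": 51000, "dport": 179}
BGP_EXTERNAL = {"proto": "tcp", "src": "10.1.1.1", "dst": "198.51.100.1", "sport": 51000, "dport": 179}
INTERNAL = {"proto": "tcp", "src": "10.2.0.5", "dst": "10.9.9.9", "sport": 40000, "dport": 443}
OUTBOUND = {"proto": "tcp", "src": "10.2.0.5", "dst": "203.0.113.7", "sport": 40000, "dport": 443}
```

The one case worth noticing is a BGP session from a 10/8 address to a peer outside 10/8: the "interested traffic only" variant still diverts it, so a port-based skip term belongs in front of the `then service` term whenever such peers exist.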