[j-nsp] NAPT pool "address" vs "address-range"

David B Funk dbfunk at engineering.uiowa.edu
Mon Dec 28 23:28:45 EST 2015 

When defining an address pool for NAPT you can use either
  "address CIDR/blk" or "address-range low a.b.c.d high e.f.g.h"
and you'd think they'd do the same thing (with correct choice of values).

In an M120 w/ 10.4R8.5 they did but in an MX480 w/13.3R6.5 they don't.

Specifically with a config of:

[service nat]
         pool 29-160-nat-pool {
             address 128.255.29.160/28;
             port {
                 automatic;
             }
         }
used in a NAT service

On the M120 you get a static route:
   root at rtr-sc01b> show route protocol static

   inet.0: 109 destinations, 117 routes (108 active, 0 holddown, 1 hidden)
   + = Active Route, - = Last Active, * = Both
   [bunch of stuff omitted]
   128.255.29.160/28  *[Static/1] 161w5d 03:26:09
                         Service to khaki-nat-service


But similar config ("address 128.255.20.160/28") on a MX480 get a static route:
   root at rtr-sc02a> show route protocol static

   inet.0: 57 destinations, 57 routes (56 active, 0 holddown, 1 hidden)
   + = Active Route, - = Last Active, * = Both

   128.255.20.161/32  *[Static/1] 4d 02:03:58
                         Service to khaki-nat-service
   128.255.20.162/31  *[Static/1] 4d 02:03:58
                         Service to khaki-nat-service
   128.255.20.164/30  *[Static/1] 4d 02:03:58
                         Service to khaki-nat-service
   128.255.20.168/30  *[Static/1] 4d 02:03:58
                         Service to khaki-nat-service
   128.255.20.172/31   [Static/1] 00:00:14
                         Service to khaki-nat-service
   128.255.20.174/32   [Static/1] 00:00:14
                         Service to khaki-nat-service


On the MX480 by changing that nat pool def to:
[service nat]
         pool 29-160-nat-pool {
             address-range low 128.255.20.160 high 128.255.20.175;
             port {
                 automatic;
             }
         }

All of a sudden the static route becomes:
   root at rtr-sc02a> show route protocol static

   inet.0: 52 destinations, 52 routes (51 active, 0 holddown, 1 hidden)
   + = Active Route, - = Last Active, * = Both

   128.255.20.160/28  *[Static/1] 00:05:24
                         Service to khaki-nat-service

Bottom line on the MX480 it's not willing to use the full range of the /28 CIDR block
for addresses in that pool, but by explicitly listing the full range  it works.
The M120 didn't have this behaivor.

So what gives?


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

More information about the juniper-nsp mailing list