Operating Juniper Networks Routers in the Enterprise Chapter 7: Services
Chapter Objectives
• After successfully completing this chapter, you will be able to:
  • Describe the services architecture
  • List common Layer 2 and Layer 3 services
  • Explain the purpose of MLPPP
  • Configure and monitor MLPPP
  • Explain the purpose of NAT and PAT
  • Configure and monitor NAT and PAT
Agenda: Services
• Overview of Services and Services Architecture
• Overview of MLPPP
• Configuring and Monitoring MLPPP
• Overview of NAT and PAT
• Configuring and Monitoring NAT and PAT
Disclaimer!
• Because of the flexibility and power of the services architecture, services can be complicated
• Full coverage of the services architecture and services offered in JUNOS software is outside the scope of this class
• Our goal is to provide a basic understanding of the services architecture and provide some common configuration and monitoring examples
• Students should attend the AJRE class for detailed coverage of JUNOS software services found in the enterprise
Overview of Services
• Layer 2 services:
  • MLPPP
  • MLFR
  • CRTP
• Layer 3 services:
  • NAT and PAT
  • Stateful firewall
  • IPSec VPN
  • Intrusion detection
Services Interfaces
• Services provided by:
  • AS PIC
  • AS Module (M7i)
  • J-series software processes
  • Link Services PIC
  • Tunnel Services PIC
  • MultiServices PIC
MultiServices PIC and AS PIC Service Package
• Must configure MultiServices PIC and AS PIC for Layer 2 or Layer 3 service package under [edit chassis fpc slot pic pic adaptive-services]:
    set service-package (layer-2 | layer-3)
• Not required for J-series software process or AS Module (M7i)
J-series Services Architecture
• Services are provided by a software instantiation of the M-series and T-series AS PIC
• Manifested as a virtual service interface named sp-0/0/0
• Handled as a real-time thread within the forwarding process
[Diagram: Control Plane (JUNOS Kernel) connected over a UNIX socket to the PFE (fwdd-unix); packets pass from the Ingress PIM through the real-time forwarding and services threads (fwdd-rt) to the Egress PIM; packets are forwarded to the services interface (Services Thread) as needed]
What Is MLPPP?
• MLPPP is:
  • A protocol that allows the connection of multiple PPP-based links between two devices (routers)
  • An extension to PPP (defined in RFC 1990)
  • A Layer 2 service offering in JUNOS software
Benefits of MLPPP
• Benefits:
  • Creates a virtual link that provides greater bandwidth than the individual member links
  • Provides load balancing across member links by splitting, recombining, and sequencing datagrams across multiple logical data links
MLPPP Case Study: Symptom
• Employees are complaining about unreliable connectivity between Site A and Site B
[Diagram: Site A and Site B, each with a LAN interface fe-0/0/1 (.1/24), connected through a Service Provider by a single T1 circuit (t1-1/0/0 at each site, .1/30 and .2/30)]

MLPPP Case Study: Investigation
• Investigation shows that maximum capacity for the circuit is reached during peak hours and that packet drops are occurring
[Diagram: same topology; the single T1 between Site A and Site B through the Service Provider is marked "Bottleneck"]

MLPPP Case Study: Solution
• Increase bandwidth capacity between sites by adding a second T1 circuit and using MLPPP
[Diagram: a second T1 (t1-1/0/1) is added at each site; t1-1/0/0 and t1-1/0/1 are bundled into ls-0/0/0.1 (.1/30 and .2/30) across the Service Provider; "T1 × 2 + MLPPP ="]
Multilink PPP Configuration (1 of 2)
• Logically bind one or more physical links to bundle

R2 configuration:
    interfaces {
        ls-0/0/0 {
            unit 0 {
                family inet {
                    address 172.18.37.6/30;
                }
            }
        }
        se-1/0/0 {
            unit 0 {
                family mlppp {
                    bundle ls-0/0/0.0;
                }
            }
        }
        se-1/0/1 {
            unit 0 {
                family mlppp {
                    bundle ls-0/0/0.0;
                }
            }
        }
    }

R1 configuration:
    interfaces {
        ls-0/0/0 {
            unit 0 {
                family inet {
                    address 172.18.37.5/30;
                }
            }
        }
        se-1/0/0 {
            unit 0 {
                family mlppp {
                    bundle ls-0/0/0.0;
                }
            }
        }
        se-1/0/1 {
            unit 0 {
                family mlppp {
                    bundle ls-0/0/0.0;
                }
            }
        }
    }
Multilink PPP Configuration (2 of 2)
• Bundle can have up to 8 member links
• Bundle can have minimum-links value specified
  • Identifies threshold to maintain bundle state
  • Value can be from 1 to 8 with a default value of 1

    user@host# set interfaces ls-0/0/0 unit 0 minimum-links ?
    Possible completions:
      <minimum-links>      Minimum number of links to sustain the bundle (1..8)

Pop Quiz: When would you set the minimum-links value at something other than the default value of 1?
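The bundle behaviour the MLPPP slides describe (a virtual link whose bandwidth is the sum of its members, datagrams split into sequenced fragments that are load-balanced across member links and recombined at the far end, and the minimum-links threshold that keeps or drops the bundle), as an added Python model. This is not part of the course material and not JUNOS code; the link names, the 1544 kbps T1 rate and the 4-byte fragment size are constructed for illustration.

```python
"""Added example (not from the course deck): a toy model of an MLPPP bundle.
It shows a virtual link whose bandwidth is the sum of its active members,
per-datagram fragmentation with bundle-wide sequence numbers so fragments
can be spread across members and recombined in order, and the minimum-links
threshold that decides whether the bundle stays up. Link names, rates and
the fragment size are constructed for illustration."""
from dataclasses import dataclass, field
from itertools import cycle


@dataclass(frozen=True)
class Fragment:
    seq: int        # bundle-wide sequence number carried in the multilink header
    begin: bool     # B bit: first fragment of a datagram
    end: bool       # E bit: last fragment of a datagram
    payload: bytes


@dataclass
class MemberLink:
    name: str
    bandwidth_kbps: int
    up: bool = True
    sent: list = field(default_factory=list)   # fragments queued on this link


class MlpppBundle:
    def __init__(self, name, members, minimum_links=1, fragment_size=4):
        # JUNOS limits from the slides: up to 8 member links, minimum-links 1..8 (default 1)
        if not 1 <= len(members) <= 8 or not 1 <= minimum_links <= 8:
            raise ValueError("bundle supports 1..8 member links and minimum-links 1..8")
        self.name = name
        self.members = members
        self.minimum_links = minimum_links
        self.fragment_size = fragment_size
        self.next_seq = 0

    def active_links(self):
        return [m for m in self.members if m.up]

    def is_up(self):
        # the bundle stays up only while at least minimum-links members are up
        return len(self.active_links()) >= self.minimum_links

    def bandwidth_kbps(self):
        return sum(m.bandwidth_kbps for m in self.active_links()) if self.is_up() else 0

    def fragment(self, datagram):
        size = self.fragment_size
        chunks = [datagram[i:i + size] for i in range(0, len(datagram), size)] or [b""]
        frags = []
        for i, chunk in enumerate(chunks):
            frags.append(Fragment(self.next_seq, i == 0, i == len(chunks) - 1, chunk))
            self.next_seq += 1
        return frags

    def send(self, datagram):
        """Fragment one datagram and spread the fragments round-robin over the
        active member links (the load balancing the slides describe)."""
        if not self.is_up():
            raise RuntimeError(f"{self.name} is down: fewer than {self.minimum_links} links active")
        frags = self.fragment(datagram)
        for frag, link in zip(frags, cycle(self.active_links())):
            link.sent.append(frag)
        return frags


def reassemble(fragments):
    """Receiver side: merge the fragments arriving on every member link, order
    them by sequence number, and rebuild each datagram between its B and E bits.
    A gap in the sequence means a fragment was lost on some link."""
    datagrams, current, expected = [], bytearray(), None
    for frag in sorted(fragments, key=lambda f: f.seq):
        if expected is not None and frag.seq != expected:
            raise ValueError(f"missing fragment: expected seq {expected}, got {frag.seq}")
        expected = frag.seq + 1
        if frag.begin:
            current = bytearray()
        current += frag.payload
        if frag.end:
            datagrams.append(bytes(current))
    return datagrams


if __name__ == "__main__":
    # two T1s (1544 kbps each) bundled; with minimum-links 2 the bundle needs both
    links = [MemberLink("t1-1/0/0", 1544), MemberLink("t1-1/0/1", 1544)]
    bundle = MlpppBundle("ls-0/0/0.1", links, minimum_links=2)
    bundle.send(b"ABCDEFGHIJ")
    print(bundle.bandwidth_kbps(), [[f.seq for f in l.sent] for l in links])
    print(reassemble(links[0].sent + links[1].sent))
    links[1].up = False
    print("bundle up:", bundle.is_up())
```

The minimum-links check is where the pop quiz answer lives: with the default of 1 the bundle silently degrades to a single T1 when a member fails, while a higher value takes the bundle down so routing can fail over instead of forwarding over a link that cannot carry the load.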
Monitoring MLPPP

    user@host> show interfaces ls-0/0/0
    Physical interface: ls-0/0/0, Enabled, Physical link is Up
    …
      Logical interface ls-0/0/0.0 (Index 68) (SNMP ifIndex 39)
        Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: Multilink-PPP
        Bandwidth: 16mbps
        Statistics          Frames      fps      Bytes      bps
        Bundle:
          Fragments:
            Input :           4090        0     372190        0
            Output:           3649        0     328410        0
          Packets:
            Input :           4093        0     343812        0
            Output:           3652        0     307950        0
        Link:
          se-1/0/0.0
            Input :           1041        0      94731        0
            Output:            840        0      75600        0
          se-1/0/1.0
            Input :           1041        0      94731        0
            Output:            840        0      75600        0
        NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
        Protocol inet, MTU: 1500
          Flags: None
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 172.18.37.4/30, Local: 172.18.37.5

(Callout: the Link section lists the bundle's member links, se-1/0/0.0 and se-1/0/1.0)
What are NAT and PAT?
• NAT is a mechanism that converts IP addresses from one address realm to another address realm in a one-to-one mapping fashion
• PAT, also known as Network Address Port Translation (NAPT), translates addresses in a many-to-one fashion, making use of port numbers to distinguish individual sessions
• Both NAT and PAT are typically used to translate private addresses to unique and globally routable addresses
Benefits of NAT and PAT
• NAT and PAT provide the following benefits:
  • Conserve address space
  • Useful during mergers and ISP migration
  • Permit sharing of a single, outside, global address
NAT and PAT Example (1 of 2)
• Internet access requires a public, globally routable address
• Router performs NAT services between private and public address realms
[Diagram: Private Address Realm (host .100/24, router .1/24) -- NAT router -- Public Address Realm (.1/30, .2/30) -- Internet]

NAT and PAT Example (2 of 2)
• Private host address was translated to public, globally routable address
• Router maintains state for session
• Process is transparent to host
[Diagram: Private/Inside 10.1.1.0/24 (host .100, router .1) -- NAT/PAT router -- Public/Outside 201.1.8.0/30 (.1, .2)]

                 Inside Local            Outside Global
    SRC-IP       10.1.1.100              201.1.8.1
    DST-IP       221.1.8.5               221.1.8.5
    SRC-Port     1025                    36033
    DST-Port     80                      80
    Protocol     6                       6
NAT and PAT Address Assignment
• Static address assignment:
  • One-to-one mapping between private and public addresses for lifetime of NAT operation
• Dynamic address assignment:
  • Public addresses within pool are dynamically assigned based on usage requirements
  • Once session ends, public address is returned to pool and made available to other hosts that might require a public IP address
Application-Level Gateways
• Automatically takes action based on Layers 4–7 information
• Performs translation on addresses and ports in payload
• Updates session table to allow extra connections
ALG Example
• Active FTP
  • Client contacts server on TCP/21
  • Client listens for data connection on ephemeral port
  • Client sends server PORT command with IP address and TCP port
  • Server opens data connection to IP address and port in PORT command
[Diagram: Control Connection (Client contacts server on TCP/21); Data Connection (Server contacts client on ephemeral TCP port)]
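The PAT session table from the NAT and PAT example (inside local 10.1.1.100 behind outside global 201.1.8.1), the dynamic pool behaviour from the address-assignment slide, and the active-FTP ALG above, combined in one added Python model. This is not part of the course material and not JUNOS code: the port range 512..65535, the server address 221.1.8.5 and the PORT command text are constructed for illustration, and the translator keeps no timers, so pinholes never expire.

```python
"""Added example (not from the course deck): a small model of the PAT session
table and the active-FTP ALG described on the slides. One public address is
shared by many inside hosts, each outbound session gets its own public port,
inbound packets are accepted only when they match existing state, and the FTP
ALG rewrites the address and port inside the PORT command and opens a pinhole
for the server's data connection. Addresses and the port range are constructed."""
import re
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: int        # 6 = TCP, 17 = UDP
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatPool:
    """Dynamic pool: one public address, ports assigned automatically and
    returned to the pool when the session ends (assumed range 512..65535)."""
    def __init__(self, address, first_port=512, last_port=65535):
        self.address = address
        self.total = last_port - first_port + 1
        self.free = deque(range(first_port, last_port + 1))

    def allocate(self):
        if not self.free:
            raise RuntimeError("NAT pool exhausted: new session cannot be created")
        return self.free.popleft()

    def release(self, port):
        self.free.append(port)

    def ports_used(self):
        return self.total - len(self.free)


PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


class PatTranslator:
    def __init__(self, pool):
        self.pool = pool
        self.sessions = {}        # inside Flow -> translated (outside) Flow
        self.by_public_port = {}  # (proto, public port) -> inside Flow
        self.pinholes = {}        # (proto, public port) -> (inside ip, inside port)

    def _add_session(self, inside, public_port=None):
        port = self.pool.allocate() if public_port is None else public_port
        outside = Flow(inside.proto, self.pool.address, port, inside.dst_ip, inside.dst_port)
        self.sessions[inside] = outside
        self.by_public_port[(inside.proto, port)] = inside
        return outside

    def outbound(self, flow, payload=b""):
        """Inside -> outside: translate source address and port, keep state."""
        outside = self.sessions.get(flow) or self._add_session(flow)
        if flow.proto == 6 and flow.dst_port == 21:   # FTP control channel: run the ALG
            payload = self._ftp_alg(payload)
        return outside, payload

    def inbound(self, flow):
        """Outside -> inside: reverse the translation for known state, else drop."""
        key = (flow.proto, flow.dst_port)
        inside = self.by_public_port.get(key)
        if inside is not None:                      # reply to an existing session
            return Flow(flow.proto, flow.src_ip, flow.src_port, inside.src_ip, inside.src_port)
        hole = self.pinholes.pop(key, None)
        if hole is not None:                        # data connection the ALG expected
            inside_ip, inside_port = hole
            self._add_session(Flow(flow.proto, inside_ip, inside_port, flow.src_ip, flow.src_port),
                              public_port=flow.dst_port)
            return Flow(flow.proto, flow.src_ip, flow.src_port, inside_ip, inside_port)
        return None                                 # unsolicited: no state, dropped

    def close(self, flow):
        """Session ended: remove state and return the public port to the pool."""
        outside = self.sessions.pop(flow)
        del self.by_public_port[(flow.proto, outside.src_port)]
        self.pool.release(outside.src_port)

    def _ftp_alg(self, payload):
        """Rewrite 'PORT h1,h2,h3,h4,p1,p2' (Layer 7 payload) so the server sees
        the public address and a public port, and open a pinhole for that port.
        A real ALG also expires unused pinholes; that timer is omitted here."""
        m = PORT_CMD.match(payload)
        if m is None:
            return payload
        h = [int(x) for x in m.groups()]
        inside_ip, inside_port = ".".join(map(str, h[:4])), h[4] * 256 + h[5]
        public_port = self.pool.allocate()
        self.pinholes[(6, public_port)] = (inside_ip, inside_port)
        octets = self.pool.address.replace(".", ",")
        return f"PORT {octets},{public_port // 256},{public_port % 256}\r\n".encode()
```

Two points the model makes visible: without the ALG the server's data connection arrives at a public port with no session behind it and is dropped like any other unsolicited inbound packet, and every pinhole consumes a pool port just as a normal session does, which is why pool usage (the `show services nat pool` counters) can be higher than the number of user-visible connections.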
Building Blocks of NAT and PAT
• NAT configuration:
  • Define services interface
  • Create NAT pool
  • Define NAT rules
  • Create service set
• NAT application:
  • Apply service set to interface performing NAT
[Flow chart: Define services interface → Create NAT pool → Create service set → Define NAT rules → Apply service set to interface performing NAT]
Sample NAT and PAT Topology
• Goals:
  • Ensure that traffic originating on the 10.222.101.0/24 subnet is delivered to Tokyo with a 172.18.37.5 source address
  • Assume that multiple sources could be active at the same time
[Diagram: London with fe-2/0/1 (.1) on the Inside (Trusted) LAN 10.222.101.0/24 and se-1/0/0 (.5) on the Outside (Untrusted) link 172.18.37.4/30 to Tokyo (.6, se-1/0/1); loopbacks labelled lo0: 36.1 and lo0: 24.1]
NAT and PAT Configuration: Defining the Services Interface
• Define the services interface
  • Service interface requires a single logical unit with family inet

    [edit]
    lab@London# edit interfaces
    [edit interfaces]
    lab@London# set sp-0/0/0 unit 0 family inet
    [edit interfaces]
    lab@London# show
    ...
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    ...
NAT and PAT Configuration: Creating a NAT Pool
• Create a NAT pool
  • NAT pool name is user defined (global-out in this example)
  • Router assigns port numbers (you can define the range)

    [edit]
    lab@London# edit services
    [edit services]
    lab@London# set nat pool global-out address 172.18.37.5
    [edit services]
    lab@London# set nat pool global-out port automatic
    [edit services]
    lab@London# show
    nat {
        pool global-out {
            address 172.18.37.5/32;
            port automatic;
        }
    }
NAT and PAT Configuration: Defining the NAT Rules (1 of 2)
• Define the NAT rules: translate all outbound traffic
  • User-defined NAT rule and terms
  • Set match direction from interface's perspective
  • Default application set enables ALG tracking
  • NAT pool referenced; address assignment method (source dynamic) selected
[Diagram: service set (SS) on se-1/0/0.0, with Input and Output directions]

    [edit]
    lab@London# edit services nat rule nat-out
    [edit services nat rule nat-out]
    lab@London# show
    match-direction output;
    term nat-with-alg {
        from {
            application-sets junos-algs-outbound;
        }
        then {
            translated {
                source-pool global-out;
                translation-type {
                    source dynamic;
                }
            }
        }
    }
    term nat-no-alg {
        then {
            translated {
                source-pool global-out;
                translation-type {
                    source dynamic;
                }
    …
NAT and PAT Configuration: Defining the NAT Rules (2 of 2)
• Define the NAT rules: allow all inbound traffic without translation
  • User-defined NAT rule and term
  • Set match direction from interface's perspective
[Diagram: service set (SS) on se-1/0/0.0, with Input and Output directions]

    [edit services nat rule nat-out]
    lab@London# up
    [edit services nat]
    lab@London# edit rule no-nat-in
    [edit services nat rule no-nat-in]
    lab@London# set match-direction input
    [edit services nat rule no-nat-in]
    lab@London# set term all then no-translation
    [edit services nat rule no-nat-in]
    lab@London# show
    match-direction input;
    term all {
        then {
            no-translation;
        }
    }
NAT and PAT Configuration: Creating a Service Set
• Create a service set
  • User-defined service set named nat-ss
  • Links NAT rules and service interface to service set

    [edit services nat rule no-nat-in]
    lab@London# top edit services service-set nat-ss
    [edit services service-set nat-ss]
    lab@London# set nat-rules nat-out
    [edit services service-set nat-ss]
    lab@London# set nat-rules no-nat-in
    [edit services service-set nat-ss]
    lab@London# set interface-service service-interface sp-0/0/0.0
    [edit services service-set nat-ss]
    lab@London# show
    nat-rules nat-out;
    nat-rules no-nat-in;
    interface-service {
        service-interface sp-0/0/0.0;
    }
NAT and PAT Application
• Apply a service set to the interface performing NAT
  • Apply the nat-ss service set in both input and output directions

    [edit interfaces se-1/0/0]
    lab@London# show
    unit 0 {
        family inet {
            service {
                input {
                    service-set nat-ss;
                }
                output {
                    service-set nat-ss;
                }
            }
            address 172.18.37.5/30;
        }
    }
Monitoring NAT and PAT (1 of 2)
• Use show services nat pool to view NAT usage and pool-related details
  • NAT pool name and address assignment method used
  • Address and port range for NAT pool
  • Ports used: a single flow is currently active

    lab@London> show services nat pool
    Interface: sp-0/0/0, Service set: nat-outbound
    NAT pool     Type      Address                     Port         Ports used
    global       dynamic   172.18.37.5-172.18.37.5     512-65535    1
Monitoring NAT and PAT (2 of 2)
• Use show services stateful-firewall flows to view NAT flow details
  • Dir column: direction of flow
  • State column: state of flow

    lab@London> show services stateful-firewall flows
    Interface: sp-0/0/0, Service set: nat-outbound
    Flow                                          State    Dir   Frm count
    ICMP   172.18.37.6:1024  ->  172.18.37.5      Watch    I     118
      NAT dest 172.18.37.5:1024 -> 10.222.101.2:66
    ICMP   10.222.101.2:66   ->  172.18.37.6      Watch    O     118
      NAT source 10.222.101.2:66 -> 172.18.37.5:1024
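The two monitoring outputs on these slides, parsed into records by an added Python script that is not part of the course material or of JUNOS. It turns the `show services nat pool` line into a pool record with a computed capacity (addresses × ports) and pairs each `NAT source`/`NAT dest` line from `show services stateful-firewall flows` with the flow it belongs to. The sample text is constructed from the values shown on the slides; the exact column spacing and the 90% exhaustion threshold are assumptions.

```python
"""Added example (not from the course deck): parse the text of the two
monitoring commands shown on the slides, 'show services nat pool' and
'show services stateful-firewall flows', into records, and compute how full
a PAT pool is. The sample output is constructed from the slides' values;
column widths and the alarm threshold are assumptions."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

POOL_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<type>static|dynamic)\s+"
    r"(?P<lo>\d+\.\d+\.\d+\.\d+)-(?P<hi>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<plo>\d+)-(?P<phi>\d+)\s+(?P<used>\d+)\s*$")
FLOW_LINE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<dir>[IO])\s+(?P<frames>\d+)\s*$")
NAT_LINE = re.compile(r"^\s+NAT (?P<kind>source|dest)\s+(?P<before>\S+)\s+->\s+(?P<after>\S+)\s*$")

# Constructed sample output, values taken from the slides
SAMPLE_POOL_OUTPUT = """\
Interface: sp-0/0/0, Service set: nat-outbound
NAT pool     Type      Address                     Port         Ports used
global       dynamic   172.18.37.5-172.18.37.5     512-65535    1
"""
SAMPLE_FLOW_OUTPUT = """\
Interface: sp-0/0/0, Service set: nat-outbound
Flow                                          State    Dir   Frm count
ICMP   172.18.37.6:1024  ->  172.18.37.5      Watch    I     118
  NAT dest 172.18.37.5:1024 -> 10.222.101.2:66
ICMP   10.222.101.2:66   ->  172.18.37.6      Watch    O     118
  NAT source 10.222.101.2:66 -> 172.18.37.5:1024
"""


@dataclass
class Pool:
    name: str
    kind: str           # static or dynamic (the address assignment method)
    first_addr: str
    last_addr: str
    first_port: int
    last_port: int
    ports_used: int

    def capacity(self) -> int:
        # PAT capacity = number of addresses in the pool x size of the port range
        addrs = int(IPv4Address(self.last_addr)) - int(IPv4Address(self.first_addr)) + 1
        return addrs * (self.last_port - self.first_port + 1)

    def utilization(self) -> float:
        return self.ports_used / self.capacity()


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    state: str
    direction: str                 # I = input, O = output, from the service interface's view
    frames: int
    nat: Optional[tuple] = None    # (kind, before, after) when the flow is translated


def parse_pools(text):
    return [Pool(m["name"], m["type"], m["lo"], m["hi"], int(m["plo"]), int(m["phi"]), int(m["used"]))
            for line in text.splitlines() if (m := POOL_LINE.match(line))]


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if m := FLOW_LINE.match(line):
            flows.append(Flow(m["proto"], m["src"], m["dst"], m["state"], m["dir"], int(m["frames"])))
        elif (m := NAT_LINE.match(line)) and flows:
            # an indented NAT line describes the flow printed just before it
            flows[-1].nat = (m["kind"], m["before"], m["after"])
    return flows


def pools_near_exhaustion(pools, threshold=0.9):
    """Names of pools whose port usage is at or above the threshold fraction."""
    return [p.name for p in pools if p.utilization() >= threshold]


if __name__ == "__main__":
    for p in parse_pools(SAMPLE_POOL_OUTPUT):
        print(f"{p.name}: {p.ports_used}/{p.capacity()} ports ({p.utilization():.4%})")
    for f in parse_flows(SAMPLE_FLOW_OUTPUT):
        print(f.direction, f.proto, f.src, "->", f.dst, f.nat)
```

Pool exhaustion is the operational failure mode of PAT: once every port of the single pool address is in use, new outbound sessions cannot be created, so the `Ports used` column is the value to watch over time, and `pools_near_exhaustion` is the kind of check a monitoring job would run on it.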
Review Questions
• List several services offered in JUNOS software.
• What is the purpose of the services interface?
• What advantages can MLPPP provide?
• What limitations does NAT overcome?
• What methods are used to assign addresses in NAT?
• What is an ALG?
• What steps are required to implement NAT?
Lab 5: Services (MLPPP and NAT)
• Configure and monitor MLPPP.
• Configure and monitor NAT.