Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Operating Juniper Networks Routers in the Enterprise
Chapter 7: Services
Copyright © 2007 Juniper Networks, Inc. Education Services 7-2
Chapter Objectives
After successfully completing this chapter, you will be able to:
• Describe the services architecture
• List common Layer 2 and Layer 3 services
• Explain the purpose of MLPPP
• Configure and monitor MLPPP
• Explain the purpose of NAT and PAT
• Configure and monitor NAT and PAT
Agenda: Services
• Overview of Services and Services Architecture
• Overview of MLPPP
• Configuring and Monitoring MLPPP
• Overview of NAT and PAT
• Configuring and Monitoring NAT and PAT
Disclaimer!
• Because of the flexibility and power of the services architecture, services can be complicated
• Full coverage of the services architecture and the services offered in JUNOS software is outside the scope of this class
• Our goal is to provide a basic understanding of the services architecture and some common configuration and monitoring examples
• Students should attend the AJRE class for detailed coverage of JUNOS software services found in the enterprise
Overview of Services
Layer 2 services:
• MLPPP
• MLFR
• CRTP
Layer 3 services:
• NAT and PAT
• Stateful firewall
• IPSec VPN
• Intrusion detection
Services Interfaces
Services are provided by:
• AS PIC
• AS Module (M7i)
• J-series software processes
• Link Services PIC
• Tunnel Services PIC
• MultiServices PIC
MultiServices PIC and AS PIC Service Package
The MultiServices PIC and the AS PIC must be configured for either a Layer 2 or a Layer 3 service package under [edit chassis fpc slot pic pic adaptive-services]:

    set service-package (layer-2 | layer-3)

This is not required for the J-series software process or the AS Module (M7i).
J-series Services Architecture
• Services are provided by a software instantiation of the M-series and T-series AS PIC
• Manifested as a virtual service interface named sp-0/0/0
• Handled as a real-time thread within the forwarding process
Figure: the JUNOS kernel (control plane) sits above the PFE (fwdd-unix). Inside the PFE, the real-time forwarding thread (fwdd-rt) and the services thread exchange packets over a UNIX socket, between the ingress PIM and the egress PIM. Packets are forwarded to the services interface as needed.
What Is MLPPP?
MLPPP is:
• A protocol that allows the connection of multiple PPP-based links between two devices (routers)
• An extension to PPP (defined in RFC 1990)
• A Layer 2 service offering in JUNOS software
Benefits of MLPPP
Benefits:
• Creates a virtual link that provides greater bandwidth than the individual member links
• Provides load balancing across member links by splitting, recombining, and sequencing datagrams across multiple logical data links
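To show what the splitting, sequencing and recombining described above involve on the wire, here is an added Python example (written for this page; it is not course material and not JUNOS software's implementation) of an RFC 1990 multilink bundle. The transmit side fragments each datagram, gives every fragment a 24-bit sequence number with the B/E flags of the long fragment header, and spreads the fragments round-robin over the member links; the receive side reorders them, rebuilds the datagrams, and applies the RFC 1990 rule for declaring a fragment lost. The minimum-links behaviour covered on the configuration slides is modelled by Bundle.is_up(). The link names, the 4-byte fragment size and the arrival order in demo() are constructed for the demonstration; sequence-number wrap-around and the LCP negotiation are assumed away.

```python
from typing import Dict, List, Tuple

SEQ_MASK = 0xFFFFFF   # 24-bit sequence number ("long" fragment header of RFC 1990)
B_BIT = 0x80          # beginning fragment of a datagram
E_BIT = 0x40          # ending fragment of a datagram


def encode_fragment(seq: int, begin: bool, end: bool, payload: bytes) -> bytes:
    """Long-format MP fragment: one byte of B/E flags, three bytes of sequence number, payload."""
    flags = (B_BIT if begin else 0) | (E_BIT if end else 0)
    return bytes([flags]) + (seq & SEQ_MASK).to_bytes(3, "big") + payload


def decode_fragment(frame: bytes) -> Tuple[int, bool, bool, bytes]:
    seq = int.from_bytes(frame[1:4], "big")
    return seq, bool(frame[0] & B_BIT), bool(frame[0] & E_BIT), frame[4:]


class Bundle:
    """Transmit side: fragment each datagram and spread the fragments round-robin over the links."""

    def __init__(self, links: List[str], minimum_links: int = 1, fragment_size: int = 256):
        if not 1 <= minimum_links <= 8 or not 1 <= len(links) <= 8:
            raise ValueError("a bundle has 1..8 member links; minimum-links is 1..8")
        self.links, self.minimum_links, self.fragment_size = list(links), minimum_links, fragment_size
        self.next_seq, self.rr = 0, 0

    def link_down(self, link: str) -> None:
        self.links.remove(link)

    def is_up(self) -> bool:
        """The bundle stays up only while at least minimum-links members are active."""
        return len(self.links) >= self.minimum_links

    def send(self, datagram: bytes) -> List[Tuple[str, bytes]]:
        if not self.is_up():
            raise RuntimeError("bundle is down: fewer active links than minimum-links")
        n = self.fragment_size
        chunks = [datagram[i:i + n] for i in range(0, len(datagram), n)] or [b""]
        frames = []
        for i, chunk in enumerate(chunks):
            frame = encode_fragment(self.next_seq, i == 0, i == len(chunks) - 1, chunk)
            frames.append((self.links[self.rr % len(self.links)], frame))
            self.rr += 1
            self.next_seq = (self.next_seq + 1) & SEQ_MASK
        return frames


class Reassembler:
    """Receive side: reorder fragments by sequence number and rebuild datagrams
    (sequence-number wrap-around is ignored to keep the example short)."""

    def __init__(self, links: List[str]):
        self.links = list(links)
        self.buf: Dict[int, Tuple[bool, bool, bytes]] = {}
        self.newest: Dict[str, int] = {}   # newest sequence number seen on each link
        self.lost = 0                       # datagrams given up on

    def receive(self, link: str, frame: bytes) -> List[bytes]:
        seq, begin, end, payload = decode_fragment(frame)
        self.buf[seq] = (begin, end, payload)
        self.newest[link] = seq             # each member link delivers in order
        self._discard_lost()
        return self._assemble()

    def _chain(self, start: int) -> Tuple[List[int], bool]:
        """Walk consecutive buffered fragments from a B fragment; report whether an E was reached."""
        seqs, s = [], start
        while s in self.buf:
            seqs.append(s)
            if self.buf[s][1]:
                return seqs, True
            s += 1
        return seqs, False

    def _assemble(self) -> List[bytes]:
        done = []
        for start in sorted(s for s, (b, _, _) in self.buf.items() if b):
            seqs, complete = self._chain(start)
            if complete:
                done.append(b"".join(self.buf.pop(s)[2] for s in seqs))
        return done

    def _discard_lost(self) -> None:
        """RFC 1990 loss rule: let M be the smallest of the newest sequence numbers seen per link.
        A fragment numbered below M that has not arrived never will, so its datagram is dropped."""
        if len(self.newest) < len(self.links):
            return
        m = min(self.newest.values())
        for start in sorted(s for s, (b, _, _) in self.buf.items() if b and s < m):
            seqs, complete = self._chain(start)
            if not complete and seqs[-1] + 1 < m:   # the gap is below M: lost
                self.lost += 1
                for s in seqs:
                    del self.buf[s]
        keep = {s for start, (b, _, _) in list(self.buf.items()) if b for s in self._chain(start)[0]}
        for s in [s for s in self.buf if s < m and s not in keep]:
            del self.buf[s]                 # stray fragment whose datagram can never complete


def demo() -> dict:
    """Constructed scenario: two member links, one reordering, one lost fragment, one link failure."""
    links = ["se-1/0/0", "se-1/0/1"]
    tx, rx = Bundle(links, minimum_links=2, fragment_size=4), Reassembler(links)
    frames = tx.send(b"ABCDEFGHIJ")                       # seq 0,1,2 over link0, link1, link0
    order = [frames[1], frames[0], frames[2]]             # the se-1/0/1 fragment arrives first
    got = [d for link, f in order for d in rx.receive(link, f)]
    partial = tx.send(b"KLMNOPQR")                        # seq 3 (B) and 4 (E); seq 4 is never delivered
    got += rx.receive(*partial[0])
    got += [d for link, f in tx.send(b"STUV") for d in rx.receive(link, f)]
    got += [d for link, f in tx.send(b"WXYZ") for d in rx.receive(link, f)]   # advances M past the gap
    up_before = tx.is_up()
    tx.link_down("se-1/0/1")                              # one member left: below minimum-links 2
    return {"datagrams": got, "lost": rx.lost, "next_seq": tx.next_seq,
            "up_before": up_before, "up_after": tx.is_up()}
```

The last step of demo() is the answer to the pop quiz on the configuration slides: with minimum-links set to 2, losing one member takes the whole bundle down, so routing reconverges around it instead of the site silently running on half the capacity it was sized for.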
MLPPP Case Study: Symptom
Employees are complaining about unreliable connectivity between Site A and Site B
Figure: Site A (fe-0/0/1 .1/24 on the LAN side, t1-1/0/0 .1/30 toward the service provider) and Site B (t1-1/0/0 .2/30 toward the service provider, fe-0/0/1 .1/24 on the LAN side) are connected by a single T1 circuit through the service provider.
MLPPP Case Study: Investigation
Investigation shows that the maximum capacity of the circuit is reached during peak hours and that packet drops are occurring
Figure: same topology as the previous slide; the single T1 circuit (t1-1/0/0, .1/30 at Site A and .2/30 at Site B) through the service provider is marked as the bottleneck.
MLPPP Case Study: Solution
Increase bandwidth capacity between the sites by adding a second T1 circuit and using MLPPP
Figure: at each site, t1-1/0/0 and t1-1/0/1 are bundled into ls-0/0/0.1 (.1/30 at Site A, .2/30 at Site B) across the service provider; the LAN interfaces fe-0/0/1 .1/24 are unchanged. Two T1 circuits plus MLPPP give one logical link with the combined bandwidth.
Multilink PPP Configuration (1 of 2)
Logically bind one or more physical links to a bundle

R1 configuration:

interfaces {
    ls-0/0/0 {
        unit 0 {
            family inet {
                address 172.18.37.5/30;
            }
        }
    }
    se-1/0/0 {
        unit 0 {
            family mlppp {
                bundle ls-0/0/0.0;
            }
        }
    }
    se-1/0/1 {
        unit 0 {
            family mlppp {
                bundle ls-0/0/0.0;
            }
        }
    }
}

R2 configuration (the se-1/0/0 and se-1/0/1 stanzas are identical to R1):

interfaces {
    ls-0/0/0 {
        unit 0 {
            family inet {
                address 172.18.37.6/30;
            }
        }
    }
    ...
}
Multilink PPP Configuration (2 of 2)
• A bundle can have up to 8 member links
• A bundle can have a minimum-links value specified
  • Identifies the number of active member links required to keep the bundle up
  • Value can be from 1 to 8, with a default value of 1

user@host# set interfaces ls-0/0/0 unit 0 minimum-links ?
Possible completions:
  <minimum-links>      Minimum number of links to sustain the bundle (1..8)

Pop Quiz: When would you set the minimum-links value to something other than the default value of 1?
Monitoring MLPPP

user@host> show interfaces ls-0/0/0
Physical interface: ls-0/0/0, Enabled, Physical link is Up
…
  Logical interface ls-0/0/0.0 (Index 68) (SNMP ifIndex 39)
    Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: Multilink-PPP
    Bandwidth: 16mbps
    Statistics        Frames  fps     Bytes   bps
    Bundle:
      Fragments:
        Input :         4090    0    372190     0
        Output:         3649    0    328410     0
      Packets:
        Input :         4093    0    343812     0
        Output:         3652    0    307950     0
    Link:
      se-1/0/0.0
        Input :         1041    0     94731     0
        Output:          840    0     75600     0
      se-1/0/1.0
        Input :         1041    0     94731     0
        Output:          840    0     75600     0
    NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
    Protocol inet, MTU: 1500
      Flags: None
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.18.37.4/30, Local: 172.18.37.5

The Link section lists the member links (se-1/0/0.0 and se-1/0/1.0) with per-link counters; here both carry an equal share of the bundle's traffic.
What are NAT and PAT?
NAT is a mechanism that converts IP addresses from one address realm to another address realm in a one-to-one mapping fashion
PAT—also known as Network Address Port Translation (NAPT)—translates addresses in a many-to-one fashion making use of port numbers to distinguish individual sessions
Both NAT and PAT are typically used to translate private addresses to unique and globally routable addresses
Benefits of NAT and PAT
NAT and PAT provide the following benefits:
• Conserve address space
• Useful during mergers and ISP migration
• Permit sharing of a single, outside, global address
NAT and PAT Example (1 of 2)
• Internet access requires a public, globally routable address
• The router performs NAT services between the private and public address realms
Figure: a host at .100/24 in the private address realm, the router's inside interface at .1/24, the router's outside interface at .1/30 in the public address realm, and the next hop at .2/30 toward the Internet.
NAT and PAT Example (2 of 2)
• The private host address was translated to a public, globally routable address
• The router maintains state for the session
• The process is transparent to the host
Figure: inside local network 10.1.1.0/24 (host 10.1.1.100, router .1) on the private/inside side; 201.1.8.0/30 (router .1, next hop .2) on the public/outside side; the packet is addressed to the outside global host 221.1.8.5.

Packet header before and after NAT/PAT:

    Field       Inside (before)     Outside (after)
    SRC-IP      10.1.1.100          201.1.8.1
    DST-IP      221.1.8.5           221.1.8.5
    SRC-Port    36033               1025
    DST-Port    80                  80
    Protocol    6                   6
NAT and PAT Address Assignment
Static address assignment:
• One-to-one mapping between private and public addresses for the lifetime of the NAT operation
Dynamic address assignment:
• Public addresses within the pool are dynamically assigned based on usage requirements
• Once the session ends, the public address is returned to the pool and made available to other hosts that might require a public IP address
Application-Level Gateways
• Automatically take action based on Layer 4–7 information
• Perform translation on addresses and ports carried in the payload
• Update the session table to allow the extra connections the application negotiates
ALG Example
Active FTP:
• Client contacts the server on TCP/21
• Client listens for the data connection on an ephemeral port
• Client sends the server a PORT command carrying its IP address and TCP port
• Server opens the data connection to the IP address and port given in the PORT command
Control connection: client contacts server on TCP/21
Data connection: server contacts client on the ephemeral TCP port
Without an ALG, a client behind NAT would advertise its private address in the PORT command and the server's data connection to that address would fail. The FTP ALG rewrites the address and port in the payload and adds a session-table entry so that the inbound data connection is accepted and translated back to the client.
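The address and port translation of the earlier PAT example (10.1.1.100:36033 becoming 201.1.8.1:1025), the static one-to-one mapping, the return of a port to the pool when a session ends, and the active-FTP ALG walk-through above, as one added Python example. This is illustrative code written for this page, not JUNOS software's implementation; the Napt class and its method names, the port range starting at 1025, the static entry for 10.1.1.50, the FTP server address 221.1.8.9 and the client ports in demo() are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[int, str, int, str, int]      # (proto, src_ip, src_port, dst_ip, dst_port)
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


@dataclass
class Packet:
    proto: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""

    def flow(self) -> Flow:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)


class Napt:
    """Source translation with a dynamic pool (PAT) plus optional static one-to-one entries (NAT)."""

    def __init__(self, pool: List[str], port_range=(512, 65535), static: Optional[Dict[str, str]] = None):
        self.pool, (self.lo, self.hi), self.static = list(pool), port_range, dict(static or {})
        self.next_port = {a: self.lo for a in self.pool}
        self.free: Dict[str, List[int]] = {a: [] for a in self.pool}      # ports returned to the pool
        self.out: Dict[Flow, Tuple[str, int]] = {}   # inside flow  -> (outside ip, outside port)
        self.inn: Dict[Flow, Tuple[str, int]] = {}   # outside flow -> (inside ip, inside port)
        self.pinholes: Dict[Tuple[int, str, int], Tuple[str, int]] = {}  # ALG-opened expectations

    def _allocate(self, inside_ip: str, inside_port: int) -> Tuple[str, int]:
        if inside_ip in self.static:                  # static NAT: address changes, port is kept
            return self.static[inside_ip], inside_port
        for addr in self.pool:                        # PAT: hand out a port on a pool address
            if self.free[addr]:
                return addr, self.free[addr].pop()
            if self.next_port[addr] <= self.hi:
                self.next_port[addr] += 1
                return addr, self.next_port[addr] - 1
        raise RuntimeError("NAT pool exhausted")

    def _bind(self, proto, in_ip, in_port, peer_ip, peer_port, out_ip, out_port) -> None:
        self.out[(proto, in_ip, in_port, peer_ip, peer_port)] = (out_ip, out_port)
        self.inn[(proto, peer_ip, peer_port, out_ip, out_port)] = (in_ip, in_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: create session state on the first packet, then rewrite the source."""
        if pkt.flow() not in self.out:
            out_ip, out_port = self._allocate(pkt.src_ip, pkt.src_port)
            self._bind(pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, out_ip, out_port)
        out_ip, out_port = self.out[pkt.flow()]
        payload = self._ftp_alg(pkt, out_ip) if (pkt.proto, pkt.dst_port) == (6, 21) else pkt.payload
        return Packet(pkt.proto, out_ip, out_port, pkt.dst_ip, pkt.dst_port, payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only packets matching a session or an ALG pinhole get through."""
        if pkt.flow() not in self.inn:
            hole = self.pinholes.pop((pkt.proto, pkt.dst_ip, pkt.dst_port), None)
            if hole is None:
                return None                           # no state: unsolicited packet is dropped
            self._bind(pkt.proto, hole[0], hole[1], pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        in_ip, in_port = self.inn[pkt.flow()]
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.payload)

    def close(self, pkt: Packet) -> None:
        """Session ended (FIN/RST or timeout): drop the state and return the port to the pool."""
        out_ip, out_port = self.out.pop(pkt.flow())
        del self.inn[(pkt.proto, pkt.dst_ip, pkt.dst_port, out_ip, out_port)]
        if out_ip in self.free:
            self.free[out_ip].append(out_port)

    def _ftp_alg(self, pkt: Packet, out_ip: str) -> bytes:
        """Rewrite the client's PORT command and open a pinhole for the server's data connection."""
        m = PORT_RE.match(pkt.payload)
        if m is None:
            return pkt.payload
        n = [int(x) for x in m.groups()]
        in_ip, in_port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
        if in_ip != pkt.src_ip:
            return pkt.payload                        # PORT naming a third party: do not open a hole
        data_ip, data_port = self._allocate(in_ip, in_port)
        self.pinholes[(6, data_ip, data_port)] = (in_ip, in_port)
        return b"PORT %s,%d,%d\r\n" % (data_ip.replace(".", ",").encode(), data_port // 256, data_port % 256)


def demo() -> dict:
    """Constructed traffic: inside 10.1.1.0/24, pool address 201.1.8.1, static entry for 10.1.1.50."""
    nat = Napt(["201.1.8.1"], port_range=(1025, 65535), static={"10.1.1.50": "201.1.8.2"})
    web = Packet(6, "10.1.1.100", 36033, "221.1.8.5", 80)
    web_out = nat.outbound(web)                                            # -> 201.1.8.1:1025
    web_back = nat.inbound(Packet(6, "221.1.8.5", 80, web_out.src_ip, web_out.src_port))
    stray = nat.inbound(Packet(6, "221.1.8.5", 80, "201.1.8.1", 2000))     # no session: None
    ctl = nat.outbound(Packet(6, "10.1.1.100", 40000, "221.1.8.9", 21,
                              b"PORT 10,1,1,100,156,65\r\n"))              # client listens on 40001
    data = nat.inbound(Packet(6, "221.1.8.9", 20, "201.1.8.1", 1027))      # server opens data conn
    fixed = nat.outbound(Packet(6, "10.1.1.50", 4444, "221.1.8.5", 443))   # static entry, port kept
    nat.close(web)                                                         # 1025 goes back to pool
    reuse = nat.outbound(Packet(6, "10.1.1.200", 5000, "221.1.8.5", 443))
    return {"web": (web_out.src_ip, web_out.src_port), "web_back": (web_back.dst_ip, web_back.dst_port),
            "stray": stray, "port_cmd": ctl.payload,
            "data": (data.dst_ip, data.dst_port) if data else None,
            "fixed": (fixed.src_ip, fixed.src_port), "reuse": reuse.src_port}
```

Two design points worth noticing: the stray packet returns None because inbound traffic is admitted only by session state or by an ALG pinhole, which is the "router maintains state for session" point of the example slides; and the ALG only rewrites a PORT command that names the client's own address, so a client cannot use it to open a pinhole toward some other inside host.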
Building Blocks of NAT and PAT
NAT configuration:
• Define the services interface
• Create a NAT pool
• Define the NAT rules
• Create a service set
NAT application:
• Apply the service set to the interface performing NAT
Sample NAT and PAT Topology
Goals:
• Ensure that traffic originating on the 10.222.101.0/24 subnet is delivered to Tokyo with a 172.18.37.5 source address
• Assume that multiple sources could be active at the same time
Figure: London (lo0: 36.1) has fe-2/0/1 .1 on the inside (trusted) subnet 10.222.101.0/24 and se-1/0/0 .5 on the outside (untrusted) link 172.18.37.4/30; Tokyo (lo0: 24.1) terminates that link on se-1/0/1 .6.
NAT and PAT Configuration: Defining the Services Interface
Define the services interface:

[edit]
lab@London# edit interfaces

[edit interfaces]
lab@London# set sp-0/0/0 unit 0 family inet

[edit interfaces]
lab@London# show
...
sp-0/0/0 {
    unit 0 {
        family inet;
    }
}
...

The service interface requires a single logical unit with family inet.
NAT and PAT Configuration: Creating a NAT Pool
Create a NAT pool:

[edit]
lab@London# edit services

[edit services]
lab@London# set nat pool global-out address 172.18.37.5

[edit services]
lab@London# set nat pool global-out port automatic

[edit services]
lab@London# show
nat {
    pool global-out {
        address 172.18.37.5/32;
        port automatic;
    }
}

The NAT pool name (global-out) is user defined. With port automatic the router assigns the port numbers; you can define the port range instead.
NAT and PAT Configuration: Defining the NAT Rules (1 of 2)
Define the NAT rules: translate all outbound traffic

[edit]
lab@London# edit services nat rule nat-out

[edit services nat rule nat-out]
lab@London# show
match-direction output;
term nat-with-alg {
    from {
        application-sets junos-algs-outbound;
    }
    then {
        translated {
            source-pool global-out;
            translation-type {
                source dynamic;
            }
        }
    }
}
term nat-no-alg {
    then {
        translated {
            source-pool global-out;
            translation-type {
                source dynamic;
            }
…

The rule name (nat-out) and the term names are user defined. The match direction is set from the perspective of the interface the service set is applied to (se-1/0/0.0): output means packets leaving through that interface toward the untrusted side. Each term references the NAT pool (source-pool global-out) and the address assignment method (source dynamic). The predefined application set junos-algs-outbound in the first term enables ALG tracking for those applications; the second term catches all remaining outbound traffic and translates it without an ALG.
NAT and PAT Configuration: Defining the NAT Rules (2 of 2)
Define the NAT rules: pass all inbound traffic without translation

[edit services nat rule nat-out]
lab@London# up

[edit services nat]
lab@London# edit rule no-nat-in

[edit services nat rule no-nat-in]
lab@London# set match-direction input

[edit services nat rule no-nat-in]
lab@London# set term all then no-translation

[edit services nat rule no-nat-in]
lab@London# show
match-direction input;
term all {
    then {
        no-translation;
    }
}

The rule and term names are user defined. match-direction input is again from the perspective of se-1/0/0.0, so this rule applies to packets arriving from the untrusted side. Note that no-translation only means those packets are passed through unchanged; it is not a filter. Deciding which inbound traffic to accept is the job of stateful firewall rules, which are outside the scope of this chapter.
NAT and PAT Configuration: Creating a Service Set
Create a service set:

[edit services nat rule no-nat-in]
lab@London# top edit services service-set nat-ss

[edit services service-set nat-ss]
lab@London# set nat-rules nat-out

[edit services service-set nat-ss]
lab@London# set nat-rules no-nat-in

[edit services service-set nat-ss]
lab@London# set interface-service service-interface sp-0/0/0.0

[edit services service-set nat-ss]
lab@London# show
nat-rules nat-out;
nat-rules no-nat-in;
interface-service {
    service-interface sp-0/0/0.0;
}

The service set name (nat-ss) is user defined; the service set links the NAT rules and the service interface together.
NAT and PAT Application
Apply the service set to the interface performing NAT:

[edit interfaces se-1/0/0]
lab@London# show
unit 0 {
    family inet {
        service {
            input {
                service-set nat-ss;
            }
            output {
                service-set nat-ss;
            }
        }
        address 172.18.37.5/30;
    }
}

Apply the nat-ss service set in both the input and output directions, so that outbound packets are translated and the returning packets are matched against the session state and translated back.
Monitoring NAT and PAT (1 of 2)
Use show services nat pool to view NAT usage and pool-related details:

lab@London> show services nat pool
Interface: sp-0/0/0, Service set: nat-outbound
NAT pool   Type      Address                    Port         Ports used
global     dynamic   172.18.37.5-172.18.37.5    512-65535    1

The columns show the NAT pool name and the address assignment method (global, dynamic), the address and port range of the pool, and the number of ports in use; a single flow is currently active. (This output was captured from a service set named nat-outbound with a pool named global, not the nat-ss and global-out names used in the configuration example.)
Monitoring NAT and PAT (2 of 2)
Use show services stateful-firewall flows to view NAT flow details:

lab@London> show services stateful-firewall flows
Interface: sp-0/0/0, Service set: nat-outbound
Flow                                          State    Dir   Frm count
ICMP   172.18.37.6:1024  ->  172.18.37.5      Watch    I     118
  NAT dest 172.18.37.5:1024 -> 10.222.101.2:66
ICMP   10.222.101.2:66   ->  172.18.37.6      Watch    O     118
  NAT source 10.222.101.2:66 -> 172.18.37.5:1024

Each flow line shows the state of the flow (Watch) and its direction (I for input, O for output), followed by the translation applied: the outbound flow from 10.222.101.2 has its source rewritten to 172.18.37.5:1024, and the matching inbound flow has its destination rewritten back to the inside host. For ICMP the port position carries the ICMP identifier rather than a transport port.
Review Questions
1. List several services offered in JUNOS software.
2. What is the purpose of the services interface?
3. What advantages can MLPPP provide?
4. What limitations does NAT overcome?
5. What methods are used to assign addresses in NAT?
6. What is an ALG?
7. What steps are required to implement NAT?
Lab 5: Services (MLPPP and NAT)
Configure and monitor MLPPP. Configure and monitor NAT.