Routing

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Filter based forwarding prior NAT

    Posted 07-07-2023 05:30

    Hello all,

    I faced weird traffic behaviour by forwarding specific traffic to the specific interface for NAT... I am not 100% sure I am will describe the statement clear but I will try all my best :)

    My task requirement is to NAT traffic from the specific prefix-list on certain interface (with the NAT pool allocation). From the implementation point of view I decided to forward specific traffic on incoming interface ae2.1276 towards ae2.3072.

    I am getting full-view from the Uplink-1 and Uplink-2, Uplink-3 - no routes. All 3 outgoing interfaces have the same nat rule but with two terms. Term NAT-SPECIFIC has source and destination prefix-list conditions and should be evaluated only on ae2.3072,  terms NAT-ALG and NAT-noALG should be evaluated on ae0.384, ae1.810 accordingly for the non specific traffic.

    Configuration block:

    NAT interface and service-set:

    # show services service-set NAT
    nat-rules NAT-permit;
    interface-service {
        service-interface ams0.1;
        load-balancing-options {
            hash-keys {
                ingress-key source-ip;
                egress-key destination-ip;
            }
        }
    }
    
    # show interfaces ams0
    description "AMS NAT";
    load-balancing-options {
        member-interface mams-0/0/0;
        member-interface mams-0/1/0;
        member-interface mams-0/2/0;
        member-interface mams-0/3/0;
        member-failure-options {
            drop-member-traffic {
                rejoin-timeout 1000;
                enable-rejoin;
            }
        }
    }
    services-options {
        jflow-log {
            message-rate-limit 50000;
        }
    }
    unit 1 {
        family inet;
    }

    Nat pool and rule:

    # show services nat
    pool NAT {
        address XX.XX.XX.XX/25;
        port {
            automatic {
                random-allocation;
            }
        }
        address-allocation round-robin;
        mapping-timeout 300;
    }
    pool SPECIFIC-POOL {
        address YY.YY.YY.YY/28;
        port {
            automatic {
                random-allocation;
            }
        }
        address-allocation round-robin;
        mapping-timeout 300;
    }
    rule NAT-permit {
        match-direction output;
        term NAT-SPECIFIC {
            from {
                source-prefix-list {
                    NAT-SERVERS;
                    NAT-CLIENTS;
                }
                destination-prefix-list {
                    SPECIFIC-LIST;
                }
            }
            then {
                translated {
                    source-pool SPECIFIC-POOL;
                    translation-type {
                        napt-44;
                    }
                }
            }
        }
        term NAT-ALG {
            from {
                source-prefix-list {
                    NAT-SERVERS;
                    NAT-CLIENTS;
                }
                applications junos-pptp;
            }
            then {
                translated {
                    source-pool NAT;
                    translation-type {
                        napt-44;
                    }
                    address-pooling paired;
                }
            }
        }
        term NAT-noALG {
            from {
                source-prefix-list {
                    NAT-SERVERS;
                    NAT-CLIENTS;
                }
            }
            then {
                translated {
                    source-pool NAT;
                    translation-type {
                        napt-44;
                    }
                    address-pooling paired;
                }
            }
        }
    }

    Uplink interfaces overview:

    # show interfaces ae0.384
    description Uplink-1;
    vlan-id 384;
    family inet {
        service {
            input {
                service-set NAT service-filter NAT-in;
            }
            output {
                service-set NAT service-filter NAT-out;
            }
        }
        address 192.168.1.1/30;
    }
    
    # show interfaces ae1.810
    description Uplink-2;
    vlan-id 810;
    family inet {
        service {
            input {
                service-set NAT service-filter NAT-in;
            }
            output {
                service-set NAT service-filter NAT-out;
            }
        }
        address 192.168.2.1/31;
    }
    
    # show interfaces ae2.3072
    description Uplink-2;
    vlan-id 3072;
    family inet {
        service {
            input {
                service-set NAT service-filter NAT-SPEFIC-in;
            }
            output {
                service-set NAT service-filter NAT-out;
            }
        }
        address 192.168.3.1/31;
    }

    NAT service filters:

    # show firewall family inet service-filter NAT-in
    term nat-pool-prefix-to-service {
        from {
            destination-address {
                XX.XX.XX.XX/25;
            }
        }
        then service;
    }
    term accept-all {
        then skip;
    }
    
    # show firewall family inet service-filter NAT-out
    term nat-networks-to-service {
        from {
            source-prefix-list {
                NAT-SERVERS;
                NAT-CLIENTS;
            }
        }
        then service;
    }
    term accept-all {
        then skip;
    }
    
    # show firewall family inet service-filter NAT-SPECIFIC-in
    term nat-pool-prefix-to-service {
        from {
            destination-address {
                YY.YY.YY.YY/28;
            }
        }
        then service;
    }
    term accept-all {
        then skip;
    }

    Incoming interface and filter based forwarding definition:

    # show interfaces ae2.1276
    description OSPF-Bridge;
    vlan-id 1276;
    family inet {
        filter {
            input SPECIFIC-PBR;
        }
        address 10.0.0.62/26;
    }
    
    # show firewall filter SPECIFIC-PBR
    term PBR {
        from {
            destination-prefix-list {
                SPECIFIC-LIST;
            }
        }
        then {
            count pbr-1276;
            log;
            next-interface {
                ae2.3072;
                routing-instance specific;
            }
        }
    }
    term ACC {
        then accept;
    }
    
    # show routing-options rib-groups
    specific {
        import-rib [ inet.0 scpecific.inet.0 ];
    }
    
    # show routing-options interface-routes
    rib-group inet cpecific;
    
    # show policy-options prefix-list SPECIFIC-LIST
    8.8.8.8/32

    Route:

    > show route 8.8.8.8
    
    inet.0: 955260 destinations, 2865903 routes (955259 active, 0 holddown, 19 hidden)
    + = Active Route, - = Last Active, * = Both
    
    8.8.8.0/24         *[BGP/170] 01:52:59, localpref 100
                          AS path: 28761 15169 I, validation-state: unverified
                        >  to 192.168.2.2 via ae1.810
                        [BGP/170] 10w3d 05:45:51, localpref 100
                          AS path: 6789 48084 15169 I, validation-state: unverified
                        >  to 192.168.1.1 via ae0.384
    
    specific.inet.0: 21 destinations, 21 routes (20 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 3w6d 00:05:01
                        >  to 192.168.3.2 via ae2.3072

    Device:

    > show chassis hardware
    Hardware inventory:
    Item             Version  Part number  Serial number     Description
    Chassis                                JN11AAC14AFB      MX480
    Midplane         REV 05   710-017414   ACAA6353          MX480 Midplane
    FPM Board        REV 02   710-017254   YS2154            Front Panel Display
    PEM 0            Rev 10   740-029970   QCS1414U0BV       PS 1.4-2.52kW; 90-264V AC in
    PEM 1            Rev 10   740-029970   QCS1414U041       PS 1.4-2.52kW; 90-264V AC in
    PEM 2            Rev 10   740-029970   QCS1414U0EU       PS 1.4-2.52kW; 90-264V AC in
    PEM 3            Rev 10   740-029970   QCS1414U0JP       PS 1.4-2.52kW; 90-264V AC in
    Routing Engine 0 REV 08   750-072923   CAMS6211          RE-S-2X00x6
    Routing Engine 1 REV 08   750-072923   CAMS6208          RE-S-2X00x6
    CB 0             REV 03   750-055976   CAEN8524          Enhanced MX SCB 2
    CB 1             REV 05   750-055976   CAEW4284          Enhanced MX SCB 2
    FPC 0            REV 27   750-038768   CACV0089          MS-MPC
      CPU                     BUILTIN      BUILTIN           MS-MPC-PMB
      PIC 0                   BUILTIN      BUILTIN           MS-MPC-PIC
      PIC 1                   BUILTIN      BUILTIN           MS-MPC-PIC
      PIC 2                   BUILTIN      BUILTIN           MS-MPC-PIC
      PIC 3                   BUILTIN      BUILTIN           MS-MPC-PIC
    FPC 1            REV 39   750-028467   CABX5917          MPC 3D 16x 10GE
      CPU            REV 12   711-029089   CABX5983          AMPC PMB
      PIC 0                   BUILTIN      BUILTIN           4x 10GE(LAN) SFP+
        Xcvr 0                NON-JNPR     FT20150318008     SFP+-10G-ER
        Xcvr 1                NON-JNPR     JOXPC6122         SFP+-10G-USR
        Xcvr 2       4        NON-JNPR     PT2004300230      SFP+-10G-ER
        Xcvr 3       GD       NON-JNPR     PT2004300244      SFP+-10G-ER
      PIC 1                   BUILTIN      BUILTIN           4x 10GE(LAN) SFP+
        Xcvr 0                NON-JNPR     GL2002270047      SFP+-10G-SR
      PIC 2                   BUILTIN      BUILTIN           4x 10GE(LAN) SFP+
        Xcvr 0       _        NON-JNPR     Z2001150124       SFP+-10G-SR
        Xcvr 1                NON-JNPR     Z2001150125       SFP+-10G-SR
        Xcvr 2       FZ       NON-JNPR     W2207142415       SFP+-10G-LR
        Xcvr 3                NON-JNPR     W2207142411       SFP+-10G-LR
      PIC 3                   BUILTIN      BUILTIN           4x 10GE(LAN) SFP+
        Xcvr 3                NON-JNPR     FP21061095        SFP+-10G-SR
    Fan Tray

    > show chassis firmware
    Part                     Type       Version
    FPC 0                    ROM        Juniper ROM Monitor Version 13.2b1
                             O/S        Version 18.4R3-S11.1 by builder on 2022-01-11 00:16:33 UTC
    FPC 1                    ROM        Juniper ROM Monitor Version 12.3b1
                             O/S        Version 18.4R3-S11.1 by builder on 2022-01-11 00:10:12 UTC

    Tests and problem:

    Tracing 8.8.8.8 from the NAT-SERVERS prefix-list is FBF counter increase (pbr-1276) and traffic in the firewall log, but from the trace goes to the Uplink-1 based on the routing table route. Only when I add 8.8.8.8 specific route via ae2.3072 the implementation works correct. 

    I hope, I described it more or less clear and  some one can put the light on my problem.

    Kind regards,

    Volodymyr.



    ------------------------------
    Vladimir Shunkov
    ------------------------------



  • 2.  RE: Filter based forwarding prior NAT

    Posted 07-08-2023 05:24

    I think, you need to configure the firewall filter SPECIFIC-PBR on the ae2.3072 interface as well. It will ensure, all specific traffic is forwarded to the ae2.3072 interface, where it can be NAT by the NAT rule NAT-permit.



    ------------------------------
    Md.Kamruzzaman Khan
    ------------------------------



  • 3.  RE: Filter based forwarding prior NAT

    Posted 07-08-2023 06:08

    Filter based forwarding is based on the ingress interface and does not need to be deployed on the egress interface.

    And the match conditions in this case seem to be the destination address of google dns and not a source address of the clients.  I'm not sure I follow why the google dns is there and think that might be why the traffic is not matching as desired.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 4.  RE: Filter based forwarding prior NAT

    Posted 07-11-2023 12:47

    ae2.1276 ingress interface, google dns was just an example which I used in order to replace real customer corporate IPs.



    ------------------------------
    Volodymyr Shunkov
    ------------------------------



  • 5.  RE: Filter based forwarding prior NAT

    Posted 07-11-2023 12:48

    Hello, I believe additional FBF configuration on outgoing interface is redundant.  I have already working FBF configuration on MX80, but without NAT.  Up on my understanding once the packet forwarded to the RI specific  with default route/next-hop (btw, I had config typo on posting initial config cpecific -> specific ) and was targeted to the specific interface the only thing if left to leave the device. And I am not if this behaviour can be caused by extra NAT configuration.



    ------------------------------
    Volodymyr Shunkov
    ------------------------------



  • 6.  RE: Filter based forwarding prior NAT

    Posted 07-19-2023 06:52
    Hi all,
     
    After spending time configuring and testing, I finally have an explanation for the behavior I observed regarding NAT and routing. Now, the remaining task is to find the proper configuration (and it would be helpful to understand the flow between RE/PFE and the service).
     
    During my testing, I removed the input/output service from ae2.3072, and as a result, the Google DNS traffic stopped passing through. However, the firewall counter "pbr-1276" continued to increment, indicating that the packet was forwarded to the RI specific to ae2.3072 but got lost.
     
    # show | compare
    [edit interfaces ae2 unit 3072 family inet]
    -       service {
    -           input {
    -               service-set NAT service-filter NAT-SPEFIC-in;
    -           }
    -           output {
    -               service-set NAT service-filter NAT-out;
    -           }
    -       }
    This discovery helps me understand why my implementation didn't work as expected and challenges my previous assumptions. It seems that after the NAT service evaluation, the packet is sent back to the RE for the routing decision.
     
    Unfortunately, I couldn't find any JunOS packet flow documentation specifically related to NAT service evaluation. If any of you have any thoughts or references to share, they would be greatly appreciated.
     
    Thank you.


    ------------------------------
    Volodymyr Shunkov
    ------------------------------



  • 7.  RE: Filter based forwarding prior NAT

    Posted 07-19-2023 06:59

    I'm having trouble visualizing the flow in your configuration.  But this might help someone else see the process.  The flow chart below is how nat is applied during SRX processing.  The firewall filter is applied before nat rule processing.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------