Configuring MX Series Router Cloud CPE NAT Services on the PE1 Router to Route Internet Traffic
Complete the following tasks to configure the PE1 router at Site 1:
- Configuring MX Series Router Cloud CPE NAT Services
- Configuring the Service Interfaces for NAT
- Defining the Service Rules
- Configuring the Interface, Bridge Domain, and IRB Interface
Configuring MX Series Router Cloud CPE NAT Services
The Junos OS provides carrier-grade NAT (CGN) for IPv4 and IPv6 networks. To enable the NAT service for the cCPE services:
- Configure the properties for the MS-DPC and enable the extension provider service package application.
    [edit]
    edit chassis fpc 4 pic 0 adaptive-services service-package layer-3
- Verify the configuration.
    user@host# show
    chassis {
        fpc 4 {
            pic 0 {
                adaptive-services {
                    service-package layer-3;
                }
            }
        }
    }
Configuring the Service Interfaces for NAT
To configure the inside and outside service interfaces:
- Configure the inside interface.
    [edit]
    user@host# set interfaces sp-2/0/0 unit 1 family inet
    user@host# set interfaces sp-2/0/0 unit 1 service-domain inside
- Configure the outside interface.
    [edit]
    user@host# set interfaces sp-2/0/0 unit 2 family inet
    user@host# set interfaces sp-2/0/0 unit 2 service-domain outside
Defining the Service Rules
In this sample procedure, the service set contains only the NAT service. You can also add other services, such as a stateful firewall. To define the service rules to be applied to traffic:
- Configure the next-hop service set.
  - Configure a name for the service set.
      [edit]
      user@host# edit services service-set acme-services
  - Configure a name for the NAT rules.
      [edit services service-set acme-services]
      user@host# set nat-rules acme-nat-rule
  - Define the next-hop service for the inside service interface.
      [edit services service-set acme-services]
      user@host# set next-hop-service inside-service-interface sp-2/0/0.1
  - Define the next-hop service for the outside service interface.
      [edit services service-set acme-services]
      user@host# set next-hop-service outside-service-interface sp-2/0/0.2
- Configure the public address pool and ports.
  - Configure the public address pool name.
  - Specify the address or address prefix for NAT.
      [edit services nat pool acme-public-pool]
      user@host# set address public-address
  - Configure the NAT port to be assigned automatically by the router.
      [edit services nat pool acme-public-pool]
      user@host# set port automatic
- Configure the NAT rules.
  - Specify the name of the NAT rule.
  - Specify the direction in which the rule match is applied.
      [edit services nat rule acme-nat-rule]
      user@host# set match-direction input
  - Define the NAT term actions.
      [edit services nat rule acme-nat-rule]
      user@host# set term translate then translated source-pool acme-public-pool
      user@host# set term translate then translated translation-type napt-44
Configuring the Interface, Bridge Domain, and IRB Interface
To configure the interface, bridge domain, and IRB interface:
- Configure the interface for VLAN tagging and flexible Ethernet services encapsulation.
    [edit]
    user@host# edit interfaces ge-1/2/3
    user@host# set vlan-tagging
    user@host# set encapsulation flexible-ethernet-services
- Configure the subscriber VLAN.
  - Configure the logical interface.
      [edit interfaces ge-1/2/3]
      user@host# edit unit 105
  - Configure the encapsulation for the logical interface.
      [edit interfaces ge-1/2/3 unit 105]
      user@host# set encapsulation vlan-bridge
  - Bind an 802.1Q VLAN tag ID to the logical interface.
      [edit interfaces ge-1/2/3 unit 105]
      user@host# set vlan-id 105
  - Configure the logical interface for Layer 2 bridging.
      [edit interfaces ge-1/2/3 unit 105]
      user@host# set family bridge
- Configure the IRB interface.
  - Configure the logical interface used for internal VPN traffic as the IRB interface.
  - Specify the private subnet of the VPN site on the IRB interface.
- Configure the bridge domain.
  - Configure the bridge domain name.
  - Associate the subscriber’s VLAN ID with the bridge domain.
      [edit bridge-domains bd-105]
      user@host# set vlan-id 105
  - Specify the interface name for the bridge domain.
      [edit bridge-domains bd-105]
      user@host# set interface ge-1/2/3.105
  - Specify the routing interface to include in the bridge domain.
      [edit bridge-domains bd-105]
      user@host# set routing-interface irb.105
- Configure the routing instance.
  - Configure the name of the routing instance.
  - Configure the routing instance as a VRF instance.
      [edit routing-instances acme]
      user@host# set instance-type vrf
  - Reference the IRB interface by specifying irb.vlan-id.
      [edit routing-instances acme]
      user@host# set interface irb.105
  - Add the NAT inside interface to the routing instance by specifying the inside interface name and route distinguisher attached to the route.
      [edit routing-instances acme]
      user@host# set interface sp-2/0/0.1
      user@host# set route-distinguisher 65535:1
  - Specify the VPN’s community. VRF import and export policies are automatically generated.
      [edit routing-instances acme]
      user@host# set vrf-target target:65535:5
  - Map the inner label of a packet to a specific VRF table. This enables examination of the encapsulated IP header.
      [edit routing-instances acme]
      user@host# set vrf-table-label
  - Add a static route to send Internet traffic to the inside interface of NAT service.
      [edit routing-instances acme]
      user@host# set routing-options static route 0.0.0.0/0 next-hop sp-2/0/0.1
      Note: You must advertise this route to remote PE routers through a VPN export policy.
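The steps above only steer traffic through NAT if the names and units they use agree with each other. The following check is an added example, not Juniper code: it audits a configuration in full-path "set" form for the cross-references this procedure depends on. The function name audit, the sample text, and the address 192.0.2.1/32 (standing in for public-address) are assumptions made for the example.

```python
import re

# Constructed sample: this page's commands as full-path "set" lines (192.0.2.1/32 is a stand-in).
PAGE_CONFIG = """\
set interfaces sp-2/0/0 unit 1 service-domain inside
set interfaces sp-2/0/0 unit 2 service-domain outside
set services service-set acme-services nat-rules acme-nat-rule
set services service-set acme-services next-hop-service inside-service-interface sp-2/0/0.1
set services service-set acme-services next-hop-service outside-service-interface sp-2/0/0.2
set services nat pool acme-public-pool address 192.0.2.1/32
set services nat rule acme-nat-rule match-direction input
set services nat rule acme-nat-rule term translate then translated source-pool acme-public-pool
set routing-instances acme instance-type vrf
set routing-instances acme interface sp-2/0/0.1
set routing-instances acme routing-options static route 0.0.0.0/0 next-hop sp-2/0/0.1
"""

def audit(config):
    """Return sorted findings; an empty list means the NAT steering is consistent."""
    lines = {l.strip() for l in config.splitlines() if l.strip()}
    findings = []
    def grab(pattern):
        return [m.groups() for l in lines if (m := re.fullmatch(pattern, l))]
    # Each next-hop service interface must carry the matching service-domain.
    for sset, side, ifd, unit in grab(r"set services service-set (\S+) next-hop-service "
                                      r"(inside|outside)-service-interface ([^.\s]+)\.(\d+)"):
        ifl = f"{ifd}.{unit}"
        if f"set interfaces {ifd} unit {unit} service-domain {side}" not in lines:
            findings.append(f"{sset}: {ifl} is not service-domain {side}")
        if side != "inside":
            continue
        # The inside unit must sit in a VRF whose default route points at it.
        vrfs = [v for v, i in grab(r"set routing-instances (\S+) interface (\S+)") if i == ifl]
        if not vrfs:
            findings.append(f"{sset}: {ifl} is not in any routing instance")
        for v in vrfs:
            route = f"set routing-instances {v} routing-options static route 0.0.0.0/0 next-hop {ifl}"
            if route not in lines:
                findings.append(f"{v}: no default route to {ifl}")
    # Rules named by a service set, and pools named by a rule, must be defined.
    rules = {r for (r,) in grab(r"set services nat rule (\S+) .*")}
    pools = {p for (p,) in grab(r"set services nat pool (\S+) .*")}
    for sset, rule in grab(r"set services service-set (\S+) nat-rules (\S+)"):
        if rule not in rules:
            findings.append(f"{sset}: NAT rule {rule} is not defined")
    for rule, pool in grab(r"set services nat rule (\S+) term \S+ then translated source-pool (\S+)"):
        if pool not in pools:
            findings.append(f"{rule}: source pool {pool} is not defined")
    return sorted(findings)
```

An empty result for PAGE_CONFIG means every reference resolves; swapping a service-domain, dropping the default route, or misspelling the pool name each produces one finding.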