NAT Configuration for Junos Space Network Management Platform Overview
To manage devices, Junos Space Network Management Platform supports connections initiated by the devices or Junos Space Platform. If a device is managed through a device-initiated connection, Junos Space Platform pushes the device management IP addresses of Junos Space and configures the outbound SSH stanza on the device when the device is discovered or when the device management IP addresses are modified. During device discovery and reconnection to devices, the devices initiate an outbound SSH connection to Junos Space Platform. If a device is managed through a connection initiated by Junos Space, an SSH connection is initiated to the device from Junos Space Platform.
Enabling NAT on your Junos Space setup allows devices placed outside your Junos Space setup to connect to Junos Space Platform and the Junos Space application. Enabling a NAT server on your Junos Space setup uses IP addresses translated through NAT as outbound SSH configuration to connect devices and trap IP addresses translated through NAT to send traps, rather than the actual device management and trap IP addresses. These translated IP addresses are updated and sent to the devices that are managed using a NAT server, after NAT is configured, or when the NAT configuration is updated.
You configure and enable Network Address Translation (NAT) server on a running Junos Space setup from the Administration workspace. You can also configure and enable NAT by using the Junos Space CLI when you create a Junos Space setup during the initial deployment. If you configure a NAT server, you must set a forwarding rule on the NAT server to enable communication between the Junos Space fabric and the devices managed through the NAT server. For more information about enabling NAT when you are configuring the Junos Space Virtual Appliance as a Junos Space node or Fault Monitoring and Performance Monitoring (FMPM) node, see one of the following:
-
To configure NAT when you are configuring a Junos Space Virtual Appliance, see the Configuring a Junos Space Virtual Appliance as a Junos Space Node, Configuring a Junos Space Virtual Appliance as a Standalone or Primary FMPM Node, and Changing the Network and System Settings of a Junos Space Virtual Appliance topics in the Junos Space Virtual Appliance Installation and Configuration Guide.
You can configure the disaster recovery feature and allow database replication in realtime with NAT configuration enabled on your Junos Space setup.
Enabling NAT on a Junos Space setup has the following impact on discovering and managing devices in Junos Space Platform:
When you configure NAT for the first time, by default, the devices that are managed on Junos Space Platform are not updated with the IP addresses of the Junos Space fabric that are translated through NAT.
During device discovery, you can choose whether to use the NAT server to route device-initiated connections to Junos Space Platform and manage them through the NAT server. For more information, see Device Discovery Profiles Overview.
When adding devices using the Model Devices feature, if you choose to use the NAT configuration, the IP addresses of the Junos Space fabric that are translated through NAT are available in the configlet generated from the modeled instance.
For managed devices routed through a NAT server, Junos Space Platform features such as SSH access to device, Launch WebUI of the devices, and Reactivate an RMA device from the Junos Space UI use the IP addresses of the Junos Space fabric that are translated through NAT.
Modifying only the NAT address in the network configuration of a Junos Space fabric from the CLI does not trigger a reboot. Junos Space Platform creates a job to update the NAT configuration on all devices managed through the NAT server.
If you simultaneously modify the NAT configuration and other network settings from the CLI, the NAT configuration changes are discarded and adialog box is displayed with the following message: “Changes to NAT will be discarded as the system required reboot.”
The following sections describe the NAT configuration updated on devices when different interfaces of a Junos Space node are used to deploy the Junos Space fabric :
Using eth0 for Device Management Without a Dedicated Network Monitoring Node
If you use eth0 interface to communicate to devices, the eth0 IP address of each node in the fabric is configured in the outbound SSH configuration on the devices. The virtual IP address (VIP) of the Junos Space setup is set as the trap target to receive SNMP traps from the devices.
Junos Space Platform automatically populates the IP addresses of the Junos Space nodes and the VIP address on the NAT Configuration page. The NAT configuration that is pushed as the outbound SSH connection and the trap target to which the device must send traps are generated as follows:
If the devices are in your internal network:
outbound ssh
<configuration ...> <system> <services> <outbound-ssh> <client> <name>cluster_CLUSTERNAME</name> <device-id>9A1E0</device-id> ... <services>netconf</services> <servers> <name>$NODE1_ETH0_IP</name> <port>7804</port> </servers> <servers> <name>$NODE2_ETH0_IP</name> <port>7804</port> </servers> ... </client> </outbound-ssh> </services> </system> </configuration>
trap target
<configuration> <snmp> <v3> <target-address> <name>TA_SPACE</name> <address>$SPACE_ETH0_VIP</address> </target-address> </v3> </snmp> </configuration>
If the devices are in your external (to the NAT server) network:
outbound ssh
<configuration ...> <system> <services> <outbound-ssh> <client> <name>cluster_CLUSTERNAME</name> <device-id>E9A1E0</device-id> ... <services>netconf</services> <servers> <name>$NODE1_NAT_SSH_IP</name> <port>$NODE1_NAT_SSH_PORT</port> </servers> <servers> <name>$NODE2_NAT_SSH_IP</name> <port>$NODE2_NAT_SSH_PORT</port> </servers> ... </client> </outbound-ssh> </services> </system> </configuration>
trap target
<configuration> <snmp> <v3> <target-address> <name>TA_SPACE</name> <address>$SPACE_NAT_VIP</address> <port>$SPACE_NAT_TRAP_PORT</port> </target-address> </v3> </snmp> </configuration
A NAT server should be configured with a rule to forward device-initiated
connections destined to $NODEx_NAT_SSH_IP
and $NODEx_NAT_SSH_PORT
to $NODEx_ETH0_IP:7804
. Similarly, traps destined to $SPACE_NAT_VIP
and $SPACE_NAT_TRAP_PORT
must be
forwarded to $SPACE_ETH0_VIP:162
.
Using eth3 for Device Management Without a Dedicated Network Monitoring Node
If you use eth3 interface to communicate to devices, the eth3 IP address of each node in the fabric is configured in the outbound SSH configuration on the devices. The eth3 IP address of the active node (that currently works as a Network Monitoring node) is set as the trap target to receive SNMP traps from the devices.
Junos Space Platform automatically populates the IP addresses of the Junos Space nodes and the address of the network monitoring node on the NAT Configuration page. The NAT configuration that is pushed as the outbound SSH connection and the trap target to which the device must send traps are generated as follows:
If the devices are in your internal network:
outbound ssh
<configuration ...> <system> <services> <outbound-ssh> <client> <name>cluster_CLUSTERNAME</name> <device-id>9A1E0</device-id> ... <services>netconf</services> <servers> <name>$NODE1_ETH3_IP</name> <port>7804</port> </servers> <servers> <name>$NODE2_ETH3_IP</name> <port>7804</port> </servers> ... </client> </outbound-ssh> </services> </system> </configuration>
trap target
<configuration> <snmp> <v3> <target-address> <name>TA_SPACE</name> <address>$NODEopennms_ETH3_IP</address> </target-address> </v3> </snmp> </configuration>
If the devices are in your external (to the NAT server) network:
outbound ssh
<configuration ...> <system> <services> <outbound-ssh> <client> <name>cluster_CLUSTERNAME</name> <device-id>E9A1E0</device-id> ... <services>netconf</services> <servers> <name>$NODE1_NAT_SSH_IP</name> <port>$NODE1_NAT_SSH_PORT</port> </servers> <servers> <name>$NODE2_NAT_SSH_IP</name> <port>$NODE2_NAT_SSH_PORT</port> </servers> ... </client> </outbound-ssh> </services> </system> </configuration>
trap target
<configuration> <snmp> <v3> <target-address> <name>TA_SPACE</name> <address>$NODEopennms_NAT_TRAP_IP</address> <port>$NODEopennms_NAT_TRAP_PORT</port> </target-address> </v3> </snmp> </configuration
A NAT server should be configured with a rule to forward device-initiated
connections destined to $NODEx_NAT_SSH_IP
and $NODEx_NAT_SSH_PORT
, to $NODEx_ETH3_IP:7804
. Similarly, traps destined to $NODEopennms_NAT_TRAP_IP
and $NODEopennms_NAT_TRAP_PORT
must be forwarded to $NODEopennms_ETH3_IP:162
.
Using eth0 or eth3 for Device Management With a Dedicated Network Monitoring Node
If you use eth3 interface to communicate to devices, the eth3 IP address of each node is configured in the outbound SSH configuration on the devices. Similarly, if you use eth0 interface to communicate to devices, the eth0 IP address of each node is configured in the outbound SSH configuration on the devices. The VIP address of the dedicated Network Monitoring node is configured as the trap target to send SNMP traps from the devices.
Junos Space Platform automatically populates the IP addresses of the Junos Space nodes and the VIP address on the NAT Configuration page. The NAT configuration that is pushed as the outbound SSH connection and the trap target to which the device must send traps are generated as follows:
If the devices are in your internal network:
outbound ssh
<configuration ...> <system> <services> <outbound-ssh> <client> <name>cluster_CLUSTERNAME</name> <device-id>9A1E0</device-id> ... <services>netconf</services> <servers> <name>$NODE1_ETH0_IP</name> <port>7804</port> </servers> <servers> <name>$NODE2_ETH0_IP</name> <port>7804</port> </servers> ... </client> </outbound-ssh> </services> </system> </configuration>
trap target
<configuration> <snmp> <v3> <target-address> <name>TA_SPACE</name> <address>$OPENNMSNODE_ETH0_VIP</address> </target-address> </v3> </snmp> </configuration>
If the devices are in your external (to the NAT server) network:
outbound ssh
<configuration ...> <system> <services> <outbound-ssh> <client> <name>cluster_CLUSTERNAME</name> <device-id>E9A1E0</device-id> ... <services>netconf</services> <servers> <name>$NODE1_NAT_SSH_IP</name> <port>$NODE1_NAT_SSH_PORT</port> </servers> <servers> <name>$NODE2_NAT_SSH_IP</name> <port>$NODE2_NAT_SSH_PORT</port> </servers> ... </client> </outbound-ssh> </services> </system> </configuration>
trap target
<configuration> <snmp> <v3> <target-address> <name>TA_SPACE</name> <address>$OPENNMSNODE_NAT_VIP</address> <port>$OPENNMSNODE_NAT_TRAP_PORT</port> </target-address> </v3> </snmp> </configuration
A NAT server should be configured with a rule to forward device-initiated
connections destined to $NODEx_NAT_SSH_IP
and $NODEx_NAT_SSH_PORT
, to $NODEx_ETH0_IP:7804
. Similarly, traps destined to $OPENNMSNODE_NAT_VIP
and $OPENNMSNODE_NAT_TRAP_PORT
must be forwarded to $OPENNMSNODE_ETH0_VIP:162
.