- play_arrow Overview
- play_arrow Services Overview
- play_arrow Services Configuration Overview
-
- play_arrow Network Address Translation
- play_arrow NAT Overview
- play_arrow Stateful NAT64
- play_arrow Static Source NAT
- play_arrow Static Destination NAT
- play_arrow Network Address Port Translation
- play_arrow Deterministic NAT
- play_arrow NAT Protocol Translation
- play_arrow IPv4 Connectivity Across IPv6-Only Network Using 464XLAT
- play_arrow Port Control Protocol
- play_arrow Secured Port Block Allocation
- play_arrow Port Forwarding
- play_arrow Dynamic Address-Only Source Translation
- play_arrow Inline NAT
- play_arrow Stateless Source Network Prefix Translation for IPv6
- play_arrow Monitoring NAT
- play_arrow Packet Translation and GRE Tunneling
-
- play_arrow Transitioning to IPv6 Using MAP-E and MAP-T
- play_arrow Transitioning to IPv6 Using MAP-E and MAP-T
- Mapping of Address and Port with Translation (MAP-T)
-
- play_arrow ALGs
- play_arrow ALGs
-
- play_arrow Access Security
- play_arrow Stateful Firewalls
- play_arrow IDS on MS-DPC
- play_arrow Network Attack Protection on MS-MPC and MS-MIC
-
- play_arrow IPsec Tunnels
- play_arrow IPsec Overview
- play_arrow Inline IPsec
- play_arrow IPsec Tunnels With Static Endpoints
- play_arrow IPsec Tunnels With Dynamic Endpoints
-
- play_arrow CoS on Services Cards
- play_arrow CoS on Services Cards
- play_arrow Class of Service on Link Services Interfaces
-
- play_arrow Inter-Chassis Redundancy for NAT and Stateful Firewall Flows
- play_arrow Configuring Inter-Chassis MS-MPC and MS-MIC for NAT and Stateful Firewall (Release 16.1 and later)
- play_arrow Configuring Inter-Chassis Stateful Synchronization for NAT and Stateful Firewall (Release 15.1 and earlier)
-
- play_arrow Multilinks
- play_arrow Link Services Interface Redundancy
- play_arrow Link Bundling
-
- play_arrow Traffic Load Balancer
- play_arrow Traffic Load Balancer
-
- play_arrow Services Card Redundancy
- play_arrow Services Card Redundancy for MS-MPC and MS-MIC
- play_arrow Services Card Redundancy for Multiservices PIC
-
- play_arrow Voice Services
- play_arrow Voice Services
-
- play_arrow Layer 2 PPP Tunnels
- play_arrow Layer 2 Tunneling of PPP Packets
-
- play_arrow URL Filtering
- play_arrow URL Filtering
-
- play_arrow Configuration Statements and Operational Commands
DS-Lite Softwires
Configuring a DS-Lite Softwire Concentrator
DS-Lite is supported on Multiservices 100, 400, and 500 PICs on M Series routers, and on MX Series routers equipped with Multiservices DPCs. Starting in Junos OS release 17.4R1, DS-Lite is supported on MX Series routers with MS-MPCs and MS-MICs.Starting in Junos OS release 19.2R1, DS-Lite is supported on MX Virtual Chassis and MX Broadband Network Gateway (BNG) routers.
To configure a DS-Lite softwire concentrator:
See Also
Configuring IPv6 Multicast Interfaces
Configure multicast filters on Ethernet interfaces when IPv6 NAT is used for neighbor discovery. This enables the router to process softwire-initiated flows in both directions.
To configure IPv6 multicast interfaces:
See Also
Example: Basic DS-Lite Configuration
DS-Lite employs IPv4-over-IPv6 tunnels to cross an IPv6 access network to reach a carrier-grade IPv4-IPv4 NAT. This facilitates the phased introduction of IPv6 on the Internet by providing backward compatibility with IPv4. See Understanding IPv6 Dual-Stack Lite.
Requirements
The following hardware components can perform DS-Lite:
M Series Multiservice Edge routers with Multiservices PICs.
T Series Core routers with Multiservices PICs.
MX Series 5G Universal Routing Platforms with Multiservices DPCs. Starting in Junos OS release 17.4R1, DS-Lite is supported on MX Series routers with MS-MPCs and MS-MICs.Starting in Junos OS release 19.2R1, DS-Lite is supported on MX Virtual Chassis and MX Broadband Network Gateway (BNG) routers.
Configuration Overview and Topology
This example describes how configure an MX Series router with an MS-DPC as an AFTR to facilitate the flow shown in Figure 1.
In this example, the DS-Lite softwire concentrator, or AFTR, is an MX Series router with two Gigabit interfaces and a Services DPC. The interface facing the B4 element is ge-3/1/5 and the interface facing the Internet is ge-3/1/0.
Configuration
- Chassis Configuration
- Interfaces Configuration
- Network Address and Port Translation Configuration
- Softwire Configuration
- Service Set Configuration
Chassis Configuration
Step-by-Step Procedure
To configure the service PIC (FPC 0 Slot 0) with the Layer 3 service package:
Enter the edit chassis hierarchy level.
content_copy zoom_out_mapuser@host# edit chassisConfigure the Layer 3 service package.
content_copy zoom_out_map[edit chassis]user@host# set fpc 0 pic 0 adaptive-services service-package layer-3
Interfaces Configuration
Step-by-Step Procedure
To configure interfaces facing the B4 (softwire initiator) and facing the Internet:
Go the
[edit interfaces]edit hierachy level for ge-3/1/0, which faces the Internet.content_copy zoom_out_maphost# edit interfaces ge-3/1/0Define the interface.
content_copy zoom_out_map[edit interfaces ge-3/1/0]user@host# set description AFTR-Internet user@host# set unit 0 family inet address 128.0.0.2/24Go to the
[edit interfaces]hierachy level for ge-3/1/5, which faces the B4.content_copy zoom_out_mapuser@host# up 1
[edit]user@host# edit interfaces ge-3/1/5Define the interface.
content_copy zoom_out_map[edit interfaces ge-3/1/5]user@host# set description AFTR-B4 user@host# set unit 0 family inet user@host# edit unit 0 family inet6[edit unit 0 family inet6]user@host# set service input service-set sset user@host# set service output service-set sset user@host# set address 2001:0:0:2::1/48Go to the
[edit interfaces]hierarchy level for sp-0/0/0, used to host the DS-Lite AFTR.content_copy zoom_out_map[edit]user@host# edit interfaces sp-0/0/0Define the interface.
content_copy zoom_out_map[edit interfaces sp-0/0/0]user@host# set description AFTR-B4 user@host# set unit 0 family inet user@host# edit unit 0 family inet6
Results
user@host# show interfaces ge-3/1/0
description AFTR-Internet;
unit 0 {
family inet {
address 128.0.0.2/24;
}
}
user@host# show interfaces ge-3/1/5
description AFTR-B4;
unit 0 {
family inet;
family inet6 {
service {
input {
service-set sset;
}
output {
service-set sset;
}
}
address 2001:0:0:2::1/48;
}
}
user@host# show interfaces sp-o/o/o
unit 0 {
family inet;
family inet6;
}Network Address and Port Translation Configuration
Step-by-Step Procedure
To configure NAPT:
Go to the
[edit services nat]hierarchy level.content_copy zoom_out_mapuser@host# edit services nat
[edit services nat]Define a NAT pool p1.
content_copy zoom_out_mapuser@host# set pool p1 address 129.0.0.1/32 port automaticDefine a NAT rule, beginning with the match direction.
content_copy zoom_out_map[edit services nat]user@host# set rule r1 match-direction inputDefine a term for the rule, beginning with a from clause.
content_copy zoom_out_map[edit services nat]user@host# set rule r1 term t1 from source-address 10.0.0.0/16Define the desired translation in a then clause. In this case, use dynamic source translation.
content_copy zoom_out_map[edit services nat]user@host# set rule r1 term t1 then translated source-pool p1 translation-type napt-44(Optional) Configure logging of translation information for the rule.
content_copy zoom_out_map[edit services nat]user@host# set rule r1 term t1 then syslog
Results
user@host# show services nat
pool p1 {
address 129.0.0.1/32;
port {
automatic;
}
}
rule r1 {
match-direction input;
term t1 {
from {
source-address {
10.0.0.0/16;
}
}
then {
translated {
source-pool p1;
translation-type {
napt-44;
}
}
syslog;
}
}Softwire Configuration
Step-by-Step Procedure
To configure the DS-Lite softwire concentrator and associated rules:
Go to the
[edit services softwire]hierarchy level.content_copy zoom_out_mapuser@host# edit services softwireDefine the DS-Lite softwire concentrator.
content_copy zoom_out_map[edit services softwire]user@host# set softwire-concentrator ds-lite ds-1 softwire-address 1001::1 mtu-v6 1460Define the softwire rule.
content_copy zoom_out_map[edit services softwire]user@host# set rule r1 match-direction input term t1 then ds-lite ds1.
Results
user@host# show services softwire
softwire-concentrator {
ds-lite ds1 {
softwire-address 1001::1;
mtu-v6 1460;
}
}
rule r1 {
match-direction input;
term t1 {
then {
ds-lite ds1;
}
}
}Service Set Configuration
Step-by-Step Procedure
Configure a service set that includes softwire and NAT rules and specifies either interface-service or next-hop service. This example uses a next-hop service.
Go to the
[edit services service-set]hierarchy level, naming the service set.content_copy zoom_out_mapuser@host# edit services service-set ssetDefine the NAT rule to be used for IPv4-to-IPv4 translation.
content_copy zoom_out_map[edit services service-set sset]user@host# set nat-rules r1Define the softwire rule to define the softwire tunnel.
content_copy zoom_out_map[edit services service-set sset]user@host# set softwire-rules r1Define the interface service,
content_copy zoom_out_map[edit services service-set sset]user@host# set interface-service service-interface sp-0/0/0.0Tip:In order to avoid or minimize IPv6 fragmentation, you can configure a TCP maximum segment size (MSS) for your service set.
(Optional) Define a TCP MSS.
content_copy zoom_out_map[edit services service-set sset]user@host# set tcp-mss 1024
Results
user@host# show services service-set
syslog {
host local {
services any;
}
}
softwire-rules r1;
nat-rules r1;
interface-service {
service-interface sp-0/0/0;
}
}Example: Configuring DS-Lite and 6rd in the Same Service Set
Requirements
The following hardware components can perform DS-Lite:
M Series Multiservice Edge routers with Multiservices PICs.
T Series Core routers with Multiservices PICs.
MX Series 5G Universal Routing Platforms with Multiservices DPCs. Starting in Junos OS release 17.4R1, DS-Lite is supported on MX Series routers with MS-MPCs and MS-MICs.Starting in Junos OS release 19.2R1, DS-Lite is supported on MX Virtual Chassis and MX Broadband Network Gateway (BNG) routers.Starting in Junos OS release 20.2R1, DS-Lite is supported for CGNAT Next Gen Services on MX240, MX480 and MX960 routers.
Overview
This example describes a softwire solution that includes DS-Lite and 6rd in the same service set.
Configuration
- Chassis Configuration
- Softwire Concentrator, Softwire Rule, Stateful Firewall Rule Configuration
- NAT Configuration for DS-Lite
- Service Set Configuration
Chassis Configuration
Step-by-Step Procedure
To configure the chassis:
Configure the ingress interface.
content_copy zoom_out_mapuser@host# edit interfaces ge-1/2/0 [edit interfaces ge-1/2/0] user@host# set unit 0 family inet service input service-set v6rd-dslite-service-set user@host# set unit 0 family inet service output service-set v6rd-dslite-service-set user@host# set unit 0 family inet address address 10.10.10.1/24 user@host# set unit 0 family inet6 service input service-set v6rd-dslite-service-set user@host# set unit 0 family inet6 service output service-set v6rd-dslite-service-set user@host# set unit 0 family inet6 address address address 2001::1/16
Here the service set is applied on the inet (IPv4) and inet6 (IPv6) families of subunit 0. Both DS-Lite IPv6 traffic and 6rd IPv4 traffic hits the service filter and is sent to the services PIC.
Configure the egress interface (IPv6 Internet). The IPv4 server that the DS-Lite clients are trying to reach is at 200.200.200.2/24, and the IPv6 server is at 3ABC::2/16.
content_copy zoom_out_mapuser@host# edit interfaces ge-1/2/2 [edit interfaces ge-1/2/2] user@host# set unit 0 family inet address 200.200.200.1/24 user@host# set unit 0 family inet6 address 3ABC::1/16
Configure the services PIC.
content_copy zoom_out_mapuser@host# edit interfaces sp-3/0/0 [edit interfaces sp-3/0/0] user@host# set unit 0 family inet user@host# set unit 0 family inet6
Results
[edit interfaces]
user@host# show
ge-1/2/0 {
unit 0 {
family inet {
service {
input {
service-set v6rd-dslite-service-set;
}
output {
service-set v6rd-dslite-service-set;
}
}
address 10.10.10.1/24;
}
family inet6 {
service {
input {
service-set v6rd-dslite-service-set;
}
output {
service-set v6rd-dslite-service-set;
}
}
address 2001::1/16;
}
}
}
ge-1/2/2 {
unit 0 {
family inet {
address 200.200.200.1/24;
}
family inet6 {
address 3ABC::1/16;
}
}
}
sp-3/0/0 {
unit 0 {
family inet;
family inet6;
}
}
Softwire Concentrator, Softwire Rule, Stateful Firewall Rule Configuration
Step-by-Step Procedure
To configure the softwire concentrator, softwire rule, and stateful firewall rule:
Configure the DS-Lite and 6rd softwire concentrators.
content_copy zoom_out_mapuser@host# edit services softwire softwire-concentrator ds-lite ds1 [edit services softwire softwire-concentrator ds-lite ds1] user@host# set softwire-address 1001::1 user@host# mtu-v6 9192 usert@host# up 1 usert@host# edit v6rd v6rd-dom1 [edit services softwire softwire-concentrator v6rd v6rd-dom1] user@host# set softwire-address 30.30.30.1 user@host# set ipv4-prefix 10.10.10.0/24 user@host# set v6rd-prefix 3040::0/16 user@host# set mtu-v4 9192
Configure the softwire rules.
content_copy zoom_out_mapuser@host# edit services softwire rule v6rd-r1] [edit services softwire rule v6rd-r1] user@host# set match-direction input user@host# set term t1 then v6rd v6rd-dom1 user@host# up 1 user@host# edit services softwire] [edit services softwire] user@host# edit rule dslite-r1 [edit services softwire rule dslite-r1] user@host# set term dslite-t1 then ds-lite ds1
The following routes are added by the services PIC daemon on the Routing Engine:
content_copy zoom_out_mapuser@host# run show route 30.30.30.1 inet.0: 43 destinations, 46 routes (42 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both 30.30.30.1/32 *[Static/786432] 00:24:11 Service to v6rd-dslite-service-set [edit] user@host# run show route 3040::0/16 inet6.0: 23 destinations, 33 routes (23 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 3040::/16 *[Static/786432] 00:24:39 Service to v6rd-dslite-service-setcontent_copy zoom_out_mapuser@host# run show route 1001::1 inet6.0: 33 destinations, 43 routes (33 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 1001::1/128 *[Static/1] 1w2d 22:05:41 Service to v6rd-dslite-service-setConfigure a stateful firewall rule.
content_copy zoom_out_mapuser@host# edit services stateful-firewall rule r1 [edit services stateful-firewall rule r1] user@host# set match-direction input-output user@host# set term t1 then accept
content_copy zoom_out_map[edit services stateful-firewall] rule r1 { match-direction input-output; term t1 { then { accept; } } }
Results
[edit services softwire]
user@host# show
softwire-concentrator {
ds-lite ds1 {
softwire-address 1001::1;
mtu-v6 9192;
}
v6rd v6rd-dom1 {
softwire-address 30.30.30.1;
ipv4-prefix 10.10.10.0/24;
v6rd-prefix 3040::0/16;
mtu-v4 9192;
}
}
rule v6rd-r1 {
match-direction input;
term t1 {
then {
v6rd v6rd-dom1;
}
}
}
rule dslite-r1 {
match-direction input;
term dslite-t1 {
then {
ds-lite ds1;
}
}
}
[edit services stateful-firewall]
user@host# show
rule r1 {
match-direction input-output;
term t1 {
then {
accept;
}
}
}
NAT Configuration for DS-Lite
Step-by-Step Procedure
To configure NAT for DS-Lite:
Configure a NAT pool for DS-Lite.
content_copy zoom_out_mapuser@host# edit services nat pool dslite-pool [edit services nat pool dslite-pool] user@host# set address-range low 33.33.33.1 high 33.33.33.32 user@host# set port automatic
Configure a NAT rule.
content_copy zoom_out_mapuser@host# up 1 [edit services nat rule dslite-nat-r1] user@host# set match-direction input user@host# set term dslite-nat-t1 from source-address 20.20.0.0/16 then translated translation-type napt-44
Results
[edit services nat]
user@host# show
pool dslite-pool {
address-range low 33.33.33.1 high 33.33.33.32;
port {
automatic;
}
}
rule dslite-nat-r1 {
match-direction input;
term dslite-nat-t1 {
from {
source-address {
20.20.0.0/16;
}
}
then {
translated {
source-pool dslite-pool;
translation-type {
source dynamic;
}
}
}
}
}
Because of this NAT rule, the following NAT routes are installed for the reverse DS-Lite traffic:
user@host# run show route 33.33.33.0/24
inet.0: 48 destinations, 52 routes (47 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
33.33.33.1/32 *[Static/1] 1w2d 23:08:38
Service to v6rd-dslite-service-set
33.33.33.2/31 *[Static/1] 1w2d 23:08:38
Service to v6rd-dslite-service-set
33.33.33.4/30 *[Static/1] 1w2d 23:08:38
Service to v6rd-dslite-service-set
33.33.33.8/29 *[Static/1] 1w2d 23:08:38
Service to v6rd-dslite-service-set
33.33.33.16/28 *[Static/1] 1w2d 23:08:38
Service to v6rd-dslite-service-set
33.33.33.32/32 *[Static/1] 1w2d 23:08:38
Service to v6rd-dslite-service-set
The NAT rule triggers address translation for the traffic coming from 20.20.0.0/16 to public address range 33.33.33.1 to 33.33.33.32.
Service Set Configuration
Step-by-Step Procedure
This service set has a stateful firewall rule and 6rd rule for 6rd service. The service set also includes a softwire rule for DS-Lite and a NAT rule to perform address translation for all DS-Lite traffic. The NAT rule performs NAPT translation in the forward direction on the source address and port of the DS-Lite traffic.
To configure the service set:
Define the service set.
content_copy zoom_out_mapuser@host# edit services service-set v6rd-dslite-service-set
Configure the service set rules.
content_copy zoom_out_map[edit services service-set v6rd-dslite-service-set] user@host# set softwire-rules dslite-r1 user@host# set stateful-firewall-rules r1 user@host# set nat-rules dslite-nat-r1
Configure the service set interface-service.
content_copy zoom_out_map[edit services service-set v6rd-dslite-service-set] user@host# set interface-service service-interface sp-3/0/0
Results
[edit services service-set]
user@host# show
v6rd-dslite-service-set {
softwire-rules v6rd-r1;
softwire-rules dslite-r1;
stateful-firewall-rules r1;
nat-rules dslite-nat-r1;
interface-service {
service-interface sp-3/0/0;
}
DS-Lite Subnet Limitation
- DS-Lite Per Subnet Limitation Overview
- Configuring DS-Lite Per Subnet Session Limitation to Prevent Denial of Service Attacks
DS-Lite Per Subnet Limitation Overview
Junos OS enables you to limit the number of softwire flows from a subscriber’s basic bridging broadband (B4) device at a given point in time, preventing subscribers from excessive use of addresses within the subnet. This limitation reduces the risk of denial-of-service (DoS) attacks. This limitation is supported on MX Series routers equipped with MS-DPCs. Starting in Junos OS Release 18.2R1, MS-MPCs and MS-MICs also support the subnet limitation feature.Starting in Junos OS Release 19.2R1, MX Virtual Chassis and MX Broadband Network Gateway (BNG) routers also support the subnet limitation feature.Starting in Junos OS release 20.2R1, DS-Lite is supported for CGNAT Next Gen Services on MX240, MX480 and MX960 routers.
A household using IPv6 with DS-Lite is a subnet, not just an individual IP address. The subnet limitation feature associates a subscriber and mapping with an IPv6 prefix instead of an IPv6 address. A subscriber can use any IPv6 addresses in that prefix as a DS-Lite B4 address and potentially exhaust carrier-grade NAT resources. The subnet limitation feature enables greater control of resource utilization by identifying a subscriber with a prefix instead of a specific address.
The subnet limit provides the following features:
Flows utilize the complete B4 address.
Prefix length can be configured per service set under softwire-options for the individual service-set.
Port blocks are allocated per prefix of the subscriber B4 device, and not on each B4 address (if the prefix length is less than 128). If the prefix length is 128, then each IPv6 address is treated as a B4. Port blocks are allocated per 128-bit IPv6 address.
Session limit, defined under the DS-Lite softwire concentrator configuration, limits the number of IPv4 sessions for the prefix.
EIM, EIF, and PCP mappings are created per softwire tunnel (full 128 bit IPv6 address). Stale mappings time out based on timeout values.
If prefix length is configured , then PCP
max-mappings-per-subscriber(configurable underpcp-server) is based on the prefix only, and not the full B4 address.SYSLOGS for PBA allocation and release contain the prefix portion of the address completed with all zeros. SYSLOGS for PCP allocate and release, flow creation and deletion will still contain the complete IPv6 address.
The show services nat mappings address-pooling-paired operational command output now shows the mapping for the prefix.
The mapping shows the address of the active B4.
The show services softwire statistics ds-lite output
includes a new field that displays the number of times the session
limit was exceeded for the MPC.
For Next Gen Services on MX240, MX480, and MX960 routers, the
subnet limit statistic is displayed in the Softwire session limit
exceeded field.
show services softwire statistics (MX-SPC3)
user@host> show services softwire statistics
vms-2/0/0
Total Session Interest events :3
Total Session Destroy events :2
Total Session Public Request events :0
Total Session Accepts :1
Total Session Discards :0
Total Session Ignores :0
Total Session extension alloc failures :0
Total Session extension set failures :0
Softwire statistics
Total Softwire sessions created :1
Total Softwire sessions deleted :2
Total Softwire sessions created for reverse packets :1
Total Softwire session create failed for reverse pkts :0
Total Softwire rule match success :1
Total Softwire rule match failed :0
Softwire session limit exceeded :0
Softwire packet statistics
Total Packets processed :1
Total packets encapsulated :1
Total packets decapsulated :1
Encapsulation errors :0
Decapsulation errors :0
Encapsulated pkts re-inject failures :0
Decapsulated pkts re-inject failures :0
DS-Lite ICMPv4 Echo replies sent :0
DS-Lite ICMPv4 TTL exceeded messages sent :0
ICMPv6 ECHO request messages received destined to AFTR :0
ICMPv6 ECHO reply messages sent from AFTR :0
ICMPv6 ECHO requests to AFTR process failures :0
V6 untunnelled packets destined to AFTR dropped :1
Softwire policy add errors :0
Softwire policy delete errors :0
Softwire policy memory alloc failures :0
Softwire Untunnelled packets ignored :0
Softwire Misc errors
DS-Lite ICMPv4 TTL exceed message process errors :0
See Also
Configuring DS-Lite Per Subnet Session Limitation to Prevent Denial of Service Attacks
You can configure the DS-Lite per subnet limitation on MX Series routers equipped with MS-DPCs. Starting in Junos OS Release 18.2R1, MS-MPCs and MS-MICs also support the subnet limitation feature. Starting in Junos OS Release 20.2R1, the Next Gen Services MX-SPC3 security services card supports the subnet limitation feature.
Starting in Junos OS Release 19.2R1, MX Virtual Chassis and MX Broadband Network Gateway (BNG) routers also support the subnet limitation feature.
To configure DS-Lite per subnet session limitation:
See Also
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
mtu-v6 option is supported on MX
Series routers with MS-MPCs or MS-MICs.