Port Control Protocol
Port Control Protocol Overview
Port Control Protocol (PCP) provides a way to control the forwarding of incoming packets by upstream devices, such as NAT44 and firewall devices, and a way to reduce application keepalive traffic. PCP is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICs. Starting in Junos OS Release 17.4R1, PCP for NAPT44 is also supported on the MS-MPC and MS-MIC. Starting in Junos OS Release 18.2R1, PCP on the MS-MPC and MS-MIC supports DS-Lite; in Junos OS Release 18.1 and earlier releases, PCP on the MS-MPC and MS-MIC does not support DS-Lite. Starting in Junos OS Release 20.2R1, PCP for CGNAT DS-Lite services is supported for Next Gen Services.
PCP is designed to be implemented in the context of both Carrier-Grade NATs (CGNs) and small NATs (for example, residential NATs). PCP enables hosts to operate servers for a long time (as in the case of a webcam) or a short time (for example, while playing a game or on a phone call) when behind a NAT device, including when behind a CGN operated by their ISP. PCP enables applications to create mappings from an external IP address and port to an internal IP address and port. These mappings are required for successful inbound communications destined to machines located behind a NAT or a firewall. After a mapping for incoming connections is created, remote computers must be informed about the IP address and port for the incoming connection. This is usually done in an application-specific manner.
Junos OS supports PCP version 2 and version 1.
PCP consists of the following components:
PCP client—A host or gateway that issues PCP requests to a PCP server in order to obtain and control resources.
PCP server—Typically a CGN gateway or co-located server that receives and processes PCP requests.
Junos OS enables configuring PCP servers for mapping flows using NAPT44 capabilities such as port forwarding and port block allocation. Flows can be processed from these sources:
Traffic containing PCP requests received directly from user equipment, as shown in Figure 1.
Figure 1: Basic PCP NAPT44 Topology
Mapping of traffic containing PCP requests added by a router functioning as a DS-Lite softwire initiator (B4). This mode, known as DS-Lite plain mode, is shown in Figure 2.
Figure 2: PCP with DS-Lite Plain Mode
Junos OS does not support deterministic port block allocation for PCP-originated traffic.
Benefits of Port Control Protocol
Many NAT-friendly applications send frequent application-level messages to ensure their sessions are not being timed out by a NAT device. PCP is used to:
Reduce the frequency of these NAT keepalive messages
Reduce bandwidth on the subscriber's access network
Reduce traffic to the server
Reduce battery consumption on mobile devices
Port Control Protocol Version 2
Starting with Junos OS Release 15.1, Port Control Protocol (PCP) version 2 is supported, in compliance with RFC 6887. PCP provides a way to control the forwarding of incoming packets by upstream devices, such as NAT44 and firewall devices, and a way to reduce application keep-alive traffic. PCP version 2 supports nonce authentication. PCP allows applications to create mappings from an external IP address and port to an internal IP address and port. A nonce payload prevents a replay attack; it is sent by default unless it is explicitly disabled.
Client nonce verification for version 2 map requests (for refresh or delete) requires that the nonce received in the original map request that caused the PCP mapping to be created is preserved. The version of the initial request that created the mapping is also preserved. Saving the nonce and version parameters uses 13 bytes per PCP mapping. This slight increase in storage space is not significant compared with the memory a system already uses for a single requested mapping (taking into account the endpoint-independent mapping (EIM) and endpoint-independent filtering (EIF) entries that are created along with it). In a customer deployment, PCP-created EIM and EIF mappings represent only a fraction of all such mappings.
Before Junos OS Release 15.1, services PICs support PCP servers on Juniper Networks routers in accordance with PCP draft version 22 with version 1 message encoding. As PCP was refined from the draft version defined in Port Control Protocol (PCP) draft-ietf-pcp-base-22 (July 2012 expiration) to the finalized standard defined in RFC 6887 -- Port Control Protocol (PCP), the message encoding changed to version 2 with the addition of a random nonce payload to authenticate peer and map requests as necessary. Version 1 does not decode messages in the version 2 format, and nonce authentication is not supported. In a real-world network environment, with customer premises equipment (CPE) devices increasingly supporting version 2 only, the server must parse and send version 2 messages. Backward compatibility with CPE devices that support only version 1 is maintained (version negotiation is part of the standard), and request nonce payloads are authenticated when version 2 messages are in use.
The output of the show services pcp statistics command contains the PCP unsupported version field, which is incremented whenever the version is not 1 or 2. A new field, PCP request nonce does not match existing mapping, is introduced to indicate the number of PCP version 2 requests that were ignored because the nonce payload did not match the one recorded in the mapping (authentication failed). If version 2 is in use, the client nonce is used for authentication.
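The version check and nonce authentication described above, modelled as an added example that is not Junos code and not from this page: a small RFC 6887 MAP-request handler that accepts versions 1 and 2, answers any other version with UNSUPP_VERSION (advertising version 2), keeps the nonce and version with each mapping, and drops and counts a refresh or delete of a version 2 mapping whose nonce does not match, which is the behaviour behind the two statistics fields just mentioned. The assumptions are: the version 1 MAP body is taken as the draft-22 layout without a nonce, the external port assignment and epoch time are simplified, the mismatch is handled by ignoring the request as the page describes, and all addresses, ports and nonces are constructed.

```python
"""Added example: a minimal RFC 6887 MAP-request handler that models the
version check, nonce authentication and lifetime handling this page describes.
It is not Junos code; addresses, ports and nonces are constructed."""
import ipaddress
import os
import struct

OPCODE_MAP = 1
# RFC 6887 result codes; the names mirror the Result Statistics counters of
# "show services pcp statistics protocol" shown later on this page.
SUCCESS, UNSUPP_VERSION, MALFORMED_REQUEST, USER_EX_QUOTA = 0, 1, 3, 10


def _packed_client(ip):
    """PCP carries the client address as 128 bits; IPv4 is IPv4-mapped IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        addr = ipaddress.IPv6Address("::ffff:" + str(addr))
    return addr.packed


def build_map_request(version, client_ip, internal_port, lifetime, nonce=None, protocol=6):
    """Encode a MAP request. A version 2 request carries a 96-bit mapping nonce
    after the common header (RFC 6887 section 11.1). The version 1 body used
    here is the draft-22 layout without a nonce (an assumption of this example)."""
    header = struct.pack("!BBHI16s", version, OPCODE_MAP, 0, lifetime,
                         _packed_client(client_ip))
    body = nonce if version == 2 else b""
    # protocol, 24 reserved bits, internal port, suggested external port/address
    body += struct.pack("!B3xHH16s", protocol, internal_port, 0, bytes(16))
    return header + body


class PcpServer:
    """One PCP server configured with the limits used in the page's example."""

    def __init__(self, lifetime_min=600, lifetime_max=86500, max_per_client=128):
        self.lifetime_min, self.lifetime_max = lifetime_min, lifetime_max
        self.max_per_client = max_per_client
        self.mappings = {}              # (client_ip, protocol, internal_port) -> record
        self.next_external_port = 1025  # simplified port assignment (assumption)
        self.stats = {"map_requests": 0, "success": 0,
                      "unsupported_version": 0, "nonce_mismatch": 0}

    def _reply(self, version, result, lifetime=0):
        # Response header: R bit set on the opcode, result code, lifetime,
        # server epoch (0 here) and 12 reserved bytes (RFC 6887 section 7.2).
        return struct.pack("!BBBBII12x", version, OPCODE_MAP | 0x80, 0, result, lifetime, 0)

    def handle(self, packet):
        """Process one request. Returns response bytes, or None when the request
        is dropped and counted (the nonce-mismatch case the page describes)."""
        if not packet:
            return None
        version = packet[0]
        if version not in (1, 2):
            self.stats["unsupported_version"] += 1
            return self._reply(2, UNSUPP_VERSION)   # advertise the highest version we speak
        if len(packet) < 24 or (packet[1] & 0x7F) != OPCODE_MAP:
            return self._reply(version, MALFORMED_REQUEST)
        self.stats["map_requests"] += 1
        _, _, _, lifetime, client = struct.unpack("!BBHI16s", packet[:24])
        body, nonce = packet[24:], None
        if version == 2:
            nonce, body = body[:12], body[12:]
        if len(body) < 24:
            return self._reply(version, MALFORMED_REQUEST)
        protocol, internal_port = struct.unpack("!B3xH", body[:6])
        addr6 = ipaddress.IPv6Address(client)
        client_ip = str(addr6.ipv4_mapped or addr6)
        key = (client_ip, protocol, internal_port)
        record = self.mappings.get(key)
        if record is not None and record["version"] == 2 and nonce != record["nonce"]:
            # A refresh or delete of a v2 mapping must present the nonce that created
            # it; the 12-byte nonce plus 1-byte version are the 13 bytes kept per mapping.
            self.stats["nonce_mismatch"] += 1
            return None
        if lifetime == 0:                            # requested lifetime 0 = delete
            self.mappings.pop(key, None)
            self.stats["success"] += 1
            return self._reply(version, SUCCESS, 0)
        if record is None:
            if sum(1 for k in self.mappings if k[0] == client_ip) >= self.max_per_client:
                return self._reply(version, USER_EX_QUOTA)   # max-mappings-per-client
            record = {"external_port": self.next_external_port, "nonce": nonce, "version": version}
            self.next_external_port += 1
            self.mappings[key] = record
        # Clamp to the configured mapping-lifetime-minimum / -maximum.
        record["lifetime"] = max(self.lifetime_min, min(self.lifetime_max, lifetime))
        self.stats["success"] += 1
        return self._reply(version, SUCCESS, record["lifetime"])


if __name__ == "__main__":
    server, nonce = PcpServer(), os.urandom(12)
    server.handle(build_map_request(2, "10.1.1.2", 9000, 995, nonce))
    server.handle(build_map_request(2, "10.1.1.2", 9000, 995, os.urandom(12)))  # wrong nonce
    print(server.stats, server.mappings)
```

Running the block creates one mapping and then drops a second request for the same internal port that carries a different nonce, so the stats show one success and one nonce mismatch; a request with a version byte other than 1 or 2 increments the unsupported-version counter instead.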
Configuring Port Control Protocol
This topic describes how to configure Port Control Protocol (PCP). PCP is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICs. Starting in Junos OS Release 17.4R1, PCP for NAPT44 is also supported on the MS-MPC and MS-MIC. Starting in Junos OS Release 18.2R1, PCP on the MS-MPC and MS-MIC supports DS-Lite. In Junos OS Release 18.1 and earlier releases, PCP on the MS-MPC and MS-MIC does not support DS-Lite. Starting in Junos OS Release 20.2R1, PCP is supported on the MX-SPC3 security services card for CGNAT services.
Perform the following configuration tasks:
- Configuring PCP Server Options
- Configuring a PCP Rule
- Configuring a NAT Rule
- Configuring a Service Set to Apply PCP
- SYSLOG Message Configuration
Configuring PCP Server Options
Configuring a PCP Rule
A PCP rule has the same basic options as all service set rules:
A term option that allows a single rule to have multiple applications. A term is not required when running the MX-SPC3 security services card for Next Gen Services.
A from option that identifies the traffic that is subject to the rule.
A then option that identifies what action is to be taken. In the case of a PCP rule, this option identifies the PCP server that handles the selected traffic.
Configuring a NAT Rule
To configure a NAT rule:
Configuring a Service Set to Apply PCP
To use PCP, you must provide the rule name (or the name of a list of rule names) in the pcp-rule rule-name option. Your service set must also identify any required nat-rule and softwire-rule.
SYSLOG Message Configuration
A new syslog class configuration option, pcp-logs, has been provided to control PCP log generation. It provides the following levels of logging:
protocol—All logs related to mapping creation and deletion are included at this level of logging.
protocol-error—All protocol error related logs (such as mapping refresh failed, PCP lookup failed, and mapping creation failed) are included at this level of logging.
system-error—Memory and infrastructure errors are included at this level of logging.
Monitoring Port Control Protocol Operations
You can monitor Port Control Protocol (PCP) operations with the following operational commands:
For MS-MPCs, use the show services nat mappings pcp command.
Note: PCP is not supported for Next Gen Services in Junos OS Release 19.3R2.
For MS-MPCs, use the show services nat mappings endpoint-independent command. For Next Gen Services, use the show services nat source mappings endpoint-independent command.
Use the show services pcp statistics protocol command.
The following are examples of the output of these commands.
user@host> show services nat mappings pcp
Interface: sp-0/0/0, Service set: in
NAT pool: p
PCP Client : 10.1.1.2 PCP lifetime : 995
Mapping : 10.1.1.2 : 9000 --> 8.8.8.8 : 1025
Session Count : 1
Mapping State : Active

DS-LITE output:
===============
PCP Client : 2222::1 PCP lifetime : 106
Mapping : 88.1.0.47 : 47 --> 70.70.70.1 :41972
Session Count : 1
Mapping State : Active
B4 Address : 2222::1
user@host> show services nat mappings endpoint-independent
Interface: sp-0/0/0, Service set: in
NAT pool: p
Mapping : 10.1.1.2 :57400 --> 8.8.8.8 : 1024
Session Count : 0
Mapping State : Timeout
PCP Client : 10.1.1.2 PCP lifetime : 991
Mapping : 10.1.1.2 : 9000 --> 8.8.8.8 : 1025
Session Count : 1
Mapping State : Active

DS-LITE output:
===============
PCP Client : 2222::1 PCP lifetime : 190
Mapping : 88.1.1.3 : 4001 --> 70.70.70.2 :58989
Session Count : 1
Mapping State : Active
B4 Address : 2222::1
user@host> show services pcp statistics protocol
Protocol Statistics:
  Operational Statistics
    Map request received                :0
    Peer request received               :0
    Other operational counters          :0
  Option Statistics
    Unprocessed requests received       :0
    Third party requets received        :0
    Prefer fail option received         :0
    Filter option received              :0
    Other options counters              :0
    Option optional received            :0
  Result Statistics
    PCP success                         :0
    PCP unsupported version             :0
    Not authorized                      :0
    Bad requests                        :0
    Unsupported opcode                  :0
    Unsupported option                  :0
    Bad option                          :0
    Network failure                     :0
    Out of resources                    :0
    Unsupported protocol                :0
    User exceeded quota                 :0
    Cannot provide external             :0
    Address mismatch                    :0
    Excessive number of remote peers    :0
    Processing error                    :0
    Other result counters               :0
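The mapping output above is the data an operator would watch for clients approaching max-mappings-per-client or for PCP mappings about to expire. The following is an added example, not part of this page or of Junos: a parser for the text of show services nat mappings pcp and show services nat mappings endpoint-independent (both NAPT44 and DS-Lite records, including entries without a PCP Client line) and a summary per PCP client. The sample output is constructed after the page's examples; the quota fraction (90%) and the lifetime warning threshold (300 seconds) are assumptions chosen for illustration.

```python
"""Added example (not from the page): parse the text of "show services nat
mappings pcp" / "... endpoint-independent" into records and summarise them
per PCP client. The sample output is constructed after the page's examples."""
import re
from collections import Counter

SAMPLE_OUTPUT = """\
Interface: sp-0/0/0, Service set: in
NAT pool: p
Mapping : 10.1.1.2 :57400 --> 8.8.8.8 : 1024
Session Count : 0
Mapping State : Timeout
PCP Client : 10.1.1.2 PCP lifetime : 991
Mapping : 10.1.1.2 : 9000 --> 8.8.8.8 : 1025
Session Count : 1
Mapping State : Active

DS-LITE output:
===============
PCP Client : 2222::1 PCP lifetime : 190
Mapping : 88.1.1.3 : 4001 --> 70.70.70.2 :58989
Session Count : 1
Mapping State : Active
B4 Address : 2222::1
"""

# The PCP Client line precedes the Mapping line it describes; a Mapping line
# without one is a plain NAT mapping that was not created through PCP.
CLIENT_RE = re.compile(r"^PCP Client\s*:\s*(\S+)\s+PCP lifetime\s*:\s*(\d+)")
MAPPING_RE = re.compile(r"^Mapping\s*:\s*(\S+)\s*:\s*(\d+)\s*-->\s*(\S+)\s*:\s*(\d+)")
FIELD_RE = re.compile(r"^(Session Count|Mapping State|B4 Address)\s*:\s*(\S+)")


def parse_nat_mappings(text):
    """Return one dict per mapping record found in the command output."""
    records, pending, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CLIENT_RE.match(line)
        if m:
            pending = {"pcp_client": m.group(1), "pcp_lifetime": int(m.group(2))}
            continue
        m = MAPPING_RE.match(line)
        if m:
            current = {"internal_ip": m.group(1), "internal_port": int(m.group(2)),
                       "external_ip": m.group(3), "external_port": int(m.group(4)),
                       "pcp_client": None, "pcp_lifetime": None, "b4_address": None}
            current.update(pending)      # attach the PCP Client line seen just before
            pending = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key = m.group(1).lower().replace(" ", "_")
            current[key] = int(m.group(2)) if key == "session_count" else m.group(2)
    return records


def summarize(records, max_mappings_per_client=128, lifetime_warn=300):
    """Per-client view: active PCP mappings, clients near the configured quota,
    mappings whose remaining PCP lifetime is short, and timed-out non-PCP entries."""
    per_client = Counter(r["pcp_client"] for r in records
                         if r["pcp_client"] and r.get("mapping_state") == "Active")
    return {
        "active_pcp_mappings_per_client": dict(per_client),
        "clients_near_quota": [c for c, n in per_client.items()
                               if n >= 0.9 * max_mappings_per_client],
        "expiring_soon": [(r["pcp_client"], r["external_port"]) for r in records
                          if r["pcp_lifetime"] is not None and r["pcp_lifetime"] < lifetime_warn],
        "non_pcp_timed_out": sum(1 for r in records
                                 if r["pcp_client"] is None and r.get("mapping_state") == "Timeout"),
    }


if __name__ == "__main__":
    parsed = parse_nat_mappings(SAMPLE_OUTPUT)
    for rec in parsed:
        print(rec)
    print(summarize(parsed))
```

On the constructed sample the parser yields three records: a timed-out NAPT44 mapping with no PCP client, the active PCP mapping for 10.1.1.2 with 991 seconds of lifetime left, and the DS-Lite mapping for B4 2222::1, which the summary lists as expiring soon because its lifetime (190 seconds) is under the assumed threshold.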
Example: Configuring Port Control Protocol with NAPT44
PCP is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICs. Starting in Junos OS Release 17.4R1, PCP for NAPT44 is also supported on the MS-MPC and MS-MIC.
Requirements
Hardware Requirements
UEs with PCP clients.
An MX 3D Router with an MS-DPC services PIC.
Software Requirements
Junos OS 13.2
Layer-3 Services Package
Overview
An ISP wants to enable UEs with PCP clients to maintain connections to servers without timing out. The PCP clients generate PCP requests for the type and duration of the connection they require. Connections may be of a long duration, such as applications using a webcam, or a shorter duration, such as online games. An MX 3D router provides a PCP server to interpret PCP client requests, and NAPT44. Figure 3 shows the basic topology for this example.
PCP Configuration
- CLI Quick Configuration
- Chassis Configuration
- Interface Configuration
- NAT Configuration
- PCP Configuration
- Service Set Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set chassis fpc 2 pic 0 adaptive-services service-package layer-3
set interfaces sp-2/0/0 services-options inactivity-timeout 180 cgn-pic
set interfaces sp-2/0/0 unit 0 family inet
set interfaces xe-3/2/0 unit 0 family inet service input service-set sset_0
set interfaces xe-3/2/0 unit 0 family inet service output service-set sset_0
set interfaces xe-3/2/0 unit 0 family inet address 30.0.0.1/24
set interfaces xe-5/0/0 unit 0 family inet address 25.0.0.1/24
set services nat pool pcp-pool address 44.0.0.0/16
set services nat pool pcp-pool port automatic random-allocation
set services nat pool pcp-pool address-allocation round-robin
set services nat rule pcp-rule match-direction input
set services nat rule pcp-rule term t0 then translated source-pool pcp-pool translation-type napt-44
set services nat rule pcp-rule term t0 then translated mapping-type endpoint-independent filtering-type endpoint-independent
set services pcp server pcp-s1 ipv4-address 124.124.124.122
set services pcp server pcp-s1 mapping-lifetime-minimum 600 mapping-lifetime-maximum 86500
set services pcp server pcp-s1 short-lifetime-error 120 long-lifetime-error 1200
set services pcp server pcp-s1 max-mappings-per-client 128 pcp-options third-party prefer-failure
set services pcp rule pcp-napt44-rule match-direction input
set services pcp rule pcp-napt44-rule term t0 then pcp-server pcp-s1
set services service-set sset_0 pcp-rules pcp-napt44-rule
set services service-set sset_0 nat-rules pcp-rule
set services service-set sset_0 interface-service service-interface sp-2/0/0.0
Chassis Configuration
Step-by-Step Procedure
To configure the service PIC (FPC 2 Slot 0) with the Layer 3 service package:
Go to the [edit chassis] hierarchy level.
user@host# edit chassis
Configure the Layer 3 service package.
[edit chassis]
user@host# set fpc 2 pic 0 adaptive-services service-package layer-3
Results
user@host# show chassis fpc 2 pic 0
adaptive-services {
    service-package layer-3;
}
Interface Configuration
Step-by-Step Procedure
Configure the services MS-DPC.
user@host# set interfaces sp-2/0/0 services-options inactivity-timeout 180 cgn-pic
user@host# set interfaces sp-2/0/0 unit 0 family inet
Configure the customer-facing interface used for NAT and PCP services.
user@host# set interfaces xe-3/2/0 unit 0 family inet service input service-set sset_0
user@host# set interfaces xe-3/2/0 unit 0 family inet service output service-set sset_0
user@host# set interfaces xe-3/2/0 unit 0 family inet address 30.0.0.1/24
Configure the Internet-facing interface.
user@host# set interfaces xe-5/0/0 unit 0 family inet address 25.0.0.1/24
Results
user@host# show interfaces
sp-2/0/0 {
    services-options {
        inactivity-timeout 180;
        cgn-pic;
    }
    unit 0 {
        family inet;
    }
}
xe-3/2/0 {
    unit 0 {
        family inet {
            service {
                input {
                    service-set sset_0;
                }
                output {
                    service-set sset_0;
                }
            }
            address 30.0.0.1/24;
        }
    }
}
xe-5/0/0 {
    unit 0 {
        family inet {
            address 25.0.0.1/24;
        }
    }
}
NAT Configuration
Step-by-Step Procedure
Go to the [edit services nat] hierarchy level.
user@host# edit services nat
Configure a NAT pool called pcp-pool.
[edit services nat]
user@host# set pool pcp-pool address 44.0.0.0/16
user@host# set pool pcp-pool port automatic random-allocation
user@host# set pool pcp-pool address-allocation round-robin
Configure a NAT rule called pcp-rule.
[edit services nat]
user@host# set rule pcp-rule match-direction input
user@host# set rule pcp-rule term t0 then translated source-pool pcp-pool translation-type napt-44
user@host# set rule pcp-rule term t0 then translated mapping-type endpoint-independent filtering-type endpoint-independent
Results
user@host# show services nat
pool pcp-pool {
    address 44.0.0.0/16;
    port {
        automatic {
            random-allocation;
        }
    }
    address-allocation round-robin;
}
rule pcp-rule {
    match-direction input;
    term t0 {
        then {
            translated {
                source-pool pcp-pool;
                translation-type {
                    napt-44;
                }
                mapping-type endpoint-independent;
                filtering-type {
                    endpoint-independent;
                }
            }
        }
    }
}
PCP Configuration
Step-by-Step Procedure
To configure the PCP server and PCP rule options:
Go to the [edit services pcp] hierarchy level for server pcp-s1.
user@host# edit services pcp server pcp-s1
Configure the PCP server options.
[edit services pcp server pcp-s1]
user@host# set ipv4-address 124.124.124.122
user@host# set mapping-lifetime-minimum 600
user@host# set mapping-lifetime-maximum 86500
user@host# set short-lifetime-error 120
user@host# set long-lifetime-error 1200
user@host# set max-mappings-per-client 128
user@host# set pcp-options third-party prefer-failure
Create the PCP rule at the [edit services pcp] hierarchy level.
[edit services pcp]
user@host# edit rule pcp-napt44-rule
Configure the PCP rule options.
[edit services pcp rule pcp-napt44-rule]
user@host# set match-direction input
user@host# set term t0 then pcp-server pcp-s1
Results
user@host# show services pcp
server pcp-s1 {
    ipv4-address 124.124.124.122;
    mapping-lifetime-minimum 600;
    mapping-lifetime-maximum 86500;
    short-lifetime-error 120;
    long-lifetime-error 1200;
    max-mappings-per-client 128;
    pcp-options third-party prefer-failure;
}
rule pcp-napt44-rule {
    match-direction input;
    term t0 {
        then {
            pcp-server pcp-s1;
        }
    }
}
Service Set Configuration
Step-by-Step Procedure
Create a service set, sset_0, at the [edit services service-set] hierarchy level.
user@host# edit services service-set sset_0
Identify the NAT rule associated with the service set.
[edit services service-set sset_0]
user@host# set nat-rules pcp-rule
Identify the PCP rule associated with the service set.
[edit services service-set sset_0]
user@host# set pcp-rules pcp-napt44-rule
Identify the service interface associated with the service set.
[edit services service-set sset_0]
user@host# set interface-service service-interface sp-2/0/0.0
Results
user@host# show
pcp-rules pcp-napt44-rule;
nat-rules pcp-rule;
interface-service {
    service-interface sp-2/0/0.0;
}
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.