Configuring Port Control Protocol

24-Nov-23

This topic describes how to configure Port Control Protocol (PCP). PCP is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICs. Starting in Junos OS Release 17.4R1, PCP for NAPT44 is also supported on the MS-MPC and MS-MIC. Starting in Junos OS Release 18.2R1, PCP on the MS-MPC and MS-MIC supports DS-Lite; in Junos OS Release 18.1 and earlier releases, PCP on the MS-MPC and MS-MIC does not support DS-Lite. Starting in Junos OS Release 20.2R1, PCP is supported on the MX-SPC3 security services card for CGNAT services.

Perform the following configuration tasks:

Configuring PCP Server Options

  1. Specify a PCP server name.
    user@host# edit services pcp server server-name
    
  2. Set the IPv4 or IPv6 addresses of the server. For PCP DS-Lite, the ipv6-address must match the address of the AFTR (Address Family Transition Router or softwire concentrator).
    Note:

    Starting in Junos OS Release 18.2R1, PCP on the MS-MPC and MS-MIC supports DS-Lite. In Junos OS Release 18.1 and earlier releases, PCP on the MS-MPC and MS-MIC does not support DS-Lite.

    [edit services pcp server server-name]
    user@host# set ipv6-address ipv6-address
    

    or

    [edit services pcp server server-name]
    user@host# set ipv4-address ipv4-address
    
  3. For PCP DS-Lite, provide the name of the DS-Lite softwire concentrator configuration.
    [edit services pcp server server-name]
    user@host# set softwire-concentrator softwire-concentrator-name
    
  4. Specify the minimum and maximum mapping lifetimes for the server.
    [edit services pcp server server-name]
    user@host# set mapping-lifetime-minimum mapping-lifetime-min
    user@host# set mapping-lifetime-maximum mapping-lifetime-max
    
  5. Specify the time limits for generating short lifetime or long lifetime errors.
    [edit services pcp server server-name]
    user@host# set short-lifetime-error short-lifetime-error
    user@host# set long-lifetime-error long-lifetime-error
    
  6. (Optional)—Enable PCP options on the specified PCP server. Two options are available: third-party and prefer-failure. The third-party option is required to enable third-party requests by the PCP client; DS-Lite requires the third-party option. The prefer-failure option requests an error response when the PCP client asks for a specific IP address/port that is not available, rather than assigning another available address from the NAT pool. If prefer-failure is not specified, NAPT44 assigns an available address/port from the NAT pool based on the configured NAT options.
    [edit services pcp server server-name]
    user@host# set pcp-options third-party
    user@host# set pcp-options prefer-failure
    
  7. (Optional)—Specify which NAT pool to use for mapping.
    [edit services pcp server server-name]
    user@host# set nat-options pool-name1 <poolname2...>
    
    Note:

    When you do not explicitly specify a NAT pool for mapping, Junos OS performs a partial rule match based on source IP, source port, and protocol, and uses the NAT pool configured for the first matching rule to allocate mappings for PCP.

    You must use explicit configuration in order to use multiple NAT pools.

    For the MX-SPC3 security services card and Next Gen Services, the nat-options statement supports only one pool name to attach to a PCP server.

  8. (Optional)—Configure the maximum number of mappings per client. The default is 32 and maximum is 128.
    [edit services pcp server server-name]
    user@host# set max-mappings-per-client max-mappings-per-client
    

Configuring a PCP Rule

A PCP rule has the same basic options as all service set rules:

  • A term option that allows a single rule to have multiple applications.

    A term is not required when running the MX-SPC3 security services card for Next Gen Services.

  • A from option that identifies the traffic that is subject to the rule.

  • A then option that identifies the action to take. In the case of a PCP rule, this option identifies the PCP server that handles the selected traffic.

  1. Go to the [edit services pcp rule rule-name] hierarchy level and specify match-direction input.
    user@host# edit services pcp rule rule-name
    user@host# set match-direction input
    
  2. Go to the [edit services pcp rule rule-name term term-name] hierarchy level and provide a term name.
    user@host# edit term term-name
    

    This step is not required when running the MX-SPC3 security services card for Next Gen Services.

  3. (Optional)—Provide a from option to filter the traffic to be selected for processing by the rule. When you omit the from option, all traffic handled by the service set’s service interface is subject to the rule. The following options are available at the [edit services pcp rule rule-name term term-name from] hierarchy level:
    application-sets set-name

    Traffic for the application set is processed by the PCP rule.

    This step is not required when running the MX-SPC3 security services card for Next Gen Services.

    applications [ application-name ]

    Traffic for the application is processed by the PCP rule.

    This option is not required when running the MX-SPC3 security services card for Next Gen Services.

    destination-address address <except>

    Traffic for the destination address or prefix is processed by the PCP rule. If you include the except option, traffic for the destination address or prefix is not processed by the PCP rule.

    destination-address-range high maximum-value low minimum-value <except>

    Traffic for the destination address range is processed by the PCP rule. If you include the except option, traffic for the destination address range is not processed by the PCP rule.

    destination-port high maximum-value low minimum-value

    Traffic for the destination port range is processed by the PCP rule.

    destination-prefix-list list-name <except>

    Traffic for a destination address in the prefix list is processed by the PCP rule. If you include the except option, traffic for a destination address in the prefix list is not processed by the PCP rule.

    source-address address <except>

    Traffic from the source address or prefix is processed by the PCP rule. If you include the except option, traffic from the source address or prefix is not processed by the PCP rule.

    source-address-range high maximum-value low minimum-value <except>

    Traffic from the source address range is processed by the PCP rule. If you include the except option, traffic from the source address range is not processed by the PCP rule.

    source-prefix-list list-name <except>

    Traffic from a source address in the prefix list is processed by the PCP rule. If you include the except option, traffic from a source address in the prefix list is not processed by the PCP rule.

  4. Set the then option to identify the target PCP server.
    [edit services pcp rule rule-name term term-name]
    user@host# set then pcp-server server-name
    

Configuring a NAT Rule

To configure a NAT rule:

  1. Configure the NAT rule name and the match direction.
    [edit services nat]
    user@host# set rule rule-name match-direction match-direction
    
  2. Specify the NAT pool to use:
    [edit services nat rule rule-name term term-name then translated]
    user@host# set source-pool nat-pool-name
    
  3. Configure the translation type.
    [edit services nat rule rule-name term term-name then translated]
    user@host# set translation-type translation-type
    
  4. If you are using PCP with IPv4-to-IPv4 NAT or with DS-Lite, configure endpoint-independent mapping (EIM) and endpoint-independent filtering (EIF).
    [edit services nat rule rule-name term term-name then translated]
    user@host# set mapping-type endpoint-independent
    user@host# set filtering-type endpoint-independent
    
    Note:

    The PCP mappings are not created if you do not configure EIM and EIF with PCP for IPv4-to-IPv4 NAT or for DS-Lite.

Configuring a Service Set to Apply PCP

To use PCP, you must provide the rule name (or name of a list of rule names) in the pcp-rule rule-name option.

  1. Go to the [edit services service-set service-set-name] hierarchy level.
    user@host# edit services service-set service-set-name
    
  2. If this is a new service set, provide basic service set information, including interface information and any other rules that may apply.
  3. Specify the name of the PCP rule or rule list used to send traffic to the specified PCP server.
    [edit services service-set service-set-name]
    user@host# set pcp-rule rule-name | rule-listname
    
Note:

Your service set must also identify any required nat-rule and softwire-rule.
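The following consolidated configuration is an added example, not part of the original topic, that carries the four procedures above (PCP server options, PCP rule, NAT rule, service set) through for a NAPT44 deployment as set commands. The names pcp-srv1, pcp-r1, nat-r1, napt-pool1 and ss-cgnat, the RFC 5737 documentation addresses, the timer values, the NAT pool definition, the nat-rules statement and the service interface ms-1/0/0 are assumptions; the statement names under each hierarchy follow the steps above.

```junos
# Added example; names, addresses, timers, the NAT pool, nat-rules and the
# service interface ms-1/0/0 are assumptions, not values from the topic.

# 1. PCP server (Configuring PCP Server Options, steps 1 to 8)
set services pcp server pcp-srv1 ipv4-address 192.0.2.1
set services pcp server pcp-srv1 mapping-lifetime-minimum 120
set services pcp server pcp-srv1 mapping-lifetime-maximum 7200
set services pcp server pcp-srv1 short-lifetime-error 30
set services pcp server pcp-srv1 long-lifetime-error 1800
# prefer-failure: answer with an error instead of a substitute address/port
# when a client asks for a specific external address/port that is taken
set services pcp server pcp-srv1 pcp-options prefer-failure
# Bind the server to a pool explicitly rather than relying on the
# first-matching-NAT-rule lookup described in step 7
set services pcp server pcp-srv1 nat-options napt-pool1
# Cap per-client mappings so one subscriber cannot exhaust the pool
set services pcp server pcp-srv1 max-mappings-per-client 32

# 2. PCP rule: only the inside subscriber prefix may request mappings
set services pcp rule pcp-r1 match-direction input
set services pcp rule pcp-r1 term t1 from source-address 10.0.0.0/8
set services pcp rule pcp-r1 term t1 then pcp-server pcp-srv1

# 3. NAT pool and rule: EIM and EIF are mandatory for PCP with NAPT44,
# otherwise no PCP mapping is created (note after step 4)
set services nat pool napt-pool1 address 203.0.113.0/24
set services nat pool napt-pool1 port automatic
set services nat rule nat-r1 match-direction input
set services nat rule nat-r1 term t1 from source-address 10.0.0.0/8
set services nat rule nat-r1 term t1 then translated source-pool napt-pool1
set services nat rule nat-r1 term t1 then translated translation-type napt-44
set services nat rule nat-r1 term t1 then translated mapping-type endpoint-independent
set services nat rule nat-r1 term t1 then translated filtering-type endpoint-independent

# 4. Service set: attach the PCP rule and the NAT rule to the service interface
set services service-set ss-cgnat interface-service service-interface ms-1/0/0
set services service-set ss-cgnat pcp-rule pcp-r1
set services service-set ss-cgnat nat-rules nat-r1
```

For a DS-Lite deployment the server additionally needs pcp-options third-party, an ipv6-address equal to the AFTR address, and the softwire-concentrator reference from step 3, and the service set must also carry the softwire rule.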

SYSLOG Message Configuration

A syslog class configuration option, pcp-logs, controls PCP log generation. It provides the following levels of logging:

  • protocol—All logs related to mapping creation and deletion are included at this level of logging.

  • protocol-error—All protocol error related logs (such as mapping refresh failed, PCP lookup failed, mapping creation failed) are included at this level of logging.

  • system-error—Memory and infrastructure errors are included at this level of logging.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release   Description
20.2R1    Starting in Junos OS Release 20.2R1, PCP is supported on the MX-SPC3 security services card for CGNAT services.
18.2R1    Starting in Junos OS Release 18.2R1, PCP on the MS-MPC and MS-MIC supports DS-Lite.
17.4R1    Starting in Junos OS Release 17.4R1, PCP for NAPT44 is also supported on the MS-MPC and MS-MIC.