close

keyboard_arrow_left

Table of Contents Expand all

play_arrow Overview
- play_arrow Next Gen Services Overview
  - Next Gen Services Overview
- play_arrow Configuration Overview
- play_arrow Global System Logging Overview and Configuration
- play_arrow Next Gen Services SNMP MIBS and Traps
  - Next Gen Services SNMP MIBs and Traps
play_arrow Carrier Grade NAT (CGNAT)
- play_arrow Deterministic NAT Overview and Configuration
  - Deterministic NAPT Overview for Next Gen Services
  - Configuring Deterministic NAPT for Next Gen Services
- play_arrow Dynamic Address-Only Source NAT Overview and Configuration
  - Dynamic Address-Only Source Translation Overview
  - Configuring Dynamic Address-Only Source NAT for Next Gen Services
- play_arrow Network Address Port Translation Overview and Configuration
  - Network Address Port Translation (NAPT) Overview
  - Configuring Network Address Port Translation for Next Gen Services
  - Configuring Syslog Events for NAT Rule Conditions with Next Gen Services
- play_arrow NAT46
  - NAT46 Next Gen Services Configuration Examples
- play_arrow Stateful NAT64 Overview and Configuration
  - Stateful NAT64 Overview
  - IPv4 Addresses Embedded in IPv6 Addresses
  - Configuring Next Gen Services Stateful NAT64
- play_arrow IPv4 Connectivity Across IPv6-Only Network Using 464XLAT Overview and Configuration
  - 464XLAT Overview
  - IPv4 Addresses Embedded in IPv6 Addresses
  - Configuring 464XLAT Provider-Side Translator for IPv4 Connectivity Across IPv6-Only Network for Next Gen Services
- play_arrow IPv6 NAT Protocol Translation (NAT PT)
  - IPv6 NAT PT Overview
  - IPv6 NAT-PT Communication Overview
- play_arrow Stateless Source Network Prefix Translation for IPv6 Overview and Configuration
  - Stateless Source Network Prefix Translation for IPv6
- play_arrow Transitioning to IPv6 Using Softwires
  - 6rd Softwires in Next Gen Services
- play_arrow Transitioning to IPv6 Using DS-Lite Softwires
  - DS-Lite Softwires—IPv4 over IPv6 for Next Gen Services
  - Configuring Next Gen Services DS-Lite Softwires
  - DS-Lite Subnet Limitation
  - Protecting CGN Devices Against Denial of Service (DOS) Attacks
- play_arrow Reducing Traffic and Bandwidth Requirements Using Port Control Protocol
  - Port Control Protocol Overview
  - Configuring Port Control Protocol
- play_arrow Transitioning to IPv6 Using Mapping of Address and Port with Encapsulation (MAP-E)
  - Mapping of Address and Port with Encapsulation (MAP-E) for Next Gen Services
  - Equal Cost Multiple Path (ECMP) support for Mapping of Address and Port with Encapsulation (MAP-E)
- play_arrow Monitoring and Troubleshooting Softwires
  - Ping and Traceroute for DS-Lite
  - Monitoring Softwire Statistics
  - Monitoring CGN, Stateful Firewall, and Softwire Flows
- play_arrow Port Forwarding Overview and Configuration
  - Port Forwarding for Next Gen Services
- play_arrow Port Translation Features Overview and Configuration
  - Address Pooling and Endpoint Independent Mapping for Port Translation
  - Round-Robin Port Allocation
  - Secured Port Block Allocation for Port Translation
- play_arrow Static Source NAT Overview and Configuration
  - Static Source NAT Overview
  - Configuring Static Source NAT44 or NAT66 for Next Gen Services
- play_arrow Static Destination NAT Overview and Configuration
  - Static Destination NAT Overview
  - Configuring Static Destination NAT for Next Gen Services
- play_arrow Twice NAPT Overview and Configuration
  - Twice NAPT Overview
  - Configuring Twice NAPT for Next Gen Services
- play_arrow Twice NAT Overview and Configuration
  - Twice Static NAT Overview
  - Configuring Twice Static NAT44 for Next Gen Services
  - Twice Dynamic NAT Overview
  - Configuring Twice Dynamic NAT for Next Gen Services
- play_arrow Class of Service Overview and Configuration
  - Class of Service for Services PICs (Next Gen Services)
play_arrow Stateful Firewall Services
- play_arrow Stateful Firewall Services Overview and Configuration
  - Stateful Firewall Overview for Next Gen Services
  - Configuring Stateful Firewalls for Next Gen Services
play_arrow Intrusion Detection Services
- play_arrow IDS Screens for Network Attack Protection Overview and Configuration
play_arrow Traffic Load Balancing
- play_arrow Traffic Load Balancing Overview and Configuration
  - Traffic Load Balancer Overview
  - Configuring TLB
play_arrow DNS Request Filtering
- play_arrow DNS Request Filtering Overview and Configuration
  - DNS Request Filtering for Disallowed Website Domains
  - DNS Request Filtering System Logging Error Messages
play_arrow URL Filtering
- play_arrow URL Filtering
  - URL Filtering Overview
  - Configuring URL Filtering
play_arrow Integration of Juniper ATP Cloud and Web filtering on MX Routers
- play_arrow Integration of Juniper ATP Cloud and Web filtering on MX Routers
  - Integration of Juniper ATP Cloud and Web Filtering on MX Series Routers
play_arrow Aggregated Multiservices Interfaces
- play_arrow Enabling Load Balancing and High Availability Using Multiservices Interfaces
play_arrow Inter-Chassis Services PIC High Availability
- play_arrow Inter-Chassis Services PIC High Availability Overview and Configuration
play_arrow Application Layer Gateways
- play_arrow Enabling Traffic to Pass Securely Using Application Layer Gateways
play_arrow NAT, Stateful Firewall, and IDS Flows
- play_arrow Inline NAT Services Overview and Configuration
play_arrow Configuration Statements
- Junos CLI Reference Overview

list Table of Contents

English

Configuring Port Control Protocol

date_range 24-Nov-23

arrow_backward

arrow_forward

This topic describes how to configure port control protocol (PCP). PCP is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICs. Starting in Junos OS Release 17.4R1, PCP for NAPT44 is also supported on the MS-MPC and MS-MIC. Starting in Junos OS Release 18.2R1, PCP on the MS-MPC and MS-MIC supports DS-Lite. In Junos OS Release 18.1 and earlier releases, PCP on the MS-MPC and MS-MIC does not support DS-Lite. Starting in Junos OS release 20.2R1 PCP is supported on the MX-SPC3 security services card for CGNAT services.

Perform the following configuration tasks:

Configuring PCP Server Options

Specify a PCP server name.

content_copy zoom_out_map
user @host# edit services pcp server server-name

Set the IPv4 or IPv6 addresses of the server. For PCP DS-Lite, the ipv6-address must match the address of the AFTR (Address Family Transition Router or softwire concentrator).
Note:
Starting in Junos OS Release 18.2R1, PCP on the MS-MPC and MS-MIC supports DS-Lite. In Junos OS Release 18.1 and earlier releases, PCP on the MS-MPC and MS-MIC does not support DS-Lite.
```
[edit services pcp server server-name]
user @host# set ipv6-address ipv6-address
```
or
```
[edit services pcp server server-name]
user @host# set ipv4-address ipv4-address
```
For PCP DS-Lite, provide the name of the DS-Lite softwire concentrator configuration.
```
[edit services pcp server server-name]
user @host# set softwire-concentrator softwire-concentrator-name
```

Specify the minimum and maximum mapping lifetimes for the server.

content_copy zoom_out_map
[edit services pcp server server-name]
user @host# set mapping-lifetime-minimum mapping-lifetime-min
user @host# set mapping-lifetime-maximum mapping-lifetime-max

Specify the time limits for generating short lifetime or long lifetime errors.

content_copy zoom_out_map
[edit services pcp server server-name]
user @host# set short-lifetime-error short-lifetime-error
user @host# set long-lifetime-error long-lifetime-error

(Optional)—Enable PCP options on the specified PCP server. The following options are available—third-party and prefer-failure. The third-party option is required to enable third-party requests by the PCP client. DS-Lite requires the third-party option. The prefer-failure option requests generation of an error message when the PCP client requests a specific IP address/port that is not available, rather than assigning another available address from the NAT pool. If prefer-failure is not specified NAPT44 assigns an available address/port from the NAT pool based on the configured NAT options.
```
[edit services pcp server server-name]
user @host# set pcp-options third-party
user @host# set pcp-options prefer-failure 
```
(Optional)—Specify which NAT pool to use for mapping.
```
[edit services pcp server server-name]
user @host# set nat-options pool-name1 <poolname2...>
```
Note:
When you do not explicitly specify a NAT pool for mapping, the Junos OS performs a partial rule match based on source IP, source port, and protocol, and the Junos OS uses the NAT pool configured for the first matching rule to allocate mappings for PCP.

You must use explicit configuration in order to use multiple NAT pools.

For the MX-SPC3 security services card and Next Gen Services, the nat-options statement supports only one pool name to attach to a PCP server.
(Optional)—Configure the maximum number of mappings per client. The default is 32 and maximum is 128.
```
[edit services pcp server server-name]
user @host# set max-mappings-per-client max-mappings-per-client
```

Configuring a PCP Rule

A PCP rule has the same basic options as all service set rules:

A term option that allows a single rule to have multiple applications.

A term is not required when running the MX-SPC3 security services card for Next Gen Services.
A from option that identifies the traffic that is subject to the rule.
A then option that identifies what action is to be taken. In the case of a PCP rule, this option Identifies the pcp server that handles selected traffic

Go to the [edit services pcp rule rule-name] hierarchy level and specify match-direction input.
```
user @host# edit services pcp rule rule-name 
user @host# set match-direction input
```
Go to the [edit services pcp rule rule-name term term-name] hierarchy level and provide a term name.
```
user @host# edit term term-name
```
This step is not required when running the MX-SPC3 security services card for Next Gen Services.

(Optional)—Provide a from option to filter the traffic to be selected for processing by the rule. When you omit the from option, all traffic handled by the service set’s service interface is subject to the rule. The following options are available at the [edit services pcp rule rule-name term term-name from] hierarchy level:

`application-sets set-name`	Traffic for the application set is processed by the PCP rule. This step is not required when running the MX-SPC3 security services card for Next Gen Services.
`applications [ application-name ]`	Traffic for the application is processed by the PCP rule. This option is not required when running the MX-SPC3 security services card for Next Gen Services.
`destination-address address <except>`	Traffic for the destination address or prefix is processed by the PCP rule. If you include the `except` option, traffic for the destination address or prefix is not processed by the PCP rule.
`destination-address-range high maximum-value low minimum-value <except>`	Traffic for the destination address range is processed by the PCP rule. If you include the `except` option, traffic for the destination address range is not processed by the PCP rule.
`destination-port high maximum-value low minimum-value`	Traffic for the destination port range is processed by the PCP rule.
`destination-prefix-list list-name <except>`	Traffic for a destination address in the prefix list is processed by the PCP rule. If you include the `except` option, traffic for a destination address in the prefix list is not processed by the PCP rule.
`source-address address <except>`	Traffic from the source address or prefix is processed by the PCP rule. If you include the `except` option, traffic from the source address or prefix is not processed by the PCP rule.
`source-address-range high maximum-value low minimum-value <except>`	Traffic from the source address range is processed by the PCP rule. If you include the `except` option, traffic from the source address range is not processed by the PCP rule.
`source-prefix-list list-name <except>`	Traffic from a source address in the prefix list is processed by the PCP rule. If you include the `except` option, traffic from a source address in the prefix list is not processed by the PCP rule.

Set the then option to identify the target PCP server.

content_copy zoom_out_map
[edit services pcp rule rule-name term term-name]
user @host# set then pcp-server server-name

Configuring a NAT Rule

To configure a NAT rule:

Configure the NAT rule name and the match direction.

content_copy zoom_out_map
 [edit services nat]
user@host# set rule rule-name match-direction match-direction

Specify the NAT pool to use:

content_copy zoom_out_map
 [edit services nat rule-name term term-name then translated]
user@host# set source-pool nat-pool-name 

Configure the translation type.

content_copy zoom_out_map
 [edit services nat rule-name term term-name then  translated]
user@host# set translation-type translation-type

If you are using PCP with IPv4-to-IPv4 NAT or with DS-Lite, configure endpoint-independent mapping (EIM) and endpoint-independent filtering (EIF).
```
 [edit services nat rule-name term term-name then  translated]
user@host# set mapping-type endpoint-independent
user@host# set filtering-type endpoint-independent
```
Note:
The PCP mappings are not created if you do not configure EIM and EIF with PCP for IPv4-to-IPv4 NAT or for DS-Lite.

Configuring a Service Set to Apply PCP

To use PCP, you must provide the rule name (or name of a list of rule names) in the pcp-rule rule-name option.

Go to the [edit services service-set service-set-name hierarchy level.
```
user @host# edit services service-set service-set-name 
```
If this is a new service set, provide basic service set information, including interface information and any other rules that may apply.
Specify the name of the PCP rule or rule list used to send traffic to the specified PCP server.
```
[edit services service-set service-set-name ]
user @host# set pcp-rule rule-name | rule-listname 
```

Note:

Your service set must also identify any required nat-rule and softwire-rule.

SYSLOG Message Configuration

A new syslog class, configuration option, pcp-logs, has been provided to control PCP log generation. It provides the following levels of logging:

protocol—All logs related to mapping creation, deletion are included at this level of logging.
protocol-error—–All protocol error related logs (such as mapping refresh failed, PCP look up failed, mapping creation failed). are included in this level of logging.
system-error—Memory and infrastructure errors are included in this level of logging.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release

Description

20.2R1

Starting in Junos OS release 20.2R1 PCP is supported on the MX-SPC3 security services card for CGNAT services.

18.2R1

17.4R1

Starting in Junos OS Release 17.4R1, PCP for NAPT44 is also supported on the MS-MPC and MS-MIC.

arrow_backward PREVIOUS Port Control Protocol Overview

NEXT arrow_forward Mapping of Address and Port with Encapsulation (MAP-E) for Next Gen Services

Next Gen Services Interfaces User Guide for Routing Devices

ON THIS PAGE