- play_arrow Overview
- play_arrow Next Gen Services Overview
- play_arrow Configuration Overview
- Configuration Differences Between Adaptive Services and Next Gen Services on the MX-SPC3
- Next Gen Services Feature Configuration Overview
- How to Configure Services Interfaces for Next Gen Services
- How to Configure Interface-Style Service Sets for Next Gen Services
- How to Configure Next-Hop Style Service Sets for Next Gen Services
- How to Configure Service Set Limits for Next Gen Services
- Example: Next Gen Services Inter-Chassis Stateful High Availability for NAT and Stateful Firewall (MX-SPC3)
- Example: Configuring AutoVPN with Pre-Shared Key
- Enabling and Disabling Next Gen Services
- play_arrow Global System Logging Overview and Configuration
- Understanding Next Gen Services CGNAT Global System Logging
- Enabling Global System Logging for Next Gen Services
- Configuring Local System Logging for Next Gen Services
- Configuring System Logging to One or More Remote Servers for Next Gen Services
- System Log Error Messages for Next Gen Services
- Configuring Syslog Events for NAT Rule Conditions with Next Gen Services
- play_arrow Next Gen Services SNMP MIBS and Traps
-
- play_arrow Carrier Grade NAT (CGNAT)
- play_arrow Deterministic NAT Overview and Configuration
- play_arrow Dynamic Address-Only Source NAT Overview and Configuration
- play_arrow Network Address Port Translation Overview and Configuration
- play_arrow NAT46
- play_arrow Stateful NAT64 Overview and Configuration
- play_arrow IPv4 Connectivity Across IPv6-Only Network Using 464XLAT Overview and Configuration
- play_arrow IPv6 NAT Protocol Translation (NAT PT)
- play_arrow Stateless Source Network Prefix Translation for IPv6 Overview and Configuration
- play_arrow Transitioning to IPv6 Using Softwires
- play_arrow Transitioning to IPv6 Using DS-Lite Softwires
- play_arrow Reducing Traffic and Bandwidth Requirements Using Port Control Protocol
- play_arrow Transitioning to IPv6 Using Mapping of Address and Port with Encapsulation (MAP-E)
- play_arrow Monitoring and Troubleshooting Softwires
- play_arrow Port Forwarding Overview and Configuration
- play_arrow Port Translation Features Overview and Configuration
- play_arrow Static Source NAT Overview and Configuration
- play_arrow Static Destination NAT Overview and Configuration
- play_arrow Twice NAPT Overview and Configuration
- play_arrow Twice NAT Overview and Configuration
- play_arrow Class of Service Overview and Configuration
-
- play_arrow Stateful Firewall Services
- play_arrow Stateful Firewall Services Overview and Configuration
-
- play_arrow Intrusion Detection Services
- play_arrow IDS Screens for Network Attack Protection Overview and Configuration
-
- play_arrow Traffic Load Balancing
- play_arrow Traffic Load Balancing Overview and Configuration
-
- play_arrow DNS Request Filtering
- play_arrow DNS Request Filtering Overview and Configuration
-
- play_arrow URL Filtering
- play_arrow URL Filtering
-
- play_arrow Integration of Juniper ATP Cloud and Web filtering on MX Routers
- play_arrow Integration of Juniper ATP Cloud and Web filtering on MX Routers
-
- play_arrow Aggregated Multiservices Interfaces
- play_arrow Enabling Load Balancing and High Availability Using Multiservices Interfaces
-
- play_arrow Application Layer Gateways
- play_arrow Enabling Traffic to Pass Securely Using Application Layer Gateways
-
- play_arrow NAT, Stateful Firewall, and IDS Flows
- play_arrow Inline NAT Services Overview and Configuration
-
- play_arrow Configuration Statements
Next Gen Services Inter-chassis High Availability Overview for NAT, Stateful Firewall, and IDS Flows
Inter-chassis High Availability Overview for NAT, Stateful Firewall, and IDS Flows for Next Gen Services
Carrier-grade NAT, stateful firewall, and IDS flows can be configured with a dual-chassis, redundant data path. Although intra-chassis high availability can be used in an MX Series device by employing the AMS interfaces, this method only deals locally with services PIC failures. If for any reason traffic is switched to a backup router due to some other failure in the router, the session state from the services PIC is lost unless you configure synchronization of the services session states with a services PIC on the backup router.
Inter-chassis high availability provides this synchronization, and controls switchovers between the services PICs in the redundancy pair. Inter-chassis high availability is a primary-secondary model, not an active-active cluster. Only one services PIC in a redundancy pair, the current primary, receives traffic to be serviced.
To configure interchassis high availability for NAT, stateful firewall, and IDS, you configure:
Stateful synchronization, which replicates the session state from the primary services PICs on the primary to the backup services PIC on the other chassis.
Inter-chassis services redundancy, which controls primary role switchovers in the services PIC redundancy pair, based on monitored events. Most operators would not want to employ stateful synchronization without also implementing services redundancy.
Benefits
Interchassis high availability provides automatic switchovers from a services PIC on one chassis to a services PIC on another chassis, while providing uninterrupted services for customer traffic.
Example: Next Gen Services Inter-Chassis Stateful High Availability for NAT and Stateful Firewall (MX-SPC3)
This example shows how to configure Next Gen Services inter-chassis high availability for stateful firewall and NAT services.
Requirements
This example uses the following hardware and software components:
Two MX480 routers with MX-SPC3 services cards
Junos OS Release 19.3R2, 19.4R1 or later
Overview
Two MX 3D routers are identically configured to facilitate stateful failover for firewall and NAT services in case of a chassis failure.
Configuration
To configure inter-chassis high availability for this example, perform these tasks:
- CLI Quick Configuration
- Configuring Interfaces for Chassis 1.
- Configure Routing Information for Chassis 1
- Configuring NAT and Stateful Firewall for Chassis 1
- Configuring the Service Set
- Configuring Interfaces for Chassis 2
- Configure Routing Information for Chassis 2
CLI Quick Configuration
To quickly configure this example on the routers, copy the following commands and paste them into the router terminal window after removing line breaks and substituting interface information specific to your site.
The following configuration is for chassis 1.
[edit] set interfaces vms-4/0/0 redundancy-options redundancy-peer ipaddress 5.5.5.2 set interfaces vms-4/0/0 redundancy-options routing-instance HA set interfaces vms-4/0/0 unit 10 ip-address-owner service-plane set interfaces vms-4/0/0 unit 10 family inet address 5.5.5.1/32 set interfaces vms-4/0/0 unit 20 family inet set interfaces vms-4/0/0 unit 20 service-domain inside set interfaces vms-4/0/0 unit 30 family inet set interfaces vms-4/0/0 unit 30 service-domain outside set interfaces ge-2/0/0 vlan-tagging set interfaces ge-2/0/0 unit 0 vlan-id 100 family inet address 20.1.1.1/24 set routing-instances HA instance-type vrf set routing-instances HA interface ge-2/0/0.0 set routing-instances HA interface vms-4/0/0.10 set routing-instances HA route-distinguisher 1:1 set policy-options policy-statement dummy term 1 then reject set routing-instances HA vrf-import dummy set routing-instances HA vrf-export dummy set routing-instances HA routing-options static route route 5.5.5.1/32 next-hop vms-4/0/0.10 set routing-instances HA routing-options static route route 5.5.5.2/32 next-hop 20.1.1.2 set services nat pool p2 address 32.0.0.0/24 set services nat pool p2 port automatic random-allocation set services nat pool p2 address-allocation round-robin set services nat rule r2 match-direction input set services nat rule r2 term t1 from source-address 129.0.0.0/8 set services nat rule r2 term t1 from source-address 128.0.0.0/8 set services nat rule r2 term t1 then translated source-pool p2 set services nat rule r2 term t1 then translated translation-type napt-44 set services nat rule r2 term t1 then translated address-pooling paired set services nat rule r2 term t1 then syslog set services stateful-firewall rule r2 match-direction input set services stateful-firewall rule r2 term t1 from source-address any-unicast set services stateful-firewall rule r2 term t1 then accept set services stateful-firewall rule r2 term t1 then syslog set services service-set ss2 replicate-services replication-threshold 180 set services service-set ss2 replicate-services stateful-firewall set services service-set ss2 replicate-services nat set services service-set ss2 stateful-firewall-rules r2 set services service-set ss2 nat-rules r2 set services service-set ss2 next-hop-service inside-service-interface vms-4/0/0.20 set services service-set ss2 next-hop-service outside-service-interface vms-4/0/0.30 set services service-set ss2 syslog host local class session-logs set services service-set ss2 syslog host local class stateful-firewall-logs set services service-set ss2 syslog host local class nat-logs
The following configuration is for chassis 2. The NAT, stateful firewall, and service-set information must be identical for chassis 1 and 2.
set interfaces vms-4/0/0 redundancy-options redundancy-peer ipaddress 5.5.5.1 set interfaces vms-4/0/0 redundancy-options routing-instance HA set interfaces vms-4/0/0 unit 10 ip-address-owner service-plane set interfaces vms-4/0/0 unit 10 family inet address 5.5.5.2/32 set interfaces vms-4/0/0 unit 20 family inet set interfaces vms-4/0/0 unit 20 service-domain inside set interfaces vms-4/0/0 unit 30 family inet set interfaces vms-4/0/0 unit 30 service-domain outside set interfaces ge-2/0/0 vlan-tagging set interfaces ge-2/0/0 unit 0 vlan-id 100 family inet address 20.1.1.2/24 set routing-instances HA instance-type vrf set routing-instances HA interface ge-2/0/0.0 set routing-instances HA interface vms-4/0/0.10 set routing-instances HA route-distinguisher 1:1 set policy-options policy-statement dummy term 1 then reject set routing-instances HA vrf-import dummy set routing-instances HA vrf-export dummy set routing-instances HA routing-options static route 5.5.5.2/32 next-hop vms-4/0/0.10 set routing-instances HA routing-options static route 5.5.5.1/32 next-hop 20.1.1.1 set services nat pool p2 address 32.0.0.0/24 set services nat pool p2 port automatic random-allocation set services nat pool p2 address-allocation round-robin set services nat rule r2 match-direction input set services nat rule r2 term t1 from source-address 129.0.0.0/8 set services nat rule r2 term t1 from source-address 128.0.0.0/8 set services nat rule r2 term t1 then translated source-pool p2 set services nat rule r2 term t1 then translated translation-type napt-44 set services nat rule r2 term t1 then translated address-pooling paired set services nat rule r2 term t1 then syslog set services stateful-firewall rule r2 match-direction input set services stateful-firewall rule r2 term t1 from source-address any-unicast set services stateful-firewall rule r2 term t1 then accept set services stateful-firewall rule r2 term t1 then syslog set services service-set ss2 replicate-services replication-threshold 180 set services service-set ss2 replicate-services stateful-firewall set services service-set ss2 replicate-services nat set services service-set ss2 stateful-firewall-rules r2 set services service-set ss2 nat-rules r2 set services service-set ss2 next-hop-service inside-service-interface vms-4/0/0.20 set services service-set ss2 next-hop-service outside-service-interface vms-4/0/0.30 set services service-set ss2 syslog host local class session-logs set services service-set ss2 syslog host local class stateful-firewall-logs set services service-set ss2 syslog host local class nat-logs
Configuring Interfaces for Chassis 1.
Step-by-Step Procedure
The interfaces for each of the HA pair of routers are configured identically with the exception of the following service PIC options:
redundancy-options redundancy-peer ipaddress addressunit unit-number family inet address addressof a unit, other than 0, that contains theip-address-owner service-planeoption
To configure interfaces:
Configure the redundant service PIC on chassis 1.
content_copy zoom_out_map[edit interfaces} user@host# set interfaces vms-4/0/0 redundancy-options redundancy-peer ipaddress 5.5.5.2 user@host# set interfaces vms-4/0/0 redundancy-options routing-instance HA user@host# set interfaces vms-4/0/0 unit 10 ip-address-owner service-plane user@host# set interfaces vms-4/0/0 unit 10 family inet address 5.5.5.1/32 user@host# set interfaces vms-4/0/0 unit 20 family inet user@host# set interfaces vms-4/0/0 unit 20 service-domain inside user@host# set interfaces vms-4/0/0 unit 30 family inet user@host# set interfaces vms-4/0/0 unit 30 service-domain outside
Configure the interfaces for chassis 1 that are used as interchassis links for synchronization traffic.
content_copy zoom_out_mapuser@host# set interfaces ge-2/0/0 vlan-tagging user@host# set interfaces ge-2/0/0 unit 0 vlan-id 100 family inet address 20.1.1.1/24
Configure remaining interfaces as needed.
Results
user@host# show interfaces
ge-2/0/0 {
vlan-tagging;
unit 0 {
vlan-id 100;
family inet {
address 20.1.1.1/24;
}
}
}
vms-4/0/0 {
redundancy-options {
redundancy-peer {
ipaddress 5.5.5.2;
}
routing-instance HA;
}
unit 10 {
ip-address-owner service-plane;
family inet {
address 5.5.5.1/32;
}
}
unit 20 {
family inet;
family inet6;
service-domain inside;
}
unit 30 {
family inet;
family inet6;
service-domain outside;
}
}
}
Configure Routing Information for Chassis 1
Step-by-Step Procedure
Detailed routing configuration is not included for this example. A routing instance is required for the HA synchronization traffic between the chassis as follows:
Configure routing instances for Chassis 1.
content_copy zoom_out_mapuser@host# set routing-instances HA instance-type vrf user@host# set routing-instances HA interface ge-2/0/0.0 user@host# set routing-instances HA interface vms-4/0/0.10 user@host# set routing-instances HA route-distinguisher 1:1 user@host# set policy-options policy-statement dummy term 1 then reject user@host# set routing-instances HA vrf-import dummy user@host# set routing-instances HA vrf-export dummy user@host# set routing-instances HA routing-options static route route 5.5.5.1/32 next-hop vms-4/0/0.10 user@host# set routing-instances HA routing-options static route route 5.5.5.2/32 next-hop 20.1.1.2
Results
user@host# show routing-instances
HA {
instance-type vrf;
interface ge-2/0/0.0;
interface vms-4/0/0.10;
route-distinguisher 1:1;
vrf-import dummy;
vrf-export dummy;
routing-options {
static {
route 5.5.5.1/32 next-hop vms-4/0/0.10;
route 5.5.5.2/32 next-hop 20.1.1.2;
}
}
}
Configuring NAT and Stateful Firewall for Chassis 1
Step-by-Step Procedure
Configure NAT and stateful firewall identically on both routers. To configure NAT and stateful firewall:
Configure NAT as needed.
content_copy zoom_out_mapuser@host# set services nat pool p2 address 32.0.0.0/24 user@host# set services nat pool p2 port automatic random-allocation user@host# set services nat pool p2 address-allocation round-robin user@host# set services nat rule r2 match-direction input user@host# set services nat rule r2 term t1 from source-address 129.0.0.0/8 user@host# set services nat rule r2 term t1 from source-address 128.0.0.0/8 user@host# set services nat rule r2 term t1 then translated source-pool p2 user@host# set services nat rule r2 term t1 then translated translation-type napt-44 user@host# set services nat rule r2 term t1 then translated address-pooling paired user@host# set services nat rule r2 term t1 then syslog
Configure stateful firewall as needed.
content_copy zoom_out_mapuser@host# set services stateful-firewall rule r2 match-direction input user@host# set services stateful-firewall rule r2 term t1 from source-address any-unicast user@host# set services stateful-firewall rule r2 term t1 then accept user@host# set services stateful-firewall rule r2 term t1 then syslog
Results
user@host# show services nat
nat {
pool p2 {
address 32.0.0.0/24;
port {
automatic {
random-allocation;
}
}
address-allocation round-robin;
}
rule r2 {
match-direction input;
term t1 {
from {
source-address {
129.0.0.0/8;
128.0.0.0/8;
}
}
then {
translated {
source-pool p2;
translation-type {
napt-44;
}
address-pooling paired;
}
syslog;
}
}
}
}
}
user@host show services stateful-firewell
rule r2 {
match-direction input;
term t1 {
from {
source-address {
any-unicast;
}
}
then {
accept;
syslog;
}
}
}
Configuring the Service Set
Step-by-Step Procedure
Configure the the service set identically on both routers. To configure the service set:
Configure the service set replication options.
content_copy zoom_out_mapuser@host# set services service-set ss2 replicate-services replication-threshold 180 user@host# set services service-set ss2 replicate-services stateful-firewall user@host# set services service-set ss2 replicate-services nat
Configure references to NAT and stateful firewall rules for the service set.
content_copy zoom_out_mapuser@host# set services service-set ss2 stateful-firewall-rules r2 user@host# set services service-set ss2 nat-rules r2
Configure next-hop service interface on the vms-PIC.
content_copy zoom_out_mapuser@host# set services service-set ss2 next-hop-service inside-service-interface vms-4/0/0.20 user@host# set services service-set ss2 next-hop-service outside-service-interface vms-4/0/0.30
Configure desired logging options.
content_copy zoom_out_mapuser@host# set services service-set ss2 syslog host local class session-logs user@host# set services service-set ss2 syslog host local class stateful-firewall-logs user@host# set services service-set ss2 syslog host local class nat-logs
Results
user@host# show services service-set ss2
syslog {
host local {
class {
session-logs;
inactive: stateful-firewall-logs;
nat-logs;
}
}
}
replicate-services {
replication-threshold 180;
stateful-firewall;
nat;
}
stateful-firewall-rules r2;
inactive: nat-rules r2;
next-hop-service {
inside-service-interface vms-3/0/0.20;
outside-service-interface vms-3/0/0.30;
}
}
Configuring Interfaces for Chassis 2
Step-by-Step Procedure
The interfaces for each of the HA pair of routers are configured identically with the exception of the following service PIC options:
redundancy-options redundancy-peer ipaddress addressunit unit-number family inet address addressof a unit, other than 0, that contains theip-address-owner service-planeoption
Configure the redundant service PIC on chassis 2.
The
redundancy-peer ipaddresspoints to the address of the unit (unit 10) on vms-4/0/0 on chassis on chassis 1 that contains theip-address-owner service-planestatement.content_copy zoom_out_map[edit interfaces} set interfaces vms-4/0/0 redundancy-options redundancy-peer ipaddress 5.5.5.1 user@host# set interfaces vms-4/0/0 redundancy-options routing-instance HA user@host# set interfaces vms-4/0/0 unit 10 ip-address-owner service-plane user@host# set interfaces vms-4/0/0 unit 10 family inet address 5.5.5.2/32 user@host# set interfaces vms-4/0/0 unit 20 family inet user@host# set interfaces vms-4/0/0 unit 20 service-domain inside user@host# set interfaces vms-4/0/0 unit 30 family inet user@host# set interfaces vms-4/0/0 unit 30 service-domain outside
Configure the interfaces for chassis 2 that are used as interchassis links for synchronization traffic
content_copy zoom_out_mapuser@host# set interfaces ge-2/0/0 vlan-tagging user@host# set interfaces ge-2/0/0 unit 0 vlan-id 100 family inet address 20.1.1.2/24
Configure remaining interfaces for chassis 2 as needed.
Results
user@host# show interfaces
vms-4/0/0 {
redundancy-options {
redundancy-peer {
ipaddress 5.5.5.1;
}
routing-instance HA;
}
unit 0 {
family inet;
}
unit 10 {
ip-address-owner service-plane;
family inet {
address 5.5.5.2/32;
}
}
ge-2/0/0 {
vlan-tagging;
unit 0 {
vlan-id 100;
family inet {
address 20.1.1.2/24;
}
}
unit 10 {
vlan-id 10;
family inet {
address 2.10.1.2/24;
}
Configure Routing Information for Chassis 2
Step-by-Step Procedure
Detailed routing configuration is not included for this example. A routing instance is required for the HA synchronization traffic between the two chassis and is included here.
Configure routing instances for chassis 2.
content_copy zoom_out_mapuser@host# set routing-instances HA instance-type vrf user@host# set routing-instances HA interface ge-2/0/0.0 user@host# set routing-instances HA interface vms-4/0/0.10 user@host# set routing-instances HA route-distinguisher 1:1 user@host# set policy-options policy-statement dummy term 1 then reject user@host# set routing-instances HA vrf-import dummy user@host# set routing-instances HA vrf-export dummy user@host# set routing-instances HA routing-options static route 5.5.5.2/32 next-hop vms-4/0/0.10 user@host# set routing-instances HA routing-options static route 5.5.5.1/32 next-hop 20.1.1.1
Note:The following configuration steps are identical to the steps shown for chassis 1.
Configuring NAT and Stateful Firewall
Configuring the Service Set
Results
user@host# show services routing-instances
HA {
instance-type vrf;
interface xe-2/2/0.0;
interface vms-4/0/0.10;
route-distinguisher 1:1;
vrf-import dummy;
vrf-export dummy;
routing-options {
static {
route 5.5.5.2/32 next-hop vms-4/0/0.10;
route 5.5.5.1/32 next-hop 20.1.1.1;
}
}
