Configure TCP Port Forwarding for Remote Device Management
To use TCP port forwarding, you configure the mapping between the TCP listening address/listening port combination on the BNG and the TCP port forwarding address/port combination where the BNG forwards the incoming data stream. TCP port forwarding is used when the BNG, together with one or more access nodes, is treated by an external management or provisioning system as a single addressable point of management. The remote devices have private addresses and are not publicly accessible. The TCP port forwarding connections enable the BNG to demultiplex and multiplex management requests exchanged between the access nodes and the management system.
The BNG monitors the listening port for connections triggered by an external management system or a remote device. The listening address is a particular IPv4 address on the BNG that the triggering entity (external management/provisioning system or remote device) must use when attempting to trigger connections on the listening port.
By default, TCP connections are accepted from any source prefix. You can optionally configure one or more IPv4 prefixes from which TCP connections are accepted on the listening port. You can use a /32 IPv4 mask to specify a single address as the source or you can use other masks to specify an IPv4 subnet as the source. You can configure an unlimited number of prefixes for each listening port. To configure multiple prefixes, however, you must include the statement multiple times, once for each additional source prefix.
Although not shown in the following steps, you can also configure TCP port forwarding in a non-default routing instance.
To configure a TCP mapping of a single TCP connection pair for TCP port forwarding:
The following sample configuration might be used for the topology shown in TCP Port Forwarding for Remote Device Management. In each step, the listening address is the public address of the BNG for management. A different listening port is assigned for the TACACS+ server, the management platform, and each remote device.
Configure the TACACS+ server connection. The BNG monitors port 8020 and its public address for TCP traffic from any of its remote devices to the TACACS server. It accepts traffic only from the subnet shared by the OLTs. It forwards acceptable traffic to the TACACS+ server on the IANA-assigned port number for TACACS, 49. The BNG supports four simultaneous TCP connections on the listening port/address combination, one for each OLT.
[edit system services tcp-forwarding]
user@host# edit listening-port 8020 listening-address 203.0.113.50
user@host# set allowed-source 192.0.0.1/24
user@host# set forwarding-address 198.51.100.1
user@host# set forwarding-port 49
user@host# set max-connections 4
Configure the NETCONF XML protocol connection to each remote device: OLT1, OLT2, OLT3, and OLT4. The BNG monitors its public address and four different ports for TCP traffic from the management platform to the remote devices. Each port is associated with one of the remote devices. The BNG accepts traffic only from the management platform address, 198.51.100.3. Accepted traffic is forwarded to the associated device on the IANA-assigned port number for the NETCONF XML protocol over SSH, 830. Only one TCP connection is supported for each device.
Configure the NETCONF XML protocol connection to OLT1.
[edit system services tcp-forwarding]
user@host# edit listening-port 8000 listening-address 203.0.113.50
user@host# set allowed-source 198.51.100.3/32
user@host# set forwarding-address 192.0.0.2
user@host# set forwarding-port 830
user@host# set max-connections 1
Configure the NETCONF XML protocol connection to OLT2.
[edit system services tcp-forwarding]
user@host# edit listening-port 8001 listening-address 203.0.113.50
user@host# set allowed-source 198.51.100.3/32
user@host# set forwarding-address 192.0.0.3
user@host# set forwarding-port 830
user@host# set max-connections 1
Configure the NETCONF XML protocol connection to OLT3.
[edit system services tcp-forwarding]
user@host# edit listening-port 8002 listening-address 203.0.113.50
user@host# set allowed-source 198.51.100.3/32
user@host# set forwarding-address 192.0.0.4
user@host# set forwarding-port 830
user@host# set max-connections 1
Configure the NETCONF XML protocol connection to OLT4.
[edit system services tcp-forwarding]
user@host# edit listening-port 8003 listening-address 203.0.113.50
user@host# set allowed-source 198.51.100.3/32
user@host# set forwarding-address 192.0.0.5
user@host# set forwarding-port 830
user@host# set max-connections 1
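The following Python model is an added example, not Junos code or output from this page: it loads the five mappings configured above into a table and shows how a connection to a listening address/port is demultiplexed, including the two checks a practitioner should verify after committing, that allowed-source limits who can reach each listener (an empty list means any source, the page's default) and that max-connections caps concurrent sessions. The class and function names are the example's own.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Listener:
    """One listening-port/listening-address mapping (hypothetical model of the
    [edit system services tcp-forwarding] statements configured above)."""
    listening_address: str
    listening_port: int
    forwarding_address: str
    forwarding_port: int
    max_connections: int
    allowed_sources: list = field(default_factory=list)  # empty = accept any source
    active: int = 0

    def accepts(self, src: str) -> bool:
        if not self.allowed_sources:
            return True
        ip = ipaddress.ip_address(src)
        # strict=False so a host-form prefix such as 192.0.0.1/24 matches its subnet
        return any(ip in ipaddress.ip_network(p, strict=False) for p in self.allowed_sources)

class TcpForwarder:
    def __init__(self, listeners):
        self.table = {(l.listening_address, l.listening_port): l for l in listeners}

    def connect(self, src: str, dst_addr: str, dst_port: int):
        """Decide one incoming TCP connection: returns the (forwarding_address,
        forwarding_port) pair it is relayed to, or ("reject", reason)."""
        l = self.table.get((dst_addr, dst_port))
        if l is None:
            return ("reject", "no listener on that address/port")
        if not l.accepts(src):
            return ("reject", "source not in allowed-source")
        if l.active >= l.max_connections:
            return ("reject", "max-connections reached")
        l.active += 1
        return (l.forwarding_address, l.forwarding_port)

def sample_forwarder() -> TcpForwarder:
    """Table built from the sample configuration on this page."""
    bng = "203.0.113.50"
    listeners = [Listener(bng, 8020, "198.51.100.1", 49, 4, ["192.0.0.1/24"])]
    for port, olt in zip((8000, 8001, 8002, 8003),
                         ("192.0.0.2", "192.0.0.3", "192.0.0.4", "192.0.0.5")):
        listeners.append(Listener(bng, port, olt, 830, 1, ["198.51.100.3/32"]))
    return TcpForwarder(listeners)

if __name__ == "__main__":
    fwd = sample_forwarder()
    print(fwd.connect("192.0.0.2", "203.0.113.50", 8020))   # OLT1 reaches TACACS+
    print(fwd.connect("198.51.100.3", "203.0.113.50", 8020))  # manager blocked on 8020
```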