
Example: Configuring Layer 3 Services and the Services SDK on Two PICs


You can configure the Layer 3 service package and the Services SDK on two PICs of the same router. For this example, you must have an FTP or HTTP client and a server. The client-facing router interface is ge-1/2/2.1 and the server-facing router interface is ge-1/1/0.48. This configuration applies Network Address Translation (NAT) with stateful firewall (SFW) on the uKernel PIC, and application identification (APPID), application-aware access list (AACL), and intrusion detection and prevention (IDP) on the Services SDK PIC, to FTP or HTTP traffic.

Note

The Services SDK does not yet support NAT. When NAT is required, deploy it with the Layer 3 service package on one PIC, alongside Services SDK applications such as APPID, AACL, or IDP on another PIC.

Note

The IDP functionality is deprecated for the MX Series in Junos OS Release 17.1R1 and later.

To deploy the Layer 3 service package and the Services SDK on two PICs:

  1. In configuration mode, go to the following hierarchy level:
  2. In the hierarchy level, configure the conditions for the stateful firewall rule r1.

    In this example, the stateful firewall term is ALLOWED-SERVICES. Enclose the application names (junos-ftp, junos-http, and junos-icmp-ping) in square brackets as the application-name list.

  3. Configure the conditions for the stateful firewall rule r2.

    In this example, the stateful firewall term is term1.

  4. Go to the following hierarchy level and verify the configuration:
  5. Go to the following hierarchy level:
  6. In the hierarchy level, configure the NAT pool.

    In this example, the NAT pool is OUTBOUND-SERVICES and the IP address is 10.48.0.2/32.

  7. Configure the NAT rule.

    In this example, the NAT rule is SET-MSR-ADDR, the NAT term is TRANSLATE-SOURCE-ADDR, and the source pool is OUTBOUND-SERVICES. Enclose the application names (junos-ftp, junos-http, and junos-icmp-ping) in square brackets as the application-name list, exactly as in the stateful firewall rule.

  8. Go to the following hierarchy level and verify the configuration:
  9. Go to the following hierarchy level:
    Note

    The [edit security idp] statements are deprecated for the MX Series in Junos OS Release 17.1R1 and later.

  10. In the hierarchy level, configure the IDP policy.

    In this example, the IDP policy is test1, the rule is r1, the predefined attack is FTP:USER:ROOT, and the predefined attack group is "Recommended Attacks".

  11. Configure the trace options for IDP services.

    In this example, the log file name is idp-demo.log.

  12. Go to the following hierarchy level and verify the configuration:
  13. Go to the following hierarchy level:
  14. In the hierarchy level, configure the AACL rules.

    In this example, the AACL rule is app-aware and the term is t1.

  15. Go to the following hierarchy level and verify the configuration:
  16. Go to the following hierarchy level:
  17. Configure the APPID profile.

    In this example, the APPID profile is dummy-profile.

  18. Configure the IDP profile.

    In this example, the IDP profile is test1.

  19. Configure the policy decision statistics profile.

    In this example, the policy decision statistics profile is lpdf-stats.

  20. Configure the AACL rules.

    In this example, the AACL rule name is app-aware.

  21. Configure two stateful firewall rules.

    In this example, the first rule is r1 and the second rule is r2.

  22. In the hierarchy level, configure the service set to bypass traffic on service PIC failure. This is a fail-open setting: if the Services SDK PIC goes down, traffic on the interfaces bound to this service set is forwarded without SFW, AACL, or IDP inspection. Omit it if the deployment must fail closed.
  23. Configure interface-specific service set options.

    In this example, the services interface is ms-0/1/0.

  24. Go to the following hierarchy level and verify the configuration:
  25. Go to the following hierarchy level:
  26. In the hierarchy level, configure optional notification parameters for the services interface. These are needed only for debugging.

    In this example, the host to notify is local.

  27. Configure two stateful firewall rules.

    In this example, the first rule is r1 and the second rule is r2.

  28. Configure NAT rules.

    In this example, the NAT rule is SET-MSR-ADDR.

  29. Configure interface-specific service set options.

    In this example, the services interface is sp-3/1/0.

  30. Go to the following hierarchy level and verify the configuration:
  31. Go to the following hierarchy level:
  32. In the hierarchy level, configure the interface.

    In this example, the interface is ge-1/2/2.1.

  33. Go to the following hierarchy level:
  34. In the hierarchy level, configure the service set for received packets.

    In this example, the input service set is App-Aware-Set.

  35. Configure the service set for transmitted packets.

    In this example, the output service set is App-Aware-Set.

  36. Go to the following hierarchy level:
  37. In the hierarchy level, configure the interface address.

    In this example, the interface address is 10.10.9.10/30.

  38. Go to the following hierarchy level and verify the configuration:
  39. Go to the following hierarchy level:
  40. In the hierarchy level, configure the interface.

    In this example, the interface is ge-1/1/0.48.

  41. Go to the following hierarchy level:
  42. In the hierarchy level, configure the service set for received packets.

    In this example, the service set is NAT-SFW-SET.

  43. Configure the service set for transmitted packets.

    In this example, the service set is NAT-SFW-SET.

  44. Go to the following hierarchy level:
  45. Configure the interface address.

    In this example, the interface address is 10.48.0.1/31.

  46. Go to the following hierarchy level and verify the configuration:
  47. Go to the following hierarchy level:
  48. In the hierarchy level, configure the interface.

    In this example, the interface is ms-0/1/0.0.

  49. Go to the following hierarchy level:
  50. In the hierarchy level, configure the protocol family.
  51. Go to the following hierarchy level and verify the configuration:
  52. Go to the following hierarchy level:
  53. In the hierarchy level, configure the interface.

    In this example, the interface is sp-3/1/0.0.

  54. Go to the following hierarchy level:
  55. In the hierarchy level, configure optional notification parameters for the services interface. These are needed only for debugging.

    In this example, the host to notify is local.

  56. Go to the following hierarchy level:
  57. In the hierarchy level, configure the protocol family.
  58. Go to the following hierarchy level and verify the configuration:
  59. Go to the following hierarchy level:
  60. In the hierarchy level, configure the redundancy settings.
  61. Configure the FPC and PIC.

    In this example, the FPC is in slot 0 and the PIC is in slot 1.

  62. Configure the number of cores dedicated to run control functionality.

    In this example, the number of control cores is 1.

  63. Configure the number of processing cores dedicated to data.

    In this example, the number of data cores is 7.

  64. Configure the size of the object cache in megabytes. Only multiples of 128 MB are allowed, and the maximum is 1280 MB (512 MB on the MS-100).

    In this example, the size of the object cache is 1280 MB.

  65. Configure the size of the policy database in megabytes.

    In this example, the size of the policy database is 64 MB.

  66. Configure the packages.

    In this example, the first package is jservices-appid, the second package is jservices-aacl, the third package is jservices-llpdf, the fourth package is jservices-idp, and the fifth package is jservices-sfw. jservices-sfw is available only in Junos OS Release 10.1 and later.

  67. Configure the IP network services.
  68. Go to the following hierarchy level and verify the configuration:
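The steps above name the objects but the hierarchy levels and statements themselves are not shown. The following set-format configuration is an added example that reconstructs the whole two-PIC deployment from the values the steps give; it is not the page's own configuration. Everything the steps do not state is an assumption and is marked as such in the comments: the NAT translation type, the IDP action, the AACL match condition, VLAN tagging for ge-1/1/0 unit 48, the Layer 3 package on fpc 3 pic 1, and the `#` comment lines (strip them if your release's `load set` does not ignore them).

```junos
# Added example, not the page's own configuration. Lines marked "assumed" are not stated on the page.

# Stateful firewall rules, referenced by both service sets
set services stateful-firewall rule r1 match-direction input-output
set services stateful-firewall rule r1 term ALLOWED-SERVICES from applications [ junos-ftp junos-http junos-icmp-ping ]
set services stateful-firewall rule r1 term ALLOWED-SERVICES then accept
set services stateful-firewall rule r2 match-direction input-output
set services stateful-firewall rule r2 term term1 then accept

# NAT pool and rule on the uKernel PIC; translation-type is assumed (the page only names pool and rule)
set services nat pool OUTBOUND-SERVICES address 10.48.0.2/32
set services nat rule SET-MSR-ADDR match-direction input
set services nat rule SET-MSR-ADDR term TRANSLATE-SOURCE-ADDR from applications [ junos-ftp junos-http junos-icmp-ping ]
set services nat rule SET-MSR-ADDR term TRANSLATE-SOURCE-ADDR then translated source-pool OUTBOUND-SERVICES
set services nat rule SET-MSR-ADDR term TRANSLATE-SOURCE-ADDR then translated translation-type source dynamic

# IDP policy (deprecated on MX Series from 17.1R1); the drop-packet action is assumed
set security idp idp-policy test1 rulebase-ips rule r1 match attacks predefined-attacks FTP:USER:ROOT
set security idp idp-policy test1 rulebase-ips rule r1 match attacks predefined-attack-groups "Recommended Attacks"
set security idp idp-policy test1 rulebase-ips rule r1 then action drop-packet
set security idp traceoptions file idp-demo.log
set security idp traceoptions flag all

# AACL rule; the application match is assumed
set services application-aware-access-list rule app-aware match-direction input-output
set services application-aware-access-list rule app-aware term t1 from applications [ junos-ftp junos-http ]
set services application-aware-access-list rule app-aware term t1 then accept

# Service set on the Services SDK PIC (ms-0/1/0)
set services service-set App-Aware-Set application-identification-profile dummy-profile
set services service-set App-Aware-Set idp-profile test1
set services service-set App-Aware-Set policy-decision-statistics-profile lpdf-stats
set services service-set App-Aware-Set application-aware-access-list-rules app-aware
set services service-set App-Aware-Set stateful-firewall-rules r1
set services service-set App-Aware-Set stateful-firewall-rules r2
# fail-open: traffic is forwarded uninspected if the PIC fails; remove to fail closed
set services service-set App-Aware-Set bypass-traffic-on-pic-failure
set services service-set App-Aware-Set interface-service service-interface ms-0/1/0

# Service set on the uKernel (Layer 3 package) PIC (sp-3/1/0); syslog is for debugging only
set services service-set NAT-SFW-SET syslog host local services any
set services service-set NAT-SFW-SET stateful-firewall-rules r1
set services service-set NAT-SFW-SET stateful-firewall-rules r2
set services service-set NAT-SFW-SET nat-rules SET-MSR-ADDR
set services service-set NAT-SFW-SET interface-service service-interface sp-3/1/0

# Client-facing interface: App-Aware-Set on received and transmitted packets
set interfaces ge-1/2/2 unit 1 family inet service input service-set App-Aware-Set
set interfaces ge-1/2/2 unit 1 family inet service output service-set App-Aware-Set
set interfaces ge-1/2/2 unit 1 family inet address 10.10.9.10/30

# Server-facing interface: NAT-SFW-SET in both directions; vlan-tagging/vlan-id 48 are assumed for unit 48
set interfaces ge-1/1/0 vlan-tagging
set interfaces ge-1/1/0 unit 48 vlan-id 48
set interfaces ge-1/1/0 unit 48 family inet service input service-set NAT-SFW-SET
set interfaces ge-1/1/0 unit 48 family inet service output service-set NAT-SFW-SET
set interfaces ge-1/1/0 unit 48 family inet address 10.48.0.1/31

# Services interfaces; the sp- syslog host is for debugging only
set interfaces ms-0/1/0 unit 0 family inet
set interfaces sp-3/1/0 services-options syslog host local services any
set interfaces sp-3/1/0 unit 0 family inet

# Services SDK PIC in fpc 0 pic 1 (matches ms-0/1/0): cores, object cache, policy database, packages
set chassis fpc 0 pic 1 adaptive-services service-package extension-provider control-cores 1
set chassis fpc 0 pic 1 adaptive-services service-package extension-provider data-cores 7
set chassis fpc 0 pic 1 adaptive-services service-package extension-provider object-cache-size 1280
set chassis fpc 0 pic 1 adaptive-services service-package extension-provider policy-db-size 64
set chassis fpc 0 pic 1 adaptive-services service-package extension-provider package jservices-appid
set chassis fpc 0 pic 1 adaptive-services service-package extension-provider package jservices-aacl
set chassis fpc 0 pic 1 adaptive-services service-package extension-provider package jservices-llpdf
set chassis fpc 0 pic 1 adaptive-services service-package extension-provider package jservices-idp
set chassis fpc 0 pic 1 adaptive-services service-package extension-provider package jservices-sfw
# Layer 3 package on the uKernel PIC (matches sp-3/1/0); assumed, the page does not show this step
set chassis fpc 3 pic 1 adaptive-services service-package layer-3
set chassis network-services ip
```

Load it with `load set terminal` in configuration mode and run `commit check` before committing; the profiles dummy-profile and lpdf-stats must already exist or the check fails. After the commit, `show services service-sets summary` confirms both service sets are bound to their PICs, `show services stateful-firewall flows` shows client sessions being tracked on sp-3/1/0, and `show services nat pool` shows OUTBOUND-SERVICES in use once FTP or HTTP traffic crosses ge-1/1/0.48. Note that the stateful firewall rule r2 accepts everything its term matches, so r1 only adds value if it is evaluated first in each service set.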
Release History Table

Release | Description
--------|------------
17.1R1  | The IDP functionality is deprecated for the MX Series in Junos OS Release 17.1R1 and later.
17.1R1  | The [edit security idp] statements are deprecated for the MX Series in Junos OS Release 17.1R1 and later.