Routing, Interfaces, and NAT for User Logical Systems

A user logical system lets its administrator configure routing protocols, interfaces, and NAT. Routing protocols handle all routing messages. NAT translates the IP address of a computer or group of computers into a single public address when packets are sent out to the internet. For more information, see the following topics:

Understanding Logical Systems Network Address Translation

Network Address Translation (NAT) is a method for modifying or translating network address information in packet headers. Either or both source and destination addresses in a packet may be translated. NAT can include the translation of port numbers as well as IP addresses.

Any combination of static, destination, or source NAT can be configured in the root or user logical systems. Configuring NAT in a logical system is the same as configuring NAT in a root system. The primary administrator can configure and monitor NAT in the primary logical system as well as any user logical system.

Starting in Junos OS Release 18.2R1, NAT is supported for logical systems on SRX4100 and SRX4200 devices, in addition to the existing support on SRX1500, SRX5400, SRX5600, and SRX5800 devices.

For each user logical system, the primary administrator can configure the maximum and reserved numbers for the following NAT resources:

  • Source NAT pools and destination NAT pools

  • IP addresses in source NAT pools with and without port address translation

  • Rules for source, destination, and static NAT

  • Persistent NAT bindings

  • IP addresses that support port overloading

From a user logical system, the user logical system administrator can use the operational command show system security-profile with a NAT option to view the number of NAT resources allocated to the user logical system.

Note:

The primary administrator can configure a security profile for the primary logical system that specifies the maximum and reserved numbers of NAT resources applied to the primary logical system. The number of resources configured in the primary logical system count toward the maximum number of NAT resources available on the device.

From a user logical system, the user logical system administrator can use the show security nat command to view the information about NAT for the user logical system. From the primary logical system, the primary administrator can use the same command to view information for the primary logical system, a specific user logical system, or all logical systems.

Example: Configuring Network Address Translation for a User Logical System

This example shows how to configure static NAT for a user logical system.

Requirements

Before you begin:

Overview

This example configures the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

Devices in the ls-product-design-untrust zone access a specific host in the ls-product-design-trust zone by way of the address 12.1.1.200/32. For packets that enter the ls-product-design logical system from the ls-product-design-untrust zone with the destination IP address 12.1.1.200/32, the destination IP address is translated to 12.1.1.100/32. This example configures the static NAT described in Table 1.

Table 1: User Logical System Static NAT Configuration

Feature: Static NAT rule set
Name: rs1
Configuration Parameters:
  • Rule r1 to match packets from the ls-product-design-untrust zone with destination address 12.1.1.200/32.
  • Destination IP address in matching packets is translated to 12.1.1.100/32.

Feature: Proxy ARP
Configuration Parameters: Address 12.1.1.200 on interface lt-0/0/0.3.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure NAT in a user logical system:

  1. Log in to the user logical system as the logical system administrator and enter configuration mode.

  2. Configure a static NAT rule set.

  3. Configure a rule that matches packets and translates the destination address in the packets.

  4. Configure proxy ARP.
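The configuration that Table 1 and steps 2 through 4 describe, written out as an added example (this is not the page's own command listing). The set commands are entered at the [edit] hierarchy level after logging in to the ls-product-design user logical system as its administrator.

```junos
# Added example: static NAT for the ls-product-design user logical system (Table 1).
# Entered at the [edit] hierarchy level by the logical system administrator.

# Step 2: rule set rs1 applies to packets arriving from the ls-product-design-untrust zone.
set security nat static rule-set rs1 from zone ls-product-design-untrust

# Step 3: rule r1 matches destination 12.1.1.200/32 and rewrites it to 12.1.1.100/32.
set security nat static rule-set rs1 rule r1 match destination-address 12.1.1.200/32
set security nat static rule-set rs1 rule r1 then static-nat prefix 12.1.1.100/32

# Step 4: proxy ARP so that lt-0/0/0.3 answers ARP requests for 12.1.1.200,
# an address that is not configured on any interface of this logical system.
set security nat proxy-arp interface lt-0/0/0.3 address 12.1.1.200/32
```

Static NAT only translates the address; a security policy from ls-product-design-untrust to ls-product-design-trust must still permit the traffic, and because static NAT is applied before the policy lookup, that policy matches on the translated address 12.1.1.100 rather than 12.1.1.200.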

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Static NAT Configuration

Purpose

Verify that there is traffic matching the static NAT rule set.

Action

From operational mode, enter the show security nat static rule command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Example: Configuring Interfaces and Routing Instances for a User Logical System

This example shows how to configure interfaces and routing instances for a user logical system.

Requirements

Before you begin:

Overview

This example configures the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

This example configures the interfaces and routing instances described in Table 2.

Table 2: User Logical System Interface and Routing Instance Configuration

Feature: Interface
Name: ge-0/0/5.1
Configuration Parameters:
  • IP address 12.1.1.1/24
  • VLAN ID 700

Feature: Routing instance
Name: pd-vr1
Configuration Parameters:
  • Instance type: virtual router
  • Includes interfaces ge-0/0/5.1 and lt-0/0/0.3
  • Static routes:
    • 13.1.1.0/24 next-hop 10.0.1.3
    • 14.1.1.0/24 next-hop 10.0.1.4
    • 12.12.1.0/24 next-hop 10.0.1.1

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an interface and a routing instance in a user logical system:

  1. Log in to the user logical system as the logical system administrator and enter configuration mode.

  2. Configure the logical interface for a user logical system.

  3. Configure the routing instance and assign interfaces.

  4. Configure static routes.
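The interface and routing instance from Table 2, written out as an added example rather than the page's own command listing. It assumes the primary administrator has already assigned ge-0/0/5.1 and lt-0/0/0.3 to the ls-product-design logical system and enabled VLAN tagging on the physical interface ge-0/0/5, which a user logical system administrator cannot do.

```junos
# Added example: interface and routing instance for ls-product-design (Table 2).
# Assumption: ge-0/0/5.1 and lt-0/0/0.3 are already assigned to this logical system
# and vlan-tagging is enabled on ge-0/0/5 by the primary administrator.

# Step 2: logical interface ge-0/0/5.1 with VLAN ID 700 and address 12.1.1.1/24.
set interfaces ge-0/0/5 unit 1 vlan-id 700
set interfaces ge-0/0/5 unit 1 family inet address 12.1.1.1/24

# Step 3: virtual-router instance pd-vr1 containing both logical interfaces.
set routing-instances pd-vr1 instance-type virtual-router
set routing-instances pd-vr1 interface ge-0/0/5.1
set routing-instances pd-vr1 interface lt-0/0/0.3

# Step 4: static routes live under the instance, not under the global routing-options,
# so they populate pd-vr1.inet.0 and stay separate from other logical systems' tables.
set routing-instances pd-vr1 routing-options static route 13.1.1.0/24 next-hop 10.0.1.3
set routing-instances pd-vr1 routing-options static route 14.1.1.0/24 next-hop 10.0.1.4
set routing-instances pd-vr1 routing-options static route 12.12.1.0/24 next-hop 10.0.1.1
```

After committing, show route table pd-vr1.inet.0 from operational mode lists the three static routes as active only if their next hops are reachable through an interface in the instance.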

Results

From configuration mode, confirm your configuration by entering the show interfaces and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Note:

The primary administrator configures the lt-0/0/0.3 interface. Thus, the lt-0/0/0.3 configuration appears in the show interfaces output even though you did not configure this item.

If you are done configuring the device, enter commit from configuration mode.

Example: Configuring OSPF Routing Protocol for a User Logical System

This example shows how to configure OSPF for a user logical system.

Requirements

Before you begin:

Overview

In this example, you configure OSPF for the ls-product-design user logical system, shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

This example enables OSPF routing on the ge-0/0/5.1 and lt-0/0/0.3 interfaces in the ls-product-design user logical system. You configure the following routing policies to export routes from the Junos OS routing table into OSPF in the pd-vr1 routing instance:

  • ospf-redist-direct—Routes learned from directly connected interfaces.

  • ospf-redist-static—Static routes.

  • ospf-to-ospf—Routes learned from OSPF.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure OSPF for the user logical system:

  1. Log in to the user logical system as the user logical system administrator and enter configuration mode.

  2. Create routing policies that accept routes.

  3. Apply the routing policies to routes exported from the Junos OS routing table into OSPF.

  4. Enable OSPF on the logical interfaces.
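The policies, export statements, and interface settings from steps 2 through 4, written out as an added example (not the page's own command listing). The area ID 0.0.0.0 is an assumption; the page does not state which area the interfaces belong to.

```junos
# Added example: OSPF in the pd-vr1 routing instance of ls-product-design.
# Assumption: the interfaces are in area 0.0.0.0 (the page does not give an area ID).

# Step 2: one policy per route source, each accepting the routes it matches.
set policy-options policy-statement ospf-redist-direct from protocol direct
set policy-options policy-statement ospf-redist-direct then accept
set policy-options policy-statement ospf-redist-static from protocol static
set policy-options policy-statement ospf-redist-static then accept
set policy-options policy-statement ospf-to-ospf from protocol ospf
set policy-options policy-statement ospf-to-ospf then accept

# Step 3: export the policies from the pd-vr1 routing table into OSPF.
set routing-instances pd-vr1 protocols ospf export ospf-redist-direct
set routing-instances pd-vr1 protocols ospf export ospf-redist-static
set routing-instances pd-vr1 protocols ospf export ospf-to-ospf

# Step 4: enable OSPF on both logical interfaces of the instance.
set routing-instances pd-vr1 protocols ospf area 0.0.0.0 interface ge-0/0/5.1
set routing-instances pd-vr1 protocols ospf area 0.0.0.0 interface lt-0/0/0.3
```

As written, nothing authenticates OSPF neighbors, so any host on VLAN 700 could form an adjacency and inject routes into pd-vr1; in Junos, adding authentication md5 under the area interface stanza for ge-0/0/5.1 requires a shared key before an adjacency is accepted on that link.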

Results

From configuration mode, confirm your configuration by entering the show policy-options and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying OSPF Interfaces

Purpose

Verify OSPF-enabled interfaces.

Action

From the CLI, enter the show ospf interface instance pd-vr1 command.

Verifying OSPF Neighbors

Purpose

Verify OSPF neighbors.

Action

From the CLI, enter the show ospf neighbor instance pd-vr1 command.

Verifying OSPF Routes

Purpose

Verify OSPF routes.

Action

From the CLI, enter the show ospf route instance pd-vr1 command.