Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Secured Port Block Allocation

Secured Port Block Allocation for NAPT44 and NAT64 Overview

Secured port block allocation ensures that when a subscriber requires a port to be assigned for the first time, a block of ports are allocated to the particular user. Here, a subscriber is defined uniquely as a private IP address and service set ID. Because the subscriber has a block of ports assigned to it, all subsequent requests from this subscriber use ports from the assigned block. A new port block is allocated when the current active block is exhausted, or after the active port block timeout interval has expired. You can configure the maximum number of blocks allocated to a user. This behavior of allocation of NAT ports in blocks is different from the traditional NAT utility where the request for a port allocates a single port and not a group of ports in a block.

You can use the secured port block allocation mechanism to allocate ports in blocks for NAPT44 (translation of an IPv4 address to an IPv4 address) and NAT64 (translation of an IPv6 address to an IPv4 address) types. By using secured port block allocation, the port usage might be a little inefficient, depending on traffic patterns. Secured port block allocation is supported on MX series routers with MS-DPCs and on M Series routers with MS-100, MS-400, and MS-500 MultiServices PICS. Starting in Junos OS release 14.2R2, secured port block allocation is supported on MX series routers with MS-MPCs and MS-MICs.

Starting with Junos OS Release 15.1, in an environment in which Junos Address Aware (carrier-grade NAT) is employed, service providers or carrier operators can monitor and track the consumption of resources and types of services being utilized by subscribers or users in an easier and effective manner by using system logging messages recorded for the allocation of ports to clients. By using IP addresses in RADIUS or DHCP logs, evaluation of the logs is performed to analyze an determine the services usage and bandwidth consumption by subscribers. With carrier-grade NAT, because IP addresses are shared by multiple subscribers, examining logs to track the IP addresses and ports that are part of the system logs might be time-consuming and difficult. Also, because ports are allocated and released at frequent intervals depending on the logging-in and closure of subscriber sessions, a large number of logs are triggered for every port allocation and deallocation. As a result, excessive syslogs render it cumbersome to archive and correlate the logs to identify a subscriber. You can now allocate ports in blocks, which reduces the amount of syslogs considerably.

Benefits of Secured Port Block Allocation

  • Reduces the effort to correlate logs to a subscriber

  • Reduces the number of logs

Guidelines for Configuring Secured Port Block Allocation

Keep the following points in mind when you configure secured PBA:

  • Block size is not configurable at the NAT rule level.

  • Increase in setup rate of sessions is not impacted when you configure secured PBA.

  • If a block of a particular size is not available, an out-of-ports message is displayed and smaller-sized blocks are not allocated alternatively in such a scenario.

  • Addresses in the pool using port-block-allocation method cannot be used in any other pool.

  • Port range in the NAT pool must be contiguous.

  • Preserve parity (Allocate ports with same parity as the original port) is not supported with block-allocation of ports.

  • The limitation on the number of open sessions when the specified threshold is reached (for intrusion detection services) and the maximum number of blocks that can be allocated to a user address that is configured for secured PBA are independent functionalities.

  • The functionality to preserve privileged port range after translation is not supported. The blocks are assigned from unprivileged port range (1024-65535). For ports in privileged range, port block allocation method is not applicable.

  • Port usage efficiency is lower when port-block allocation is enabled. PBA does not use ports from 0-1023 of a NAT IP address.

  • If you configure the automatic port assignment method, which enables sequential assignment of ports, the port range from 1024 through 65535 is available for allocation to users.

  • Port blocks can start at any start port that you can configure.

  • The number of ports used is dependent on the block size and the rest of the ports are not be used.

  • An overloaded pool, which indicates an address pool that can be used if the source pool becomes exhausted, is not supported with secured PBA.

  • NAT IP addresses of PBA pool must not overlap with any other pool. Although a validation is not performed to identify whether any overlapping pools exist, you must ensure that the addresses of a pool that is used for PBA are not used in other pools. This condition is because some of the users require the overload pool to use the same IP addresses as that of NAT IP addresses, but a different port range of PBA pool to support the address pooling paired (APP) functionality.

  • The block-size is fixed per NAT pool and is configurable at the NAT pool level. Multiple port blocks can be allocated to a private IP address.

  • You can configure the maximum number of blocks per pool per subscriber by including the max-blocks-per-user max-blocks statement at the [edit services nat pool pool-name port secured-port-block-allocation] hierarchy level. If a subscriber matches two pools, that particular user can be allocated a maximum of port blocks that equals the sum of the maximum number of port blocks for each pool for that subscriber. New requests for NAT ports arrive from the current active block only.

  • Ports can be allocated randomly from the current active block, which specifies whether ports should be allocated sequentially or randomly within the port block.

  • A block is active for a timeout interval that you can define by including the active-block-timeout timeout-seconds at the [edit services nat pool pool-name port secured-port-block-allocation] hierarchy level. After the timeout period, a new block is allocated even if ports are available in the active block. The default timeout of an active block is 120 seconds. When you configure it as 0 (infinite), the active block transitions to inactive only when it runs out of ports and a new block is allocated.

  • If the maximum number of blocks of blocks is exceeded, and a new request is received, the active block is moved to a block that contains available ports. Any non-active block without any ports in use is freed to NAT pool.

  • In addition to tracking port blocks assigned to each private IP address, actual ports in use are also computed and maintained. This metric is used to calculate port usage efficiency.

  • A syslog message is generated for each block allocation and release. The format of the message is similar to the messages recorded for individual port allocation and release.

  • Session setup rate is the same or slightly improved than the existing non-block allocation setup rate. NAT pool using block-port allocation method can have partial port ranges. If the address is used for port forwarding, those ports can be removed from the pool port range. You can configure partial port ranges by using the port range low minimum-value high maximum-value random-allocation statement at the [edit services nat pool nat-pool-name] hierarchy level. Port block allocation works in the same manner as NAPT44 for TCP, UDP, and ICMP traffic.

  • Randomness can be achieved by allocating ports randomly within the block and changing active block periodically. The block of ports do not contain random ports (ports within the block are sequential). This capability is supported with aggregated multiservices (ams) interfaces.

  • The starting port number is calculated differently in the microkernel and in Junos OS Extension-Provider packages. In the microkernel, the starting or first port is the nearest multiple of the block size after 1023. In that implementation, more ports are wasted because ports are wasted at the beginning and the end of the port range depending on the block size. In Junos OS Extension-Provider packages, the start port of a block is not restricted to a multiple of the block size. The start port can start at the lower boundary of the range of the port configured.

Configuring Secured Port Block Allocation

Secured port block allocation is supported on MX series routers with MS-DPCs and on M Series routers with MS-100, MS-400, and MS-500 MultiServices PICS. Secured port block allocation is supported on MX series routers with MS-MPCs and MS-MICs starting in Junos OS release 14.2R2. To configure secured port block allocation:

  1. At the [edit services nat pool nat-pool-name] hierarchy level, create a pool.

    For example:

  2. Define the range of addresses to be translated, specifying the upper and lower limits of the range or an address prefix that describes the range.


    For example:

  3. Define the range of ports to be used in the translation, or use automatic port assignment by the Junos OS. You can optionally specify random assignment of ports; sequential assignment is the default.


    For example:



    When you configure a port range, the range should be a multiple of the port block-size value (see Step 4). When the nat pool port range is not a multiple of the port block-size value, the number of ports or port-blocks that are effectively available for use is less than the configured number of ports and port-blocks.

    When you configure automatic assignment of ports, the available port range for allocation is 1024 through 65535. Automatic allocation can result in no ports being available for use. Use the show services nat pool command on the Routing Engine after you configure the port block allocation method to determine the number of ports and port blocks available for allocation to users.

  4. Configure secured port block allocation. Specify active-block-timeout, block-size, and max-blocks-per-address, or accept the default values for those options.

    For example:


In order for secured-port-block-allocation configuration changes to take effect, you must reboot the services PIC whenever you change any of the following nat pool options:

  • nat-pool-name

  • address or address-range

  • port range

  • port secured-port-block-allocation block-size

  • port secured-port-block-allocation max-blocks-per-address.

  • port secured-port-block-allocation active-block-timeout.

  • from hierarchy in the nat rule


If you make any configuration changes related to a NAT pool that has secured port block allocation configured, you must delete the existing NAT address pool, wait at least 5 seconds, and then configure a new NAT address pool. We also strongly recommend that you perform this procedure if you make any changes to the NAT pool configuration, even when secured port block allocation is not configured.


MS-MICs and MS-MPCs support up to a maximum of nine million port blocks per NPU. If your configuration exceeds this maximum supported number, one or more service sets might not be activated on that NPU.

Release History Table
Starting in Junos OS release 14.2R2, secured port block allocation is supported on MX series routers with MS-MPCs and MS-MICs.