Configuring Port Control Protocol

This topic describes how to configure Port Control Protocol (PCP). PCP is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICs. Starting in Junos OS Release 17.4R1, PCP for NAPT44 is also supported on the MS-MPC and MS-MIC. Starting in Junos OS Release 18.2R1, PCP on the MS-MPC and MS-MIC supports DS-Lite. In Junos OS Release 18.1 and earlier releases, PCP on the MS-MPC and MS-MIC does not support DS-Lite. Starting in Junos OS Release 20.2R1, PCP is supported on the MX-SPC3 security services card for CGNAT services.

Perform the following configuration tasks:

Configuring PCP Server Options

  1. Specify a PCP server name.
  2. Set the IPv4 or IPv6 addresses of the server. For PCP DS-Lite, the ipv6-address must match the address of the AFTR (Address Family Transition Router or softwire concentrator).
    Note:

    Starting in Junos OS Release 18.2R1, PCP on the MS-MPC and MS-MIC supports DS-Lite. In Junos OS Release 18.1 and earlier releases, PCP on the MS-MPC and MS-MIC does not support DS-Lite.

  3. For PCP DS-Lite, provide the name of the DS-Lite softwire concentrator configuration.
  4. Specify the minimum and maximum mapping lifetimes for the server.
  5. Specify the time limits for generating short lifetime or long lifetime errors.
  6. (Optional)—Enable PCP options on the specified PCP server. The following options are available: third-party and prefer-failure. The third-party option is required to enable third-party requests by the PCP client. DS-Lite requires the third-party option. The prefer-failure option requests generation of an error message when the PCP client requests a specific IP address/port that is not available, rather than assigning another available address from the NAT pool. If prefer-failure is not specified, NAPT44 assigns an available address/port from the NAT pool based on the configured NAT options.
  7. (Optional)—Specify which NAT pool to use for mapping.
    Note:

    When you do not explicitly specify a NAT pool for mapping, the Junos OS performs a partial rule match based on source IP, source port, and protocol, and the Junos OS uses the NAT pool configured for the first matching rule to allocate mappings for PCP.

    You must use explicit configuration in order to use multiple NAT pools.

    For the MX-SPC3 security services card and Next Gen Services, the nat-options statement supports only one pool name to attach to a PCP server.

  8. (Optional)—Configure the maximum number of mappings per client. The default is 32 and the maximum is 128.
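
The third-party and prefer-failure options in step 6 correspond to the THIRD_PARTY and PREFER_FAILURE options carried in a PCP MAP request (RFC 6887). The parser below is an added example, not part of the Juniper documentation; it decodes a MAP request so an operator can see which client is asking for a mapping, for which internal host, and whether it insists on a specific external address/port. The function names and the sample packet (documentation-range addresses) are constructed for illustration.

```python
import ipaddress
import struct

MAP = 1                              # RFC 6887 opcode
THIRD_PARTY, PREFER_FAILURE = 1, 2   # RFC 6887 option codes

def _addr(raw):
    """PCP carries IPv4 as IPv4-mapped IPv6; return the natural form."""
    ip = ipaddress.IPv6Address(raw)
    return str(ip.ipv4_mapped or ip)

def parse_map_request(pkt):
    """Parse a PCP v2 MAP request into the fields an operator would audit."""
    if not 60 <= len(pkt) <= 1100 or len(pkt) % 4:
        raise ValueError("bad PCP MAP request length")
    version, r_op, _, lifetime = struct.unpack("!BBHI", pkt[:8])
    if version != 2 or r_op != MAP:          # R bit clear and opcode MAP
        raise ValueError("not a PCP v2 MAP request")
    # Bytes 24-35 are the mapping nonce; protocol and ports follow it.
    proto, int_port, ext_port = struct.unpack("!B3xHH", pkt[36:44])
    req = {"client": _addr(pkt[8:24]), "lifetime": lifetime,
           "protocol": proto, "internal_port": int_port,
           "suggested": (_addr(pkt[44:60]), ext_port),
           "third_party": None, "prefer_failure": False}
    off = 60
    while off < len(pkt):                    # option: code, reserved, length, data
        code, _, olen = struct.unpack("!BBH", pkt[off:off + 4])
        data = pkt[off + 4:off + 4 + olen]
        if len(data) != olen:
            raise ValueError("truncated option")
        if code == THIRD_PARTY and olen == 16:
            req["third_party"] = _addr(data)     # host the mapping is really for
        elif code == PREFER_FAILURE and olen == 0:
            req["prefer_failure"] = True         # error instead of another address
        off += 4 + (olen + 3) // 4 * 4       # option data is padded to 4 octets
    return req

def sample_request(options=True):
    """Constructed sample: 192.0.2.10 asks for TCP 8080 on behalf of 192.0.2.77."""
    v4 = lambda a: ipaddress.IPv6Address("::ffff:" + a).packed
    pkt = struct.pack("!BBHI", 2, MAP, 0, 3600) + v4("192.0.2.10")
    pkt += bytes(12) + struct.pack("!B3xHH", 6, 8080, 8080) + v4("203.0.113.5")
    if options:
        pkt += struct.pack("!BBH", THIRD_PARTY, 0, 16) + v4("192.0.2.77")
        pkt += struct.pack("!BBH", PREFER_FAILURE, 0, 0)
    return pkt

if __name__ == "__main__":
    print(parse_map_request(sample_request()))
```

A request whose third_party value differs from its client address is one that only succeeds when the third-party option is enabled on the PCP server, which makes that field the one to review when deciding whether to enable it.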

Configuring a PCP Rule

A PCP rule has the same basic options as all service set rules:

  • A term option that allows a single rule to have multiple applications.

    A term is not required when running the MX-SPC3 security services card for Next Gen Services.

  • A from option that identifies the traffic that is subject to the rule.

  • A then option that identifies what action is to be taken. In the case of a PCP rule, this option identifies the PCP server that handles selected traffic.

  1. Go to the [edit services pcp rule rule-name] hierarchy level and specify match-direction input.
  2. Go to the [edit services pcp rule rule-name term term-name] hierarchy level and provide a term name.

    This step is not required when running the MX-SPC3 security services card for Next Gen Services.

  3. (Optional)—Provide a from option to filter the traffic to be selected for processing by the rule. When you omit the from option, all traffic handled by the service set’s service interface is subject to the rule. The following options are available at the [edit services pcp rule rule-name term term-name from] hierarchy level:
    application-sets set-name

    Traffic for the application set is processed by the PCP rule.

    This step is not required when running the MX-SPC3 security services card for Next Gen Services.

    applications [ application-name ]

    Traffic for the application is processed by the PCP rule.

    This option is not required when running the MX-SPC3 security services card for Next Gen Services.

    destination-address address <except>

    Traffic for the destination address or prefix is processed by the PCP rule. If you include the except option, traffic for the destination address or prefix is not processed by the PCP rule.

    destination-address-range high maximum-value low minimum-value <except>

    Traffic for the destination address range is processed by the PCP rule. If you include the except option, traffic for the destination address range is not processed by the PCP rule.

    destination-port high maximum-value low minimum-value

    Traffic for the destination port range is processed by the PCP rule.

    destination-prefix-list list-name <except>

    Traffic for a destination address in the prefix list is processed by the PCP rule. If you include the except option, traffic for a destination address in the prefix list is not processed by the PCP rule.

    source-address address <except>

    Traffic from the source address or prefix is processed by the PCP rule. If you include the except option, traffic from the source address or prefix is not processed by the PCP rule.

    source-address-range high maximum-value low minimum-value <except>

    Traffic from the source address range is processed by the PCP rule. If you include the except option, traffic from the source address range is not processed by the PCP rule.

    source-prefix-list list-name <except>

    Traffic from a source address in the prefix list is processed by the PCP rule. If you include the except option, traffic from a source address in the prefix list is not processed by the PCP rule.

  4. Set the then option to identify the target PCP server.

Configuring a NAT Rule

To configure a NAT rule:

  1. Configure the NAT rule name and the match direction.
  2. Specify the NAT pool to use.
  3. Configure the translation type.
  4. If you are using PCP with IPv4-to-IPv4 NAT or with DS-Lite, configure endpoint-independent mapping (EIM) and endpoint-independent filtering (EIF).
    Note:

    The PCP mappings are not created if you do not configure EIM and EIF with PCP for IPv4-to-IPv4 NAT or for DS-Lite.

Configuring a Service Set to Apply PCP

To use PCP, you must provide the rule name (or name of a list of rule names) in the pcp-rule rule-name option.

  1. Go to the [edit services service-set service-set-name] hierarchy level.
  2. If this is a new service set, provide basic service set information, including interface information and any other rules that may apply.
  3. Specify the name of the PCP rule or rule list used to send traffic to the specified PCP server.
Note:

Your service set must also identify any required nat-rule and softwire-rule.

SYSLOG Message Configuration

A new syslog class configuration option, pcp-logs, has been provided to control PCP log generation. It provides the following levels of logging:

  • protocol—All logs related to mapping creation and deletion are included at this level of logging.

  • protocol-error—All protocol error related logs (such as mapping refresh failed, PCP look up failed, mapping creation failed) are included in this level of logging.

  • system-error—Memory and infrastructure errors are included in this level of logging.

Release History Table

Release   Description
20.2R1    Starting in Junos OS release 20.2R1 PCP is supported on the MX-SPC3 security services card for CGNAT services.
18.2R1
17.4R1    Starting in Junos OS Release 17.4R1, PCP for NAPT44 is also supported on the MS-MPC and MS-MIC.