Routing

  • 1.  restrict flows on CGNAT MS-MPC

    Posted 04-24-2015 02:33

    Hello!

    How do I limit the number of flow sessions per subscriber on MS-MPC? In which software version can this be done?

     



  • 2.  RE: restrict flows on CGNAT MS-MPC
    Best Answer

    Posted 04-24-2015 08:55

    Hello,

    You can limit flows indirectly by limiting ports:

     

            pool CGNAT3-napt44-pool {
                address-range low 198.18.2.0 high 198.18.3.239;
                port {
                    automatic {
                        random-allocation;
                    }
                }
                address-allocation round-robin;
                mapping-timeout 120;
                limit-ports-per-address 1024;
            }

    HTH

    Thanks

    Alex



  • 3.  RE: restrict flows on CGNAT MS-MPC

    Posted 04-27-2015 07:54

    Thank you!

    It works!



  • 4.  RE: restrict flows on CGNAT MS-MPC

    Posted 05-07-2015 05:35

    How do I limit sessions per IP on CGNAT? 🙂

    Only use PBA?



  • 5.  RE: restrict flows on CGNAT MS-MPC

    Posted 05-08-2015 03:56

    Hello,

    Assuming You don't turn on EIM nor EIF on MS-MPC|MIC, then either PBA or "limit-ports-per-address" restrict the number of master flows to 1 per port which is what You strive for, as I understand.

    With EIM turned on, if src.port is constant (i.e. BitTorrent client), then neither PBA nor "limit-ports-per-address" restrict outgoing master flows/sessions.

    With EIF turned on, then unsolicited flows incoming from internet won't be restricted by PBA nor by "limit-ports-per-address".

    HTH

    Thanks

    Alex



  • 6.  RE: restrict flows on CGNAT MS-MPC

    Posted 05-08-2015 05:54

     

     

    You mean the number of sessions/flows per real IP/white IP?



  • 7.  RE: restrict flows on CGNAT MS-MPC

    Posted 05-08-2015 06:00

    Hello,

     


    @radeon-1 wrote:

     

     

    You mean the number of sessions/flows per real IP/white IP?


    As I mentioned before, without EIM and without EIF, either "limit-ports-per-address" or PBA restrict the number of master flows to 1 per xlated port. Given that each "real IP/white IP" in NAT pool has 64512 available ports to be translated into by default (JNPR CGNAT does not have separate TCP and UDP port spaces), this will restrict the number of sessions to 64512 per "real IP/white IP".

    HTH

    Thanks

    Alex



  • 8.  RE: restrict flows on CGNAT MS-MPC

    Posted 05-08-2015 06:38

    EIM and EIF are turned on, but the distribution across the pool's addresses is bad...


     

     

     

     

    Settings on my CGNAT

     

    admin@M9_mx480> show services nat pool detail 
    Interface: ms-0/0/0, Service set: DELTA
      NAT pool: DELTA_REAL_IP, Translation type: NAPT-44
        Address range: 111.111.111.1-111.111.111.1
        Port range: 1024-65535, Ports in use: 0, Out of port errors: 0, Max ports used: 3
        AP-P out of port errors: 0
    
    Interface: mams-0/0/0 (ams0), Service set: AMS
      NAT pool: POOL-M9_BRAS, Translation type: NAPT-44
        Address range: 111.111.111.2-111.111.111.32
        Address range: 111.111.111.126-111.111.111.127
        Port range: 1024-65535, Ports in use: 74276, Out of port errors: 28868740, Max ports used: 146664
        AP-P out of port errors: 0
    
    Interface: mams-0/1/0 (ams0), Service set: AMS
      NAT pool: POOL-M9_BRAS, Translation type: NAPT-44
        Address range: 111.111.111.33-111.111.111.63
        Port range: 1024-65535, Ports in use: 74614, Out of port errors: 16448425, Max ports used: 162218
        AP-P out of port errors: 0
    
    Interface: mams-0/2/0 (ams0), Service set: AMS
      NAT pool: POOL-M9_BRAS, Translation type: NAPT-44
        Address range: 111.111.111.64-111.111.111.94
        Port range: 1024-65535, Ports in use: 80809, Out of port errors: 24445033, Max ports used: 144549
        AP-P out of port errors: 0
    
    Interface: mams-0/3/0 (ams0), Service set: AMS
      NAT pool: POOL-M9_BRAS, Translation type: NAPT-44
        Address range: 111.111.111.95-111.111.111.125
        Port range: 1024-65535, Ports in use: 86385, Out of port errors: 19831525, Max ports used: 151456
        AP-P out of port errors: 0
    
    {master}
    admin@M9_mx480> 
    
    
    {master}
    admin@M9_mx480> show services nat mappings summary 
    
    Service Interface:                                          ms-0/0/0  
    Total number of address mappings:                           1838      
    Total number of endpoint independent port mappings:         56279     
    Total number of endpoint independent filters:               0         
    
    Service Interface:                                          ms-0/1/0  
    Total number of address mappings:                           1861      
    Total number of endpoint independent port mappings:         58639     
    Total number of endpoint independent filters:               0         
    
    Service Interface:                                          ms-0/2/0  
    Total number of address mappings:                           1842      
    Total number of endpoint independent port mappings:         62164     
    Total number of endpoint independent filters:               0         
    
    Service Interface:                                          ms-0/3/0  
    Total number of address mappings:                           1866      
    Total number of endpoint independent port mappings:         65797     
    Total number of endpoint independent filters:               0         
    
    {master}
    admin@M9_mx480> 
    
    
    
    {master}
    admin@M9_mx480> show configuration services nat    
    pool POOL-M9_BRAS {
        address-range low 111.111.111.2 high 111.111.111.127;
        port {
            automatic {
                random-allocation;
            }
        }
        address-allocation round-robin;
        mapping-timeout 120;
        limit-ports-per-address 1024;
    }
    pool DELTA_REAL_IP {
        address 111.111.111.1/32;
        port {
            automatic {
                random-allocation;
            }
        }
        address-allocation round-robin;
    }
    rule AMS {
        match-direction input;
        term OFFICE {
            from {
                source-address {
                    192.168.72.0/24;
                }
                application-sets ALG_WITHOUT_EIM_EIF;
            }
            then {
                translated {
                    source-pool POOL-M9_BRAS;
                    translation-type {
                        napt-44;
                    }
                    address-pooling paired;
                }
            }
        }
        term OFFICE_IEM {
            from {
                source-address {
                    192.168.72.0/24;
                }
            }
            then {
                translated {
                    source-pool POOL-M9_BRAS;
                    translation-type {
                        napt-44;
                    }
                    mapping-type endpoint-independent;
                    filtering-type {
                        endpoint-independent;
                    }
                    address-pooling paired;
                }
            }
        }
        term BRAS {
            from {
                source-prefix-list {
                    BRAS_NETWORK_NAT;
                }
                application-sets ALG_WITHOUT_EIM_EIF;
            }
            then {
                translated {
                    source-pool POOL-M9_BRAS;
                    translation-type {
                        napt-44;
                    }
                    address-pooling paired;
                }
            }
        }
        term BRAS_IEM {
            from {
                source-prefix-list {
                    BRAS_NETWORK_NAT;
                }
            }
            then {
                translated {
                    source-pool POOL-M9_BRAS;
                    translation-type {
                        napt-44;
                    }
                    mapping-type endpoint-independent;
                    filtering-type {
                        endpoint-independent;
                    }
                    address-pooling paired;
                }
            }
        }
        term BRAS_Services {
            from {
                source-prefix-list {
                    BRAS_Services;
                }
                application-sets ALG_WITHOUT_EIM_EIF;
            }
            then {
                translated {
                    source-pool POOL-M9_BRAS;
                    translation-type {      
                        napt-44;
                    }
                    address-pooling paired;
                }
            }
        }
        term BRAS_Services_IEM {
            from {
                source-prefix-list {
                    BRAS_Services;
                }
            }
            then {
                translated {
                    source-pool POOL-M9_BRAS;
                    translation-type {
                        napt-44;
                    }
                    mapping-type endpoint-independent;
                    filtering-type {
                        endpoint-independent;
                    }
                    address-pooling paired;
                }
            }
        }
    }
    rule DELTA_REAL-IP {
        match-direction input;
        term 10 {
            from {
                source-address {
                    192.168.72.0/24;
                }
                destination-address {
                    216.146.46.10/32;
                }
                source-prefix-list {
                    BRAS_NETWORK_NAT;
                }
            }
            then {
                translated {
                    source-pool DELTA_REAL_IP;
                    translation-type {
                        napt-44;
                    }
                    address-pooling paired;
                }
            }
        }
    }
                                            
    {master}
    admin@M9_mx480> 

     



  • 9.  RE: restrict flows on CGNAT MS-MPC

    Posted 05-08-2015 06:56

    Hi there,

     


    @radeon-1 wrote:

    EIM and EIF are turned on, but the distribution across the pool's addresses is bad...


    Sorry, what exactly is "bad"? 

     

    Thanks

    Alex



  • 10.  RE: restrict flows on CGNAT MS-MPC

    Posted 05-08-2015 07:08


    Incomplete utilization of the pool... in other words, I would like as many free IPs as possible to be used by CGNAT.



  • 11.  RE: restrict flows on CGNAT MS-MPC

    Posted 05-08-2015 07:19

    Hello,

     


    @radeon-1 wrote:


    Incomplete utilization of the pool... in other words, I would like as many free IPs as possible to be used by CGNAT.


    What makes You think there are completely unused IPs in Your pool?

    Please post the printout:

     

    show services nat mappings address-pooling-paired | no-more

    I bet You will see that every public IP in the pool has at least 1 private IP mapped into it, and it will likely show that dozens of private IPs (~1800/31=60) are mapped into every single public IP.

    HTH

    Thanks

    Alex



  • 12.  RE: restrict flows on CGNAT MS-MPC

    Posted 05-08-2015 07:31

    Hmm... it's good?

    Attachment: nats_flow.txt (1.03 MB)


  • 13.  RE: restrict flows on CGNAT MS-MPC

    Posted 05-08-2015 08:25

    Hello,

     

    Of course it is.

    Here is the full list of Your public IPs which have at least 1 private IP mapped into it ("mapped" means "have translations ongoing").

     


    As far as I can see, there are no gaps in this list, so ALL and EVERY public IP in Your pool has translations.

    As for why You have so many unused PORTS - this is an entirely different topic, and I believe with 8 MILLION public ports and very few private IPs (I counted 7513 unique private IPs in the file You provided), the pool PORTS utilization is going to be low.

    HTH

    Thanks

    Alex
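
An added example, not part of the thread and not Juniper code: a parser for the `show services nat pool detail` output posted in reply 8 that turns each stanza into port capacity, utilization and out-of-port counters, so low port utilization and port-allocation failures can be tracked per service interface. The function and field names are assumptions of this example; the sample is two stanzas copied from that post.

```python
import ipaddress
import re

# Two stanzas copied from the `show services nat pool detail` output in post 8.
SAMPLE = """\
Interface: ms-0/0/0, Service set: DELTA
  NAT pool: DELTA_REAL_IP, Translation type: NAPT-44
    Address range: 111.111.111.1-111.111.111.1
    Port range: 1024-65535, Ports in use: 0, Out of port errors: 0, Max ports used: 3
    AP-P out of port errors: 0

Interface: mams-0/0/0 (ams0), Service set: AMS
  NAT pool: POOL-M9_BRAS, Translation type: NAPT-44
    Address range: 111.111.111.2-111.111.111.32
    Address range: 111.111.111.126-111.111.111.127
    Port range: 1024-65535, Ports in use: 74276, Out of port errors: 28868740, Max ports used: 146664
    AP-P out of port errors: 0
"""

ADDR = re.compile(r"Address range: ([\d.]+)-([\d.]+)")
PORT = re.compile(r"Port range: (\d+)-(\d+), Ports in use: (\d+), "
                  r"Out of port errors: (\d+), Max ports used: (\d+)")

def span(lo, hi):
    """Number of IPv4 addresses in the inclusive range lo..hi."""
    return int(ipaddress.IPv4Address(hi)) - int(ipaddress.IPv4Address(lo)) + 1

def parse_pools(text):
    """Return one dict per 'Interface:' stanza with port capacity and usage."""
    pools = []
    for stanza in re.split(r"\n(?=[ \t]*Interface: )", text.strip()):
        port = PORT.search(stanza)
        if not port:          # skip CLI prompts or truncated stanzas
            continue
        lo_p, hi_p, in_use, errors, peak = map(int, port.groups())
        addresses = sum(span(lo, hi) for lo, hi in ADDR.findall(stanza))
        capacity = addresses * (hi_p - lo_p + 1)   # 64512 ports per address here
        pools.append({
            "interface": re.search(r"Interface: ([^\s,]+)", stanza).group(1),
            "pool": re.search(r"NAT pool: ([^\s,]+)", stanza).group(1),
            "addresses": addresses, "capacity": capacity,
            "in_use": in_use, "peak": peak, "out_of_port_errors": errors,
            "utilization_pct": round(100 * in_use / capacity, 2) if capacity else 0.0,
            # Errors were counted although peak usage never reached pool capacity.
            "errors_below_capacity": errors > 0 and peak < capacity,
        })
    return pools

if __name__ == "__main__":
    for p in parse_pools(SAMPLE):
        print(p)
```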