Juniper JUNOS OS 10.4 - RELEASE NOTES REV 6 Release Note page 27

Copyright © 2011, Juniper Networks, Inc.
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
To use JSF to run stateful firewall, you must configure the jservices-sfw
package at the
[edit chassis fpc slot pic slot adaptive-services service-package extension-provider
package]
hierarchy level. In addition, you must configure stateful firewall rules and a
service set with a Multiservice interface. To check the configuration, use the
show configuration services stateful-firewall command. To show the run time
(dynamic state) information on the interface, use the show services sessions
command.
[Services Interfaces]
Transition of IPv4 traffic to IPv6 addresses using Dual Stack Lite (DS-Lite)—Adds
support for DS-Lite, a means for transitioning IPv4 traffic to IPv6 addresses. This
transition will become necessary as the supply of unique IPv4 addresses nears
exhaustion. New subscriber homes are allocated IPv6 addresses and IPv6-capable
equipment; DS-Lite provides a method for the private IPv4 addresses behind the IPv6
equipment to reach the IPv4 network. An IPv4 host communicates with a NAT endpoint
over an IPv6 network using softwires. DS-Lite creates the IPv6 softwires that terminate
on the services PIC. Packets coming out of the softwire can then have other services
such as NAT applied on them.
[Services Interfaces, System Basics and Services Command Reference]
Round-robin allocation for NAPT addresses—You can now specify round-robin address
allocation from NAT pools when you use NAPT. In the default method of
address-allocation, NAT addresses are allocated sequentially. All of the addresses in
a given range must be allocated before addresses from a different range are allocated.
The following example illustrates the sequential (legacy) implementation, which is
still available to provide backward compatibility.
pool napt {
    address-range low 9.9.99.1 high 9.9.99.3;
    address-range low 9.9.99.4 high 9.9.99.6;
    address-range low 9.9.99.8 high 9.9.99.10;
    address-range low 9.9.99.12 high 9.9.99.13;
    port {
        range low 3333 high 3334;
    }
}
In this example, for each unique source address, a new address range is used for
allocation only when there are no ports available in the previous address range. Address
9.9.99.4:3333 is picked only when all ports for addresses in the first range are exhausted.
The first connection is allocated NAT address 9.9.99.1:3333.
The second connection is allocated 9.9.99.1:3334.
The third connection is allocated 9.9.99.2:3333.
The fourth connection is allocated 9.9.99.2:3334, and so on.
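The allocation order can be checked offline. The following is an added example, not part of the Juniper release notes or of Junos: it parses the pool stanza shown above and enumerates the address:port order for the sequential method and for the round-robin method introduced in the next paragraph. The function names are hypothetical, the model ignores per-source-address state, and wrapping back to the first range with the next port in round-robin mode is an assumption.

```python
import ipaddress
import re

# Pool stanza copied from the release note above.
POOL = """
pool napt {
    address-range low 9.9.99.1 high 9.9.99.3;
    address-range low 9.9.99.4 high 9.9.99.6;
    address-range low 9.9.99.8 high 9.9.99.10;
    address-range low 9.9.99.12 high 9.9.99.13;
    port {
        range low 3333 high 3334;
    }
}
"""

def parse_pool(text):
    """Return (one list of addresses per address-range, list of ports)."""
    ranges = []
    for low, high in re.findall(r"address-range low (\S+) high (\S+);", text):
        lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
        if hi < lo:
            raise ValueError(f"inverted address-range {low}-{high}")
        ranges.append([str(lo + i) for i in range(int(hi) - int(lo) + 1)])
    # The port range is the only "range low" not preceded by "address-".
    m = re.search(r"(?<!address-)range low (\d+) high (\d+);", text)
    if not m or not ranges:
        raise ValueError("pool needs an address-range and a port range")
    return ranges, list(range(int(m.group(1)), int(m.group(2)) + 1))

def sequential(ranges, ports):
    """Default order: use every port of an address, then every address of
    a range, before moving to the next range."""
    return [(a, p) for r in ranges for a in r for p in ports]

def round_robin(ranges, ports):
    """One port from each address in a range, then the next range.
    Wrapping to the first range with the next port is an assumption."""
    return [(a, p) for p in ports for r in ranges for a in r]

if __name__ == "__main__":
    ranges, ports = parse_pool(POOL)
    for name, order in (("sequential", sequential(ranges, ports)),
                        ("round-robin", round_robin(ranges, ports))):
        print(name, [f"{a}:{p}" for a, p in order[:7]])
```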
To configure round-robin allocation for NAT pools, include the
address-allocation round-robin configuration statement at the
[edit services nat pool pool-name] hierarchy
level. When you use round-robin allocation, one port is allocated from each address
in a range before repeating the process for each address in the next range. After ports