[j-nsp] NAT Redundancy on Juniper routers

2011-01-10 Thread Gökhan Gümüş
Hi all,

I am trying to achieve redundancy on Juniper routers while performing NAT.

I have two Juniper MX960 routers on the backbone with a VRRP setup. I am
configuring NAT on R1 successfully. The same NAT rules exist on the other
router, but on R2 the static route which points to the sp interface is
deactivated. Is there any way to achieve automatic failover capability on
NAT? In other words, if something happened on R1, can R2 handle all NAT
processing without doing anything?

Kind regards,
Gokhan Gumus
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] NAT Redundancy on Juniper routers

2011-01-10 Thread Alex

Hello Gokhan Gumus,
AFAIK this is not possible at the moment since flows are not shared between
MSDPCs even inside the same MX box, let alone different physical boxes.

So if R1 goes down then:
1/ TCP flows need to reestablish starting from 3-way handshake
2/ UDP flows with ALG need to reestablish starting from scratch (every ALG
has different procedures)
3/ non-ALG UDP flows _can_ continue as if nothing happened depending on
protocol, e.g. p2p UDP flows will resume from last xferred piece
4/ ICMP flows continue as if nothing happened

If you need physical-box-redundant NAT I'd suggest using an SRX cluster.
HTH
Rgds
Alex



Re: [j-nsp] NAT Redundancy on Juniper routers

2011-01-10 Thread Gökhan Gümüş
Hi Alex,

Thanks for the response.
So there is nothing I can do at this moment :(

Regards,
Gokhan



Re: [j-nsp] NAT Redundancy on Juniper routers

2011-01-10 Thread Alex
Actually, on second thought, I reckon you might be able to achieve physical-box
NAT redundancy using static NAT and IP-ALG but:
1/ it is not scalable (static NAT is 1:1)
2/ I never tried this myself :-)
Where port translation is involved, the sequence of events is as I described
below.
Rgds
Alex

  On Mon, Jan 10, 2011 at 1:43 PM, Alex alex.arsen...@gmail.com wrote:

  Hello Gokhan Gumus,
  AFAIK this is not possible at the moment since flows are not shared between
  MSDPCs even inside the same MX box, let alone different physical boxes.
  So if R1 goes down then:
  1/ TCP flows need to reestablish starting from 3-way handshake
  2/ UDP flows with ALG need to reestablish starting from scratch (every ALG
  has different procedures)
  3/ non-ALG UDP flows _can_ continue as if nothing happened depending on
  protocol, e.g. p2p UDP flows will resume from last xferred piece
  4/ ICMP flows continue as if nothing happened
  If you need physical-box-redundant NAT I'd suggest using an SRX cluster.
  HTH
  Rgds
  Alex



Re: [j-nsp] NAT Redundancy on Juniper routers

2011-01-10 Thread Gökhan Gümüş
Actually I am doing Static-NAT 1:1 :(

Rgds,
Gokhan


Re: [j-nsp] NAT Redundancy on Juniper routers

2011-01-10 Thread Alex
Then you are in a better position than I thought :-)
Just change your NAT rule(s) to include match on junos-ip ALG which skips L4 
checks like TCP 3WHS being complete, and test.
Let us know the test results please.
Rgds
Alex

Re: [j-nsp] NAT Redundancy on Juniper routers

2011-01-10 Thread Derick Winkworth
Keep in mind that if you haven't already done so, you will need to have both an 
'inside' and 'outside' rule for your NAT translation since the junos-ip ALG is 
unidirectional.
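
The rule change suggested in the thread (static 1:1 NAT matching the junos-ip ALG, with one rule per direction) could look like the sketch below. It is an added example, not configuration posted by anyone in the thread: the pool names, rule names and addresses are constructed, the match directions assume a next-hop-style service set, and the translation-type keywords are an assumption about the Junos release in use, since they differ between releases. The same rules would be loaded on both R1 and R2.

```junos
# Constructed example values:
#   10.0.0.10    = inside host (RFC 1918)
#   203.0.113.10 = its public 1:1 address (RFC 5737 documentation range)
set services nat pool PUBLIC-HOST address 203.0.113.10/32
set services nat pool INSIDE-HOST address 10.0.0.10/32

# 'Inside' rule: packets arriving from the inside host get their source
# address translated 1:1. Matching the junos-ip application means the
# rule matches at the IP layer, so a packet from the middle of a TCP
# session (no handshake seen by this box) is still translated.
set services nat rule STATIC-OUT match-direction input
set services nat rule STATIC-OUT term t1 from source-address 10.0.0.10/32
set services nat rule STATIC-OUT term t1 from applications junos-ip
set services nat rule STATIC-OUT term t1 then translated source-pool PUBLIC-HOST
set services nat rule STATIC-OUT term t1 then translated translation-type basic-nat44

# 'Outside' rule: the junos-ip ALG is unidirectional, so packets arriving
# for the public address need their own rule translating the destination
# back to the inside host.
set services nat rule STATIC-IN match-direction output
set services nat rule STATIC-IN term t1 from destination-address 203.0.113.10/32
set services nat rule STATIC-IN term t1 from applications junos-ip
set services nat rule STATIC-IN term t1 then translated destination-pool INSIDE-HOST
set services nat rule STATIC-IN term t1 then translated translation-type dnat-44
```

Because these terms no longer check L4 state, any per-port restriction for the translated host has to come from somewhere else, for example a stateless firewall filter on the facing interfaces.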





