All packets undergo fast-path processing. However, if a session already exists for a packet, the packet undergoes fast-path processing only and bypasses the first-packet process. When there is already a session for the packet’s flow, the packet does not transit the central point.
Here is how fast-path processing works: NPUs at the egress and ingress interfaces contain session tables that include the identification of the SPU that manages a packet’s flow. Because the NPUs have this session information, all traffic for the flow, including reverse traffic, is sent directly to that SPU for processing.
To illustrate the fast-path process, this section uses an example with a source “a” and a destination “b”. The direction from source to destination for the packets of the flow is referred to as (a->b). The direction from destination to source is referred to as (b->a).
This section describes how a packet is handled when it arrives at a services gateway’s IOC.
Step 1: The NPU performs sanity checks and applies some screens, such as denial-of-service (DoS) screens, to the packet.
Example: Packet (a->b) arrives at NPU1. NPU1 performs sanity checks on the packet, applies DoS screens to it, and checks its session table for a tuple match. It finds a match, which tells it that a session exists for the packet on SPU1. NPU1 forwards the packet to SPU1 for processing.
Step 2: Most of a packet’s processing occurs on the SPU to which its session is assigned. The packet is processed for packet-based features such as stateless firewall filters, traffic shapers, and classifiers, if applicable. Configured flow-based security and related services, such as firewall features, NAT, ALGs, and so forth, are applied to the packet. (For information on how security services are determined for a session, see Zones and Policies.)
Example: SPU1 receives packet (a->b) from NPU1. It checks its session table to verify that the packet belongs to one of its sessions. Then it processes packet (a->b) according to the input filters and CoS features that apply to its input interface. The SPU applies the security features and services that are configured for the packet’s flow, based on its zone and policies. If any are configured, it applies output filters, traffic shapers, and additional screens to the packet.
Step 3: Example: SPU1 forwards packet (a->b) to NPU2, and NPU2 applies DoS screens.
Step 4: Example: The interface transmits packet (a->b) from the device.
Step 5: This step mirrors Step 1 exactly, in reverse. See Step 1 in this section for details.
Example: Packet (b->a) arrives at NPU2. NPU2 checks its session table for a tuple match. It finds a match, which tells it that a session exists for the packet on SPU1. NPU2 forwards the packet to SPU1 for processing.
Step 6: This step is the same as Step 2 except that it applies to reverse traffic. See Step 2 in this section for details.
Example: SPU1 receives packet (b->a) from NPU2. It checks its session table to verify that the packet belongs to the session identified by NPU2. Then it applies the packet-based features configured for NPU1’s interface to the packet. It processes packet (b->a) according to the security features and other services that are configured for its flow, based on its zone and policies. (See Zones and Policies.)
Step 7: This step is the same as Step 3 except that it applies to reverse traffic. See Step 3 in this section for details.
Example: SPU1 forwards packet (b->a) to NPU1. NPU1 processes any screens configured for the interface.
Step 8: This step is the same as Step 4 except that it applies to reverse traffic. See Step 4 in this section for details.
Example: The interface transmits packet (b->a) from the device.
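As an added example (not Juniper's code), here is a small Python model of the walk above: NPU session tables keyed by 5-tuple point both wings of a session at the owning SPU, so (a->b) arriving at NPU1 and (b->a) arriving at NPU2 both take the fast path, while a packet with no table entry on its ingress NPU is handed to the central point for first-packet processing. The names NPU1, NPU2 and SPU1 follow the text; the tuples and the central-point counter are constructed.

```python
def reverse(t):
    """Return the (b->a) wing of an (a->b) 5-tuple."""
    src, sport, dst, dport, proto = t
    return (dst, dport, src, sport, proto)


class Gateway:
    """Constructed model: two NPUs, one SPU, distributed session tables."""

    def __init__(self):
        self.npu_tables = {"NPU1": {}, "NPU2": {}}  # 5-tuple -> owning SPU
        self.spu_tables = {"SPU1": {}}              # 5-tuple -> egress NPU
        self.central_point = 0                      # first-packet dispatches

    def install_session(self, t, spu, ingress_npu, egress_npu):
        """Session setup: (a->b) on the ingress NPU, (b->a) on the egress NPU,
        both wings on the SPU so it can verify either direction."""
        self.npu_tables[ingress_npu][t] = spu
        self.npu_tables[egress_npu][reverse(t)] = spu
        self.spu_tables[spu][t] = egress_npu
        self.spu_tables[spu][reverse(t)] = ingress_npu

    def walk(self, t, ingress_npu, length=64):
        """Return the path a packet takes; a constructed length of 0 models a
        packet that fails the NPU sanity check."""
        path = []
        # Step 1 / 5: NPU sanity check and DoS screens, then tuple lookup.
        if length <= 0:
            return path + [f"{ingress_npu}:drop"]
        path.append(f"{ingress_npu}:screen")
        spu = self.npu_tables[ingress_npu].get(t)
        if spu is None:
            # No session on this NPU: first-packet path via the central point.
            self.central_point += 1
            return path + ["central-point:first-packet"]
        # Step 2 / 6: the SPU confirms the packet belongs to one of its sessions.
        egress = self.spu_tables[spu].get(t)
        if egress is None:
            return path + [f"{spu}:no-session:drop"]
        path.append(f"{spu}:process")
        # Step 3 / 7: egress NPU applies its screens; Step 4 / 8: transmit.
        path.append(f"{egress}:screen")
        return path + ["transmit"]
```

Note that the reverse tuple arriving at NPU1 rather than NPU2 finds no entry, which is exactly the case the central point exists for: the session is real, but that NPU has not been told about it.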
Figure 8 illustrates the process a packet undergoes when it reaches the services gateway and a session exists for the flow that the packet belongs to.
Figure 8: “Packet Walk” for Fast-Path Processing
