Understanding the Data Path for J Series Services Routers

Figure 8 shows the path of a data packet as it traverses the services router. Refer to Figure 6 to see how the flow module in Figure 8 fits in with the Junos operating system (Junos OS) architecture of the software.

As a packet transits the router, it takes the following path. This packet walk brings together the packet-based processing and flow-based processing that Junos OS performs on the packet.

• Understanding the Forwarding Processing
• Understanding the Session-Based Processing
• Understanding Forwarding Features

Understanding the Forwarding Processing

Junos OS performs forwarding processing as follows:

1. The packet enters the system and is treated on a per-packet basis.
2. The system applies stateless policing filters and class-of-service (CoS) classification to the packet.

   For details, see the Junos OS Routing Protocols and Policies Configuration Guide for Security Devices, the Junos OS Class of Service Configuration Guide for Security Devices, and the Junos OS CLI Reference.

Understanding the Session-Based Processing

After forwarding processing, Junos OS performs session lookup and either first-packet processing or fast-path processing on the packet.

Session Lookup

If the packet has not already been dropped, Junos OS performs session lookup to determine whether the packet belongs to an existing session. The system uses six match criteria to perform the session lookup:

• Session token
• Source and destination IP addresses
• Source and destination ports
• Protocol

If the packet does not match an existing session, the system creates a new session for it. This process is called the first-packet path. (See First-Packet Path Processing.)

If the packet matches a session, fast-path processing is performed. (See Fast-Path Processing.)

First-Packet Path Processing

If a packet does not match an existing session, Junos OS creates a new session for it as follows:

1. For the first packet, the system creates a session based on the routing for the packet and the policy lookup so that the packet becomes the first packet of a flow.
2. Depending on the protocol and whether the service is TCP or UDP, the session is programmed with a timeout value.
   • For TCP, the default timeout is 1800 seconds.
   • For UDP, the default timeout is 60 seconds.

   You can configure these timeouts to be more or less aggressive. If you have changed the session timeout value, the new value is applied here. If no traffic uses the session during the service timeout period, the router ages out the session and releases its memory for reuse.

3. Firewall screens are applied.

   Session initialization screens are applied.

4. Route lookup is performed.
5. The destination zone is determined:
   1. The system determines a packet's incoming zone by the interface through which it arrives.
   2. The system determines a packet's outgoing zone by route lookup.

   Together they determine which policy is applied to the packet.

6. Policy lookup is performed.

   The system checks the packet against policies you have defined to determine how the packet is to be treated.

7. If Network Address Translation (NAT) is used, the system performs address allocation.
8. The system sets up the Application Layer Gateway (ALG) service vector.
9. The system creates and installs the session.

   Decisions made for the first packet of a flow are cached in a flow table for use with following related flows.

   For example, the system determines asymmetric traffic by doing a reverse route lookup on the packet. If the first packet of a flow has ingressed on an interface for a zone, then the reply traffic for this flow needs to egress out of the same interface on which the first packet ingressed; otherwise, the traffic is considered asymmetric and will be dropped.

10. Fast-path processing is applied to the packet.

Fast-Path Processing

If a packet matches a session, Junos OS performs fast-path processing as follows:

1. Configured screens are applied.
2. TCP checks are performed.
3. NAT is applied.
4. Forwarding features are applied. See Understanding Forwarding Features.

Understanding Forwarding Features

After the packet has passed through session-based processing, Junos OS prepares the packet and transmits it as follows:

1. Routing packet filters are applied.
2. Traffic shaping is applied.
3. The packet is transmitted.

For information about packet filters and CoS traffic shaping, see the Junos OS Class of Service Configuration Guide for Security Devices.

Related Topics

• Junos OS Feature Support Reference for SRX Series and J Series Devices
• Understanding Stateful and Stateless Data Processing for J Series Services Routers
• NAT Overview
• Security Policies Overview
• ALG Overview