NAT Traffic Flow in Single MX Series (ECMP Based Consistent Hashing) and Scaled-Out SRX Series Firewalls (Standalone)

In this topic, you'll see how NAT traffic flows through a single MX Series router that uses ECMP-based Consistent Hashing load balancing towards standalone SRX Series Firewalls.

In this topology, you must:

  • Configure a single MX Series with two interfaces for the TRUST and UNTRUST routing instances.
  • Configure eBGP/BFD on each interface.
  • Configure the load-balancing policy with source-address hashing for the 0/0 route in the forwarding table.
  • Configure a unique NAT pool IP address range for each SRX Series Firewall.

Figure 1 illustrates the step-by-step traffic flow.

Figure 1: NAT Traffic Flow with Single MX Series (ECMP based Consistent Hashing) and Scaled-Out SRX Series Firewalls (Standalone)

The MX Series is a single router configured with multiple logical interfaces towards the scaled-out SRX Series Firewalls in both the TRUST and UNTRUST VR directions.

  1. The SRX Series Firewalls receive the 0/0 route on the UNTRUST side and advertise it using eBGP to the MX Series on the TRUST side. The MX Series imports these routes on the TRUST side using the ECMP based Consistent Hashing policy.
  2. The SRX Series Firewalls receive the client prefix route on the TRUST side and advertise their NAT pool route prefix using eBGP to the MX Series on the UNTRUST side.
  3. The MX Series TRUST side has ECMP routes for the 0/0 route, and the UNTRUST side has a unique route for each NAT pool route prefix.
  4. The forward traffic flow from client to server reaches the MX Series router on the TRUST instance, matches the 0/0 route, and takes one of the ECMP next hops to an SRX Series Firewall based on the hash value of the source IP address.
  5. The SRX Series Firewall creates a NAT flow session and routes the packet to the MX Series in the UNTRUST direction towards the server.
  6. The reverse traffic flow from server to client reaches the MX Series on the UNTRUST instance, matches the unique NAT pool prefix route, and is forwarded to the same SRX Series Firewall where the forward flow is anchored. This ensures that symmetry is maintained in the SRX Series Firewalls.
  7. When an SRX Series Firewall is down, Consistent Hashing on the MX Series router ensures that the sessions on the other SRX Series Firewalls are not disturbed and only the sessions on the impacted SRX Series Firewall are redistributed. The redistributed sessions get an IP address from a different NAT pool for source NAT, and hence the application restarts its TCP/UDP session.
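The following Python model is an added example, not Juniper code or configuration, and it illustrates steps 4 through 7 above. It replaces the MX Series source-hash next-hop selection with a SHA-256 based hash ring (an assumption about the mechanism, not a description of the Junos implementation), gives each of three constructed SRX Series Firewalls (srx1, srx2, srx3) a unique constructed NAT pool prefix, and then checks two properties a practitioner would want to verify in such a design: that the reverse flow, looked up by NAT pool prefix on the UNTRUST side, always lands on the SRX that anchored the forward flow, and that removing one SRX redistributes only the sessions that were anchored on it, each of which then sources NAT from a different pool. For comparison it also counts how many sessions a plain modulo hash would move.

```python
import bisect
import hashlib
import ipaddress
from typing import Dict, List

# Constructed topology (not from the page): three standalone SRX Series
# Firewalls, each advertising its own unique NAT pool prefix on the UNTRUST side.
NAT_POOLS: Dict[str, ipaddress.IPv4Network] = {
    "srx1": ipaddress.ip_network("203.0.113.0/26"),
    "srx2": ipaddress.ip_network("203.0.113.64/26"),
    "srx3": ipaddress.ip_network("203.0.113.128/26"),
}


def _h(key: str) -> int:
    """64-bit hash of a string; stands in for the MX hash function (assumption)."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


class ConsistentHashRing:
    """Source-IP hash ring with virtual nodes, modelling the 0/0 ECMP next-hop choice."""

    def __init__(self, members: List[str], replicas: int = 128) -> None:
        self.replicas = replicas
        self._points: List[int] = []      # sorted ring positions
        self._owner: Dict[int, str] = {}  # ring position -> SRX name
        for m in members:
            self.add(m)

    def add(self, member: str) -> None:
        for i in range(self.replicas):
            p = _h(f"{member}#{i}")
            bisect.insort(self._points, p)
            self._owner[p] = member

    def remove(self, member: str) -> None:
        # Removing a member frees only its own ring positions; every other
        # position keeps its owner, which is what limits session disruption.
        for i in range(self.replicas):
            p = _h(f"{member}#{i}")
            idx = bisect.bisect_left(self._points, p)
            if idx < len(self._points) and self._points[idx] == p:
                del self._points[idx]
            self._owner.pop(p, None)

    def next_hop(self, src_ip: str) -> str:
        """TRUST side: the first ring position after hash(src) owns the flow."""
        idx = bisect.bisect_right(self._points, _h(src_ip))
        if idx == len(self._points):
            idx = 0
        return self._owner[self._points[idx]]


def nat_address(srx: str, src_ip: str) -> ipaddress.IPv4Address:
    """The SRX picks a source-NAT address from its own pool (toy deterministic allocation)."""
    pool = NAT_POOLS[srx]
    return pool.network_address + (_h(src_ip) % pool.num_addresses)


def reverse_next_hop(nat_ip: ipaddress.IPv4Address) -> str:
    """UNTRUST side: each NAT pool prefix route is unique, so it names exactly one SRX."""
    for srx, pool in NAT_POOLS.items():
        if nat_ip in pool:
            return srx
    raise LookupError(f"{nat_ip} is not in any advertised NAT pool")


def sample_clients(n: int = 1000) -> List[str]:
    """Constructed client addresses starting at 10.0.0.0 (not from the page)."""
    base = int(ipaddress.ip_address("10.0.0.0"))
    return [str(ipaddress.ip_address(base + i)) for i in range(n)]


def forward_reverse_symmetric(clients: List[str]) -> bool:
    """Steps 4-6: the reverse flow must reach the SRX that created the session."""
    ring = ConsistentHashRing(list(NAT_POOLS))
    return all(
        reverse_next_hop(nat_address(ring.next_hop(c), c)) == ring.next_hop(c)
        for c in clients
    )


def failure_report(clients: List[str], failed: str) -> Dict[str, object]:
    """Step 7: take one SRX down and measure which sessions were redistributed."""
    ring = ConsistentHashRing(list(NAT_POOLS))
    before = {c: ring.next_hop(c) for c in clients}
    ring.remove(failed)
    after = {c: ring.next_hop(c) for c in clients}
    moved = [c for c in clients if before[c] != after[c]]
    # Plain modulo ECMP hashing renumbers next hops when the member count
    # changes, so sessions on healthy SRXs move as well.
    members = list(NAT_POOLS)
    survivors = [m for m in members if m != failed]
    modulo_moved = sum(
        1 for c in clients
        if members[_h(c) % len(members)] != survivors[_h(c) % len(survivors)]
    )
    return {
        "sessions_on_failed": sum(1 for c in clients if before[c] == failed),
        "redistributed_consistent": len(moved),
        "redistributed_modulo": modulo_moved,
        # Every moved session was anchored on the failed SRX ...
        "only_impacted_redistributed": all(before[c] == failed for c in moved),
        # ... and now sources NAT from a different pool, so its session restarts.
        "all_moved_change_nat_pool": all(
            nat_address(after[c], c) not in NAT_POOLS[before[c]] for c in moved
        ),
    }


if __name__ == "__main__":
    print("symmetric:", forward_reverse_symmetric(sample_clients()))
    print(failure_report(sample_clients(), "srx2"))
```

Running the module prints the symmetry check and the failure report for taking srx2 down. The report shows why the design pairs a unique NAT pool per firewall with consistent hashing: the unique pool prefix makes the UNTRUST-side lookup deterministic without any shared session state between the firewalls, and the ring keeps the number of redistributed sessions equal to the number that were on the failed firewall, whereas the modulo comparison moves sessions from healthy firewalls too.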