Stateful Firewall Traffic Flow in a Single MX Series Router (ECMP-Based Consistent Hashing) and Scaled-Out SRX Series Firewalls (Standalone)
In this topic, you’ll see how stateful firewall traffic flows through a single MX Series router that uses ECMP-based Consistent Hashing load balancing with standalone SRX Series Firewalls.
See Figure 1 for the topology. In this topology, you must:
- Configure a single MX Series router with two interfaces for the TRUST and UNTRUST routing instances.
- Configure external BGP (EBGP) or Bidirectional Forwarding Detection (BFD) on each interface.
- Configure the load balancing policy with source hash for route 0/0 in the forwarding table.
- Configure the load balancing policy with destination hash for client prefix routes in the forwarding table.
Figure 1 illustrates the step-by-step traffic flow.
Figure 1: Stateful Firewall Traffic Flow with Single MX Series Router (ECMP-Based Consistent Hashing) and Scaled-Out SRX Series Firewalls (Standalone)
The MX Series router is a single device configured with multiple logical interfaces toward the scaled-out SRX Series Firewalls in both the TRUST and UNTRUST VR directions.
- The SRX Series Firewalls receive the 0/0 route on the UNTRUST side and advertise using EBGP to the MX Series router on the TRUST side. The MX Series router imports these routes on the TRUST side using the ECMP-based Consistent Hashing policy.
- The SRX Series Firewalls receive the client prefix route on the TRUST side and advertise using EBGP to the MX Series router on the UNTRUST side. The MX Series router imports these routes on the UNTRUST side using the ECMP-based Consistent Hashing policy.
- The MX Series router on the TRUST side has the ECMP routes for the 0/0 route, and the UNTRUST side has ECMP routes for the client prefix routes.
- The forward traffic flow, from client to server, reaches the MX Series router on the TRUST instance, matches the 0/0 route, and takes one of the ECMP next hops to an SRX Series Firewall based on the hash of the source IP address.
- The SRX Series Firewall creates a stateful firewall flow session and routes the packet to the MX Series router in the UNTRUST direction, towards the server.
- The reverse traffic flow, from server to client, reaches the MX Series router on the UNTRUST instance, matches the client prefix route, and takes the same ECMP next hop based on the hash calculated from the destination IP address.
- The source and destination IP addresses of the stateful firewall session don't change. The calculated hash value therefore remains the same, and the forward and reverse flows take the same ECMP next hop (the same SRX Series Firewall). This ensures that flow symmetry is maintained on the SRX Series Firewalls.
- When an SRX Series Firewall goes down, Consistent Hashing on the MX Series router ensures that sessions on the other SRX Series Firewalls are not disturbed; only sessions on the impacted SRX Series Firewall are redistributed. However, applications might have to restart those sessions, because the firewalls are deployed in standalone mode and no session state is shared between them.
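The following is an added model of the two properties the list above relies on, written for this topic and not taken from Junos or any Juniper code: a hash-ring implementation of consistent hashing over hypothetical SRX next-hop addresses, with the TRUST side keyed on the source IP (route 0/0) and the UNTRUST side keyed on the destination IP (client prefix routes). The next-hop and client addresses are constructed sample values; the ring details do not reproduce the MX Series router's internal algorithm, only its flow-symmetry and minimal-redistribution behaviour.

```python
import hashlib
from bisect import bisect

# Constructed sample next hops (one per standalone SRX Series Firewall).
SRX_NEXT_HOPS = ["10.0.1.1", "10.0.1.2", "10.0.1.3", "10.0.1.4"]
# Constructed sample client addresses behind the TRUST side.
CLIENTS = [f"192.0.2.{i}" for i in range(1, 201)]
VNODES = 64  # virtual ring points per next hop (hypothetical model parameter)

def _h(value: str) -> int:
    """Deterministic 32-bit hash of a string (SHA-256 prefix)."""
    return int(hashlib.sha256(value.encode()).hexdigest()[:8], 16)

class ConsistentHashEcmp:
    """Hash-ring model of ECMP-based consistent hashing: a flow key maps to the
    first ring point at or after its hash, so removing one next hop only
    remaps the keys that were mapped to that next hop."""
    def __init__(self, next_hops):
        self.ring = sorted((_h(f"{nh}#{i}"), nh)
                           for nh in next_hops for i in range(VNODES))
        self.points = [p for p, _ in self.ring]

    def next_hop(self, key: str) -> str:
        idx = bisect(self.points, _h(key)) % len(self.points)
        return self.ring[idx][1]

    def remove(self, nh: str):
        """Simulate an SRX going down: drop its ring points only."""
        self.ring = [(p, n) for p, n in self.ring if n != nh]
        self.points = [p for p, _ in self.ring]

def forward_next_hop(ecmp, src_ip, dst_ip):
    """TRUST side: route 0/0 with a source-hash load-balancing policy."""
    return ecmp.next_hop(src_ip)

def reverse_next_hop(ecmp, src_ip, dst_ip):
    """UNTRUST side: client prefix routes with a destination-hash policy.
    In the reverse packet the client address is now the destination."""
    return ecmp.next_hop(dst_ip)

def session_is_symmetric(ecmp, client_ip, server_ip) -> bool:
    """Both directions of one session must select the same SRX."""
    return (forward_next_hop(ecmp, client_ip, server_ip)
            == reverse_next_hop(ecmp, server_ip, client_ip))

def failover_impact(clients, failed_nh):
    """Return (sessions that were on the failed SRX, sessions on other
    SRXs that changed next hop) after the failed SRX is removed."""
    before, after = ConsistentHashEcmp(SRX_NEXT_HOPS), ConsistentHashEcmp(SRX_NEXT_HOPS)
    after.remove(failed_nh)
    on_failed = sum(1 for c in clients if before.next_hop(c) == failed_nh)
    moved_elsewhere = sum(1 for c in clients if before.next_hop(c) != failed_nh
                          and before.next_hop(c) != after.next_hop(c))
    return on_failed, moved_elsewhere
```

Only the sessions counted in the first value are redistributed; because the SRX Series Firewalls are standalone, those sessions have no state on the new firewall and the applications must re-establish them.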