Stateful Firewall Traffic Flow in Single MX Series (ECMP Based Consistent Hashing) and Scaled-Out SRX Series Firewalls (Standalone)
In this topic, you see how stateful firewall traffic flows through a single MX Series router that uses ECMP based Consistent Hashing load balancing with standalone SRX Series Firewalls.
In this topology, you must:
- Configure a single MX Series with two interfaces for the TRUST and UNTRUST routing instances.
- Configure eBGP/BFD on each interface.
- Configure the load balancing policy with source hash for route 0/0 in the forwarding table.
- Configure the load balancing policy with destination hash for client prefixes routes in the forwarding table.
Figure 1 illustrates the step-by-step traffic flow.
Figure 1: Stateful Firewall Traffic Flow with Single MX Series (ECMP based Consistent Hashing) and Scaled-Out SRX Series Firewalls (Standalone)
The MX Series is a single router configured with multiple logical interfaces towards the scaled-out SRX Series Firewalls in both the TRUST and UNTRUST VR directions.
- The SRX Series Firewalls receive the 0/0 route on the UNTRUST side and advertise it using eBGP to the MX Series on the TRUST side. The MX Series imports these routes on the TRUST side using the ECMP based Consistent Hashing policy.
- The SRX Series Firewalls receive the client prefix routes on the TRUST side and advertise them using eBGP to the MX Series on the UNTRUST side. The MX Series imports these routes on the UNTRUST side using the ECMP based Consistent Hashing policy.
- The MX Series TRUST side has ECMP routes for the 0/0 route, and the UNTRUST side has ECMP routes for the client prefix routes.
- The forward traffic flow, from client to server, reaches the MX Series router on the TRUST instance, matches the 0/0 route, and takes one of the ECMP next-hops to an SRX Series Firewall based on the source IP address hash value.
- The SRX Series Firewall creates a stateful firewall flow session and routes the packet to the MX Series in the UNTRUST direction towards the server.
- The reverse traffic flow, from server to client, reaches the MX Series on the UNTRUST instance, matches the client prefix route, and takes the same ECMP next-hop based on the hash value calculated from the destination IP address.
- The source and destination IP addresses of the stateful firewall session do not change. The calculated hash value therefore remains the same and selects the same ECMP next-hop SRX Series Firewall for the forward and reverse flows. This ensures that symmetry is maintained in the SRX Series Firewalls.
- When an SRX Series Firewall is down, Consistent Hashing on the MX Series router ensures that the sessions on the other SRX Series Firewalls are not disturbed and only the sessions on the impacted SRX Series Firewall are redistributed. The applications might still restart those sessions, because the firewalls are deployed in standalone mode.
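The two properties this design relies on, symmetric next-hop selection (source hash on the TRUST side, destination hash on the UNTRUST side) and minimal disruption when one SRX goes down, can be checked in a small model. The following is an added example, not Junos code: it assumes a rendezvous-style consistent hash and constructed next-hop and client addresses, and it does not claim to reproduce the hash function the MX Series actually uses.

```python
import hashlib
import ipaddress

# Constructed SRX next-hop addresses for illustration (hypothetical, not from the page).
SRX_NEXT_HOPS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]


def _weight(key: str, next_hop: str) -> int:
    """Deterministic per-(key, next-hop) weight used by rendezvous hashing."""
    digest = hashlib.sha256(f"{key}|{next_hop}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def pick_next_hop(hash_key: str, next_hops: list[str]) -> str:
    """Consistent-hash selection: the next-hop with the highest weight for this key.

    Each (key, next-hop) weight is independent of the other members, so removing
    one next-hop only moves the keys that had selected that next-hop.
    """
    if not next_hops:
        raise ValueError("no SRX next-hops available")
    return max(next_hops, key=lambda nh: _weight(hash_key, nh))


def forward_next_hop(src_ip: str, dst_ip: str, next_hops: list[str]) -> str:
    """TRUST side: route 0/0 is load-balanced on the source (client) address only."""
    return pick_next_hop(str(ipaddress.ip_address(src_ip)), next_hops)


def reverse_next_hop(src_ip: str, dst_ip: str, next_hops: list[str]) -> str:
    """UNTRUST side: the client prefix route is load-balanced on the destination
    address, which in the server-to-client direction is the same client address."""
    return pick_next_hop(str(ipaddress.ip_address(dst_ip)), next_hops)


def is_symmetric(client_ip: str, server_ip: str, next_hops: list[str]) -> bool:
    """Both directions of one session must land on the same SRX."""
    return (forward_next_hop(client_ip, server_ip, next_hops)
            == reverse_next_hop(server_ip, client_ip, next_hops))


def remap_on_failure(clients, server_ip, failed, next_hops):
    """Clients whose selected SRX changes when `failed` goes down: {client: (before, after)}."""
    survivors = [nh for nh in next_hops if nh != failed]
    moved = {}
    for client in clients:
        before = forward_next_hop(client, server_ip, next_hops)
        after = forward_next_hop(client, server_ip, survivors)
        if before != after:
            moved[client] = (before, after)
    return moved
```

Running `remap_on_failure` over a set of client addresses shows that only clients whose session was on the failed SRX change next-hop, which is the behaviour the last bullet describes.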