Example: Dual MX Series (ECMP Based Consistent Hashing) and Scaled-Out SRX Series Firewalls (Multinode HA) for NAT and Stateful Firewall

In this configuration, you’ll learn to set up a dual MX Series with scaled-out SRX Series Firewalls in Multinode HA mode for NAT and stateful firewall services.

Overview

Table 1 lists the deployment components used in this example.

Table 1: Deployment Details
(columns: CSDS Component; Details)

  Forwarding Layer: MX304 with Junos OS Release 23.4R1 or later
  Services Layer: vSRX 3.0 with Junos OS Release 23.4R1 or later
  Redundancy: Dual MX Series in Active/Standby (SRD) for redundancy, with ECMP-based consistent hashing for load balancing; SRX Series Firewalls in Multinode HA (Active/Backup) with session synchronization
  Features: NAPT44 and stateful firewall (IPv4 support)
  Additional Component: Gateway router for the TRUST and UNTRUST networks. The example uses an MX Series router; you can use any device.
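The redundancy row above depends on ECMP-based consistent hashing at the MX Series to keep every client flow pinned to the same SRX Series next hop, which is what lets a stateful firewall or NAT node see both directions and every packet of a session. The Python model below is an added illustration, not Juniper code and not a reproduction of the MX Series implementation. It shows the property that matters operationally: when one next hop drops out of the ECMP set, consistent hashing moves only the flows that were on that next hop, while plain modulo hashing reshuffles most flows across the surviving nodes and tears down their sessions. The next-hop names (srx-pair1 to srx-pair4), the ring parameters and the sample flows are constructed assumptions, not values from this example.

```python
"""Model of ECMP-style flow distribution with consistent hashing.

Added illustration only; this is not Juniper code and does not reproduce the
MX Series implementation. It shows why consistent hashing matters in front of
stateful next hops: removing one next hop should move only the flows that
were on it, so sessions on the surviving SRX Series nodes stay intact.
Node names, ring parameters and the sample flows are constructed assumptions.
"""
import bisect
import hashlib
import ipaddress
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    """Five-tuple identifying one client flow."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def _h64(data: str) -> int:
    """Stable 64-bit hash (SHA-256 prefix) so results do not vary between runs."""
    return int.from_bytes(hashlib.sha256(data.encode()).digest()[:8], "big")


def _flow_key(flow: Flow) -> int:
    return _h64("|".join(map(str, flow)))


class ConsistentHashRing:
    """Hash ring with virtual nodes; a flow goes to the first ring point at or after its hash."""

    def __init__(self, nodes: List[str], vnodes: int = 64) -> None:
        ring = [(_h64(f"{node}#{i}"), node) for node in nodes for i in range(vnodes)]
        ring.sort()
        self._points = [p for p, _ in ring]
        self._owners = [n for _, n in ring]

    def lookup(self, flow: Flow) -> str:
        idx = bisect.bisect_right(self._points, _flow_key(flow)) % len(self._points)
        return self._owners[idx]


def modulo_lookup(flow: Flow, nodes: List[str]) -> str:
    """Naive alternative: flow hash modulo the number of next hops."""
    return nodes[_flow_key(flow) % len(nodes)]


def assign(flows: List[Flow], nodes: List[str], consistent: bool = True) -> Dict[Flow, str]:
    """Map every flow to a next hop with the chosen scheme."""
    if consistent:
        ring = ConsistentHashRing(nodes)
        return {f: ring.lookup(f) for f in flows}
    return {f: modulo_lookup(f, nodes) for f in flows}


def moved_flows(before: Dict[Flow, str], after: Dict[Flow, str]) -> Set[Flow]:
    """Flows whose next hop changed between two assignments."""
    return {f for f in before if before[f] != after[f]}


def sample_flows(count: int = 2000) -> List[Flow]:
    """Constructed sample: TCP flows from clients in 140.0.0.0/8 to servers in 100.1.1.0/24, port 70."""
    base = int(ipaddress.IPv4Address("140.0.0.1"))
    return [
        Flow(str(ipaddress.IPv4Address(base + i * 97)), f"100.1.1.{1 + i % 254}", 6, 10000 + i, 70)
        for i in range(count)
    ]


def failover_impact(nodes: List[str], failed: str, count: int = 2000,
                    consistent: bool = True) -> Dict[str, int]:
    """Count how many flows change next hop when `failed` leaves the ECMP set."""
    flows = sample_flows(count)
    before = assign(flows, nodes, consistent)
    after = assign(flows, [n for n in nodes if n != failed], consistent)
    moved = moved_flows(before, after)
    on_failed = {f for f in flows if before[f] == failed}
    return {
        "total": len(flows),
        "on_failed": len(on_failed),              # flows that had to move anyway
        "moved": len(moved),
        "moved_healthy": len(moved - on_failed),  # sessions on healthy nodes torn down needlessly
    }


if __name__ == "__main__":
    # Hypothetical next-hop names standing in for four scaled-out SRX Series MNHA pairs.
    hops = ["srx-pair1", "srx-pair2", "srx-pair3", "srx-pair4"]
    for scheme, flag in (("consistent hashing", True), ("modulo hashing", False)):
        print(scheme, failover_impact(hops, "srx-pair3", consistent=flag))
```

Running the script prints one summary per scheme; the figure to watch is moved_healthy, which is zero under consistent hashing and large under modulo hashing. Virtual nodes (64 per next hop here) smooth the share each next hop receives, and because the ring is built only from node names, two forwarding devices holding the same next-hop set compute the same mapping independently.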

Table 2 and Table 3 show the traffic flows through the Multinode HA pairs.

Table 2: Traffic Flows on MNHA Pair for NAT
(columns: Feature; Traffic Flow Component; IP Address and Port Number)

NAPT44 on SRX Series Firewalls for MNHA Pair 1 (SRX1-ACT1, SRX1-ACT2)
  Original source: data client, 140.0.0.0/8 and port 22279
  Original destination: Internet server, 100.1.1.0/24 and port 70
  After NAT source: 192.168.64.0/24 and port 2480
  After NAT destination: 100.1.1.0/24 and port 70

NAPT44 on SRX Series Firewalls for MNHA Pair 2 (SRX1-STA1, SRX1-STA2)
  Original source: data client, 140.0.0.0/8 and port 22279
  Original destination: Internet server, 100.1.1.0/24 and port 70
  After NAT source: 192.169.64.0/24 and port 2480
  After NAT destination: 100.1.1.0/24 and port 70

Table 3: Traffic Flows on MNHA Pair for Stateful Firewall Services
(columns: Feature; Traffic Flow Component; IP Address)

Stateful firewall services on SRX Series Firewalls for MNHA Pair 1 (SRX1-ACT1, SRX1-ACT2)
  Source: data client, 141.0.0.0/8
  Destination: Internet server, 100.1.1.0/24
  SRX Series with stateful firewall, source: 141.0.0.0/8
  SRX Series with stateful firewall, destination: 100.1.1.0/24

Stateful firewall services on SRX Series Firewalls for MNHA Pair 2 (SRX1-STA1, SRX1-STA2)
  Source: data client, 141.0.0.0/8
  Destination: Internet server, 100.1.1.0/24
  SRX Series with stateful firewall, source: 141.0.0.0/8
  SRX Series with stateful firewall, destination: 100.1.1.0/24

Topology Illustration

Figure 1: Dual MX Series (ECMP based Consistent Hashing) and Scaled-Out SRX Series Firewalls (MNHA) for NAT and Stateful Firewall Services
  Diagram description: SRX1-ACT1 and SRX2-ACT2 (active, NAT pool 192.168.64.0/18) connect to MX1, the active load balancer, in the TRUST VR. SRX1-STA1 and SRX2-STA2 (standby) connect to MX2 in the TRUST VR. The TRUST VR and UNTRUST VR routing instances carry internal and external traffic. The Trust GW fronts data clients 90.1.1.1 and 90.1.1.2; the Internet GW connects to the Internet server range 100.1.1.0/24. StatefulSync links provide SRX failover.

Figure 2: Dual MX Series (ECMP based Consistent Hashing) and Scaled-Out SRX Series Firewalls (MNHA) Stateful Synchronization Flow
  Diagram description: HA interconnections between SRX1-ACT1, SRX2-ACT2, SRX1-STA1 and SRX2-STA2 in their MNHA pairs, with MX1 active and MX2 standby as load balancers. The TRUST VR and UNTRUST VR segregate traffic between NAT clients (140.0.0.0/8 and 141.0.0.0/8) and the Internet server range 100.1.1.0/24.

Figure 3: Dual MX Series (ECMP based Consistent Hashing) and Scaled-Out SRX Series Firewalls (MNHA) NAT Traffic Flow
  Diagram description: primary and standby NAT traffic paths through the SRX firewalls and MX load balancers, across the TRUST and UNTRUST virtual routers.

Figure 4: Dual MX Series (ECMP based Consistent Hashing) and Scaled-Out SRX Series Firewalls (MNHA) Stateful Firewall Traffic Flow
  Diagram description: stateful firewall traffic paths through the SRX and MX Series devices, virtual routers, and redundant links.

Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

These configurations are captured from a lab environment and are provided for reference only. Actual configurations might vary based on the specific requirements of your environment.

The following sections cover the configuration components for this example:

  • Configure MX Series (active node)
  • Configure MX Series (standby node)
  • Configure the Gateway router
  • Configure MNHA Pair 1 (active node)
  • Configure MNHA Pair 1 (backup node)
  • Configure MNHA Pair 2 (active node)
  • Configure MNHA Pair 2 (backup node)
Configure MX Series (Active Node)
Configure MX Series (Standby Node)
Configure the Gateway Router
Configure MNHA Pair 1 (Active Node)
Configure MNHA Pair 1 (Backup Node)
Configure MNHA Pair 2 (Active Node)
Configure MNHA Pair 2 (Backup Node)

Verification

The following sections list the show commands used to verify the feature in this example.

  • Verify MX Series (active node) configuration
  • Verify MX Series (standby node) configuration
  • Verify the Gateway router configuration
  • Verify MNHA Pair 1 (active node) configuration
  • Verify MNHA Pair 1 (backup node) configuration
  • Verify MNHA Pair 2 (active node) configuration
  • Verify MNHA Pair 2 (backup node) configuration
Verify MX Series (Active Node) Configuration
Verify MX Series (Standby Node) Configuration
Verify Gateway Router Configuration
Verify MNHA Pair 1 (Active Node) Configuration
Verify MNHA Pair 1 (Backup Node) Configuration
Verify MNHA Pair 2 (Active Node) Configuration
Verify MNHA Pair 2 (Backup Node) Configuration