
Example: Dual MX Series (ECMP Based Consistent Hashing) and Scaled-Out SRX Series Firewalls (Multinode HA) for NAT and Stateful Firewall

In this configuration, you’ll learn to set up a dual MX Series with scaled-out SRX Series Firewalls in Multinode HA mode for NAT and stateful firewall services.

Overview

Table 1 shows the deployment components used in the example.

Table 1: Deployment Details

CSDS Component        Details
Forwarding Layer      MX304 with Junos OS Release 23.4R1 or later
Services Layer        vSRX 3.0 with Junos OS Release 23.4R1 or later
Redundancy            Dual MX Series in Active/Standby (SRD) for redundancy, with ECMP-based consistent hashing for load balancing.
                      SRX Series Firewalls in Multinode HA (Active/Backup) with session synchronization.
Features              NAPT44 and stateful firewall (IPv4 support)
Additional Component  Gateway router for the TRUST and UNTRUST networks. The example uses an MX Series router; you can use any device.

See Table 2 and Table 3 for traffic flow in Multinode HA pairs.

Table 2: Traffic Flows on MNHA Pair for NAT

Feature: NAPT44 on SRX Series Firewalls for MNHA Pair 1 (SRX1-ACT1, SRX1-ACT2)
  Traffic Flow Component                  IP Address and Port Number
  Original source (data client)           140.0.0.0/8, port 22279
  Original destination (Internet server)  100.1.1.0/24, port 70
  After NAT source                        192.168.64.0/24, port 2480
  After NAT destination                   100.1.1.0/24, port 70

Feature: NAPT44 on SRX Series Firewalls for MNHA Pair 2 (SRX1-STA1, SRX1-STA2)
  Traffic Flow Component                  IP Address and Port Number
  Original source (data client)           140.0.0.0/8, port 22279
  Original destination (Internet server)  100.1.1.0/24, port 70
  After NAT source                        192.169.64.0/24, port 2480
  After NAT destination                   100.1.1.0/24, port 70
Table 3: Traffic Flows on MNHA Pair for Stateful Firewall Services

Feature: Stateful firewall services on SRX Series Firewalls for MNHA Pair 1 (SRX1-ACT1, SRX1-ACT2)
  Traffic Flow Component                           IP Address
  Source (data client)                             141.0.0.0/8
  Destination (Internet server)                    100.1.1.0/24
  SRX Series with stateful firewall - Source       141.0.0.0/8
  SRX Series with stateful firewall - Destination  100.1.1.0/24

Feature: Stateful firewall services on SRX Series Firewalls for MNHA Pair 2 (SRX1-STA1, SRX1-STA2)
  Traffic Flow Component                           IP Address
  Source (data client)                             141.0.0.0/8
  Destination (Internet server)                    100.1.1.0/24
  SRX Series with stateful firewall - Source       141.0.0.0/8
  SRX Series with stateful firewall - Destination  100.1.1.0/24
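Table 1 relies on ECMP-based consistent hashing on the MX Series to keep each flow pinned to one MNHA pair, which matters because the pair holds the flow's NAT binding (Table 2) or firewall session (Table 3). The following added example, which is not part of this Juniper page and does not reproduce the MX Packet Forwarding Engine's actual hashing algorithm, models that behaviour with a generic hash ring: flows keyed on their five-tuple are assigned to pairs, a failed pair disturbs only its own flows, and scaling out from four to five pairs (more pairs than the two in this example) remaps roughly one fifth of flows, versus about four fifths under plain modulo hashing. The pair names, NAT pool mapping, sample client addresses and the 100/5-replica parameters are constructed for illustration.

```python
import hashlib
from bisect import bisect_right

# Constructed: NAT pool each pair uses, taken from Table 2 of the example.
NAT_POOL = {"MNHA-Pair-1": "192.168.64.0/24", "MNHA-Pair-2": "192.169.64.0/24"}


class ConsistentHashRing:
    """Illustrative hash ring (not the MX PFE algorithm). Each node owns
    `replicas` virtual points; a flow maps to the first point clockwise
    of its own hash, so adding or removing a node only moves the flows
    that fall on that node's points."""

    def __init__(self, nodes, replicas=100):
        self.replicas = replicas
        self.ring = {}     # hash point -> node name
        self.points = []   # sorted hash points
        for node in nodes:
            self.add_node(node)

    @staticmethod
    def _h(value: str) -> int:
        return int.from_bytes(hashlib.sha256(value.encode()).digest()[:8], "big")

    def add_node(self, node):
        for i in range(self.replicas):
            self.ring[self._h(f"{node}/{i}")] = node
        self.points = sorted(self.ring)

    def remove_node(self, node):
        self.ring = {p: n for p, n in self.ring.items() if n != node}
        self.points = sorted(self.ring)

    def lookup(self, key: str) -> str:
        if not self.points:
            raise RuntimeError("no service pairs available")
        idx = bisect_right(self.points, self._h(key)) % len(self.points)
        return self.ring[self.points[idx]]


def flow_key(src_ip, src_port, dst_ip, dst_port, proto="tcp"):
    """Five-tuple used as the hash key for the forward direction of a flow."""
    return f"{proto}:{src_ip}:{src_port}->{dst_ip}:{dst_port}"


def nat_pool_for(pair: str) -> str:
    """NAT source pool a flow receives once it is pinned to a pair."""
    return NAT_POOL[pair]


def modulo_select(nodes, key):
    """Naive alternative: hash modulo node count (no stickiness on change)."""
    return nodes[ConsistentHashRing._h(key) % len(nodes)]


def sample_flows(n=2000):
    """Constructed flows: clients in 140.0.0.0/8 to servers in 100.1.1.0/24."""
    flows = []
    for i in range(n):
        src = f"140.{(i >> 8) & 255}.{i & 255}.{(i * 7) % 254 + 1}"
        flows.append(flow_key(src, 20000 + (i % 40000), f"100.1.1.{i % 254 + 1}", 70))
    return flows


def moved_fraction(before, after):
    return sum(1 for k in before if before[k] != after[k]) / len(before)


def pair_failure_keeps_survivors(n_flows=500):
    """Number of flows that were on Pair 1 and got moved when Pair 2 failed.
    With a hash ring this is always 0: surviving sessions stay put."""
    flows = sample_flows(n_flows)
    ring = ConsistentHashRing(["MNHA-Pair-1", "MNHA-Pair-2"])
    before = {f: ring.lookup(f) for f in flows}
    ring.remove_node("MNHA-Pair-2")
    after = {f: ring.lookup(f) for f in flows}
    return sum(1 for f in flows if before[f] == "MNHA-Pair-1" and after[f] != "MNHA-Pair-1")


def compare_scale_out(n_flows=2000):
    """Fraction of flows remapped when a fifth pair is added: (ring, modulo)."""
    pairs = [f"MNHA-Pair-{i}" for i in range(1, 5)]
    flows = sample_flows(n_flows)
    ring = ConsistentHashRing(pairs)
    before_ring = {f: ring.lookup(f) for f in flows}
    before_mod = {f: modulo_select(pairs, f) for f in flows}
    ring.add_node("MNHA-Pair-5")
    grown = pairs + ["MNHA-Pair-5"]
    after_ring = {f: ring.lookup(f) for f in flows}
    after_mod = {f: modulo_select(grown, f) for f in flows}
    return moved_fraction(before_ring, after_ring), moved_fraction(before_mod, after_mod)


if __name__ == "__main__":
    ring = ConsistentHashRing(["MNHA-Pair-1", "MNHA-Pair-2"])
    k = flow_key("140.0.0.1", 22279, "100.1.1.1", 70)
    print(k, "->", ring.lookup(k), "NAT pool", nat_pool_for(ring.lookup(k)))
    print("flows disturbed on surviving pair:", pair_failure_keeps_survivors())
    print("remapped on scale-out (ring, modulo):", compare_scale_out())
```

The property to take from this: with consistent hashing, a pair failure or scale-out event only disturbs flows that must move anyway, so the sessions and NAT bindings synchronized inside each MNHA pair keep serving their existing flows; a modulo scheme would send most established flows to a pair that has no state for them and they would be dropped.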

Topology Illustration

Figure 1: Dual MX Series (ECMP-based Consistent Hashing) and Scaled-Out SRX Series Firewalls (MNHA) for NAT and Stateful Firewall Services
Figure 2: Dual MX Series (ECMP-based Consistent Hashing) and Scaled-Out SRX Series Firewalls (MNHA) Stateful Synchronization Flow
Figure 3: Dual MX Series (ECMP-based Consistent Hashing) and Scaled-Out SRX Series Firewalls (MNHA) NAT Traffic Flow
Figure 4: Dual MX Series (ECMP-based Consistent Hashing) and Scaled-Out SRX Series Firewalls (MNHA) Stateful Firewall Traffic Flow

Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

These configurations are captured from a lab environment and are provided for reference only. Actual configurations might vary based on the specific requirements of your environment.

The configuration for this example consists of the following components:

  • Configure MX Series (active node)
  • Configure MX Series (standby node)
  • Configure the Gateway router
  • Configure MNHA Pair 1 (active node)
  • Configure MNHA Pair 1 (backup node)
  • Configure MNHA Pair 2 (active node)
  • Configure MNHA Pair 2 (backup node)
Configure MX Series (Active Node)
Configure MX Series (Standby Node)
Configuration on Gateway Router
Configure MNHA Pair 1 (Active Node)
Configure MNHA Pair 1 (Backup Node)
Configure MNHA Pair 2 (Active Node)
Configure MNHA Pair 2 (Backup Node)

Verification

The following show commands verify the feature in this example.

  • Verify MX Series (active node) configuration
  • Verify MX Series (standby node) configuration
  • Verify the Gateway router configuration
  • Verify MNHA Pair 1 (active node) configuration
  • Verify MNHA Pair 1 (backup node) configuration
  • Verify MNHA Pair 2 (active node) configuration
  • Verify MNHA Pair 2 (backup node) configuration
Verify MX Series (Active Node) Configuration
Verify MX Series (Standby Node) Configuration
Verify Gateway Router Configuration
Verify MNHA Pair 1 (Active Node) Configuration
Verify MNHA Pair 1 (Backup Node) Configuration
Verify MNHA Pair 2 (Active Node) Configuration
Verify MNHA Pair 2 (Standby Node) Configuration