Results Summary and Analysis
All test results are summarized in separate documents that detail each aspect of the testing. This JVD shows that a scale-out design can make use of key functions on both the MX Series Router and the SRX Series Firewall, each in its intended role:
- The MX Series Router acts as the load balancer, with two options validated: ECMP consistent hashing (CHASH) and Traffic Load Balancer (TLB).
- The SRX Series Firewall provides the security service, with straightforward integration with the MX Series Router.
- Physical SRX Series Firewalls and virtual SRX firewalls (vSRX) are used in the same way.
- Simple network integration using BGP and BFD keeps convergence time low.
- Although no scale testing was performed, the ease of adding a new service node shows that this architecture can grow in several dimensions (performance, capacity, and so on) simply by adding service nodes, without disrupting the overall service.
ECMP consistent hashing has shown steady restoration times in the millisecond range.
TLB is used mainly on MX Series Router platforms, and it also works on MX Series Router models that were not tested here, where TLB runs its control function either on the Routing Engine (as on the MX304) or on a service card (for example, the MS-MPC on the MX240). TLB has been available in Junos since Junos OS Release 18.1R1, when the BGP multipath function was added. This tie-in with BGP makes it a good fit for service providers, who commonly run BGP both internally and externally.
The TLB use case works with restoration timers and offers flexibility in deployment options (that is, single or dual MX Series Routers), as well as better handling of SRX Series Firewalls in a Multinode High Availability (MNHA) cluster.
The SRX Series Firewall features used in this JVD focus on stateful firewall (SFW) and source NAT (SNAT); higher-layer security features were not exercised. Because the scale-out architecture handles both standalone SRX Series Firewalls and SRX Series Firewall clusters, distributing traffic evenly across multiple SRX Series Firewalls without disruption, the SRX Layer 7 security services can easily be added on top of this design.
Note that with ECMP, all SRX Series Firewalls must be the same model, whereas with TLB they need not be identical; for example, some SRX Series Firewalls can sit in an SFW group and others in an SNAT group. The number of TLB groups is around 2,000 per MX Series Router, and the number of SRX Series Firewall members is around 256.
The scale-out solution is an alternative to the monolithic scale-up approach, which relies on a chassis-based SRX Series Firewall or on security services running on MX240/480/960 routers with MX-SPC3 service cards, each as an independent system. Nothing, however, prevents an architecture from combining both, adding new services through scale-out while still using the capacity of those existing platforms. Upcoming smaller platforms such as the MX304 and SRX4700 may enable smaller-footprint versions of this architecture.
On the management side, automation was used to build and test the solution across the various use cases and tests; in short, scripts drive Junos through NETCONF. A large body of such scripting already exists in the field (and in Juniper's automation repositories, for example on GitHub) using Ansible, Terraform, Python, Junos PyEZ (the Python library for Junos), and similar tools. Advanced users also script Junos directly through its APIs to integrate with an existing management framework.
Security Director (on-premises or cloud) plays an important role in pushing common configuration to the security service layer (security policies, address objects, NAT pools, and so on). It also provides visibility into the security events and logs generated by each SRX Series Firewall.
Junos integration with BGP (peering between the MX Series Router and the SRX Series Firewall, with suitable BFD timers) creates a matched environment in which the Juniper components work together seamlessly. The redundancy of each router and security node keeps traffic flowing steadily while new capacity is added in a simple way. Similar configuration statements on the routing side (MX Series Router) and the security side (SRX Series Firewall) make the solution simple and consistent to manage.
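As an added illustration, not configuration taken from the JVD itself, the following Junos fragments show the BGP and BFD peering described above on both sides, together with the consistent-hash load-balancing policy used for the ECMP option. All addresses, AS numbers, group and zone names, interface names and timer values are assumed for the example; the BFD timers in particular should be set to match the restoration target measured in the tests.

```junos
/* MX Series Router side (hypothetical addresses, AS numbers and timers) */
protocols {
    bgp {
        group srx-scaleout {
            type external;
            local-as 65000;
            peer-as 65001;
            /* multipath installs every SRX that advertises the service route as an ECMP next hop */
            multipath;
            /* BFD declares an SRX member down after minimum-interval x multiplier (here 900 ms) */
            bfd-liveness-detection {
                minimum-interval 300;
                multiplier 3;
            }
            neighbor 10.10.0.11;
            neighbor 10.10.0.12;
        }
    }
}
policy-options {
    policy-statement ecmp-chash {
        /* consistent hashing keeps flows on the surviving members pinned when one member leaves */
        then {
            load-balance consistent-hash;
        }
    }
}
routing-options {
    forwarding-table {
        export ecmp-chash;
    }
}

/* SRX Series Firewall side: the same BGP and BFD statements, mirrored */
protocols {
    bgp {
        group mx-scaleout {
            type external;
            local-as 65001;
            peer-as 65000;
            bfd-liveness-detection {
                minimum-interval 300;
                multiplier 3;
            }
            neighbor 10.10.0.1;
        }
    }
}
security {
    zones {
        security-zone mx-facing {
            /* without bfd in host-inbound-traffic the BGP session comes up but the BFD session never does */
            host-inbound-traffic {
                protocols {
                    bgp;
                    bfd;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
```

After committing on both devices, `show bfd session` and `show bgp summary` on the MX should list every SRX member as Up, and `show route` for the service prefix should show each SRX as an equal-cost next hop. With ECMP, only members advertising the same route with equal attributes share the load, which is why the ECMP option requires identical SRX models; the TLB option distributes across its own member groups instead and is configured separately from the routing policy shown here.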