Datasheet
Session-Based Forwarding Without the Performance Hit

In order to optimize the throughput and latency of the combined router and firewall, Junos OS implements session-based forwarding, an innovation that combines the session state information of a traditional firewall and the next-hop forwarding of a classic router into a single operation. With Junos OS, a session that is permitted by the forwarding policy is added to the forwarding table along with a pointer to the next-hop route. Established sessions need a single table lookup to verify that the session has been permitted and to find the next hop. This efficient algorithm improves throughput and lowers latency for session traffic when compared with a classic router that performs multiple table lookups to verify session information and then to find a next-hop route.

Figure 3 shows the session-based forwarding algorithm. When a new session is established, the session-based architecture within Junos OS verifies that the session is allowed by the forwarding policies. If the session is allowed, Junos OS looks up the next-hop route in the routing table. It then inserts the session and the next-hop route into the session and forwarding table and forwards the packet. Subsequent packets for the established session require a single lookup in the session and forwarding table and are forwarded to the egress interface.

When SRX Series Services Gateways for the branch are configured as an active/active HA pair, traffic and configuration are mirrored automatically to provide active firewall and VPN session maintenance in case of a failure. The branch SRX Series synchronizes both configuration and runtime information. As a result, the following information is synchronized and remains available during failover: connection/session state and flow information, IPsec security associations, Network Address Translation (NAT) traffic, address book information, configuration changes, and more. With typical router active/standby resiliency protocols such as Virtual Router Redundancy Protocol (VRRP), by contrast, all dynamic flow and session information is lost and must be reestablished in the event of a failover, and some or all network sessions have to restart depending on the convergence time of the links or nodes. By maintaining state, not only is the session preserved, but security is kept intact. In an unstable network, this active/active configuration also mitigates the effect of link flapping on session performance.
[Figure 3: Session-based forwarding algorithm. Stages shown: ingress interface; session initial packet processing; security policy evaluation and next-hop lookup; session and forwarding table update; forwarding for permitted traffic to the egress interface; packets disallowed by policy are dropped.]
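As an added illustration that is not part of the datasheet, the following Python model walks through the Figure 3 flow: the first packet of a session pays for a policy evaluation and a route lookup, the session and its egress interface are then inserted into the session table, and every later packet of that session needs one lookup; packets denied by policy are dropped and never cached. The policy rules, routes, interface names and addresses are constructed sample values.

```python
import ipaddress
from collections import namedtuple

# Constructed sample data (not from the datasheet): a flow key, a small
# forwarding policy and a longest-prefix-match routing table.
Packet = namedtuple("Packet", "src dst proto dport")
# Policy rules are evaluated in order, on the first packet of a session only.
POLICY = [
    ("permit", "10.1.0.0/16", "192.0.2.0/24", "tcp", 443),
    ("deny",   "0.0.0.0/0",   "0.0.0.0/0",    "any", None),
]
ROUTES = {"192.0.2.0/24": "ge-0/0/1", "0.0.0.0/0": "ge-0/0/0"}  # prefix -> egress

class SessionForwarder:
    def __init__(self):
        self.sessions = {}  # session key -> egress interface (the next hop)
        self.lookups = 0    # table lookups spent on the most recent packet

    @staticmethod
    def _key(p):
        return (p.src, p.dst, p.proto, p.dport)

    def _policy_allows(self, p):
        self.lookups += 1   # policy evaluation: one table walk
        for action, src, dst, proto, dport in POLICY:
            if (ipaddress.ip_address(p.src) in ipaddress.ip_network(src)
                    and ipaddress.ip_address(p.dst) in ipaddress.ip_network(dst)
                    and proto in ("any", p.proto)
                    and dport in (None, p.dport)):
                return action == "permit"
        return False        # no matching rule: implicit deny

    def _next_hop(self, p):
        self.lookups += 1   # routing table: longest prefix match
        dst = ipaddress.ip_address(p.dst)
        best = max((n for n in ROUTES if dst in ipaddress.ip_network(n)),
                   key=lambda n: ipaddress.ip_network(n).prefixlen)
        return ROUTES[best]

    def forward(self, p):
        """Return 'drop' or the egress interface for packet p."""
        self.lookups = 1                      # session and forwarding table
        egress = self.sessions.get(self._key(p))
        if egress is not None:                # established: single lookup
            return egress
        if not self._policy_allows(p):        # first packet: policy first
            return "drop"                     # denied flows are not cached
        egress = self._next_hop(p)            # then the next-hop route
        self.sessions[self._key(p)] = egress  # insert session + next hop
        return egress
```

Compare `lookups` after the first and second packet of the same flow to see the three-lookup setup cost collapse to one.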
[Figure 4: The distributed enterprise. Site types shown: Large HA Office, Mid-sized HA Branch, Private Data Center, Small Office, Small Link HA Branch, Small Branch with Cellular Backup. Devices: SRX110, SRX210, SRX240, SRX550, SRX650 (HA pair), EX3300, EX4200, WLC100, WLC800, WLA532, CX111. Links: T1/E1, VDSL, DS3/E3, SFP, 3G connectivity, 4G LTE, private WAN, Internet. Servers and services: SIP server, UC server, app server, hosted server, web server, SF.com, Facebook, Skype, Google.]