Equal-cost multipath support on SRX for flow-based forwarding

  [KB23417]


Summary:
This article describes the support that SRX Series devices provide for equal-cost multipath (ECMP) flow-based forwarding, available beginning with Junos OS 12.1, and shows how to verify from the session table which ECMP next hop a flow is using.


Symptoms:
Support extended by SRX for ECMP flow-based forwarding
Cause:
  • Beginning with Junos OS 12.1, SRX supports equal-cost multipath (ECMP) flow-based forwarding.

  • With ECMP support, all of the equal-cost next-hop entries for a route (rather than a single one) are installed in the forwarding table.

  • SRX forwards traffic over ECMP routes in a per-flow load-balanced manner, not per packet: every packet of a given flow takes the same path.

  • The hash that selects the next-hop entry is computed over the source IP address, destination IP address and protocol number. Layer 4 port numbers are not part of the hash.

  • Consequently, all traffic with the same source IP, destination IP and protocol number that is permitted by the security policy is forwarded to the same next hop, regardless of source or destination port. Two TCP connections between the same pair of hosts therefore share one path, so the load-balancing granularity is per host pair rather than per connection.

  • The next-hop entry selected at session creation is recorded on the session and is used for every subsequent packet of that flow for the life of the session.
Solution:
Setup:
       1.1.1.122
          PC1 ---+      +--------+
                 |      |        |
                 +-----SRX     Router----Server
                 |      |        |        192.168.200.1
          PC2----+      +--------+
   1.1.1.123


Here is the configuration snippet required for ECMP flow-based forwarding. The export policy is applied to the forwarding table so that all equal-cost next hops, rather than only one, are installed in the Packet Forwarding Engine. Despite the keyword name, load-balance per-packet results in per-flow hashing on Junos, and on SRX the next hop chosen for a flow is then pinned to its session:
routing-options {
     forwarding-table {
         export lb;
     }
}
...
policy-options {
     policy-statement lb {
         then {
             load-balance per-packet;
         }
     }
}

SRX has two ECMP routes towards the server:
lab@srx220b.hk> show route 192.168.200/24

inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.200.0/24      *[OSPF/10] 00:25:09, metric 2
                      > to 10.1.90.1 via ge-0/0/5.0
                        to 10.1.89.1 via ge-0/0/7.0

Traffic from PC1 and PC2 to the server demonstrates the behavior of ECMP flow-based forwarding. Here are the related sessions:
lab@srx220b.hk# run show security flow session protocol tcp
Session ID: 872, Policy name: t2ut/4, Timeout: 1754, Valid
In: 1.1.1.122/43805 --> 192.168.200.1/23;tcp, If: ge-0/0/2.0, Pkts: 77, Bytes: 3199
Out: 192.168.200.1/23 --> 1.1.1.122/43805;tcp, If: ge-0/0/5.0, Pkts: 76, Bytes: 3340

Session ID: 928, Policy name: t2ut/4, Timeout: 1798, Valid
In: 1.1.1.123/49817 --> 192.168.200.1/23;tcp, If: ge-0/0/2.0, Pkts: 88, Bytes: 3648
Out: 192.168.200.1/23 --> 1.1.1.123/49817;tcp, If: ge-0/0/7.0, Pkts: 87, Bytes: 3752

Notice the Out wing of each session: the PC1 session (source 1.1.1.122) egresses via ge-0/0/5.0 and the PC2 session (source 1.1.1.123) via ge-0/0/7.0, which are the two next hops listed for 192.168.200.0/24 above. The two flows differ only in source IP (destination, protocol and server port are identical), so the source IP alone was enough to hash them onto different paths, and each session keeps using its recorded next hop for its lifetime.
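As an added example (not part of the original article or of Junos), the following Python script parses the text of show security flow session output and checks the property described above: every (source IP, destination IP, protocol) key should map to exactly one egress interface, while sessions from different hosts may be spread across the ECMP members. The sample input is constructed: the first two sessions are the ones shown above, and the third is a hypothetical second connection from PC1 on another source port, added to show that a different source port does not change the next hop.

```python
import re
from collections import defaultdict

# Constructed sample of `show security flow session protocol tcp` output.
# Sessions 872 and 928 are the ones shown in the article; session 931 is a
# hypothetical second connection from PC1 (different source port), added to
# show that the same src/dst/proto 3-tuple keeps the same next hop.
SAMPLE_SESSIONS = """\
Session ID: 872, Policy name: t2ut/4, Timeout: 1754, Valid
In: 1.1.1.122/43805 --> 192.168.200.1/23;tcp, If: ge-0/0/2.0, Pkts: 77, Bytes: 3199
Out: 192.168.200.1/23 --> 1.1.1.122/43805;tcp, If: ge-0/0/5.0, Pkts: 76, Bytes: 3340

Session ID: 928, Policy name: t2ut/4, Timeout: 1798, Valid
In: 1.1.1.123/49817 --> 192.168.200.1/23;tcp, If: ge-0/0/2.0, Pkts: 88, Bytes: 3648
Out: 192.168.200.1/23 --> 1.1.1.123/49817;tcp, If: ge-0/0/7.0, Pkts: 87, Bytes: 3752

Session ID: 931, Policy name: t2ut/4, Timeout: 1800, Valid
In: 1.1.1.122/51002 --> 192.168.200.1/23;tcp, If: ge-0/0/2.0, Pkts: 12, Bytes: 640
Out: 192.168.200.1/23 --> 1.1.1.122/51002;tcp, If: ge-0/0/5.0, Pkts: 11, Bytes: 512
"""

SESSION_RE = re.compile(r"^Session ID: (\d+),")
WING_RE = re.compile(
    r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+),"
)


def parse_sessions(text):
    """Return one dict per session: the 3-tuple of the initiating (In) wing
    and the egress interface taken from the Out wing."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m.group(1))}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            wing, src, sport, dst, dport, proto, ifname = m.groups()
            if wing == "In":
                # Forward direction: the key ECMP hashes on is src IP, dst IP
                # and protocol; ports are deliberately left out of the key.
                current["key"] = (src, dst, proto)
                current["sport"] = int(sport)
                current["ingress"] = ifname
            else:
                # The Out wing is the reverse flow; its interface is the next
                # hop the SRX chose for traffic towards the server.
                current["egress"] = ifname
    return [s for s in sessions if "key" in s and "egress" in s]


def egress_by_flow_key(sessions):
    """Map each (src, dst, proto) key to the set of egress interfaces seen."""
    seen = defaultdict(set)
    for s in sessions:
        seen[s["key"]].add(s["egress"])
    return dict(seen)


def check_per_flow_consistency(sessions):
    """Return the keys that were spread over more than one next hop.
    An empty list means every 3-tuple stuck to a single next hop, which is
    the per-flow behaviour the article describes."""
    return [k for k, ifs in egress_by_flow_key(sessions).items() if len(ifs) > 1]


def next_hop_distribution(sessions):
    """Count sessions per egress interface to see how the hash spread them."""
    counts = defaultdict(int)
    for s in sessions:
        counts[s["egress"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_SESSIONS)
    for s in parsed:
        print(s["id"], s["key"], "sport", s["sport"], "->", s["egress"])
    print("inconsistent keys:", check_per_flow_consistency(parsed))
    print("distribution:", next_hop_distribution(parsed))
```

Run it against saved output of show security flow session; a non-empty list of inconsistent keys would mean a flow was not pinned to a single next hop and is worth investigating. Before trusting the session view, also confirm that the forwarding table really carries both next hops with show route forwarding-table destination 192.168.200.0/24, which should list a unilist (ulst) next hop with both members; without the forwarding-table export policy only one next hop is installed and every session egresses the same interface.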
