[SRX] Equal-cost multipath support for flow-based forwarding

Article ID: KB23417   KB Last Updated: 29 Jul 2020   Version: 6.0
Summary:

This article describes the equal-cost multipath (ECMP) flow-based forwarding support on SRX devices, which is available beginning with release 12.1.

Symptoms:

Support extended by SRX for ECMP flow-based forwarding

Cause:
  • Beginning with 12.1, SRX supports equal-cost multipath (ECMP) flow-based forwarding.
  • With ECMP support, next-hop entries for ECMP will be installed in the forwarding table.
  • SRX will forward traffic over ECMP routes in a per-flow load balance manner.
  • Source IP, destination IP, and protocol number are used in the hashing logic that selects the next-hop entry.
  • Therefore, traffic with the same source IP, destination IP, and protocol number, when permitted by the security policy, is forwarded to the same next-hop.
  • The resulting next-hop entry will be used for the traffic flow and is marked on the traffic flow session.
Solution:
Setup:
       1.1.1.122
          PC1 ---+      +--------+
                 |      |        |
                 +-----SRX     Router----Server
                 |      |        |        192.168.200.1
          PC2----+      +--------+
   1.1.1.123


Here is the configuration snippet required for ECMP flow-based forwarding:
routing-options {
     forwarding-table {
         export lb;
     }
}
...
policy-options {
     policy-statement lb {
         then {
             load-balance per-packet;
         }
     }
}

SRX has two ECMP routes towards the server:
lab@srx220b.hk> show route 192.168.200/24

inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.200.0/24      *[OSPF/10] 00:25:09, metric 2
                      > to 10.1.90.1 via ge-0/0/5.0
                        to 10.1.89.1 via ge-0/0/7.0

The traffic from PC1 and PC2 demonstrates the behavior of ECMP flow-based forwarding. Here are the related sessions:
lab@srx220b.hk# run show security flow session protocol tcp
Session ID: 872, Policy name: t2ut/4, Timeout: 1754, Valid
In: 1.1.1.122/43805 --> 192.168.200.1/23;tcp, If: ge-0/0/2.0, Pkts: 77, Bytes: 3199
Out: 192.168.200.1/23 --> 1.1.1.122/43805;tcp, If: ge-0/0/5.0, Pkts: 76, Bytes: 3340

Session ID: 928, Policy name: t2ut/4, Timeout: 1798, Valid
In: 1.1.1.123/49817 --> 192.168.200.1/23;tcp, If: ge-0/0/2.0, Pkts: 88, Bytes: 3648
Out: 192.168.200.1/23 --> 1.1.1.123/49817;tcp, If: ge-0/0/7.0, Pkts: 87, Bytes: 3752

Notice the outgoing (Out) entries: the session from PC1 (1.1.1.122) uses next-hop interface ge-0/0/5.0, while the session from PC2 (1.1.1.123) uses ge-0/0/7.0, because the two flows hash to different ECMP next-hops.
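As an added verification check (not part of the original article or of Junos), the script below parses the two sessions from the output above and confirms the per-flow property: every (source IP, destination IP, protocol) tuple is seen on exactly one egress interface. A third session from PC1 on a new source port is constructed to illustrate that ports are not part of the hash, so it lands on the same next-hop as PC1's first session.

```python
import re
from collections import defaultdict

# Constructed sample: the two sessions from the article, plus a third
# session from PC1 on a different source port (assumed to take the same
# next-hop as session 872, since ports are not part of the ECMP hash).
SESSION_OUTPUT = """\
Session ID: 872, Policy name: t2ut/4, Timeout: 1754, Valid
In: 1.1.1.122/43805 --> 192.168.200.1/23;tcp, If: ge-0/0/2.0, Pkts: 77, Bytes: 3199
Out: 192.168.200.1/23 --> 1.1.1.122/43805;tcp, If: ge-0/0/5.0, Pkts: 76, Bytes: 3340

Session ID: 928, Policy name: t2ut/4, Timeout: 1798, Valid
In: 1.1.1.123/49817 --> 192.168.200.1/23;tcp, If: ge-0/0/2.0, Pkts: 88, Bytes: 3648
Out: 192.168.200.1/23 --> 1.1.1.123/49817;tcp, If: ge-0/0/7.0, Pkts: 87, Bytes: 3752

Session ID: 931, Policy name: t2ut/4, Timeout: 1800, Valid
In: 1.1.1.122/50001 --> 192.168.200.1/23;tcp, If: ge-0/0/2.0, Pkts: 5, Bytes: 300
Out: 192.168.200.1/23 --> 1.1.1.122/50001;tcp, If: ge-0/0/5.0, Pkts: 4, Bytes: 280
"""

# One session wing: "In: src/sport --> dst/dport;proto, If: ifname, ..."
WING = re.compile(r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+),")


def parse_sessions(text):
    """Return [(hash_key, egress_if)] per session, where hash_key is the
    (src_ip, dst_ip, proto) tuple of the In wing and egress_if is the
    interface on the Out wing (the next-hop chosen for the flow)."""
    sessions, key = [], None
    for line in text.splitlines():
        m = WING.match(line)
        if not m:
            continue
        wing, src, _sport, dst, _dport, proto, ifname = m.groups()
        if wing == "In":
            key = (src, dst, proto)
        elif key is not None:
            sessions.append((key, ifname))
            key = None
    return sessions


def egress_by_flow_key(text):
    """Map each (src, dst, proto) tuple to the set of egress interfaces seen."""
    seen = defaultdict(set)
    for key, out_if in parse_sessions(text):
        seen[key].add(out_if)
    return dict(seen)


def inconsistent_flows(text):
    """Flow keys observed on more than one next-hop interface; with per-flow
    ECMP forwarding this must be empty."""
    return {k: v for k, v in egress_by_flow_key(text).items() if len(v) > 1}
```

Run it against live `show security flow session protocol tcp` output to confirm that flows from the same source/destination/protocol stay on one next-hop while different sources spread across the ECMP members.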
Modification History:
2020-07-29: Added link to "ECMP Flow-Based Forwarding" document.
