Juniper SRX650 SRX650-BASE-SRE6-645AP Datasheet
Product code
SRX650-BASE-SRE6-645AP
contrast to the typical router active/standby resiliency protocols
such as Virtual Router Redundancy Protocol (VRRP), all dynamic
flow and session information is lost and must be reestablished in
the event of a failover. Some or all network sessions will have to
restart depending on the convergence time of the links or nodes. By
maintaining state, not only is the session preserved, but security is
kept intact. In an unstable network, this active/active configuration
also mitigates link flapping affecting session performance.
Session-Based Forwarding Without the Performance Hit
In order to optimize the throughput and latency of the combined
router and firewall, Junos OS implements session-based forwarding,
an innovation that combines the session state information of a
traditional firewall and the next-hop forwarding of a classic router
into a single operation. With Junos OS, a session that is permitted
by the forwarding policy is added to the forwarding table along with
a pointer to the next-hop route. Established sessions have a single
table lookup to verify that the session has been permitted and to
find the next hop. This efficient algorithm improves throughput and
lowers latency for session traffic when compared with a classic
router that performs multiple table lookups to verify session
information and then to find a next-hop route.
Figure 3 shows the session-based forwarding algorithm. When a
new session is established, the session-based architecture within
Junos OS verifies that the session is allowed by the forwarding
policies. If the session is allowed, Junos OS will look up the
next-hop route in the routing table. It then inserts the session and the
next-hop route into the session and forwarding table and forwards
the packet. Subsequent packets for the established session
require a single table lookup in the session and forwarding table,
and are forwarded to the egress interface.
Figure 3: Session-based forwarding algorithm (diagram labels: Ingress Interface; Session Initial Packet Processing; Security Policy Evaluation and Next-Hop Lookup; Disallowed by Policy: Dropped; Table Update; Session and Forwarding Table; Forwarding for Permitted Traffic; Egress Interface)
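A small model of the session-based forwarding flow described above, added here as an illustration; it is not Juniper code and does not reflect Junos OS internals. The policy rules, routes, interface names and the `SessionForwarder` class are constructed assumptions, and only the forward direction of a session is modelled.

```python
import ipaddress

# Constructed sample policy and routes (assumptions, not from the datasheet).
POLICY = [  # (source net, destination net, protocol, destination port, action)
    ("10.1.0.0/16", "192.0.2.0/24", "tcp", 443, "permit"),
    ("10.1.0.0/16", "0.0.0.0/0", "tcp", 23, "deny"),
]
ROUTES = {"192.0.2.0/24": "ge-0/0/1", "0.0.0.0/0": "ge-0/0/0"}  # prefix -> egress


class SessionForwarder:
    def __init__(self, policy, routes):
        self.policy = [(ipaddress.ip_network(s), ipaddress.ip_network(d), p, port, a)
                       for s, d, p, port, a in policy]
        self.routes = {ipaddress.ip_network(k): v for k, v in routes.items()}
        self.sessions = {}  # 5-tuple -> egress interface (session state + next hop)
        self.stats = {"policy_evals": 0, "route_lookups": 0, "fast_path": 0}

    def _permitted(self, src, dst, proto, dport):
        self.stats["policy_evals"] += 1
        for s, d, p, port, action in self.policy:  # first matching rule wins
            if src in s and dst in d and proto == p and dport == port:
                return action == "permit"
        return False  # default deny when no rule matches

    def _next_hop(self, dst):
        self.stats["route_lookups"] += 1
        matches = [n for n in self.routes if dst in n]  # longest prefix wins
        return self.routes[max(matches, key=lambda n: n.prefixlen)] if matches else None

    def forward(self, src, sport, dst, dport, proto):
        key = (src, sport, dst, dport, proto)
        egress = self.sessions.get(key)  # established session: single lookup
        if egress is not None:
            self.stats["fast_path"] += 1
            return egress
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not self._permitted(s, d, proto, dport):
            return None  # disallowed by policy: dropped, no table entry created
        egress = self._next_hop(d)
        if egress is not None:
            self.sessions[key] = egress  # table update: session plus next hop
        return egress
```

The `stats` counters show that policy evaluation and route lookup run once per permitted session, while later packets of that session only touch the session table; dropped traffic never creates an entry.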
Figure 4: The distributed enterprise (network diagram; site labels: Large HA Office; Small HA Branch; Small, Link HA Branch; Small Branch with Cellular Backup; Small Office; Private Data Center; connected over Private WAN and Internet)