Juniper J2320-JB-SC Data Sheet
4
Session-Based Forwarding Without the
Performance Hit
Performance Hit
In order to optimize the throughput and latency of the combined
router and firewall, Junos OS implements session-based
forwarding, an innovation that combines the session state
information of a traditional firewall and the next-hop forwarding
of a classic router into a single operation. With Junos OS, a
session that is permitted by the forwarding policy is added to
the forwarding table along with a pointer to the next-hop route.
Established sessions have a single table lookup to verify that the
session has been permitted and to find the next hop. This efficient
algorithm improves throughput and lowers latency for session
traffic when compared with a classic router that performs multiple
table lookups to verify session information and then to find a next-
hop route.
router and firewall, Junos OS implements session-based
forwarding, an innovation that combines the session state
information of a traditional firewall and the next-hop forwarding
of a classic router into a single operation. With Junos OS, a
session that is permitted by the forwarding policy is added to
the forwarding table along with a pointer to the next-hop route.
Established sessions have a single table lookup to verify that the
session has been permitted and to find the next hop. This efficient
algorithm improves throughput and lowers latency for session
traffic when compared with a classic router that performs multiple
table lookups to verify session information and then to find a next-
hop route.
Figure 3 shows the session-based forwarding algorithm. When a
new session is established, the session-based architecture within
Junos OS verifies that the session is allowed by the forwarding
policies. If the session is allowed, Junos OS will look up the next-
hop route in the routing table. It then inserts the session and the
next-hop route into the session and forwarding table and forwards
the packet. Subsequent packets for the established session
require a single table lookup in the session and forwarding table,
and are forwarded to the egress interface.
new session is established, the session-based architecture within
Junos OS verifies that the session is allowed by the forwarding
policies. If the session is allowed, Junos OS will look up the next-
hop route in the routing table. It then inserts the session and the
next-hop route into the session and forwarding table and forwards
the packet. Subsequent packets for the established session
require a single table lookup in the session and forwarding table,
and are forwarded to the egress interface.
Figure 3: Session-based forwarding algorithm
Figure 4: The distributed enterprise
Security Policy Evaluation
and Next-Hop Lookup
Forwarding for
Permitted Traffic
Ingress
Interface
Session Initial
Packet Processing
Table
Update
Disallowed by
Policy: Dropped
Egress
Interface
Session and
Forwarding Table
PSTN
Service Provider
SIP Softswitch
SIP Softswitch
Service Provider
SIP Softswitch
SIP Softswitch
PSTN
SRX210
SRX240
POP
POP
POP
Cl
ear channel T
-1
D
a
ta (B8Z
S)
Channeliz
e
d T
-1
V
oic
e (
AMI)
PBX
EX4200
EX4200
LARGE OFFICE
HEAD QUARTERS
BRANCH
BRANCH
EX4200/EX2200
EX3200/EX2200
Fax
Fax
EX3200/EX2200
FIXED MOBILE SITE
(Mobile – 3G)
SMALL OFFICE
Cellular
Wireless
DSL
SRX100
Mobile
SRX210
INTERNET
SRX650
SRX240