Juniper SRX210-PWR-60W-IT Datasheet

Session-Based Forwarding Without the Performance Hit
In order to optimize the throughput and latency of the combined 
router and firewall, Junos OS implements session-based forwarding, 
an innovation that combines the session state information of a 
traditional firewall and the next-hop forwarding of a classic router 
into a single operation. With Junos OS, a session that is permitted 
by the forwarding policy is added to the forwarding table along with 
a pointer to the next-hop route. Established sessions have a single 
table lookup to verify that the session has been permitted and to 
find the next hop. This efficient algorithm improves throughput and 
lowers latency for session traffic when compared with a classic 
router that performs multiple table lookups to verify session 
information and then to find a next-hop route.

Figure 3 shows the session-based forwarding algorithm. When a new
session is established, the session-based architecture within Junos 
OS verifies that the session is allowed by the forwarding policies. If 
the session is allowed, Junos OS will look up the next-hop route in 
the routing table. It then inserts the session and the next-hop route 
into the session and forwarding table and forwards the packet. 
Subsequent packets for the established session require a single table 
lookup in the session and forwarding table, and are forwarded to the 
egress interface.
[Figure 3 diagram labels: Ingress Interface; Session Initial Packet Processing; Security Policy Evaluation and Next-Hop Lookup; Table Update; Disallowed by Policy: Dropped; Session and Forwarding Table; Forwarding for Permitted Traffic; Egress Interface]
Figure 3: Session-based forwarding algorithm
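A simplified Python model of the session-based forwarding flow described above, added here as an illustration and not Junos OS code; the class and field names, policy rules, routes and interface names are constructed assumptions. The first packet of a flow takes the policy-plus-route path once, and later packets resolve with a single lookup in the combined session and forwarding table.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto sport dport")  # 5-tuple session key

# Constructed sample data (not from the datasheet): first matching policy wins.
SAMPLE_POLICIES = [("10.0.0.0/24", "0.0.0.0/0", "tcp", 443, "permit")]
SAMPLE_ROUTES = [("0.0.0.0/0", "198.51.100.1", "ge-0/0/0"),
                 ("192.0.2.0/24", "10.0.1.1", "ge-0/0/1")]

class SessionForwarder:
    def __init__(self, policies, routes):
        net = ipaddress.ip_network
        self.policies = [(net(s), net(d), p, dp, a) for s, d, p, dp, a in policies]
        self.routes = [(net(n), nh, ifc) for n, nh, ifc in routes]
        self.sessions = {}          # combined session and forwarding table
        self.slow_path_lookups = 0  # times policy evaluation had to run

    def _policy_permits(self, flow):
        src = ipaddress.ip_address(flow.src)
        dst = ipaddress.ip_address(flow.dst)
        for s, d, proto, dport, action in self.policies:
            # A policy dport of None means "any port".
            if (src in s and dst in d and proto == flow.proto
                    and dport in (None, flow.dport)):
                return action == "permit"
        return False  # no matching policy: default deny

    def _route_lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        best = max(matches, key=lambda r: r[0].prefixlen)  # longest prefix match
        return best[1], best[2]

    def forward(self, flow):
        hit = self.sessions.get(flow)
        if hit is not None:             # established session: one table lookup
            return ("forward",) + hit
        self.slow_path_lookups += 1     # new session: policy, then next hop
        if not self._policy_permits(flow):
            return ("drop", None, None)  # disallowed by policy, nothing installed
        next_hop = self._route_lookup(flow.dst)
        if next_hop is None:
            return ("drop", None, None)
        self.sessions[flow] = next_hop  # table update: session plus next hop
        return ("forward",) + next_hop
```

The model keys sessions on one direction only; it does not represent return traffic, session timeouts or NAT.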
[Figure 4 diagram. Site labels: Large HA Office; Mid-sized HA Branch; Private Data Center; Small Office; Small, Link HA Branch; Small Branch with Cellular Backup. Device labels: SRX110, SRX210, SRX240, SRX550, SRX650, EX3300, EX4200, WLC200, WLC800, WLA532, AX411, CX111. Server labels: SIP Server, UC Server, App Server, Hosted Server, Web Server. Link labels: T1/E1, DS3/E3, VDSL, SFP, 3G Connectivity, 4G LTE. Network labels: Private WAN; Internet (SF.com, Facebook, Skype, Google)]
Figure 4: The distributed enterprise