Junos Asymmetric Routing

Mark Hermsdorfer mark at hermsdorfer.net
Fri May 28 12:37:28 UTC 2010

On Thu, May 27, 2010 at 8:38 PM, Ken Gilmour <ken.gilmour at gmail.com> wrote:

> Yes I believe that would be the default if the session was initiated on the
> inside, but if it comes from outside on a particular interface which is not
> the default route, why would the router then send the packet out another
> interface? Should the device not route session-based traffic according to
> where it originated?

As others have pointed out typically interfaces are not kept track of in
state tables.  Having said that, I've worked in the past with the ScreenOS
based SSG platforms that do this.  So if you're coming from an SSG
background this makes sense.

These devices seem to keep track of source interface in their state tables.
For example I've worked on a one-arm'ed Load Balancer with no Source NAT
such that one would typically require some policy based routing to get the
traffic back to the LB, to be have the Destination NAT handled.  However,
with a Juniper SSG, as the router, it's state tables kept track of the
interfaces and routed traffic correctly without any policy based routing
required.  When I took over administration of that environment I spent some
time trying to figure out how the routing worked since there was no
configuration such as policy based routes that would make sense.

Having said that, If the JunOS based SRX platform does not do session
tracking in the same was as the SSG platform it would seem that the most
reasonable solution would be to NAT the traffic as has already been pointed


Mark Hermsdorfer

More information about the NANOG mailing list