Application-Based Multipath Routing

Application-Based Multipath Routing Overview

Voice and video traffic is sensitive to packet loss, latency, and jitter. Packet loss directly degrades the quality of voice and video calls.

To ensure timely delivery of this sensitive application traffic, application-based multipath routing (also referred to as multipath routing in this document) is supported on SRX Series Firewalls. It allows the sending device to create copies of each packet and send each copy through two or more WAN links.

Multipath identifies two or more paths based on the SLA configuration and sends out a copy of the original traffic on all the identified paths.

On the other end, among the multiple copies of a packet that arrive, the receiving device keeps the first copy received and drops the subsequent ones. While the copies are being received, the receiving device calculates the jitter and packet loss for the combined links and then estimates the jitter and packet loss that the same traffic would have experienced on each individual link. This lets you compare the reduction in packet loss achieved by using the combined links instead of a single link.

Sending the multiple copies of the application traffic ensures that if there is a packet loss or delay, the other link might still deliver the packet to the endpoint.
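The receiver-side behaviour described above (keep the first copy of each packet, drop the later duplicates, then compare loss and jitter of the combined stream against each link on its own) can be worked through on a small constructed trace. The following Python is an added illustration, not Junos code and not part of this document's configuration: the per-link delay lists, the 20 ms send interval, and the simple mean-delay-variation jitter estimate are all assumptions made here.

```python
from typing import Dict, List, Optional, Tuple

SEND_INTERVAL_MS = 20  # constructed: one voice packet every 20 ms, seq 1..N

# Constructed one-way delay (ms) of each packet copy per WAN link; None = that copy was lost.
LINK_DELAYS: Dict[str, List[Optional[int]]] = {
    "mpls": [30, 30, None, 30, 40, 30, None, 30, 30, 30],
    "ip":   [32, 40, 32, None, 32, 32, 32, 32, None, 32],
}


def arrivals_for_link(delays: List[Optional[int]]) -> Dict[int, int]:
    """Map seq -> arrival time (ms) for the copies that survived on one link."""
    return {seq: SEND_INTERVAL_MS * seq + d
            for seq, d in enumerate(delays, start=1) if d is not None}


def first_arrival(per_link: Dict[str, Dict[int, int]]) -> Dict[int, Tuple[int, str]]:
    """Receiver rule from the text: keep the earliest copy of each seq, drop later duplicates."""
    chosen: Dict[int, Tuple[int, str]] = {}
    for link, arrivals in per_link.items():
        for seq, t in arrivals.items():
            if seq not in chosen or t < chosen[seq][0]:
                chosen[seq] = (t, link)
    return chosen


def loss_rate(delivered: Dict[int, int], total: int) -> float:
    return 1 - len(delivered) / total


def mean_delay_variation(delivered: Dict[int, int]) -> float:
    """Simple jitter estimate: mean |delay(n) - delay(n-1)| over consecutively delivered packets."""
    delays = [t - SEND_INTERVAL_MS * seq for seq, t in sorted(delivered.items())]
    if len(delays) < 2:
        return 0.0
    return sum(abs(b - a) for a, b in zip(delays, delays[1:])) / (len(delays) - 1)


def estimate(link_delays: Dict[str, List[Optional[int]]] = LINK_DELAYS) -> Dict[str, Dict[str, float]]:
    """Loss and jitter for each individual link and for the combined (first-arrival) stream."""
    total = len(next(iter(link_delays.values())))
    per_link = {name: arrivals_for_link(d) for name, d in link_delays.items()}
    combined = {seq: t for seq, (t, _) in first_arrival(per_link).items()}
    report = {name: {"loss": loss_rate(a, total), "jitter_ms": mean_delay_variation(a)}
              for name, a in per_link.items()}
    report["combined"] = {"loss": loss_rate(combined, total),
                          "jitter_ms": mean_delay_variation(combined)}
    return report


if __name__ == "__main__":
    for name, m in estimate().items():
        print(f"{name:8s} loss={m['loss']:.0%} jitter={m['jitter_ms']:.2f} ms")
```

With the constructed trace each link alone loses 20% of the packets, while the combined stream loses none, because no packet was lost on both links at once; the jitter of the combined stream is also lower than either link's because the first-arrival rule hides each link's occasional slow packet.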

SRX Series Firewalls support application-based multipath routing starting in Junos OS Release 15.1X49-D160 in standalone mode.

SRX Series Firewalls support application-based multipath routing starting in Junos OS Release 19.2R1 and Junos OS Release 15.1X49-D170 in chassis cluster mode.

Multipath routing leverages the following functionality:

  • Application identification details from Deep Packet Inspection (DPI)

  • APBR functionality for packet forwarding feature

  • AppQoE service for SLA association.

Supported Use Cases

  • SD-WAN hub and spoke topology

  • SD-WAN mesh topology

Limitations

  • All the selected WAN links must be ECMP paths to the destination.

  • All the selected WAN interfaces that are part of multipath routing sessions must belong to one zone.

  • The multipath routing feature is supported only between two book-ended security devices.

Benefits of Multipath Routing

  • Multipath support in SD-WAN use cases enhances the application experience by reducing packet loss, delivering packets faster, and lowering jitter, which results in better quality of service, especially for voice and video traffic.

Understanding Workflow in Multipath Routing

The following sequence of events is involved in applying multipath routing:

  • Junos OS application identification identifies applications and once an application is identified, its information is saved in the application system cache (ASC).

  • Application policy-based routing (APBR) queries the application system cache (ASC) module to get the application attributes details.

  • APBR uses the application details to look for a matching rule in the APBR profile (application profile). If a matching rule is found, the traffic is redirected to the specified routing instance for the route lookup.

  • AppQoE checks whether an SLA is enabled for a session. If the session is a candidate for SLA measurement, and if multipath routing is configured, then multipath routing is triggered.

  • Based on the SLA rule, multipath routing obtains the underlay link types and corresponding overlays on which packet duplication needs to be performed. Multipath routing can be triggered based on the configuration of an SLA rule. When multipath routing is configured within an SLA rule for a specific application, AppQoE functionality is disabled for all sessions of that application matching the SLA rule.

  • Based on the application traffic and the configured bandwidth limit, multipath identifies two or more paths and triggers a copy of the original traffic on all the identified paths. Multipath routing path selection is done on the overlay paths. The bandwidth limit is based on the underlay link speed, and path selection is based on the link type.

  • On the receiving device, while the copy of the packet is in progress, multipath calculates the jitter and packet loss for the combined links and then estimates the jitter and packet-loss for same traffic on individual links.

  • On the receiving device, multipath routing accepts packets of a session arriving through different links, maintains the sequence of packets arriving on different CoS queues, and drops any duplicates.

Multipath routing copies packets on all the links belonging to a rule until the bandwidth limit is reached. The bandwidth limit is calculated from the lowest link speed identified for that rule, and it applies to all sessions of all applications that match that multipath routing rule. Once the limit is reached, multipath routing stops copying packets and starts a timer for the period configured with the max-time-wait option in the multipath routing configuration. When the timer expires, it restarts copying packets.
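The sender-side budget just described (copy on every link until the limit derived from the slowest link is used up, stop, wait max-time-wait, restart) is modelled below. This is an added Python illustration, not Junos code and not this document's configuration; it assumes that bandwidth-limit is a percentage of the slowest link's speed and that the budget is accounted per one-second interval, neither of which the text specifies, so check the CLI help for the unit on your release.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MultipathRule:
    link_speed_mbps: Dict[str, float]   # underlay link-speed of each link selected by the rule
    bandwidth_limit_pct: float          # ASSUMPTION: limit expressed as % of the slowest link
    max_time_wait_ms: int               # pause length once the limit is reached

    def budget_bytes(self) -> float:
        """Copy budget per accounting interval, derived from the least link speed (as the text states)."""
        slowest_mbps = min(self.link_speed_mbps.values())
        return slowest_mbps * 1_000_000 / 8 * self.bandwidth_limit_pct / 100


class CopyBudget:
    """Decides whether the next packet of a rule may still be duplicated onto all links."""
    ACCOUNTING_MS = 1000  # ASSUMPTION: the budget is accounted per one-second interval

    def __init__(self, rule: MultipathRule):
        self.rule = rule
        self.window_start_ms = 0
        self.used_bytes = 0
        self.paused_until_ms: Optional[int] = None

    def should_copy(self, now_ms: int, size_bytes: int) -> bool:
        if self.paused_until_ms is not None:
            if now_ms < self.paused_until_ms:
                return False                      # max-time-wait timer still running
            self.paused_until_ms = None           # timer expired: restart copying
            self.window_start_ms, self.used_bytes = now_ms, 0
        if now_ms - self.window_start_ms >= self.ACCOUNTING_MS:
            self.window_start_ms, self.used_bytes = now_ms, 0
        if self.used_bytes + size_bytes > self.rule.budget_bytes():
            # limit reached: stop copying and start the max-time-wait timer
            self.paused_until_ms = now_ms + self.rule.max_time_wait_ms
            return False
        self.used_bytes += size_bytes
        return True


def simulate(rule: MultipathRule, packet_bytes: int, interval_ms: int, duration_ms: int) -> List[bool]:
    """Constructed constant-rate stream; returns, per packet, whether it was duplicated."""
    budget = CopyBudget(rule)
    return [budget.should_copy(t, packet_bytes) for t in range(0, duration_ms, interval_ms)]


if __name__ == "__main__":
    rule = MultipathRule({"mpls": 10, "ip": 4}, bandwidth_limit_pct=60, max_time_wait_ms=1000)
    decisions = simulate(rule, packet_bytes=1500, interval_ms=2, duration_ms=2000)
    print(f"{sum(decisions)} of {len(decisions)} packets duplicated")
```

With a 4 Mbps slowest link and a 60% limit the budget is 300,000 bytes, so a 1500-byte packet every 2 ms exhausts it after 200 packets; copying then pauses for the full max-time-wait and resumes, which is why the session sees duplication in bursts rather than continuously.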

AMR Improvements

Starting in Junos OS Release 21.2R1, the following enhancements are introduced for AMR:

AMR Support for Reverse Traffic

You can apply multipath functionality to the reverse traffic. Both the sending device and the receiving device can now create copies of packets and send each copy through two WAN links to the destination device. This enhancement ensures uninterrupted delivery of the sensitive application traffic in both directions.

By default, AMR for the reverse traffic is disabled. You can enable it with the following CLI option:

To disable AMR for the reverse traffic, use the following CLI option:

AMR support for reverse wing traffic is available when the devices are operating in HA mode. Note that the packets in the queue are dropped during an HA failover.

Queuing Mechanism for Out-of-Order Packets

Starting in Junos OS Release 21.2R1, the queuing mechanism for out-of-order packets at the receiving device is improved.

Previously, the AMR receiving device discarded out-of-order packets, resulting in packet loss and degraded quality of service. With the queuing mechanism, when the receiving device receives an out-of-order packet, it buffers the packet in a queue for a short duration while it waits for the remaining packets to arrive. This buffering allows the packets to be reordered instead of discarded.
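The difference between discarding out-of-order packets and briefly queuing them is easiest to see on one arrival log. The following Python is an added illustration, not Junos code and not the device's actual queue implementation; the arrival log, the 30 ms maximum wait, and the policy of skipping a gap once the oldest buffered packet has waited that long are all assumptions made here.

```python
from typing import Dict, List, Tuple

# Constructed arrival log at the receiving device: (seq, arrival_ms). Copies of one seq may
# arrive on different links (duplicates), some arrive late, and seq 10 is lost on every link.
ARRIVALS: List[Tuple[int, int]] = [
    (1, 0), (2, 20), (4, 42), (3, 45), (3, 48), (5, 60), (4, 62),
    (7, 102), (8, 122), (6, 130), (9, 142), (11, 200), (12, 222), (13, 240),
]


def discard_out_of_order(arrivals: List[Tuple[int, int]]) -> List[int]:
    """Pre-21.2R1 behaviour described in the text: anything behind the highest seq seen is dropped."""
    delivered, highest = [], 0
    for seq, _ in arrivals:
        if seq > highest:
            delivered.append(seq)
            highest = seq
    return delivered


class ReorderQueue:
    def __init__(self, max_wait_ms: int):
        self.max_wait_ms = max_wait_ms
        self.expected = 1
        self.buffer: Dict[int, int] = {}   # seq -> arrival time of packets waiting for a gap to fill
        self.duplicates = 0
        self.skipped: List[int] = []       # seqs given up on after max_wait_ms

    def _drain(self) -> List[int]:
        out = []
        while self.expected in self.buffer:
            out.append(self.expected)
            del self.buffer[self.expected]
            self.expected += 1
        return out

    def _expire(self, now_ms: int) -> List[int]:
        """If the oldest buffered packet has waited too long, give up on the gap ahead of it."""
        out = []
        while self.buffer and now_ms - min(self.buffer.values()) >= self.max_wait_ms:
            lowest = min(self.buffer)
            self.skipped.extend(range(self.expected, lowest))
            self.expected = lowest
            out += self._drain()
        return out

    def push(self, seq: int, now_ms: int) -> List[int]:
        """Return the packets that can now be handed to the application, in sequence order."""
        out: List[int] = []
        if seq < self.expected or seq in self.buffer:
            self.duplicates += 1               # copy already delivered or already queued
        elif seq == self.expected:
            self.expected += 1
            out.append(seq)
            out += self._drain()
        else:
            self.buffer[seq] = now_ms          # out of order: hold it briefly
        return out + self._expire(now_ms)


def run(arrivals: List[Tuple[int, int]] = ARRIVALS, max_wait_ms: int = 30):
    """Returns (queued delivery, discard-based delivery, seqs skipped, duplicates dropped)."""
    q = ReorderQueue(max_wait_ms)
    reordered = [seq for s, t in arrivals for seq in q.push(s, t)]
    return reordered, discard_out_of_order(arrivals), q.skipped, q.duplicates


if __name__ == "__main__":
    reordered, naive, skipped, dupes = run()
    print("queued :", reordered, "skipped", skipped, "dupes", dupes)
    print("discard:", naive)
```

On the constructed log the discard policy loses packets 3 and 6 even though both copies arrived only a few milliseconds late, while the queue delivers them in order and only gives up on seq 10, which never arrived on any link. The wait bound matters: the queue adds at most max_wait_ms of delay, which is the trade-off against jitter that the short buffering duration in the text reflects.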

AMR Support for APBR Profile

Starting in Junos OS Release 21.2R1, the security device supports AMR when used with an APBR profile configured with an APBR policy. You can create the APBR policy by defining source addresses, destination addresses, and applications as match conditions.

In previous releases of Junos OS, you could attach an APBR profile only to the incoming security zone of the ingress traffic. In that case, APBR was applied on a per-security-zone basis.

The following example shows a configuration snippet of an APBR policy that defines source addresses, destination addresses, and applications as match conditions. An SLA rule is applied to the traffic matching the APBR policy rules. The multipath rule associated with the SLA rule is then applied, and multipath routing is enabled for the session.

Link Selection

In previous releases, the link selection mechanism for application-based multipath routing was either the default (one of the first two available links) or based on the link type (IP or MPLS) set in the AppQoE underlay-interface configuration.

Starting in Junos OS Release 21.2R1, you can specify the link preference options as generic routing encapsulation (GRE) and secure tunnel (st). The device directly selects one of the specified interfaces for multipath routing.

If you have not configured a link preference, AMR selects the first two available links from the configured paths.

You can specify link preferences using the following CLI option:

AMR in SLA Violation Mode or Standalone Mode

Starting in Junos OS Release 21.2R1, AMR is enabled in one of the following two modes:

  • SLA violation mode—When AppQoE detects an SLA violation on all the links, it enables AMR. AMR is disabled when the SLA is met on any of the links, based on the timer configuration.

  • Standalone mode—If you have configured AMR without configuring SLA metrics, AMR is enabled independent of the AppQoE status. In this mode, when the bandwidth limit is reached, AMR pauses for a default duration and then restarts.
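The two modes reduce to a small decision rule that can be checked against a sequence of probe results. The Python below is an added illustration, not Junos code and not the AppQoE implementation; the metric names, the thresholds, the probe values, and the hold_ms timer (the text only says AMR is disabled "based on the timer configuration") are all assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SlaMetrics:
    """Thresholds a link must stay within to meet the SLA (names are this example's, not CLI keywords)."""
    max_delay_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def violated_by(self, delay_ms: float, jitter_ms: float, loss_pct: float) -> bool:
        return (delay_ms > self.max_delay_ms
                or jitter_ms > self.max_jitter_ms
                or loss_pct > self.max_loss_pct)


class AmrController:
    """Decides whether packet duplication is active for one rule.

    sla is None  -> standalone mode: AMR is on regardless of link quality.
    sla is given -> SLA violation mode: on once every link violates, off again after any
                    link has met the SLA for hold_ms (ASSUMPTION: the text only mentions a
                    timer; the name and semantics of hold_ms are this example's).
    """

    def __init__(self, sla: Optional[SlaMetrics], hold_ms: int = 10_000):
        self.sla = sla
        self.hold_ms = hold_ms
        self.enabled = sla is None
        self.met_since_ms: Optional[int] = None

    def update(self, now_ms: int, links: Dict[str, Tuple[float, float, float]]) -> bool:
        """links: name -> (delay_ms, jitter_ms, loss_pct) from the latest probe round."""
        if self.sla is None:
            return True                                   # standalone mode
        violating = {name for name, m in links.items() if self.sla.violated_by(*m)}
        if len(violating) == len(links):                  # every path is below SLA: duplicate
            self.enabled = True
            self.met_since_ms = None
        elif self.enabled:                                # at least one path meets the SLA again
            if self.met_since_ms is None:
                self.met_since_ms = now_ms
            elif now_ms - self.met_since_ms >= self.hold_ms:
                self.enabled = False
                self.met_since_ms = None
        return self.enabled


def walkthrough() -> List[bool]:
    """Constructed probe rounds, 5 s apart, for a two-link rule in SLA violation mode."""
    sla = SlaMetrics(max_delay_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
    ctl = AmrController(sla, hold_ms=10_000)
    good, bad = (40, 5, 0.0), (220, 45, 3.0)
    rounds = [
        (0, {"mpls": good, "ip": bad}),          # only one link violating: AMR stays off
        (5_000, {"mpls": bad, "ip": bad}),       # both violating: AMR on
        (10_000, {"mpls": good, "ip": bad}),     # mpls recovered: hold timer starts
        (15_000, {"mpls": good, "ip": bad}),     # still inside the hold period
        (20_000, {"mpls": good, "ip": bad}),     # hold period elapsed: AMR off
    ]
    return [ctl.update(t, links) for t, links in rounds]


if __name__ == "__main__":
    print("SLA violation mode:", walkthrough())
    print("standalone mode   :", AmrController(None).update(0, {"mpls": (500, 80, 9.0)}))
```

The hold timer is what keeps AMR from flapping when a link hovers around the SLA threshold; in standalone mode the controller never consults the metrics at all, and the only thing that pauses duplication is the bandwidth limit described earlier.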

Example:

The following is a sample configuration of SLA metrics. SLA metrics specify the requirement parameters that AppQoE uses to evaluate the SLA of a link. To meet the SLA, AppQoE monitors the network for sources of failure or congestion. If the performance of a link falls below the acceptable levels specified by the SLA, the situation is considered an SLA violation. If an SLA violation is detected on all the links, AMR is enabled in SLA violation mode.

If the SLA metrics configuration shown in the example above is not present in the AMR configuration, AMR is enabled in standalone mode.

Support for IPv6 Traffic

Application-based multipath routing supports IPv6 traffic:

  • IPv6 traffic over IPv4 tunnels (Junos OS Release 21.2R1)
  • IPv6 traffic over IPv6 tunnels (Junos OS Release 21.3R1)

AMR Support over IPsec and Generic Routing Encapsulation (GRE) Sessions

  • Application-based multipath routing over direct IPsec tunnels without GRE (Junos OS Release 21.2R1)
  • Application-based multipath routing over direct Generic Routing Encapsulation (GRE) tunnels without IPsec (Junos OS Release 21.2R1)
  • Application-based multipath routing over direct IPsec tunnels without GRE for IPv6 traffic (Junos OS Release 21.3R1)
  • Application-based multipath routing over direct GRE tunnels without IPsec for IPv6 traffic (Junos OS Release 21.3R1)
  • Application-based multipath routing over MPLS-over-GRE-over-IPsec for IPv6 traffic (Junos OS Release 21.3R1)

Application-Based Multipath Routing Sample Configuration

Sample application-based multipath routing configuration (hub-and-spoke topology)

This section covers a sample application-based multipath routing configuration for a hub-and-spoke topology. The configuration uses the SLA set by APBR and works independently of AppQoE. For the AppQoE SLA, see Application Quality of Experience. You can configure the device for additional features such as link selection based on preference, path selection based on link type, and multipath routing support over IPsec and GRE tunnels. Multipath routing can also be configured with Contrail Service Orchestrator; see the Contrail Service Orchestration (CSO) Deployment Guide for details.

Spoke side device basic configuration

Hub side device basic configuration

Link preference configuration

Link type based path selection configuration

Interface based configuration at application based multipath routing level

IPsec VPN configuration with IPv6 tunnels and IPv4 traffic at spoke side device for application based multipath routing

Note:

For GRE tunnels, replace ipsec with gre. For IPv4 tunnels, IPv4 traffic, and IPv6 traffic, replace the IPv4 and IPv6 parts of the configuration accordingly.

Example: Configuring Application-Based Multipath Routing

This example shows how to configure multipath routing to provide quality of experience (QoE) by enabling real-time monitoring of the application traffic according to the specified SLA.

Requirements

  • Supported SRX Series Firewall with Junos OS Release 15.1X49-D160, Junos OS Release 19.2R1, or later. This configuration example is tested for Junos OS Release 15.1X49-D160.

  • Valid application identification feature license installed on a security device.

  • Appropriate security policies to enforce rules for the transit traffic, in terms of what traffic can pass through the device, and the actions that need to take place on the traffic as it passes through the device.

  • Application tracking enabled for the zone. See Application Tracking.

  • Ensure that the following features are configured:

Overview

To ensure uninterrupted delivery of this sensitive application traffic, application-based multipath routing is supported on security devices. It allows the sending device to create copies of packets and send each copy through two WAN links to the destination.

Multipath routing identifies two paths based on the SLA configuration, creates a duplicate copy of the application traffic, and sends the copies simultaneously over different physical paths. On the receiving device, while the copies are being received, multipath routing estimates the reduction in jitter, RTT, and packet loss and analyzes the quality of service, so that the traffic can be routed over the best link to provide the SLA to the end user. If both copies are received on the remote end, the first received packet is kept and the subsequent ones are dropped.

Table 1 provides the details of the parameters used in this example.

Table 1: Configuration Parameters for Multipath Rule, SLA Rule, and APBR

  Parameter                  Options                      Values
  Multipath rule (multi1)    Number of paths              2
                             bandwidth-limit              60
                             Maximum time to wait         60
                             Link type                    MPLS, IP
                             application                  junos:YAHOO, junos:GOOGLE
                             application-group            junos:web
  SLA rule (sla1)            Associated multipath rule    multi1
  APBR profile (apbr1)       Match applications           junos:YAHOO
                             APBR rule                    rule1
                             SLA rule                     sla1
  Underlay interface         ge-0/0/2 and ge-0/0/3        Speed: 800 Mbps

In this example, you configure a multipath rule for junos:YAHOO and junos:GOOGLE application traffic. You then configure an SLA rule and associate the multipath rule with it.

Next, associate the SLA rules with APBR rules created for the Yahoo application. APBR uses the application details to look for a matching rule in the APBR profile (application profile).

The multipath rule is applied to traffic matching junos:YAHOO or junos:GOOGLE, which is forwarded to the next-hop address specified in the routing instance.

Multipath routing obtains the underlay link types and corresponding overlays on which packet duplication is required based on the SLA rule. Based on the application traffic and the configured bandwidth limit, multipath identifies two or more paths and triggers a copy of the original traffic on all the identified paths.

When the traffic reaches the receiving end, the receiving device accepts packets of a session arriving through different links, maintains the sequence of packets arriving on different CoS queues, and drops any duplicate packets.

Note:

Ensure that the configuration is the same on both the sending-side and the receiving-side device, so that each device can act as both a sender and a receiver.

Configuration

Configure Multipath Rules for Application Traffic (Device Configured to Send Traffic)

Step-by-Step Procedure

Configure APBR profiles for the different application traffic and associate an SLA rule and a multipath rule with them.

  1. Create routing instances.

  2. Group one or more routing tables to form a RIB group and import routes into the routing tables.

  3. Configure AppQoE as a service. You must configure AppQoE as a service for host inbound traffic in the desired zone.

  4. Create the APBR profile and define the rules.

  5. Configure active probe parameters.

  6. Configure metrics profile.

  7. Configure underlay interfaces.

    If link-type is not configured under the underlay interfaces option, the default link type IP is used and the default link speed of 1000 Mbps is assumed.

  8. Configure overlay paths.

  9. Configure destination path groups.

  10. Configure multipath rule.

  11. Configure SLA rule.

  12. Associate an SLA rule to multipath rule.

Configure Multipath Rules for Application Traffic (Device Configured to Receive Traffic)

Step-by-Step Procedure

The variables configured in this step are the same for both the sending and receiving device.

  1. Configure multipath rule on the receiving device.

Results

From configuration mode, confirm your configuration by entering the show commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Hub-side device multipath rule configuration

If you are done configuring the device, enter commit from configuration mode.

Verification

Displaying Multipath Rule Status

Purpose

Display the details of the multipath rule on the device configured to send traffic.

Action

From operational mode, enter the show security advance-policy-based-routing multipath rule command.

Meaning

The command output displays the multipath rule details.

Display Multipath Rule Statistics for An Application

Purpose

Display the details of the application traffic on the device configured to receive traffic.

Action

From operational mode, enter the show security advance-policy-based-routing multipath rule rule-name application application-name command.

Meaning

The command output displays the multipath rule for the application.

Displaying Multipath Rule Policies

Purpose

Display the details of the multipath rule on the device configured to send traffic.

Action

From operational mode, enter the show security advance-policy-based-routing multipath rule command.

Meaning

The command output displays the details on the traffic handled with multipath rule applied.

Displaying Multipath Rule Status

Purpose

Display the details of the multipath rule on the device configured to receive traffic.

Action

From operational mode, enter the show security advance-policy-based-routing multipath rule command.

Meaning

Output displays details related to multipath rule.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

  Release         Description
  21.2R1          AMR support for the traffic in reverse direction
  21.2R1          AMR support for the queuing mechanism for out-of-order packets at the receiving device
  21.2R1          Association of AMR rules and SLA rules with advanced policy-based routing (APBR) rule in an APBR profile
  21.2R1          Link selection option that includes overlay interfaces such as generic routing encapsulation (GRE) and secure tunnel (st)
  21.2R1          Enabling of AMR in one of the two modes—SLA violation mode or standalone mode
  21.2R1          AMR support for IPv6 traffic
  21.2R1          Support for AMR over IPsec and Generic Routing Encapsulation (GRE) sessions
  15.1X49-D170    SRX Series Firewalls in chassis cluster mode support application-based multipath routing starting in Junos OS Release 19.2R1 and Junos OS Release 15.1X49-D170.
  15.1X49-D160    SRX Series Firewalls support application-based multipath routing starting in Junos OS Release 15.1X49-D160 (standalone mode).