hash-keys (Aggregated Multiservices)
Syntax
hash-keys {
egress-key (destination-ip | source-ip);
ingress-key (destination-ip | source-ip);
}
Hierarchy Level
[edit services service-set service-set-name interface-service load-balancing-options]
Description
Configure the hash keys used for load balancing in aggregated multiservices (AMS) for service applications (Network Address Translation [NAT], stateful firewall, application-level gateway [ALG], HTTP header enrichment, and mobility). The hash keys supported in the ingress and egress direction are the source IP address and destination IP address.
Hash keys are used to define the load-balancing behavior among the various members in the AMS group. For example, if hash-keys is configured as source-ip, then the hashing would be performed based on the source IP address of the packet. Therefore, all packets with the same source IP address land on the same member. Hash keys must be configured with respect to the traffic direction: ingress or egress. For example, if hash-keys is configured as source-ip in the ingress direction, then it should be configured as destination-ip in the egress direction. This is required to ensure that the packets of the same flow reach the same member of the AMS group.
The configuration of the ingress and egress hash keys is mandatory if you are using AMS for NAT. This configuration is not mandatory if you are using AMS for stateful firewall; if the hash keys are not configured, then the defaults are chosen. Refer to Table 1 for the supported hash keys.
The resource-triggered option enables anchor session PICs to
use the load or resource information from the anchor services PICs
to select the AMS member will anchor the services for the subscriber
for load balancing among AMS members. In addition, for mobile subscriber-aware
services (such as HTTP header enrichment), you must configure the resource-triggered statement, which means that the load balancing
is not done using the ingress and egress keys.
Service Set at Ingress Interface |
Service Set at Egress Interface |
|||
| Hash Keys for NAT | ||||
NAT Type |
Ingress hash key |
Egress hash key |
Ingress hash key |
Egress hash key |
source static |
Destination IP address |
Source IP address |
Source IP address |
Destination IP address |
source dynamic |
Source IP address |
Destination IP address |
Destination IP address |
Source IP address |
Network Address Port Translation (NAPT) |
Source IP address |
Destination IP address |
Destination IP address |
Source IP address |
destination static |
Source IP address |
Destination IP address |
Destination IP address |
Source IP address |
| Hash Keys for Stateful Firewall | ||||
Stateful Firewall |
Destination IP address |
Source IP address |
Destination IP address |
Source IP address |
Stateful Firewall |
Source IP address |
Destination IP address |
Source IP address |
Destination IP address |
If NAT is used in the service set (along with stateful firewall and ALG), then the hash keys should be based on the NAT type; otherwise, the hash keys of the stateful firewall should be used.
Options
The egress-keys option is hidden and is deprecated
in Junos OS Release 15.1 and later, and is only maintained for backward
compatibility. It might be removed completely in a future software
release. Load-balancing or steering of traffic occurs, based on the
hash keys in the forward direction. Load-balancing of traffic also
occurs, based on the hash keys in the reverse direction except in
dynamic NAT scenarios (dynamic NAT, NAT64, and NAPT44). For interface-style
services, the ingress hash-key is used for the forward direction
and the egress hash-key is used for the reverse direction. These hash-keys
are configured within the service-set definition by using the ingress-key and egress-key statements at the [edit services service-set service-set-name interface-service
load-balancing-options] hierarchy level. For next-hop style
services, the ingress hash-key on the inside-domain next-hop is used
in the forward direction and the ingress hash-key (not the egress
hash-key) on outside-domain next-hop is used for the reverse direction.
These hash-keys are configured at the logical AMS interface level
by using the ingress-key and egress-key statements
at the [edit interfaces amsN unit logical-unit-number load-balancing-options hash-keys] hierarchy level.
| ingress-key destination-ip | Use the destination IP address of the flow to compute the hash used in load balancing in the ingress flow direction. |
| ingress-key source-ip | Use the source IP address of the flow to compute the hash used in load balancing in the ingress flow direction. |
| egress-key destination-ip | Use the destination IP address of the flow to compute the hash used in load balancing. Configure the hash keys to be used in the egress flow direction. The configuration is mandatory if you are using AMS for Network Address Translation (NAT). This configuration is not mandatory if you are using AMS for stateful firewall; if the hash keys are not configured, then the defaults are chosen. |
| egress-key source-ip | Use the source IP address of the flow to compute the hash used in load balancing. Configure the hash keys to be used in the egress flow direction. |
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.4.