The default in Junos 11.4, 12.1X44, 12.1X45/46 and 47 for Juniper SRX firewalls is to drop native IPv6 packets, because the forwarding mode for IPv6 is set to "drop". The SRX can be configured to forward IPv6 traffic in either "flow" mode (stateful firewall) or "packet" mode (stateless, router behavior).
As with IPv4 traffic, the SRX can act as a stateful or a stateless firewall: both packet mode and flow mode can be configured for IPv6.
Checking the IPv6 forwarding mode on the SRX
Code:
root@srx-host> show security flow status
node0:
--------------------------------------------------------------------------
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Advanced services data-plane memory mode: Default
Flow trace status
Flow tracing status: on
Flow tracing options: basic
Flow session distribution
Distribution mode: RR-based
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware
The default forwarding mode is "drop".
Enable IPv6 flow mode on the SRX:
Code:
root@srx-host# set security forwarding-options family inet6 mode ?
Possible completions:
drop Disable forwarding
flow-based Enable flow-based forwarding
packet-based Enable packet-based forwarding
root@srx-host# set security forwarding-options family inet6 mode flow-based
[edit]
root@srx-host# commit and-quit
warning: You have changed inet flow mode.
warning: You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
commit complete
Exiting configuration mode
root@srx-host> request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 2882]
After the reboot, confirm the forwarding mode for IPv6:
Code:
root@srx-host> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: flow based
MPLS forwarding mode: drop
ISO forwarding mode: drop
Advanced services data-plane memory mode: Default
Flow trace status
Flow tracing status: on
Flow tracing options: basic
Flow session distribution
Distribution mode: RR-based
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware
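An added example, not part of the original post: a Python check that parses saved `show security flow status` output and reports any node whose Inet6 forwarding mode is not the expected one, which helps confirm that every cluster node picked up the change after the reboot. The function names and the node1 sample block are constructed for illustration.

```python
import re

# Constructed sample in the format shown on this page (MPLS/ISO lines trimmed).
# The node1 block is invented here to illustrate a cluster node still in "drop".
SAMPLE = """\
node0:
--------------------------------------------------------------------------
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: flow based
node1:
--------------------------------------------------------------------------
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
"""

MODE_RE = re.compile(r"^\s*(Inet6?|MPLS|ISO) forwarding mode:\s*(.+?)\s*$", re.I)
NODE_RE = re.compile(r"^\s*(node\d+):\s*$")

def parse_flow_status(text):
    """Return {node: {family: mode}}; a standalone device uses the key 'local'."""
    nodes, current = {}, "local"
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = MODE_RE.match(line)
        if m:
            nodes.setdefault(current, {})[m.group(1).lower()] = m.group(2).lower()
    return nodes

def audit_inet6(text, expected="flow based"):
    """List nodes whose inet6 mode is missing or differs from the expected mode."""
    parsed = parse_flow_status(text)
    if not parsed:
        return ["no forwarding mode lines found in input"]
    findings = []
    for node, modes in sorted(parsed.items()):
        mode = modes.get("inet6")
        if mode is None:
            findings.append(f"{node}: no Inet6 forwarding mode line found")
        elif mode != expected:
            findings.append(f"{node}: inet6 mode is '{mode}', expected '{expected}'")
    return findings

if __name__ == "__main__":
    for finding in audit_inet6(SAMPLE):
        print(finding)
```

An empty findings list means every node in the captured output reports the expected Inet6 mode; pass a different `expected` string to audit against another mode.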
Confirm IPv6 flows exist in the SRX flow table
Junos refers to IPv6 traffic as the inet6 family, and all commands that differentiate between IPv4 and IPv6 use this family.
Code:
> show security flow session family inet6
Session ID: 6044, Policy name: self-traffic-policy/1, Timeout: 58, Valid
In: fe80::fac0:100:d2:3580/1 --> ff02::5/1;ospf, If: gr-0/0/0.0, Pkts: 28282, Bytes: 2149432
Out: ff02::5/1 --> fe80::fac0:100:d2:3580/1;ospf, If: .local..0, Pkts: 0, Bytes: 0
Total sessions: 1