Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides :: Juniper SRX IPv6 forwarding

Author:

mandrei99 [ Thu Jan 15, 2015 6:13 am ]

Post subject:

Juniper SRX IPv6 forwarding - flow mode or packet mode.

Default to Junos 11.4, 12.1X44, 12.1X45/46 and 47 for Juniper SRX firewalls is to drop Native ipv6 packets because flow mode for IPv6 is set to "drop". SRX can be configured to either forward IPv6 traffic in "flow" mode (stateful firewall) or "packet" mode (stateless - router behavior).

As with ipv4 traffic, SRX can act as stateful or stateless firewall mode: Meaning both packet mode and flow mode Ipv6 can be configured.

Checking ipv6 forwarding mode on SRX

Code:

root@srx-host> show security flow status 
node0:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
  Flow trace status
    Flow tracing status: on
    Flow tracing options: basic 
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

Default forwarding mode is "drop".

Enable IPv6 flow mode in srx:

Code:

root@srx-host# set security forwarding-options family inet6 mode ?
Possible completions:
  drop                 Disable forwarding
  flow-based           Enable flow-based forwarding
  packet-based         Enable packet-based forwarding
root@srx-host# set security forwarding-options family inet6 mode flow-based      
[edit]
root@srx-host# commit and-quit 
warning: You have changed inet flow mode.
warning: You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
commit complete
Exiting configuration mode

root@srx-host> request system reboot 
Reboot the system ? [yes,no] (no) yes 

Shutdown NOW!
[pid 2882]

After reboot, confirm the forwarding mode for ipv6:

Code:

root@srx-host> show security flow status      

  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
  Flow trace status
    Flow tracing status: on
    Flow tracing options: basic 
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

Confirm IPv6 flows exist on SRX flow table

Junos refers to IPv6 traffic as inet6 family and all commands that differentiate between IPv4 and IPv6 use this family.

Code:

> show security flow session family inet6            
Session ID: 6044, Policy name: self-traffic-policy/1, Timeout: 58, Valid
  In: fe80::fac0:100:d2:3580/1 --> ff02::5/1;ospf, If: gr-0/0/0.0, Pkts: 28282, Bytes: 2149432
  Out: ff02::5/1 --> fe80::fac0:100:d2:3580/1;ospf, If: .local..0, Pkts: 0, Bytes: 0
Total sessions: 1

Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides https://forum.ivorde.com/

Juniper SRX IPv6 forwarding - flow mode or packet mode. https://forum.ivorde.com/juniper-srx-ipv6-forwarding-flow-mode-or-packet-mode-t19671.html	Page 1 of 1

Page 1 of 1	All times are UTC - 5 hours [ DST ]
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group http://www.phpbb.com/