IPv6, Juniper, Networking, Routing, Security

How to enable IPv6 flow (or packet) mode on SRX

1 Comment

By default IPv6 traffic is dropped by Juniper SRX Series firewall. We can see this by running show security flow status command

[email protected]_SRX220_Top> show security flow status 
node0:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based

node1:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based

To allow flow or packet based traffic to pass through the SRX you will need run the command:

set security forwarding-options family inet6 mode (flow-based|packet-based)

Once this is committed you will get a warning explaining a reboot is needed for the change to be applied.

[email protected]_SRX220_Top# commit 
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.

After the reboot, we can check that flow (or packet) based IPv6 traffic is passing by checking the show security flow status

[email protected]_SRX220_Top> show security flow status                
node0:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based

node1:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
The following two tabs change content below.
My Twitter profileMy LinkedIn profileMy Instagram profile

Keeran Marquis

Network Engineer
Keeran Marquis is a Network Engineer. His main goal is to learn everything within the Networking field, pick up a little bit of scripting, be a poor man sysadmin and share whatever he knows! All Posts are his own views, opinions and experiences, no guarantees they will work for you but point you in the right direction šŸ™‚
Share this:
Share

One thought on “How to enable IPv6 flow (or packet) mode on SRX”

  1. iptv

    Great site. A lot of helpful information here. Iā€™m sending it to several buddies ans also sharing in delicious. And naturally, thank you in your sweat!

    Reply »

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.