By default, a Juniper SRX Series firewall drops IPv6 traffic. We can see this by running the show security flow status command:
[email protected]_SRX220_Top> show security flow status
node0:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based

node1:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
To allow flow-based or packet-based IPv6 traffic to pass through the SRX, you will need to run the following command:
set security forwarding-options family inet6 mode (flow-based|packet-based)
Once this is committed, you will get a warning explaining that a reboot is needed for the change to be applied:
[email protected]_SRX220_Top# commit
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
After the reboot, we can check that flow-based (or packet-based) IPv6 traffic is passing by running show security flow status again:
[email protected]_SRX220_Top> show security flow status
node0:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based

node1:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
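Because the commit warning says every cluster node must be rebooted, it is worth checking the Inet6 mode per node rather than only on the first one. The following Python script is an added example, not part of the original post: it parses show security flow status output and lists the nodes whose Inet6 forwarding mode is not the expected one. The sample text is constructed (node1 left un-rebooted), and the function names are illustrative.

```python
import re

# Constructed sample: "show security flow status" on a two-node cluster
# where node1 has not been rebooted and still reports "drop" for Inet6.
SAMPLE = """\
node0:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
node1:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
"""

NODE_RE = re.compile(r"^(node\d+):\s*$")
MODE_RE = re.compile(r"^\s*(Inet6?|MPLS|ISO) forwarding mode:\s*(.+?)\s*$")


def parse_flow_status(text):
    """Return {node: {family: mode}}; a non-clustered device is keyed 'standalone'."""
    result, node = {}, "standalone"
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:  # start of a new cluster node section
            node = m.group(1)
            continue
        m = MODE_RE.match(line)
        if m:  # e.g. "Inet6 forwarding mode: drop" -> {"inet6": "drop"}
            result.setdefault(node, {})[m.group(1).lower()] = m.group(2)
    return result


def nodes_not_in_mode(text, family="inet6", expected="flow based"):
    """List nodes whose forwarding mode for `family` differs from `expected`."""
    status = parse_flow_status(text)
    return sorted(n for n, modes in status.items() if modes.get(family) != expected)


if __name__ == "__main__":
    for node, modes in parse_flow_status(SAMPLE).items():
        print(node, modes)
    print("nodes not flow based for inet6:", nodes_not_in_mode(SAMPLE))
```

Pass expected="packet based" if the device was configured with mode packet-based instead.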
Keeran Marquis
Network Engineer
Keeran Marquis is a Network Engineer. His main goal is to learn everything within the Networking field, pick up a little bit of scripting, be a poor man's sysadmin and share whatever he knows! All posts are his own views, opinions and experiences; no guarantees they will work for you, but they should point you in the right direction.
Great site. A lot of helpful information here. I'm sending it to several buddies and also sharing in delicious. And naturally, thank you in your sweat!