JUNOS software with enhanced services implements flow-based security and services with packet-based application of filters, policers, traffic shapers and other classification features.
Each packet is processed in the context of its flow state, or session. The first packet in the flow is used to create its state. Decisions made for the first packet of a session are stored and applied to following packets of the same flow. When a packet enters the router, the flow-based Forwarding Engine attempts to match it against an existing session, based on its source and destination IP addresses and ports, its protocol, and its other session information.
If the packet matches an existing session, it is processed according to that flow's session features, security policies, Network Address Translation (NAT), screens, application layer gateways (ALGs), VPNs, and other features applicable to the flow. If the packet does not match an existing session, the Forwarding Engine creates a new one for it. Because it maintains the state of each flow, the router can enable collaboration among sessions (for example, for conferencing).
The router's flow-based Forwarding Engine is complemented by packet-based forwarding features that are applied at the inbound (ingress) and outbound (egress) interfaces. When a packet arrives at an ingress interface on the router, the flow-based Forwarding Engine determines the outgoing interface for the packet and identifies any policers and stateless filters to be applied to the packet. These policers and stateless filters are applied to the packet before it is handled by flow processing. Before a packet leaves the router, filters and traffic shapers are applied to it.
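
The following is an added illustration, not Juniper code: a simplified Python model of the order described above, in which a stateless ingress filter sees every packet and the policy decision is made only for the first packet of a flow and then reused. The class name, the rules, and the sample packets are constructed for the example, and storing only permitted flows is a modelling choice of the example.

```python
from collections import namedtuple

# Constructed packet model: the match fields the page names, plus a size.
Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port proto size")

class FlowEngine:
    """Toy pipeline: stateless ingress filter, then session lookup."""

    def __init__(self, policy, ingress_filter):
        self.policy = policy                  # consulted for first packets only
        self.ingress_filter = ingress_filter  # stateless, sees every packet
        self.sessions = {}                    # flow key -> stored decision
        self.policy_lookups = 0

    def process(self, pkt):
        # Packet-based stage runs before flow processing.
        if not self.ingress_filter(pkt):
            return "filter-drop"
        key = pkt[:5]  # src/dst address, src/dst port, protocol
        if key in self.sessions:
            return self.sessions[key] + " (session hit)"
        # No session yet: decide once and store the result for the flow.
        self.policy_lookups += 1
        action = self.policy(pkt)
        if action == "permit":  # modelling choice: only permitted flows are stored
            self.sessions[key] = action
        return action + " (first packet)"

def demo():
    # Hypothetical rules: permit TCP/443 only; filter drops frames over 1500 bytes.
    engine = FlowEngine(
        policy=lambda p: "permit" if (p.proto, p.dst_port) == ("tcp", 443) else "deny",
        ingress_filter=lambda p: p.size <= 1500,
    )
    web = ("10.0.0.5", "192.0.2.10", 40000, 443, "tcp")
    packets = [
        Packet(*web, 60),       # first packet of the flow
        Packet(*web, 1200),     # same flow, matched against the session
        Packet(*web, 9000),     # same flow, but fails the stateless filter
        Packet("10.0.0.5", "192.0.2.10", 40001, 23, "tcp", 60),  # new flow, denied
    ]
    return [engine.process(p) for p in packets], engine.policy_lookups

if __name__ == "__main__":
    results, lookups = demo()
    for line in results:
        print(line)
    print("policy lookups:", lookups)
```

The third packet belongs to an already permitted session but is still dropped, because the stateless filter runs per packet ahead of the session lookup; the policy itself is consulted only twice for four packets.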