Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Enabling Flow-Based Processing for IPv6 Traffic

 

You have the following options for handling IPv6 traffic:

  • Drop—Do not forward IPv6 packets. This is the default behavior.

  • Packet-based forwarding—Do not create a session and process according to packet-based features only (includes firewall filters and class of service).

  • Flow-based forwarding—Create a session and process according to packet-based features (including firewall filters and class of service) but also flow-based security features, such as screens and firewall security policy.

To enable flow-based processing for IPv6 traffic, modify the mode statement at the [edit security forwarding-options family inet6] hierarchy level:

The following example shows the CLI commands you use to configure forwarding for IPv6 traffic:

[edit]

user@host# set security forwarding-options family inet6 mode ?
[edit]

user@host# set security forwarding-options family inet6 mode flow-based


user@host# show security forwarding-options

If you change the forwarding option mode for IPv6, you might need to perform a reboot to initialize the configuration change. Table 1 summarizes device status upon configuration change.

Table 1: Device Status Upon Configuration Change

Configuration Change

Commit Warning

Reboot Required

Impact on Existing Traffic Before Reboot

Impact on New Traffic Before Reboot

Drop to flow-based

Yes

Yes

Dropped

Dropped

Drop to packet-based

No

No

Packet-based

Packet-based

Flow-based to packet-based

Yes

Yes

None

Flow sessions created

Flow-based to drop

Yes

Yes

None

Flow sessions created

Packet-based to flow-based

Yes

Yes

Packet-based

Packet-based

Packet-based to drop

No

No

Dropped

Dropped