
Flow-Based Processing

A packet undergoes flow-based processing after any packet-based filters and policers have been applied to it.

Figure 1 shows an architectural overview of traffic flow in a Services Router running JUNOS software. See Figure 3 to follow the path of the traffic as it passes through the Flow services module.

Figure 1: Traffic Flow for Flow-Based Processing


A flow is a stream of related packets that meet the same matching criteria and share the same characteristics. JUNOS software treats packets belonging to the same flow in the same manner.

Configuration settings that determine the fate of a packet are assessed for the first packet of a flow. These settings include the security policy that applies to the packet, whether the packet is sent through an IPsec tunnel, whether it requires an Application Layer Gateway (ALG), and whether Network Address Translation (NAT) is applied to translate the packet's address. The settings are then applied to the rest of the packets in the flow.

To determine if a packet belongs to an existing flow, the router attempts to match the packet's information to that of an existing flow based on the following six match criteria:

If the packet matches an existing flow, processing for the packet is assessed in the context of its flow state, which is maintained by the flow's session. If it does not match the session for an existing flow, the packet is used to create a flow state and a session is allocated for it.
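The lookup described above, sketched as an added Python example (not Juniper code and not part of the original page). The six key fields, the rules in `first_path`, and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, NamedTuple, Optional

class FlowKey(NamedTuple):
    """Lookup key; these six fields are assumed for illustration."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    zone_token: int

@dataclass
class Session:
    """Decisions made for the first packet, reused for the rest of the flow."""
    use_ipsec: bool
    alg: Optional[str]
    nat_src: Optional[str]
    packets: int = 0

def first_path(key: FlowKey) -> Session:
    """Hypothetical first-packet evaluation (constructed rules and addresses)."""
    tunnel = ipaddress.ip_address(key.dst_ip) in ipaddress.ip_network("10.2.0.0/16")
    alg = "ftp" if (key.protocol, key.dst_port) == ("tcp", 21) else None
    nat_src = None if tunnel else "203.0.113.1"
    return Session(use_ipsec=tunnel, alg=alg, nat_src=nat_src)

class FlowTable:
    def __init__(self, evaluate: Callable[[FlowKey], Session] = first_path):
        self.evaluate = evaluate
        self.sessions: Dict[FlowKey, Session] = {}
        self.first_path_runs = 0

    def process(self, key: FlowKey) -> Session:
        session = self.sessions.get(key)
        if session is None:              # no existing flow: allocate a session
            self.first_path_runs += 1
            session = self.evaluate(key)
            self.sessions[key] = session
        session.packets += 1             # existing flow: reuse cached settings
        return session

def demo() -> FlowTable:
    table = FlowTable()
    web = FlowKey("192.168.1.10", "198.51.100.7", 40000, 443, "tcp", 1)
    ftp = FlowKey("192.168.1.10", "10.2.0.5", 40001, 21, "tcp", 1)
    for key in (web, web, ftp, web):     # constructed packet sequence
        table.process(key)
    return table
```

Four packets produce only two first-packet evaluations; the remaining packets are handled from the session state already stored for their flow.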

