Understanding Selective Stateless Packet-Based Services
By default, J Series and SRX Series devices running Junos OS use flow-based forwarding. Selective stateless packet-based services allow you to have both flow-based and packet-based services simultaneously on a system. This is achieved by configuring stateless firewall filters (ACLs) that allow you to bypass flow-based (stateful) forwarding. Bypassing flow-based forwarding is useful for deployments where you explicitly want to avoid flow session-scaling constraints.
Figure 20 shows traffic flow with selective stateless packet-based services bypassing flow-based processing.
Figure 20: Traffic Flow with Selective Stateless Packet-Based Services

When the packet comes in on an interface, the input packet filters configured on the interface are applied.
- If the packet matches the conditions specified in the firewall filter, a packet-mode action modifier is set on the packet. The packet-mode action modifier updates a bit field in the packet key buffer—this bit field is used to determine whether flow-based forwarding needs to be bypassed. As a result, the packet with the packet-mode action modifier bypasses flow-based forwarding completely. The egress interface for the packet is determined by a route lookup. Once the egress interface for the packet is found, output filters are applied and the packet is sent to the egress interface, where it is queued and scheduled for transmission.
- If the packet does not match the conditions specified in this filter term, it is evaluated against other terms configured in the filter. If, after all terms are evaluated, a packet matches no terms in a filter, the packet is silently discarded. To prevent packets from being discarded, you configure a term in the filter specifying an action to accept all packets.
Packets arriving on interfaces where you have not applied the firewall filter will follow the default flow-based forwarding option.
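The filter structure described above, written out as an added Junos configuration example (not taken from the original page; the interface name and the 10.1.1.0/24 and 10.2.1.0/24 prefixes are constructed placeholders). The first term sets the packet-mode action modifier for the selected traffic; the final catch-all accept term is what prevents everything else from being silently discarded:

```junos
firewall {
    family inet {
        filter bypass-flow-filter {
            /* Selected traffic: mark with packet-mode so it skips stateful flow processing */
            term bypass-flow {
                from {
                    source-address {
                        10.1.1.0/24;     /* constructed example prefix */
                    }
                    destination-address {
                        10.2.1.0/24;     /* constructed example prefix */
                    }
                }
                then {
                    packet-mode;
                    accept;
                }
            }
            /* Everything else: accept so it falls through to default flow-based forwarding.
               Without this term, non-matching packets are silently discarded. */
            term accept-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {                           /* constructed example interface */
        unit 0 {
            family inet {
                filter {
                    input bypass-flow-filter;
                }
                address 10.1.1.1/24;
            }
        }
    }
}
```

Packets that match `bypass-flow` are forwarded by route lookup only, so none of the flow-based features listed below (security policies, zones, NAT, screens) apply to them; confirm that this is intended for the selected prefixes before committing.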
A defined set of stateless services is available with selective stateless packet-based services:
- IPv4 and IPv6 Routing (unicast and multicast protocols)
- Class of service (CoS)
- Link fragmentation and interleaving (LFI)
- Generic routing encapsulation (GRE)
- Layer 2 Switching
- Multiprotocol Label Switching (MPLS)
- Stateless firewall filters
- Compressed Real-Time Transport Protocol (CRTP)
The following security features are not supported with selective stateless packet-based services—stateful firewall, NAT, IPsec VPN, DOS screens, J-Flow traffic analysis, WXC integrated security module, security policies, zones, attack detection and prevention, PKI, ALGs, and chassis cluster.