Enabling Flow-Based Processing for IPv6 Traffic
By default, the SRX Series or J Series device drops IPv6 traffic. To enable processing by security features such as zones, screens, and firewall policies, you must enable flow-based forwarding for IPv6 traffic.
To enable flow-based forwarding for IPv6 traffic, modify the mode statement at the [edit security forwarding-options family inet6] hierarchy level:
The following example shows the CLI commands you use to configure forwarding for IPv6 traffic.
- Use the set command to change the forwarding
option mode for IPv6 to flow-based.
[edit]
user@host# set security forwarding-options family inet6 mode flow-based - Use the show command to review your configuration.
[edit]
user@host# show security forwarding-optionsfamily { inet6 { mode flow-based; } } - Check your changes to the configuration before
committing.
[edit]
user@host# commit checkwarning: You have enabled/disabled inet6 flow. You must reboot the system for your change to take effect. If you have deployed a cluster, be sure to reboot all nodes. configuration check succeeds
- Commit the configuration.
[edit]
user@host# commitwarning: You have enabled/disabled inet6 flow. You must reboot the system for your change to take effect. If you have deployed a cluster, be sure to reboot all nodes. commit complete
- At an appropriate time, reboot the device.
Table 9 summarizes device status upon forwarding option configuration change.
Table 9: Device Status Upon Configuration Change
Configuration Change | Commit Warning | Reboot Required | Impact on Existing Traffic Before Reboot | Impact on New Traffic Before Reboot |
|---|---|---|---|---|
Drop to flow-based | Yes | Yes | Dropped | Dropped |
Drop to packet-based | No | No | Packet-based | Packet-based |
Flow-based to packet-based | Yes | Yes | None | Flow sessions created |
Flow-based to drop | Yes | Yes | None | Flow sessions created |
Packet-based to flow-based | Yes | Yes | Packet-based | Packet-based |
Packet-based to drop | No | No | Dropped | Dropped |
To process IPv6 traffic, you also need to configure IPv6 addresses for the transit interfaces that receive and forward the traffic. For information on the inet6 protocol family and procedures for configuring IPv6 addresses for interfaces, see the Junos OS Interfaces Configuration Guide for Security Devices.
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Understanding IP Version 6 (IPv6)
- Using Filters to Display IPv6 Session and Flow Information for SRX Series Services Gateways
Hide Navigation Pane
Show Navigation Pane
Download
SHA1