SRX packet mode
Junos can run in one of two forwarding modes, flow mode and packet mode, on the following devices:
- J-series services routers (I think after version 9.3). This is also called Junos enhanced services (junos-es)
- SRX security devices
In the default configuration, SRX devices work in flow mode: security policies are in place and packets are dropped unless explicitly allowed, i.e. the device works as a firewall. If you want the SRX to act as a router-only device instead, you have to change from flow mode to packet mode as below. Keep in mind that in packet mode the security policies no longer apply, so the device forwards traffic as a plain router would.
root@srx# show security forwarding-options
family {
    mpls {
        mode packet-based;
    }
}
or as a set command:
#set security forwarding-options family mpls mode packet-based
For this config to commit properly, you must deactivate or remove the security policies; otherwise you will receive the following warning:
root@host# show
##
## Warning: MPLS mode packet-based not allowed when [security policies] are configured.
##
mpls {
    mode packet-based;
}
Commit the config and reboot the device; the reboot is required for the mode change to take effect.
#commit
>request system reboot
To check the forwarding mode after the reboot:
root@srx> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: packet based <<<<<<--Now we are working as a router
    Inet6 forwarding mode: drop
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware
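A check for the status output above, as an added example that is not part of the original post: the script parses `show security flow status` text and reports every address family whose forwarding mode differs from the intended one. That catches a firewall left in packet mode as well as a mode change that was committed but never rebooted. The sample text is constructed from the output shown above, and the `flow based` value used in the usage lines is an assumption about what a device in flow mode reports.

```python
import re

# Constructed sample in the shape of the output shown above
# (not captured from a live device).
SAMPLE = """\
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
"""

# Matches the per-family lines only; the "Flow forwarding mode:" header is skipped.
MODE_LINE = re.compile(r"^\s*(Inet6?|MPLS|ISO) forwarding mode:\s*(.+?)\s*$", re.I)


def parse_forwarding_modes(text):
    """Return {family: mode} parsed from 'show security flow status' output."""
    modes = {}
    for line in text.splitlines():
        # Drop hand-written annotations such as '<<<<--note' pasted into the output.
        line = line.split("<<", 1)[0]
        m = MODE_LINE.match(line)
        if m:
            modes[m.group(1).lower()] = m.group(2).lower()
    return modes


def audit(text, expected):
    """Compare reported modes with the intended ones; return a list of findings."""
    modes = parse_forwarding_modes(text)
    findings = []
    for family, want in expected.items():
        got = modes.get(family)
        if got is None:
            findings.append(f"{family}: mode not reported")
        elif got != want:
            findings.append(f"{family}: expected '{want}', device reports '{got}'")
    return findings


if __name__ == "__main__":
    # Assumed policy: this device is supposed to be a firewall (flow mode) for IPv4.
    for finding in audit(SAMPLE, {"inet": "flow based"}):
        print("MISMATCH", finding)
```
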
Have a nice packet mode!
I’m starting to really like this blog! You make configuring packet mode seem so simple. Great work!
Thanks for this, nice post. The ‘set security forwarding-options family mpls mode packet-based’ command was just what I needed to get my solution working. I needed to strip out all the Firewall services on the SRX and just be a ‘router’.
Hi all, on firefly-perimeter JUNOS Software Release [12.1X46-D10.2], “mpls mode packet-based” is working incorrectly: if you delete an interface or create a new one, you will see the warning “you have changed flow mode and you must reboot to take effect”.
Hi Arsen,
That is a known bug. It will be fixed, but you should check the new release notes to see in which release it is fixed.
Thank you, I’ve fixed this problem, using security zones:
security {
    zones {
        security-zone accept_all {
            interfaces {
                all {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
Do you know a more concise solution?
Hi,
You shouldn’t be allowing every service, zones in all interfaces. If it is for a test, no problem. If not, better to wait for the fixed release, as I am not aware of any workaround yet.
Hi,
Nice post.
One question comes to me here. Once we turn the SRX to packet/router mode, can we use the SRX as a virtual chassis?
Many thanks,
Brju
By virtual chassis, if you mean chassis cluster, then no. There isn’t much point in having it in packet mode. Instead you can use VRRP.