SRX packet mode

JunOS can have two modes which are Flow and Packet mode in the following devices;

  • J-series services routers (I think after 9.3 version). This is also called junos enhanced services (junos-es)
  • SRX security devices

In default configuration SRX devices work in flow mode by which security policies are in place and unless otherwise allowed, packets are dropped i.e it works as a firewall device. What if you want to configure SRX as a router only device for this you should change from flow mode to packet mode as below.

root@srx# show security forwarding-options 
family {
    mpls {
        mode packet-based;
    }
}

or as SET command

#set security forwarding-options family mpls mode packet-based

For this config to commit properly, you must deactive/remove security policies otherwise you will receive the following warning;

root@host# show
##
## Warning: MPLS mode packet-based not allowed when [security policies] are configured.
##
mpls {
   mode packet-based;
}

Commit the config and reboot the device as this is required

#commit
>request system reboot

To check the flow mode after the reboot;

root@srx> show security flow status 
  Flow forwarding mode:
    Inet forwarding mode: packet based  <<<<<<--Now we are working as a router
    Inet6 forwarding mode: drop
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

Have a nice packet mode!

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


8 thoughts on “SRX packet mode”

  1. Thanks for this, nice post. The ‘set security forwarding-options family mpls mode packet-based’ command was just what I needed to get my solution working. I needed to strip out all the Firewall services on the SRX and just be a ‘router’.

  2. Hi all, firefly-perimeter JUNOS Software Release [12.1X46-D10.2] “mpls mode packet-based” working incorrectly, if you delete interface or create new you will see warning “you have changed flow mode and you must reboot to take effect”.

    1. Hi Arsen,
      that is a known bug. It will be fixed but you should check new release notes to see on which one it is fixed.

  3. Thank you, I’ve fixed this problem, using security zones:
    security {
    zones {
    security-zone accept_all {
    interfaces {
    all {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    }
    }
    Do you know more brief decision?

    1. Hi,
      You shouldn’t be allowing every service,zones in all interfaces. If it is for a test no problem. If not better to wait for the fixed release as I am not aware of any workaround yet.

      1. Hi,

        Nice post.
        One question here come to me. Once we turn SRX to packet / Router mode , Can we use SRX as Virtual chassis ?

        Many THanks,

        Brju

        1. By virtual chassis, if you mean chassis cluster then no. There isn’t much point to have it in packet mode.Instead you can use VRRP

Leave a Reply to ArsenCancel reply

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading