Understanding Selective Stateless Packet-Based Services

By default, J Series and SRX Series devices running JUNOS Software use flow-based forwarding. You can change the context in which your device is running from secure context (using flow-based forwarding) to router context (using packet-based forwarding) by using a predefined template configuration file. Switching between secure and router contexts does allow you both packet-based and flow-based forwarding, but you have to choose one or the other forwarding mode.

Selective stateless packet-based services allow you to have both flow-based and packet-based services simultaneously on a system. This is achieved by configuring stateless firewall filters (ACLs) that allow you to bypass flow-based (stateful) forwarding. Bypassing flow-based forwarding is useful for deployments where you explicitly want to avoid flow session-scaling constraints.

Figure 14 shows traffic flow with selective stateless packet-based services bypassing flow-based processing.

Figure 14: Traffic Flow with Selective Stateless Packet-Based Services

When the packet comes in on an interface, the input packet filters configured on the interface are applied.

• If the packet matches the conditions specified in the firewall filter, a packet-mode action modifier is set to the packet. The packet-mode action modifier updates a bit field in the packet key buffer—this bit field is used to determine if the flow-based forwarding needs to be bypassed. As a result, the packet with the packet-mode action modifier bypasses the flow-based forwarding completely. The egress interface for the packet is determined via a route lookup. Once the egress interface for the packet is found, filters are applied and the packet is sent to the egress interface where it is queued and scheduled for transmission.
• If the packet does not match the conditions specified in this filter term, it is evaluated against other terms configured in the filter. If, after all terms are evaluated, a packet matches no terms in a filter, the packet is silently discarded. To prevent packets from being discarded, you configure a term in the filter specifying an action to accept all packets.

Packets arriving on interfaces where you have not applied the firewall filter will follow the default flow-based forwarding option.

A defined set of stateless services is available with selective stateless packet-based services:

• IPv4 and IPv6 Routing (unicast and multicast protocols)
• Class of service (CoS)
• Link fragmentation and interleaving (LFI)
• Generic routing encapsulation (GRE)
• Layer 2 Switching
• Multiprotocol Label Switching (MPLS)
• Stateless firewall filters
• Compressed Real-Time Transport Protocol (CRTP)

The following security features are not supported with selective stateless packet-based services—stateful firewall NAT, IPsec VPN, DOS screens, J-flow traffic analysis, WXC integrated security module, security policies, zones, attack detection and prevention, PKI, ALGs, and chassis cluster.

Related Topics

• Understanding Secure and Router Contexts
• Understanding Packet-Based and Flow-Based Forwarding