
forwarding-options (Security)

23-Sep-20

Syntax

forwarding-options {
family {
inet6 {
mode (drop | flow-based | packet-based);
}
iso {
mode packet-based;
}
mpls {
mode packet-based;
}
mode {
tap {
inspect-pass-through-tunnel {
gre;
ipip;
}
interface [ interface ... ];
}
}
no-allow-dataplane-sleep;
resource-manager {
cpu {
re re;
}
}
interface [ interface ... ];
}
}
}

Hierarchy Level

[edit security]

Release Information

Statement introduced in Junos OS Release 8.5.

secure-wire option introduced in Junos OS Release 19.3R1.

resource-manager option introduced in Junos OS Release 19.4R1 for vSRX.

mode option introduced in Junos OS Release 20.1R1.

no-allow-dataplane-sleep option introduced in Junos OS Release 20.3R1 for vSRX 3.0.

Description

Determine how the inet6, iso, and mpls protocol families manage security forwarding options.

Note
  • Packet-based processing is not supported on the following SRX Series devices: SRX5400, SRX5600, and SRX5800.

  • On SRX Series devices, the default mode for processing traffic is flow mode. You can configure SRX Series devices to operate in packet mode to process MPLS packets.

    To configure packet mode on an SRX Series device, use the following command:

    user@host# set security forwarding-options family mpls mode packet-based

    Selective stateless packet-based services allow you to configure the device to provide only packet-based processing for selected traffic based on input filter terms.

  • Starting in Junos OS Release 20.3R1, you can enable or disable dataplane sleep using the option no-allow-dataplane-sleep.

Options

mode: Specify TAP mode.
inspect-pass-through-tunnel: Specify TAP mode to inspect pass-through IP-IP or GRE tunnels.
interface: Specify the TAP mode interface name. You can configure up to eight TAP interfaces.
no-allow-dataplane-sleep: Disable dataplane sleep by configuring this option. To enable sleep on the dataplane, delete this configuration.
resource-manager: Display the forwarding options status and the CPU and memory allocated for the advanced services, and verify the vCPU allocation between Routing Engine and flow RT threads.
secure-wire: Specify a name for the secure wire interface mapping.
interface-name-1 interface-name-2: Specify a pair of peer logical interfaces that constitutes the secure wire mapping.

The remaining statements are explained separately. See CLI Explorer.
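
The constraints stated in the Syntax, Note, and Options sections above (allowed mode per family, no packet-based processing on SRX5400, SRX5600, and SRX5800, at most eight TAP interfaces) can be checked against a set-style configuration before commit. The following Python is an added example, not Juniper code; the audit function, its model argument, the sample configuration, and the set-form path "mode tap interface <name>" are assumptions made for illustration.

```python
import re

# Constraints taken from the Syntax, Note and Options sections of this page.
ALLOWED_MODES = {
    "inet6": {"drop", "flow-based", "packet-based"},
    "iso": {"packet-based"}, "mpls": {"packet-based"},
}
NO_PACKET_MODE_MODELS = {"SRX5400", "SRX5600", "SRX5800"}
MAX_TAP_INTERFACES = 8

PREFIX = "set security forwarding-options "
FAMILY_RE = re.compile(r"family (\S+) mode (\S+)$")
# Assumption: TAP interfaces appear as "mode tap interface <name>" in set form.
TAP_RE = re.compile(r"mode tap interface (\S+)$")

def audit(config_text, model):
    """Return a list of findings for set-style forwarding-options lines."""
    findings, tap_ifaces = [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue  # only the [edit security forwarding-options] hierarchy is checked
        stmt = line[len(PREFIX):]
        fam = FAMILY_RE.match(stmt)
        if fam:
            family, mode = fam.groups()
            if family not in ALLOWED_MODES:
                findings.append(f"family {family}: not listed in the Syntax section")
            elif mode not in ALLOWED_MODES[family]:
                findings.append(f"family {family}: mode {mode} not allowed")
            elif mode == "packet-based" and model.upper() in NO_PACKET_MODE_MODELS:
                findings.append(f"family {family}: packet-based not supported on {model}")
            continue
        tap = TAP_RE.match(stmt)
        if tap:
            tap_ifaces.add(tap.group(1))  # a set, so repeated lines count once
    if len(tap_ifaces) > MAX_TAP_INTERFACES:
        findings.append(f"{len(tap_ifaces)} TAP interfaces configured, limit is {MAX_TAP_INTERFACES}")
    return findings

# Constructed sample configuration (not from a real device).
SAMPLE = """\
set security forwarding-options family mpls mode packet-based
set security forwarding-options family iso mode flow-based
set security forwarding-options family inet6 mode drop
""" + "".join(f"set security forwarding-options mode tap interface ge-0/0/{i}\n" for i in range(9))

if __name__ == "__main__":
    print(audit(SAMPLE, "SRX5600"))
```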

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.
