
Packet-Based Forwarding

24-May-24

An SRX Series Firewall operates in one of two modes: packet mode and flow mode. In flow mode, the SRX processes all traffic by analyzing the state or session of the traffic; this is also called stateful processing. In packet mode, the SRX processes traffic on a per-packet basis; this is also known as stateless processing.

Understanding Packet-Based Processing

Packets that enter and exit a Juniper Networks device running Junos OS can undergo packet-based processing. Packet-based, or stateless, packet processing treats packets discretely: each packet is assessed individually for treatment. Stateless packet-based forwarding is performed on a packet-by-packet basis without regard to flow or state information.

Figure 1 shows the traffic flow for packet-based forwarding.

Figure 1: Traffic Flow for Packet-Based Forwarding

As packets enter the device, classifiers, filters, and policers are applied to each packet. Next, the egress interface for the packet is determined through a route lookup. Once the egress interface for the packet is found, filters are applied and the packet is sent to the egress interface, where it is queued and scheduled for transmission.

Packet-based forwarding does not require any information about either previous or subsequent packets that belong to a given connection, and any decision to allow or deny traffic is packet specific. This architecture has the benefit of massive scaling because it forwards packets without keeping track of individual flows or state.

Starting with Junos OS Release 15.1X49-D100, for the SRX100, SRX110, SRX210, SRX220, SRX240, SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX650, the maximum capture size for packet captures is expanded to 1520 bytes to allow for captures of 1500 bytes of data and the 12-byte Juniper Ethernet header.

Understanding Selective Stateless Packet-Based Services

Selective stateless packet-based services allow you to use both flow-based and packet-based forwarding simultaneously on a system. You can selectively direct traffic that requires packet-based, stateless forwarding to avoid stateful flow-based forwarding by using stateless firewall filters, also known as access control lists (ACLs). The traffic not so directed follows the default flow-based forwarding path. Bypassing flow-based forwarding can be useful for traffic for which you explicitly want to avoid flow session-scaling constraints.

By default, Juniper Networks security devices running Junos OS use flow-based forwarding. Selective stateless packet-based services allow you to configure the device to provide only packet-based processing for selected traffic, based on input filter terms. Other traffic is processed for flow-based forwarding. Bypassing flow-based forwarding is useful for deployments where you want to avoid session-scaling constraints and session creation and maintenance costs.

When you configure the device for selective stateless packet-based processing, packets entering the system are treated differently depending on certain conditions:

  • If a packet satisfies matching conditions specified in input filter terms, it is marked for packet mode and all configured packet mode features are applied to it. No flow-based security features are applied. It bypasses them.

  • If a packet has not been flagged for packet-mode, it undergoes normal processing. All services except for MPLS can be applied to this traffic.

Figure 2 shows traffic flow with selective stateless packet-based services bypassing flow-based processing.

Figure 2: Traffic Flow with Selective Stateless Packet-Based Services

When the packet comes in on an interface, the input packet filters configured on the interface are applied.

  • If the packet matches the conditions specified in the firewall filter, a packet-mode action modifier is set on the packet. The packet-mode action modifier updates a bit field in the packet key buffer—this bit field is used to determine whether flow-based forwarding needs to be bypassed. As a result, the packet with the packet-mode action modifier bypasses flow-based forwarding completely. The egress interface for the packet is determined through a route lookup. Once the egress interface for the packet is found, filters are applied and the packet is sent to the egress interface, where it is queued and scheduled for transmission.

  • If the packet does not match the conditions specified in this filter term, it is evaluated against other terms configured in the filter. If, after all terms are evaluated, a packet matches no terms in a filter, the packet is silently discarded. To prevent packets from being discarded, you configure a term in the filter specifying an action to accept all packets.

A defined set of stateless services is available with selective stateless packet-based services:

  • IPv4/IPv6 routing (unicast and multicast protocols)

  • Class of service (CoS)

  • Link fragmentation and interleaving (LFI)

  • Generic routing encapsulation (GRE)

  • Layer 2 switching

  • Multiprotocol Label Switching (MPLS)

  • Stateless firewall filters

  • Compressed Real-Time Transport Protocol (CRTP)

Although traffic requiring MPLS services must be processed in packet mode, under some circumstances it might be necessary to concurrently apply certain services to this traffic that can only be provided in flow mode, such as stateful inspection, NAT, and IPsec. To direct the system to process traffic in both flow and packet modes, you must configure multiple routing instances connected through a tunnel interface. One routing instance must be configured to process the packets in flow mode and the other routing instance must be configured to process the packets in packet mode. When you use a tunnel interface to connect routing instances, traffic between those routing instances is injected again into the forwarding path and it can then be reprocessed using a different forwarding method.

Selective Stateless Packet-Based Services Configuration Overview

This feature is supported on SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, and vSRX Virtual Firewall devices. You configure selective stateless packet-based services using the stateless firewall filters, also known as access control lists (ACLs). You classify traffic for packet-based forwarding by specifying match conditions in the firewall filters and configure a packet-mode action modifier to specify the action. Once match conditions and actions are defined, firewall filters are applied to relevant interfaces.

To configure a firewall filter:

  1. Define the address family—First define the address family of the packets that a firewall filter matches. To define the family name, specify inet to filter IPv4/IPv6 packets. Specify mpls to filter MPLS packets. Specify ccc to filter Layer 2 switching cross-connects.
  2. Define terms—Define one or more terms that specify the filtering criteria and the action to take if a match occurs. Each term consists of two components—match conditions and actions.
    • Match conditions—Specify certain characteristics that the packet must match for the action to be performed. You can define various match conditions, such as the IP source address field, IP destination address field, and IP protocol field.

    • Action—Specify what is to be done with the packet if it matches the match conditions. Possible actions are to accept, discard, or reject a packet; go to the next term; or take no action.

      You can specify only one action (or omit it) in a term, but you can specify any combination of action modifiers with it. Action modifiers include a default accept action. For example, if you specify an action modifier and do not specify an action, the specified action modifier is implemented and the packet is accepted.

      The packet-mode action modifier specifies traffic to bypass flow-based forwarding. Like other action modifiers, you can configure the packet-mode action modifier along with other actions, such as accept or count.

  3. Apply firewall filters to interfaces—Apply the firewall filter to the interface to have the firewall filter take effect.

When the packet comes in on an interface, the input packet filters configured on the interface are applied. If the packet matches the specified conditions and packet-mode action is configured, the packet bypasses the flow-based forwarding completely.

When configuring filters, be mindful of the order of the terms within the firewall filter. Packets are tested against each term in the order in which it is listed in the configuration. When the first matching conditions are found, the action associated with that term is applied to the packet and the evaluation of the firewall filter ends, unless the next term action modifier is included. If the next term action is included, the matching packet is then evaluated against the next term in the firewall filter; otherwise, the matching packet is not evaluated against subsequent terms in the firewall filter.

When configuring firewall filters for selective stateless packet-based services:

  • Accurately identify traffic that needs to bypass flow to avoid unnecessary packet drops.

  • Make sure to apply the firewall filter with packet-mode action on all interfaces involved in the packet-based flow path.

  • Make sure to configure host-bound TCP traffic to use flow-based forwarding—exclude this traffic when specifying match conditions for the firewall filter term containing the packet-mode action modifier. Any host-bound TCP traffic configured to bypass flow is dropped. Asynchronous flow-mode processing is not supported with selective stateless packet-based services.

  • Configure input packet filters (not output) with the packet-mode action modifier.

Note:

Nested firewall filters (configuring a filter within the term of another filter) are not supported with selective stateless packet-based services.
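To make the term-evaluation rules above concrete, here is a small Python model (added for this edit, not Juniper code) that walks a filter's terms the way the text describes: first match ends evaluation unless its action is next-term, a modifier without an action implies accept, the packet-mode modifier sets the bypass bit, and a packet matching no term is silently discarded. It applies this to the bypass-flow-filter from the end-to-end example later on this page and adds a hypothetical config check for the host-bound TCP caveat; the Term/Packet/Verdict classes, the guard terms, and the R1 address list are constructed for illustration.

```python
"""Toy model of Junos stateless firewall filter evaluation (added illustration,
not Juniper code): terms tested in order, first match ends evaluation unless
its action is next-term, a modifier without an action implies accept, the
packet-mode modifier sets a bypass bit, and no match means silent discard."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Term:
    name: str
    source: Optional[str] = None       # prefix to match, None = any source
    destination: Optional[str] = None  # prefix to match, None = any destination
    protocol: Optional[str] = None     # "tcp", "icmp", ... or None = any
    action: Optional[str] = None       # accept | discard | reject | next-term | None
    packet_mode: bool = False          # the packet-mode action modifier


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "icmp"


@dataclass
class Verdict:
    action: str                        # accept | discard | reject
    packet_mode: bool = False          # bit in the modelled packet key buffer
    matched_terms: List[str] = field(default_factory=list)


def term_matches(term: Term, pkt: Packet) -> bool:
    """All configured match conditions of a term must hold (logical AND)."""
    if term.source and ip_address(pkt.src) not in ip_network(term.source):
        return False
    if term.destination and ip_address(pkt.dst) not in ip_network(term.destination):
        return False
    if term.protocol and term.protocol != pkt.protocol:
        return False
    return True


def evaluate(terms: List[Term], pkt: Packet) -> Verdict:
    """Walk the filter in order; implicit discard if no term matches."""
    verdict = Verdict(action="discard")
    for term in terms:
        if not term_matches(term, pkt):
            continue
        verdict.matched_terms.append(term.name)
        if term.packet_mode:
            verdict.packet_mode = True   # bypass bit set; later terms cannot clear it
        if term.action == "next-term":
            continue                     # keep evaluating subsequent terms
        verdict.action = term.action or "accept"   # modifier only => accept
        return verdict
    return verdict


def forwarding_path(verdict: Verdict) -> str:
    """Where an accepted packet goes: packet mode bypasses flow, else flow mode."""
    if verdict.action != "accept":
        return "dropped"
    return "packet-mode" if verdict.packet_mode else "flow-mode"


def host_bound_tcp_bypass(terms: List[Term], device_addresses: List[str]) -> List[Tuple[str, str]]:
    """Config check for the caveat above: host-bound TCP marked packet-mode is
    dropped.  For every packet-mode term, probe a TCP packet from a representative
    source (first host of the term's source prefix, or 0.0.0.0 for any-source
    terms) to each device address; report (address, term) pairs left in packet mode."""
    findings = set()
    for addr in device_addresses:
        for term in terms:
            if not term.packet_mode:
                continue
            src = str(next(ip_network(term.source).hosts())) if term.source else "0.0.0.0"
            verdict = evaluate(terms, Packet(src, addr, "tcp"))
            if verdict.action == "accept" and verdict.packet_mode:
                findings.add((addr, term.name))
    return sorted(findings)


# The bypass-flow-filter from the end-to-end example on this page.
BYPASS_FLOW_FILTER = [
    Term("bypass-flow-term-1", source="10.1.1.0/24", destination="10.2.1.0/24", packet_mode=True),
    Term("bypass-flow-term-2", source="10.2.1.0/24", destination="10.1.1.0/24", packet_mode=True),
    Term("accept-rest", action="accept"),
]

# R1's own interface addresses from that example (targets of host-bound traffic).
R1_ADDRESSES = ["10.1.1.1", "10.2.1.1", "203.0.113.1"]

# Hypothetical hardened variant: accept TCP to R1's internal addresses in terms
# placed before the packet-mode terms, so that traffic stays in flow mode.
GUARDED_FILTER = [
    Term("host-tcp-internal-1", destination="10.1.1.1/32", protocol="tcp", action="accept"),
    Term("host-tcp-internal-2", destination="10.2.1.1/32", protocol="tcp", action="accept"),
] + BYPASS_FLOW_FILTER

if __name__ == "__main__":
    print("host-bound TCP at risk:", host_bound_tcp_bypass(BYPASS_FLOW_FILTER, R1_ADDRESSES))
    print("after guard terms:", host_bound_tcp_bypass(GUARDED_FILTER, R1_ADDRESSES))
```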

Some typical deployment scenarios where you can configure selective stateless packet-based services are as follows:

  • Traffic flow between private LAN and WAN interfaces, such as for Intranet traffic, where end-to-end forwarding is packet-based

  • Traffic flow between private LAN and not-so-secure WAN interfaces, where traffic uses packet-based and flow-based forwarding for secure and not so secure traffic respectively

  • Traffic flow between the private LAN and WAN interface with failover to flow-based IPsec WAN when the private WAN link is down

  • Traffic flow from flow-based LAN to packet-based MPLS WAN

Example: Configuring Selective Stateless Packet-Based Services for End-to-End Packet-Based Forwarding

This example shows how to configure selective stateless packet-based services for end-to-end packet-based forwarding. This feature is supported on the SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, and vSRX Virtual Firewall devices.

Requirements

Before you begin:

  • Understand how to configure stateless firewall filters.

  • Establish basic connectivity.

Overview

In this example, you configure the IP addresses for the interfaces on each of the devices. For R0 it is 10.1.1.2/24; for R1 they are 10.1.1.1/24, 10.2.1.1/24, and 203.0.113.1/30; for R2 it is 203.0.113.2/30; and for R3 it is 10.2.1.2/24. You create static routes and associate next-hop addresses for the devices as follows: R0 is 10.1.1.2, R1 is 198.51.100.2, R2 is 203.0.113.1, and R3 is 10.2.1.1.

Then on device R1 you configure a zone called untrust and assign it to interface ge-0/0/3. You also create a zone called trust and assign interfaces ge-0/0/1 and ge-0/0/2 to it. You configure trust and untrust zones to allow all supported application services as inbound services. You allow traffic from any source address, destination address, and application to pass between the zones.

You then create the firewall filter bypass-flow-filter and define the terms bypass-flow-term-1 and bypass-flow-term-2 that match the traffic between internal interfaces ge-0/0/1 and ge-0/0/2 and that contain the packet-mode action modifier. You define the term accept-rest to accept all remaining traffic. Finally, you apply the firewall filter bypass-flow-filter to internal interfaces ge-0/0/1 and ge-0/0/2 (not on the external interface). As a result, all internal traffic bypasses flow-based forwarding and the traffic to and from the Internet does not bypass flow-based forwarding.

Figure 3 shows the network topology used in this example.

Figure 3: Intranet Traffic Using End-to-End Packet-Based Services

Your company’s branch offices are connected to each other through a private WAN. For this internal traffic, packet forwarding is required because security is not an issue. Hence for this traffic, you decide to configure selective stateless packet-based services to bypass flow-based forwarding. The remaining traffic, to and from the Internet, uses flow-based forwarding.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

{device R0}
[edit]
set interfaces ge-0/0/1 description "Internal 1" unit 0 family inet address 10.1.1.2/24
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1

{device R1}
[edit]
set interfaces ge-0/0/1 description "Internal 1" unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/2 description "Internal 2" unit 0 family inet address 10.2.1.1/24
set interfaces ge-0/0/3 description "Internet" unit 0 family inet address 203.0.113.1/30
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.2
set security zones security-zone untrust interfaces ge-0/0/3
set security zones security-zone trust interfaces ge-0/0/1
set security zones security-zone trust interfaces ge-0/0/2
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services all
set security policies from-zone trust to-zone untrust policy Internet-traffic match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy Internet-traffic then permit
set security policies from-zone untrust to-zone trust policy Incoming-traffic match source-address any destination-address any application any
set security policies from-zone untrust to-zone trust policy Incoming-traffic then permit
set security policies from-zone trust to-zone trust policy Intrazone-traffic match source-address any destination-address any application any
set security policies from-zone trust to-zone trust policy Intrazone-traffic then permit
set firewall family inet filter bypass-flow-filter term bypass-flow-term-1 from source-address 10.1.1.0/24
set firewall family inet filter bypass-flow-filter term bypass-flow-term-1 from destination-address 10.2.1.0/24
set firewall family inet filter bypass-flow-filter term bypass-flow-term-1 then packet-mode
set firewall family inet filter bypass-flow-filter term bypass-flow-term-2 from source-address 10.2.1.0/24
set firewall family inet filter bypass-flow-filter term bypass-flow-term-2 from destination-address 10.1.1.0/24
set firewall family inet filter bypass-flow-filter term bypass-flow-term-2 then packet-mode
set firewall family inet filter bypass-flow-filter term accept-rest then accept
set interfaces ge-0/0/1 description "Internal 1" unit 0 family inet filter input bypass-flow-filter
set interfaces ge-0/0/2 description "Internal 2" unit 0 family inet filter input bypass-flow-filter

{device R2}
[edit]
set interfaces ge-0/0/3 description "Internet" unit 0 family inet address 203.0.113.2/30
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

{device R3}
[edit]
set interfaces ge-0/0/2 description "Internal 2" unit 0 family inet address 10.2.1.2/24
set routing-options static route 0.0.0.0/0 next-hop 10.2.1.1
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure selective stateless packet-based services for end-to-end packet-based forwarding:

  1. Configure the IP addresses for the interfaces on devices R0, R1, R2, and R3.

    {device R0}
    [edit]
    user@host# set interfaces ge-0/0/1 description "Internal 1" unit 0 family inet address 10.1.1.2/24

    {device R1}
    [edit]
    user@host# set interfaces ge-0/0/1 description "Internal 1" unit 0 family inet address 10.1.1.1/24
    user@host# set interfaces ge-0/0/2 description "Internal 2" unit 0 family inet address 10.2.1.1/24
    user@host# set interfaces ge-0/0/3 description "Internet" unit 0 family inet address 203.0.113.1/30

    {device R2}
    [edit]
    user@host# set interfaces ge-0/0/3 description "Internet" unit 0 family inet address 203.0.113.2/30

    {device R3}
    [edit]
    user@host# set interfaces ge-0/0/2 description "Internal 2" unit 0 family inet address 10.2.1.2/24

  2. Create static routes and associate the appropriate next-hop addresses for devices R0, R1, R2, and R3.

    {device R0}
    [edit]
    user@host# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1

    {device R1}
    [edit]
    user@host# set routing-options static route 0.0.0.0/0 next-hop 203.0.113.2

    {device R2}
    [edit]
    user@host# set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

    {device R3}
    [edit]
    user@host# set routing-options static route 0.0.0.0/0 next-hop 10.2.1.1

  3. Configure security zones and assign interfaces.

    {device R1}
    [edit]
    user@host# set security zones security-zone untrust interfaces ge-0/0/3
    user@host# set security zones security-zone trust interfaces ge-0/0/1
    user@host# set security zones security-zone trust interfaces ge-0/0/2

  4. Configure application services for zones.

    {device R1}
    [edit]
    user@host# set security zones security-zone trust host-inbound-traffic system-services all
    user@host# set security zones security-zone untrust host-inbound-traffic system-services all

  5. Configure a security policy.

    {device R1}
    [edit]
    user@host# set security policies from-zone trust to-zone untrust policy Internet-traffic match source-address any destination-address any application any
    user@host# set security policies from-zone trust to-zone untrust policy Internet-traffic then permit
    user@host# set security policies from-zone untrust to-zone trust policy Incoming-traffic match source-address any destination-address any application any
    user@host# set security policies from-zone untrust to-zone trust policy Incoming-traffic then permit
    user@host# set security policies from-zone trust to-zone trust policy Intrazone-traffic match source-address any destination-address any application any
    user@host# set security policies from-zone trust to-zone trust policy Intrazone-traffic then permit

  6. Create a firewall filter and define terms for all the packet-based forwarding traffic.

    {device R1}
    [edit]
    user@host# set firewall family inet filter bypass-flow-filter term bypass-flow-term-1 from source-address 10.1.1.0/24
    user@host# set firewall family inet filter bypass-flow-filter term bypass-flow-term-1 from destination-address 10.2.1.0/24
    user@host# set firewall family inet filter bypass-flow-filter term bypass-flow-term-1 then packet-mode
    user@host# set firewall family inet filter bypass-flow-filter term bypass-flow-term-2 from source-address 10.2.1.0/24
    user@host# set firewall family inet filter bypass-flow-filter term bypass-flow-term-2 from destination-address 10.1.1.0/24
    user@host# set firewall family inet filter bypass-flow-filter term bypass-flow-term-2 then packet-mode

  7. Specify another term for the remaining traffic.

    {device R1}
    [edit]
    user@host# set firewall family inet filter bypass-flow-filter term accept-rest then accept

  8. Apply the firewall filter to relevant interfaces.

    {device R1}
    [edit]
    user@host# set interfaces ge-0/0/1 description "Internal 1" unit 0 family inet filter input bypass-flow-filter
    user@host# set interfaces ge-0/0/2 description "Internal 2" unit 0 family inet filter input bypass-flow-filter
    
Results

From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, and show firewall commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

{device R0}
[edit]
user@host# show interfaces
ge-0/0/1 {
    description "Internal 1";
    unit 0 {
        family inet {
            address 10.1.1.2/24;
        }
    }
}

{device R0}
[edit]
user@host# show routing-options
static {
    route 0.0.0.0/0 next-hop 10.1.1.1;
}

{device R2}
[edit]
user@host# show interfaces
ge-0/0/3 {
    description "Internet";
    unit 0 {
        family inet {
            address 203.0.113.2/30;
        }
    }
}

{device R2}
[edit]
user@host# show routing-options
static {
    route 0.0.0.0/0 next-hop 203.0.113.1;
}

{device R3}
[edit]
user@host# show interfaces
ge-0/0/2 {
    description "Internal 2";
    unit 0 {
        family inet {
            address 10.2.1.2/24;
        }
    }
}

{device R3}
[edit]
user@host# show routing-options
static {
    route 0.0.0.0/0 next-hop 10.2.1.1;
}

{device R1}
[edit]
user@host# show interfaces
ge-0/0/1 {
    description "Internal 1";
    unit 0 {
        family inet {
            filter {
                input bypass-flow-filter;
            }
            address 10.1.1.1/24;
        }
    }
}
ge-0/0/2 {
    description "Internal 2";
    unit 0 {
        family inet {
            filter {
                input bypass-flow-filter;
            }
            address 10.2.1.1/24;
        }
    }
}
ge-0/0/3 {
    description "Internet";
    unit 0 {
        family inet {
            address 203.0.113.1/30;
        }
    }
}

{device R1}
[edit]
user@host# show routing-options
static {
    route 0.0.0.0/0 next-hop 203.0.113.2;
}

{device R1}
[edit]
user@host# show firewall
family inet {
    filter bypass-flow-filter {
        term bypass-flow-term-1 {
            from {
                source-address {
                    10.1.1.0/24;
                }
                destination-address {
                    10.2.1.0/24;
                }
            }
            then packet-mode;
        }
        term bypass-flow-term-2 {
            from {
                source-address {
                    10.2.1.0/24;
                }
                destination-address {
                    10.1.1.0/24;
                }
            }
            then packet-mode;
        }
        term accept-rest {
            then accept;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the End-to-End Packet-Based Configuration

Purpose

Verify that the selective stateless packet-based services are configured.

Action

From configuration mode, enter the show interfaces, show routing-options, show security zones, show security policies, and show firewall commands.

Verify that the output shows the intended configuration of the firewall filter, interfaces, and policies.

Verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert command.

Verifying Session Establishment on Intranet Traffic

Purpose

Verify that sessions are established when traffic is transmitted to interfaces within the Intranet.

Action

To verify that sessions are established, perform the following tasks:

  1. On device R1, enter the operational mode clear security flow session all command to clear all existing security flow sessions.

  2. On device R0, enter the operational mode ping command to transmit traffic to device R3.

  3. On device R1, with traffic transmitting from devices R0 to R3 through R1, enter the operational mode show security flow session command.

Note:

To verify established sessions, make sure to enter the show security flow session command while the ping command is sending and receiving packets.

Starting in Junos OS Release 15.1X49-D30 and Junos OS Release 17.3R1, the session flow summaries include CP session IDs.

{device R0}
user@host> ping 203.0.113.6
PING 203.0.113.6 (203.0.113.6): 56 data bytes
64 bytes from 203.0.113.6: icmp_seq=0 ttl=63 time=2.326 ms
64 bytes from 203.0.113.6: icmp_seq=1 ttl=63 time=2.569 ms
64 bytes from 203.0.113.6: icmp_seq=2 ttl=63 time=2.565 ms
64 bytes from 203.0.113.6: icmp_seq=3 ttl=63 time=2.563 ms
64 bytes from 203.0.113.6: icmp_seq=4 ttl=63 time=2.306 ms
64 bytes from 203.0.113.6: icmp_seq=5 ttl=63 time=2.560 ms
64 bytes from 203.0.113.6: icmp_seq=6 ttl=63 time=4.130 ms
64 bytes from 203.0.113.6: icmp_seq=7 ttl=63 time=2.316 ms
...

{device R1}
user@host> show security flow session
Flow Sessions on FPC10 PIC1:
Total sessions: 0

Flow Sessions on FPC10 PIC2:
Total sessions: 0

Flow Sessions on FPC10 PIC3:
Total sessions: 0

The output shows traffic transmitting from R0 to R3 and no sessions are established. In this example, you applied the bypass-flow-filter with the packet-mode action modifier on interfaces Internal 1 and Internal 2 for your company’s Intranet traffic. This output verifies that the traffic between the two interfaces is correctly bypassing flow-based forwarding and hence no sessions are established.

Verifying Session Establishment on Internet Traffic

Purpose

Verify that sessions are established when traffic is transmitted to the Internet.

Action

To verify that traffic to the Internet is using flow-based forwarding and sessions are established, perform the following tasks:

  1. On device R1, enter the operational mode clear security flow session all command to clear all existing security flow sessions.

  2. On device R0, enter the operational mode ping command to transmit traffic to device R2.

  3. On device R1, with traffic transmitting from R0 to R2 through R1, enter the operational mode show security flow session command.

Note:

To verify established sessions, make sure to enter the show security flow session command while the ping command is sending and receiving packets.

{device R0}
user@host> ping 10.2.1.2 -c 10
PING 10.2.1.2 (10.2.1.2) 56(84) bytes of data.
64 bytes from 10.2.1.2: icmp_seq=1 ttl=63 time=6.07 ms
64 bytes from 10.2.1.2: icmp_seq=2 ttl=63 time=4.24 ms
64 bytes from 10.2.1.2: icmp_seq=3 ttl=63 time=2.85 ms
64 bytes from 10.2.1.2: icmp_seq=4 ttl=63 time=6.14 ms
...

{device R1}
user@host> show security flow session
Flow Sessions on FPC10 PIC1:

Session ID: 410000077, Policy name: Internet-traffic/5, Timeout: 2, Valid
  In: 10.1.1.2/3 --> 10.2.1.2/32055;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, CP Session ID: 410000198
  Out: 10.2.1.2/32055 --> 10.1.1.2/3;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 84, CP Session ID: 410000198
Total sessions: 1

Flow Sessions on FPC10 PIC2:

Session ID: 420000079, Policy name: Internet-traffic/5, Timeout: 2, Valid
  In: 10.1.1.2/5 --> 10.2.1.2/32055;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, CP Session ID: 420000163
  Out: 10.2.1.2/32055 --> 10.1.1.2/5;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 84, CP Session ID: 420000163
Total sessions: 1

Flow Sessions on FPC10 PIC3:

Session ID: 430000090, Policy name: Internet-traffic/5, Timeout: 4, Valid
  In: 10.1.1.2/7 --> 10.2.1.2/32055;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, CP Session ID: 430000088
  Out: 10.2.1.2/32055 --> 10.1.1.2/7;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 84, CP Session ID: 430000088
Total sessions: 1

The output shows traffic transmitting from devices R0 to R1 and established sessions. In this example, you did not apply the bypass-flow-filter with the packet-mode action modifier on interface Internet for your company’s Internet traffic. This output verifies that the traffic to the Internet is correctly using flow-based forwarding and hence sessions are established.

Transmit traffic from device R3 to R2 and use the commands in this section to verify established sessions.

Example: Configuring Selective Stateless Packet-Based Services for Packet-Based to Flow-Based Forwarding

This example shows how to configure selective stateless packet-based services for packet-based to flow-based forwarding. This feature is supported on SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, and vSRX Virtual Firewall devices.

Requirements

Before you begin:

  • Understand how to configure stateless firewall filters.

  • Establish basic connectivity.

Overview

In this example, you configure the IP addresses for the interfaces on each of the devices. For device R0 it is 198.51.100.9/24; for R1 they are 198.51.100.10/24 and 203.0.113.5/24; and for R2 it is 203.0.113.9/24. On device R1, you set an internal service interface lt-0/0/0 between routing instances and configure a peer relationship between two virtual devices. You then create two security zones, Primary-VR-zone and Internet-VR-zone, assign related interfaces to them, and configure them to allow all supported applications and protocols.

Then you configure policies and specify that all packets are permitted. You configure a virtual device routing instance Internet-VR and assign interfaces for flow-based forwarding. You enable OSPF on devices R0, R1, and R2. On device R2, you configure the filter bypass-flow-filter with the term bypass-flow-term that contains the packet-mode action modifier. Because you have not specified any match conditions, this filter applies to all traffic that traverses the interfaces on which it is applied.

Finally, on device R1 you apply the firewall filter bypass-flow-filter to internal interfaces ge-0/0/2.0 and lt-0/0/0.0. You do not apply the filter to the interfaces associated with the Internet-VR routing instance. As a result, all traffic that traverses the LAN interfaces associated with the primary routing instance uses packet-based forwarding and all traffic that traverses the Internet-VR routing instance uses flow-based forwarding.

Figure 4 shows the network topology used in this example.

Figure 4: Selective Stateless Packet-Based Services for Packet-Based Forwarding

The interface facing the private LAN does not need any security services, but the interface facing the WAN does. In this example, you configure both packet-based and flow-based forwarding, so that traffic that needs security services and traffic that does not are handled separately, by configuring two routing instances: one handles packet-based forwarding and the other handles flow-based forwarding.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

{device R0}
set interfaces ge-0/0/2 description "Connect to Primary VR"
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.9/24
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0

{device R1}
set interfaces ge-0/0/2 description "Connect to R0"
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.10/24
set interfaces ge-0/0/3 description "Connect to R2"
set interfaces ge-0/0/3 unit 0 family inet address 203.0.113.5/24
set interfaces lt-0/0/0 unit 0 encapsulation frame-relay
set interfaces lt-0/0/0 unit 0 dlci 100
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet address 192.0.2.1/16
set interfaces lt-0/0/0 unit 1 encapsulation frame-relay
set interfaces lt-0/0/0 unit 1 dlci 100
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet address 192.0.2.2/16
set security zones security-zone Primary-VR-zone host-inbound-traffic system-services all
set security zones security-zone Primary-VR-zone host-inbound-traffic protocols all
set security zones security-zone Primary-VR-zone interfaces ge-0/0/2.0
set security zones security-zone Primary-VR-zone interfaces lt-0/0/0.0
set security zones security-zone Internet-VR-zone host-inbound-traffic system-services all
set security zones security-zone Internet-VR-zone host-inbound-traffic protocols all
set security zones security-zone Internet-VR-zone interfaces ge-0/0/3.0
set security zones security-zone Internet-VR-zone interfaces lt-0/0/0.1
set security policies default-policy permit-all
set routing-instances Internet-VR instance-type virtual-router
set routing-instances Internet-VR interface lt-0/0/0.1
set routing-instances Internet-VR interface ge-0/0/3.0
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set protocols ospf area 0.0.0.0 interface lt-0/0/0.0
set routing-instances Internet-VR protocols ospf area 0.0.0.0 interface lt-0/0/0.1
set routing-instances Internet-VR protocols ospf area 0.0.0.0 interface ge-0/0/3.0
set firewall family inet filter bypass-flow-filter term bypass-flow-term then accept
set firewall family inet filter bypass-flow-filter term bypass-flow-term then packet-mode
set interfaces ge-0/0/2 unit 0 family inet filter input bypass-flow-filter
set interfaces lt-0/0/0 unit 0 family inet filter input bypass-flow-filter

{device R2}
set interfaces ge-0/0/3 description "Connect to Internet-VR"
set interfaces ge-0/0/3 unit 0 family inet address 203.0.113.9/24
set protocols ospf area 0.0.0.0 interface ge-0/0/3.0

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure selective stateless packet-based services for packet-based to flow-based forwarding:

  1. Configure the IP addresses for the interfaces.

    {device R0}
    [edit]
    user@host# set interfaces ge-0/0/2 description "Connect to Primary VR"
    user@host# set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.9/24

    {device R1}
    [edit]
    user@host# set interfaces ge-0/0/2 description "Connect to R0"
    user@host# set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.10/24
    user@host# set interfaces ge-0/0/3 description "Connect to R2"
    user@host# set interfaces ge-0/0/3 unit 0 family inet address 203.0.113.5/24

    {device R2}
    [edit]
    user@host# set interfaces ge-0/0/3 description "Connect to Internet-VR"
    user@host# set interfaces ge-0/0/3 unit 0 family inet address 203.0.113.9/24

  2. Set an internal service interface between routing instances.

    {device R1}
    [edit]
    user@host# set interfaces lt-0/0/0 unit 0 encapsulation frame-relay
    user@host# set interfaces lt-0/0/0 unit 0 dlci 100
    user@host# set interfaces lt-0/0/0 unit 0 peer-unit 1
    user@host# set interfaces lt-0/0/0 unit 0 family inet address 192.0.2.1/16
    user@host# set interfaces lt-0/0/0 unit 1 encapsulation frame-relay
    user@host# set interfaces lt-0/0/0 unit 1 dlci 100
    user@host# set interfaces lt-0/0/0 unit 1 peer-unit 0
    user@host# set interfaces lt-0/0/0 unit 1 family inet address 192.0.2.2/16

  3. Configure security zones.

    {device R1}
    [edit]
    user@host# set security zones security-zone Primary-VR-zone host-inbound-traffic system-services all
    user@host# set security zones security-zone Primary-VR-zone host-inbound-traffic protocols all
    user@host# set security zones security-zone Primary-VR-zone interfaces ge-0/0/2.0
    user@host# set security zones security-zone Primary-VR-zone interfaces lt-0/0/0.0
    user@host# set security zones security-zone Internet-VR-zone host-inbound-traffic system-services all
    user@host# set security zones security-zone Internet-VR-zone host-inbound-traffic protocols all
    user@host# set security zones security-zone Internet-VR-zone interfaces ge-0/0/3.0
    user@host# set security zones security-zone Internet-VR-zone interfaces lt-0/0/0.1
    
  4. Configure policies.

    {device R1}
    [edit]
    user@host# set security policies default-policy permit-all
    
  5. Configure a virtual device routing instance.

    {device R1}
    [edit]
    user@host# set routing-instances Internet-VR instance-type virtual-router
    user@host# set routing-instances Internet-VR interface lt-0/0/0.1
    user@host# set routing-instances Internet-VR interface ge-0/0/3.0

  6. Enable OSPF on all interfaces in the network.

    {device R0}
    [edit]
    user@host# set protocols ospf area 0.0.0.0 interface ge-0/0/2.0

    {device R1 for Primary-VR}
    [edit]
    user@host# set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
    user@host# set protocols ospf area 0.0.0.0 interface lt-0/0/0.0

    {device R1 for Internet-VR}
    [edit]
    user@host# set routing-instances Internet-VR protocols ospf area 0.0.0.0 interface lt-0/0/0.1
    user@host# set routing-instances Internet-VR protocols ospf area 0.0.0.0 interface ge-0/0/3.0

    {device R2}
    [edit]
    user@host# set protocols ospf area 0.0.0.0 interface ge-0/0/3.0

  7. Create a firewall filter and define a term for packet-based forwarding traffic.

    {device R1}
    [edit]
    user@host# set firewall family inet filter bypass-flow-filter term bypass-flow-term then accept
    user@host# set firewall family inet filter bypass-flow-filter term bypass-flow-term then packet-mode
    
  8. Apply the firewall filter to relevant interfaces.

    {device R1}
    [edit]
    user@host# set interfaces ge-0/0/2 unit 0 family inet filter input bypass-flow-filter
    user@host# set interfaces lt-0/0/0 unit 0 family inet filter input bypass-flow-filter
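
A check worth running before committing the configuration above is that the packet-mode filter lands only on the interfaces that are meant to bypass flow processing, because a packet-mode term also bypasses the security policies on whatever interface it is applied to. The following Python script is an added example, not code from Juniper or from this page. It assumes the configuration is available in set format (for instance from show configuration | display set) and uses the interface, filter and routing-instance names of device R1 above; the constructed sample deliberately contains one extra line that applies the bypass filter to the Internet-facing interface so the audit has something to flag.

```python
"""Audit a Junos SRX set-format configuration for packet-mode filter placement.

Added example, not Juniper code. A filter term with the packet-mode action
makes matching traffic bypass flow (stateful) processing and the security
policies, so it should only be applied on the trusted LAN side. This script
parses set-format lines and reports every interface that carries such a
filter, flagging any that belong to a routing instance meant for flow-based
forwarding.
"""
import re

# Constructed sample: device R1 from the example, plus one deliberately wrong
# final line that applies the bypass filter to the Internet-facing interface.
SAMPLE_CONFIG = """
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.10/24
set interfaces ge-0/0/3 unit 0 family inet address 203.0.113.5/24
set interfaces lt-0/0/0 unit 0 family inet address 192.0.2.1/16
set interfaces lt-0/0/0 unit 1 family inet address 192.0.2.2/16
set routing-instances Internet-VR instance-type virtual-router
set routing-instances Internet-VR interface lt-0/0/0.1
set routing-instances Internet-VR interface ge-0/0/3.0
set firewall family inet filter bypass-flow-filter term bypass-flow-term then accept
set firewall family inet filter bypass-flow-filter term bypass-flow-term then packet-mode
set interfaces ge-0/0/2 unit 0 family inet filter input bypass-flow-filter
set interfaces lt-0/0/0 unit 0 family inet filter input bypass-flow-filter
set interfaces ge-0/0/3 unit 0 family inet filter input bypass-flow-filter
"""

# The three kinds of set lines the audit cares about.
PACKET_MODE_TERM = re.compile(
    r"^set firewall family inet filter (\S+) term (\S+) then packet-mode$")
FILTER_APPLY = re.compile(
    r"^set interfaces (\S+) unit (\d+) family inet filter (input|output) (\S+)$")
# Accepts both "routing-instances X interface Y" and the combined form seen in
# some documentation, "routing-instances X instance-type T interface Y".
RI_INTERFACE = re.compile(
    r"^set routing-instances (\S+) (?:instance-type \S+ )?interface (\S+)$")


def parse_config(text):
    """Return (packet-mode filter names, [(ifl, direction, filter)], {ifl: instance})."""
    packet_mode_filters = set()
    applied = []
    instance_of = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PACKET_MODE_TERM.match(line):
            packet_mode_filters.add(m.group(1))
        elif m := FILTER_APPLY.match(line):
            applied.append((f"{m.group(1)}.{m.group(2)}", m.group(3), m.group(4)))
        elif m := RI_INTERFACE.match(line):
            instance_of[m.group(2)] = m.group(1)
    return packet_mode_filters, applied, instance_of


def audit_packet_mode(text, flow_instances):
    """Return (sorted packet-mode interfaces, sorted violating interfaces).

    An interface violates the design if a packet-mode filter is applied to it
    while it belongs to one of the routing instances in flow_instances, i.e.
    the stateful side of the device. Interfaces not listed under any routing
    instance belong to the master instance (Primary-VR in this example).
    """
    filters, applied, instance_of = parse_config(text)
    packet_mode_ifls = sorted({ifl for ifl, _, name in applied if name in filters})
    violations = sorted(ifl for ifl in packet_mode_ifls
                        if instance_of.get(ifl) in flow_instances)
    return packet_mode_ifls, violations


if __name__ == "__main__":
    ifls, bad = audit_packet_mode(SAMPLE_CONFIG, {"Internet-VR"})
    print("packet-mode interfaces:", ifls)
    for ifl in bad:
        print(f"VIOLATION: {ifl} bypasses flow processing but is in a flow-mode instance")
```

Run against the sample, the audit lists ge-0/0/2.0, ge-0/0/3.0 and lt-0/0/0.0 as packet-mode interfaces and reports ge-0/0/3.0 as a violation; remove the extra line and the violation list is empty, which is the state the example above intends.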
    
Results

From configuration mode, confirm your configuration by entering the show interfaces, show protocols, show security, show routing-instances, and show firewall commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

{device R0}
[edit]
user@host# show interfaces
ge-0/0/2 {
    description "Connect to Primary-VR";
    unit 0 {
        family inet {
            address 198.51.100.9/24;
        }
    }
}

{device R0}
[edit]
user@host# show protocols
ospf {
    area 0.0.0.0 {
        interface ge-0/0/2.0;
    }
}

{device R2}
[edit]
user@host# show interfaces
ge-0/0/3 {
    description "Connect to Internet-VR";
    unit 0 {
        family inet {
            address 203.0.113.9/24;
        }
    }
}

{device R2}
[edit]
user@host# show protocols
ospf {
    area 0.0.0.0 {
        interface ge-0/0/3.0;
    }
}

{device R1}
[edit]
user@host# show interfaces
ge-0/0/2 {
    description "Connect to R0";
    unit 0 {
        family inet {
            filter {
                input bypass-flow-filter;
            }
            address 198.51.100.10/24;
        }
    }
}
lt-0/0/0 {
    unit 0 {
        encapsulation frame-relay;
        dlci 100;
        peer-unit 1;
        family inet {
            filter {
                input bypass-flow-filter;
            }
            address 192.0.2.1/16;
        }
    }
    unit 1 {
        encapsulation frame-relay;
        dlci 100;
        peer-unit 0;
        family inet {
            address 192.0.2.2/16;
        }
    }
}

{device R1}
[edit]
user@host# show protocols
ospf {
    area 0.0.0.0 {
        interface ge-0/0/2.0;
        interface lt-0/0/0.0;
    }
}

{device R1}
[edit]
user@host# show firewall
filter bypass-flow-filter {
    term bypass-flow-term {
        then {
            packet-mode;
            accept;
        }
    }
}

{device R1}
[edit]
user@host# show routing-instances
Internet-VR {
    instance-type virtual-router;
    interface lt-0/0/0.1;
    interface ge-0/0/3.0;
    protocols {
        ospf {
            area 0.0.0.0 {
                interface ge-0/0/3.0;
                interface lt-0/0/0.1;
            }
        }
    }
}

{device R1}
[edit]
user@host# show security
zones {
    security-zone Primary-VR-zone {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/2.0;
            lt-0/0/0.0;
        }
    }
    security-zone Internet-VR-zone {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/3.0;
            lt-0/0/0.1;
        }
    }
}
policies {
    default-policy {
        permit-all;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Packet-Based to Flow-Based Configuration

Purpose

Verify that the selective stateless packet-based services are configured for packet-based to flow-based forwarding.

Action

From configuration mode, enter the show interfaces, show protocols, show security, show routing-instances, and show firewall commands.

Verify that the output shows the intended configuration of the firewall filter, routing instances, interfaces, and policies.

Verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert command.

Verifying Session Establishment on LAN Traffic

Purpose

Verify that the sessions are established when traffic is transmitted on interfaces within the LAN.

Action

To verify that sessions are established, perform the following tasks:

  1. On device R1, from operational mode enter the clear security flow session all command to clear all existing security flow sessions.

  2. On device R0, from operational mode enter the ping command to transmit traffic to device Primary-VR.

  3. On device R1, with traffic transmitting from device R0 through R1, from operational mode enter the show security flow session command.

Note:

To verify established sessions, ensure that you enter the show security flow session command while the ping command is sending and receiving packets.

{device R0}
user@host> ping 192.0.2.1
PING 192.0.2.1 (192.0.2.1): 56 data bytes
64 bytes from 192.0.2.1: icmp_seq=0 ttl=63 time=2.208 ms
64 bytes from 192.0.2.1: icmp_seq=1 ttl=63 time=2.568 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=63 time=2.573 ms
64 bytes from 192.0.2.1: icmp_seq=3 ttl=63 time=2.310 ms
64 bytes from 192.0.2.1: icmp_seq=4 ttl=63 time=1.566 ms
64 bytes from 192.0.2.1: icmp_seq=5 ttl=63 time=1.569 ms
...
{device R1}
user@host> show security flow session
0 sessions displayed

The output shows traffic transmitting from R0 to Primary-VR with no sessions established. In this example, you applied the bypass-flow-filter with the packet-mode action modifier on interfaces ge-0/0/2.0 and lt-0/0/0.0 for your company’s LAN traffic. This output verifies that the traffic between the two interfaces is correctly bypassing flow-based forwarding, and hence no sessions are established.

Verifying Session Establishment on Internet Traffic

Purpose

Verify that sessions are established when traffic is transmitted to the Internet.

Action

To verify that traffic to the Internet is using flow-based forwarding and sessions are established, perform the following tasks:

  1. On device R1, from operational mode enter the clear security flow session all command to clear all existing security flow sessions.

  2. On device R0, from operational mode enter the ping command to transmit traffic to device R2.

  3. On device R1, with traffic transmitting from R0 to R2 through R1, from operational mode enter the show security flow session command.

    root@host> show security flow session
    Flow Sessions on FPC10 PIC1:
    Total sessions: 0
    
    Flow Sessions on FPC10 PIC2:
    Total sessions: 0
    
    Flow Sessions on FPC10 PIC3:
    Total sessions: 0
Note:

To verify established sessions, ensure that you enter the show security flow session command while the ping command is sending and receiving packets.

{device R0}
user@host> ping 192.0.2.1 -c 10
PING 60.0.0.1 (60.0.0.1) 56(84) bytes of data.
64 bytes from 192.0.2.1: icmp_seq=1 ttl=64 time=1.98 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=64 time=1.94 ms
64 bytes from 192.0.2.1: icmp_seq=3 ttl=64 time=1.92 ms
64 bytes from 192.0.2.1: icmp_seq=4 ttl=64 time=1.89 ms

...
{device R1}
user@host> show security flow session
Session ID: 189900, Policy name: default-policy/2, Timeout: 2
  In: 198.51.100.9/0 --> 192.0.2.1/5924;icmp, If: lt-0/0/0.1
  Out: 192.0.2.1/5924 --> 198.51.100.9/0;icmp, If: ge-0/0/3.0

Session ID: 189901, Policy name: default-policy/2, Timeout: 2
  In: 198.51.100.9/1 --> 192.0.2.1/5924;icmp, If: lt-0/0/0.1
  Out: 192.0.2.1/5924 --> 198.51.100.9/1;icmp, If: ge-0/0/3.0

Session ID: 189902, Policy name: default-policy/2, Timeout: 4
  In: 198.51.100.9/2 --> 192.0.2.1/5924;icmp, If: lt-0/0/0.1
  Out: 192.0.2.1/5924 --> 198.51.100.9/2;icmp, If: ge-0/0/3.0

 3 sessions displayed

The output shows traffic transmitting from devices R0 to R2 and established sessions. In this example, you did not apply the bypass-flow-filter with the packet-mode action modifier on routing instance Internet-VR for your company’s Internet traffic. This output verifies that the traffic to the Internet is correctly using flow-based forwarding and hence sessions are established.

Note that sessions are established only when traffic is flowing between lt-0/0/0.1 and ge-0/0/3 and not when traffic is flowing between ge-0/0/2 and lt-0/0/0.0.
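
To make the two session checks above repeatable, the following Python script is an added example (not Juniper's code and not part of this page) that parses show security flow session output and reports any session whose ingress or egress interface is one that carries the packet-mode filter. It assumes the plain-text session format shown above. The first two sample listings are the outputs shown in the verification sections; the third, with a session on ge-0/0/2.0 and lt-0/0/0.0, is constructed to show what a failed check looks like, since a session on a LAN interface would mean the bypass is not in effect.

```python
"""Check 'show security flow session' output against the intended forwarding split.

Added example, not Juniper code. After the packet-mode filter is applied,
sessions should appear only for traffic crossing the Internet-VR interfaces
(lt-0/0/0.1, ge-0/0/3.0) and never for the LAN interfaces (ge-0/0/2.0,
lt-0/0/0.0). This script parses the session listing and reports any session
that touches a packet-mode interface.
"""
import re

# Interfaces that carry bypass-flow-filter in the example; a session on one of
# these means traffic is (unexpectedly) being processed in flow mode.
PACKET_MODE_IFLS = {"ge-0/0/2.0", "lt-0/0/0.0"}

# Sample outputs copied from the verification sections of the example.
LAN_OUTPUT = "0 sessions displayed\n"

INTERNET_OUTPUT = """\
Session ID: 189900, Policy name: default-policy/2, Timeout: 2
  In: 198.51.100.9/0 --> 192.0.2.1/5924;icmp, If: lt-0/0/0.1
  Out: 192.0.2.1/5924 --> 198.51.100.9/0;icmp, If: ge-0/0/3.0

Session ID: 189901, Policy name: default-policy/2, Timeout: 2
  In: 198.51.100.9/1 --> 192.0.2.1/5924;icmp, If: lt-0/0/0.1
  Out: 192.0.2.1/5924 --> 198.51.100.9/1;icmp, If: ge-0/0/3.0

Session ID: 189902, Policy name: default-policy/2, Timeout: 4
  In: 198.51.100.9/2 --> 192.0.2.1/5924;icmp, If: lt-0/0/0.1
  Out: 192.0.2.1/5924 --> 198.51.100.9/2;icmp, If: ge-0/0/3.0

 3 sessions displayed
"""

# Constructed failure case: a session whose legs are on the LAN interfaces.
LEAK_OUTPUT = """\
Session ID: 190000, Policy name: default-policy/2, Timeout: 2
  In: 198.51.100.9/3 --> 192.0.2.1/5924;icmp, If: ge-0/0/2.0
  Out: 192.0.2.1/5924 --> 198.51.100.9/3;icmp, If: lt-0/0/0.0

 1 sessions displayed
"""

SESSION_HDR = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
SESSION_LEG = re.compile(r"^\s*(In|Out): (\S+) --> (\S+);(\S+), If: (\S+)")


def parse_sessions(text):
    """Parse the listing into dicts with id, policy, timeout, proto, in_if, out_if."""
    sessions, current = [], None
    for line in text.splitlines():
        if m := SESSION_HDR.match(line):
            current = {"id": int(m.group(1)), "policy": m.group(2),
                       "timeout": int(m.group(3)), "proto": None,
                       "in_if": None, "out_if": None}
            sessions.append(current)
        elif current is not None and (m := SESSION_LEG.match(line)):
            current["proto"] = m.group(4)
            current["in_if" if m.group(1) == "In" else "out_if"] = m.group(5)
    return sessions


def check_forwarding_split(text, packet_mode_ifls=PACKET_MODE_IFLS):
    """Return (session count, ids of sessions touching a packet-mode interface)."""
    sessions = parse_sessions(text)
    leaked = [s["id"] for s in sessions
              if s["in_if"] in packet_mode_ifls or s["out_if"] in packet_mode_ifls]
    return len(sessions), leaked


if __name__ == "__main__":
    for label, out in (("LAN", LAN_OUTPUT), ("Internet", INTERNET_OUTPUT), ("leak", LEAK_OUTPUT)):
        count, leaked = check_forwarding_split(out)
        print(f"{label}: {count} session(s), packet-mode leaks: {leaked}")
```

For the LAN ping the expected result is zero sessions; for the Internet ping it is three sessions, none on a packet-mode interface; the constructed leak listing yields one session that the check reports.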

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release 15.1X49-D30: Starting in Junos OS Release 15.1X49-D30 and Junos OS Release 17.3R1, the session flow summaries include CP session IDs.