
[SRX] How to change forwarding mode for IPv4 from 'flow based' to 'packet based'

  [KB30461]


Summary:

This article explains how to change the forwarding mode on SRX (Branch Series) or J Series devices from flow-based to packet-based for IPv4 traffic.

Note: The solution described here does not apply to SRX High End devices.

Symptoms:

An SRX device can operate in two different modes: packet mode and flow mode. In flow mode, the SRX processes all traffic by analyzing the state, or session, of the traffic. This is also called stateful processing. In packet mode, the SRX processes traffic as a traditional router does, on a per-packet basis. This is also known as stateless processing. Security features like IPsec, NAT, UTM, and so on, do not work in packet mode. By default, Junos OS on SRX devices works in flow mode.

Solution:

To check the forwarding mode:

  1. From operational mode, enter the show security flow status command.

    root> show security flow status
    Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
    Flow trace status
    Flow tracing status: off
    Flow session distribution
    Distribution mode: RR-based
    Flow ipsec performance acceleration: off
    Flow packet ordering
    Ordering mode: Hardware


    As you can see, the device is in flow-based mode for IPv4 (inet) traffic.
  2. Because a device in packet mode works as a router (and not a firewall), delete the security feature configuration from the device.

    [edit]
    root# delete security
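  3. Change the mode to packet-based using the following command. Setting the MPLS family to packet-based also switches IPv4 (inet) forwarding to packet-based, as the commit warning in the next step states: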

    [edit]
    root# set security forwarding-options family mpls mode packet-based
  4. Commit the change. The commit completes with the following warning, prompting you to reboot the device to make the changes effective.

    [edit]
    root# commit
    warning: You have changed mpls flow mode.
    You have to reboot the system for your change to take effect.
    If you have deployed a cluster, be sure to reboot all nodes.
    warning: Inet flow mode has been changed to packet-based mode for mpls mode modification.
    warning: You must reboot the system for your change to take effect.
    If you have deployed a cluster, be sure to reboot all nodes.
    commit complete

     

  5. Reboot the device. Reboot both nodes in the case of a cluster.

    [edit]
    root# run request system reboot
    Reboot the system ? [yes,no] (no) yes

Verification:

  1. Once the device is up after reboot, check the flow status again. As you can see, the forwarding mode is now packet-based.

    root> show security flow status
    Flow forwarding mode:
    Inet forwarding mode: packet based 
    Inet6 forwarding mode: drop
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
    Flow trace status
    Flow tracing status: off
    Flow session distribution
    Distribution mode: RR-based
    Flow ipsec performance acceleration: off
    Flow packet ordering
    Ordering mode: Hardware

Note: This feature is not supported on SRX High End devices. The following warning appears when it is configured: "Warning: configuration block ignored: unsupported platform"

Note: As of 15.1X49-D70, on SRX1500 series, SRX4100, and SRX4200 devices and on vSRX, you do not need to reboot the device when switching between flow mode and packet mode. On SRX300-Series devices, you do need to reboot.
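
The forwarding-mode check used in the Solution and Verification steps can be run against saved CLI output to audit devices. The Python below is an added example, not part of the original article or of any Juniper tooling: it parses `show security flow status` text and reports each family whose mode differs from the expected one. The function names and the default expectation (inet in flow-based mode) are assumptions, and the sample text is abridged from the two outputs shown above.

```python
import re

# Matches "Inet forwarding mode: flow based". The bare section header
# "Flow forwarding mode:" carries no value, so requiring \S skips it.
_MODE_RE = re.compile(r"^\s*(\w+) forwarding mode:\s*(\S.*?)\s*$")

def parse_forwarding_modes(cli_output):
    """Return {family: mode} parsed from 'show security flow status' text."""
    modes = {}
    for line in cli_output.splitlines():
        m = _MODE_RE.match(line)
        if m:
            modes[m.group(1).lower()] = m.group(2).lower()
    return modes

def audit_flow_status(cli_output, expected=None):
    """List deviations from the expected mode per family (assumed policy)."""
    expected = expected or {"inet": "flow based"}  # Junos default on SRX
    modes = parse_forwarding_modes(cli_output)
    findings = []
    for family, want in expected.items():
        got = modes.get(family)
        if got is None:
            findings.append(f"{family}: forwarding mode not found in output")
        elif got != want:
            findings.append(f"{family}: expected '{want}', found '{got}'")
    return findings

# Abridged from the two outputs shown in this article.
BEFORE = """Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
Flow trace status
Flow tracing status: off
"""
AFTER = """Flow forwarding mode:
Inet forwarding mode: packet based 
MPLS forwarding mode: packet based
Flow session distribution
Distribution mode: RR-based
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, parse_forwarding_modes(text), audit_flow_status(text) or "OK")
```

A finding for inet means the device is forwarding IPv4 statelessly, so IPsec, NAT, and UTM are not in effect on it.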
 
Modification History:

2017-03-21: Added note that solution is not supported on SRX High End devices.
2017-06-22: Added that no need to reboot after 15.1X49-D70.
2017-08-07: Reboot is required for entire SRX300-Series
