2.3 Transit Traffic & Packet Flow

Key Takeaways

  • Transit traffic passes through the device and is forwarded entirely by the Packet Forwarding Engine using the local forwarding table, without involving the Routing Engine
  • Exception and host-inbound traffic (packets destined to the device itself, or packets the PFE cannot forward locally) is punted up to the Routing Engine for handling
  • Routing Engine protection limits and prioritizes traffic punted to the RE so a flood of exception traffic cannot overwhelm the control plane
  • The Routing Engine builds the routing table and selects active routes; the active routes are installed into the forwarding table that the PFE actually uses to forward packets
  • Understanding the routing-table-to-forwarding-table relationship is the foundation for the later Routing Fundamentals objective
Last updated: May 2026

Why Packet Flow Matters for JNCIA-Junos

Quick Answer: Most traffic through a Junos device is transit traffic — packets passing through to some other destination — and the Packet Forwarding Engine (PFE) handles it entirely using its local forwarding table, never touching the Routing Engine (RE). Traffic that is destined to the device itself, or that the PFE cannot forward locally, is exception traffic and is punted up to the RE. Routing Engine protection keeps that exception path from overwhelming the control plane. This packet-flow model is the bridge into the Routing Fundamentals objective.

This is one of the most conceptually important sections in the exam because it ties the architecture (Section 2.2) to real packet behavior and to routing/forwarding tables.

Transit Traffic: The Common Case

Transit traffic enters one interface and is destined for a network reachable through another interface — the device is just an intermediate hop. The flow is:

  1. Packet arrives at an ingress PFE interface.
  2. The PFE performs a forwarding-table lookup using longest-prefix match.
  3. The PFE applies any input/output firewall filters, class-of-service, and rewrite operations.
  4. The PFE sends the packet out the egress interface.

The RE is not involved per packet. Because the RE already computed the forwarding table and pushed a copy to the PFE, transit forwarding happens entirely in the high-speed forwarding plane. This is why control-plane load does not directly slow normal forwarding.

   in -->[ PFE: FIB lookup + filters + CoS ]--> out      (transit: stays in PFE)

   in -->[ PFE detects "for me" / can't forward ]
             |  punt
             v
        [ Routing Engine ]                              (exception/host-inbound)

Exception and Host-Inbound Traffic

Not all traffic can be handled purely by the PFE. Exception traffic is anything the PFE must hand up to the RE, including:

  • Host-inbound traffic: packets destined to the device itself — for example, an SSH or Telnet session to the device, an SNMP query, a ping to a device interface, or routing-protocol packets (the RE runs the protocols).
  • Packets requiring control-plane processing: for example, certain ICMP responses (such as TTL-expired generating a time-exceeded message) or packets needing services the PFE cannot complete locally.

This hand-up is called a punt: the PFE punts the packet over the internal link to the RE. Host-outbound traffic is the reverse — the RE originates packets (such as routing updates or its own ping replies) that the PFE then sends out.

Traffic typeHandled byExample
TransitPFE onlyPacket routed through the device to another network
Host-inboundPunted to RESSH to the device, SNMP poll, BGP/OSPF packets, ping to an interface
Host-outboundOriginated by RE, sent via PFERouting-protocol updates, device-sourced ping replies
ExceptionPunted to RETTL-expired handling, packets needing control-plane services

Routing Engine Protection (Concept)

Because exception traffic is punted to the RE, a large volume of such traffic — accidental or malicious (for example, a flood of packets aimed at the device's own address) — could overload the control plane and degrade routing or management. Routing Engine protection is the principle of limiting, filtering, and prioritizing traffic destined to the RE so the control plane stays healthy.

At JNCIA-Junos level you need the concept, not deep configuration: legitimate host-inbound traffic (your management session, routing protocols) must still reach the RE, while excessive or unwanted traffic to the RE is rate-limited or filtered. This protects the "brain" so the "muscle" (PFE) keeps forwarding transit traffic even under attack. It directly builds on the control-plane/forwarding-plane separation from Section 2.2.

Routing Table and Forwarding Table Relationship (Intro)

The two tables are related but distinct, and confusing them is a common exam mistake:

TableLives on / used byBuilt fromPurpose
Routing table (RIB)Routing Engine (control plane)All learned routes: static, direct, dynamic protocolsHolds all candidate routes and selects the active route per destination
Forwarding table (FIB)Pushed to and used by the PFE (forwarding plane)Only the active routes selected from the routing tableUsed for the actual per-packet forwarding decision

The flow is one-directional: routing sources populate the routing table on the RE, the RE selects the best (active) route for each destination, and only those active routes are installed into the forwarding table that the PFE uses to forward packets. So the routing table is the full decision space; the forwarding table is the committed result the hardware acts on.

This intro is intentionally high-level. The dedicated Routing Fundamentals objective expands on route preference, multiple routing tables, routing instances, and static routes — but the core mental model is set here: RE decides (routing table) → PFE forwards (forwarding table).

Test Your Knowledge

A packet enters a Junos device and is destined for a network reachable out another interface. Which component forwards it and what does it use?

A
B
C
D
Test Your Knowledge

Which of the following is an example of host-inbound (exception) traffic that gets punted to the Routing Engine?

A
B
C
D
Test Your Knowledge

What problem does Routing Engine protection address?

A
B
C
D
Test Your Knowledge

Which statement best describes the relationship between the routing table and the forwarding table in Junos?

A
B
C
D