2.3 Transit Traffic & Packet Flow
Key Takeaways
- Transit traffic passes through the device and is forwarded entirely by the Packet Forwarding Engine using the local forwarding table, without involving the Routing Engine
- Exception and host-inbound traffic (packets destined to the device itself, or packets the PFE cannot forward locally) is punted up to the Routing Engine for handling
- Routing Engine protection limits and prioritizes traffic punted to the RE so a flood of exception traffic cannot overwhelm the control plane
- The Routing Engine builds the routing table and selects active routes; the active routes are installed into the forwarding table that the PFE actually uses to forward packets
- Understanding the routing-table-to-forwarding-table relationship is the foundation for the later Routing Fundamentals objective
Why Packet Flow Matters for JNCIA-Junos
Quick Answer: Most traffic through a Junos device is transit traffic — packets passing through to some other destination — and the Packet Forwarding Engine (PFE) handles it entirely using its local forwarding table, never touching the Routing Engine (RE). Traffic that is destined to the device itself, or that the PFE cannot forward locally, is exception traffic and is punted up to the RE. Routing Engine protection keeps that exception path from overwhelming the control plane. This packet-flow model is the bridge into the Routing Fundamentals objective.
This is one of the most conceptually important sections in the exam because it ties the architecture (Section 2.2) to real packet behavior and to routing/forwarding tables.
Transit Traffic: The Common Case
Transit traffic enters one interface and is destined for a network reachable through another interface — the device is just an intermediate hop. The flow is:
- Packet arrives at an ingress PFE interface.
- The PFE performs a forwarding-table lookup using longest-prefix match.
- The PFE applies any input/output firewall filters, class-of-service, and rewrite operations.
- The PFE sends the packet out the egress interface.
The RE is not involved per packet. Because the RE already computed the forwarding table and pushed a copy to the PFE, transit forwarding happens entirely in the high-speed forwarding plane. This is why control-plane load does not directly slow normal forwarding.
in -->[ PFE: FIB lookup + filters + CoS ]--> out (transit: stays in PFE)
in -->[ PFE detects "for me" / can't forward ]
| punt
v
[ Routing Engine ] (exception/host-inbound)
Exception and Host-Inbound Traffic
Not all traffic can be handled purely by the PFE. Exception traffic is anything the PFE must hand up to the RE, including:
- Host-inbound traffic: packets destined to the device itself — for example, an SSH or Telnet session to the device, an SNMP query, a ping to a device interface, or routing-protocol packets (the RE runs the protocols).
- Packets requiring control-plane processing: for example, certain ICMP responses (such as TTL-expired generating a time-exceeded message) or packets needing services the PFE cannot complete locally.
This hand-up is called a punt: the PFE punts the packet over the internal link to the RE. Host-outbound traffic is the reverse — the RE originates packets (such as routing updates or its own ping replies) that the PFE then sends out.
| Traffic type | Handled by | Example |
|---|---|---|
| Transit | PFE only | Packet routed through the device to another network |
| Host-inbound | Punted to RE | SSH to the device, SNMP poll, BGP/OSPF packets, ping to an interface |
| Host-outbound | Originated by RE, sent via PFE | Routing-protocol updates, device-sourced ping replies |
| Exception | Punted to RE | TTL-expired handling, packets needing control-plane services |
Routing Engine Protection (Concept)
Because exception traffic is punted to the RE, a large volume of such traffic — accidental or malicious (for example, a flood of packets aimed at the device's own address) — could overload the control plane and degrade routing or management. Routing Engine protection is the principle of limiting, filtering, and prioritizing traffic destined to the RE so the control plane stays healthy.
At JNCIA-Junos level you need the concept, not deep configuration: legitimate host-inbound traffic (your management session, routing protocols) must still reach the RE, while excessive or unwanted traffic to the RE is rate-limited or filtered. This protects the "brain" so the "muscle" (PFE) keeps forwarding transit traffic even under attack. It directly builds on the control-plane/forwarding-plane separation from Section 2.2.
Routing Table and Forwarding Table Relationship (Intro)
The two tables are related but distinct, and confusing them is a common exam mistake:
| Table | Lives on / used by | Built from | Purpose |
|---|---|---|---|
| Routing table (RIB) | Routing Engine (control plane) | All learned routes: static, direct, dynamic protocols | Holds all candidate routes and selects the active route per destination |
| Forwarding table (FIB) | Pushed to and used by the PFE (forwarding plane) | Only the active routes selected from the routing table | Used for the actual per-packet forwarding decision |
The flow is one-directional: routing sources populate the routing table on the RE, the RE selects the best (active) route for each destination, and only those active routes are installed into the forwarding table that the PFE uses to forward packets. So the routing table is the full decision space; the forwarding table is the committed result the hardware acts on.
This intro is intentionally high-level. The dedicated Routing Fundamentals objective expands on route preference, multiple routing tables, routing instances, and static routes — but the core mental model is set here: RE decides (routing table) → PFE forwards (forwarding table).
A packet enters a Junos device and is destined for a network reachable out another interface. Which component forwards it and what does it use?
Which of the following is an example of host-inbound (exception) traffic that gets punted to the Routing Engine?
What problem does Routing Engine protection address?
Which statement best describes the relationship between the routing table and the forwarding table in Junos?