Firewall Filters and Enhanced Network Services Mode Overview
Under normal conditions, every firewall filter is generated in two different formats: compiled and term-based. The compiled format is used by the Routing Engine (RE) kernel, FPCs, and MS-DPCs. The term-based format is used by MPCs. Compiled firewall filters are duplicated for each interface or logical interface to which they are applied. Term-based filters are not duplicated; each interface or logical interface references a single copy of the filter.
When a combination of MPCs and any other cards populate a chassis, both firewall filter formats must be created. In most networks, creating both filter formats and duplicating compiled firewall filters has no noticeable effect on the router. However, in subscriber management networks that include thousands of statically configured subscriber interfaces, creating filters in multiple formats and duplicating those filters for each interface can consume a large portion of router memory. You can use either Enhanced IP Network Services mode or Enhanced Ethernet Network Services mode to improve the scaling and performance of firewall filters in a subscriber access network that uses statically configured subscriber interfaces.
In configurations where interfaces are created either statically or dynamically and firewall filters are applied dynamically, you must configure the chassis network services to run in enhanced mode. In configurations where interfaces are created statically and firewall filters are applied statically, you must configure chassis network services to run in enhanced mode and also configure each firewall filter for enhanced mode.
Do not use enhanced mode for firewall filters that are intended for control plane traffic. Control plane filtering is handled by the Routing Engine kernel, which cannot use the term-based format of the enhanced mode filters.
Table 1 shows the configuration options when determining enhanced network services mode usage.
Table 1: Enhanced Network Services Mode and Firewall Filter Use Case Determination
Interface and Filter Configuration                              | Chassis Enhanced Mode Required | Firewall Filter Enhanced Mode Required
Dynamically-created interfaces and dynamically-applied filters  | Yes                            | No
Statically-created interfaces and dynamically-applied filters   | Yes                            | No
Statically-created interfaces and statically-applied filters    | Yes                            | Yes
To achieve significant resource savings for the router, combine chassis and filter enhanced mode configuration as follows:
Install only MPCs in the chassis.
Configuring chassis network services to run one of the enhanced network services modes results in the router enabling only MPCs and MS-DPCs. Because MS-DPCs use the compiled firewall filter format, configuring standard (non-enhanced) firewall filters for use with MS-DPCs on a chassis that runs one of the enhanced network services modes reduces the resource savings that enhanced mode is meant to provide.
When configuring static interfaces on the router, configure chassis network services to run either Enhanced IP Network Services mode or Enhanced Ethernet Network Services mode.
When statically applying firewall filters to statically-created interfaces, configure any firewall filters for enhanced mode to limit the filter creation to only term-based format.
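The combined chassis and filter configuration described in the steps above, as an added example that is not part of the original page. The interface, VLAN, addresses and the filter name SUB-IN are hypothetical; the statements are the Junos ones the text names (network-services under [edit chassis], enhanced-mode under [edit firewall family inet filter]). Changing the network-services mode takes effect only after the router is rebooted, so plan the commit for a maintenance window.

```junos
## Added example (not from the original page). Interface, VLAN, prefix and
## filter names are hypothetical.

## 1. MPC-only chassis: run chassis network services in an enhanced mode.
##    Takes effect only after a reboot.
set chassis network-services enhanced-ip

## 2. Statically created subscriber interface (one of many units).
set interfaces ge-1/0/0 flexible-vlan-tagging
set interfaces ge-1/0/0 unit 100 vlan-id 100
set interfaces ge-1/0/0 unit 100 family inet address 10.0.100.1/24

## 3. Data-plane filter for subscriber traffic. enhanced-mode limits filter
##    creation to the term-based format, so it is referenced by every unit it
##    is applied to instead of being compiled and copied per unit.
set firewall family inet filter SUB-IN enhanced-mode
set firewall family inet filter SUB-IN term allow-dns from protocol udp
set firewall family inet filter SUB-IN term allow-dns from destination-port 53
set firewall family inet filter SUB-IN term allow-dns then accept
set firewall family inet filter SUB-IN term drop-spoofed from source-address 0.0.0.0/8
set firewall family inet filter SUB-IN term drop-spoofed then discard
set firewall family inet filter SUB-IN term default then accept

## 4. Apply the filter statically to the static interface.
set interfaces ge-1/0/0 unit 100 family inet filter input SUB-IN

## Checks after commit and reboot: the chassis reports the enhanced mode, the
## filter carries the enhanced-mode statement, and its counters are present.
show chassis network-services
show configuration firewall family inet filter SUB-IN
show firewall filter SUB-IN
```

Do not put enhanced-mode on a filter that is applied to lo0; the text above reserves enhanced mode for data-plane filters, and a filter that exists only in term-based format cannot be used by the Routing Engine kernel.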
Any firewall filters that are not configured for enhanced mode are created in both compiled and term-based format, even if the chassis is running one of the enhanced network services modes. Conversely, only the term-based (enhanced) format is generated, regardless of the mode configured at the [edit chassis network-services] hierarchy level, if any of the following are true:
Flexible filter match conditions are configured at the [edit firewall family family-name filter filter-name term term-name from] or [edit firewall filter filter-name term term-name from] hierarchy levels.
A tunnel header push or pop action, such as GRE encapsulate or decapsulate, is configured at the [edit firewall family family-name filter filter-name term term-name then] hierarchy level.
Payload-protocol match conditions are configured at the [edit firewall family family-name filter filter-name term term-name from] or [edit firewall filter filter-name term term-name from] hierarchy levels.
An extension-header match is configured at the [edit firewall family family-name filter filter-name term term-name from] or [edit firewall filter filter-name term term-name from] hierarchy levels.
A match condition is configured that only works with MPC cards, such as firewall bridge filters for IPv6 traffic.
A firewall filter that meets any of the previous criteria exists only in term-based format and is therefore not applied to the loopback interface (lo0) on DPC-based FPCs. A term-based (enhanced) filter configured for lo0 on such a chassis is not installed, and the Routing Engine is left unprotected by that filter. Before relying on a control-plane filter, confirm that it uses only standard match conditions and actions and that the enhanced-mode statement is not configured on it.
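The control-plane caveat (do not use enhanced mode, or matches that force the term-based format, on a Routing Engine filter) shown as an added example, not from the original page. The filter names, the port used and the DPC-based chassis are hypothetical, and the flexible-match-mask field names are given as commonly documented for Junos; they are the implicit trigger here, not a recommended lo0 match.

```junos
## Added example (not from the original page); filter names are hypothetical.

## WEAK: the flexible-match-mask condition is an MPC-only match, so this filter
## is generated only in term-based format even without the enhanced-mode
## statement and regardless of the chassis network-services mode.
set firewall family inet filter RE-PROTECT-FLEX term dns from protocol udp
set firewall family inet filter RE-PROTECT-FLEX term dns from flexible-match-mask match-start layer-4
set firewall family inet filter RE-PROTECT-FLEX term dns from flexible-match-mask byte-offset 2
set firewall family inet filter RE-PROTECT-FLEX term dns from flexible-match-mask bit-length 16
set firewall family inet filter RE-PROTECT-FLEX term dns from flexible-match-mask mask-in-hex 0xffff
set firewall family inet filter RE-PROTECT-FLEX term dns from flexible-match-mask prefix 0x0035
set firewall family inet filter RE-PROTECT-FLEX term dns then accept
set firewall family inet filter RE-PROTECT-FLEX term deny-rest then discard
## On a chassis with DPC-based FPCs this binding is not applied to lo0:
## the Routing Engine receives traffic as if no filter were configured.
set interfaces lo0 unit 0 family inet filter input RE-PROTECT-FLEX

## CORRECTED: same intent with standard match conditions and no enhanced-mode,
## so the filter is also produced in compiled format for the RE kernel.
delete interfaces lo0 unit 0 family inet filter input RE-PROTECT-FLEX
set firewall family inet filter RE-PROTECT term dns from protocol udp
set firewall family inet filter RE-PROTECT term dns from destination-port 53
set firewall family inet filter RE-PROTECT term dns then accept
## A real lo0 filter needs further accept terms (management, routing protocols,
## ICMP) before a discard-all term, or the router locks itself out.
set firewall family inet filter RE-PROTECT term deny-rest then discard
set interfaces lo0 unit 0 family inet filter input RE-PROTECT

## Check: the corrected filter must show counters for the lo0 binding.
show firewall filter RE-PROTECT
```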