Configuring Firewall Filters
Follow the steps in the following sections to configure and apply a firewall filter on your switch.
Configuring a Firewall Filter
To configure a firewall filter:
- Configure the family address type, filter name, term name, and at least one match condition—for example, match on packets that contain a specific source address.
To filter Layer 2 traffic (port or VLAN), specify the family address type ethernet-switching.
To filter Layer 3 (routed) traffic, specify the family address type inet (IPv4) or inet6 (IPv6).
To filter Layer 2 circuit interface traffic, specify the family address type ccc.
The filter and term names can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. Each filter name must be unique. A filter can contain one or more terms, and each term name must be unique within a filter.
- Configure additional match conditions. For example, in this configuration the filter matches on Layer 2 packets that contain source port 80:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one from]
user@switch# set source-port 80
In this configuration, the filter matches on VLANs that contain interface ge-0/0/6.0:
[edit firewall family inet filter ingress-interface-match-condition term term-one from]
user@switch# set interface ge-0/0/6.0
You can specify one or more match conditions in a single from statement. For a match to occur, the packet must match all the conditions in the term. The from statement is optional, but if you include it in a term, it can’t be empty. If you omit the from statement, all packets are considered to match.
- If you want to apply a firewall filter to multiple interfaces and be able to see counters specific to each interface, configure the interface-specific option:
[edit firewall family ethernet-switching filter ingress-port-filter]
user@switch# set interface-specific
- In each firewall filter term, specify the actions to take if the packet matches all the conditions in that term. You can specify an action and action modifiers:
To specify a filter action, for example, to discard packets that match the conditions of the filter term:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one then]
user@switch# set discard
You can specify only one action per term (accept, discard, flood, reject, routing-instance, or vlan).
To specify a filter action, for example, to flood packets that match the MAC address on QFX5100/QFX5110/QFX5120-32C/QFX5200/QFX5210:
[edit firewall family ethernet-switching filter f1 term t2 then]
user@switch# set flood
You can configure ingress port-based firewall filters (PACL) to flood or discard the following BPDUs by using the destination MAC address as the match condition.
Protocol    DMAC                 Firewall action
LACP        01:80:c2:00:00:02    Flood/Discard/Count
LLDP        01:80:c2:00:00:0e    Flood/Discard/Count
EAPOL       01:80:c2:00:00:03    Flood/Discard/Count
STP         01:80:c2:00:00:00    Flood/Discard/Count
VSTP        01:00:0c:cc:cc:cd    Flood/Discard/Count
CDP/VTP     01:00:0c:cc:cc:cc    Discard/Count
ISIS L1     01:80:c2:00:00:14    Discard/Count
ISIS L2     01:80:c2:00:00:15    Discard/Count
Note CDP/VTP, ISIS L1/L2 protocols flood by using the default dynamic filter. Therefore, configuring additional filters for these protocols is not necessary.
Because ingress port-based firewall filters (PACL) are applied at the port level, only one filter can be applied to a physical interface in the service provider style configuration.
The native VLAN must be configured to ensure flooding of the untagged BPDUs received on the trunk port. If the native VLAN is not configured, the untagged BPDUs are flooded on all interfaces in the local FPC.
When IGMP snooping or Multicast Listener Discovery (MLD) snooping is enabled, the flood functionality does not work.
If a firewall filter with the flood action is applied on an interface and the interface later goes down, BPDUs received on that interface are still flooded if they satisfy the match conditions.
To specify action modifiers, for example, to count and classify packets to a forwarding class:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one then]
user@switch# set count counter-one
user@switch# set forwarding-class expedited-forwarding
user@switch# set loss-priority high
You can specify any of the following action modifiers in a then statement:
analyzer analyzer-name—Mirror port traffic to a specified analyzer, which you must configure at the [ethernet-switching-options] level.
count counter-name—Count the number of packets that pass this filter term.
Note We recommend that you configure a counter for each term in a firewall filter, so that you can monitor the number of packets that match the conditions specified in each filter term.
Note On QFX3500 and QFX3600 switches, filters automatically count packets that were dropped in the ingress direction because of cyclic redundancy check (CRC) errors.
forwarding-class class—Assign packets to a forwarding class.
log—Log the packet header information in the Routing Engine.
loss-priority priority—Set the priority of dropping a packet.
policer policer-name—Apply rate-limiting to the traffic.
flood—Flood the packets.
syslog—Log an alert for this packet.
If you omit the then statement or don’t specify an action, packets matching all the conditions in the from statement are accepted. Even so, always configure an explicit action in the then statement. You can include only one action statement, but you can use any combination of action modifiers. For an action or action modifier to take effect, all conditions in the from statement must match.
Note: The implicit discard action applies to a firewall filter that is applied to the loopback interface, lo0.
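The following added example, which is not part of the original documentation, brings the steps above together in one Layer 2 ingress port filter. The filter name, term names, counter names and the interface ge-0/0/6 are assumed for illustration, and the lines beginning with # are explanatory comments, not CLI input. The filter discards STP and VSTP BPDUs arriving on an untrusted access port by matching on the destination MAC addresses listed in the table above, counts HTTP traffic, and ends with an explicit counted accept so that every term has a counter; interface-specific keeps the counters separate when the same filter is applied to several ports.

```junos
# Added example (assumed names): Layer 2 PACL for untrusted access ports
# Per-interface counters when the filter is applied to more than one port
set firewall family ethernet-switching filter pacl-access-edge interface-specific
# Term 1: discard STP BPDUs (DMAC 01:80:c2:00:00:00) and count them
set firewall family ethernet-switching filter pacl-access-edge term drop-stp from destination-mac-address 01:80:c2:00:00:00
set firewall family ethernet-switching filter pacl-access-edge term drop-stp then count stp-bpdu-dropped
set firewall family ethernet-switching filter pacl-access-edge term drop-stp then discard
# Term 2: discard VSTP BPDUs (DMAC 01:00:0c:cc:cc:cd) and count them
set firewall family ethernet-switching filter pacl-access-edge term drop-vstp from destination-mac-address 01:00:0c:cc:cc:cd
set firewall family ethernet-switching filter pacl-access-edge term drop-vstp then count vstp-bpdu-dropped
set firewall family ethernet-switching filter pacl-access-edge term drop-vstp then discard
# Term 3: count traffic with source port 80 and let it through
set firewall family ethernet-switching filter pacl-access-edge term count-http from source-port 80
set firewall family ethernet-switching filter pacl-access-edge term count-http then count http-seen
set firewall family ethernet-switching filter pacl-access-edge term count-http then accept
# Term 4: no from statement, so every remaining packet matches; count and accept explicitly
set firewall family ethernet-switching filter pacl-access-edge term accept-rest then count other-accepted
set firewall family ethernet-switching filter pacl-access-edge term accept-rest then accept
# Apply in the ingress direction on the access port (only one ingress filter per port)
set interfaces ge-0/0/6 unit 0 family ethernet-switching filter input pacl-access-edge
```

After the commit, the operational command show firewall filter pacl-access-edge lists the counters; because interface-specific is configured, Junos appends the interface name and direction to each counter name, so applying the same filter to more ports yields a separate count per port. Terms are evaluated in order, so the BPDU terms must precede the catch-all term.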
Configuring Enhanced Egress Firewall Filters (QFX5110 and QFX5220 Switches)
Due to a hardware limitation, the QFX5110 and QFX5220 can only support a maximum of 1000 egress firewall filters (eRACLs). You can increase this number to 2000, by configuring the switch in scaled mode. In this mode, the switch uses ingress TCAM space (IFP) to achieve the higher scale.
To configure the egress filter, specify the family address type inet (IPv4) or inet6 (IPv6), filter name, and term name. Include the applicable scaling option for your switch and specify a match condition and action to take if a match occurs. Then apply the filter in the output direction on the interface.
After configuring, modifying, or deleting a scaling option, you must commit the configuration, and the packet forwarding engine (PFE) must be restarted.
To increase the number of egress filters on the QFX5110, include the egress-to-ingress option in your configuration. You can add this option under any term. The following is a sample configuration:
set firewall family inet filter f1 term t1 from egress-to-ingress
set firewall family inet filter f1 term t1 from source-port 1500
set firewall family inet filter f1 term t1 then accept
set interfaces irb unit 100 family inet filter output f1
To increase the number of egress filters on the QFX5220, include the eracl-scale option under the egress-profile statement. The eracl-scale option is configured globally; when it is enabled, existing egress filters are automatically reinstalled in scaled mode. The following is a sample configuration:
set system packet-forwarding-options firewall eracl-profile eracl-scale
set firewall family inet filter f1 term t1 from source-port 1500
set firewall family inet filter f1 term t1 then accept
set interfaces irb unit 100 family inet filter output f1
When you enable scaled mode, these limitations apply:
You can only apply a filter in the egress direction (traffic exiting the VLAN).
Only inet and inet6 protocol families are supported.
Generic Routing Encapsulation (GRE) interfaces are not supported.
Only use the scaling options for egress firewall filters.
You cannot apply filters with the same match condition to different egress VLANs or Layer 3 interfaces.
The only supported actions are accept, discard, and count.
Match conditions are programmed in the ingress firewall filter TCAM. This means that any counter attached to the filter counts traffic on any incoming VLAN.
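The following added example, which is not part of the original documentation, shows a scaled-mode egress filter on a QFX5220 that stays within the limitations listed above: family inet6, only accept, discard and count as actions, and applied in the output direction only. The filter, term, counter names and the irb unit 200 are assumed; lines beginning with # are explanatory comments, not CLI input.

```junos
# Added example (assumed names): QFX5220 egress IPv6 filter in scaled mode
# Global scaling option; after commit, the PFE must be restarted for the change to take effect
set system packet-forwarding-options firewall eracl-profile eracl-scale
# Term 1: discard and count IPv6 TCP traffic to port 22 leaving the guest IRB
set firewall family inet6 filter egress-v6-guest term drop-ssh from next-header tcp
set firewall family inet6 filter egress-v6-guest term drop-ssh from destination-port 22
set firewall family inet6 filter egress-v6-guest term drop-ssh then count v6-ssh-dropped
set firewall family inet6 filter egress-v6-guest term drop-ssh then discard
# Term 2: count and accept everything else (scaled mode permits accept, discard and count only)
set firewall family inet6 filter egress-v6-guest term allow-rest then count v6-allowed
set firewall family inet6 filter egress-v6-guest term allow-rest then accept
# Apply in the output direction only; input is not supported in scaled mode
set interfaces irb unit 200 family inet6 filter output egress-v6-guest
```

Because the match conditions are programmed in the ingress TCAM, the counters v6-ssh-dropped and v6-allowed reflect matching traffic entering from any VLAN, not only traffic that exits through irb.200; keep this in mind when reading them during an investigation.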
Applying a Firewall Filter to a Port
To apply a firewall filter to a port:
- Provide a meaningful and descriptive name for the firewall filter. The name is what you use to apply the filter to the port.
[edit]
user@switch# set interfaces ge-0/0/6 description "filter to limit tcp traffic at trunk port for employee-vlan"
- Apply the filter to the interface, specifying the unit number, family address type (ethernet-switching), the direction of the filter (for packets entering the port), and the filter name:
[edit]
user@switch# set interfaces ge-0/0/6 unit 0 family ethernet-switching filter input ingress-port-filter
Note: You can apply only one filter to a port in the ingress direction.
Applying a Firewall Filter to a VLAN
VLAN firewall filters are not supported on QFX5100, QFX5100 Virtual Chassis, and QFX5110 switches in an EVPN-VXLAN environment.
To apply a firewall filter to a VLAN:
- Provide a meaningful and descriptive name for the firewall filter. This name is what you use to apply the filter to the VLAN.
Apply firewall filters to filter packets entering or exiting the VLAN:
To apply a filter to match packets entering the VLAN:
To apply a firewall filter to match packets exiting the VLAN:
[edit]
user@switch# set vlans employee-vlan vlan-id 20 filter output egress-vlan-filter
Note You can apply only one filter to a VLAN for a given direction (ingress or egress).
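The following added example, which is not part of the original documentation, applies one filter in each direction on a VLAN: an ingress filter that rate-limits all traffic entering the VLAN with a policer and counts it, and an egress filter that only counts. The VLAN name, VLAN ID 30, policer, filter and counter names are assumed; lines beginning with # are explanatory comments, not CLI input. Both terms omit the from statement, so every packet matches.

```junos
# Added example (assumed names): one ingress and one egress filter on a guest VLAN
# Policer used as an action modifier: traffic above 1 Mbps (64 KB burst) is discarded
set firewall policer guest-1m if-exceeding bandwidth-limit 1m
set firewall policer guest-1m if-exceeding burst-size-limit 64k
set firewall policer guest-1m then discard
# Ingress VLAN filter: no from statement, so all packets entering the VLAN are policed and counted
set firewall family ethernet-switching filter vlan-guest-in term rate-limit then policer guest-1m
set firewall family ethernet-switching filter vlan-guest-in term rate-limit then count guest-in
set firewall family ethernet-switching filter vlan-guest-in term rate-limit then accept
# Egress VLAN filter: count everything leaving the VLAN
set firewall family ethernet-switching filter vlan-guest-out term count-all then count guest-out
set firewall family ethernet-switching filter vlan-guest-out term count-all then accept
# One filter per direction on the VLAN
set vlans guest-vlan vlan-id 30 filter input vlan-guest-in
set vlans guest-vlan vlan-id 30 filter output vlan-guest-out
```

Comparing the guest-in and guest-out counters after the commit gives a quick view of how much traffic the VLAN is sourcing versus receiving; the policer's discards are visible in the policer statistics rather than in the term counter.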
Applying a Firewall Filter to a Layer 3 (Routed) Interface
You can apply a firewall filter to IPv4 and IPv6 interfaces, routed VLAN interfaces (RVI), and the loopback interface. These are all considered Layer 3 routed interfaces.
(QFX5100 and QFX5110 switches) In an EVPN-VXLAN environment, you can use an IRB interface to provide layer 3 connectivity to the switch. To configure an IRB interface, see Example: Configuring IRB Interfaces in an EVPN-VXLAN Environment to Provide Layer 3 Connectivity for Hosts in a Data Center. You can then apply a firewall filter to the IRB interface by following the steps below (only the ingress direction is supported). For a list of supported match conditions, see Firewall Filter Match Conditions and Actions (QFX5100, QFX5110, QFX5120, QFX5200, EX4600, EX4650).
To apply a firewall filter to a Layer 3 interface:
- Provide a meaningful and descriptive name for the firewall filter. This name is what you use to apply the filter to the interface.
[edit]
user@switch# set interfaces ge-0/1/6 description "filter to count and monitor traffic on layer 3 interface"
- Apply the firewall filters.
To filter packets entering the interface:
[edit]
user@switch# set interfaces ge-0/1/6 unit 0 family inet filter input ingress-router-filter
To filter packets exiting the interface:
[edit]
user@switch# set interfaces ge-0/1/6 unit 0 family inet filter output egress-router-filter
The family address type can be either inet (IPv4) or inet6 (IPv6).
Note: You can apply only one filter to an interface for a given direction (ingress or egress).
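The following added example, which is not part of the original documentation, applies a Layer 3 filter to the loopback interface to protect the Routing Engine. Because a filter on lo0 ends with an implicit discard, the example finishes with an explicit counted accept so that routing protocols and other traffic you have not yet enumerated are not silently dropped; tighten that last term once the counters show what is reaching the switch. The management prefix 10.0.100.0/24, the filter, term and counter names are assumed; lines beginning with # are explanatory comments, not CLI input.

```junos
# Added example (assumed names): Routing Engine protection filter on lo0
# Term 1: accept and count SSH from the management prefix
set firewall family inet filter protect-re term allow-mgmt-ssh from source-address 10.0.100.0/24
set firewall family inet filter protect-re term allow-mgmt-ssh from protocol tcp
set firewall family inet filter protect-re term allow-mgmt-ssh from destination-port ssh
set firewall family inet filter protect-re term allow-mgmt-ssh then count re-ssh-allowed
set firewall family inet filter protect-re term allow-mgmt-ssh then accept
# Term 2: SSH from anywhere else is counted, logged via syslog, and discarded
set firewall family inet filter protect-re term deny-other-ssh from protocol tcp
set firewall family inet filter protect-re term deny-other-ssh from destination-port ssh
set firewall family inet filter protect-re term deny-other-ssh then count re-ssh-denied
set firewall family inet filter protect-re term deny-other-ssh then syslog
set firewall family inet filter protect-re term deny-other-ssh then discard
# Term 3: explicit accept for everything else; without it the implicit discard on lo0 would drop it
set firewall family inet filter protect-re term accept-rest then count re-other
set firewall family inet filter protect-re term accept-rest then accept
# Apply in the ingress direction on the loopback interface
set interfaces lo0 unit 0 family inet filter input protect-re
```

The re-ssh-denied counter and its syslog entries give a direct signal of SSH attempts from outside the management prefix, while re-other shows how much traffic the catch-all term is still admitting and therefore where the next explicit terms should go.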
Applying a Firewall Filter to a Layer 2 CCC (QFX10000 Switches)
You can apply firewall filters with count and policer actions on Layer 2 circuit cross-connect (CCC) traffic on QFX10000 switches. This lets you count and monitor the policer activity set at the [edit firewall family ccc] hierarchy level.
In this example, count is the policer action.
set firewall policer traffic-cnt if-exceeding bandwidth-limit 1g
set firewall policer traffic-cnt if-exceeding burst-size-limit 100m
set firewall policer traffic-cnt then loss-priority low
set firewall family ccc filter srTCM-cnt term t1 then policer traffic-cnt
set firewall family ccc filter srTCM-cnt term t1 then count traffic-counter
In this example, discard is the policer action.
set firewall policer discard-traffic if-exceeding bandwidth-limit 1g
set firewall policer discard-traffic if-exceeding burst-size-limit 500m
set firewall policer discard-traffic then discard
set firewall family ccc filter srTCM1 term t1 then policer discard-traffic