Configuring Firewall Filters

Follow the steps in the following sections to configure and apply a firewall filter on your switch.

Configuring a Firewall Filter

To configure a firewall filter:

  1. Configure the family address type, filter name, term name, and at least one match condition—for example, match on packets that contain a specific source address.
    [edit]

    user@switch# set firewall family ethernet-switching filter ingress-port-filter term term-one from source-address 192.0.2.14
    • To filter Layer 2 traffic (port or VLAN), specify the family address type ethernet-switching.

    • To filter Layer 3 (routed) traffic, specify the family address type (inet for IPv4) or (inet6 for IPv6).

    • To filter Layer 2 circuit interface traffic, specify the family address type ccc.

    The filter and term names can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. Each filter name must be unique. A filter can contain one or more terms, and each term name must be unique within a filter.

  2. Configure additional match conditions. For example:

    In this configuration, the filter matches Layer 2 packets whose TCP or UDP source port is 80.

    [edit firewall family ethernet-switching filter ingress-port-filter term term-one from]

    user@switch# set source-port 80

    In this configuration, the filter matches packets that enter on interface ge-0/0/6.0 (useful when a filter is applied to a VLAN and you want it to act only on traffic from one member port).

    [edit firewall family inet filter ingress-interface-match-condition term term-one from]

    user@switch# set interface ge-0/0/6.0


    You can specify one or more match conditions in a single from statement. For a match to occur, the packet must match all the conditions in the term. The from statement is optional, but if you include it in a term, it can’t be empty. If you omit the from statement, all packets are considered to match.

  3. If you want to apply a firewall filter to multiple interfaces and be able to see counters specific to each interface, configure the interface-specific option:
    [edit firewall family ethernet-switching filter ingress-port-filter]

    user@switch# set interface-specific
  4. In each firewall filter term, specify the actions to take if the packet matches all the conditions in that term. You can specify an action and action modifiers:
    • To specify a filter action, for example, to discard packets that match the conditions of the filter term:

      [edit firewall family ethernet-switching filter ingress-port-filter term term-one then]

      user@switch# set discard

      You can specify only one action per term (accept, discard, reject, routing-instance, or vlan).

    • To specify action modifiers, for example, to count and classify packets to a forwarding class:

      [edit firewall family ethernet-switching filter ingress-port-filter term term-one then]

      user@switch# set count counter-one

      user@switch# set forwarding-class expedited-forwarding

      user@switch# set loss-priority high

      You can specify any of the following action modifiers in a then statement:

      • analyzer analyzer-name—Mirror port traffic to a specified analyzer, which you must configure at the [ethernet-switching-options] level.

      • count counter-name—Count the number of packets that pass this filter term.

        Note

        We recommend that you configure a counter for each term in a firewall filter, so that you can monitor the number of packets that match the conditions specified in each filter term.

        Note

        On QFX3500 and QFX3600 switches, filters automatically count packets that were dropped in the ingress direction because of cyclic redundancy check (CRC) errors.

      • forwarding-class class—Assign packets to a forwarding class.

      • log—Log the packet header information on the Routing Engine (view the buffer with show firewall log).

      • loss-priority priority—Set the priority of dropping a packet.

      • policer policer-name—Apply rate-limiting to the traffic.

      • syslog—Log an alert for this packet.

    If you omit the then statement or don't specify an action, packets matching all the conditions in the from statement are accepted. Even so, always configure an explicit action in the then statement. You can include only one action, but any combination of action modifiers. For an action or action modifier to take effect, all conditions in the from statement must match. A packet that matches none of the terms in a filter is discarded by the filter's implicit final action, so end every filter with an explicit accept or discard term that carries a counter; that makes the outcome both intentional and visible.

    Note

    The implicit discard action also applies to a firewall filter applied to the loopback interface, lo0. Traffic destined for the Routing Engine, such as SSH sessions, SNMP queries, and routing-protocol packets, is dropped unless a term in the lo0 filter explicitly accepts it.
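Putting steps 1 through 4 together, here is a complete configuration as an added example; it is not configuration from the original page. The filter, term, counter, and policer names, the 192.0.2.0/24 addresses, and the ge-0/0/6 and ge-0/0/7 ports are constructed for illustration, and the protocol and destination-port match conditions under family ethernet-switching are assumed to be supported on your platform (check the match-condition table for your switch). The second filter shows the loopback caveat from the note above: because every filter ends in an implicit discard, a filter on lo0 must explicitly accept the management and routing-protocol traffic the Routing Engine needs, or that traffic is silently dropped. Lines beginning with # are comments for the reader and are not part of the configuration.

```junos
# Layer 2 port filter built as in steps 1-4 (example; names and addresses are constructed)
# Step 1: family, filter name, term name, and a first match condition
set firewall family ethernet-switching filter ingress-port-filter term block-known-bad from source-address 192.0.2.14/32
# Step 4: exactly one action per term, plus a counter on every term
set firewall family ethernet-switching filter ingress-port-filter term block-known-bad then count block-known-bad-hits
set firewall family ethernet-switching filter ingress-port-filter term block-known-bad then discard
# Step 2: several conditions in one from statement; all of them must match
set firewall family ethernet-switching filter ingress-port-filter term limit-http from protocol tcp
set firewall family ethernet-switching filter ingress-port-filter term limit-http from destination-port 80
set firewall family ethernet-switching filter ingress-port-filter term limit-http then policer http-1m
set firewall family ethernet-switching filter ingress-port-filter term limit-http then count limit-http-hits
set firewall family ethernet-switching filter ingress-port-filter term limit-http then accept
# Final term: no from statement, so it matches everything left; make the accept explicit and count it
set firewall family ethernet-switching filter ingress-port-filter term allow-rest then count allow-rest-hits
set firewall family ethernet-switching filter ingress-port-filter term allow-rest then accept
# Step 3: per-interface counters, because the filter is applied to more than one port
set firewall family ethernet-switching filter ingress-port-filter interface-specific
# Policer referenced by the limit-http term
set firewall policer http-1m if-exceeding bandwidth-limit 1m
set firewall policer http-1m if-exceeding burst-size-limit 15k
set firewall policer http-1m then discard
# Apply in the ingress direction on two access ports
set interfaces ge-0/0/6 unit 0 family ethernet-switching filter input ingress-port-filter
set interfaces ge-0/0/7 unit 0 family ethernet-switching filter input ingress-port-filter

# Loopback (Routing Engine) filter: every term accepts something the switch itself needs,
# because anything no term accepts is dropped by the implicit final discard
set firewall family inet filter protect-re term allow-ssh-from-mgmt from source-address 192.0.2.0/24
set firewall family inet filter protect-re term allow-ssh-from-mgmt from protocol tcp
set firewall family inet filter protect-re term allow-ssh-from-mgmt from destination-port ssh
set firewall family inet filter protect-re term allow-ssh-from-mgmt then count ssh-accepted
set firewall family inet filter protect-re term allow-ssh-from-mgmt then accept
set firewall family inet filter protect-re term allow-ospf from protocol ospf
set firewall family inet filter protect-re term allow-ospf then count ospf-accepted
set firewall family inet filter protect-re term allow-ospf then accept
set firewall family inet filter protect-re term allow-icmp from protocol icmp
set firewall family inet filter protect-re term allow-icmp then policer icmp-1m
set firewall family inet filter protect-re term allow-icmp then count icmp-accepted
set firewall family inet filter protect-re term allow-icmp then accept
# Explicit last term: count and log what the implicit discard would otherwise drop silently
set firewall family inet filter protect-re term deny-rest then count re-discards
set firewall family inet filter protect-re term deny-rest then log
set firewall family inet filter protect-re term deny-rest then discard
set firewall policer icmp-1m if-exceeding bandwidth-limit 1m
set firewall policer icmp-1m if-exceeding burst-size-limit 15k
set firewall policer icmp-1m then discard
set interfaces lo0 unit 0 family inet filter input protect-re
```

Before committing the lo0 filter, list every protocol the switch terminates (SSH, SNMP, NTP, DHCP relay, BGP, OSPF, and so on) and confirm each has an accepting term; the re-discards counter and the log buffer then tell you what you missed instead of leaving you locked out.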

Configuring Enhanced Egress Firewall Filters (QFX5110 and QFX5220 Switches)

Due to a hardware limitation, the QFX5110 and QFX5220 can only support a maximum of 1000 egress firewall filters (eRACLs). You can increase this number to 2000, by configuring the switch in scaled mode. In this mode, the switch uses ingress TCAM space (IFP) to achieve the higher scale.

To configure the egress filter, specify the family address type (inet for IPv4 or inet6 for IPv6), filter name, and term name. Include the applicable scaling option for your switch, and specify a match condition and the action to take if a match occurs. Then apply the filter in the output direction on the interface.

After configuring, modifying, or deleting a scaling option, you must commit the configuration and restart the Packet Forwarding Engine (PFE). Plan for the forwarding interruption that the PFE restart causes.

To increase the number of egress filters on the QFX5110, include the egress-to-ingress option in your configuration. You can add this option under any term. The following is a sample configuration:

To increase the number of egress filters on the QFX5220, include the eracl-scale option under the egress-profile statement. The following is a sample configuration:

Note

The eracl-scale option is a global setting. When you enable it, existing egress filters are automatically reinstalled in scaled mode.

When you enable scaled mode, these limitations apply:

  • You can only apply a filter in the egress direction (traffic exiting the VLAN).

  • Only inet and inet6 protocol families are supported.

  • Generic Routing Encapsulation (GRE) interfaces are not supported.

  • Only use the scaling options for egress firewall filters.

  • You cannot apply filters with the same match condition to different egress VLANs or Layer 3 interfaces.

  • The only supported actions are accept, discard, and count.

  • Match conditions are programmed in the ingress firewall filter TCAM. This means that any counter attached to the filter counts matching traffic arriving on any ingress VLAN, not only traffic that leaves through the VLAN or interface the filter is applied to.

Applying a Firewall Filter to a Port

To apply a firewall filter to a port:

  1. Optionally, give the interface a description that records why the filter is applied. The filter itself is referenced by the name you assigned at the [edit firewall] hierarchy level.
    [edit]

    user@switch# set interfaces ge-0/0/6 description "filter to limit tcp traffic at trunk port for employee-vlan"
  2. Apply the filter to the interface, specifying the unit number, family address type (ethernet-switching), the direction of the filter (input for packets entering the port), and the filter name:
    [edit]

    user@switch# set interfaces ge-0/0/6 unit 0 family ethernet-switching filter input ingress-port-filter
    Note

    You can apply only one filter to a port in the ingress direction.

Applying a Firewall Filter to a VLAN

Note

VLAN firewall filters are not supported on QFX5100, QFX5100 Virtual Chassis, and QFX5110 switches in an EVPN-VXLAN environment.

To apply a firewall filter to a VLAN:

  1. Optionally, give the VLAN a description that records why the filter is applied. The filter itself is referenced by the name you assigned at the [edit firewall] hierarchy level.
    [edit]

    user@switch# set vlans employee-vlan vlan-id 20

    user@switch# set vlans employee-vlan description "filter to block rogue devices on employee-vlan"
  2. Apply firewall filters to filter packets entering or exiting the VLAN:

    • To apply a filter to match packets entering the VLAN:

      [edit]

      user@switch# set vlans employee-vlan filter input ingress-vlan-rogue-block
    • To apply a firewall filter to match packets exiting the VLAN:

      [edit]

      user@switch# set vlans employee-vlan filter output egress-vlan-filter
    Note

    You can apply only one filter to a VLAN for a given direction (ingress or egress).

Applying a Firewall Filter to a Layer 3 (Routed) Interface

You can apply a firewall filter to IPv4 and IPv6 interfaces, routed VLAN interfaces (RVI), and the loopback interface. These are all considered Layer 3 routed interfaces.

Note

(QFX5100 and QFX5110 switches) In an EVPN-VXLAN environment, you can use an IRB interface to provide Layer 3 connectivity to the switch. To configure an IRB interface, see Example: Configuring IRB Interfaces in an EVPN-VXLAN Environment to Provide Layer 3 Connectivity for Hosts in a Data Center. You can then apply a firewall filter to the IRB interface by following the steps below (only the ingress direction is supported). For a list of supported match conditions, see Firewall Filter Match Conditions and Actions (QFX5100, QFX5110, QFX5120, QFX5200, EX4600, EX4650).

To apply a firewall filter to a Layer 3 interface:

  1. Optionally, give the interface a description that records why the filter is applied. The filter itself is referenced by the name you assigned at the [edit firewall] hierarchy level.
    [edit]

    user@switch# set interfaces ge-0/1/6 description "filter to count and monitor traffic on layer 3 interface"
  2. Apply the firewall filters.
    • To filter packets entering the interface:

      [edit]

      user@switch# set interfaces ge-0/1/6 unit 0 family inet filter input ingress-router-filter
    • To filter packets exiting the interface:

      [edit]

      user@switch# set interfaces ge-0/1/6 unit 0 family inet filter output egress-router-filter

      The family address type is inet for IPv4 or inet6 for IPv6.

    Note

    You can apply only one filter to an interface for a given direction (ingress or egress).
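To confirm that a filter is attached and that its terms match the traffic you expect, use the following operational commands. This is an added example, not content from the original page; the filter, counter, VLAN, and interface names are the constructed ones used on this page. With interface-specific configured, Junos instantiates one copy of the filter per interface and appends the interface name and direction to the filter and counter names (-i for input, -o for output), which is what makes per-port counters possible. Lines beginning with # are comments for the reader.

```junos
# Validate syntax and hierarchy before committing
user@switch# commit check
user@switch# commit and-quit

# Confirm the filter is attached to the port, the VLAN, and the Layer 3 interface
user@switch> show configuration interfaces ge-0/0/6 unit 0 family ethernet-switching filter
user@switch> show configuration vlans employee-vlan filter
user@switch> show configuration interfaces ge-0/1/6 unit 0 family inet filter

# All filters and their counters in one view
user@switch> show firewall

# One filter; with interface-specific, the per-port instance is named
# <filter>-<interface>-i (input) or <filter>-<interface>-o (output)
user@switch> show firewall filter ingress-port-filter-ge-0/0/6.0-i
user@switch> show firewall filter ingress-router-filter

# Packet headers recorded by the log action modifier (Routing Engine buffer)
user@switch> show firewall log

# Reset counters, send test traffic that should hit exactly one term,
# then re-run show firewall and confirm only that term's counter moved
user@switch> clear firewall filter ingress-router-filter
user@switch> clear firewall all
```

Because only one filter can be attached per interface per direction, a commit that silently replaces an existing attachment is a common cause of "the filter stopped working"; the show configuration checks above catch that before you look at counters.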

Applying a Firewall Filter to a Layer 2 CCC (QFX10000 Switches)

You can apply firewall filters with count and policer actions to Layer 2 circuit cross-connect (CCC) traffic on QFX10000 switches. Configure these filters at the [edit firewall family ccc] hierarchy level; the count action lets you monitor how much traffic the policer acts on.

In this example, count is the policer action.

In this example, discard is the policer action.