Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Troubleshooting Firewall Filter Configuration

 

Use the following information to troubleshoot your firewall filter configuration.

Firewall Filter Configuration Returns a No Space Available in TCAM Message

Problem

Description: When a firewall filter configuration exceeds the amount of available Ternary Content Addressable Memory (TCAM) space, the system returns the following syslogd message:

A switch returns this message during the commit operation if the firewall filter that has been applied to a port, VLAN, or Layer 3 interface exceeds the amount of space available in the TCAM table. The filter is not applied, but the commit operation for the firewall filter configuration is completed in the CLI module.

Solution

When a firewall filter configuration exceeds the amount of available TCAM table space, you must configure a new firewall filter with fewer filter terms so that the space requirements for the filter do not exceed the available space in the TCAM table.

You can perform either of the following procedures to correct the problem:

To delete the filter and its binding and apply the new smaller firewall filter to the same binding:

  1. Delete the filter and its binding to ports, VLANs, or Layer 3 interfaces. For example:
    [edit]

    user@switch# delete firewall family ethernet-switching filter ingress-vlan-rogue-block

    user@switch# delete vlans employee-vlan description "filter to block rogue devices on employee-vlan"

    user@switch# delete vlans employee-vlan filter input ingress-vlan-rogue-block
  2. Commit the changes:
    [edit]

    user@switch# commit
  3. Configure a smaller filter with fewer terms that does not exceed the amount of available TCAM space. For example:
    [edit]

    user@switch# set firewall family ethernet-switching filter new-ingress-vlan-rogue-block ...
  4. Apply (bind) the new firewall filter to a port, VLAN , or Layer 3 interface. For example:
    [edit]

    user@switch# set vlans employee-vlan description "filter to block rogue devices on employee-vlan"

    user@switch# set vlans employee-vlan filter input new-ingress-vlan-rogue-block
  5. Commit the changes:
    [edit]

    user@switch# commit

To apply a new firewall filter and overwrite the existing binding but not delete the original filter:

  1. Configure a firewall filter with fewer terms than the original filter:
    [edit]

    user@switch# set firewall family ethernet-switching filter new-ingress-vlan-rogue-block...
  2. Apply the firewall filter to the port, VLAN, or Layer 3 interfaces to overwrite the binding of the original filter—for example:
    [edit]

    user@switch# set vlans employee-vlan description "smaller filter to block rogue devices on employee-vlan"

    user@switch# set vlans employee-vlan filter input new-ingress-vlan-rogue-block

    Because you can apply no more than one firewall filter per VLAN per direction, the binding of the original firewall filter to the VLAN is overwritten with the new firewall filter new-ingress-vlan-rogue-block.

  3. Commit the changes:
    [edit]

    user@switch# commit
Note

The original filter is not deleted and is still available in the configuration.

Filter Counts Previously Dropped Packet

Problem

Description: If you configure two or more filters in the same direction for a physical interface and one of the filters includes a counter, the counter will be incorrect if the following circumstances apply:

  • You configure the filter that is applied to packets first to discard certain packets. For example, imagine that you have a VLAN filter that accepts packets sent to 10.10.1.0/24 addresses and implicitly discards packets sent to any other addresses. You apply the filter to the admin VLAN in the output direction, and interface xe-0/0/1 is a member of that VLAN.

  • You configure a subsequent filter to accept and count packets that are dropped by the first filter. In this example, you have a port filter that accepts and counts packets sent to 192.168.1.0/24 addresses that is also applied to xe-0/0/1 in the output direction.

The egress VLAN filter is applied first and correctly discards packets sent to 192.168.1.0/24 addresses. The egress port filter is applied next and counts the discarded packets as matched packets. The packets are not forwarded, but the counter displayed by the egress port filter is incorrect.

Remember that the order in which filters are applied depends on the direction in which they are applied, as indicated here:

Ingress filters:

  1. Port (Layer 2) filter
  2. VLAN filter
  3. Router (Layer 3) filter

Egress filters:

  1. Router (Layer 3) filter
  2. VLAN filter
  3. Port (Layer 2) filter

Solution

This is expected behavior.

Matching Packets Not Counted

Problem

Description: If you configure two egress filters with counters for a physical interface and a packet matches both of the filters, only one of the counters includes that packet.

For example:

  • You configure an egress port filter with a counter for interface xe-0/0/1.

  • You configure an egress VLAN filter with a counter for the adminVLAN, and interface xe-0/0/1 is a member of that VLAN.

  • A packet matches both filters.

In this case, the packet is counted by only one of the counters even though it matched both filters.

Solution

This is expected behavior.

Counter Reset When Editing Filter

Problem

Description: If you edit a firewall filter term, the value of any counter associated with any term in the same filter is set to 0, including the implicit counter for any policer referenced by the filter. Consider the following examples:

  • Assume that your filter has term1, term2, and term3, and each term has a counter that has already counted matching packets. If you edit any of the terms in any way, the counters for all the terms are reset to 0.

  • Assume that your filter has term1 and term2. Also assume that term2 has a policer action modifier and the implicit counter of the policer has already counted 1000 matching packets. If you edit term1 or term2 in any way, the counter for the policer referenced by term2 is reset to 0.

Solution

This is expected behavior.

Cannot Include loss-priority and policer Actions in Same Term

Problem

Description: You cannot include both of the following actions in the same firewall filter term in a QFX Series switch:

  • loss-priority

  • policer

If you do so, you see the following error message when you attempt to commit the configuration: “cannot support policer action if loss-priority is configured.”

Solution

This is expected behavior.

Cannot Egress Filter Certain Traffic Originating on QFX Switch

Problem

Description: On a QFX Series switch, you cannot filter certain traffic with a firewall filter applied in the output direction if the traffic originates on the QFX switch. This limitation applies to control traffic for protocols such as ICMP (ping), STP, LACP, and so on.

Solution

This is expected behavior.

Firewall Filter Match Condition Not Working with Q-in-Q Tunneling

Problem

Description: If you create a firewall filter that includes a match condition of dot1q-tag or dot1q-user-priority and apply the filter on input to a trunk port that participates in a service VLAN, the match condition does not work if the Q-in-Q EtherType is not 0x8100. (When Q-in-Q tunneling is enabled, trunk interfaces are assumed to be part of the service provider or data center network and therefore participate in service VLANs.)

Solution

This is expected behavior. To set the Q-in-Q EtherType to 0x8100, enter the set dot1q-tunneling ethertype 0x8100 statement at the [edit ethernet-switching-options] hierarchy level. You must also configure the other end of the link to use the same Ethertype.

Egress Firewall Filters with Private VLANs

Problem

Description: If you apply a firewall filter in the output direction to a primary VLAN, the filter also applies to the secondary VLANs that are members of the primary VLAN when the traffic egresses with the primary VLAN tag or isolated VLAN tag, as listed below:

  • Traffic forwarded from a secondary VLAN trunk port to a promiscuous port (trunk or access)

  • Traffic forwarded from a secondary VLAN trunk port that carries an isolated VLAN to a PVLAN trunk port.

  • Traffic forwarded from a promiscuous port (trunk or access) to a secondary VLAN trunk port

  • Traffic forwarded from a PVLAN trunk port. to a secondary VLAN trunk port

  • Traffic forwarded from a community port to a promiscuous port (trunk or access)

If you apply a firewall filter in the output direction to a primary VLAN, the filter does not apply to traffic that egresses with a community VLAN tag, as listed below:

  • Traffic forwarded from a community trunk port to a PVLAN trunk port

  • Traffic forwarded from a secondary VLAN trunk port that carries a community VLAN to a PVLAN trunk port

  • Traffic forwarded from a promiscuous port (trunk or access) to a community trunk port

  • Traffic forwarded from a PVLAN trunk port. to a community trunk port

If you apply a firewall filter in the output direction to a community VLAN, the following behaviors apply:

  • The filter is applied to traffic forwarded from a promiscuous port (trunk or access) to a community trunk port (because the traffic egresses with the community VLAN tag).

  • The filter is applied to traffic forwarded from a community port to a PVLAN trunk port (because the traffic egresses with the community VLAN tag).

  • The filter is not applied to traffic forwarded from a community port to a promiscuous port (because the traffic egresses with the primary VLAN tag or untagged).

Solution

These are expected behaviors. They occur only if you apply a firewall filter to a private VLAN in the output direction and do not occur if you apply a firewall filter to a private VLAN in the input direction.

Egress Filtering of L2PT Traffic Not Supported

Problem

Description: Egress filtering of L2PT traffic is not supported on the QFX3500 switch. That is, if you configure L2PT to tunnel a protocol on an interface, you cannot also use a firewall filter to filter traffic for that protocol on that interface in the output direction. If you commit a configuration for this purpose, the firewall filter is not applied to the L2PT-tunneled traffic.

Solution

This is expected behavior.

Cannot Drop BGP Packets in Certain Circumstances

Problem

Description: BGP packets with a time-to-live (TTL) value greater than 1 cannot be discarded using a firewall filter applied to a loopback interface or applied on input to a Layer 3 interface. BGP packets with TTL value of 1 or 0 can be discarded using a firewall filter applied to a loopback interface or applied on input to a Layer 3 interface.

Solution

This is expected behavior.

Invalid Statistics for Policer

Problem

Description: If you apply a single-rate two-color policer in more than 128 terms in a firewall filter, the output of the show firewall command displays incorrect data for the policer.

Solution

This is expected behavior.

Policers can Limit Egress Filters

Problem

Description: On some switches, the number of egress policers you configure can affect the total number of allowed egress firewall filters. Every policer has two implicit counters that take up two entries in a 1024-entry TCAM. These are used for counters, including counters that are configured as action modifiers in firewall filter terms. (Policers consume two entries because one is used for green packets and one is used for nongreen packets regardless of policer type.) If the TCAM becomes full, you are unable to commit any more egress firewall filters that have terms with counters. For example, if you configure and commit 512 egress policers (two-color, three-color, or a combination of both policer types), all of the memory entries for counters get used up. If later in your configuration file you insert additional egress firewall filters with terms that also include counters, none of the terms in those filters are committed because there is no available memory space for the counters.

Here are some additional examples:

  • Assume that you configure egress filters that include a total of 512 policers and no counters. Later in your configuration file you include another egress filter with 10 terms, 1 of which has a counter action modifier. None of the terms in this filter are committed because there is not enough TCAM space for the counter.

  • Assume that you configure egress filters that include a total of 500 policers, so 1000 TCAM entries are occupied. Later in your configuration file you include the following two egress filters:

    • Filter A with 20 terms and 20 counters. All the terms in this filter are committed because there is enough TCAM space for all the counters.

    • Filter B comes after Filter A and has five terms and five counters. None of the terms in this filter are committed because there is not enough memory space for all the counters. (Five TCAM entries are required but only four are available.)

Solution

You can prevent this problem by ensuring that egress firewall filter terms with counter actions are placed earlier in your configuration file than terms that include policers. In this circumstance, Junos OS commits policers even if there is not enough TCAM space for the implicit counters. For example, assume the following:

  • You have 1024 egress firewall filter terms with counter actions.

  • Later in your configuration file you have an egress filter with 10 terms. None of the terms have counters but one has a policer action modifier.

You can successfully commit the filter with 10 terms even though there is not enough TCAM space for the implicit counters of the policer. The policer is committed without the counters.