Planning the Number of Firewall Filters to Create
Understanding How Many Firewall Filters Are Supported
QFX3500 and QFX3600 switches and Node devices support the following maximum number of firewall filter terms per type of attachment point:
- 768 terms for ingress filters
- 1024 terms for egress filters
These totals are applied in aggregate. That is, you can apply a total of 768 port filters, Layer 3 filters, and VLAN filters in the input direction and 1024 port filters, Layer 3 filters, and VLAN filters in the output direction. These maximum values also assume that each filter has only one term. If you create filters with multiple terms (including implicit terms), the maximum number of filters is reduced.
Note: If you want to create more than 512 egress VLAN filters, your first VLAN ID should be 6 and the subsequent VLAN IDs should increase by 1. For example, to create 1024 egress VLAN filters, the first VLAN ID would be 6, the second ID would be 7, and the sequence would continue through VLAN ID 1029. Similarly, if you want to create fewer than 512 egress VLAN filters but want the total number of terms in those filters to exceed 512, you should number your VLAN IDs in the same manner. If you do not use this approach to create your VLAN IDs, the total number of allowed terms or filters will be less than 1024 and might be 512.
The memory for filters is divided into slices that accommodate 256 filters (again assuming that there is one term per filter), and all the filters in a memory slice must be of the same type and applied in the same direction. A memory slice is reserved as soon as you apply a filter. For example, if you create a port filter and apply it in the input direction, a memory slice is reserved that will only store ingress port filters. If you create and apply only one ingress port filter, the rest of this slice is unused and is unavailable for other filter types.
Continuing with the above example, assume that you create and apply 256 ingress port filters with one term each so that one memory slice is filled. This leaves two more memory slices available for ingress filters. (Remember that the maximum number of ingress filters is 768.) If you then create and apply an ingress Layer 3 filter, another memory slice is reserved for ingress Layer 3 filters. As before, the rest of the slice is unused and is unavailable for different filter types. At this point there is one memory slice available for any ingress filter type.
Now assume that you create and apply a VLAN ingress filter. The final memory slice is reserved for VLAN ingress filters. Memory allocation for ingress filters (once again assuming one term per filter) is as follows:
- Slice 1: Filled with 256 ingress port filters. You cannot apply any more ingress port filters.
- Slice 2: Contains one ingress Layer 3 filter. You can apply 255 more ingress Layer 3 filters.
- Slice 3: Contains one ingress VLAN filter. You can apply 255 more ingress VLAN filters.
Here is another example. Assume that you create 257 ingress port filters with one term per filter, that is, one more term than a single memory slice can accommodate. When you apply the filters and commit the configuration, the filter memory allocation is:
- Slice 1: Filled with 256 ingress port filters. You cannot apply any more ingress port filters.
- Slice 2: Contains one ingress port filter. You can apply 255 more ingress port filters.
- Slice 3: This slice is unassigned. You can create and apply 256 ingress filters of any type (port, Layer 3, or VLAN), but all the filters must be of the same type.
Egress Filters
All of the preceding principles also apply to egress filters, but four memory slices are used because IPv4 Layer 3 filters and IPv6 Layer 3 filters are stored in separate slices. The memory slices for egress filters are the same size as those for ingress filters, so the maximum number of egress filter terms is 1024.
Avoid Configuring Too Many Filters
If you violate any of these restrictions and commit a configuration that is not in compliance, Junos OS rejects the excessive filters. For example, if you configure 300 ingress port filters and 300 ingress Layer 3 filters and try to commit the configuration, Junos OS does the following (again assuming one term per filter):
- Accepts the 300 ingress port filters (storing them in two memory slices).
- Accepts the first 256 ingress Layer 3 filters it processes (storing them in the third memory slice).
- Rejects the remaining 44 ingress Layer 3 filters.
Note: In this situation, be sure to delete excessive filters (for example, the remaining 44 ingress Layer 3 filters) from the configuration before you reboot the device. If you reboot a device that has a noncompliant configuration, you cannot predict which filters are installed after the reboot. Using the example above, the 44 ingress Layer 3 filters that were originally rejected might be installed, and 44 of the port filters that were originally accepted might be rejected.
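The slice rules above (256 terms per slice, one filter type and direction per slice, three ingress and four egress slices, filters accepted in processing order until no slice is free) can be modelled to check a planned filter set before committing it. This is an added example, not Junos OS code or Juniper's documentation; the filter type labels, the `plan_filters` and `terms_left` helpers, and the assumption that a multi-term filter must fit inside a single slice are all this example's own.

```python
# Added example (not from the Juniper documentation): a model of the slice
# allocation rules, for checking a planned filter set before commit.
# Assumption: a multi-term filter must fit entirely inside one slice.
SLICE_TERMS = 256                       # terms per memory slice
SLICES = {"ingress": 3, "egress": 4}    # 3*256 = 768 ingress, 4*256 = 1024 egress

def slice_type(direction, ftype):
    """Ingress IPv4 and IPv6 Layer 3 filters share a slice; egress keeps them apart."""
    if direction == "ingress" and ftype in ("l3-ipv4", "l3-ipv6"):
        return "l3"
    return ftype

def plan_filters(filters):
    """filters: list of (direction, type, term_count) in the order Junos processes them.
    Returns (accepted, rejected, slices); slices[direction] is a list of
    {"type": ..., "used": ...} dicts, one per reserved slice."""
    slices = {d: [] for d in SLICES}
    accepted, rejected = [], []
    for flt in filters:
        direction, ftype, terms = flt
        stype = slice_type(direction, ftype)
        placed = False
        # First try an already reserved slice of the same type with enough room.
        for s in slices[direction]:
            if s["type"] == stype and s["used"] + terms <= SLICE_TERMS:
                s["used"] += terms
                placed = True
                break
        # Otherwise reserve an unassigned slice for this type, if any remain.
        if not placed and len(slices[direction]) < SLICES[direction] and terms <= SLICE_TERMS:
            slices[direction].append({"type": stype, "used": terms})
            placed = True
        (accepted if placed else rejected).append(flt)
    return accepted, rejected, slices

def terms_left(slices, direction, ftype):
    """Single-term filters of this type that can still be applied: free room in
    same-type slices plus a full slice for every slice not yet reserved."""
    stype = slice_type(direction, ftype)
    free = sum(SLICE_TERMS - s["used"] for s in slices[direction] if s["type"] == stype)
    unassigned = SLICES[direction] - len(slices[direction])
    return free + unassigned * SLICE_TERMS

if __name__ == "__main__":
    # The page's commit example: 300 ingress port filters, then 300 ingress Layer 3 filters.
    plan = [("ingress", "port", 1)] * 300 + [("ingress", "l3-ipv4", 1)] * 300
    acc, rej, sl = plan_filters(plan)
    print(len(acc), "accepted,", len(rej), "rejected")      # 556 accepted, 44 rejected
    for i, s in enumerate(sl["ingress"], 1):
        print(f"slice {i}: {s['type']} filters, {s['used']} terms used")
```

Running the plan through the model before commit shows which filters would be dropped, so they can be removed from the configuration instead of being silently rejected and then unpredictably reinstalled after a reboot.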