Troubleshooting Firewall Filters

Firewall Filter Configuration Returns a No Space Available in TCAM Message

Problem

When a firewall filter configuration exceeds the amount of available TCAM space, the switch returns the following syslogd message:

No space available in tcam. 
Rules for filter filter-name will not be installed.

The switch returns this message during the commit operation if the firewall filter that has been applied to a port, VLAN, or Layer 3 interface exceeds the amount of available TCAM space. However, the commit operation itself still completes in the CLI module, so the filter remains in the committed configuration even though its rules have not been installed in the TCAM and are not enforced on traffic.
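
One way to catch this condition after a commit, as an added example that is not from this page or from Junos OS itself: a Python check that extracts the filter names from the syslog message above and matches them against the filter bind points in `show configuration | display set` output, reporting every bind point whose filter was committed but not programmed into the TCAM. The log lines and configuration lines below are constructed samples.

```python
import re

# Syslog message quoted on this page; the filter name is captured. \s* tolerates
# the line break shown in the documentation as well as a single-line log entry.
TCAM_MSG = re.compile(
    r"No space available in tcam\.\s*Rules for filter (?P<filter>\S+) will not be installed\."
)

# A filter bind point in "show configuration | display set" output, e.g.
# "set vlans voice-vlan filter input filter-ingress-vlan". Filter definitions
# ("set firewall ... filter <name> term ...") deliberately do not match.
BIND_RE = re.compile(r"^set (?P<bind>.+?) filter (?:input|output) (?P<filter>\S+)$")

# Constructed sample data (not real switch output): the commit succeeded, yet the
# hardware rejected the large filter while the small one on another VLAN was fine.
SAMPLE_LOG = [
    "Jun 22 10:15:02 switch: commit complete",
    "Jun 22 10:15:03 switch: No space available in tcam. "
    "Rules for filter filter-ingress-vlan will not be installed.",
]
SAMPLE_CONFIG = [
    "set firewall family ethernet-switching filter filter-ingress-vlan term t1 then discard",
    "set vlans voice-vlan filter input filter-ingress-vlan",
    "set vlans data-vlan filter input small-filter",
]


def filters_not_installed(log_lines):
    """Names of filters the switch reported as not installed in the TCAM."""
    missing = set()
    for line in log_lines:
        m = TCAM_MSG.search(line)
        if m:
            missing.add(m.group("filter"))
    return missing


def unenforced_bind_points(config_set_lines, log_lines):
    """(bind point, filter) pairs that are committed but not enforced in hardware."""
    missing = filters_not_installed(log_lines)
    hits = []
    for line in config_set_lines:
        m = BIND_RE.match(line.strip())
        if m and m.group("filter") in missing:
            hits.append((m.group("bind"), m.group("filter")))
    return hits


if __name__ == "__main__":
    for bind, name in unenforced_bind_points(SAMPLE_CONFIG, SAMPLE_LOG):
        print(f"filter {name} is bound at '{bind}' but its rules are NOT in the TCAM")
```

Run it against the switch's actual syslog and `show configuration | display set` output after each commit; an empty result means every bound filter was installed.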

Solution

When a firewall filter configuration exceeds the amount of available TCAM table space, you must configure a new firewall filter with fewer filter terms so that the space requirements for the filter do not exceed the available space in the TCAM table.

You can perform either of the following procedures to correct the problem:

To delete the firewall filter and its bind points and apply the new smaller firewall filter to the same bind points:

  1. Delete the firewall filter configuration and the bind points to ports, VLANs, or Layer 3 interfaces—for example:

    [edit]
    user@switch# delete firewall family ethernet-switching filter filter-ingress-vlan
    user@switch# delete vlans voice-vlan description "filter to block rogue devices on voice-vlan"
    user@switch# delete vlans voice-vlan filter input filter-ingress-vlan
  2. Commit the operation:

    [edit]
    user@switch# commit
  3. Configure a smaller filter with fewer terms that does not exceed the amount of available TCAM space on the switch—for example:

    [edit]
    user@switch# set firewall family ethernet-switching filter new-filter-ingress-vlan ...
  4. Apply (bind) the new firewall filter to a port, VLAN, or Layer 3 interface—for example:

    [edit]
    user@switch# set vlans voice-vlan description "filter to block rogue devices on voice-vlan"
    user@switch# set vlans voice-vlan filter input new-filter-ingress-vlan
  5. Commit the operation:

    [edit]
    user@switch# commit

To apply a new firewall filter and overwrite the existing bind points:

  1. Configure a firewall filter with fewer terms than the original filter:

    [edit]
    user@switch# set firewall family ethernet-switching filter new-filter-ingress-vlan ...
  2. Apply the firewall filter to the port, VLAN, or Layer 3 interfaces to overwrite the bind points of the original filter—for example:

    [edit]
    user@switch# set vlans voice-vlan description "smaller filter to block rogue devices on voice-vlan"
    user@switch# set vlans voice-vlan filter input new-filter-ingress-vlan
  3. Commit the operation:

    [edit]
    user@switch# commit

With this second procedure, only the original bind points are replaced; the original firewall filter itself is not deleted and remains in the configuration.


Published: 2010-06-22