Understanding Firewall Filters on OVSDB-Managed Interfaces

When you use a Contrail controller to manage VXLANs on a QFX switch (through the Open vSwitch Database—OVSDB—management protocol), the VXLAN interfaces are automatically configured with the flexible-vlan-tagging and encapsulation extended-vlan-bridge statements. Starting with Junos OS Release 14.1X53-D30, you can create family ethernet-switching logical units (subinterfaces) on these interfaces. This enables you to apply Layer 2 (family ethernet-switching) firewall filters to these subinterfaces, which means that you apply firewall filters to OVSDB-managed interfaces. These filters support all the same match conditions and actions as any other Layer 2 filter.

Because a Contrail controller can create subinterfaces dynamically, you need to apply firewall filters in such a way that the filters will apply to subinterfaces whenever the controller creates them. You accomplish this by using configuration groups to configure and apply the firewall filters. See Example: Applying a Firewall Filter to OVSDB-Managed Interfaces for more information.