Configuring Firewall Filters
Follow the steps in the following sections to configure and apply a firewall filter on your switch.
Configuring a Firewall Filter
To configure a firewall filter:
Configuring Enhanced Egress Firewall Filters (QFX5110 and QFX5220 Switches)
Due to a hardware limitation, the QFX5110 and QFX5220 switches support a maximum of 1000 egress firewall filters (eRACLs). You can increase this number to 2000 by configuring the switch in scaled mode. In this mode, the switch uses ingress TCAM space (IFP) to achieve the higher scale.
To configure the egress filter, specify the family address type (inet for IPv4 or inet6 for IPv6), the filter name, and the term name. Include the applicable scaling option for your switch and specify a match condition and the action to take if a match occurs. Then apply the filter in the output direction on the interface.
After configuring, modifying, or deleting a scaling option, you must commit the configuration, and the packet forwarding engine (PFE) must be restarted.
To increase the number of egress filters on the QFX5110, include the egress-to-ingress option in your configuration. You can add this option under any term. The following is a sample configuration:
set firewall family inet filter f1 term t1 from egress-to-ingress
set firewall family inet filter f1 term t1 from source-port 1500
set firewall family inet filter f1 term t1 then accept
set interfaces irb unit 100 family inet filter output f1
To increase the number of egress filters on the QFX5220, include the eracl-scale option under the eracl-profile statement. The eracl-scale option is configured in global mode. When enabled, existing egress filters are automatically reinstalled in scaled mode. The following is a sample configuration:
set system packet-forwarding-options firewall eracl-profile eracl-scale
set firewall family inet filter f1 term t1 from source-port 1500
set firewall family inet filter f1 term t1 then accept
set interfaces irb unit 100 family inet filter output f1
When you enable scaled mode, these limitations apply:
- You can only apply a filter in the egress direction (traffic exiting the VLAN).
- Only the inet and inet6 protocol families are supported.
- Generic Routing Encapsulation (GRE) interfaces are not supported.
- Use the scaling options only for egress firewall filters.
- You cannot apply filters with the same match condition to different egress VLANs or Layer 3 interfaces.
- The only supported actions are accept, discard, and count.
- Match conditions are programmed in the ingress firewall filter TCAM. This means that any counters attached to the filter count traffic on any incoming VLAN.
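As an added example (not Juniper's tooling and not code from this page), the following Python pre-commit lint parses candidate set commands and flags the scaled-mode limitations listed above before the configuration is committed and the PFE restarted. The sample configuration is constructed: it is the QFX5220 example extended with hypothetical lines that break the limits.

```python
import re
from collections import defaultdict
# Limits the page states for scaled mode (QFX5110 egress-to-ingress / QFX5220 eracl-scale).
ALLOWED_FAMILIES, ALLOWED_ACTIONS = {"inet", "inet6"}, {"accept", "discard", "count"}
TERM_RE = re.compile(r"^set firewall family (\S+) filter (\S+) term \S+ (from|then) (.+)$")
APPLY_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family \S+ filter (input|output) (\S+)$")
# Constructed sample (hypothetical): the page's QFX5220 example plus a reject action, an
# input-direction apply on a GRE interface, and a second filter with the same match on another IRB.
SAMPLE_CONFIG = """
set system packet-forwarding-options firewall eracl-profile eracl-scale
set firewall family inet filter f1 term t1 from source-port 1500
set firewall family inet filter f1 term t1 then accept
set firewall family inet filter f2 term t1 from source-port 1500
set firewall family inet filter f2 term t1 then reject
set interfaces irb unit 100 family inet filter output f1
set interfaces irb unit 200 family inet filter output f2
set interfaces gr-0/0/0 unit 0 family inet filter input f1
"""
def lint_scaled_egress(config):
    """Return (line, problem) pairs violating scaled-mode limits; [] if no scaling option is set."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    if not any("eracl-profile eracl-scale" in l or l.endswith("from egress-to-ingress") for l in lines):
        return []  # limits only apply once a scaling option is configured
    findings, matches, applied = [], defaultdict(set), defaultdict(set)
    for line in lines:
        if m := TERM_RE.match(line):
            family, name, kind, arg = m.groups()
            if family not in ALLOWED_FAMILIES:
                findings.append((line, f"family {family} is not supported in scaled mode"))
            if kind == "from" and arg != "egress-to-ingress":  # scaling option, not a match
                matches[name].add(arg)
            elif kind == "then" and arg.split()[0] not in ALLOWED_ACTIONS:
                findings.append((line, f"action {arg.split()[0]} is not supported in scaled mode"))
        elif m := APPLY_RE.match(line):
            ifname, unit, direction, name = m.groups()
            if ifname.startswith("gr-"):
                findings.append((line, "GRE interfaces are not supported in scaled mode"))
            if direction == "output":
                applied[name].add(f"{ifname}.{unit}")
            else:
                findings.append((line, "scaled mode only supports filters in the output direction"))
    # Identical match conditions must not be applied to different egress interfaces.
    by_match = defaultdict(set)
    for name, ifaces in applied.items():
        by_match[frozenset(matches[name])] |= ifaces
    for cond, ifaces in by_match.items():
        if len(ifaces) > 1:
            findings.append((" / ".join(sorted(cond)), f"same match applied on {sorted(ifaces)}"))
    return findings
```

Running lint_scaled_egress(SAMPLE_CONFIG) reports four findings for the constructed sample; a configuration without either scaling option returns no findings because the limits do not apply.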
Applying a Firewall Filter to a Port
To apply a firewall filter to a port:
Applying a Firewall Filter to a VLAN
VLAN firewall filters are not supported on QFX5100, QFX5100 Virtual Chassis, QFX5110, and QFX5120 switches in an EVPN-VXLAN environment.
To apply a firewall filter to a VLAN:
Applying a Firewall Filter to a Layer 3 (Routed) Interface
You can apply a firewall filter to IPv4 and IPv6 interfaces, routed VLAN interfaces (RVI) (also known as an integrated routing and bridging (IRB) interface), and the loopback interface. These are all considered Layer 3 routed interfaces.
(QFX5100 and QFX5110 switches) In an EVPN-VXLAN environment, you can use an IRB interface to provide Layer 3 connectivity to the switch. To configure an IRB interface, see Example: Configuring IRB Interfaces in an EVPN-VXLAN Environment to Provide Layer 3 Connectivity for Hosts in a Data Center. You can then apply a firewall filter to the IRB interface by following the steps below (only the ingress direction is supported). For a list of supported match conditions, see Firewall Filter Match Conditions and Actions (QFX5100, QFX5110, QFX5120, QFX5200, EX4600, EX4650).
When you apply a filter to an IRB interface associated with a given VLAN, the filter is executed on any Layer 3 interface with a matching VLAN ID. This is because the filter matches on all Layer 3 interfaces with the corresponding VLAN tag.
To apply a firewall filter to a Layer 3 interface:
Applying a Firewall Filter to a Layer 2 CCC (QFX10000 Switches)
You can apply firewall filters with count and policer actions on Layer 2 circuit cross-connect (CCC) traffic on QFX10000 switches. This lets you count and monitor the policer activity set at the [edit firewall family ccc] hierarchy level.
In this example, count is the policer action:
set firewall policer traffic-cnt if-exceeding bandwidth-limit 1g
set firewall policer traffic-cnt if-exceeding burst-size-limit 100m
set firewall policer traffic-cnt then loss-priority low
set firewall family ccc filter srTCM-cnt term t1 then policer traffic-cnt
set firewall family ccc filter srTCM-cnt term t1 then count traffic-counter
In this example, discard is the policer action:
set firewall policer discard-traffic if-exceeding bandwidth-limit 1g
set firewall policer discard-traffic if-exceeding burst-size-limit 500m
set firewall policer discard-traffic then discard
set firewall family ccc filter srTCM1 term t1 then policer discard-traffic