fast-lookup-filter (PTX)

Syntax

Hierarchy Level

Description

On PTX platforms, the fast-lookup-filter (FFT) is available on the Inet, Inet 6, Ethernet-Switching, Any, MPLS (no MPLS label match support), and CCC firewall filter families. Using fast-lookup-filter on output filters prioritizes the filters for fast processing. Applying the fast-lookup-filter configuration to output firewall filters programs them on the fast-lookup-filter block on the device, which enables high-speed line-rate (2 billion packets-per-second) processing of the firewall filters in the egress direction.

Note:

It is mandatory to set the fast-lookup-filter knob to apply the family mpls output filter.

On PTX platforms, only the following firewall filter match conditions and actions are supported for fast lookup filters.

Table 1: Supported firewall filter match conditions for fast lookup filters on PTX platforms (PTX10008 and PTX10001-36MR)

| CLI | IPv6 | IPv4 | MPLS | Ethernet switching | Any | CCC | Except match |
|---|---|---|---|---|---|---|---|
| learn-vlan-id | No | No | No | Yes | Yes | Yes | Yes |
| vlan-id | No | No | No | Yes | Yes | Yes | Yes |
| ttl | Yes | Yes | No | No | No | No | Yes |
| source-port | Yes | Yes | No | Yes | Yes | Yes | Yes |
| destination-port | Yes | Yes | No | Yes | Yes | Yes | Yes |
| source-class | Yes | Yes | No | No | No | Yes | Yes |
| interface-group | No | No | No | No | No | No | Yes |
| forwarding-class | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| loss-priority | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| interface | Yes | Yes | No | Yes | Yes | Yes | Yes |
| destination-mac | No | No | No | Yes | Yes | Yes | Yes |
| source-mac | No | No | No | Yes | Yes | Yes | Yes |
| outer-vlan | No | No | No | Yes | Yes | Yes | Yes |
| inner-vlan | No | No | No | Yes | Yes | Yes | Yes |
| ether-type | Yes | Yes | No | Yes | Yes | Yes | Yes |
| source-address | Yes | Yes | No | Yes | Yes | Yes | Yes |
| source-prefix-list | Yes | Yes | No | Yes | Yes | Yes | Yes |
| destination-address | Yes | Yes | No | Yes | Yes | Yes | Yes |
| destination-prefix-list | Yes | Yes | No | Yes | Yes | Yes | Yes |
| dscp | Yes | Yes | NA | Yes | Yes | Yes | Yes |
| Is-fragment | Yes | No | NA | Yes | Yes | Yes | Yes |
| Ip-options | Yes | Yes | NA | No | No | No | Yes |
| protocol | Yes | Yes | NA | Yes | Yes | Yes | Yes |
| src-port | Yes | Yes | NA | Yes | Yes | Yes | Yes |
| dst-port | Yes | Yes | NA | Yes | Yes | Yes | Yes |
| icmp-type | Yes | Yes | NA | Yes | Yes | Yes | Yes |
| icmp-code | Yes | Yes | NA | Yes | Yes | Yes | Yes |
| tcp-flags | Yes | Yes | NA | Yes | Yes | Yes | Yes |
| tcp-initial | Yes | Yes | NA | Yes | Yes | Yes | Yes |
| tcp-established | Yes | Yes | NA | Yes | Yes | Yes | Yes |
| gre-key | No | No | NA | NA | NA | NA | Yes |
| vxlan-header | No | No | NA | NA | NA | NA | Yes |

Note:

For supported firewall filter match conditions for fast lookup filters on PTX platforms (PTX10008 and PTX10001-36MR):

  • Only 8 unique firewall filters per PFE are supported across all supported firewall filter families.

  • Fast lookup is applicable only for output filters.

  • Unsupported firewall filter matches and actions are processed from the default processing pipeline, and are not programmed on the fast-lookup-filter block.

  • Fast lookup filters are limited to 4096 rules of 96 bits or 2048 rules of 192 bits or 1024 rules of 384 bits.

  • A maximum of 256 logical interface (IFL) bindings is supported for interface-specific filters per PFE.

  • The fast-lookup-filter configuration cannot be applied on input filters.

  • There is no support for split filter or filter chaining.

  • The fast-lookup-filter configuration cannot be used to prioritize amongst the 8 unique fast lookup filters.

  • Fast lookup filters do not support slow counters. Counter scale is limited to 48 thousand counters per PFE (Packet Forwarding Engine).
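
An added example, not from the Juniper documentation: a small Python lint that applies the IPv4 and IPv6 columns of Table 1 and the notes above to a `set`-format configuration, flagging terms that fall back to the default pipeline and fast lookup filters bound as input. The filter names, interfaces and sample configuration are constructed; placing the statement under `firewall family <family> filter <name>` and treating the device as a single PFE are assumptions.

```python
import re

# Rows marked "No" in Table 1 (PTX10008 / PTX10001-36MR), IPv6 and IPv4 columns.
# The page prints "Is-fragment"; the lowercase CLI spelling is assumed here.
_NO_V6 = {"learn-vlan-id", "vlan-id", "interface-group", "destination-mac",
          "source-mac", "outer-vlan", "inner-vlan", "gre-key", "vxlan-header"}
UNSUPPORTED = {"inet6": _NO_V6, "inet": _NO_V6 | {"is-fragment"}}
MAX_FILTERS_PER_PFE = 8  # page limit; this sketch assumes a single PFE

FLT = re.compile(r"set firewall family (\S+) filter (\S+) (.+)")
ATT = re.compile(r"set interfaces (\S+) unit (\S+) family (\S+) "
                 r"filter (input|output) (\S+)")
# Constructed sample configuration (hypothetical names and interfaces).
SAMPLE = """
set firewall family inet filter EDGE-OUT fast-lookup-filter
set firewall family inet filter EDGE-OUT term telnet from protocol tcp
set firewall family inet filter EDGE-OUT term telnet from destination-port 23
set firewall family inet filter EDGE-OUT term telnet then discard
set firewall family inet filter EDGE-OUT term frags from is-fragment
set firewall family inet filter EDGE-OUT term frags then discard
set firewall family inet6 filter V6-IN fast-lookup-filter
set firewall family inet6 filter V6-IN term all then accept
set interfaces et-0/0/1 unit 0 family inet filter output EDGE-OUT
set interfaces et-0/0/2 unit 0 family inet6 filter input V6-IN
"""

def lint(config):
    """Return findings for filters that carry the fast-lookup-filter statement."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    parsed = [m.groups() for m in map(FLT.match, lines) if m]
    fast = {(fam, name) for fam, name, rest in parsed if rest == "fast-lookup-filter"}
    findings = []
    for fam, name, rest in parsed:
        t = re.match(r"term (\S+) from (\S+)", rest)
        if t and (fam, name) in fast and t.group(2) in UNSUPPORTED.get(fam, ()):
            findings.append(f"{name} term {t.group(1)}: '{t.group(2)}' is not "
                            f"supported for {fam}; default pipeline handles it")
    for m in filter(None, map(ATT.match, lines)):
        intf, unit, fam, direction, name = m.groups()
        if direction == "input" and (fam, name) in fast:
            findings.append(f"{name}: fast-lookup-filter applied as input "
                            f"on {intf}.{unit}")
    if len(fast) > MAX_FILTERS_PER_PFE:
        findings.append(f"{len(fast)} fast lookup filters exceed the limit "
                        f"of {MAX_FILTERS_PER_PFE} per PFE")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

A term that silently falls back to the default pipeline still filters traffic, but not at the line rate the fast-lookup block provides, which is why the lint reports it rather than treating it as an error.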

Table 2: Supported firewall filter match conditions for fast lookup filters on PTX platforms (PTX10002-36QDD and PTX12008)

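| CLI | IPv6 | IPv4 | MPLS | Ethernet switching | Any | CCC | Except match |
|---|---|---|---|---|---|---|---|
| gre-key | Yes | No | No | No | No | No | No |
| first-fragment | No | Yes | No | No | No | No | No |
| Is-fragment | No | Yes | No | Yes | Yes | Yes | No |
| fragment-offset | No | Yes | No | No | No | No | No |
| packet-length | Yes | Yes | No | Yes | No | Yes | No |
| bottom-of-stack0 | No | No | Yes | No | No | No | No |
| bottom-of-stack1 | No | No | Yes | No | No | No | No |
| exp0 | No | No | Yes | No | No | No | No |
| exp0-except | No | No | Yes | No | No | No | No |
| exp1 | No | No | Yes | No | No | No | No |
| exp1-except | No | No | Yes | No | No | No | No |
| label0 | No | No | Yes | No | No | No | No |
| label0-except | No | No | Yes | No | No | No | No |
| label1 | No | No | Yes | No | No | No | No |
| label1-except | No | No | Yes | No | No | No | No |
| ttl0 | No | No | Yes | No | No | No | No |
| ttl0-except | No | No | Yes | No | No | No | No |
| ttl1 | No | No | Yes | No | No | No | No |
| ttl1-except | No | No | Yes | No | No | No | No |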

Note:

MPLS exp bits are overwritten by DSCP rewrite rules (if they are not explicitly configured, the default rules are applied) before the packet reaches the FFT. The match must be applied to the overwritten exp bits.

Note:

For supported firewall filter match conditions for fast lookup filters on PTX platforms (PTX10002-36QDD and PTX12008):

  • A total of 128 filters is supported, with a maximum of 8192 firewall filter rules.

  • Fast lookup is applicable only for output filters.

  • Unsupported firewall filter matches and actions are processed from the default processing pipeline, and are not programmed on the fast-lookup-filter block.

  • The fast-lookup-filter configuration cannot be applied on input filters.

  • There is no support for split filter or filter chaining.

  • Virtual filter numbers are supported, and hence 32K IFL attachments are supported.

  • A maximum of 256 counters per filter is supported for interface-specific filters. More than 256 counters are supported for non-interface-specific filters.

  • FFT supports both slow and fast counters.

  • FFT supports IPv4, IPv6, MPLS and ANY firewall filter families. IPv4, IPv6 and MPLS firewall filters can be attached to the same logical interface (IFL) at the same time.

Table 3: Supported firewall filter actions for fast lookup filters on PTX platforms

| CLI | Supported? |
|---|---|
| accept | Yes |
| discard | Yes |
| reject | Yes |
| count | Yes |
| forwarding-class | Yes |
| traffic-class | No |
| loss-priority | Yes |
| policer | Yes |
| sample | Yes |
| syslog | Yes |

The following table shows a comparison of FFT support on the respective platforms.

Table 4: Comparison of FFT support

| Features | Fast lookup filters on PTX platforms (PTX10008 and PTX10001-36MR) | Fast lookup filters on PTX platforms (PTX10002-36QDD and PTX12008) | Details |
|---|---|---|---|
| Physical filters | 8 | 128 | |
| Maximum terms per filter | 4K | 8K | For interface-specific filters on PTX10002-36QDD and PTX12008, only 256 unique counters can be added even if supported terms are 4K per filter. On PTX10002-36QDD and PTX12008, a maximum 8K terms can be configured if more than one filter is configured in the PFE. |
| Maximum IFLs per filter | 256 | 32K | For fast lookup filters on PTX platforms (PTX10008 and PTX10001-36MR) one physical filter can be attached to only 256 IFLs. For fast lookup filters on PTX platforms (PTX10002-36QDD and PTX12008) one physical filter can be attached with 16K IFLs and a total of 32K maximum IFLs can be attached. |
| Maximum counters/policers per filter per attachment | 256 | 4K | For fast lookup filters on PTX platforms (PTX10008 and PTX10001-36MR) for interface-specific filters one physical filter can support only 256 unique counters/policers. For fast lookup filters on PTX platforms (PTX10002-36QDD and PTX12008) for interface-specific filter, one physical filter can support 256 unique counters and policers per filter per attachment. |
| Virtual filters | NA | 32K | |
| MPLS label match | No support | label0 and label1 matches are supported. | For fast lookup filters on PTX platforms (PTX10002-36QDD and PTX12008) only new or old labels can be matched. |

Note:

Match conditions on fast lookup filters on PTX platforms (PTX10008 and PTX10001-36MR) were introduced in Junos 24.2R1.

Match conditions on fast lookup filters on PTX platforms (PTX10002-36QDD and PTX12008) were introduced in Junos 25.2R1.

Required Privilege Level

firewall—To view this statement in the configuration.

firewall-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Evolved 23.1 R1 for PTX platforms.