prefix-scale-mode
Syntax
prefix-scale-mode src-and-dest
Hierarchy Level
[edit firewall family <inet/inet6> filter <filter-name>]
Description
The prefix-scale-mode feature significantly expands the
capacity for prefix-based matches in firewall filters, allowing you to
configure more IP prefixes than standard firewall filters support. When
prefix-scale-mode is enabled, you can configure:
- Up to 225,000 prefixes per firewall filter
- Up to 1 million prefixes total across multiple firewall filters (combined capacity for Inet and Inet6 firewall filter families)
Setting the src-and-dest flag of the
prefix-scale-mode configuration command is mandatory
because it enables the use of source-address and
destination-address match conditions in the firewall
filter to match prefixes at the aforementioned scale.
The following is an example configuration to demonstrate the use of
prefix-scale-mode.
set firewall family inet filter f1 prefix-scale-mode src-and-dest
set firewall family inet filter f1 term t1 from source-address 10.0.0.1/32
set firewall family inet filter f1 term t1 from destination-address 10.0.0.9/32
set firewall family inet filter f1 term t1 then count c-1
This feature gains prefix scale at the cost of forwarding performance.
prefix-scale-mode requires additional
processing. As a result, packet forwarding throughput is reduced
compared to standard filtering operations.
Platform and firewall filter family support
- This feature is available only on BX-based platforms: PTX10002 and PTX10008 LC1301 (enhanced mode)
- Inet and Inet6 families
The following are the capacity limits:
- IPv4 prefix capacity:
  - Single firewall filter: Up to 225,000 prefixes
  - Multiple firewall filters combined: Up to 1 million prefixes in total
- IPv6 prefixes with lengths up to /64:
  - Single firewall filter: Up to 225,000 /64 prefixes
  - Multiple firewall filters combined: Up to 500,000 /64 prefixes in total
- IPv6 prefixes with lengths between /65 and /128:
  - Single firewall filter: Up to 225,000 /128 prefixes
  - Multiple firewall filters combined: Up to 250,000 /128 prefixes in total
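An added example, not part of the Juniper documentation: a pre-commit check that counts the prefixes in set-format configuration against the limits listed above, which is useful before loading a large blocklist into a filter. The function names, the regular expression (it covers only the command shapes shown in this page's example), counting a repeated prefix once per filter, and checking the three capacity classes independently are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Limits quoted on this page; checking the three classes independently is an assumption.
PER_FILTER = 225_000
COMBINED = {"ipv4": 1_000_000, "ipv6_le64": 500_000, "ipv6_gt64": 250_000}

# Matches only the set-command shapes shown in the page's example configuration.
LINE = re.compile(
    r"set firewall family (inet6?) filter (\S+) (?:(prefix-scale-mode src-and-dest)"
    r"|term \S+ from (?:source|destination)-address (\S+))$")

def bucket(net):  # capacity class used in the page's limit list
    if net.version == 4:
        return "ipv4"
    return "ipv6_le64" if net.prefixlen <= 64 else "ipv6_gt64"

def audit(config, per_filter=PER_FILTER, combined=COMBINED):
    """Return (totals per class, findings) for filters using prefix-scale-mode."""
    scaled, nets = set(), defaultdict(set)
    for m in filter(None, (LINE.match(s.strip()) for s in config.splitlines())):
        family, name, flag, prefix = m.groups()
        if flag:
            scaled.add((family, name))
        else:
            # Assumption: a prefix repeated inside one filter is counted once.
            nets[(family, name)].add(ipaddress.ip_network(prefix, strict=False))
    totals, findings = Counter(), []
    for key in sorted(nets):
        if key not in scaled:
            continue  # standard filter: the limits on this page do not apply
        if len(nets[key]) > per_filter:
            findings.append(f"filter {key[1]}: {len(nets[key])} prefixes > {per_filter}")
        totals.update(bucket(n) for n in nets[key])
    for cls, limit in combined.items():
        if totals[cls] > limit:
            findings.append(f"{cls}: {totals[cls]} prefixes > {limit} combined")
    return dict(totals), findings

# Constructed sample input (documentation address ranges), not a real configuration.
SAMPLE = """\
set firewall family inet filter f1 prefix-scale-mode src-and-dest
set firewall family inet filter f1 term t1 from source-address 192.0.2.1/32
set firewall family inet filter f1 term t1 from destination-address 198.51.100.0/24
set firewall family inet6 filter f6 prefix-scale-mode src-and-dest
set firewall family inet6 filter f6 term t1 from source-address 2001:db8:1::/48
set firewall family inet6 filter f6 term t1 from source-address 2001:db8::1/128
set firewall family inet filter plain term t1 from source-address 203.0.113.0/24
"""
```

Calling `audit(SAMPLE)` returns the per-class totals and an empty findings list; passing smaller `per_filter` and `combined` values makes the same sample trip the checks.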
The following are the supported firewall filter features when
prefix-scale-mode is enabled.
- Interface-specific firewall filter
- Incremental and non-incremental updates
- Input lists
- Two-pass firewall filters
- Transient firewall filters
- Rollback on error
Caveats
The following caveats are checked at CLI commit.
- Not supported on egress firewall filter attachments
- Not supported on loopback firewall filters (firewall filters attached to loopback interfaces)
- Not supported on FFT firewall filters
- Not supported on Routing table and VRF firewall filters (L3 firewall filters)
- Not supported on IRB firewall filters
- Not supported for firewall filter family ANY
- Not supported on firewall filter chains
- On terminated tunnels, prefix-scale-mode firewall filters cannot be attached to the outer transport header.
- On non-terminated tunnels, prefix-scale-mode firewall filters cannot be applied to inner payload traffic.
Default
Feature is inactive without configuration.
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Evolved Release 25.4 R1