epacl-firewall-optimization

Syntax

epacl-firewall-optimization;

Hierarchy Level

[edit chassis forwarding-options]

Description

Enable epacl-firewall-optimization so that firewall filters can use Layer 2 and Layer 3 match conditions together, which is required for micro-segmentation in VXLAN deployments. Filtering is supported in both the ingress and egress directions. (Egress filtering on plain VLANs does not require this statement.)

For example, to create micro-segmentation in a VXLAN, first enable the epacl-firewall-optimization statement at the [edit chassis forwarding-options] hierarchy level, and then create the firewall filter terms with the match conditions you want to filter on.

For both VLANs and VXLANs, you can use the following match conditions:

  • ip-source-address
  • ip-destination-address
  • destination-port
  • user-vlan-id
  • source-mac-address
  • destination-mac-address
  • ip-protocol

Valid actions are accept, count, and discard.

The following configuration sample shows how to configure a QFX5110 switch that is part of a VXLAN to provide Layer 2 filtering in the egress direction. First, enable epacl-firewall-optimization on the device; then create a Layer 2 firewall filter named epacl and apply it in the output direction on interface xe-0/0/10.0. Term t1 accepts and counts frames from the source MAC address 00:00:5e:00:53:a1/48; term t2 counts and discards all other frames. Keeping the final discard term explicit, with its own counter, is what makes the dropped traffic visible, since a filter otherwise ends in an implicit discard that is not counted.

set chassis forwarding-options epacl-firewall-optimization
set firewall family ethernet-switching filter epacl term t1 from source-mac-address 00:00:5e:00:53:a1/48
set firewall family ethernet-switching filter epacl term t1 then accept
set firewall family ethernet-switching filter epacl term t1 then count epacl-accept
set firewall family ethernet-switching filter epacl term t2 then discard
set firewall family ethernet-switching filter epacl term t2 then count epacl-discard
set interfaces xe-0/0/10 unit 0 family ethernet-switching filter output epacl
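The sample above filters only on a source MAC address. The following commands are an added example, not configuration from the original page, that builds on it to apply a Layer 3 micro-segmentation policy in the ingress direction, using the ip-source-address, ip-destination-address, ip-protocol and destination-port match conditions listed earlier: only TCP port 443 traffic from one workload segment to the web tier is accepted, and everything else from that interface is counted and dropped. The filter name web-seg, the prefixes 10.0.10.0/24 and 10.0.20.0/24, the counter names and the interface xe-0/0/11 are assumptions chosen for illustration. The lines beginning with # are annotations for the reader and should be omitted when pasting into configuration mode.

```junos
# Added example (not from the original page); names and addresses are assumed.
# Enable L2+L3 match conditions for VXLAN micro-segmentation.
set chassis forwarding-options epacl-firewall-optimization
# t1: allow hosts in 10.0.10.0/24 to reach the web tier in 10.0.20.0/24 on TCP 443 only.
set firewall family ethernet-switching filter web-seg term t1 from ip-source-address 10.0.10.0/24
set firewall family ethernet-switching filter web-seg term t1 from ip-destination-address 10.0.20.0/24
set firewall family ethernet-switching filter web-seg term t1 from ip-protocol tcp
set firewall family ethernet-switching filter web-seg term t1 from destination-port 443
set firewall family ethernet-switching filter web-seg term t1 then accept
set firewall family ethernet-switching filter web-seg term t1 then count web-seg-accept
# t2: every other packet arriving on this interface is counted, then discarded.
# Making this term explicit (rather than relying on the implicit discard at the
# end of the filter) is what gives you a visible drop counter.
set firewall family ethernet-switching filter web-seg term t2 then count web-seg-discard
set firewall family ethernet-switching filter web-seg term t2 then discard
# Apply the filter in the input direction on the VXLAN-facing access port.
set interfaces xe-0/0/11 unit 0 family ethernet-switching filter input web-seg
```

After committing, check the policy with show firewall filter web-seg, which lists the web-seg-accept and web-seg-discard counters. If the expected HTTPS flows fail while web-seg-discard rises and web-seg-accept stays flat, the usual causes are a wrong prefix or port in term t1, the filter being attached in the wrong direction, or epacl-firewall-optimization not having been committed before the Layer 3 match conditions were used.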

Default

Not enabled.

Required Privilege Level

interface—To view this statement in the configuration.

interface-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 21.1R1 for QFX5110 and QFX5120 Series switches.