Routing Policy and Firewall Filters

  • Support for microsegmentation on VLANs and VXLANs (QFX5110 and QFX5120)—Starting in Junos OS Release 21.1R1, you can configure egress filters with Layer 2 and Layer 3 match conditions in both VLAN and VXLAN deployments. Junos OS already supports filtering on Layer 2 match conditions in the ingress direction.

    To use egress filters for microsegmentation in a VXLAN, enable the epacl-firewall-optimization statement at the [edit chassis] level of the hierarchy and create the firewall rules with the match conditions that you want to filter on. For egress filtering on VLANs, you don't need to enable epacl-firewall-optimization. Both the QFX5110 and QFX5120 support egress filtering, for VLANs and VXLANs, with the following match conditions:

    • ip-source-address
    • ip-destination-address
    • destination-port
    • destination-mac-address
    • user-vlan-id
    • ip-protocol
    • source-mac-address

    Valid actions for these rules are accept, count, and discard.

    [See Overview of Firewall Filters (QFX Series) and Understanding Firewall Filter Match Conditions.]
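
A pre-deployment check for the constraints above, as an added example that is not part of the Juniper release notes: it lints a planned set of egress filters against the platforms, match conditions and actions listed here, and against the VXLAN requirement for epacl-firewall-optimization. The plan dictionary layout and the `lint_egress_plan` name are assumptions made for this illustration, and the sample plan is constructed.

```python
# Added example: lint a planned egress-filter rollout against the constraints
# stated in the release note. The plan layout is hypothetical, not Junos syntax.
SUPPORTED_PLATFORMS = {"QFX5110", "QFX5120"}
EGRESS_MATCH_CONDITIONS = {
    "ip-source-address", "ip-destination-address", "destination-port",
    "destination-mac-address", "user-vlan-id", "ip-protocol",
    "source-mac-address",
}
VALID_ACTIONS = {"accept", "count", "discard"}


def lint_egress_plan(plan):
    """Return a list of findings; an empty list means the plan fits the note."""
    findings = []
    if plan["platform"] not in SUPPORTED_PLATFORMS:
        findings.append(f"{plan['platform']}: platform not named in the release note")
    optimized = plan.get("epacl_firewall_optimization", False)
    for flt in plan["filters"]:
        # VXLAN egress filtering needs the chassis statement; VLAN does not.
        if flt["deployment"] == "vxlan" and not optimized:
            findings.append(f"{flt['name']}: VXLAN egress filter needs "
                            "epacl-firewall-optimization at [edit chassis]")
        for term in flt["terms"]:
            where = f"{flt['name']}/{term['name']}"
            for cond in sorted(set(term["match"]) - EGRESS_MATCH_CONDITIONS):
                findings.append(f"{where}: match condition '{cond}' not listed for egress")
            for action in sorted(set(term["actions"]) - VALID_ACTIONS):
                findings.append(f"{where}: action '{action}' not listed as valid")
    return findings


# Constructed sample plan (names and values are illustrative only).
SAMPLE_PLAN = {
    "platform": "QFX5120",
    "epacl_firewall_optimization": False,
    "filters": [
        {"name": "app-to-db", "deployment": "vxlan", "terms": [
            {"name": "allow-sql", "match": ["ip-source-address", "destination-port"],
             "actions": ["count", "accept"]},
            {"name": "drop-rest", "match": ["source-port"], "actions": ["log", "discard"]},
        ]},
        {"name": "mgmt-vlan", "deployment": "vlan", "terms": [
            {"name": "drop-all", "match": ["user-vlan-id"], "actions": ["discard"]},
        ]},
    ],
}

if __name__ == "__main__":
    for finding in lint_egress_plan(SAMPLE_PLAN):
        print(finding)
```

A finding means only that the item is absent from the lists in this release note; the linked firewall filter documentation remains the authority on what the platform accepts.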