Routing Policy and Firewall Filters

  • Support for IPv4 and IPv6 firewall filters on Layer 3 gateways in EVPN-VXLAN fabrics (QFX5210)—Starting in Junos OS Release 21.4R1, QFX5210 switches acting as Layer 3 gateways in EVPN-VXLAN fabrics support IPv4 and IPv6 firewall filters in the ingress direction of the IRB interface. We recommend that you do not apply filters on the RIOT loopback interface. The switch supports the following match conditions:

    • source-address
    • destination-address
    • source-port
    • destination-port
    • ttl
    • ip-protocol
    • hop-limit

    The supported actions are:

    • accept
    • discard
    • log
    • syslog
    • policer

    The QFX5210 does not support filter-based forwarding (FBF).

    [See Firewall Filter Match Conditions and Actions (QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, QFX5700, EX4600, EX4650).]

  • Support for source-port and destination-port range optimize conditions to reduce the TCAM space—Starting in Junos OS Release 21.4R1, we support the source-port-range-optimize and the destination-port-range-optimize conditions at the [edit firewall family ethernet-switching filter <filter-name> term <term-name> from] hierarchy level. This configuration considerably reduces ternary content addressable memory (TCAM) space usage. QFX Series switches support up to 24 non-contiguous matching conditions for the source-port-range-optimize and destination-port-range-optimize options.

    [See Firewall Filter Match Conditions and Actions (QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, QFX5700, EX4600, EX4650).]
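
An ingress IRB filter pair for the QFX5210 Layer 3 gateway item above, written here as an added example (not taken from the Juniper documentation) that uses only match conditions and actions from the supported lists. The filter names, the irb unit number, and the prefixes are constructed placeholders, and the scenario (keeping a tenant VLAN away from a management prefix) is an assumption.

```junos
# Constructed example: tenant VLAN routed on irb.100; management prefixes are
# documentation ranges (192.0.2.0/24, 2001:db8:ffff::/48) standing in for real ones.

# IPv4: log and drop tenant traffic aimed at the management prefix, accept the rest.
set firewall family inet filter TENANT100-V4-IN term deny-mgmt from destination-address 192.0.2.0/24
set firewall family inet filter TENANT100-V4-IN term deny-mgmt then log
set firewall family inet filter TENANT100-V4-IN term deny-mgmt then syslog
set firewall family inet filter TENANT100-V4-IN term deny-mgmt then discard
set firewall family inet filter TENANT100-V4-IN term allow-rest then accept

# IPv6: same policy for the inet6 family.
set firewall family inet6 filter TENANT100-V6-IN term deny-mgmt from destination-address 2001:db8:ffff::/48
set firewall family inet6 filter TENANT100-V6-IN term deny-mgmt then log
set firewall family inet6 filter TENANT100-V6-IN term deny-mgmt then syslog
set firewall family inet6 filter TENANT100-V6-IN term deny-mgmt then discard
set firewall family inet6 filter TENANT100-V6-IN term allow-rest then accept

# Apply in the ingress direction of the IRB interface only.
# Nothing is bound to the RIOT loopback, and no term relies on
# filter-based forwarding, which the QFX5210 does not support.
set interfaces irb unit 100 family inet filter input TENANT100-V4-IN
set interfaces irb unit 100 family inet6 filter input TENANT100-V6-IN
```

The explicit allow-rest term matters because a Junos firewall filter ends with an implicit discard; without it, all other tenant traffic entering the IRB would be dropped.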