Understanding Firewall Filters on OVSDB-Managed Interfaces
When you use a Contrail controller to manage VXLANs on a supported switch (through the Open vSwitch Database (OVSDB) management protocol), the VXLAN interfaces are automatically configured with the flexible-vlan-tagging and encapsulation extended-vlan-bridge statements. You can create family ethernet-switching logical units (subinterfaces) on these interfaces. You can then apply Layer 2 (family ethernet-switching) firewall filters to these subinterfaces, which in effect applies firewall filters to OVSDB-managed interfaces. These filters support all the same match conditions and actions as any other Layer 2 filter.
Firewall filters are the only supported configuration items on family
ethernet-switching subinterfaces of OVSDB-managed interfaces. Layer 2 (port) filters
are the only allowed filters.
Because a Contrail controller can create subinterfaces dynamically, you need to apply firewall filters in such a way that the filters will apply to subinterfaces whenever the controller creates them. You accomplish this by using configuration groups to configure and apply the firewall filters. See Example: Applying a Firewall Filter to OVSDB-Managed Interfaces for more information.
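
The configuration-group approach described above, shown as an added sketch rather than the configuration from the referenced example. The interface name xe-0/0/0, the group, filter, term and counter names, and the MAC address (taken from the documentation range) are assumptions chosen for illustration.

```junos
# Added example: all names and the MAC address below are assumed, not from the page.

# 1. Define a Layer 2 (family ethernet-switching) filter.
#    Junos filters end with an implicit discard, so the last term
#    explicitly accepts everything the earlier term did not drop.
set firewall family ethernet-switching filter ovsdb-l2-filter term block-host from source-mac-address 00:00:5e:00:53:01/48
set firewall family ethernet-switching filter ovsdb-l2-filter term block-host then count blocked-host
set firewall family ethernet-switching filter ovsdb-l2-filter term block-host then discard
set firewall family ethernet-switching filter ovsdb-l2-filter term allow-rest then accept

# 2. Put the filter binding in a configuration group. The <*> wildcard
#    matches every logical unit on the interface, including units the
#    controller creates after this configuration is committed.
set groups ovsdb-filter-group interfaces xe-0/0/0 unit <*> family ethernet-switching filter input ovsdb-l2-filter

# 3. Apply the group so matching units inherit the filter.
set apply-groups ovsdb-filter-group
```

Binding the filter to a specific unit number instead of the wildcard would cover only that unit, leaving subinterfaces that the controller creates later unfiltered.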