Example: Applying a Firewall Filter to OVSDB-Managed Interfaces
You can create family ethernet-switching logical units (subinterfaces) on VXLAN
interfaces managed by a Contrail controller. (The controller and switch communicate
through the Open vSwitch Database—OVSDB—management protocol). This support enables you
to apply Layer 2 (family ethernet-switching) firewall filters to these
subinterfaces, which means that you apply firewall filters to OVSDB-managed interfaces.
Because a Contrail controller can create subinterfaces dynamically, you need to apply
firewall filters in such a way that the filters will apply to subinterfaces whenever the
controller creates them. You accomplish this by using configuration groups to configure
and apply the firewall filters. (You must use configuration groups for this purpose—that
is, you cannot apply a firewall filter directly to these subinterfaces.)
Firewall filters are the only supported configuration items on family ethernet-switching subinterfaces of OVSDB-managed interfaces. Layer 2 (port) filters are the only allowed filters.
Requirements
This example uses the following hardware and software components:
A supported switch, such as a QFX5100 switch
A supported Junos OS release
Overview
This example assumes that interfaces xe-0/0/0 and xe-0/0/1 on the switch are VXLAN interfaces
managed by a Contrail controller, which means that the controller has applied the flexible-vlan-tagging and encapsulation extended-vlan-bridge statements to these interfaces. You want
to apply a firewall filter that accepts traffic from the Web to any subinterfaces that the
controller creates dynamically. To apply a Layer 2 (port) firewall filter
to any dynamically created subinterfaces, you must create and apply the filter as shown in
this example.
Configuration
To configure a firewall filter to be automatically applied to subinterfaces created dynamically by a Contrail controller, perform these tasks:
CLI Quick Configuration
[edit]
set groups vxlan-filter-group interfaces xe-0/0/0 unit <*> family ethernet-switching filter input vxlan-filter
set groups vxlan-filter-group interfaces xe-0/0/1 unit <*> family ethernet-switching filter input vxlan-filter
set groups vxlan-filter-group firewall family ethernet-switching filter vxlan-filter term t1 from destination-port 80
set groups vxlan-filter-group firewall family ethernet-switching filter vxlan-filter term t1 then accept
set apply-groups vxlan-filter-group
Procedure
Step-by-Step Procedure
Create configuration group vxlan-filter-group to apply firewall filter vxlan-filter to any subinterface of interface xe-0/0/0. The filter applies to any subinterface because you specify unit <*>:
[edit]
user@switch# set groups vxlan-filter-group interfaces xe-0/0/0 unit <*> family ethernet-switching filter input vxlan-filter
Create the same configuration for interface xe-0/0/1:
[edit]
user@switch# set groups vxlan-filter-group interfaces xe-0/0/1 unit <*> family ethernet-switching filter input vxlan-filter
Configure the group to include a family ethernet-switching filter that matches on outgoing traffic to the web:
[edit]
user@switch# set groups vxlan-filter-group firewall family ethernet-switching filter vxlan-filter term t1 from destination-port 80
Configure the group to accept the traffic that matches the filter:
[edit]
user@switch# set groups vxlan-filter-group firewall family ethernet-switching filter vxlan-filter term t1 then accept
Apply the group to enable its configuration:
[edit]
user@switch# set apply-groups vxlan-filter-group
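As an added illustration (not part of the original example), this is the same group rendered in Junos hierarchical form, followed by the configuration-mode check that confirms the filter is inherited by a controller-created unit. The unit number 100 is an assumed placeholder for whatever subinterface the Contrail controller actually creates.

```junos
# Hierarchical view of the group defined by the set commands above
groups {
    vxlan-filter-group {
        interfaces {
            xe-0/0/0 {
                unit <*> {                      # wildcard: matches every unit the controller creates
                    family ethernet-switching {
                        filter {
                            input vxlan-filter;
                        }
                    }
                }
            }
            xe-0/0/1 {
                unit <*> {
                    family ethernet-switching {
                        filter {
                            input vxlan-filter;
                        }
                    }
                }
            }
        }
        firewall {
            family ethernet-switching {
                filter vxlan-filter {
                    term t1 {
                        from {
                            destination-port 80;
                        }
                        then accept;
                    }
                }
            }
        }
    }
}
apply-groups vxlan-filter-group;

# Verification (configuration mode). The wildcard only expands once a matching unit
# exists, so run this after the controller has created a subinterface; unit 100 is
# an assumed placeholder, substitute the unit the controller actually created.
# Lines inherited from the group are annotated with the group name in the output.
user@switch# show interfaces xe-0/0/0 unit 100 | display inheritance
```

Because the filter has a single accept term and no final catch-all term, Junos applies its implicit discard to every frame that does not match destination-port 80; confirm that this is the intended policy before the group is applied in production.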