Example: Applying a Firewall Filter to OVSDB-Managed Interfaces

Starting with Junos OS Release 14.1X53-D30, you can create family ethernet-switching logical units (subinterfaces) on VXLAN interfaces managed by a Contrail controller. (The controller and switch communicate through the Open vSwitch Database (OVSDB) management protocol.) This support enables you to apply Layer 2 (family ethernet-switching) firewall filters to these subinterfaces, which means that you can apply firewall filters to OVSDB-managed interfaces. Because a Contrail controller can create subinterfaces dynamically, you need to apply firewall filters in such a way that they take effect on subinterfaces whenever the controller creates them. You accomplish this by using configuration groups to configure and apply the firewall filters. (Configuration groups are required for this purpose; you cannot apply a firewall filter directly to these subinterfaces.)


Firewall filters are the only supported configuration items on family ethernet-switching subinterfaces of OVSDB-managed interfaces. Layer 2 (port) filters are the only allowed filters.


This example uses the following hardware and software components:

  • A QFX5100 switch

  • Junos OS Release 14.1X53-D30 or later


This example assumes that interfaces xe-0/0/0 and xe-0/0/1 on the switch are VXLAN interfaces managed by a Contrail controller, which means that the controller has applied the flexible-vlan-tagging and encapsulation extended-vlan-bridge statements to these interfaces. You want to apply a firewall filter that accepts traffic from the Web to any subinterfaces that the controller creates dynamically. To apply a Layer 2 (port) firewall filter to any dynamically created subinterfaces, you must create and apply the filter as shown in this example.


To configure a firewall filter to be automatically applied to subinterfaces created dynamically by a Contrail controller, perform these tasks:

CLI Quick Configuration


Step-by-Step Procedure

  1. Create configuration group vxlan-filter-group to apply firewall filter vxlan-filter to any subinterface of interface xe-0/0/0. The filter applies to any subinterface because you specify unit <*>:

  2. Create the same configuration for interface xe-0/0/1:

  3. Configure the group to include a family ethernet-switching filter that matches on outgoing traffic to the web:

  4. Configure the group to accept the traffic that matches the filter:

  5. Apply the group to enable its configuration:
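The five steps above, collected into one worked configuration. This is an added example, not the page's own listing: it reuses the group and filter names the page gives (vxlan-filter-group, vxlan-filter) and the interfaces xe-0/0/0 and xe-0/0/1, while the term name "web", the destination-port http match, and the input direction are assumptions made here to illustrate the procedure.

```junos
# Added example, not the page's own listing. Group name, filter name and
# interfaces come from the page; term name "web", the destination-port http
# match and the "input" direction are assumptions.

# Steps 1 and 2: attach the filter to every logical unit (unit <*>) of both
# controller-managed VXLAN interfaces. The wildcard is what makes the filter
# apply to subinterfaces that do not exist yet.
set groups vxlan-filter-group interfaces xe-0/0/0 unit <*> family ethernet-switching filter input vxlan-filter
set groups vxlan-filter-group interfaces xe-0/0/1 unit <*> family ethernet-switching filter input vxlan-filter

# Steps 3 and 4: define the Layer 2 (family ethernet-switching) filter inside
# the same group. Term "web" matches frames carrying traffic to TCP port 80
# and accepts them.
set groups vxlan-filter-group firewall family ethernet-switching filter vxlan-filter term web from destination-port http
set groups vxlan-filter-group firewall family ethernet-switching filter vxlan-filter term web then accept

# Step 5: activate the group at the top of the configuration and commit.
set apply-groups vxlan-filter-group
commit

# Check: the unit <*> entry is only expanded once the controller has created
# a subinterface, so confirm the inherited configuration per interface rather
# than reading the group definition alone.
run show configuration interfaces xe-0/0/0 | display inheritance
run show configuration interfaces xe-0/0/1 | display inheritance
```

Two points to keep in mind when adapting this. First, a Junos firewall filter ends with an implicit discard, so with only the "web" term present, any non-HTTP frames arriving on those subinterfaces are silently dropped; if that is not the intent, add a final term with `then accept`. Second, because the page states that firewall filters are the only supported configuration item on these subinterfaces and that only Layer 2 (port) filters are allowed, keep the group limited to family ethernet-switching filter statements and do not add other per-unit configuration to the wildcard entry.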