Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring Firewall Filters

Follow the steps in the following sections to configure and apply a firewall filter on your switch.

Configuring a Firewall Filter

To configure a firewall filter:

  1. Configure the family address type, filter name, term name, and at least one match condition—for example, match on packets that contain a specific source address.
    • To filter Layer 2 traffic (port or VLAN), specify the family address type ethernet-switching.

    • To filter Layer 3 (routed) traffic, specify the family address type (inet for IPv4) or (inet6 for IPv6).

    • To filter Layer 2 circuit interface traffic, specify the family address type ccc.

    The filter and term names can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. Each filter name must be unique. A filter can contain one or more terms, and each term name must be unique within a filter.

  2. Configure additional match conditions. For example:

    In this configuration, the filter matches on Layer 2 packets that contain source port 80.

    In this configuration, the filter matches on VLANs that contain interface ge-0/0/6.0.

    You can specify one or more match conditions in a single from statement. For a match to occur, the packet must match all the conditions in the term. The from statement is optional, but if you include it in a term, it can’t be empty. If you omit the from statement, all packets are considered to match.

  3. If you want to apply a firewall filter to multiple interfaces and be able to see counters specific to each interface, configure the interface-specific option:
  4. In each firewall filter term, specify the actions to take if the packet matches all the conditions in that term. You can specify an action and action modifiers:
    • To specify a filter action, for example, to discard packets that match the conditions of the filter term:

      You can specify only one action per term (accept, discard, flood, reject, routing-instance, or vlan).

    • To specify a filter action, for example, to flood packets that match the MAC address on QFX5100/QFX5110/ QFX5120-32C/QFX5200/QFX5210:

      You can configure the ingress port-based firewall filters to flood or discard the following BPDUs by using the destination MAC address as the match condition.

      Protocols

      Destination Media Access Control (DMAC) Address

      Firewall Action

      Link Aggregation Control Protocol (LACP)

      01:80:c2:00:00:02

      Flood/Discard/Count

      Link Layer Discovery Protocol (LLDP)

      01:80:c2:00:00:0E

      Flood/Discard/Count

      Extensible Authentication Protocol over LAN (EAPOL)

      01:80:c2:00:00:03

      Flood/Discard/Count

      Spanning Tree Protocol (STP)

      01:80:c2:00:00:00

      Flood/Discard/Coun

      VLAN Spanning Tree Protocol (VSTP)

      01:00:0c:cc:cc:cd

      Flood/Discard/Count

      Cisco Discovery Protocol (CDP)/VLAN Trunk Protocol (VTP)

      01:00:0C:cc:cc:cc

      Discard/Count

      ISIS L1

      01:80:c2:00:00:14

      Discard/Count

      ISIS L2

      01:80:c2:00:00:15

      Discard/Count

      Note:
      • CDP/VTP, ISIS L1/L2 protocols flood by using the default dynamic filter. Therefore, configuring additional filters for these protocols is not necessary.

      • As ingress port-based firewall filters are applied at the port level, only one filter can be applied for a physical interface in the service provider style configuration.

      • The native VLAN must be configured to ensure flooding of the untagged BPDUs received on the trunk port. If the native VLAN is not configured, then the untagged BPDUs will be flooded on all the interfaces in the local FPC.

      • When IGMP snooping or multicast listener discovery (MLD) snooping is enabled then, the flood functionality does not work.

      • When the firewall filter with flood action is applied on an interface and later if the interface goes down, then the BPDUs received on that interface will be flooded if it satisfies the match conditions.

    • To specify action modifiers, for example, to count and classify packets to a forwarding class:

      You can specify any of the following action modifiers in a then statement:

      • analyzer analyzer-name—Mirror port traffic to a specified analyzer, which you must configure at the [ethernet-switching-options] level.

      • count counter-name—Count the number of packets that pass this filter term.

        Note:

        We recommend that you configure a counter for each term in a firewall filter, so that you can monitor the number of packets that match the conditions specified in each filter term.

        Note:

        On QFX3500 and QFX3600 switches, filters automatically count packets that were dropped in the ingress direction because of cyclic redundancy check (CRC) errors.

      • forwarding-class class—Assign packets to a forwarding class.

      • log—Log the packet header information in the Routing Engine.

      • loss-priority priority—Set the priority of dropping a packet.

      • policer policer-name—Apply rate-limiting to the traffic.

      • flood—Flood the packets.

      • syslog—Log an alert for this packet.

    If you omit the then statement or don’t specify an action, packets matching all the conditions in the from statement are accepted. But make sure that you always configure an action in the then statement. You can only include one action statement, but can use any combination of action modifiers. For an action or action modifier to take effect, all conditions in the from statement must match.

    Note:

    The implicit discard action applicable to a firewall filter applied to the loopback interface, lo0.

Configuring Enhanced Egress Firewall Filters (QFX5110 and QFX5220 Switches)

Due to a hardware limitation, the QFX5110 and QFX5220 can only support a maximum of 1000 egress firewall filters (eRACLs). You can increase this number to 2000, by configuring the switch in scaled mode. In this mode, the switch uses ingress TCAM space (IFP) to achieve the higher scale.

To configure the egress filter, specify the family address type (inet for IPv4) or (inet6 for IPv6), filter name, and term name. Include the applicable scaling option for your switch and specify a match condition and action to take if a match occurs. Then apply the filter in the output direction on the interface.

After configuring, modifying, or deleting a scaling option, you must commit the configuration, and the packet forwarding engine (PFE) must be restarted.

To increase the number of egress filters on the QFX5110, include the egress-to-ingress option in your configuration. You can add this option under any term. The following is a sample configuration:

To increase the number of egress filters on the QFX5220, include the eracl-scale option under the egress-profile statement. The following is a sample configuration:

Note:

The eracl-scale option comes configured in global mode. When enabled, existing egress filters will be automatically reinstalled in scaled mode.

When you enable scaled mode, these limitations apply:

  • You can only apply a filter in the egress direction (traffic exiting the VLAN).

  • Only inet and inet6 protocol families are supported.

  • Generic Routing Encapsulation (GRE) interfaces are not supported.

  • Only use the scaling options for egress firewall filters.

  • You cannot apply filters with the same match condition to different egress VLANs or Layer 3 interfaces. The only supported actions are accept, discard, and count.

  • Match conditions are programmed in the ingress firewall filter TCAM. This means that any counters attached to the filter counts traffic on any incoming VLANs.

Applying a Firewall Filter to a Port

To apply a firewall filter to a port:

  1. Provide a meaningful and descriptive name for the firewall filter. The name is what you use to apply the filter to the port.
  2. Apply the filter to the interface, specifying the unit number, family address type (ethernet-switching), the direction of the filter (for packets entering the port), and the filter name:
    Note:

    You can apply only one filter to a port in the ingress direction.

Applying a Firewall Filter to a VLAN

Note:

VLAN firewall filters are not supported on QFX5100, QFX5100 Virtual Chassis, QFX5110, and QFX5120 switches in an EVPN-VXLAN environment.

To apply a firewall filter to a VLAN:

  1. Provide a meaningful and descriptive name for the firewall filter. This name is what you use to apply the filter to the VLAN.
  2. Apply firewall filters to filter packets entering or exiting the VLAN:
    • To apply a filter to match packets entering the VLAN:

    • To apply a firewall filter to match packets exiting the VLAN:

    Note:

    You can apply only one filter to a VLAN for a given direction (ingress or egress).

Applying a Firewall Filter to a Layer 3 (Routed) Interface

You can apply a firewall filter to IPv4 and IPv6 interfaces, routed VLAN interfaces (RVI) (also known as an integrated routing and bridging (IRB) interface), and the loopback interface. These are all considered Layer 3 routed interfaces.

Note:

(QFX5100 and QFX5110 switches) In an EVPN-VXLAN environment, you can use an IRB interface to provide layer 3 connectivity to the switch. To configure an IRB interface, see Example: Configuring IRB Interfaces in an EVPN-VXLAN Environment to Provide Layer 3 Connectivity for Hosts in a Data Center. You can then apply a firewall filter to the IRB interface by following the steps below (only the ingress direction is supported). For a list of supported match conditions, see Firewall Filter Match Conditions and Actions (QFX5100, QFX5110, QFX5120, QFX5200, EX4600, EX4650).

Note:

When you apply a filter to an IRB interface associated with a given VLAN, the filter is executed on any Layer 3 interface with a matching VLAN ID. This is because the filter matches on all Layer 3 interfaces with the corresponding VLAN tag.

To apply a firewall filter to a Layer 3 interface:

  1. Provide a meaningful and descriptive name for the firewall filter. This name is what you use to apply the filter to the interface.
  2. Apply the firewall filters.
    • To filter packets entering the interface:

    • To filter packets exiting the interface:

      The family address type can either be (inet for IPv4) or (inet6 for IPv6).

    Note:

    You can apply only one filter to an interface for a given direction (ingress or egress).

Applying a Firewall Filter to a Layer 2 CCC (QFX10000 Switches)

You can apply firewall filters with count and policer actions on Layer 2 circuit cross-connect (CCC) traffic on QFX10000 switches. This lets you count and monitor the policer activity set at the [edit firewall family ccc] hierarchy level.

In this example, count is the policer action.

In this example, discard is the policer action.