[EX] How Firewall filter rules are counted in TCAM and its limitation

Article ID: KB20638 KB Last Updated: 05 Mar 2017Version: 3.0
Summary:
How are the Firewall filter rules counted in TCAM and are there any associated limitations?
Symptoms:
On the EX3200 and EX4200, the total number of rules that can be applied is 7K. In Junos 9.x code the TCAM space is statically partitioned for each type of ACL:

2K - Ingress PACL (Port ACLs)
2K - Ingress VACL (VLAN ACLs)
1K - Ingress RACL (Routed ACLs)
2K - Egress PCL


From Junos version 10.0 onwards, there is no static demarcation between these ACL types. The total TCAM space is still 7K rules, but any type of ACL can use up to the full 7K; there is no per-ACL limit as there was in pre-10.0 releases.
Solution:
TCAM has limited capacity for firewall rules. If more terms are added than it can hold, the rules are not installed and the "will not be installed" error message is logged for the filter. This is a hardware limitation.

The commands that show the number of hardware rules for each type of ACL (PACL, VACL, and RACL) are:

Switch> start shell user root
root% show tcam vendor 1 rules

Example:
PFEM0(vty)# show tcam vendor 1 rules

NOTE: For every firewall filter, the number of rules depends on the number of match conditions.

If a term has multiple match conditions of the same type, the EX installs at most one rule for each match value; match conditions of different types within a term share a single rule.

The following log errors (sample) indicate that the TCAM limit has been reached:
EX-4200 fpc0 : rules for filter from-pms-ge-0/0/7.0-i will not be installed, Error [-2]
EX-4200 fpc0 : rules for filter pfe-dyn-cos-112-MERGE-from-pms-ge-0/0/7.0-i will not be installed

Configuration example:

  • A term with two values for the same match type:

        term t1 {
            from {
                source-port [ 10 20 ];
            }
            then count c1;
        }

    This results in two rules.

  • A term with one value each for two different match types:

        term t1 {
            from {
                source-port 20;
                destination-port 30;
            }
            then count c1;
        }

    This results in one rule.

When firewall filters used to classify traffic are applied to every interface, the number of filter entries is multiplied by the number of interfaces.

For each interface:
  • Every classifier term creates one rule.
  • For every firewall filter, the number of rules depends on the number of match conditions.
  • When CoS and MAC-based filters are both applied on an interface, each MAC rule carries all of the CoS rules.
  • Example: with 4 CoS rules and 4 MAC-based filter rules in TCAM, applying both to a physical or logical interface occupies 4*4+4 = 20 rules.
  • TCAM is also consumed by port security features (DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting) on an EX4200 series switch.
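The counting rules above (one rule per value of the same match type, different match types sharing a rule, the CoS/MAC cross product, and the per-interface multiplication) can be turned into a small capacity estimator so a filter change is checked against the 7K budget before it is committed. This is an added example written for this article, not a Juniper tool; the term names, the `Term` structure and the 7000-rule constant are assumptions, and the cross-product expansion for several multi-valued match types is an assumed generalization of the two cases the article shows.

```python
from dataclasses import dataclass, field

# Shared TCAM capacity on EX3200/EX4200 from Junos 10.0 onward (7K rules).
TCAM_CAPACITY = 7000


@dataclass
class Term:
    """One firewall-filter term: match type -> list of values it matches."""
    name: str
    matches: dict = field(default_factory=dict)


def rules_for_term(term):
    """Rules one term occupies in TCAM.

    Each value of a single match type needs its own rule (source-port 10, 20
    -> 2 rules), while different match types share one rule (source-port 20 +
    destination-port 30 -> 1 rule). Assumption for the general case: several
    multi-valued types expand as a cross product, because one TCAM entry can
    hold only one value per field.
    """
    count = 1
    for values in term.matches.values():
        count *= max(1, len(values))
    return count


def rules_for_filter(terms):
    """Total rules for a filter: the sum over its terms."""
    return sum(rules_for_term(t) for t in terms)


def cos_and_mac_rules(cos_rules, mac_rules):
    """CoS and MAC-based filters on one interface: every MAC rule carries all
    the CoS rules, plus the MAC rules themselves (4 and 4 -> 4*4+4 = 20)."""
    return mac_rules * cos_rules + mac_rules


def tcam_budget(per_interface_rules, interface_count, capacity=TCAM_CAPACITY):
    """Rules consumed when the same filters sit on every interface, and whether
    they fit; if not, the PFE logs 'rules for filter ... will not be installed'."""
    total = per_interface_rules * interface_count
    return {"total": total, "fits": total <= capacity, "free": capacity - total}


if __name__ == "__main__":
    # Constructed sample: the article's two terms, plus 4 CoS and 4 MAC rules,
    # applied to every port of an assumed 48-port switch.
    classifier = [Term("t1", {"source-port": [10, 20]}),
                  Term("t2", {"source-port": [20], "destination-port": [30]})]
    per_port = rules_for_filter(classifier) + cos_and_mac_rules(4, 4)
    print(tcam_budget(per_port, 48))  # {'total': 1104, 'fits': True, 'free': 5896}
```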