Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EX] Firewall counters do not work for aggregated Ethernet (aE) interfaces when filter is applied on ingress

0

0
Article ID: KB29270 KB Last Updated: 30 Mar 2020Version: 3.0 Summary:

This article explains why firewall counters do not work for aggregated Ethernet (aE) interfaces when the filter is applied on the ingress.

 

Symptoms:

A firewall filter is created to accept traffic from an aggregated Ethernet interface (ae0.200, a vlan-tagging interface) and to count the traffic, but the counter does not increment.

This situation is shown in the example below.

set chassis aggregated-devices ethernet device-count 64 ==> Device count configuration for lag.

set interfaces ae0 vlan-tagging
set interfaces ae0 unit 200 vlan-id 200
set interfaces ae0 unit 200 family inet filter input test ==> Filter is applied on ae0.200 interface in ingress.
set interfaces ae0 unit 200 family inet address 10.0.0.1/24

set firewall family inet filter test term 1 from interface ae0.200
set firewall family inet filter test term 1 then count ae20
set firewall family inet filter test term 1 then accept
set firewall family inet filter test term else then accept

set interfaces ge-0/0/15 ether-options 802.3ad ae0
set interfaces ge-0/0/16 ether-options 802.3ad ae0

{master:0}[edit]
root@DHCP-RELAY# run show interfaces terse | match ae ==> aE is up.
ge-0/0/15.0 up up aenet --> ae0.0
ge-0/0/15.200 up up aenet --> ae0.200
ge-0/0/16.0 up up aenet --> ae0.0
ge-0/0/16.200 up up aenet --> ae0.200
ae0 up up
ae0.0 up up
ae0.200 up up inet 10.0.0.1/24

root@DHCP-RELAY# run show firewall

Filter: test
Counters:
Name Bytes Packets
ae20 0 0 ==> No counter increment.

Now, when the same configuration is applied on the child members of the link aggregation group (LAG), the counter increments.

{master:0}[edit]
root@DHCP-RELAY# delete firewall family inet filter test term 1 from interface ae0.200 ==> Deleted and reconfigured on child interfaces.
root@DHCP-RELAY# set firewall family inet filter test term 1 from interface ge-0/0/15.200
root@DHCP-RELAY# set firewall family inet filter test term 1 from interface ge-0/0/16.200

{master:0}[edit]
root@DHCP-RELAY# show firewall
family inet {
filter test {
term 1 {
from {
interface ge-0/0/15.200;
interface ge-0/0/16.200;
}
then {
count ae20;
accept;
}
}
term else {
then accept;
}
}
}

{master:0}[edit]
root@DHCP-RELAY# commit
configuration check succeeds
commit complete

{master:0}[edit]
root@DHCP-RELAY# run show firewall

Filter: test
Counters:
Name Bytes Packets
ae20 6197672 4140 ==> Counter is incrementing.
 

Note: This is a limitation on EX devices.

 

Solution:

Apply the filter on the child interfaces of the aggregated Ethernet (aE) bundle so that the counters increment on the firewall filter.

 

Modification History:

2020-03-30: Article verified for accuracy, its valid and accurate.

 

Related Links

 Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search