
QFX5100 failed to program firewall filters with multiple port range options.


Article ID: KB30804 | Last Updated: 23 Feb 2020 | Version: 2.0
Summary:

QFX5100 series switches offer the 'source-port-range-optimize' and 'destination-port-range-optimize' options in firewall filters. However, a term that combines one of these options with more than 24 noncontiguous 'source-port' or 'destination-port' matching conditions fails to install. This is expected behavior caused by a hardware limitation of the platform.

Symptoms:

The QFX5100 switch does not install a firewall filter term that uses the 'source/destination-port-range-optimize' option together with more than 24 noncontiguous 'source/destination-port' matching conditions. The filter is accepted at commit time, but the PFE reports that programming into hardware failed.

Successful scenario of a firewall filter with 24 noncontiguous "destination-port" matching conditions with "destination-port-range-optimize" option:

{master:0}[edit]
root@switch-48s-6q-r2027# show | display set
set version 14.1X53-D30.3
set system host-name jtac-QFX5100-48s-6q-r2027
set system root-authentication encrypted-password "$ABC123"
set system login user labroot uid 2000
set system login user labroot class super-user
set system login user labroot authentication encrypted-password "$ABC123"
set system services ftp
set system services ssh root-login allow
set system services telnet
set system syslog file messages any notice
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members 10
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members 20
set interfaces em0 unit 0 family inet address 10.219.41.241/26
set interfaces irb unit 10 family inet filter input range_test1 <<<<< range_test1 installed on irb.10
set interfaces irb unit 10 family inet address 10.1.1.1/24
set interfaces irb unit 20 family inet filter input range_test1 <<<<< range_test1 installed on irb.20
set interfaces irb unit 20 family inet address 20.1.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 10.219.41.193
set firewall family inet filter range_test1 term 1 from destination-port 10001
set firewall family inet filter range_test1 term 1 from destination-port 10003
set firewall family inet filter range_test1 term 1 from destination-port 10005
set firewall family inet filter range_test1 term 1 from destination-port 10007
set firewall family inet filter range_test1 term 1 from destination-port 10009
set firewall family inet filter range_test1 term 1 from destination-port 10011
set firewall family inet filter range_test1 term 1 from destination-port 10013
set firewall family inet filter range_test1 term 1 from destination-port 10015
set firewall family inet filter range_test1 term 1 from destination-port 10017
set firewall family inet filter range_test1 term 1 from destination-port 10019
set firewall family inet filter range_test1 term 1 from destination-port 10021
set firewall family inet filter range_test1 term 1 from destination-port 10023
set firewall family inet filter range_test1 term 1 from destination-port 10025
set firewall family inet filter range_test1 term 1 from destination-port 10027
set firewall family inet filter range_test1 term 1 from destination-port 10029
set firewall family inet filter range_test1 term 1 from destination-port 10031
set firewall family inet filter range_test1 term 1 from destination-port 10033
set firewall family inet filter range_test1 term 1 from destination-port 10035
set firewall family inet filter range_test1 term 1 from destination-port 10037
set firewall family inet filter range_test1 term 1 from destination-port 10039
set firewall family inet filter range_test1 term 1 from destination-port 10041
set firewall family inet filter range_test1 term 1 from destination-port 10043
set firewall family inet filter range_test1 term 1 from destination-port 10045
set firewall family inet filter range_test1 term 1 from destination-port 10047
set firewall family inet filter range_test1 term 1 from destination-port-range-optimize
set firewall family inet filter range_test1 term 1 then accept
set vlans vlan10 vlan-id 10
set vlans vlan10 l3-interface irb.10
set vlans vlan20 vlan-id 20
set vlans vlan20 l3-interface irb.20

TFXPC0(vty)# show filter
Program Filters:
---------------
Index  Dir    Cnt  Text  Bss  Name
-----  -----  ---- ----  ---- ----

Term Filters:
------------
Index Semantic Name
----- -------------
1 Classic range_test1 <<<<< filter of Index 1
17000 Classic __default_arp_policer__
16777216 Classic fnp-filter-level-all

Resolve Filters:
---------------
Index
--------

TFXPC0(vty)# show filter hw 1 <<<<< filter of Index 1
======================
Filter index : 1
======================

- Filter name : range_test1

+ Hardware Instance : 1
+ Hardware key (struct brcm_dfw_hw_key_t):
- Type : IRACL
- Vlan id : 0
- Direction : ingress
- Protocol : 2 (IPv4)
- Port class id : 0
- Class id : 0
- Loopback : 0
- Port : 0(xe-1)
- Vlan tag : 0
- Non-overflow : 1
+ FP usage info (struct brcm_dfw_fp_t):
- Group : IFP iRACL group (14)
- My Mac : 00:00:00:00:00:00
- Loopback Reference Count : 00000000
- IFL Type : unknown (0)
- List of tcam entries : [ total: 25; 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 ]
- List of ranges : [ total: 24;
874 (E: 1047 type: Dst Port min 10001 max 10001)
875 (E: 1048 type: Dst Port min 10003 max 10003)
876 (E: 1049 type: Dst Port min 10005 max 10005)
877 (E: 1050 type: Dst Port min 10007 max 10007)
878 (E: 1051 type: Dst Port min 10009 max 10009)
879 (E: 1052 type: Dst Port min 10011 max 10011)
880 (E: 1053 type: Dst Port min 10013 max 10013)
881 (E: 1054 type: Dst Port min 10015 max 10015)
882 (E: 1055 type: Dst Port min 10017 max 10017)
883 (E: 1056 type: Dst Port min 10019 max 10019)
884 (E: 1057 type: Dst Port min 10021 max 10021)
885 (E: 1058 type: Dst Port min 10023 max 10023)
886 (E: 1059 type: Dst Port min 10025 max 10025)
887 (E: 1060 type: Dst Port min 10027 max 10027)
888 (E: 1061 type: Dst Port min 10029 max 10029)
889 (E: 1062 type: Dst Port min 10031 max 10031)
890 (E: 1063 type: Dst Port min 10033 max 10033)
891 (E: 1064 type: Dst Port min 10035 max 10035)
892 (E: 1065 type: Dst Port min 10037 max 10037)
893 (E: 1066 type: Dst Port min 10039 max 10039)
894 (E: 1067 type: Dst Port min 10041 max 10041)
895 (E: 1068 type: Dst Port min 10043 max 10043)
896 (E: 1069 type: Dst Port min 10045 max 10045)
897 (E: 1070 type: Dst Port min 10047 max 10047)
]
- List of interface match entries : [ total: 0; ]
- List of dot1q-tag match entries : [ total: 0; ]
- List of l3 ifl index entries : [ total: 2; 550 (4) 559 (5) ]
- List of vfp tcam entries : [ total: 0; ]
+ Misc info (struct brcm_dfw_misc_info_t):
- List of <anlz_id, entry_id> : [ total: 0; ]
+ Bind point info (union brcm_dfw_bind_point_info_t):
+ Class id : 1
- Vlans : [4 5 (total:2/4096)]
+ Programmed: YES <<<<< Programming into H/W succeeded.
+ BD ID : 533

Total hardware instances: 1
+ Programmed: YES
+ BD ID : 530

Total hardware instances: 1



Scenario where the firewall filter with 25 noncontiguous 'destination-port' matching conditions with 'destination-port-range-optimize' option failed:

{master:0}[edit]
root@switch-48s-6q-r2027# show | display set
set version 14.1X53-D30.3
set system host-name jtac-QFX5100-48s-6q-r2027
set system root-authentication encrypted-password "$ABC123"
set system login user labroot uid 2000
set system login user labroot class super-user
set system login user labroot authentication encrypted-password "$ABC123"
set system services ftp
set system services ssh root-login allow
set system services telnet
set system syslog file messages any notice
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members 10
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members 20
set interfaces em0 unit 0 family inet address 10.219.41.241/26
set interfaces irb unit 10 family inet filter input range_test1 <<<<< filter looks to be installed here.
set interfaces irb unit 10 family inet address 10.1.1.1/24
set interfaces irb unit 20 family inet address 20.1.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 10.219.41.193
set firewall family inet filter range_test1 term 1 from destination-port 10001
set firewall family inet filter range_test1 term 1 from destination-port 10003
set firewall family inet filter range_test1 term 1 from destination-port 10005
set firewall family inet filter range_test1 term 1 from destination-port 10007
set firewall family inet filter range_test1 term 1 from destination-port 10009
set firewall family inet filter range_test1 term 1 from destination-port 10011
set firewall family inet filter range_test1 term 1 from destination-port 10013
set firewall family inet filter range_test1 term 1 from destination-port 10015
set firewall family inet filter range_test1 term 1 from destination-port 10017
set firewall family inet filter range_test1 term 1 from destination-port 10019
set firewall family inet filter range_test1 term 1 from destination-port 10021
set firewall family inet filter range_test1 term 1 from destination-port 10023
set firewall family inet filter range_test1 term 1 from destination-port 10025
set firewall family inet filter range_test1 term 1 from destination-port 10027
set firewall family inet filter range_test1 term 1 from destination-port 10029
set firewall family inet filter range_test1 term 1 from destination-port 10031
set firewall family inet filter range_test1 term 1 from destination-port 10033
set firewall family inet filter range_test1 term 1 from destination-port 10035
set firewall family inet filter range_test1 term 1 from destination-port 10037
set firewall family inet filter range_test1 term 1 from destination-port 10039
set firewall family inet filter range_test1 term 1 from destination-port 10041
set firewall family inet filter range_test1 term 1 from destination-port 10043
set firewall family inet filter range_test1 term 1 from destination-port 10045
set firewall family inet filter range_test1 term 1 from destination-port 10047
set firewall family inet filter range_test1 term 1 from destination-port 10049 <<<<< one more noncontiguous port added, making 25 noncontiguous matching conditions.
set firewall family inet filter range_test1 term 1 from destination-port-range-optimize
set firewall family inet filter range_test1 term 1 then accept
set vlans vlan10 vlan-id 10
set vlans vlan10 l3-interface irb.10
set vlans vlan20 vlan-id 20
set vlans vlan20 l3-interface irb.20

TFXPC0(vty)# show filter
Program Filters:
---------------
Index   Dir   Cnt  Text  Bss  Name
-----   ----- ---- ----- ---- -----

Term Filters:
------------
Index Semantic Name
-------- ----------------
1 Classic range_test1 <<<<< filter of Index 1
17000 Classic __default_arp_policer__
16777216 Classic fnp-filter-level-all

Resolve Filters:
---------------
Index
--------

TFXPC0(vty)# show filter hw 1 <<<<<< filter of Index 1
======================
Filter index : 1
======================

- Filter name : range_test1

+ Hardware Instance : 1
+ Hardware key (struct brcm_dfw_hw_key_t):
- Type : IRACL
- Vlan id : 0
- Direction : ingress
- Protocol : 2 (IPv4)
- Port class id : 0
- Class id : 0
- Loopback : 0
- Port : 0(xe-1)
- Vlan tag : 0
- Non-overflow : 1
+ FP usage info (struct brcm_dfw_fp_t):
- Group : IFP iRACL group (14)
- My Mac : 00:00:00:00:00:00
- Loopback Reference Count : 00000000
- IFL Type : unknown (0)
- List of tcam entries : [ total: 0; ]
- List of ranges : [ total: 0; ]
- List of interface match entries : [ total: 0; ]
- List of dot1q-tag match entries : [ total: 0; ]
- List of l3 ifl index entries : [ total: 1; 550 (4) ]
- List of vfp tcam entries : [ total: 0; ]
+ Misc info (struct brcm_dfw_misc_info_t):
- List of <anlz_id, entry_id> : [ total: 0; ]
+ Bind point info (union brcm_dfw_bind_point_info_t):
+ Class id : 1
- Vlans : [4 (total:1/4096)]
+ Programmed: NO <<<<<< Programming into H/W failed.
+ BD ID : 534

Total hardware instances: 1

Solution:

This is expected behavior caused by a hardware limitation of the platform. When using the 'source/destination-port-range-optimize' option in a firewall filter, make sure that no term exceeds the limit of 24 noncontiguous port matching conditions. Note that the commit itself succeeds; to confirm the filter is actually in hardware, check 'show filter hw <index>' on the PFE for '+ Programmed: YES'.
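The following script is an added example, not Juniper code and not part of this article. It shows how the limit above can be checked before a commit: it reads 'show | display set' style configuration, counts the noncontiguous source/destination-port ranges of every term that enables the matching '*-port-range-optimize' option, and flags terms with more than 24. It also parses the PFE 'show filter hw <index>' output for the '+ Programmed:' verdict. It assumes that adjacent or overlapping ports (for example 10001 and 10002, or a '10001-10005' range) coalesce into a single hardware range; the article's own example uses only odd ports, where every port is its own range. The sample configuration and the hardware-output excerpt are constructed to mirror the article's range_test1 filter.

```python
"""Pre-commit check for the QFX5100 port-range-optimize limit described in KB30804.

Added example, not Juniper code. Counts noncontiguous source/destination-port
ranges per filter term in 'show | display set' output and flags terms that exceed
24 when the matching *-port-range-optimize option is enabled. Also parses the PFE
'show filter hw <index>' output for the '+ Programmed:' verdict.
"""
import re
from collections import defaultdict

# Limit stated in the article for the range-optimize options on QFX5100.
MAX_NONCONTIGUOUS_RANGES = 24

# "destination-port 10001" or "destination-port 10001-10005" (source-port too).
PORT_LINE = re.compile(
    r"^set firewall family inet filter (?P<filter>\S+) term (?P<term>\S+) "
    r"from (?P<dir>source|destination)-port (?P<lo>\d+)(?:-(?P<hi>\d+))?$"
)
OPTIMIZE_LINE = re.compile(
    r"^set firewall family inet filter (?P<filter>\S+) term (?P<term>\S+) "
    r"from (?P<dir>source|destination)-port-range-optimize$"
)


def merge_ranges(ranges):
    """Coalesce overlapping or adjacent (lo, hi) port ranges.

    Assumption: one hardware range checker covers one contiguous span, so
    adjacent ports (10001, 10002) count as a single range. The article's
    example uses only odd ports, where every port is its own range.
    """
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def count_port_ranges(config_text):
    """Map (filter, term, direction) -> noncontiguous range count, for terms
    that enable the corresponding *-port-range-optimize option."""
    ports = defaultdict(list)
    optimized = set()
    for raw in config_text.splitlines():
        # Drop KB-style '<<<<<' annotations so pasted article output still parses.
        line = raw.split("<<<<<")[0].strip()
        m = PORT_LINE.match(line)
        if m:
            lo = int(m["lo"])
            hi = int(m["hi"]) if m["hi"] else lo
            ports[(m["filter"], m["term"], m["dir"])].append((lo, hi))
            continue
        m = OPTIMIZE_LINE.match(line)
        if m:
            optimized.add((m["filter"], m["term"], m["dir"]))
    return {key: len(merge_ranges(ports[key])) for key in optimized if key in ports}


def find_violations(config_text, limit=MAX_NONCONTIGUOUS_RANGES):
    """Terms whose noncontiguous range count exceeds the hardware limit."""
    return {k: n for k, n in count_port_ranges(config_text).items() if n > limit}


def all_programmed(show_filter_hw_text):
    """True if every '+ Programmed:' line in 'show filter hw' output says YES."""
    verdicts = re.findall(r"^\s*\+ Programmed:\s*(YES|NO)", show_filter_hw_text, re.M)
    return bool(verdicts) and all(v == "YES" for v in verdicts)


def build_sample_config(n_ports):
    """Constructed config mirroring the article's range_test1 term: odd ports
    from 10001 upward, so no two ports are adjacent."""
    prefix = "set firewall family inet filter range_test1 term 1 "
    lines = [f"{prefix}from destination-port {10001 + 2 * i}" for i in range(n_ports)]
    lines.append(f"{prefix}from destination-port-range-optimize")
    lines.append(f"{prefix}then accept")
    return "\n".join(lines)


# Constructed excerpt in the shape of the article's failing 'show filter hw 1'.
SAMPLE_HW_FAILED = """\
- Filter name : range_test1
- List of ranges : [ total: 0; ]
+ Programmed: NO <<<<<< Programming into H/W failed.
+ BD ID : 534
"""

if __name__ == "__main__":
    for n in (24, 25):
        cfg = build_sample_config(n)
        print(n, "ports ->", count_port_ranges(cfg), "violations:", find_violations(cfg))
    print("hardware programmed:", all_programmed(SAMPLE_HW_FAILED))
```

Run against the 24-port configuration the script reports no violations; with the 25th port (10049) added it flags term 1 of range_test1 at 25 ranges, which matches the article's two scenarios. The 'all_programmed' check is the post-commit counterpart: paste the PFE output into it and a single 'Programmed: NO' instance is enough to fail the check.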
