
[QFX5100] Limitation of source/destination-port-range-optimize option for firewall filter

Article ID: KB31154 | KB Last Updated: 20 Sep 2016 | Version: 1.0
Summary:

On certain platforms such as the EX4600 and QFX5100, Junos supports the source-port-range-optimize and destination-port-range-optimize options for firewall filters. Although these options conserve a large number of TCAM (ternary content addressable memory) entries when a filter term matches a range of ports, they come with some limitations. This article describes the known limitations.

Solution:

Known Limitations

  • Not supported with filter-based forwarding. Refer to the Juniper technical document Firewall Filter Match Conditions and Actions.

  • Not supported for egress filters. The technical document above states that these options are supported on both ingress and egress IPv4 interfaces; however, they are not supported on egress IPv4 interfaces. In Junos version 14.1X53-D40 and later, the commit may report an error when such a filter is configured. After the commit, error logs like the following may appear in the messages file:

    fpc0 ERROR (dfw): Range type 1 [0x00000064 - 0x0000006D] add failed in unit 0 entry 433 rv (-7) "Entry not found"
    fpc0 ERROR (dfw): Range creation for L4 SRC Port RANGE 0x00000064 - 0x0000006D failed
    fpc0 ERROR (dfw): Could not set match for term 10, unit 0, entry 433, group 22
    fpc0 ERROR (dfw): [-1] from brcm_dfw_rule_create_exp term (10) dfw (inet_filter)
    fpc0 ERROR (dfw): Cannot program filter "inet_filter" (type ERACL bound to vlan 0 - hw 0) - TCAM has 255 free entries filter requires 2 free entries - error -1
    fpc0 ERROR (dfw): [-1] Could not create dfw(inet_filter) type(ERACL)
    fpc0 ERROR (dfw): [1000] bind failed for filter inet_filter

  • Scale of these options: QFX5100 supports up to 24 noncontiguous terms. Refer to KB30804 - QFX5100 failed to program firewall filters with multiple port range options.
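The egress failure above is easy to mistake for TCAM exhaustion, because both end in the same "Cannot program filter" line. The following script is an added example, not Juniper code: it parses dfw error lines from the messages file, decodes the hex port range, and separates a filter that failed with free TCAM entries still available (the limitation this article describes) from one that actually ran out of TCAM. It assumes, as the excerpt above shows, that the egress-bound filter is logged with type ERACL; the sample log lines are constructed for the demo.

```python
import re
from typing import Dict, List

# Constructed sample of messages-file lines, modelled on the excerpt in this article.
# Timestamps, hostname and the second filter ("big_filter") are invented for the demo.
SAMPLE_MESSAGES = """\
Sep 20 10:01:02 qfx fpc0 ERROR (dfw): Range type 1 [0x00000064 - 0x0000006D] add failed in unit 0 entry 433 rv (-7) "Entry not found"
Sep 20 10:01:02 qfx fpc0 ERROR (dfw): Range creation for L4 SRC Port RANGE 0x00000064 - 0x0000006D failed
Sep 20 10:01:02 qfx fpc0 ERROR (dfw): Could not set match for term 10, unit 0, entry 433, group 22
Sep 20 10:01:02 qfx fpc0 ERROR (dfw): Cannot program filter "inet_filter" (type ERACL bound to vlan 0 - hw 0) - TCAM has 255 free entries filter requires 2 free entries - error -1
Sep 20 10:01:02 qfx fpc0 ERROR (dfw): [1000] bind failed for filter inet_filter
Sep 20 10:05:00 qfx fpc0 ERROR (dfw): Cannot program filter "big_filter" (type IRACL bound to vlan 0 - hw 0) - TCAM has 0 free entries filter requires 4 free entries - error -1
"""

# A port range that the PFE could not allocate (hex bounds, SRC or DST).
RANGE_RE = re.compile(
    r"Range creation for L4 (SRC|DST) Port RANGE (0x[0-9a-fA-F]+) - (0x[0-9a-fA-F]+) failed")
# The summary line: filter name, hardware filter type, TCAM free vs. required entries.
PROGRAM_RE = re.compile(
    r'Cannot program filter "([^"]+)" \(type (\w+) .*?'
    r'TCAM has (\d+) free entries filter requires (\d+) free entries')

def classify_dfw_errors(text: str) -> Dict[str, dict]:
    """Return one finding per filter, keyed on the 'Cannot program filter' line."""
    findings: Dict[str, dict] = {}
    pending_ranges: List[str] = []  # range failures seen since the last summary line
    for line in text.splitlines():
        m = RANGE_RE.search(line)
        if m:
            lo, hi = int(m.group(2), 16), int(m.group(3), 16)
            pending_ranges.append(f"{m.group(1).lower()}-port {lo}-{hi}")
            continue
        m = PROGRAM_RE.search(line)
        if not m:
            continue
        name, ftype = m.group(1), m.group(2)
        free, needed = int(m.group(3)), int(m.group(4))
        if free < needed:
            cause = "tcam-exhausted"            # genuinely out of TCAM space
        elif pending_ranges and ftype == "ERACL":
            cause = "port-range-optimize-on-egress"  # KB31154: option unsupported on egress
        elif pending_ranges:
            cause = "port-range-programming-failed"  # range failed but filter type is not egress
        else:
            cause = "unknown"
        findings[name] = {"type": ftype, "free": free, "needed": needed,
                          "ranges": pending_ranges, "cause": cause}
        pending_ranges = []
    return findings
```

Run it against a copy of the messages file to get, per failed filter, the decoded port ranges and whether the failure was capacity or the egress limitation.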