Knowledge Search


×
 

[QFX5100] Limitation of source/destination-port-range-optimize option for firewall filter

  [KB31154] Show Article Properties


Summary:

For certain platforms such as EX4600 and QFX5100, Junos supports source-port-range-optimize and destination-port-optimize options for the firewall filter. Even though these options save lots of TCAM (ternary content addressable memory) entries when you configure a range of ports, there are some limitations. This article describes the known limitations.

Solution:

Known Limitations

  • Not supported with filter-based forwarding. Refer to Juniper technical document on Firewall Filter Match Conditions and Actions.

  • Not supported for egress filter. The technical document above explains that these options are supported for both ingress/egress IPv4 interfaces. However, these are not supported for egress IPv4 interfaces. In Junos version 14.1X53-D40 and later, you may see an error committing the configuration. After the commit, the following error logs may appear in the messages file:

  • ------
    fpc0 ERROR (dfw): Range type 1 [0x00000064 - 0x0000006D] add failed in unit 0 entry 433 rv (-7) "Entry not found"
    fpc0 ERROR (dfw): Range creation for L4 SRC Port RANGE 0x00000064 - 0x0000006D failed
    fpc0 ERROR (dfw): Could not set match for term 10, unit 0, entry 433, group 22
    fpc0 ERROR (dfw): [-1] from brcm_dfw_rule_create_exp term (10) dfw (inet_filter)
    fpc0 ERROR (dfw): Cannot program filter "inet_filter" (type ERACL bound to vlan 0 - hw 0) - TCAM has 255 free entries filter requires 2 free entries - error -1
    fpc0 ERROR (dfw): [-1] Could not create dfw(inet_filter) type(ERACL)
    fpc0 ERROR (dfw): [1000] bind failed for filter inet_filter
    ------

  • Scale of these options. QFX5100 supports up to 24 noncontiguous terms. Refer to KB30804 - QFX5100 failed to program firewall filters with multiple port range options.
Related Links: