
How to calculate TCAM utilization by loopback firewall filter on EX4600 and QFX5100


Article ID: KB32027 | Last Updated: 08 Aug 2017 | Version: 1.0
Summary:

This article describes how much ternary content addressable memory (TCAM) a firewall filter consumes when it is applied to the loopback interface on EX4600 and QFX5100 switches.

Symptoms:

A firewall filter applied to the loopback interface consumes four times as many TCAM entries as the same filter applied to a physical interface.

Solution:

A packet is determined to be host bound if any of the following conditions are met during lookup:

  • Reserved multicast (always sent to the CPU)
  • Known L3 Unicast packets destined to port 0 (CPU port)
  • Any packets flagged by the L3 routing table as routed to the CPU
  • TTL 0 packets (automatically punted to the CPU)

Each of these conditions is programmed as a separate entry, because each one handles a different type of host-bound traffic; there is no single matching condition that covers all traffic going to the CPU.

As a result, when a firewall filter is applied to the loopback interface, each term uses 4 TCAM entries where the same term uses 1 TCAM entry if the filter is applied to a physical interface.

Lab output:

root# show firewall
family inet {
    filter TEST {
        term 1 {
            from {
                source-address {
                    10.10.10.1/32;
                    10.10.10.5/32;
                }
                destination-address {
                    20.20.20.1/32;
                    20.20.20.5/32;
                }
                destination-port 80;
            }
            then accept;
        }
        term 2 {
            then accept;
        }
    }
}

TCAM calculation:

Source-address = 2
Destination-address = 2
Destination-port = 1
Refer to KB30953 for the TCAM usage calculation.

TCAM entries for loopback interface: 2 (source-address) * 2 (destination-address) * 1 (destination-port) * 4 (loopback filter) = 16
TCAM entries for physical interface: 2 (source-address) * 2 (destination-address) * 1 (destination-port) = 4
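The following script is an added example, not part of this article or Juniper's own tooling: it parses the filter TEST shown above from its `show firewall` text and applies the multiplication rule (product of match-value counts per term, times 4 on the loopback interface) so the result can be checked against the `show filter hw` output below. The parser and the function names are assumptions made for illustration.

```python
import re
from math import prod

LOOPBACK_EXPANSION = 4  # host-bound conditions: reserved mcast, CPU port, L3 punt, TTL 0

def parse_filter_terms(config_text):
    """Return {term: {match_condition: [values]}} from 'show firewall' text."""
    terms, stack, current, buf = {}, [], None, ""
    for tok in re.split(r"([{};])", config_text):   # tokens: text, {, }, ;
        if tok == "{":                                # open the block named by buf
            stack.append(buf)
            if buf.startswith("term "):
                current = buf.split(None, 1)[1]
                terms[current] = {}
        elif tok == "}":                              # close the innermost block
            stack.pop()
            if not any(s.startswith("term ") for s in stack):
                current = None
        elif tok == ";":                              # statement inside a term's from {}
            if current and "from" in stack:
                if stack[-1] == "from":               # inline match, e.g. "destination-port 80"
                    key, _, val = buf.partition(" ")
                    terms[current].setdefault(key, []).append(val)
                else:                                 # value inside e.g. source-address { }
                    terms[current].setdefault(stack[-1], []).append(buf)
        else:
            buf = tok.strip()
    return terms

def tcam_entries(terms, loopback):
    """Per-term entries: product of match-value counts (KB30953 rule), x4 on loopback."""
    factor = LOOPBACK_EXPANSION if loopback else 1
    return {t: factor * prod(len(v) for v in m.values()) for t, m in terms.items()}

# Filter TEST from the article's lab output, compacted onto fewer lines.
FILTER_TEST = """
family inet { filter TEST {
    term 1 { from { source-address { 10.10.10.1/32; 10.10.10.5/32; }
                    destination-address { 20.20.20.1/32; 20.20.20.5/32; }
                    destination-port 80; } then accept; }
    term 2 { then accept; } } }
"""

def report(config_text):
    """Loopback vs physical-interface cost, in the form 'show filter hw' reports it."""
    terms = parse_filter_terms(config_text)
    lo, phy = tcam_entries(terms, True), tcam_entries(terms, False)
    return {"loopback": lo, "loopback_total": sum(lo.values()),
            "physical": phy, "physical_total": sum(phy.values())}
```

Running `report(FILTER_TEST)` gives 16 + 4 = 20 entries for the loopback instance and 4 + 1 = 5 for the physical instance, the same totals as "Total TCAM entries needed" in the hardware output below.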

TFXPC0( vty)#  show filter
Program Filters:
---------------
   Index     Dir     Cnt    Text     Bss  Name
--------  ------  ------  ------  ------  --------

Term Filters:
------------
   Index    Semantic    Name
--------  ----------------
       1  Classic   TEST
   17000  Classic   __default_arp_policer__
   57006  Classic   __jdhcpd__
   57007  Classic   __dhcpv6__
   65008  Classic   __jdhcpd_l2_snoop_filter__
92274688  Classic   __jdhcpd_l2_dai_filter__
125829120  Classic   __jdhcpd_security_dhcpv6_l2_snoop_filter__
130023424  Classic   __jdhcpd_security_icmpv6_l2_snoop_filter__
142606336  Classic   __jdhcpd_l3_tag__
142606337  Classic   __dhcpv6_l3_tag__

Resolve Filters:
---------------
   Index
--------

TFXPC0( vty)# show filter hw 1 show_term_info
======================
Filter index   : 1
======================

- Filter name  : TEST

+ Hardware Instance : 1
  + Hardware key (struct brcm_dfw_hw_key_t):
    - Type          : IRACL
    - Vlan id       : 0
    - Direction     : ingress
    - Protocol      : 2 (IPv4)
    - Port class id : 0
    - Class id      : 0
    - Loopback      : 1
    - Port          : 0(xe-1)
    - Vlan tag      : 0
    - Non-overflow  : 1
  + FP usage info (struct brcm_dfw_fp_t):
    - Group                           : IFP iRACL group (33)
    - My Mac                          : 00:00:00:00:00:00
    - Loopback Reference Count        : 00000001
    - IFL Type                        : unknown (0)
    + List of tcam entries            : [ total: 20; ]
        - Pipe: 0; [259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 ]
    + List of ranges                  : [ total: 0; ]
        - Pipe: 0 []
    + List of interface match entries : [ total: 0; ]
        - Pipe: 0 []
    + List of dot1q-tag match entries : [ total: 0; ]
        - Pipe: 0 []
    - List of l3 ifl index entries    : [ total: 0; ]
    + List of vfp tcam entries        : [ total: 0; ]
        - Pipe: 0 []
  + Misc info (struct brcm_dfw_misc_info_t):
    - List of <anlz_id, entry_id> : [ total: 0; ]
  + Bind point info (union brcm_dfw_bind_point_info_t):
    + Loopback      : CPU Traffic
  + Programmed: YES
  + BD ID     : 228
  + Total TCAM entries available: 1511
  + Total TCAM entries needed   : 20
  + Term Expansion:
    - Term    1: will expand to     4 terms: Name "1"
    - Term    2: will expand to     1 term : Name "2"
  + Term TCAM entry requirements:
    - Term    1: needs    16 TCAM entries: Name "1" < ------------ loopback interface
    - Term    2: needs     4 TCAM entries: Name "2"
  + Total TCAM entries available: 1511
  + Total TCAM entries needed   : 20

+ Hardware Instance : 2
  + Hardware key (struct brcm_dfw_hw_key_t):
    - Type          : IRACL
    - Vlan id       : 0
    - Direction     : ingress
    - Protocol      : 2 (IPv4)
    - Port class id : 0
    - Class id      : 4095
    - Loopback      : 0
    - Port          : 0(xe-1)
    - Vlan tag      : 0
    - Non-overflow  : 0
  + FP usage info (struct brcm_dfw_fp_t):
    - Group                           : IFP iRACL group (33)
    - My Mac                          : 00:00:00:00:00:00
    - Loopback Reference Count        : 00000000
    - IFL Type                        : unknown (0)
    + List of tcam entries            : [ total: 5; ]
        - Pipe: 0; [254 255 256 257 258 ]
    + List of ranges                  : [ total: 0; ]
        - Pipe: 0 []
    + List of interface match entries : [ total: 0; ]
        - Pipe: 0 []
    + List of dot1q-tag match entries : [ total: 0; ]
        - Pipe: 0 []
    - List of l3 ifl index entries    : [ total: 1; 555 (4095) ]
    + List of vfp tcam entries        : [ total: 0; ]
        - Pipe: 0 []
  + Misc info (struct brcm_dfw_misc_info_t):
    - List of <anlz_id, entry_id> : [ total: 0; ]
  + Bind point info (union brcm_dfw_bind_point_info_t):
    + Overflow Vlan : 4095
  + Programmed: YES
  + BD ID     : 227
  + Total TCAM entries available: 1511
  + Total TCAM entries needed   : 5
  + Term Expansion:
    - Term    1: will expand to     4 terms: Name "1"
    - Term    2: will expand to     1 term : Name "2"
  + Term TCAM entry requirements:
    - Term    1: needs     4 TCAM entries: Name "1" < ------------ Physical interface
    - Term    2: needs     1 TCAM entry  : Name "2"
  + Total TCAM entries available: 1511
  + Total TCAM entries needed   : 5

Total hardware instances: 2