
[QFX] Loopback filter has higher priority than normal iRACL filter on QFX platform

Article ID: KB32041
KB Last Updated: 07 Aug 2018
Version: 3.0
Summary:

This article explains why a firewall filter applied to the loopback interface lo0 on QFX switches takes precedence over a filter applied to a physical interface for traffic destined to the Routing Engine (RE), and what can be done to work around the behavior.

 

Symptoms:

On the QFX platform, the loopback (lo0) filter is given preference over a physical-interface filter when all of the following are true:

  • Different firewall filters are configured on lo0 and on the physical interface

  • The actions of the two filters conflict for traffic destined to the Routing Engine (RE)

  • The traffic matches terms in both the physical-interface filter and the loopback filter

 

Example

With the following topology and configuration, a ping from 1.1.1.2 to 1.1.1.1 succeeds, even though the filter on ge-0/0/0 is configured to discard all traffic sourced from 1.1.1.0/24.

 

Topology

 
QFX5100(ge-0/0/0 IP address: 1.1.1.1/24) ------ (ge-0/0/0, IP address: 1.1.1.2/24)EX4300
 

Configure the following:

 
root@QFX5100# show firewall | display set 
set firewall family inet filter lo0 term all then count lo0_all
set firewall family inet filter lo0 term all then accept
set firewall family inet filter physical term test from source-address 1.1.1.0/24
set firewall family inet filter physical term test then count physical_test
set firewall family inet filter physical term test then discard

{master:0}[edit]
root@QFX5100# show interfaces ge-0/0/0 | display set 
set interfaces ge-0/0/0 unit 0 family inet filter input physical
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24

{master:0}[edit]
root@QFX5100# show interfaces lo0 | display set 
set interfaces lo0 unit 0 family inet filter input lo0
 

Results

 
root@QFX5100# run show firewall

Filter: lo0                                                    
Counters:
Name                                    Bytes              Packets
lo0_all                                 612                6      >>>>>> counted

Filter: physical                                               
Counters:
Name                                    Bytes              Packets
physical_test                           0                   0   >>>>>> not counted
                                                                (the filter is not
                                                                applied at all)
 

The following test results confirm that the impact is limited to traffic destined to the RE (CPU); transit traffic remains subject to the filter on the ingress interface.

 

Impact of the loopback filter on transit traffic when the ingress interface is Layer 2 (L2)

 
EX4200-1(ge-0/0/0, IP: 1.1.1.2/24) --- (ge-0/0/0, L2)QFX5100(ge-0/0/1, L2) --- (IP: 1.1.1.1/24)EX4200-2
 

Result of the ping from 1.1.1.2 to 1.1.1.1 on EX4200-1 (the L2 filter on ge-0/0/0 discards the transit traffic; the lo0 filter has no effect on it)

 
root@EX4200-1# run ping 1.1.1.1      <<<< Failed
PING 1.1.1.1 (1.1.1.1): 56 data bytes
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
 

Configuration of QFX5100

 
root@QFX5100# show firewall | display set 
set firewall family inet filter lo0 term all then count lo0_all
set firewall family inet filter lo0 term all then accept
set firewall family ethernet-switching filter L2 term test from source-mac-address 54:e0:32:fe:5b:83/48   >>>>>> MAC address of ge-0/0/0 on EX4200-1
set firewall family ethernet-switching filter L2 term test then discard
set firewall family ethernet-switching filter L2 term test then count L2_test

root@QFX5100# show interfaces ge-0/0/0 | display set 
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input L2  >>>>>> Discarded traffic

{master:0}[edit]
root@QFX5100# show interfaces ge-0/0/1 | display set    
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access 

{master:0}[edit]
root@QFX5100# show interfaces lo0 | display set         
set interfaces lo0 unit 0 family inet filter input lo0   
 

Impact of the loopback filter on transit traffic when the ingress interface is Layer 3 (L3)

 
EX4200-1(ge-0/0/0, IP: 1.1.1.2/24) --- (ge-0/0/0 IP: 1.1.1.1/24)QFX5100(ge-0/0/1 IP: 2.2.2.1/24) --- (IP: 2.2.2.2/24)EX4200-2
 

Results of the pings from 1.1.1.2 to 1.1.1.1 (the QFX5100's own address, so RE-bound) and to 2.2.2.2 (transit) on EX4200-1

 
root@EX4200-1# run ping 1.1.1.1 source 1.1.1.2       >>>>>> Succeeded
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=64 time=6.329 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=6.366 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=1.389 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.389/4.695/6.366/2.338 ms

{master:0}[edit]
root@EX4200-1# run ping 2.2.2.2 source 1.1.1.2    >>>>>> Failed
PING 2.2.2.2 (2.2.2.2): 56 data bytes
^C
--- 2.2.2.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

Configuration of QFX5100

 
root@QFX5100# show firewall | display set 
set firewall family inet filter lo0 term all then count lo0_all
set firewall family inet filter lo0 term all then accept
set firewall family inet filter physical term test from source-address 1.1.1.0/24
set firewall family inet filter physical term test then count physical_test
set firewall family inet filter physical term test then discard

root@QFX5100# show interfaces ge-0/0/0 | display set 
set interfaces ge-0/0/0 unit 0 family inet filter input physical
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24

{master:0}[edit]
root@QFX5100# show interfaces lo0 | display set 
set interfaces lo0 unit 0 family inet filter input lo0 

 

Cause:

As documented in PR1080758, on the QFX platform the loopback filter and the interface (iRACL) filters are programmed into the same group. Within that group the loopback filter has the higher priority, and a packet can match only one rule in a group. Once the loopback filter matches a packet destined to the RE, the physical-interface filter is therefore never evaluated for that packet, which is why the physical_test counter above stays at zero.

 

Solution:

This behavior is by design. To work around it, keep the two roles separate: use the lo0 filter to control traffic destined to the switch itself (the RE), and use physical-interface filters for transit traffic, and make sure their actions do not clash. In particular, a term in a physical-interface filter cannot be relied on to block traffic to the RE while an lo0 filter is configured; any such restriction must be placed in the lo0 filter itself.
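The following Python script is an added example (not Juniper code) that models the precedence rule from the Cause section and the check implied by the Solution: it parses `set firewall family inet filter ...` lines as printed by `show firewall | display set`, decides the fate of RE-bound and transit packets under the "one group, loopback wins, one match per group" rule, reproduces the three results observed above, and lists physical-interface terms whose RE-bound effect is shadowed by the lo0 filter. Assumptions not on the page: only `from source-address` matches and the accept/discard/reject/count actions are modelled, and the standard Junos implicit discard at the end of a filter is treated as belonging to whichever filter is evaluated.

```python
"""Model of the QFX lo0 / iRACL filter precedence (added example, not Juniper code).

Rule from the Cause section: for traffic destined to the Routing Engine the
loopback filter and the interface (iRACL) filter sit in one group, the loopback
filter has the higher priority and a packet matches only one rule of the group,
so the interface filter is never consulted. Transit traffic only sees the
interface filter. Assumptions: only `from source-address` matches and the
accept/discard/reject/count actions are modelled; Junos' implicit discard at
the end of a filter belongs to whichever filter is evaluated.
"""
import ipaddress
import re
from collections import OrderedDict

SET_RE = re.compile(
    r"^set firewall family inet filter (\S+) term (\S+) "
    r"(?:from source-address (\S+)|then (count \S+|accept|discard|reject))$"
)

# Constructed input: the QFX5100 configuration shown in the L3 test above.
PAGE_CONFIG = """
set firewall family inet filter lo0 term all then count lo0_all
set firewall family inet filter lo0 term all then accept
set firewall family inet filter physical term test from source-address 1.1.1.0/24
set firewall family inet filter physical term test then count physical_test
set firewall family inet filter physical term test then discard
"""


def parse_filters(config_text):
    """Return {filter: {term: {"sources": [networks], "action": str|None}}}
    in configuration (= evaluation) order; other lines are ignored."""
    filters = OrderedDict()
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        fname, tname, src, action = m.groups()
        term = filters.setdefault(fname, OrderedDict()).setdefault(
            tname, {"sources": [], "action": None})
        if src:
            term["sources"].append(ipaddress.ip_network(src, strict=False))
        elif action and not action.startswith("count"):
            term["action"] = action  # count is non-terminating, keep looking
    return filters


def first_match(terms, src_ip):
    """First term whose from-conditions match wins; a term without any
    from-conditions matches everything; a match with no terminating action
    accepts (standard Junos behaviour)."""
    ip = ipaddress.ip_address(src_ip)
    for name, t in terms.items():
        if not t["sources"] or any(ip in n for n in t["sources"]):
            return name, t["action"] or "accept"
    return None


def decide(filters, lo0_filter, iface_filter, src_ip, to_re):
    """Return (deciding_filter, term, action) for a packet from src_ip entering
    an interface carrying iface_filter while lo0 carries lo0_filter.
    to_re=True means the packet is destined to the switch itself."""
    order = [lo0_filter, iface_filter] if to_re else [iface_filter]
    for fname in order:
        if fname is None or fname not in filters:
            continue
        hit = first_match(filters[fname], src_ip)
        if hit is None:
            return fname, None, "discard"  # implicit discard ends evaluation
        return fname, hit[0], hit[1]       # one match per group: stop here
    return None, None, "accept"            # no filter applied at all


def shadowed_terms(filters, lo0_filter, iface_filter):
    """Interface-filter terms whose action for RE-bound traffic differs from
    what the lo0 filter decides, i.e. terms that silently do nothing for
    traffic to the RE. Each source prefix is probed with its first address."""
    shadowed = []
    for tname, t in filters[iface_filter].items():
        probes = [str(n[0]) for n in t["sources"]] or ["0.0.0.0"]
        for probe in probes:
            lo0_action = decide(filters, lo0_filter, None, probe, to_re=True)[2]
            iface_action = t["action"] or "accept"
            if lo0_action != iface_action:
                shadowed.append((tname, probe, iface_action, lo0_action))
    return shadowed


PAGE_FILTERS = parse_filters(PAGE_CONFIG)


def reproduce_page_results():
    """The outcomes a reader can check against the ping results above."""
    f = PAGE_FILTERS
    return {
        # ping 1.1.1.2 -> 1.1.1.1: RE-bound, lo0 filter wins -> succeeded
        "re_with_lo0": decide(f, "lo0", "physical", "1.1.1.2", to_re=True)[2],
        # ping 1.1.1.2 -> 2.2.2.2: transit, interface filter applies -> failed
        "transit": decide(f, "lo0", "physical", "1.1.1.2", to_re=False)[2],
        # what the operator expected: without an lo0 filter the discard holds
        "re_without_lo0": decide(f, None, "physical", "1.1.1.2", to_re=True)[2],
    }


if __name__ == "__main__":
    for case, action in reproduce_page_results().items():
        print(f"{case}: {action}")
    for term, probe, wanted, got in shadowed_terms(PAGE_FILTERS, "lo0", "physical"):
        print(f"term {term!r} wants {wanted} for {probe} but lo0 gives {got}")
```

Pointing `parse_filters` at the output of `show configuration firewall | display set` from a real QFX and calling `shadowed_terms` with the filter names applied to lo0 and to the interface gives a quick audit of RE-protection terms that the loopback filter will silently override.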

 

Modification History:

2018-08-07: Minor non-technical edit, formatting, and addition of the PR that documents this behavior

 
