When using the firewall filter function on next generation EX and QFX switches, except QFX10k, the implicit deny rule is added internally as the last term of the filter. This article describes the limitations of the implicit deny rule on L2 firewall filters.
Note: For more details about the implicit deny rule, see Understanding How Firewall Filters Are Evaluated.
On next generation EX and QFX switches, except QFX10k, the implicit deny rule of an L2 firewall filter may not work in certain cases.
The cases in which the implicit deny rule works and does not work are summarized below:
When the implicit deny rule works
L2 switching packet
When an L2 firewall filter is configured on the EX or QFX device and a packet is forwarded by L2 switching, the packet will be discarded by the implicit deny rule.
For example, a packet from Client to Server in the following topology will be discarded:

set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members v100
set interfaces xe-0/0/20 unit 0 family ethernet-switching filter input TEST
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members v100
set firewall family ethernet-switching filter TEST term 1 from ip-protocol ospf
set firewall family ethernet-switching filter TEST term 1 then accept
set vlans v100 vlan-id 100
TEST@Client> ping 192.168.100.2 count 3
PING 192.168.100.2 (192.168.100.2): 56 data bytes
^C
--- 192.168.100.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
L3 switching packet
When an L2 firewall filter is configured on the EX or QFX device and a packet is forwarded by L3 switching, the packet will be discarded by the implicit deny rule.
For example, a packet from Client to Server in the following topology will be discarded.

set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members v100
set interfaces xe-0/0/20 unit 0 family ethernet-switching filter input TEST
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members v200
set interfaces irb unit 100 family inet address 192.168.100.254/24
set interfaces irb unit 200 family inet address 192.168.200.254/24
set firewall family ethernet-switching filter TEST term 1 from ip-protocol ospf
set firewall family ethernet-switching filter TEST term 1 then accept
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.100
set vlans v200 vlan-id 200
set vlans v200 l3-interface irb.200
TEST@Client> ping 192.168.200.1
PING 192.168.200.1 (192.168.200.1): 56 data bytes
^C
--- 192.168.200.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
When the implicit deny rule does not work
Host packet
When an L2 firewall filter is configured on the EX or QFX device and the packet is destined to the host, the packet will not be discarded by the implicit deny rule.
For example, a packet from Client to EX/QFX in the following topology will not be discarded.

set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members v100
set interfaces xe-0/0/20 unit 0 family ethernet-switching filter input TEST
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members v200
set interfaces irb unit 100 family inet address 192.168.100.254/24
set interfaces irb unit 200 family inet address 192.168.200.254/24
set firewall family ethernet-switching filter TEST term 1 from ip-protocol ospf
set firewall family ethernet-switching filter TEST term 1 then accept
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.100
set vlans v200 vlan-id 200
set vlans v200 l3-interface irb.200
TEST@Client> ping 192.168.100.254 count 3
PING 192.168.100.254 (192.168.100.254): 56 data bytes
64 bytes from 192.168.100.254: icmp_seq=0 ttl=64 time=11.540 ms
64 bytes from 192.168.100.254: icmp_seq=1 ttl=64 time=11.119 ms
64 bytes from 192.168.100.254: icmp_seq=2 ttl=64 time=76.848 ms
--- 192.168.100.254 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 11.119/33.169/76.848/30.886 ms
The implicit rule is programmed correctly in the Packet Forwarding Engine (PFE), but by design traffic destined to the host is copied to the Routing Engine (RE), since this port has an IRB interface without a filter. As a result, the implicit rule may not work.
By design, the L2 firewall filter blocks only egress forwarding, which is why the ping to the IRB interface works.
In the non-working case detailed above, the destination MAC address is that of the IRB interface, so copying the traffic to the RE is expected.
With the same configuration, on the other hand, forwarded traffic is dropped by the implicit deny rule, which is designed to block egress forwarding.
To resolve this issue, either apply an inet filter to the IRB interface or add an explicit deny rule as the last term of the Ethernet filter.

To configure the inet filter on the IRB interface
set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members v100
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members v200
set interfaces irb unit 100 family inet filter input TEST
set interfaces irb unit 100 family inet address 192.168.100.254/24
set interfaces irb unit 200 family inet address 192.168.200.254/24
set firewall family inet filter TEST term 1 from protocol ospf
set firewall family inet filter TEST term 1 then accept
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.100
set vlans v200 vlan-id 200
set vlans v200 l3-interface irb.200
To configure the explicit deny rule
set firewall family ethernet-switching filter TEST term 1 from ip-protocol ospf
set firewall family ethernet-switching filter TEST term 1 then accept
set firewall family ethernet-switching filter TEST term 999 then discard
TEST@Client> ping 192.168.100.254 count 3
PING 192.168.100.254 (192.168.100.254): 56 data bytes
--- 192.168.100.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
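
An added audit example (not part of the original article and not Juniper tooling): it scans set-format configuration for ports that carry an L2 filter with no final match-all discard term while a member VLAN has an IRB interface with no inet input filter, which is the host-packet condition described above. It assumes VLANs are referenced by name and that terms are listed in evaluation order; the function name is hypothetical.

```python
import re
from collections import defaultdict

PORT = re.compile(r"set interfaces (\S+) unit (\d+) family ethernet-switching "
                  r"(vlan members|filter input) (\S+)")
IRB_FILTER = re.compile(r"set interfaces irb unit (\d+) family inet filter input \S+")
VLAN_IRB = re.compile(r"set vlans (\S+) l3-interface (irb\.\d+)")
TERM = re.compile(r"set firewall family ethernet-switching filter (\S+) "
                  r"term (\S+) (from|then) (\S+)")

def audit_host_bound_gap(config):
    # Returns (port, L2 filter, IRB) triples where host-bound traffic is not dropped.
    # Assumption: VLANs are referenced by name and terms appear in evaluation order.
    port_vlans, port_filter = defaultdict(set), {}
    vlan_irb, filtered_irbs = {}, set()
    terms = defaultdict(dict)  # filter -> {term: {"from": set, "then": set}}
    for line in map(str.strip, config.splitlines()):
        if m := PORT.match(line):
            ifl = f"{m[1]}.{m[2]}"
            if m[3] == "filter input":
                port_filter[ifl] = m[4]
            else:
                port_vlans[ifl].add(m[4])
        elif m := IRB_FILTER.match(line):
            filtered_irbs.add(f"irb.{m[1]}")
        elif m := VLAN_IRB.match(line):
            vlan_irb[m[1]] = m[2]
        elif m := TERM.match(line):
            term = terms[m[1]].setdefault(m[2], {"from": set(), "then": set()})
            term[m[3]].add(m[4])
    findings = []
    for ifl, name in sorted(port_filter.items()):
        last = list(terms[name].values())[-1:]  # last term as written
        if last and not last[0]["from"] and "discard" in last[0]["then"]:
            continue  # explicit match-all discard also covers host-bound packets
        for vlan in sorted(port_vlans[ifl]):
            irb = vlan_irb.get(vlan)
            if irb and irb not in filtered_irbs:
                findings.append((ifl, name, irb))
    return findings

# Relevant lines of the article's "Host packet" configuration.
HOST_CASE = """
set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members v100
set interfaces xe-0/0/20 unit 0 family ethernet-switching filter input TEST
set firewall family ethernet-switching filter TEST term 1 from ip-protocol ospf
set firewall family ethernet-switching filter TEST term 1 then accept
set vlans v100 l3-interface irb.100
"""
print(audit_host_bound_gap(HOST_CASE))  # [('xe-0/0/20.0', 'TEST', 'irb.100')]
```

Appending either fix from the article (the term 999 discard, or an inet input filter on irb unit 100) clears the finding.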