
[EX/QFX] L2 Firewall filter implicit deny doesn't work in certain cases


Article ID: KB35445   Last Updated: 10 Mar 2020   Version: 1.0
Summary:

When using the firewall filter function on next generation EX and QFX switches, except QFX10k, the implicit deny rule is added internally as the last term of the filter. This article describes the limitations of the implicit deny rule on L2 firewall filters.

Note: For more details about the implicit deny rule, see Understanding How Firewall Filters Are Evaluated.

 

Symptoms:

On next generation EX and QFX switches, except QFX10k, an implicit deny rule on L2 firewall filter may not work in certain cases.

The cases in which the implicit deny rule does and does not take effect are summarized below:

When the implicit deny rule works

L2 switching packet

When an L2 firewall filter is configured on the EX or QFX device and a packet is forwarded by L2 switching, the packet will be discarded by the implicit deny rule.

For example, a packet from Client to Server in the following topology will be discarded:

set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members v100
set interfaces xe-0/0/20 unit 0 family ethernet-switching filter input TEST
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members v100
set firewall family ethernet-switching filter TEST term 1 from ip-protocol ospf
set firewall family ethernet-switching filter TEST term 1 then accept
set vlans v100 vlan-id 100

TEST@Client> ping 192.168.100.2 count 3
PING 192.168.100.2 (192.168.100.2): 56 data bytes
^C
--- 192.168.100.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

L3 switching packet

When an L2 firewall filter is configured on the EX or QFX device and a packet is forwarded by L3 switching, the packet will be discarded by the implicit deny rule.

For example, a packet from Client to Server in the following topology will be discarded.

set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members v100
set interfaces xe-0/0/20 unit 0 family ethernet-switching filter input TEST
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members v200
set interfaces irb unit 100 family inet address 192.168.100.254/24
set interfaces irb unit 200 family inet address 192.168.200.254/24
set firewall family ethernet-switching filter TEST term 1 from ip-protocol ospf
set firewall family ethernet-switching filter TEST term 1 then accept
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.100
set vlans v200 vlan-id 200
set vlans v200 l3-interface irb.200

TEST@Client> ping 192.168.200.1
PING 192.168.200.1 (192.168.200.1): 56 data bytes
^C
--- 192.168.200.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

When the implicit deny rule does not work

Host packet

When an L2 firewall filter is configured on the EX or QFX device and the packet is destined to the host, the packet will not be discarded by the implicit deny rule.

For example, a packet from Client to EX/QFX in the following topology will not be discarded.

set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members v100
set interfaces xe-0/0/20 unit 0 family ethernet-switching filter input TEST
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members v200
set interfaces irb unit 100 family inet address 192.168.100.254/24
set interfaces irb unit 200 family inet address 192.168.200.254/24
set firewall family ethernet-switching filter TEST term 1 from ip-protocol ospf
set firewall family ethernet-switching filter TEST term 1 then accept
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.100
set vlans v200 vlan-id 200
set vlans v200 l3-interface irb.200

TEST@Client> ping 192.168.100.254 count 3
PING 192.168.100.254 (192.168.100.254): 56 data bytes
64 bytes from 192.168.100.254: icmp_seq=0 ttl=64 time=11.540 ms
64 bytes from 192.168.100.254: icmp_seq=1 ttl=64 time=11.119 ms
64 bytes from 192.168.100.254: icmp_seq=2 ttl=64 time=76.848 ms

--- 192.168.100.254 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 11.119/33.169/76.848/30.886 ms

 

Cause:

The implicit deny rule is correctly programmed in the Packet Forwarding Engine (PFE), but traffic destined to the host is copied to the Routing Engine (RE) by design, because the IRB interface on this VLAN has no filter of its own. As a result, the implicit deny rule does not take effect for that traffic.

By design, the implicit deny of the L2 firewall filter blocks only egress forwarding, which is why a ping to the IRB interface succeeds.

In the non-working case above, the destination MAC address is that of the IRB interface, so copying the traffic to the RE is expected.

With the same configuration, forwarded (transit) traffic is dropped by the implicit deny rule, which is designed to block egress forwarding.

 

Solution:

To resolve this issue, either configure an inet filter on the IRB interface or add an explicit deny (discard) term as the last term of the ethernet-switching filter.

To configure the inet filter on the IRB interface

set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members v100
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members v200
set interfaces irb unit 100 family inet filter input TEST
set interfaces irb unit 100 family inet address 192.168.100.254/24
set interfaces irb unit 200 family inet address 192.168.200.254/24
set firewall family inet filter TEST term 1 from protocol ospf
set firewall family inet filter TEST term 1 then accept
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.100
set vlans v200 vlan-id 200
set vlans v200 l3-interface irb.200

To configure the explicit deny rule

set firewall family ethernet-switching filter TEST term 1 from ip-protocol ospf
set firewall family ethernet-switching filter TEST term 1 then accept
set firewall family ethernet-switching filter TEST term 999 then discard

TEST@Client> ping 192.168.100.254 count 3
PING 192.168.100.254 (192.168.100.254): 56 data bytes

--- 192.168.100.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
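As an added check that is not part of this article or of Junos itself, the following Python script audits set-style configuration for the gap described above: an ethernet-switching input filter on an interface whose VLAN has an IRB, where the filter has no explicit final discard term and the IRB has no inet input filter. The embedded sample is the article's non-working topology trimmed to the relevant statements; the parser recognizes only the statement forms shown in this article.

```python
from collections import defaultdict
# Non-working topology from the article, trimmed to the statements that matter.
NON_WORKING = """\
set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members v100
set interfaces xe-0/0/20 unit 0 family ethernet-switching filter input TEST
set interfaces irb unit 100 family inet address 192.168.100.254/24
set firewall family ethernet-switching filter TEST term 1 from ip-protocol ospf
set firewall family ethernet-switching filter TEST term 1 then accept
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.100
"""

def parse_set_lines(text):
    """Pick out only the statements the audit needs from 'set ...' lines."""
    c = {"if_filter": {}, "if_vlans": defaultdict(set), "vlan_irb": {},
         "irb_filtered": set(), "es_terms": defaultdict(dict)}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "set": continue
        if t[1] == "interfaces" and t[3] == "unit" and len(t) >= 10:
            ifl, rest = f"{t[2]}.{t[4]}", t[5:]
            if rest[:4] == ["family", "ethernet-switching", "vlan", "members"]:
                c["if_vlans"][ifl].add(rest[4])
            elif rest[:4] == ["family", "ethernet-switching", "filter", "input"]:
                c["if_filter"][ifl] = rest[4]
            elif t[2] == "irb" and rest[:4] == ["family", "inet", "filter", "input"]:
                c["irb_filtered"].add(ifl)
        elif (t[1:5] == ["firewall", "family", "ethernet-switching", "filter"]
              and len(t) > 7 and t[6] == "term"):
            terms = c["es_terms"][t[5]]        # dict keeps terms in written order
            terms.setdefault(t[7], None)
            if len(t) > 9 and t[8] == "then":
                terms[t[7]] = t[9]             # terminating action of this term
        elif t[1] == "vlans" and t[3] == "l3-interface":
            c["vlan_irb"][t[2]] = t[4]
    return c

def audit(text):
    """One finding per (interface, VLAN) whose IRB-bound traffic bypasses the implicit deny."""
    c = parse_set_lines(text)
    findings = []
    for ifl, flt in c["if_filter"].items():
        actions = list(c["es_terms"].get(flt, {}).values())
        if actions and actions[-1] == "discard":
            continue                           # explicit final discard also covers host traffic
        for vlan in sorted(c["if_vlans"].get(ifl, ())):
            irb = c["vlan_irb"].get(vlan)
            if irb and irb not in c["irb_filtered"]:
                findings.append(f"{ifl}: {flt} has no final discard term and {irb} has no inet input filter")
    return findings
```

Running `audit(NON_WORKING)` reports the xe-0/0/20.0 / irb.100 gap; appending either of the article's two fixes to the same configuration makes the finding disappear.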

 
