
[QFX] TCAM doubling consumption on Egress filters for IRB


Article ID: KB36253 | Last Updated: 07 Oct 2020 | Version: 1.0
Summary:

TCAM consumption doubles for egress filters on IRB/VLAN interfaces compared to the same filter applied as an ingress filter.

  • When a filter is applied to an egress IRB or VLAN interface, it occupies twice as many TCAM entries as the same filter applied to an ingress IRB or VLAN interface or to an L3 interface.
  • When a filter is applied to the loopback interface, it occupies three to four times as many TCAM entries as the same filter applied to an L3 interface.
  • For an egress filter on a regular interface, one IP address in a term occupies one TCAM entry.
  • For an egress filter on an IRB interface, one IP address in a term occupies two TCAM entries.
Symptoms:

Firewall filter:

set firewall family inet filter IRB-count2 term 1 from source-address 192.168.10.2/32
set firewall family inet filter IRB-count2 term 1 from destination-address 192.168.10.3/32
set firewall family inet filter IRB-count2 term 1 then reject
set firewall family inet filter IRB-count2 term 2 then accept

INPUT filter:  

set interfaces irb unit 10 family inet filter input IRB-count2
set interfaces irb unit 10 family inet address 192.168.10.1/24

FPC0(d23-8 vty)# show filter hw 1 show_term_info  
======================
Filter index   : 1
======================

- Filter name  : IRB-count2

+ Hardware Instance : 1
  + Hardware key (struct brcm_dfw_hw_key_t):
    - Type          : IRACL
    - Vlan id       : 0
    - Direction     : ingress
    - Protocol      : 2 (IPv4)
    - Port class id : 0
    - Class id      : 0
    - Loopback      : 0
    - Port          : 0(xe-1)
    - Vlan tag      : 0
    - Non-overflow  : 1
  + FP usage info (struct brcm_dfw_fp_t):
    - Group                           : IFP iRACL group (33)
    - My Mac                          : 00:00:00:00:00:00
    - Loopback Reference Count        : 00000000
    - IFL Type                        : unknown (0)
    + List of tcam entries            : [ total: 2; ]
        - Pipe: 0; [1017 1021 ]
        - Pipe: 1; [1018 1022 ]
        - Pipe: 2; [1019 1023 ]
        - Pipe: 3; [1020 1024 ]
    + List of ranges                  : [ total: 0; ]
        - Pipe: 0 []
        - Pipe: 1 []
        - Pipe: 2 []
        - Pipe: 3 []
    + List of interface match entries : [ total: 0; ]
        - Pipe: 0 []
        - Pipe: 1 []
        - Pipe: 2 []
        - Pipe: 3 []
    + List of dot1q-tag match entries : [ total: 0; ]
        - Pipe: 0 []
        - Pipe: 1 []
        - Pipe: 2 []
        - Pipe: 3 []
    - List of l3 ifl index entries    : [ total: 1; 544 (3) ]
    + List of vfp tcam entries        : [ total: 0; ]
        - Pipe: 0 []
        - Pipe: 1 []
        - Pipe: 2 []
        - Pipe: 3 []
  + Misc info (struct brcm_dfw_misc_info_t):
    - List of <anlz_id, entry_id> : [ total: 0; ]
  + Bind point info (union brcm_dfw_bind_point_info_t):
    + Class id      : 1
      - Vlans       : [3 (total:1/4096)]
  + Programmed: YES
  + BD ID     : 219
  + Total TCAM entries available: 1022
  + Total TCAM entries needed   : 2
  + Term Expansion:
    - Term    1: will expand to     1 term : Name "1"
    - Term    2: will expand to     1 term : Name "2"
  + Term TCAM entry requirements:
    - Term    1: needs     1 TCAM entry  : Name "1"
    - Term    2: needs     1 TCAM entry  : Name "2"
  + Total TCAM entries available: 1022
  + Total TCAM entries needed   : 2 

OUTPUT filter:  

set interfaces irb unit 10 family inet filter output IRB-count2
set interfaces irb unit 10 family inet address 192.168.10.1/24

FPC0(d23-8 vty)# show filter hw 1 show_term_info    
======================
Filter index   : 1
======================

- Filter name  : IRB-count2

+ Hardware Instance : 1
  + Hardware key (struct brcm_dfw_hw_key_t):
    - Type          : ERACL
    - Vlan id       : 3
    - Direction     : egress
    - Protocol      : 2 (IPv4)
    - Port class id : 0
    - Class id      : 0
    - Loopback      : 0
    - Port          : 0(xe-1)
    - Vlan tag      : 100
    - Non-overflow  : 0
  + FP usage info (struct brcm_dfw_fp_t):
    - Group                           : EFP eRACL group (54)
    - My Mac                          : 00:00:00:00:00:00
    - Loopback Reference Count        : 00000000
    - IFL Type                        : unknown (0)
    + List of tcam entries            : [ total: 4; ]
        - Pipe: 0; [1037 1041 1045 1049 ]
        - Pipe: 1; [1038 1042 1046 1050 ]
        - Pipe: 2; [1039 1043 1047 1051 ]
        - Pipe: 3; [1040 1044 1048 1052 ]
    + List of ranges                  : [ total: 0; ]
        - Pipe: 0 []
        - Pipe: 1 []
        - Pipe: 2 []
        - Pipe: 3 []
    + List of interface match entries : [ total: 0; ]
        - Pipe: 0 []
        - Pipe: 1 []
        - Pipe: 2 []
        - Pipe: 3 []
    + List of dot1q-tag match entries : [ total: 2; ]
        - Pipe: 0 [1041 (3 100 U 1) 1049 (3 100 U 1) ]
        - Pipe: 1 [1042 (3 100 U 1) 1050 (3 100 U 1) ]
        - Pipe: 2 [1043 (3 100 U 1) 1051 (3 100 U 1) ]
        - Pipe: 3 [1044 (3 100 U 1) 1052 (3 100 U 1) ]
    - List of l3 ifl index entries    : [ total: 0; ]
    + List of vfp tcam entries        : [ total: 0; ]
        - Pipe: 0 []
        - Pipe: 1 []
        - Pipe: 2 []
        - Pipe: 3 []
  + Misc info (struct brcm_dfw_misc_info_t):
    - List of <anlz_id, entry_id> : [ total: 0; ]
  + Bind point info (union brcm_dfw_bind_point_info_t):
    - No grouping possible
  + Programmed: YES
  + BD ID     : 220
  + Total TCAM entries available: 1019
  + Total TCAM entries needed   : 4
  + Term Expansion:
    - Term    1: will expand to     1 term : Name "1"
    - Term    2: will expand to     1 term : Name "2"
  + Term TCAM entry requirements:
    - Term    1: needs     2 TCAM entries: Name "1"
    - Term    2: needs     2 TCAM entries: Name "2"
  + Total TCAM entries available: 1019
  + Total TCAM entries needed   : 4

Total hardware instances: 1
Solution:

With a regular L3 interface filter (ingress or egress), each term produces one TCAM entry, keyed on InterfaceClassPort.
With an IRB egress filter, each term produces two TCAM entries, keyed on OuterVlanId and VlanFormat: one for the "tagged vlan HW token" and one for the "untagged vlan HW token". This is why the egress output above shows two dot1q-tag match entries per term and "needs 2 TCAM entries" where the ingress output shows "needs 1 TCAM entry".

This behaviour is a hardware limitation of the QFX series.
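The following is an added example, not part of the Juniper article: it parses the "Term TCAM entry requirements" section of the `show filter hw <idx> show_term_info` output for the ingress and egress bindings of the same filter, checks that the per-term counts add up to "Total TCAM entries needed", and reports the per-term multiplier so that capacity planning for an egress IRB filter can be done before it is committed. The two sample outputs are constructed, abridged copies of the article's dumps; the helper names are assumptions.

```python
"""Verify the egress-IRB TCAM doubling from 'show filter hw N show_term_info' output."""
import re

# Constructed, abridged copies of the article's ingress (IRACL) and egress (ERACL) dumps.
INGRESS_OUT = """\
    - Type          : IRACL
    - Direction     : ingress
  + Term TCAM entry requirements:
    - Term    1: needs     1 TCAM entry  : Name "1"
    - Term    2: needs     1 TCAM entry  : Name "2"
  + Total TCAM entries available: 1022
  + Total TCAM entries needed   : 2
"""
EGRESS_OUT = """\
    - Type          : ERACL
    - Direction     : egress
  + Term TCAM entry requirements:
    - Term    1: needs     2 TCAM entries: Name "1"
    - Term    2: needs     2 TCAM entries: Name "2"
  + Total TCAM entries available: 1019
  + Total TCAM entries needed   : 4
"""

TERM_RE = re.compile(r'- Term\s+\d+: needs\s+(\d+) TCAM entr(?:y|ies)\s*:\s*Name "([^"]+)"')

def parse_term_info(text):
    """Return (direction, {term_name: entries}, needed, available) for one filter dump.
    Raises ValueError if the per-term counts do not sum to the reported total."""
    direction = re.search(r"- Direction\s*:\s*(\S+)", text).group(1)
    terms = {name: int(n) for n, name in TERM_RE.findall(text)}
    needed = int(re.search(r"Total TCAM entries needed\s*:\s*(\d+)", text).group(1))
    avail = int(re.search(r"Total TCAM entries available\s*:\s*(\d+)", text).group(1))
    if sum(terms.values()) != needed:
        raise ValueError("per-term entries do not match 'Total TCAM entries needed'")
    return direction, terms, needed, avail

def per_term_multiplier(ingress_text, egress_text):
    """Ratio of egress to ingress TCAM entries for each term of the same filter."""
    _, ing, _, _ = parse_term_info(ingress_text)
    _, egr, _, _ = parse_term_info(egress_text)
    return {t: egr[t] // ing[t] for t in ing}

def plan_entries(ingress_terms, egress_irb=True):
    """Estimate the entries an ingress filter will need if re-bound as an egress
    IRB/VLAN filter (x2 per the article); an L3 ingress/egress binding stays x1."""
    return sum(ingress_terms.values()) * (2 if egress_irb else 1)
```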
