[QFX] Loopback filter behavior in QFX5K and QFX10K Series devices

Article ID: KB37252 | Last Updated: 21 Jul 2021 | Version: 1.0

Summary:

This article highlights the difference in how the loopback filter functions on QFX5K Series devices compared with QFX10K Series devices.

Symptoms:

Customers might notice that the loopback filter behaves differently on QFX5K and QFX10K devices when a routing instance is configured and the loopback filter rules are expected to apply to traffic arriving in that routing instance.

For example, consider a customer who has a loopback filter that allows SSH only from certain IP ranges and has applied it to lo0.0, which is in the default instance. The customer also has routing instances configured with IRB/IPS. A sample configuration of this scenario is given below:

set apply-groups re-protect
set groups re-protect firewall family inet filter RE_PROTECT term 1 from protocol tcp
set groups re-protect firewall family inet filter RE_PROTECT term 1 from source-prefix-list MGMT_ACCESS
set groups re-protect firewall family inet filter RE_PROTECT term 1 from destination-port 22
set groups re-protect firewall family inet filter RE_PROTECT term 1 then accept
set groups re-protect firewall family inet filter RE_PROTECT term 2 then count DISCARD
set groups re-protect firewall family inet filter RE_PROTECT term 2 then log
set groups re-protect firewall family inet filter RE_PROTECT term 2 then discard
set interfaces lo0 unit 0 family inet filter input RE_PROTECT

set policy-options prefix-list MGMT_ACCESS 10.0.0.0/8

set interfaces irb unit 3011 proxy-macip-advertisement
set interfaces irb unit 3011 virtual-gateway-accept-data
set interfaces irb unit 3011 family inet address 101.1.1.15/24 preferred

set vlans bd-3011 vlan-id 3011
set vlans bd-3011 vxlan vni 3011
set vlans bd-3011 l3-interface irb.3011

set routing-instances TEST instance-type vrf
set routing-instances TEST interface irb.3011
set routing-instances TEST interface lo0.1064

Note: irb.3011 is part of the routing instance TEST, whose loopback unit is lo0.1064; no filter is applied to lo0.1064. The apply-groups statement is required for the RE_PROTECT filter defined under the re-protect group to take effect.

Now, if the customer tries to SSH from the peer device associated with irb.3011, the loopback filter should block it, because the filter is configured to allow SSH only from the 10.0.0.0/8 prefix. However, the observed behavior differs between QFX5K and QFX10K.

In QFX10K, SSH is allowed from the peer device even though lo0.0 has the firewall filter applied:

test$ ssh 101.1.1.15
Password:

(The password prompt appears, so SSH is allowed.)

In QFX5K, on the other hand, SSH is blocked by the firewall filter applied to lo0.0:

test$ ssh 101.1.1.15

(There is no response and no password prompt is given.)

Solution:

This behavior is expected. How the loopback firewall filter works on each platform is explained in greater detail below.

In QFX10K

  • If you configure Filter A on the default loopback interface and Filter B on the VRF loopback interface, the VRF routing instance uses Filter B.

  • If you configure Filter A on the default loopback interface but do not configure a filter on the VRF loopback interface, the VRF routing instance does not use a filter.

  • If you configure Filter A on the default loopback interface but do not configure a VRF loopback interface, the VRF routing instance uses Filter A.

    Note: For MX80 devices, the behavior is slightly different: If you configure filters on the default loopback interface but do not configure a VRF loopback interface, the VRF routing instance uses only the input filters assigned to the default loopback (it does not use output filters from the default loopback).

See MPLS Overview for more information.

In QFX5K

  • The QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210 Series switches do not depend on the VRF match for loopback filters that are configured in different routing instances. In fact, loopback filters per routing instance (such as lo0.100, lo0.103, and lo0.105) are not supported and may cause unpredictable behavior. In this case, it is recommended that you apply the loopback filter (lo0.0) only to the primary routing instance.

See Configuring Logical Units on the Loopback Interface for Routing Instances in Layer 3 VPNs for more information.
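As an added example (not part of the KB article or Juniper's tooling), the following Python script encodes the QFX10K and QFX5K rules above as a configuration audit: it parses set-style lines like those in the Symptoms section (embedded as a constructed sample), works out which input filter protects RE-bound traffic arriving in each routing instance, and flags instances left unfiltered or per-instance loopback filters that QFX5K does not support. The platform labels, function names, and finding text are assumptions of this example.

```python
import re

# Constructed sample based on the article's scenario: lo0.0 carries RE_PROTECT in
# the default instance; routing instance TEST owns lo0.1064 with no filter.
SAMPLE_CONFIG = """
set interfaces lo0 unit 0 family inet filter input RE_PROTECT
set interfaces irb unit 3011 family inet address 101.1.1.15/24 preferred
set routing-instances TEST instance-type vrf
set routing-instances TEST interface irb.3011
set routing-instances TEST interface lo0.1064
"""

LO_FILTER = re.compile(r"^set interfaces lo0 unit (\d+) family inet filter input (\S+)$")
RI_LOOPBACK = re.compile(r"^set routing-instances (\S+) interface lo0\.(\d+)$")

def parse(config):
    """Return ({lo0 unit: input filter}, {routing instance: lo0 unit})."""
    filters, vrf_lo = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := LO_FILTER.match(line):
            filters[int(m.group(1))] = m.group(2)
        elif m := RI_LOOPBACK.match(line):
            vrf_lo[m.group(1)] = int(m.group(2))
    return filters, vrf_lo

def effective_filter(platform, instance, filters, vrf_lo):
    """Input filter applied to RE-bound traffic arriving in `instance`, or None."""
    default_filter = filters.get(0)
    if platform == "qfx5k":
        # Only lo0.0 is honoured, and it applies to every routing instance.
        return default_filter
    if platform == "qfx10k":
        if instance not in vrf_lo:
            return default_filter            # no VRF loopback: Filter A is inherited
        return filters.get(vrf_lo[instance])  # VRF loopback: its own filter, or nothing
    raise ValueError(f"unknown platform {platform!r}")

def audit(platform, config):
    """List findings (hypothetical wording) for a platform and a set-style config."""
    filters, vrf_lo = parse(config)
    findings = []
    for inst, unit in vrf_lo.items():
        if effective_filter(platform, inst, filters, vrf_lo) is None:
            findings.append(f"{inst}: RE-bound traffic unfiltered (lo0.{unit} has no input filter)")
    if platform == "qfx5k":
        for unit in filters:
            if unit != 0:
                findings.append(f"lo0.{unit}: per-instance loopback filter unsupported on QFX5K")
    return findings
```

Running `audit("qfx10k", SAMPLE_CONFIG)` reports the TEST instance as unfiltered, matching the allowed SSH session on QFX10K, while `audit("qfx5k", SAMPLE_CONFIG)` reports nothing because lo0.0's filter covers TEST.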
