Supported Platforms
Troubleshooting Firewall Filters
Troubleshooting issues with firewall filters on EX Series switches:
A Firewall Filter Configuration Returns a “No Space Available in TCAM” Message
Problem
When a firewall filter configuration exceeds the amount of available ternary content addressable memory (TCAM) space, the switch returns the following system log (syslogd) message:
No space available in tcam. Rules for filter filter-name will not be installed.
The switch returns this error message during the commit operation in the following instances:
- If the firewall filter that you have applied to a port, VLAN, or Layer 3 interface requires more than the amount of available TCAM space.
- If you delete and add large firewall filters in the same
commit operation. In this case, the large firewall filter might not
be deleted from the TCAM space, because of which there will be no
TCAM space freed up for the new firewall filter to be added to it.
In addition to the syslogd message, the following error message
is displayed in the CLI:
fpc<device-id> dfw_grph_merge_dfw_bind: rules for filter filter-name will not be installed
However, in both these instances, the commit operation for the firewall filter configuration is completed in the CLI.
Solution
When a firewall filter configuration exceeds the amount of available TCAM table space, you must configure a new firewall filter with fewer filter terms or, if you had deleted and created a firewall filter with a large number of terms (on the order of 1000 or more), you must delete and add the large firewall filters in separate commit operations.
The first procedure (set of steps) in this Solution section tells you how to delete a firewall filter and its bind point and associate a new firewall filter with that existing bind point.
The second procedure in this Solution section tells you how to create a new firewall filter with fewer terms (without deleting the bind point) and bind the new firewall filter with the existing bind point, when you want to create a firewall filter with fewer terms. Do not use the second procedure if you need to replace one large firewall filter with another large firewall filter—you must delete the original large firewall filter and commit that delete operation, and then add the new large firewall filter.
To delete the firewall filter and its bind point and apply a new firewall filter to the same bind point:
- Delete the firewall filter configuration and its bind
points to ports, VLANs, or Layer 3 interfaces—for example:
[edit]
user@switch# delete firewall family ethernet-switching filter mini-filter-ingress-vlan
user@switch# delete vlans voice-vlan description "filter to block rogue devices on voice-vlan"
user@switch# delete vlans voice-vlan filter input mini-filter-ingress-vlan - Commit the operation:
[edit]
user@switch# commit
Note: Use separate commit operations for deleting and adding large firewall filters.
- Configure a firewall filter with fewer terms (if the error
message appeared when you tried to create a new filter) or configure
a large filter (if the error message appeared when you tried to delete
and add large firewall filters)—for example:
[edit]
user@switch# set firewall family ethernet-switching filter new-filter-ingress-vlan ...Note: See Firewall Filters for EX Series Switches Overview to ascertain the maximum number of terms allowed for various firewall filters on EX Series switches.
- Apply (bind) the new firewall filter to a port, VLAN ,
or Layer 3 interface—for example:
[edit]
user@switch# set vlans voice-vlan description "filter to block rogue devices on voice-vlan"
user@switch# set vlans voice-vlan filter input new-filter-ingress-vlan - Commit the operation:
[edit]
user@switch# commit
To create a new firewall filter and attach it to the existing bind point:
- Configure a firewall filter with fewer terms than the
original filter:
[edit]
user@switch# set firewall family ethernet-switching filter new-filter-ingress-vlan... - Apply the firewall filter to the port, VLAN, or Layer 3
interfaces to overwrite the bind points of the original filter—for
example:
[edit]
user@switch# set vlans voice-vlan description "smaller filter to block rogue devices on voice-vlan"
user@switch# set vlans voice-vlan filter input new-filter-ingress-vlanAs a bind point can be attached to only one firewall filter, this configuration detaches the bind point from the previous firewall filter that contained many terms and attaches the bind point to the new firewall filter.
- Commit the operation:
[edit]
user@switch# commit
