Access Control Lists (Firewall Filters)
SUMMARY Read this topic to learn about Layer 2 access control lists (Firewall filters) in the cloud-native router.
Access Control Lists (Firewall Filters)
Starting with Juniper Cloud-Native Router Release 22.2 we've included a limited firewall filter capability. You can configure the filters using the Junos OS CLI within the cloud-native router controller, using NETCONF, or the cloud-native router APIs. Starting with Juniper Cloud-Native Router Release 23.2, you can also configure firewall filters using node annotations and custom configuration template at the time of JCNR deployment. Please review the deployment guide for more details.
During deployment, the system defines and applies firewall filters to block traffic from passing directly between the router interfaces. You can dynamically define and apply more filters. Use the firewall filters to:
-
Define firewall filters for bridge family traffic.
-
Define filters based on one or more of the following fields: source MAC address, destination MAC address, or EtherType.
-
Define multiple terms within each filter.
-
Discard the traffic that matches the filter.
-
Apply filters to bridge domains.
Configuration Example
Below you can see an example of a firewall filter configuration from a cloud-native router deployment:
root@jcnr01> show configuration firewall
firewall {
family {
bridge {
filter example {
term t1 {
from {
destination-mac-address 10:10:10:10:10:11;
source-mac-address 10:10:10:10:10:10;
ether-type arp;
}
then {
discard;
}
}
}
}
}
}discard action.set
routing-instances vswitch bridge-domains bd3001 forwarding-options filter
input filter1 configuration command. Then you must commit the
configuration for the firewall filter to take effect. To see how many packets matched the
filter (per VLAN), you can issue the show firewall filter
filter1 command on the controller CLI. For
example:
show firewall filter filter1 Filter : filter1 vlan-id : 3001 Term Packet t1 0
In
the preceding example, we applied the filter to the bridge domain bd3001.
The filter has not yet matched any packets.
Troubleshooting
The following table lists some of the potential problems that you might face when you implement firewall rules or ACLs in the cloud-native router. You run most of these commands on the host server.
| Problem | Possible Causes and Resolution | Command |
|---|---|---|
| Firewall filters or ACLs not working | gRPC connection (port 50052) to the vRouter is down. Check the gRPC connection. |
netstat -antp|grep 50052 |
The ui-pubd process is not running. Check whether
ui-pubd is running. |
ps aux|grep ui-pubd |
|
| Firewall filter or ACL show commands not working | The gRPC connection (port 50052) to the vRouter is down. Check the gRPC connection. |
netstat -antp|grep 50052 |
| The firewall service is not running. |
ps aux|grep firewall |
|
show log filter.logYou must run this command in the JCNR-controller (cRPD) CLI. |