epacl-firewall-optimization
Syntax
epacl-firewall-optimization
Hierarchy Level
[edit chassis forwarding-options]
Description
Enable epacl-firewall-optimization to use Layer 2 and Layer 3 match conditions in firewall filters to support micro-segmentation on VXLAN deployments. Filtering in both the ingress and egress directions is supported. (For egress filtering on VLANs, this statement is not needed.)
For example, to create micro-segmentation in a VXLAN, you need to enable the epacl-firewall-optimization statement at the [edit chassis forwarding-options] level of the hierarchy, and then create the firewall rules with the match conditions that you want to filter on.
For both VLANs and VXLANs, you can use the following match conditions:
- ip-source-address
- ip-destination-address
- destination-port
- user-vlan-id
- source-mac-address
- destination-mac-address
- ip-protocol
Valid actions are accept, count, and discard.
The configuration sample below shows how to configure a QFX5110 Series switch that is part of a VXLAN to provide Layer 2 filtering in the egress direction. First we enable epacl-firewall-optimization on the device, and then we create a Layer 2 egress firewall filter named epacl and attach it to the xe-0/0/10.0 interface. The first term tells the switch to accept and count packets from the specified source MAC address (00:00:5e:00:53:a1/48). The second term tells the interface to count and discard all other packets.
set chassis forwarding-options epacl-firewall-optimization
set firewall family ethernet-switching filter epacl term t1 from source-mac-address 00:00:5e:00:53:a1/48
set firewall family ethernet-switching filter epacl term t1 then accept
set firewall family ethernet-switching filter epacl term t1 then count epacl-accept
set firewall family ethernet-switching filter epacl term t2 then discard
set firewall family ethernet-switching filter epacl term t2 then count epacl-discard
set interfaces xe-0/0/10 unit 0 family ethernet-switching filter output epacl
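As an added example that is not part of this Juniper page, the following configuration uses the Layer 3 match conditions listed above to restrict which VXLAN-attached hosts can reach a database server, applied in the ingress direction; the filter name, interface, and addresses are assumed placeholders.

```junos
# Added example, not from the Juniper page. Assumed names: filter "vxlan-seg",
# web server 198.51.100.20 on access port xe-0/0/11.0, database server
# 198.51.100.10, both in a VLAN that is mapped to a VXLAN on a QFX5110.

# The statement documented here must be enabled first; without it the
# Layer 3 match conditions below are not supported on VXLAN.
set chassis forwarding-options epacl-firewall-optimization

# Term 1: the web tier may reach the database only on TCP/3306.
set firewall family ethernet-switching filter vxlan-seg term web-to-db from ip-source-address 198.51.100.20/32
set firewall family ethernet-switching filter vxlan-seg term web-to-db from ip-destination-address 198.51.100.10/32
set firewall family ethernet-switching filter vxlan-seg term web-to-db from ip-protocol tcp
set firewall family ethernet-switching filter vxlan-seg term web-to-db from destination-port 3306
set firewall family ethernet-switching filter vxlan-seg term web-to-db then accept
set firewall family ethernet-switching filter vxlan-seg term web-to-db then count vxlan-seg-web-to-db

# Term 2: anything else aimed at the database host is dropped and counted,
# so the counter doubles as an indicator of unexpected east-west traffic.
set firewall family ethernet-switching filter vxlan-seg term deny-db from ip-destination-address 198.51.100.10/32
set firewall family ethernet-switching filter vxlan-seg term deny-db then discard
set firewall family ethernet-switching filter vxlan-seg term deny-db then count vxlan-seg-deny-db

# Term 3: traffic not destined for the database is unaffected. Junos filters
# end with an implicit discard, so an explicit final accept is required.
set firewall family ethernet-switching filter vxlan-seg term allow-rest then accept

# Apply the filter in the ingress direction on the web server's access port.
set interfaces xe-0/0/11 unit 0 family ethernet-switching filter input vxlan-seg
```

After commit, show firewall filter vxlan-seg displays the per-term counters, so a rising vxlan-seg-deny-db count points to traffic that the segmentation policy is blocking.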
Default
Not enabled.
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 21.1R1 for QFX5110 and QFX5120 Series switches.