eracl-profile (packet-forwarding-options)

Syntax

Hierarchy Level

Description

Use the option of this command to configure egress firewall filters, also known as eRACLs, in scaled mode. This feature is supported only in the egress direction (routed traffic exiting the device).

In Junos, firewall filters are classified as ingress or egress depending on where in the sequence the packet is evaluated and action taken. Filtering traffic on an egress interface can be useful, for example, for safeguarding a third-party device connected to the Juniper switch.

Options

eracl-scale

Use this option to increase the number of egress firewall filters to 2000. When you configure an egress filter in scaled mode, the switch uses ingress TCAM space (IFP) to achieve the higher scale.

Note:

After configuring, modifying, or deleting the eracl-profile statement, you must commit the configuration, and the packet forwarding engine (PFE) must be restarted.

When you enable eracl-scale mode, the following restrictions apply:

You can only apply a filter in the egress direction (traffic exiting the VLAN).
Only inet and inet6 protocol families are supported.
Generic Routing Encapsulation (GRE) interfaces are not supported.
You cannot apply filters with the same match condition to different egress VLANs or Layer 3 interfaces. The only supported actions are accept, discard, and count.
Match conditions are programmed in the ingress firewall filter TCAM. This means that any counters attached to the filter counts traffic on any incoming VLANs.
The eracl-scale option comes configured in global mode. When enabled, any of your existing egress filters will be automatically reinstalled in scaled mode.

Required Privilege Level

firewall—To view this statement in the configuration.

firewall-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Evolved Release 19.4R2 (QFX5220 switches).

ON THIS PAGE