Junos OS


Firewall filters on vxlan Tcam issue

  • 1.  Firewall filters on vxlan Tcam issue

    Posted 18 days ago
    Hello,

    I am trying to set up a simple firewall filter on our QFX switch. We use VXLAN, and the filter is applied on an ae interface which is part of an ESI LAG.

    Error message:
    Jan 7 10:54:50.687 2021 fpc0 DFWE ERROR DFW: Cannot program filter "ae28-input" (type IPACL_VXLAN) - TCAM has 768 free entries and the filter requires 1085 free entries
    Filter:
    family ethernet-switching {
        filter ae28-input {
            term accept_sip {
                from {
                    ip-source-address {
                        46.182.XXX.XXX/32;
                        213.148.XXX.XXX/32;
                        213.148.XXX.XXX/32;
                    }
                }
                then accept;
            }
            term sip_sperre {
                from {
                    port [ 5060 5061 ];
                    destination-prefix-list {
                        sip_sperre; # 3 Addresses inside 
                    }
                    ip-protocol tcp;
                }
                then discard;
            }
            term accept_all_other {
                then accept;
            }
        }
    }
    
    {master:0}[edit]

    How can this filter use 1085 TCAM entries? I think it's a filter / VXLAN issue?


  • 2.  RE: Firewall filters on vxlan Tcam issue

     
    Posted 18 days ago
    It seems that you are exceeding the limit, and that's the reason you are seeing the error message and the firewall filter is not being programmed in the PFE.
    You can optimize the filter by aggregating the network IPs instead of using /32s, which take up to 4 TCAM entries per /32.

    I believe these KBs might help you:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB32027
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB30953&actp=METADATA



    ------------------------------

    If my answer provides the solution, please mark my post as "Best Answer".

    ------------------------------
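The reply above recommends aggregating /32 host entries into covering prefixes. The following added example (not from the original thread, not Juniper code) makes that concrete: it collapses a list of host prefixes with Python's `ipaddress.collapse_addresses` and estimates how a filter term shaped like the poster's (source list, destination list, port list, protocol) expands into hardware entries under a simplified cross-product model. The model is an assumption: every combination of match values is one entry, the generic `port` match is counted once per direction (it matches source or destination port), and a /32 match is charged the "up to 4 entries" figure from the reply. The sample addresses are constructed from documentation ranges, not the poster's masked ones.

```python
"""Added example: estimate TCAM entries for a Junos-style filter term under a
simplified cross-product model and show how collapsing /32 hosts into
covering prefixes shrinks the count. The model is an assumption, not the
QFX PFE's real allocation algorithm."""
import ipaddress
from itertools import product

# Assumption (figure quoted from the reply): a /32 match can cost this many entries.
ENTRIES_PER_HOST_PREFIX = 4
# Assumption: the generic `port` match covers source OR destination port, so each
# port value is programmed once per direction; `destination-port` would be 1.
PORT_DIRECTIONS = 2

# Constructed sample input, modelled on the two terms in the posted filter.
SIP_SOURCES = ["192.0.2.16/32", "192.0.2.17/32", "192.0.2.18/32", "192.0.2.19/32"]
BLOCK_DESTS = ["198.51.100.2/32", "198.51.100.3/32", "198.51.100.4/32"]
SIP_PORTS = [5060, 5061]


def aggregate(prefixes):
    """Collapse prefixes into the minimal covering networks,
    e.g. four consecutive /32s become one /30."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def _wild(values):
    """An empty match list means 'any' and contributes one wildcard value."""
    return list(values) or ["any"]


def expand_term(sources=(), destinations=(), ports=(), protocols=()):
    """Every (src, dst, port, proto) combination the term must match."""
    return list(product(_wild(sources), _wild(destinations), _wild(ports), _wild(protocols)))


def estimate_entries(sources=(), destinations=(), ports=(), protocols=()):
    """Weight each combination: x PORT_DIRECTIONS when a port is matched and
    x ENTRIES_PER_HOST_PREFIX when the source or destination is a /32 host."""
    total = 0
    for src, dst, port, _proto in expand_term(sources, destinations, ports, protocols):
        cost = 1
        if port != "any":
            cost *= PORT_DIRECTIONS
        if any(a != "any" and ipaddress.ip_network(a).prefixlen == 32 for a in (src, dst)):
            cost *= ENTRIES_PER_HOST_PREFIX
        total += cost
    return total


def compare(sources=(), destinations=(), ports=(), protocols=()):
    """Entry estimate for a term before and after prefix aggregation."""
    before = estimate_entries(sources, destinations, ports, protocols)
    after = estimate_entries(
        aggregate(sources) if sources else (),
        aggregate(destinations) if destinations else (),
        ports,
        protocols,
    )
    return before, after


if __name__ == "__main__":
    print("accept_sip   before/after:", compare(sources=SIP_SOURCES))
    print("sip_sperre   before/after:", compare(destinations=BLOCK_DESTS,
                                                ports=SIP_PORTS, protocols=["tcp"]))
    print("accept_all_other:", estimate_entries())
```

Running it shows the aggregation effect: four consecutive /32 sources collapse to one /30, so the first term drops from 16 weighted entries to 1; the block term's three destinations only partly collapse (two hosts become a /31, one /32 remains), so it drops from 48 to 20. A term with no match conditions is a single wildcard entry. Even under this generous model the posted filter stays far below 1085 entries, which is the point the poster raises in the next reply: the error is not explained by the visible terms alone.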




  • 3.  RE: Firewall filters on vxlan Tcam issue

    Posted 18 days ago
    Hello,

    This is correct, but:
    there are no other filters on the switch, and these 3 terms should not use 1085 TCAM entries. I think there is another problem with VXLAN filters.