Ethernet Switching

QFX-10002 filter on GRE issue

12-01-2018 11:23 AM

Hi guys!


Has anyone configured firewall filters for gr-x/x/x interfaces? It didn't work when we tried to apply one.
QFX-10002-36Q running Junos version 18.2R1-S3.2.
The config is pretty simple - just a GRE tunnel that uses an IRB (VLAN) interface as transport, with a common /30 subnet inside. All connectivity over the tunnel works fine. But when I try to apply a filter under family inet, it doesn't work.

I didn't find any limitations for this kind of GRE implementation. What could be wrong?


Re: QFX-10002 filter on GRE issue

12-01-2018 12:22 PM

Just did a similar simple test and can confirm I'm seeing the same on Junos 17.4R2-S1. It looks like the firewall filter is not evaluated at all. Strange. I would contact JTAC if possible for further analysis.

root@labdc02-spine01> show configuration interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 10.10.10.2;
        destination 10.10.10.1;
    }
    family inet {
        filter {
            input block-ssh;
        }
        address 10.20.20.1/24;
    }
}

{master:0}
root@labdc02-spine01> ...iguration firewall family inet filter block-ssh
term 1 {
    from {
        destination-port 22;
    }
    then {
        count block;
        reject;
    }
}
term 2 {
    then {
        count accept;
        accept;
    }
}

{master:0}
root@labdc02-spine01> show route 10.20.20.2

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.20.20.0/24      *[Direct/0] 00:16:48
                    > via gr-0/0/0.0

{master:0}

From the opposite end ssh is still doable:

root@labdc01-spine01> ssh 10.20.20.1
The authenticity of host '10.20.20.2 (10.20.20.2)' can't be established.
ECDSA key fingerprint is SHA256:zZX8O4gKhiNjKmKSoB9ct8uJpeCZfnYOQ+OvgG7fWo4.
Are you sure you want to continue connecting (yes/no)? ^C
{master:0}

...and when looking at the firewall counters, neither accept nor block is ever incremented:

root@labdc02-spine01> show firewall counter filter block-ssh block

Filter: block-ssh
Counters:
Name                                                Bytes              Packets
block                                                   0                    0

{master:0}
root@labdc02-spine01> show firewall counter filter block-ssh accept

Filter: block-ssh
Counters:
Name                                                Bytes              Packets
accept                                                  0                    0

{master:0}
root@labdc02-spine01>

--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)

Re: QFX-10002 filter on GRE issue

12-01-2018 03:23 PM

Hi Jonas!

Thanks for sharing your experience! My first thoughts were about a software downgrade, but your situation tells me that it could be useless. This device is used for our customers' production traffic, and I guess it's not a good idea to cause downtime just for 'testing' another Junos version for luck. By the way, I tested IP-IP encapsulation and got the same results - the filters didn't work.


Re: QFX-10002 filter on GRE issue

12-01-2018 09:24 PM

This behavior is expected, as stateless firewall filters are not supported over GRE interfaces.
The URL below mentions it, though it talks about M and T series routers.
I believe the same applies to all QFX10002 platforms.

Note: For transit packets exiting the tunnel, forwarding path features, such as reverse path forwarding (RPF), forwarding table filtering, source class usage, destination class usage, and stateless firewall filtering, are not supported on the interfaces you configure as tunnel sources, but are supported on tunnel-pic interfaces.

http://www.juniper.net/documentation/en_US/junos11.4/topics/usage-guidelines/services-configuring-un...


Re: QFX-10002 filter on GRE issue

12-01-2018 09:39 PM

The filter does not get programmed when applied on gr-0/0/0, but it does get programmed for a normal interface.

TFXPC0(vty)# show filter hw 6

Filter:test (Index:6) Type IPv4 phdl:0x6fa73199 flags:0 n_anh:0 n_sfilters:1
Base Inst:
PFE 0: Empty
PFE 1: Empty
PFE 2: Empty


Re: QFX-10002 filter on GRE issue

12-02-2018 04:19 AM

Hi!

You may be right, but we need to be absolutely sure about this verdict. I'll try to ask JTAC about this.

To be honest, it's very sad to face that kind of limitation on such powerful hardware.


Re: QFX-10002 filter on GRE issue

12-02-2018 06:42 AM

I agree with Anton. If it isn't supported, then it should at least return a warning.

When I read the note, it's relevant for the tunnel source interfaces (in my case the et-0/0/x interfaces) but should be supported on the actual tunnel interfaces (ip- or gr- interfaces). The tunnel-pic part was relevant on older M and T series (and I suspect it's also relevant with old MXs with DPC/iChip line cards).

Note: For transit packets exiting the tunnel, forwarding path features, such as reverse path forwarding (RPF), forwarding table filtering, source class usage, destination class usage, and stateless firewall filtering, are not supported on the interfaces you configure as tunnel sources, but are supported on tunnel-pic interfaces.

The filter is actually also shown as applied to the interface:

root@labdc02-spine01> show interfaces filters
Interface       Admin Link Proto Input Filter         Output Filter
gr-0/0/0        up    up
gr-0/0/0.0      up    up   inet  block-ssh

Anton, please let us know about your progress with JTAC.

--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)
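As an added example (not code from the thread, from Juniper, or from either poster), the check below parses the two command outputs the thread relies on, 'show interfaces filters' and 'show firewall counter', and flags a filter that is bound to a gr-/ip- unit but whose counters never move, so a monitoring job can catch a silently unprogrammed filter instead of trusting the binding shown in the configuration. The sample outputs are constructed to mirror the captures above; the et-0/0/1.0 and mgmt-filter entries are assumed for contrast.

```python
# Constructed sample output, modelled on the thread's CLI captures (not real).
INTERFACE_FILTERS = """\
Interface       Admin Link Proto Input Filter         Output Filter
gr-0/0/0        up    up
gr-0/0/0.0      up    up   inet  block-ssh
et-0/0/1.0      up    up   inet  mgmt-filter
"""
COUNTER_OUTPUT = """\
Filter: block-ssh
Counters:
Name                                                Bytes              Packets
block                                                   0                    0
accept                                                  0                    0

Filter: mgmt-filter
Counters:
Name                                                Bytes              Packets
allow-ssh                                            1234                   17
"""
TUNNEL_PREFIXES = ("gr-", "ip-")  # tunnel interface types named in the thread

def parse_interface_filters(text):
    """Map logical interface -> input filter ('show interfaces filters')."""
    bound = {}
    for line in text.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) >= 5:  # assumes 5+ columns means an input filter is set
            bound[parts[0]] = parts[4]
    return bound

def parse_counters(text):
    """Map filter name -> {counter: packets} ('show firewall counter')."""
    counters, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("Filter:"):
            current = parts[1]
            counters[current] = {}
        elif current and len(parts) == 3 and parts[2].isdigit():
            counters[current][parts[0]] = int(parts[2])  # name bytes packets
    return counters

def silent_tunnel_filters(interface_text, counter_text):
    """Filters bound to gr-/ip- units whose every counter reads 0 packets,
    i.e. the thread's symptom: binding shown, commit fine, no term hit."""
    bound = parse_interface_filters(interface_text)
    counters = parse_counters(counter_text)
    return [(ifl, name) for ifl, name in bound.items()
            if ifl.startswith(TUNNEL_PREFIXES) and counters.get(name)
            and all(p == 0 for p in counters[name].values())]
```

Run it against fresh output after generating traffic through the tunnel; a filter that still appears in the result after live traffic is the case JTAC should see.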