Technical Documentation

Enabling Inspection of MPLS Traffic

Before the IDP engine can inspect the payload of Multiprotocol Label Switching (MPLS) traffic, it must decapsulate it. You can use the command-line interface to enable MPLS decapsulation.

For an overview of MPLS decapsulation support and limitations, see the IDP Concepts and Examples Guide.

To enable MPLS decapsulation:

  1. Log into the CLI as admin and enter su - to switch to root.
  2. Enter the following command to enable decapsulation:

    [root@defaulthost admin]# scio const -s s0 set sc_mpls_decapsulation 1
    scio: sc_mpls_decapsulation = 0x1

    The value 0x1 indicates MPLS support is enabled.

Changes you make to kernel constants from the CLI do not persist across restarts. To make your change persistent:

  1. Open the /usr/idp/device/bin/user_funcs file in a text editor, such as vi.
  2. Locate the MPLS constant below the line user_start_end():
    user_start_pre_policy ()
    {
            # Disable ARP spoofing detection
            # -------------------------------
            # If you are running clusters with virtual MAC addresses, IDP will treat
            # these as spoofed ARP packets since the MAC addresses in the ethernet
            # frame will be different from what is inside the ARP request/response. If
            # you have multiple virtual routers, you need to perform this operation on
            # all defined virtual routers.
            #
            # $SCIO const -v vr0 set sc_arp_spoof_detect 0
            # $SCIO const -s s0 set sc_mpls_decapsulation 1
            return;
    }

  3. Uncomment the $SCIO const -s s0 set sc_mpls_decapsulation 1 line. For example:
    user_start_pre_policy ()
    {
            # Disable ARP spoofing detection
            # -------------------------------
            # If you are running clusters with virtual MAC addresses, IDP will treat
            # these as spoofed ARP packets since the MAC addresses in the ethernet
            # frame will be different from what is inside the ARP request/response. If
            # you have multiple virtual routers, you need to perform this operation on
            # all defined virtual routers.
            #
            # $SCIO const -v vr0 set sc_arp_spoof_detect 0
            $SCIO const -s s0 set sc_mpls_decapsulation 1
            return;
    }

  4. Save the file.
  5. Restart the IDP engine:

    [root@defaulthost admin]# idp.sh restart

    Restarting the IDP process engine can take several moments.
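The following script is an added example, not part of this documentation, for auditing the two halves of the procedure above: it parses the `scio: sc_mpls_decapsulation = 0x1` line to confirm the runtime setting, and checks that user_funcs carries the uncommented `$SCIO const -s s0 set sc_mpls_decapsulation 1` line so the setting survives a restart. The sample scio output and user_funcs fragment are constructed here for offline use; the default file path is the one the procedure names.

```shell
#!/bin/sh
# Added example, not part of the Juniper documentation: verify that MPLS
# decapsulation is enabled at runtime and that the change is persisted in
# user_funcs. The default path below is the one the procedure names.
USER_FUNCS="${USER_FUNCS:-/usr/idp/device/bin/user_funcs}"

# Read scio output on stdin and succeed only if it reports
# "sc_mpls_decapsulation = 0x1" (the line the procedure shows).
mpls_runtime_enabled() {
    awk '/^scio: sc_mpls_decapsulation = / { if ($4 == "0x1") ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Succeed only if the file in $1 has an active (uncommented) line setting
# sc_mpls_decapsulation to 1; the commented template line does not count.
mpls_persisted() {
    grep -Eq '^[[:space:]]*\$SCIO[[:space:]]+const[[:space:]]+-s[[:space:]]+s0[[:space:]]+set[[:space:]]+sc_mpls_decapsulation[[:space:]]+1[[:space:]]*$' "$1"
}

# Constructed user_funcs fragment, modelled on the one in the procedure,
# written to $1; pass "active" as $2 to emit the uncommented line.
write_sample_user_funcs() {
    prefix='# '
    if [ "${2:-}" = "active" ]; then prefix=''; fi
    printf '%s\n' 'user_start_pre_policy ()' '{' \
        '        # $SCIO const -v vr0 set sc_arp_spoof_detect 0' \
        "        ${prefix}\$SCIO const -s s0 set sc_mpls_decapsulation 1" \
        '        return;' '}' > "$1"
}

# Constructed scio output, as the procedure shows it, for offline checks.
SAMPLE_ENABLED='scio: sc_mpls_decapsulation = 0x1'
SAMPLE_DISABLED='scio: sc_mpls_decapsulation = 0x0'

# "--check" audits the real user_funcs file on a sensor; the runtime check
# is left to the caller, who pipes actual scio output into
# mpls_runtime_enabled.
if [ "${1:-}" = "--check" ]; then
    if mpls_persisted "$USER_FUNCS"; then
        echo "persisted: active sc_mpls_decapsulation line found in $USER_FUNCS"
    else
        echo "NOT persisted: setting will be lost on restart ($USER_FUNCS)" >&2
        exit 1
    fi
fi
```

Run it with `--check` on the sensor after step 4 to confirm the edit took effect before restarting the engine.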


Published: 2010-01-12