Firewall Filter Match Conditions for Layer 2 CCC Traffic


You can configure a firewall filter with match conditions for Layer 2 circuit cross-connect (CCC) traffic (family ccc).

The following restrictions apply to firewall filters for Layer 2 CCC traffic:

  • The input-list filter-names and output-list filter-names statements for firewall filters for the ccc protocol family are supported on all interfaces with the exception of management interfaces and internal Ethernet interfaces (fxp or em0), loopback interfaces (lo0), and USB modem interfaces (umd).

  • On MX Series routers and EX Series switches only, you cannot apply a Layer 2 CCC stateless firewall filter (a firewall filter configured at the [edit firewall family ccc filter] hierarchy level) as an output filter. On these platforms, firewall filters configured under the family ccc statement can be applied only as input filters.

Table 1 describes the match conditions you can configure at the [edit firewall family ccc filter filter-name term term-name from] hierarchy level.

Table 1: Firewall Filter Match Conditions for Layer 2 CCC Traffic

Match Condition / Description

apply-groups

Specify which groups to inherit configuration data from. You can specify more than one group name. You must list them in order of inheritance priority. The configuration data in the first group takes priority over the data in subsequent groups.

apply-groups-except

Specify which groups not to inherit configuration data from. You can specify more than one group name.

destination-mac-address address

(MX Series routers and EX Series switches only) Match the destination media access control (MAC) address of a virtual private LAN service (VPLS) packet.

To have packets correctly evaluated by this match condition when applied to egress traffic flowing over a CCC circuit from a logical interface on an I-chip DPC in a Layer 2 virtual private network (VPN) routing instance, you must make a configuration change to the Layer 2 VPN routing instance. You must explicitly disable the use of a control word for traffic flowing out over a Layer 2 circuit. The use of a control word is enabled by default for Layer 2 VPN routing instances to support the emulated virtual circuit (VC) encapsulation for Layer 2 circuits.

To explicitly disable the use of a control word for Layer 2 VPNs, include the no-control-word statement at either of the following hierarchy levels:

  • [edit routing-instances routing-instance-name protocols l2vpn]

  • [edit logical-systems logical-system-name routing-instances routing-instance-name protocols l2vpn]

Note: This match condition is not supported on PTX series packet transport routers.

For more information, see Disabling the Control Word for Layer 2 VPNs.

flexible-match-mask value

Match a masked value at an arbitrary position in the packet. The value is specified with the following fields:

  • bit-length: Length of the data to be matched, in bits; not needed for string input (0..128)

  • bit-offset: Bit offset after the (match-start + byte-offset) position (0..7)

  • byte-offset: Byte offset after the match start point

  • flexible-mask-name: Select a flexible match from a predefined template field

  • mask-in-hex: Mask out bits in the packet data to be matched

  • match-start: Start point to match in the packet

  • prefix: Value data/string to be matched

flexible-match-range value

Match a value at an arbitrary position in the packet against a range. The value is specified with the following fields:

  • bit-length: Length of the data to be matched, in bits (0..32)

  • bit-offset: Bit offset after the (match-start + byte-offset) position (0..7)

  • byte-offset: Byte offset after the match start point

  • flexible-range-name: Select a flexible match from a predefined template field

  • match-start: Start point to match in the packet

  • range: Range of values to be matched

  • range-except: Do not match this range of values
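As an added illustration (Python written for this page, not Junos code and not from the original document), the following models how the flexible-match fields combine: match-start plus byte-offset plus bit-offset locate a window of bit-length bits, flexible-match-mask compares that window against prefix under mask-in-hex, and flexible-match-range tests it against range and range-except. The frame, the byte positions assumed for the match-start keywords, and all offsets are constructed for the example; Junos resolves match-start per packet.

```python
# Added example: bit-level evaluator for flexible-match-mask and
# flexible-match-range, using the field names from Table 1.
# Not Junos code; frame, match-start positions and offsets are constructed.

# Constructed single-tagged Ethernet frame:
#   dst MAC 00:11:22:33:44:55, src MAC 66:77:88:99:aa:bb,
#   802.1Q TPID 0x8100, TCI 0xa064 (PCP 5, DEI 0, VID 100),
#   EtherType 0x0800, four payload bytes.
FRAME = bytes.fromhex("001122334455" "66778899aabb" "8100" "a064" "0800" "deadbeef")

# Assumed mapping of match-start keywords to byte positions in THIS frame.
MATCH_START = {"layer-2": 0, "layer-3": 18}


def extract_bits(frame, match_start, byte_offset, bit_offset, bit_length):
    """Return bit_length bits taken bit_offset bits after
    (match-start + byte-offset), as an unsigned integer in network bit order."""
    if not 0 <= bit_offset <= 7:
        raise ValueError("bit-offset must be 0..7")
    start_bit = (MATCH_START[match_start] + byte_offset) * 8 + bit_offset
    end_bit = start_bit + bit_length
    if end_bit > len(frame) * 8:
        raise ValueError("match window runs past the end of the frame")
    first_byte, last_byte = start_bit // 8, (end_bit - 1) // 8
    window = int.from_bytes(frame[first_byte:last_byte + 1], "big")
    trailing = (last_byte + 1) * 8 - end_bit      # bits past the window to drop
    return (window >> trailing) & ((1 << bit_length) - 1)


def flexible_match_mask(frame, *, match_start, byte_offset, bit_length,
                        prefix, mask_in_hex, bit_offset=0):
    """flexible-match-mask: true when the extracted bits equal prefix on
    every bit position that is set in mask-in-hex."""
    if not 0 <= bit_length <= 128:
        raise ValueError("bit-length must be 0..128")
    value = extract_bits(frame, match_start, byte_offset, bit_offset, bit_length)
    return (value & mask_in_hex) == (prefix & mask_in_hex)


def flexible_match_range(frame, *, match_start, byte_offset, bit_length,
                         value_range=None, range_except=None, bit_offset=0):
    """flexible-match-range: true when the extracted value lies inside
    value_range (the CLI `range`) and outside range_except.  Both are
    inclusive (low, high) pairs."""
    if not 0 <= bit_length <= 32:
        raise ValueError("bit-length must be 0..32")
    value = extract_bits(frame, match_start, byte_offset, bit_offset, bit_length)
    if value_range is not None and not value_range[0] <= value <= value_range[1]:
        return False
    if range_except is not None and range_except[0] <= value <= range_except[1]:
        return False
    return True


def demo():
    """Worked checks against the constructed frame."""
    return {
        # TPID at bytes 12..13 equals 0x8100 (exact match, full mask)
        "tpid_is_8100": flexible_match_mask(
            FRAME, match_start="layer-2", byte_offset=12, bit_length=16,
            prefix=0x8100, mask_in_hex=0xFFFF),
        # PCP only: mask the top three bits of the TCI, ignore DEI and VID
        "pcp_is_5": flexible_match_mask(
            FRAME, match_start="layer-2", byte_offset=14, bit_length=16,
            prefix=0xA000, mask_in_hex=0xE000),
        # VID starts 4 bits into the TCI; 100 lies inside 1..200 ...
        "vid_in_1_200": flexible_match_range(
            FRAME, match_start="layer-2", byte_offset=14, bit_offset=4,
            bit_length=12, value_range=(1, 200)),
        # ... but range-except 90..110 removes it again
        "vid_not_excepted": flexible_match_range(
            FRAME, match_start="layer-2", byte_offset=14, bit_offset=4,
            bit_length=12, value_range=(1, 200), range_except=(90, 110)),
        # First 16 payload bits read from the assumed layer-3 anchor
        "payload_word": extract_bits(FRAME, "layer-3", 0, 0, 16),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The bit-offset range 0..7 and the two bit-length ceilings (128 for the mask form, 32 for the range form) are the limits stated in the table; the evaluator rejects anything outside them before touching the frame.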

forwarding-class class

Forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

forwarding-class-except class

Do not match on the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

interface-group group-number

Match the logical interface on which the packet was received to the specified interface group or set of interface groups. For group-number, specify a single value or a range of values from 0 through 255.

To assign a logical interface to an interface group group-number, specify the group-number at the [edit interfaces interface-name unit number family family filter group] hierarchy level.

Note: This match condition is not supported on PTX series packet transport routers.

For more information, see Filtering Packets Received on a Set of Interface Groups Overview.

interface-group-except number

Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups. For details, see the interface-group match condition.

Note: This match condition is not supported on PTX series packet transport routers.

learn-vlan-1p-priority number

(MX Series routers, M320 router, and EX Series switches only) Match on the IEEE 802.1p learned VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with 802.1Q VLAN tags or the outer tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7.

Compare with the user-vlan-1p-priority match condition.

Note: This match condition is not supported on PTX series packet transport routers.

Note: This match condition supports the presence of a control word for MX Series and M320 routers.

learn-vlan-1p-priority-except number

(MX Series routers, M320 router, and EX Series switches only) Do not match on the IEEE 802.1p learned VLAN priority bits. For details, see the learn-vlan-1p-priority match condition.

Note: This match condition is not supported on PTX series packet transport routers.

Note: This match condition supports the presence of a control word for MX Series and M320 routers.

loss-priority level

Packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers and EX Series switches.

For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs), and EX Series switches, you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tri-color statement is not enabled, you can only configure the high and low levels. This applies to all protocol families.

For information about the tri-color statement, see Configuring and Applying Tricolor Marking Policers. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Forwarding Classes Assign Classes to Output Queues.

loss-priority-except level

Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

Note: This match condition is not supported on PTX series packet transport routers.

For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.

user-vlan-1p-priority number

(MX Series routers, M320 router, and EX Series switches only) Match on the IEEE 802.1p user priority bits in the customer VLAN tag (the inner tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7.

Compare with the learn-vlan-1p-priority match condition.

Note: This match condition is not supported on PTX series packet transport routers.

Note: This match condition supports the presence of a control word for MX Series and M320 routers.

user-vlan-1p-priority-except number

(MX Series routers, M320 router, and EX Series switches only) Do not match on the IEEE 802.1p user priority bits. For details, see the user-vlan-1p-priority match condition.

Note: This match condition is not supported on PTX series packet transport routers.

Note: This match condition supports the presence of a control word for MX Series and M320 routers.
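The learn-vlan-1p-priority and user-vlan-1p-priority conditions above read the priority bits of different tags: the provider tag (the only tag of a single-tag frame, or the outer tag of a dual-tag frame) versus the customer tag (the inner tag of a dual-tag frame). As an added illustration (Python written for this page, not Junos code and not from the original document), the following parses the tag stack of constructed frames and evaluates both conditions and their -except forms. Treating 0x88a8 as a tag identifier alongside 0x8100, and returning no value for a customer tag that is absent, are assumptions of this example.

```python
# Added example: which 802.1p field each of the four priority match conditions
# inspects, following the tag positions Table 1 describes.
# Not Junos code; frames and value sets are constructed for the illustration.

TPIDS = {0x8100, 0x88A8}   # assumed tag identifiers: 802.1Q C-tag, 802.1ad S-tag

MACS = bytes.fromhex("001122334455" "66778899aabb")
# single 802.1Q tag: PCP 5, VID 100 (TCI 0xa064)
SINGLE_TAG = MACS + bytes.fromhex("8100a064" "0800") + b"\xde\xad\xbe\xef"
# dual tag: outer S-tag PCP 3, VID 200 (TCI 0x60c8); inner C-tag PCP 5, VID 100
DUAL_TAG = MACS + bytes.fromhex("88a860c8" "8100a064" "0800") + b"\xde\xad\xbe\xef"
UNTAGGED = MACS + bytes.fromhex("0800") + b"\xde\xad\xbe\xef"


def parse_vlan_tags(frame):
    """Return the VLAN tags of an Ethernet frame, outermost first, as
    (tpid, pcp, dei, vid) tuples.  Stops at the first non-tag EtherType."""
    tags, pos = [], 12            # tags start right after the two MAC addresses
    while pos + 4 <= len(frame):
        tpid = int.from_bytes(frame[pos:pos + 2], "big")
        if tpid not in TPIDS:
            break
        tci = int.from_bytes(frame[pos + 2:pos + 4], "big")
        tags.append((tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        pos += 4
    return tags


def learn_vlan_1p_priority(frame):
    """Priority bits of the provider tag: the only tag of a single-tag frame
    or the outer tag of a dual-tag frame.  None for an untagged frame."""
    tags = parse_vlan_tags(frame)
    return tags[0][1] if tags else None


def user_vlan_1p_priority(frame):
    """Priority bits of the customer tag: the inner tag of a dual-tag frame.
    Returning None when there is no inner tag is an assumption of this
    example; the table only defines the dual-tag case."""
    tags = parse_vlan_tags(frame)
    return tags[1][1] if len(tags) >= 2 else None


def term_matches(frame, *, learn_vlan_1p_priority_values=None,
                 learn_vlan_1p_priority_except=None,
                 user_vlan_1p_priority_values=None,
                 user_vlan_1p_priority_except=None):
    """Evaluate the four priority conditions the way a `from` clause combines
    them: every configured condition must hold.  Values are sets of 0..7."""
    checks = (
        (learn_vlan_1p_priority(frame), learn_vlan_1p_priority_values, False),
        (learn_vlan_1p_priority(frame), learn_vlan_1p_priority_except, True),
        (user_vlan_1p_priority(frame), user_vlan_1p_priority_values, False),
        (user_vlan_1p_priority(frame), user_vlan_1p_priority_except, True),
    )
    for observed, wanted, is_except in checks:
        if wanted is None:
            continue                      # condition not configured in this term
        if not wanted <= set(range(8)):
            raise ValueError("802.1p priority values must be 0..7")
        hit = observed in wanted
        if hit == is_except:              # miss on a positive, or hit on an -except
            return False
    return True


if __name__ == "__main__":
    for name, frame in (("single", SINGLE_TAG), ("dual", DUAL_TAG), ("untagged", UNTAGGED)):
        print(name, parse_vlan_tags(frame),
              "learn:", learn_vlan_1p_priority(frame),
              "user:", user_vlan_1p_priority(frame))
```

On the dual-tag frame the two conditions see different values (3 on the outer tag, 5 on the inner), which is the distinction the table's "compare with" cross-references point at; on a single-tag frame only learn-vlan-1p-priority has a value to match.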