Firewall Filter Match Conditions for VPLS Traffic

 

In the from statement in the VPLS filter term, you specify conditions that the packet must match for the action in the then statement to be taken. All conditions in the from statement must match for the action to be taken. The order in which you specify match conditions is not important, because a packet must match all the conditions in a term for a match to occur.

If you specify no match conditions in a term, that term matches all packets.

An individual condition in a from statement can contain a list of values. For example, you can specify numeric ranges. You can also specify multiple source addresses or destination addresses. When a condition defines a list of values, a match occurs if one of the values in the list matches the packet.

Individual conditions in a from statement can be negated. When you negate a condition, you are defining an explicit mismatch. For example, the negated match condition for forwarding-class is forwarding-class-except. If a packet matches a negated condition, it is immediately considered not to match the from statement, and the next term in the filter is evaluated, if there is one. If there are no more terms, the packet is discarded.
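The following configuration is added here as an illustration of these three rules and is not taken from the Junos OS documentation; the filter name, term names, counter names, policer parameters and MAC addresses are assumed for the example. The first term shows a list inside one condition (any listed value matches), the second shows two conditions ANDed together with one of them negated, and the final term exists only because a frame that matches no term is discarded by the implicit default action.

```junos
firewall {
    family vpls {
        filter cust-a-in {
            /* A list of values inside a single condition is ORed: the term
               matches a frame sent to EITHER of these destination MACs. */
            term drop-to-blocked-hosts {
                from {
                    destination-mac-address [ 00:11:22:33:44:55 00:11:22:33:44:66 ];
                }
                then {
                    count blocked-dst;
                    discard;
                }
            }
            /* Conditions in one from statement are ANDed. The negated
               condition is an explicit mismatch: a known-unicast frame fails
               this term at once and falls through to the next term. */
            term police-flooded-ipv4 {
                from {
                    traffic-type-except known-unicast;
                    ether-type ipv4;
                }
                then {
                    policer flood-limit;
                    count flooded-ipv4;
                    accept;
                }
            }
            /* A term with no from statement matches every frame. Without it,
               frames that match no earlier term are silently discarded. */
            term allow-rest {
                then accept;
            }
        }
    }
    policer flood-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
```

When testing a filter like this, check the counters (blocked-dst, flooded-ipv4) to confirm that traffic is landing in the term you expect; a missing final accept term shows up as all-unmatched traffic disappearing rather than as an error at commit time.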

You can configure a firewall filter with match conditions for Virtual Private LAN Service (VPLS) traffic (family vpls). Table 1 describes the match conditions you can configure at the [edit firewall family vpls filter filter-name term term-name from] hierarchy level.

Note

Not all match conditions for VPLS traffic are supported on all routing platforms or switching platforms. A number of match conditions for VPLS traffic are supported only on MX Series 5G Universal Routing Platforms.

In the VPLS documentation, the word router in terms such as PE router is used to refer to any device that provides routing functions.

Table 1: Firewall Filter Match Conditions for VPLS Traffic

Match Condition

Description

destination-mac-address address

Match the destination media access control (MAC) address of a VPLS packet.

destination-port number

(MX Series routers and EX Series switches only) Match the UDP or TCP destination port field.

You cannot specify both the port and destination-port match conditions in the same term.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

destination-port-except number

(MX Series routers and EX Series switches only) Do not match on the TCP or UDP destination port field. You cannot specify both the port and destination-port match conditions in the same term.

destination-prefix-list name

(ACX Series routers, MX Series routers, and EX Series switches only) Match destination prefixes in the specified list. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

Note: VPLS prefix lists support only IPv4 addresses. IPv6 addresses included in a VPLS prefix list will be discarded.

destination-prefix-list name except

(MX Series routers and EX Series switches only) Do not match destination prefixes in the specified list. For more information, see the destination-prefix-list match condition.

dscp number

(MX Series routers and EX Series switches only) Match the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.

You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).

  • RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:

af11 (10), af12 (12), af13 (14),

af21 (18), af22 (20), af23 (22),

af31 (26), af32 (28), af33 (30),

af41 (34), af42 (36), af43 (38)

dscp-except number

(MX Series routers and EX Series switches only) Do not match on the DSCP. For details, see the dscp match condition.

ether-type values

Match the 2-octet IEEE 802.3 Length/EtherType field to the specified value or list of values.

You can specify decimal or hexadecimal values from 0 through 65535 (0xFFFF). A value from 0 through 1500 (0x05DC) is interpreted as the length field of an IEEE 802.3 frame (referred to here as an Ethernet Version 1 frame). A value from 1536 (0x0600) through 65535 is interpreted as the EtherType (the nature of the MAC client protocol) of an Ethernet Version 2 frame.

In place of the numeric value, you can specify one of the following text synonyms (the hexadecimal values are also listed): aarp (0x80F3), appletalk (0x809B), arp (0x0806), ipv4 (0x0800), ipv6 (0x86DD), mpls-multicast (0x8848), mpls-unicast (0x8847), oam (0x8902), ppp (0x880B), pppoe-discovery (0x8863), pppoe-session (0x8864), or sna (0x80D5).

ether-type-except values

Do not match the 2-octet Length/EtherType field to the specified value or list of values.

For details about specifying the values, see the ether-type match condition.

flexible-match-mask value

Starting in Junos OS 14.2, flexible offset filters are supported in firewall hierarchy configurations. Match an arbitrary field in the packet, located by an offset from a chosen start point, against a value after applying a bit mask. The sub-options are:

  • bit-length: Length of the data to be matched in bits (0..128); not needed for string input

  • bit-offset: Bit offset after the (match-start + byte-offset) offset (0..7)

  • byte-offset: Byte offset after the match start point

  • flexible-mask-name: Select a flexible match from a predefined template field

  • mask-in-hex: Mask out bits in the packet data to be matched

  • match-start: Start point to match in the packet

  • prefix: Value data/string to be matched

flexible-match-range value

Match an arbitrary field in the packet, located by an offset from a chosen start point, against a range of values. The sub-options are:

  • bit-length: Length of the data to be matched in bits (0..32)

  • bit-offset: Bit offset after the (match-start + byte-offset) offset (0..7)

  • byte-offset: Byte offset after the match start point

  • flexible-range-name: Select a flexible match from a predefined template field

  • match-start: Start point to match in the packet

  • range: Range of values to be matched

  • range-except: Do not match this range of values
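The following term is added here as an illustration of flexible-match-mask and is not taken from the Junos OS documentation. It drops DHCP server replies arriving on a customer-facing VPLS interface (a rogue-DHCP-server guard): such packets carry UDP source port 67 and a BOOTP op field of 2 (BOOTREPLY) in the first byte of the UDP payload. The filter and counter names are assumed, and the match-start keyword layer-4 (start of the transport header) is an assumption about the platform's accepted keywords; check the CLI help for match-start on your platform before relying on it.

```junos
firewall {
    family vpls {
        filter cust-a-in {
            term drop-rogue-dhcp-replies {
                from {
                    ether-type ipv4;
                    ip-protocol udp;
                    /* bootps: DHCP/BOOTP server port */
                    source-port 67;
                    flexible-match-mask {
                        /* assumed keyword: offsets are counted from the UDP header */
                        match-start layer-4;
                        /* UDP header is 8 bytes, so byte 8 is payload byte 0 (BOOTP op) */
                        byte-offset 8;
                        bit-length 8;
                        mask-in-hex 0xff;
                        /* BOOTREPLY */
                        prefix 0x02;
                    }
                }
                then {
                    count rogue-dhcp-replies;
                    discard;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
```

The ether-type, ip-protocol and source-port conditions are what make the flexible match safe: they ensure the masked byte is only compared in IPv4 UDP packets from port 67, so the term cannot accidentally fire on an unrelated frame that happens to carry 0x02 at the same offset.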

 

forwarding-class class

Match the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

forwarding-class-except class

Do not match the forwarding class. For details, see the forwarding-class match condition.

icmp-code message-code

(MX Series routers and EX Series switches only) Match the ICMP message code field.

If you configure this match condition, we recommend that you also configure the ip-protocol icmp or ip-protocol icmp6 match condition in the same term, so that the code field is only inspected in ICMP messages.

If you configure this match condition, you must also configure the icmp-type message-type match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code depends on the associated ICMP message type.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • parameter-problem: ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option (2)

  • time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)

  • destination-unreachable: address-unreachable (3), administratively-prohibited (1), no-route-to-destination (0), port-unreachable (4)

icmp-code-except message-code

(MX Series routers and EX Series switches only) Do not match on the ICMP message code field. For details, see the icmp-code match condition.

interface interface-name

Match the logical interface on which the packet was received.

Note: If you configure this match condition with an interface that does not exist, the term does not match any packet.

interface-group group-number

Match the logical interface on which the packet was received to the specified interface group or set of interface groups. For group-number, specify a single value or a range of values from 0 through 255.

To assign a logical interface to an interface group group-number, specify the group-number at the [edit interfaces interface-name unit number family family filter group] hierarchy level.

For more information, see Filtering Packets Received on a Set of Interface Groups Overview.

Note: This match condition is not supported on T4000 Type 5 FPCs.
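The following configuration is added here as an illustration of how the two hierarchy levels fit together and is not taken from the Junos OS documentation; the interface names, group number, filter name and policer parameters are assumed. Two customer-facing VPLS interfaces are placed in interface group 10, and a single filter then rate-limits flooded traffic only on members of that group, so the same filter can be applied on trusted interfaces without the term ever matching there.

```junos
interfaces {
    ge-0/0/1 {
        encapsulation ethernet-vpls;
        unit 0 {
            family vpls {
                filter {
                    /* membership in group 10 is what interface-group 10 tests */
                    group 10;
                    input cust-edge-in;
                }
            }
        }
    }
    ge-0/0/2 {
        encapsulation ethernet-vpls;
        unit 0 {
            family vpls {
                filter {
                    group 10;
                    input cust-edge-in;
                }
            }
        }
    }
}
firewall {
    policer flood-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family vpls {
        filter cust-edge-in {
            term police-flood-from-customer-ports {
                from {
                    interface-group 10;
                    traffic-type [ broadcast unknown-unicast ];
                }
                then {
                    policer flood-limit;
                    count customer-flood;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
```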

interface-group-except group-number

Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups. For details, see the interface-group match condition.

Note: This match condition is not supported on T4000 Type 5 FPCs.

interface-set interface-set-name

Match the interface on which the packet was received to the specified interface set.

To define an interface set, include the interface-set statement at the [edit firewall] hierarchy level. For more information, see Filtering Packets Received on an Interface Set Overview.

ip-address address

(MX Series routers and EX Series switches only) Match the IPv4 source or destination address. The address is a 32-bit value in standard IPv4 address syntax.

Note: When you use this match condition, you must also configure the ether-type ipv4 match condition in the same term.

ip-destination-address address

(MX Series routers and EX Series switches only) Match the 32-bit IPv4 address of the final destination node for the packet.

Note: When you use this match condition, you must also configure the ether-type ipv4 match condition in the same term.

ip-precedence ip-precedence-field

(MX Series routers and EX Series switches only) IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00).

ip-precedence-except ip-precedence-field

(MX Series routers and EX Series switches only) Do not match on the IP precedence field.

ip-protocol number

(MX Series routers and EX Series switches only) Match the IP protocol field.

ip-protocol-except number

(MX Series routers and EX Series switches only) Do not match on the IP protocol field.

ip-source-address address

(MX Series routers and EX Series switches only) Match the 32-bit IPv4 address of the source node sending the packet.

Note: When you use this match condition, you must also configure the ether-type ipv4 match condition in the same term.

ipv6-source-prefix-list named-list

(MX Series only) Match the IPv6 source address in a named-list.

ipv6-address address

(MX Series and EX9200 only) 128-bit address that supports the standard syntax for IPv6 addresses. Starting in Junos OS 14.2, firewall family bridge IPv6 match criteria is supported on MX Series and EX9200 switches.

ipv6-destination-address address

(MX Series and EX9200 only) Match the 128-bit IPv6 address of the final destination node for this packet.

Note: When you use this match condition, you must also configure the ether-type ipv6 match condition in the same term.

ipv6-destination-prefix-list named-list

(MX Series only) Match the IPv6 destination addresses in a named-list.

ipv6-next-header protocol

(MX Series only) Match IPv6 next header protocol type.

The following list shows the supported values for protocol:

  • ah—IP Security authentication header

  • dstopts—IPv6 destination options

  • egp—Exterior gateway protocol

  • esp—IPSec Encapsulating Security Payload

  • fragment—IPv6 fragment header

  • gre—Generic routing encapsulation

  • hop-by-hop—IPv6 hop by hop options

  • icmp—Internet Control Message Protocol

  • icmp6—Internet Control Message Protocol Version 6

  • igmp—Internet Group Management Protocol

  • ipip—IP in IP

  • ipv6—IPv6 in IP

  • no-next-header—IPv6 no next header

  • ospf—Open Shortest Path First

  • pim—Protocol Independent Multicast

  • routing—IPv6 routing header

  • rsvp—Resource Reservation Protocol

  • sctp—Stream Control Transmission Protocol

  • tcp—Transmission Control Protocol

  • udp—User Datagram Protocol

  • vrrp—Virtual Router Redundancy Protocol

ipv6-next-header-except protocol

(MX Series only) Do not match the IPv6 next header protocol type.

ipv6-payload-protocol protocol

(MX Series only) Match IPv6 payload protocol type.

The following list shows the supported values for protocol:

  • ah—IP Security authentication header

  • dstopts—IPv6 destination options

  • egp—Exterior gateway protocol

  • esp—IPSec Encapsulating Security Payload

  • fragment—IPv6 fragment header

  • gre—Generic routing encapsulation

  • hop-by-hop—IPv6 hop by hop options

  • icmp—Internet Control Message Protocol

  • icmp6—Internet Control Message Protocol Version 6

  • igmp—Internet Group Management Protocol

  • ipip—IP in IP

  • ipv6—IPv6 in IP

  • no-next-header—IPv6 no next header

  • ospf—Open Shortest Path First

  • pim—Protocol Independent Multicast

  • routing—IPv6 routing header

  • rsvp—Resource Reservation Protocol

  • sctp—Stream Control Transmission Protocol

  • tcp—Transmission Control Protocol

  • udp—User Datagram Protocol

  • vrrp—Virtual Router Redundancy Protocol

ipv6-payload-protocol-except protocol

(MX Series only) Do not match the IPv6 payload protocol.

ipv6-prefix-list named-list

(MX Series only) Match the IPv6 address in a named-list.

ipv6-source-address address

(MX Series only) 128-bit address that is the originating source node address for this packet.

ipv6-traffic-class number

(MX Series only) Match the Differentiated Services code point (DSCP) carried in the IPv6 Traffic Class field, which plays the same role as the type-of-service (ToS) byte in the IPv4 header. The most significant 6 bits of the field form the DSCP. For more information, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.

You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).

  • RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:

af11 (10), af12 (12), af13 (14),

af21 (18), af22 (20), af23 (22),

af31 (26), af32 (28), af33 (30),

af41 (34), af42 (36), af43 (38)

ipv6-traffic-class-except number

(MX Series only) Do not match on the DSCP value in the IPv6 Traffic Class field. For details, see the ipv6-traffic-class match condition.

learn-vlan-1p-priority number

(MX Series routers, M320 router, and EX Series switches only) Match on the IEEE 802.1p learned VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with 802.1Q VLAN tags or the outer tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7.

Compare with the user-vlan-1p-priority match condition.

Note: This match condition supports the presence of a control word for MX Series routers and the M320 router.

learn-vlan-1p-priority-except number

(MX Series routers, M320 router, and EX Series switches only) Do not match on the IEEE 802.1p learned VLAN priority bits. For details, see the learn-vlan-1p-priority match condition.

Note: This match condition supports the presence of a control word for MX Series routers and the M320 router.

learn-vlan-dei

(MX Series routers and EX Series switches only) Match the drop eligibility indicator (DEI) bit in the user VLAN tag.

learn-vlan-dei-except

(MX Series routers and EX Series switches only) Do not match on the drop eligibility indicator (DEI) bit in the user VLAN tag.

learn-vlan-id number

(MX Series routers and EX Series switches only) Match the VLAN identifier used for MAC learning.

learn-vlan-id-except number

(MX Series routers and EX Series switches only) Do not match on the VLAN identifier used for MAC learning.

loss-priority level

Packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers.

For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs) and EX Series switches, you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tri-color statement is not enabled, you can only configure the high and low levels. This applies to all protocol families.

For information about the tri-color statement and about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Forwarding Classes Assign Classes to Output Queues.

loss-priority-except level

Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.

port number

(MX Series routers and EX Series switches only) TCP or UDP source or destination port. You cannot specify both the port match condition and either the destination-port or source-port match condition in the same term.

port-except number

(MX Series routers and EX Series switches only) Do not match on the TCP or UDP source or destination port. You cannot specify both the port match condition and either the destination-port or source-port match condition in the same term.

prefix-list name

(MX Series routers and EX Series switches only) Match the destination or source prefixes in the specified list. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

Note: VPLS prefix lists support only IPv4 addresses. IPv6 addresses included in a VPLS prefix list will be discarded.

prefix-list name except

(MX Series routers and EX Series switches only) Do not match the destination or source prefixes in the specified list. For more information, see the prefix-list match condition.

source-mac-address address

Match the source MAC address of a VPLS packet.

source-port number

(MX Series routers and EX Series switches only) Match the TCP or UDP source port field. You cannot specify both the port and source-port match conditions in the same term.

source-port-except number

(MX Series routers and EX Series switches only) Do not match on the TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term.

source-prefix-list name

(ACX Series routers, MX Series routers, and EX Series switches only) Match the source prefixes in the specified prefix list. Specify a prefix list name defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

Note: VPLS prefix lists support only IPv4 addresses. IPv6 addresses included in a VPLS prefix list will be discarded.

source-prefix-list name except

(MX Series routers and EX Series switches only) Do not match the source prefixes in the specified prefix list. For more information, see the source-prefix-list match condition.

tcp-flags flags

Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.

To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:

  • fin (0x01)

  • syn (0x02)

  • rst (0x04)

  • push (0x08)

  • ack (0x10)

  • urgent (0x20)

In a TCP session, the SYN flag is set only in the connection-opening packets (the initial SYN and the SYN-ACK reply to it), while the ACK flag is set in every packet sent after the initial SYN. A term that matches syn alone therefore also matches SYN-ACK replies; to match only connection attempts, combine syn with a negated ack.

You can string together multiple flags using the bit-field logical operators (&, |, ! and parentheses); enclose the expression in quotation marks.

If you configure this match condition, we recommend that you also configure the ip-protocol tcp match condition (IPv4) or the ipv6-next-header tcp match condition (IPv6) in the same term, so that the flags field is only inspected in TCP segments.
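The following configuration is added here as an illustration of a tcp-flags match combined with the prefix-list and port conditions from this table; it is not taken from the Junos OS documentation, and the prefix, prefix-list name, filter name, counter name and policer parameters are assumed. The term rate-limits TCP connection attempts (SYN set, ACK clear) from the customer side toward a set of servers, leaving SYN-ACK replies and established traffic untouched.

```junos
policy-options {
    prefix-list cust-a-servers {
        192.0.2.0/24;
    }
}
firewall {
    policer syn-limit {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 15k;
        }
        then discard;
    }
    family vpls {
        filter cust-a-in {
            term rate-limit-syn {
                from {
                    /* qualify the flag match so it is only evaluated
                       against IPv4 TCP segments */
                    ether-type ipv4;
                    ip-protocol tcp;
                    destination-prefix-list cust-a-servers;
                    destination-port [ http https ];
                    /* syn alone would also match SYN-ACK replies;
                       "syn & !ack" selects connection attempts only */
                    tcp-flags "syn & !ack";
                }
                then {
                    policer syn-limit;
                    count syn-to-servers;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
```

Because the flag expression contains operators, it must be quoted; without quotes the CLI parses the & as a separator and rejects the statement.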

traffic-type type-name

(MX Series routers and EX Series switches only) Traffic type. Specify broadcast, multicast, unknown-unicast, or known-unicast.

traffic-type-except type-name

(MX Series routers and EX Series switches only) Do not match on the traffic type. Specify broadcast, multicast, unknown-unicast, or known-unicast.

user-vlan-1p-priority number

(MX Series routers, M320 router, and EX Series switches only) Match on the IEEE 802.1p user priority bits in the customer VLAN tag (the inner tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7.

Compare with the learn-vlan-1p-priority match condition.

Note: This match condition supports the presence of a control word for MX Series routers and the M320 router.

user-vlan-1p-priority-except number

(MX Series routers, M320 router, and EX Series switches only) Do not match on the IEEE 802.1p user priority bits. For details, see the user-vlan-1p-priority match condition.

Note: This match condition supports the presence of a control word for MX Series routers and the M320 router.

user-vlan-id number

(MX Series routers and EX Series switches only) Match the first VLAN identifier that is part of the payload.

user-vlan-id-except number

(MX Series routers and EX Series switches only) Do not match on the first VLAN identifier that is part of the payload.

vlan-ether-type value

VLAN Ethernet type field of a VPLS packet.

vlan-ether-type-except value

Do not match on the VLAN Ethernet type field of a VPLS packet.

Release History Table

  • 14.2: Starting in Junos OS 14.2, flexible offset filters are supported in firewall hierarchy configurations.

  • 14.2: Starting in Junos OS 14.2, firewall family bridge IPv6 match criteria is supported on MX Series and EX9200 switches.