
    Configuring Firewall Filters and Policers for VPLS in ACX Series

    You can configure both firewall filters and policers for VPLS. Firewall filters allow you to filter packets based on their components and to perform an action on packets that match the filter. Policers allow you to limit the amount of traffic that passes into or out of an interface.

    VPLS filters and policers act on a Layer 2 frame that includes the media access control (MAC) header (after any VLAN rewrite or other rules are applied), but does not include the cyclic redundancy check (CRC) field.

    You can apply VPLS filters and policers on the PE router to customer-facing interfaces only.

    The following sections explain how to configure filters and policers for VPLS:

    Configuring a VPLS Filter

    To configure a filter for VPLS, include the filter statement at the [edit firewall family vpls] hierarchy level:

    [edit firewall family vpls]
    filter filter-name {
        interface-specific;
        term term-name {
            from {
                match-conditions;
            }
            then {
                actions;
            }
        }
    }

    For more information about how to configure firewall filters, see the Routing Policies, Firewall Filters, and Traffic Policers Feature Guide. For information on how to configure a VPLS filter match condition, see Firewall Filter Match Conditions for VPLS Traffic.

    To configure a filter for VPLS traffic, complete the following tasks:

    Configuring an Interface-Specific Counter for VPLS

    When you configure a firewall filter for VPLS and apply it to multiple interfaces, you can specify individual counters specific to each interface. This allows you to collect separate statistics on the traffic transiting each interface.

    To generate an interface-specific counter for VPLS, configure the interface-specific statement. A separate instance of the filter is generated for each interface to which the filter is applied. Each filter instance has a different name (based on the interface name) and collects statistics only for the interface specified.

    To configure interface-specific counters, include the interface-specific statement at the [edit firewall family vpls filter filter-name] hierarchy level:

    [edit firewall family vpls filter filter-name]
    interface-specific;

    Note: The counter name is restricted to 24 bytes. If the renamed counter exceeds this maximum length, it might be rejected.

    For more information about the interface-specific statement and an example of how to configure it, see the Routing Policies, Firewall Filters, and Traffic Policers Feature Guide.

    Configuring an Action for the VPLS Filter

    You can configure the following actions for a VPLS filter at the [edit firewall family vpls filter filter-name term term-name then] hierarchy level: accept, count, discard, forwarding-class, loss-priority, policer.

    Applying a VPLS Filter to an Interface

    To apply a VPLS filter to an interface, include the filter statement:

    filter {
        input input-filter-name;
        output output-filter-name;
    }

    You can include this statement at the following hierarchy levels:

    • [edit interfaces interface-name unit number family vpls]
    • [edit logical-systems logical-system-name interfaces interface-name unit number family vpls]

    Note: ACX Series routers do not support the [edit logical-systems] hierarchy.

    In the input statement, list the name of the VPLS filter to be evaluated when packets are received on the interface. In the output statement, list the name of the VPLS filter to be evaluated when packets are transmitted on the interface.

    For the statement summaries for these statements, see the Junos OS Network Interfaces Library for Routing Devices.

    Configuring a VPLS Policer

    You can configure a policer for VPLS traffic. The VPLS policer configuration is similar to the configuration of any other type of policer.

    When specifying policing bandwidth, the VPLS policer considers all Layer 2 bytes in a packet to determine the packet length.

    To configure a VPLS policer, include the policer statement at the [edit firewall] hierarchy level:

    [edit firewall]
    policer policer-name {
        bandwidth-limit limit;
        burst-size-limit limit;
        then action;
    }

    For the statement summaries of these statements and more information about how to configure policers, see the Routing Policies, Firewall Filters, and Traffic Policers Feature Guide.

    To apply a VPLS policer to an interface, include the policer statement:

    policer {
        input input-policer-name;
        output output-policer-name;
    }

    You can include this statement at the following hierarchy levels:

    • [edit interfaces interface-name unit number family vpls]
    • [edit logical-systems logical-system-name interfaces interface-name unit number family vpls]

    Note: ACX Series routers do not support the [edit logical-systems] hierarchy.

    In the input statement, list the name of the VPLS policer to be evaluated when packets are received on the interface. In the output statement, list the name of the VPLS policer to be evaluated when packets are transmitted on the interface.

    For the statement summaries for these statements, see the Junos OS Network Interfaces Library for Routing Devices.
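
The statements above combined into one configuration, as an added example that is not taken from the Juniper guide: a policer that rate-limits broadcast frames, referenced from an interface-specific VPLS filter that is applied as an input filter on two customer-facing interfaces. The policer, filter, term, counter and interface names, the rates, and the destination-mac-address match are assumptions; the rate limits are written under if-exceeding, the standard Junos policer form, and the VPLS encapsulation and routing-instance configuration are omitted.

```junos
/* Constructed example: all names, rates and the match condition are assumptions */
firewall {
    policer bcast-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 64k;
        }
        then discard;
    }
    family vpls {
        filter ce-in {
            /* per-interface filter instance and counters; counter name kept short (24-byte limit) */
            interface-specific;
            term bcast {
                from {
                    destination-mac-address ff:ff:ff:ff:ff:ff/48;
                }
                then {
                    policer bcast-1m;
                    count bcast;
                    accept;
                }
            }
            term rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family vpls {
                filter {
                    input ce-in;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family vpls {
                filter {
                    input ce-in;
                }
            }
        }
    }
}
```

The final term matters: a Junos firewall filter ends with an implicit discard, so without an explicit accept term every frame that is not broadcast would be dropped on these interfaces. Confirm that the match condition is supported on your platform in Firewall Filter Match Conditions for VPLS Traffic before committing.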

    Modified: 2016-11-08