[Contents] [Prev] [Next] [Index] [Report an Error]

Option: Applying VPLS Policers and Filters

You can configure filters, policers, and broadcast/unknown filters to determine which kind of traffic is allowed into and out of a VPLS domain. You can apply these filters and policers to CE-facing interfaces only.

Note: Keep the following rules in mind when configuring filters on an MX-series router:

If an IRB interface is configured as part of a VPLS routing instance, VPLS filters might not filter packets that are destined to the IRB interface. This can be configured by installing filters that match Layer 3 fields for the the IRB interface.
If you apply a firewall filter to discard a source MAC address, the MAC address is not deleted from the MAC address table.

VPLS Policers

To process traffic as it enters a VPLS domain, you can define a firewall policer and apply it to the input interface. To define policer characteristics for incoming VPLS traffic, include the bandwidth-limit and burst-size-limit statements at the [edit firewall policer policer-name if-exceeding] hierarchy level. Then, specify statements to implement the desired action (for example, discard) for the policed traffic at the [edit firewall policer policer-name then] hierarchy level. To apply the policer to a CE-facing interface, include the input or output statements and the name of the policer at the [edit interfaces interface-name unit unit-number family vpls policer] hierarchy level.



[edit]
interfaces {


ge-2/1/0 {
vlan-tagging;
mtu 1544;
encapsulation vlan-vpls;


unit 0 {
encapsulation vlan-vpls;
vlan-id 600;


family vpls {


policer {
input vpls-policer;
}


}


}


}


}
firewall {


policer {


vpls-policer {


if-exceeding {
bandwidth-limit 5m;
burst-size-limit 1m;
}


then discard;
}


}


}

VPLS Filters

To process traffic as it exits a VPLS domain, you can define a firewall filter and apply it to the output interface. To configure match conditions for a firewall filter, include the interface-group, source-mac-address, destination-mac-address, ethernet-type, or vlan-ethernet-type statements at the [edit firewall family vpls filter filter-name term term-name from] hierarchy level. Then, implement the desired action (for example, discard) for the traffic at the [edit firewall family vpls filter filter-name term term-name then] hierarchy level. To apply the filter to a CE-facing interface, include the input, output, or group statements at the [edit interfaces interface-name unit unit-number family vpls filter] hierarchy level.



[edit]
interfaces {


fe-2/1/1 {
vlan-tagging;
mtu 1544;
encapsulation vlan-vpls;


unit 0 {
encapsulation vlan-vpls;
vlan-id 600;


family vpls {


filter {
output vpls-out-filter;
}


}


}


}


}
firewall {


family vpls {


filter vpls-out-filter {
interface-specific;


term 1 {


from {


source-mac-address {
00.10.10.10.11.18/48;
}


}




then {
count count.ce2;
accept;
}


}




term 2 {
then accept;
}


}


}


}

Note: Output filters do not work for broadcast, multicast, and unknown unicast traffic.

VPLS Broadcast and Unknown Filters

To restrict the flow of broadcast and unknown unicast packets into a VPLS domain, you must create a firewall filter and apply the filter to one of the forwarding tables of the VPLS routing instance. When you apply a filter in this way, the filter processes traffic from all interfaces in the instance, including vt interfaces. To configure match conditions for a VPLS-based firewall filter, include the source-mac-address, destination-mac-address, interface-group, ethernet-type, or vlan-ethernet-type statements at the [edit firewall family vpls filter filter-name term term-name from] hierarchy level. Then, specify statements to activate the desired action (for example, discard) for the matched packets at the [edit firewall family vpls filter filter-name term term-name then] hierarchy level.

To apply the filter to the broadcast and unknown unicast table of a VPLS routing instance, include the input statement and the name of the filter at the [edit routing-instances instance-name forwarding-options family vpls flood] hierarchy level. To apply the filter to the destination MAC address table of a VPLS routing instance, include the input statement and the name of the filter at the [edit routing-instances instance-name forwarding-options family vpls filter] hierarchy level.



[edit]
firewall {


family vpls {


filter vpls-flood {


term 1 {


from {


destination-mac-address (broadcast | multicast | unknown-unicast)
{ 
# The broadcast, multicast, 
# and unknown-unicast options apply to MX-series 
# routers only.
00.90.69.dc.95.3b/48;
}


}


then discard;
}




term 2 {
then accept;
}


}


}


}
routing-instances {


green {


forwarding-options {


family vpls {


(flood | filter) {
input vpls-flood;
}


}


}


}


}

When you configure VPLS, a priority filter for Spanning Tree Protocol (STP) bridge protocol data units (BPDUs) is enabled by default. This BPDU filter matches on the well-known STP MAC address of 01:80:c2:00:00:00/24 and applies high priority to this traffic.

For more information on VPLS policers and filters, see the JUNOS Policy Framework Configuration Guide and the JUNOS VPNs Configuration Guide.

[Contents] [Prev] [Next] [Index] [Report an Error]