Configuring VPLS Match Conditions

In the from statement in the VPLS filter term, you specify conditions that the packet must match for the action in the then statement to be taken. All conditions in the from statement must match for the action to be taken. The order in which you specify match conditions is not important, because a packet must match all the conditions in a term for a match to occur.

If you specify no match conditions in a term, that term matches all packets.

An individual condition in a from statement can contain a list of values. For example, you can specify numeric ranges or multiple source or destination addresses. When a condition defines a list of values, a match occurs if one of the values in the list matches the packet.

Individual conditions in a from statement can be negated. When you negate a condition, you are defining an explicit mismatch. For example, the negated match condition for forwarding-class is forwarding-class-except. If a packet matches a negated condition, it is immediately considered not to match the from statement, and the next term in the filter is evaluated, if there is one; if there are no more terms, the packet is discarded.

Not all match conditions for VPLS traffic are supported on all routing platforms. A number of match conditions for VPLS traffic are supported only on MX Series Ethernet Services Routers, as noted in the Table 11.

To specify the match conditions for a VPLS filter term, include the match-conditions statement at the [edit firewall family vpls filter filter-name term term-name from] hierarchy level.

Table 11 describes the firewall filter match conditions supported for VPLS.

For more information about how to configure Layer 2 services on the MX Series routers, see the Junos Network Interfaces Configuration Guide, the Junos Layer 2 Configuration Guide, and the Junos MX Series Ethernet Services Routers Solutions Guide.

Table 11: VPLS Firewall Filter Match Conditions

Match Condition	Description
destination mac-address address	Destination media access control (MAC) address of a VPLS packet.
destination-port number	(MX Series routers only) TCP or UDP destination port field. You cannot specify both the port and destination-port match conditions in the same term.
destination-port-except number	(MX Series routers only) Do not match on the TCP or UDP destination port field. You cannot specify both the port and destination-port match conditions in the same term.
destination-prefix-list name	(MX Series routers only) Destination prefixes in the specified list name. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. Note: VPLS prefix lists support only IPV4 addresses. IPV6 addresses included in a VPLS prefix list will be discarded.
dscp number	(MX Series routers only) Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see the Junos Class of Service Configuration Guide. You can specify DSCP in either hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46). RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points: af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38)
dscp-except number	(MX Series routers only) Do not match on the DSCP.
ether-type number	Ethernet type field of a VPLS packet.
ether-type-except number	Do not match on the Ethernet type field of a VPLS packet.
forwarding-class class	Forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.
forwarding-class-except class	Do not match on the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.
icmp-code number	(MX Series routers only) ICMP code field. This value or keyword provides more specific information than icmp-type. Because the value’s meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. For more information, see Overview of Protocol Match Conditions. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated: parameter-problem: ip-header-bad (0), required-option-missing (1) redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2) time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0) unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)
icmp-code-except number	(MX Series routers only) Do not match on the ICMP code field.
icmp-type number	(MX Series routers only) ICMP packet type field. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see Overview of Protocol Match Conditions. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).
icmp-type-except number	(MX Series routers only) Do not match on the ICMP packet type field.
interface-group group-name	Interface group on which the packet was received. An interface group is a set of one or more logical interfaces. For information about configuring interface groups, see Applying Firewall Filters to Interfaces.
interface-group-except group-name	Do not match on the interface group.
interface-set interface-set-name	(MX Series routers and routers with Enhanced IQ2 [IQ2E] PICs only) Interface set on which the packet was received. An interface set is a set of logical interfaces used to configure hierarchical class-of- service schedulers. For information about configuring an interface set, see the Junos Class of Service Configuration Guide and the Junos Network Interfaces Configuration Guide.
ip-address address	(MX Series routers only) 32-bit address that supports the standard syntax for IPv4 addresses.
ip-destination-address address	(MX Series routers only) 32-bit address that is the final destination node address for the packet.
ip-precedence ip-precedence-field	(MX Series routers only) IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00).
ip-precedence-except ip-precedence-field	(MX Series routers only) Do not match on the IP precedence field.
ip-protocol number	(MX Series routers only) IP protocol field.
ip-protocol-except number	(MX Series routers only) Do not match on the IP protocol field.
ip-source-address address	(MX Series routers only) IP address of the source node sending the packet.
learn-vlan-1p-priority number	(MX Series routers only) IEEE 802.1p learned VLAN priority field. Specify a single value or multiple values from 0 through 7.
learn-vlan-1p-priority-except number	(MX Series routers only) Do not match on the IEEE 802.1p learned VLAN priority field. Specify a single value or multiple values from 0 through 7.
learn-vlan-id number	(MX Series routers only) VLAN identifier used for MAC learning.
learn-vlan-id-except number	(MX Series routers only) Do not match on the VLAN identifier used for MAC learning.
loss-priority level	Packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high, or high. Supported on MX Series routers; M120 and M320 routers; and M7i and M10i routers with the Enhanced CFEB (CFEB-E). On M320 routers, you must enable the tricolor statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tricolor statement is not referenced, you can only configure the high and low levels. This applies to all protocol families. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the Junos Class of Service Configuration Guide.
loss-priority-except level	Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low, medium-high, or high. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the Junos Class of Service Configuration Guide.
port number	(MX Series routers only) TCP or UDP source or destination port. You cannot specify both the port match condition and either the destination-port or source-port match condition in the same term.
port-except number	(MX Series routers only) Do not match on the TCP or UDP source or destination port. You cannot specify both the port match condition and either the destination-port or source-port match condition in the same term.
prefix-list name	(MX Series routers only) Destination or source prefixes in the specified list name. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. Note: VPLS prefix lists support only IPV4 addresses. IPV6 addresses included in a VPLS prefix list will be discarded.
source-mac-address address	Source MAC address of a VPLS packet.
source-port number	(MX Series routers only) TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term.
source-port-except number	(MX Series routers only) Do not match on the TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term.
source-prefix-list name	(MX Series routers only) Source prefixes in the specified prefix list. Specify a prefix list name defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. Note: VPLS prefix lists support only IPV4 addresses. IPV6 addresses included in a VPLS prefix list will be discarded.
tcp-flags flags	(MX Series routers only) One or more of the following TCP flags: Bit-name: fin, syn, rst, push, ack, urgent Numerical value: 0x01 through 0x20 Text synonym: tcp-established, tcp-initial You can string together multiple flags using logical operators. Configuring the tcp-flags match condition requires that you configure the next-header-tcp match condition.
traffic-type type-name	(MX Series routers only) Traffic type. Specify broadcast, multicast, unknown-unicast, or known-unicast.
traffic-type-except type-name	(MX Series routers only) Do not match on the traffic type. Specify broadcast, multicast, unknown-unicast, or known-unicast.
user-vlan-1p-priority number	IEEE 802.1p user priority field. Specify a single value or multiple values from 0 through 7.
user-vlan-1p-priority-except number	Do not match on the IEEE 802.1p user priority field. Specify a single value or multiple values from 0 through 7.
user-vlan-id number	(MX Series routers only) First VLAN identifier that is part of the payload.
user-vlan-id-except number	(MX Series routers only) Do not match on the first VLAN identifier that is part of the payload.
vlan-ether-type value	VLAN Ethernet type field of a VPLS packet.
vlan-ether-type-except value	Do not match on the VLAN Ethernet type field of a VPLS packet.

Configuring VPLS Match Conditions

Related Topics