Configuring MPLS Match Conditions
Table 1, Table 2, and Table 3 describe the firewall filter match conditions supported for MPLS traffic.
To configure firewall filter match conditions for MPLS traffic, include the match-conditions statement at one of the hierarchy levels described below.
- At the [edit firewall family mpls filter filter-name term term-name from] hierarchy level:
Table 1: MPLS Firewall Filter Match Conditions (Hierarchy Level 1)
| Match Condition | Description |
| --- | --- |
| exp number | Experimental (EXP) bit number or range of bit numbers in the MPLS header. For number, you can specify one or more values from 0 through 7 in decimal, binary, or hexadecimal format. |
| exp-except number | Do not match on the EXP bit number or range of bit numbers in the MPLS header. For number, you can specify one or more values from 0 through 7. |
| forwarding-class class | Forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control. |
| forwarding-class-except class | Do not match on the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control. |
| interface interface-name | Interface on which the packet was received. You can configure a match condition that matches packets based on the interface on which they were received. |
| interface-set interface-set-name | (MX Series routers and routers with Enhanced IQ2 [IQ2E] PICs only) Interface set on which the packet was received. An interface set is a set of logical interfaces used to configure hierarchical class-of-service schedulers. For information about configuring an interface set, see the Junos Class of Service Configuration Guide and the Junos Network Interfaces Configuration Guide. |
| ip-version number | (MPLS-tagged IPv4 packets only) Inner IP version. |
- (MPLS-tagged IPv4 packets only) At the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4] hierarchy level:
Table 2: MPLS Firewall Filter Match Conditions (Hierarchy Level 2)
| Match Condition | Description |
| --- | --- |
| destination-address address | Destination prefix. |
| protocol number | IP protocol field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), tcp (6), or udp (17). |
| source-address address | Address of the source node sending the packet in IPv4 address format; 32 bits in length. |
- (MPLS-tagged IPv4 packets only) At the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4 protocol protocol-name] hierarchy level:
Table 3: MPLS Firewall Filter Match Conditions (Hierarchy Level 3)
| Match Condition | Description |
| --- | --- |
| destination-port number | TCP or User Datagram Protocol (UDP) destination port field. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177). |
| destination-port-except number | Do not match on the TCP or UDP destination port field. |
| source-port number | TCP or UDP source port field. In place of the numeric field, you can specify one of the text synonyms listed under destination-port. |
| source-port-except number | Do not match on the TCP or UDP source port field. |
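The three hierarchy levels nest inside a single term's from clause, so one term can combine an MPLS header condition with inner IPv4 address and port conditions. The configuration-mode commands below are an added illustration, not part of the original page. The filter, term, and counter names and the 192.0.2.0/24 and 198.51.100.0/24 prefixes are constructed, and the then actions are assumed from general Junos firewall filter syntax, since this page documents match conditions only.

```junos
# Added example: names and prefixes are constructed placeholders.
edit firewall family mpls filter inner-v4-example

# Level 1 ([... term term-name from]): condition on the MPLS header.
set term drop-telnet from exp 0

# Level 2 ([... from ip-version ipv4]): conditions on the inner IPv4 header.
set term drop-telnet from ip-version ipv4 source-address 192.0.2.0/24
set term drop-telnet from ip-version ipv4 destination-address 198.51.100.0/24

# Level 3 ([... from ip-version ipv4 protocol tcp]): port conditions sit
# under the protocol they apply to. "telnet" is the synonym for port 23.
set term drop-telnet from ip-version ipv4 protocol tcp destination-port telnet

# Actions (assumed, not covered on this page): count matches, then drop them.
set term drop-telnet then count inner-telnet
set term drop-telnet then discard

# Junos filters end with an implicit discard, so accept everything that
# the first term did not match; otherwise all other MPLS traffic is dropped.
set term default then accept

top
```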
