Firewall Filter Match Conditions for Layer 2 CCC Traffic

Specify which groups to inherit configuration data from. You can specify more than one group name. You must list them in order of inheritance priority. The configuration data in the first group takes priority over the data in subsequent groups.

Specify which groups not to inherit configuration data from. You can specify more than one group name.

(MX Series routers and EX Series switches only) Match the destination media access control (MAC) address of a virtual private LAN service (VPLS) packet.

To have packets correctly evaluated by this match condition when applied to egress traffic flowing over a CCC circuit from a logical interface on an I-chip DPC in a Layer 2 virtual private network (VPN) routing instance, you must make a configuration change to the Layer 2 VPN routing instance. You must explicitly disable the use of a control word for traffic flowing out over a Layer 2 circuit. The use of a control word is enabled by default for Layer 2 VPN routing instances to support the emulated virtual circuit (VC) encapsulation for Layer 2 circuits.

To explicitly disable the use of a control word for Layer 2 VPNs, include the no-control-word statement at either of the following hierarchy levels:

• [edit routing-instances routing-instance-name protocols l2vpn]

• [edit logical-systems logical-system-name routing-instances routing-instance-name protocols l2vpn]

For more information, see Disabling the Control Word for Layer 2 VPNs.

Length of the data to be matched in bits, not needed for string input (0..128)

Bit offset after the (match-start + byte) offset (0..7)

Byte offset after the match start point

Select a flexible match from predefined template field

Mask out bits in the packet data to be matched

Start point to match in packet

Value data/string to be matched

Length of the data to be matched in bits (0..32)

Bit offset after the (match-start + byte) offset (0..7)

Byte offset after the match start point

Select a flexible match from predefined template field

Start point to match in packet

Range of values to be matched

Do not match this range of values

Forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

Do not match on the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

Match the logical interface on which the packet was received to the specified interface group or set of interface groups. For group-number, specify a single value or a range of values from 0 through 255.

To assign a logical interface to an interface group group-number, specify the group-number at the [interfaces interface-name unit number family family filter group] hierarchy level.

For more information, see Filtering Packets Received on a Set of Interface Groups Overview.

Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups. For details, see the interface-group match condition.

(MX Series routers, M320 router, and EX Series switches only) Match on the IEEE 802.1p learned VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with 802.1Q VLAN tags or the outer tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7.

Compare with the user-vlan-1p-priority match condition.

(MX Series routers, M320 router, and EX Series switches only) Do not match on the IEEE 802.1p learned VLAN priority bits. For details, see the learn-vlan-1p-priority match condition.

Packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers and EX Series switches.

For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs), and EX Series switches, you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tri-color statement is not enabled, you can only configure the high and low levels. This applies to all protocol families.

For information about the tri-color statement, see Configuring and Applying Tricolor Marking Policers. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Forwarding Classes Assign Classes to Output Queues.

Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.

(MX Series routers, M320 router, and EX Series switches only) Match on the IEEE 802.1p user priority bits in the customer VLAN tag (the inner tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7.

Compare with the learn-vlan-1p-priority match condition.

(MX Series routers, M320 router, and EX Series switches only) Do not match on the IEEE 802.1p user priority bits. For details, see the user-vlan-1p-priority match condition.