Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic

Matching on IPv4 or IPv6 Packet Header Address or Port Fields in MPLS Flows

To support network-based services in a core network, you can configure a firewall filter that matches Internet Protocol version 4 (IPv4) or version 6 (IPv6) packet header fields in MPLS traffic (family mpls). The filter can match an IPv4 or IPv6 packet carried as the inner payload of an MPLS packet that has a single MPLS label or a stack of up to five MPLS labels. You can configure match conditions based on IPv4 addresses and port numbers, or on IPv6 addresses and port numbers, in the inner headers.

Firewall filters based on MPLS-tagged IPv4 headers are supported only for interfaces on Enhanced Scaling flexible PIC concentrators (FPCs) on T320, T640, T1600, TX Matrix, and TX Matrix Plus routers and switches. Firewall filters based on MPLS-tagged IPv6 headers are supported only for interfaces on the Type 5 FPC on T4000 Core Routers. The feature is not supported for the router or switch loopback interface (lo0), the router or switch management interface (fxp0 or em0), or USB modem interfaces (umd).

To configure a firewall filter term that matches address fields in the IPv4 header or port fields in the Layer 4 header of packets in an MPLS flow, use the ip-version ipv4 match condition to specify that the term matches on the inner IP fields:

  • To match an MPLS-tagged IPv4 packet on the source or destination address field in the IPv4 header, specify the match condition at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4] hierarchy level.

  • To match an MPLS-tagged IPv4 packet on the source or destination port field in the Layer 4 header, specify the match condition at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4 protocol (udp | tcp)] hierarchy level.

To configure a firewall filter term that matches address fields in the IPv6 header or port fields in the Layer 4 header of packets in an MPLS flow, use the ip-version ipv6 match condition to specify that the term matches on the inner IP fields:

  • To match an MPLS-tagged IPv6 packet on the source or destination address field in the IPv6 header, specify the match condition at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv6] hierarchy level.

  • To match an MPLS-tagged IPv6 packet on the source or destination port field in the Layer 4 header, specify the match condition at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv6 protocol (udp | tcp)] hierarchy level.
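The following configuration is an added example, not part of the Juniper documentation, that assembles the two hierarchy levels described above into one family mpls filter: a term that counts and discards inner IPv4 TCP traffic toward a management prefix on the telnet port, the equivalent term for inner IPv6 traffic, and a final term that accepts the rest of the MPLS flow. The filter, term and counter names, the 192.0.2.0/24 and 2001:db8:0:ff::/64 prefixes, and the then actions (count, discard, accept) are assumptions, not taken from this page.

```junos
firewall {
    family mpls {
        filter MPLS-INNER-IP-GUARD {
            /* Constructed example. Inner IPv4 payload: match the destination
               address at [from ip-version ipv4] and the TCP destination port
               at [from ip-version ipv4 protocol tcp]. */
            term v4-telnet-to-mgmt {
                from {
                    ip-version {
                        ipv4 {
                            destination-address {
                                192.0.2.0/24;
                            }
                            protocol {
                                tcp {
                                    destination-port telnet;
                                }
                            }
                        }
                    }
                }
                then {
                    count mpls-v4-telnet-to-mgmt;
                    discard;
                }
            }
            /* Same policy for an inner IPv6 payload, using the numeric port
               (23) instead of the telnet synonym. */
            term v6-telnet-to-mgmt {
                from {
                    ip-version {
                        ipv6 {
                            destination-address {
                                2001:db8:0:ff::/64;
                            }
                            protocol {
                                tcp {
                                    destination-port 23;
                                }
                            }
                        }
                    }
                }
                then {
                    count mpls-v6-telnet-to-mgmt;
                    discard;
                }
            }
            /* Every other packet in the MPLS flow is forwarded unchanged. */
            term allow-rest {
                then accept;
            }
        }
    }
}
```

The filter takes effect only once applied as an input filter under family mpls on the relevant interface unit (for example, set interfaces INTERFACE-NAME unit 0 family mpls filter input MPLS-INNER-IP-GUARD, with INTERFACE-NAME a placeholder); the counters then let you verify from show firewall output that the terms match the traffic you expect before relying on the discard.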

IP Address Match Conditions for MPLS Traffic

Table 1 describes the IP address-specific match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ip-version] hierarchy level.

Table 1: IP Address-Specific Firewall Filter Match Conditions for MPLS Traffic

Match Condition
    Description

destination-address address
    Match the address of the destination node to receive the packet.

destination-address address except
    Do not match the address of the destination node to receive the packet.

ip-destination-address address
    Match the IPv4 destination address. (Applicable for PTX EVO platforms.)

ipv6-destination-address address
    Match the IPv6 destination address. (Applicable for PTX EVO platforms.)

ipv6-destination-prefix-list prefix-list-name
    Match IPv6 destination prefixes in the named list. (Applicable for PTX EVO platforms.)

protocol number
    Match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

ip-source-address address
    Match the IPv4 source address. (Applicable for PTX EVO platforms.)

ipv6-source-address address
    Match the IPv6 source address. (Applicable for PTX EVO platforms.)

ipv6-source-prefix-list prefix-list-name
    Match IPv6 source prefixes in the named list. (Applicable for PTX EVO platforms.)

ipv6-address address
    Match the IPv6 source address. (Applicable for PTX EVO platforms.)

ipv6-prefix-list prefix-list-name
    Match IP source or destination prefixes in the named list. (Applicable for PTX EVO platforms.)

source-address address
    Match the address of the source node sending the packet.

source-address address except
    Do not match the address of the source node sending the packet.

IP Port Match Conditions for MPLS Traffic

Table 2 describes the IP port-specific match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ip-version protocol (udp | tcp)] hierarchy level.

Table 2: IP Port-Specific Firewall Filter Match Conditions for MPLS Traffic

Match Condition
    Description

destination-port number
    Match on the UDP or TCP destination port field.
    In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

destination-port-except number
    Do not match on the UDP or TCP destination port field.
    In place of the numeric value, you can specify one of the text synonyms listed with the destination-port match condition.

source-port number
    Match on the TCP or UDP source port field.
    In place of the numeric value, you can specify one of the text synonyms listed with the destination-port match condition.

source-port-except number
    Do not match on the TCP or UDP source port field.