Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Understanding IP-Based Filtering and Selective Port Mirroring of MPLS Traffic

In an MPLS packet, the IP header comes immediately after the MPLS header. The IP-based filtering feature provides a deep inspection mechanism, where a maximum of upto eight MPLS labels of the inner payload can be inspected to enable filtering of MPLS traffic based on IP parameters. The filtered MPLS traffic can also be port mirrored to a monitoring device to offer network-based services in the core MPLS network.

IP-Based Filtering of MPLS Traffic

Prior to Junos OS Release 18.4R1, filtering based on IP parameters was not supported for MPLS family filter. With the introduction of the IP-based filtering feature, you can apply inbound and outbound filters for MPLS-tagged IPv4 and IPv6 packets based on IP parameters, such as source and destination addresses, Layer 4 protocol type, and source and destination ports.

The IP-based filtering feature enables you to filter MPLS packets at the ingress of an interface, where the filtering is done using match conditions on the inner payload of the MPLS packet. The selective MPLS traffic can then be port mirrored to a remote monitoring device using logical tunnels.

To support IP-based filtering, additional match conditions are added that allow MPLS packets to be deep inspected to parse the inner payload with Layer 3 and Layer 4 headers before the appropriate filters are applied.

Note:

The IP-based filtering feature is supported only for MPLS-tagged IPv4 and IPv6 packets. In other words, the MPLS filters match IP parameters only when the IP payload comes immediately after the MPLS labels.

In other scenarios, where the MPLS payload includes pseudowires, protocols other than inet and inet6, or other encapsulations like Layer 2 VPN or VPLS, the IP-based filtering feature is not supported.

The following match conditions are added for the IP-based filtering of MPLS traffic:

  • IPv4 source address

  • IPv4 destination address

  • IPv6 source address

  • IPv6 destination address

  • Protocol

  • Source port

  • Destination port

  • Source IPv4 prefix list

  • Destination IPv4 prefix list

  • Source IPv6 prefix list

  • Destination IPv6 prefix list

Note:

The following match combinations are supported for the IP-based filtering of MPLS traffic:

  • Source and destination address match conditions with IPv4 and IPv6 prefix lists.

  • Source and destination port address and protocol types match conditions with IPv4 and IPv6 prefix lists.

Selective Port Mirroring of MPLS Traffic

Port mirroring is the capability of mirroring a packet to a configured destination, in addition to the normal processing and forwarding of the packets. Port mirroring is applied as an action for a firewall filter, which is applied at the ingress or egress of any interface. Similarly, the selective port mirroring feature provides the capability to mirror MPLS traffic, which is filtered based on IP parameters, to a mirrored destination using logical tunnels.

To enable selective port mirroring, additional actions are configured at the [edit firewall family mpls filter filter-nameterm term-name then] hierarchy level, in addition to the existing counter, accept, and discard actions:

  • port-mirror

  • port-mirror-instance

Port Mirroring

The port-mirror action enables port mirroring globally on the device, which applies to all Packet Forwarding Engines (PFEs) and associated interfaces.

For MPLS family filter, the port-mirror action is enabled for global port mirroring.

Port Mirroring Instance

The port-mirror-instance action enables you to customize each instance with different properties for input sampling and port mirroring output destinations, instead of having to use a single system-wide configuration for port mirroring.

You can configure only two port mirroring instances per Flexible PIC Concentrator (FPC) by including the instance port-mirror-instance-name statement at the [edit forwarding-options port-mirror] hierarchy level. You can then associate individual port mirroring instances with an FPC, PIC, or (Forwarding Engine Board (FEB) depending on the device hardware.

For MPLS family filter, the port-mirror-instance action is enabled only for the port-mirroring instance.

Note:

For both port-mirror and port-mirror-instance actions, the output interface must be enabled with Layer 2 family and not family MPLS (Layer 3) for the selective port mirroring feature to work.

Sample Configurations

IP-Based Filtering Configuration

Selective Port Mirroring Configuration

Note:

The output interface xe-2/0/2.0 is configured for Layer 2 family and not family MPLS.

For both port-mirror and port-mirror-instance actions, the output interface must be enabled with Layer 2 family and not family MPLS (Layer 3) for the selective port mirroring feature to work.

Mirrored Destination Configuration