Firewall Filter Match Conditions for Layer 2 CCC Traffic
You can configure a firewall filter with match conditions for Layer 2 circuit cross-connect (CCC) traffic (family ccc).
The following restrictions apply to firewall filters for Layer 2 CCC traffic:
- The input-list filter-names and output-list filter-names statements for firewall filters for the ccc protocol family are supported on all interfaces with the exception of management interfaces and internal Ethernet interfaces (fxp or em0), loopback interfaces (lo0), and USB modem interfaces (umd).
- Only on MX Series routers and EX Series switches, you cannot apply a Layer 2 CCC stateless firewall filter (a firewall filter configured at the [edit firewall filter family ccc] hierarchy level) as an output filter. On MX Series routers and EX Series switches, firewall filters configured for the family ccc statement can be applied only as input filters.
Table 1 describes the match-conditions you can configure at the [edit firewall family ccc filter filter-name term term-name from] hierarchy level.
Match Condition |
Description |
|
---|---|---|
|
Specify which groups to inherit configuration data from. You can specify more than one group name. You must list them in order of inheritance priority. The configuration data in the first group takes priority over the data in subsequent groups. |
|
|
Specify which groups not to inherit configuration data from. You can specify more than one group name. |
|
|
(MX Series routers and EX Series switches only) Match the destination media access control (MAC) address of a virtual private LAN service (VPLS) packet. To have packets correctly evaluated by this match condition when applied to egress traffic flowing over a CCC circuit from a logical interface on an I-chip DPC in a Layer 2 virtual private network (VPN) routing instance, you must make a configuration change to the Layer 2 VPN routing instance. You must explicitly disable the use of a control word for traffic flowing out over a Layer 2 circuit. The use of a control word is enabled by default for Layer 2 VPN routing instances to support the emulated virtual circuit (VC) encapsulation for Layer 2 circuits. To explicitly disable the use of a control word for Layer 2 VPNs, include the
Note:
This match condition is not supported on PTX series packet transport routers. For more information, see Disabling the Control Word for Layer 2 VPNs. |
|
|
|
Length of the data to be matched in bits, not needed for string input (0..128) |
|
Bit offset after the (match-start + byte) offset (0..7) |
|
|
Byte offset after the match start point |
|
|
Select a flexible match from predefined template field |
|
|
Mask out bits in the packet data to be matched |
|
|
Start point to match in packet |
|
|
Value data/string to be matched |
|
|
|
Length of the data to be matched in bits (0..32) |
|
Bit offset after the (match-start + byte) offset (0..7) |
|
|
Byte offset after the match start point |
|
|
Select a flexible match from predefined template field |
|
|
Start point to match in packet |
|
|
Range of values to be matched |
|
|
Do not match this range of values |
|
|
Forwarding class. Specify |
|
|
Do not match on the forwarding class. Specify |
|
|
Match the logical interface on which the packet was received to the specified interface
group or set of interface groups. For To assign a logical interface to an interface group
Note:
This match condition is not supported on PTX series packet transport routers. For more information, see Filtering Packets Received on a Set of Interface Groups Overview. |
|
|
Do not match the logical interface on which the packet was received to the specified
interface group or set of interface groups. For details, see the
Note:
This match condition is not supported on PTX series packet transport routers. |
|
|
(MX Series routers, M320 router, and EX Series switches only) Match on the IEEE 802.1p
learned VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with
802.1Q VLAN tags or the outer tag in a dual-tag frame with 802.1Q VLAN tags). Specify a
single value or multiple values from Compare with the Note:
This match condition is not supported on PTX series packet transport routers. Note:
This match condition supports the presence of a control word for MX Series and M320 routers. |
|
|
(MX Series routers, M320 router, and EX Series switches only) Do not match on the
IEEE 802.1p learned VLAN priority bits. For details, see the
Note:
This match condition is not supported on PTX series packet transport routers. Note:
This match condition supports the presence of a control word for MX Series and M320 routers. |
|
|
Packet loss priority (PLP) level. Specify a single level or multiple levels:
Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers and EX Series switches. For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC
Concentrators (FPCs), and EX Series switches, you must include the For information about the |
|
|
Do not match on the packet loss priority level. Specify a single level or multiple levels:
Note:
This match condition is not supported on PTX series packet transport routers. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic. |
|
|
(MX Series routers, M320 router, and EX Series switches only) Match on the IEEE 802.1p
user priority bits in the customer VLAN tag (the inner tag in a dual-tag frame with 802.1Q
VLAN tags). Specify a single value or multiple values from Compare with the Note:
This match condition is not supported on PTX series packet transport routers. Note:
This match condition supports the presence of a control word for MX Series and M320 routers. |
|
|
(MX Series routers, M320 router, and EX Series switches only) Do not match on the IEEE
802.1p user priority bits. For details, see the Note:
This match condition is not supported on PTX series packet transport routers. Note:
This match condition supports the presence of a control word for MX Series and M320 routers. |
For the flexible-match-mask and flexible-match-range match conditions, match-start layer-4 does not work for matching over an IPv6 header in Layer 2 family filters such as bridge, CCC, and VPLS. Instead, use layer-3 with an appropriate offset to match IPv6 payload fields.
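
The offset arithmetic behind the note on match-start layer-4, as an added example that is not Juniper's code: it converts a Layer 4 field position into layer-3-relative flexible-match-range values, checks them against a constructed IPv6/UDP packet, and prints the matching set commands. Assumptions: the filter name CCC-IN and term name t1 are hypothetical, the option names are the Junos statement names for the options Table 1 describes, and the IPv6 header is the fixed 40 bytes with no extension headers.

```python
import struct

IPV6_FIXED_HDR = 40  # bytes; assumes no IPv6 extension headers
TRANSPORT = (6, 17)  # next-header values for TCP and UDP

def flex_range_for_l4_field(l4_offset, bit_length, lo, hi):
    """Map a field `l4_offset` bytes into the Layer 4 header to
    layer-3-relative flexible-match-range values (bounds from Table 1)."""
    if not 0 <= bit_length <= 32:
        raise ValueError("bit-length must be 0..32 for a range match")
    if not 0 <= lo <= hi < (1 << bit_length):
        raise ValueError("range does not fit in bit-length")
    return {"match-start": "layer-3",
            "byte-offset": IPV6_FIXED_HDR + l4_offset,
            "bit-offset": 0,
            "bit-length": bit_length,
            "range": str(lo) if lo == hi else f"{lo}-{hi}"}

def extract(l3_bytes, m):
    """Return the bits the match would compare, counted from the first
    byte of the Layer 3 header, or None if the packet is too short."""
    end = m["byte-offset"] * 8 + m["bit-offset"] + m["bit-length"]
    total = len(l3_bytes) * 8
    if end > total:
        return None
    value = int.from_bytes(l3_bytes, "big") >> (total - end)
    return value & ((1 << m["bit-length"]) - 1)

def offset_holds(l3_bytes):
    """True only when a fixed IPv6 header is followed directly by TCP/UDP;
    with extension headers present the computed offset reads other data."""
    return (len(l3_bytes) >= IPV6_FIXED_HDR and l3_bytes[0] >> 4 == 6
            and l3_bytes[6] in TRANSPORT)

def render(filter_name, term, m):
    """Emit Junos set commands for the match (names are hypothetical)."""
    base = (f"set firewall family ccc filter {filter_name} "
            f"term {term} from flexible-match-range")
    return [f"{base} {key} {val}" for key, val in m.items()]

def sample_ipv6_udp(dport, next_header=17):
    """Constructed test packet: IPv6 header + 8-byte UDP header."""
    hdr = struct.pack("!IHBB", 0x60000000, 8, next_header, 64) + bytes(32)
    return hdr + struct.pack("!HHHH", 546, dport, 8, 0)

if __name__ == "__main__":
    match = flex_range_for_l4_field(2, 16, 547, 547)  # UDP destination port
    print(extract(sample_ipv6_udp(547), match), *render("CCC-IN", "t1", match), sep="\n")
```

Because a family ccc term cannot assume every frame carries IPv6 without extension headers, run offset_holds over representative captures before relying on a fixed byte-offset.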