Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic

Matching on IPv4 or IPv6 Packet Header Fields in MPLS Traffic

To support network-based services in a core network, you can configure firewall filters that match IPv4 or IPv6 packet headers in MPLS traffic (family mpls). These filters can inspect the inner payload of MPLS packets with either a single label or up to five stacked labels.

Firewall filters that match MPLS-tagged IPv4 headers are supported only for interfaces on Enhanced Scaling Flexible PIC Concentrators (FPCs) on T320, T640, T1600, TX Matrix, and TX Matrix Plus routers and switches. Firewall filters that match MPLS-tagged IPv6 headers are supported only for interfaces on the Type 5 FPC on T4000 Core Routers. Neither is supported on the router or switch loopback interface (lo0), the management interface (fxp0 or em0), or USB modem interfaces (umd).

When using the ip-version match condition, the following additional match conditions become available.

IP Header Match Conditions for MPLS Traffic

Table 1 describes the match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ip-version] hierarchy level.

Table 1: IP Header Firewall Filter Match Conditions for MPLS Traffic
Match Condition Description
destination-address address Match destination IPv4/IPv6 address
destination-prefix-list name Match destination prefixes in specified list
dscp value Match Differentiated Services code point (0-63)
dscp-except value Exclude specified DSCP value
source-address address Match source IPv4/IPv6 address
source-prefix-list name Match source prefixes in specified list
protocol number Match IPv4 protocol type (tcp, udp, icmp, etc.)
fragment-flags value Match IPv4 fragment flags (DF, MF)
is-fragment Match IPv4 fragmented packets
tcp-established Match established TCP connections (requires protocol tcp)
tcp-initial Match initial TCP packets (requires protocol tcp)
next-header number Match IPv6 next header type (equivalent to IPv4 protocol)

destination-address address

Match the address of the destination node to receive the packet.

destination-address address except

Do not match the address of the destination node to receive the packet.

protocol number

Match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

source-address address

Match the address of the source node sending the packet.

source-address address except

Do not match the address of the source node sending the packet.

IP Port Match Conditions for MPLS Traffic

Table 2 describes the port-specific match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ip-version protocol (udp | tcp)] hierarchy level.

Table 2: Port-Specific Firewall Filter Match Conditions for MPLS Traffic
Match Condition Description
destination-port number Match TCP/UDP destination port (0-65535)
source-port number Match TCP/UDP source port (0-65535)

destination-port number

Match on the UDP or TCP destination port field.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

destination-port-except number

Do not match on the UDP or TCP destination port field.

In place of the numeric value, you can specify one of the text synonyms listed with the destination-port match condition.

source-port number

Match on the TCP or UDP source port field.

In place of the numeric value, you can specify one of the text synonyms listed under destination-port.

source-port-except number

Do not match on the TCP or UDP source port field.

In place of the numeric value, you can specify one of the text synonyms listed under destination-port.

ICMP Match Conditions for MPLS Traffic

Table 3 describes the ICMP-specific match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4 protocol icmp] hierarchy level for IPv4, or at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv6 next-header icmpv6] hierarchy level for IPv6.

Table 3: ICMP Match Conditions for MPLS Traffic
Match Condition Description
icmp-type number Match ICMP message type (0-255)
icmp-code number Match ICMP message code (0-255)

Interface Match Conditions for MPLS Traffic

Table 4 describes the interface-specific match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name] hierarchy level.

Table 4: Interface-specific Firewall Filter Match Conditions for MPLS Traffic
Match Condition Description

interface-group interface-device name | unit-list

Match the interface group. Options are:

  • interface-device name - Name of the interface device. Only Ethernet devices are allowed; the device name begins with ge, xe, et, or ae.

  • unit-list - One or more logical interface unit numbers.

    • Range: A unit number in the range <0-16385>, or a span written as <0-16385>-<0-16385>. For example, unit-list[12 23-33 44]

Configuration Example
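The following is an added example, not Juniper's code or a configuration taken from the page: a small Python model of what a family mpls term evaluates. A term is written as a dict whose keys are the hierarchy names from Tables 1 to 3; for instance {"ip-version": "ipv4", "protocol": "tcp", "destination-port": "bgp", "tcp-initial": True} stands for the statement path from ip-version ipv4 protocol tcp destination-port bgp tcp-initial. The code pops a label stack of up to five entries, reads the version nibble of the inner header, decodes IPv4 or IPv6 together with the TCP/UDP ports or ICMP type and code, and refuses combinations the hierarchy does not allow (a port condition without protocol tcp or udp, an ICMP condition without protocol icmp or next-header icmpv6, protocol and next-header in one term). PROTO and PORT are a subset of the synonym tables listed above; MAX_LABELS, the sample packets and every function name are this example's own assumptions; is-fragment is modelled as a nonzero fragment offset, that is, a trailing fragment.

```python
import ipaddress
import struct

MAX_LABELS = 5  # the filter only reaches payloads behind at most five labels
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "icmp6": 58, "icmpv6": 58, "ospf": 89}  # page synonyms
PORT = {"ssh": 22, "domain": 53, "http": 80, "snmp": 161, "bgp": 179, "https": 443, "ldp": 646}

def pop_label_stack(pkt):
    """(labels, offset of the inner IP header), or None if deeper than MAX_LABELS / no S bit."""
    labels, off = [], 0
    while off + 4 <= len(pkt):
        entry = struct.unpack_from("!I", pkt, off)[0]  # label(20) | TC(3) | S(1) | TTL(8)
        labels.append(entry >> 12)
        off += 4
        if entry & 0x100:  # bottom-of-stack bit: the inner packet starts here
            return (labels, off) if len(labels) <= MAX_LABELS else None
    return None

def decode_inner(pkt, off):
    """Decode the inner IP header; MPLS has no payload-type field, the version nibble is the hint."""
    f = {"ip_version": pkt[off] >> 4, "src_port": None, "dst_port": None,
         "icmp_type": None, "icmp_code": None, "tcp_flags": None, "is_fragment": False}
    if f["ip_version"] == 4:
        vihl, tos, _, _, fl_fo, _, proto, _, s, d = struct.unpack_from("!BBHHHBBH4s4s", pkt, off)
        f["dscp"], f["is_fragment"] = tos >> 2, (fl_fo & 0x1FFF) != 0  # is-fragment: trailing only
        l4 = off + (vihl & 0x0F) * 4
    elif f["ip_version"] == 6:
        head, _, proto, _, s, d = struct.unpack_from("!IHBB16s16s", pkt, off)
        f["dscp"], l4 = (head >> 22) & 0x3F, off + 40  # extension headers are not walked here
    else:
        raise ValueError("inner payload is not IPv4 or IPv6")
    f["proto"], f["src"], f["dst"] = proto, ipaddress.ip_address(s), ipaddress.ip_address(d)
    if f["is_fragment"]:
        return f  # a trailing fragment has no L4 header: port/ICMP conditions cannot match
    if proto in (6, 17):
        f["src_port"], f["dst_port"] = struct.unpack_from("!HH", pkt, l4)
        f["tcp_flags"] = pkt[l4 + 13] if proto == 6 else None
    elif proto in (1, 58):
        f["icmp_type"], f["icmp_code"] = pkt[l4], pkt[l4 + 1]
    return f

def validate_term(term):
    """Reject what the hierarchy rejects at commit time (see Usage Notes); return the protocol."""
    if "ip-version" not in term:
        raise ValueError("ip-version must be set before any IP header condition")
    if "protocol" in term and "next-header" in term:
        raise ValueError("IPv4 (protocol) and IPv6 (next-header) conditions cannot be mixed")
    p = term.get("protocol", term.get("next-header"))
    proto = PROTO.get(p, p)  # text synonym or raw number
    for keys, allowed, need in ((("source-port", "destination-port"), (6, 17), "protocol tcp or udp"),
                                (("icmp-type", "icmp-code"), (1, 58), "protocol icmp or next-header icmpv6"),
                                (("tcp-initial", "tcp-established"), (6,), "protocol tcp")):
        if any(k in term for k in keys) and proto not in allowed:
            raise ValueError(f"{' / '.join(keys)} require {need}")
    return proto

def term_matches(term, f):
    """Evaluate one 'from' clause against decoded fields; an absent field never matches."""
    proto = validate_term(term)
    want = {"ipv4": 4, "ipv6": 6}[term["ip-version"]]
    if f["ip_version"] != want or (proto is not None and f["proto"] != proto):
        return False
    for key, field in (("source-address", "src"), ("destination-address", "dst")):
        if key in term and f[field] not in ipaddress.ip_network(term[key], strict=False):
            return False
    for key, field in (("dscp", "dscp"), ("is-fragment", "is_fragment"), ("icmp-type", "icmp_type"),
                       ("icmp-code", "icmp_code"), ("source-port", "src_port"), ("destination-port", "dst_port")):
        if key in term and f[field] != PORT.get(term[key], term[key]):  # ports may be text synonyms
            return False
    flags = f["tcp_flags"] or 0
    if term.get("tcp-initial") and not (flags & 0x02 and not flags & 0x10):
        return False  # tcp-initial: SYN set, ACK clear
    if term.get("tcp-established") and not flags & 0x14:
        return False  # tcp-established: ACK or RST set
    return True

def filter_matches(term, pkt):
    stack = pop_label_stack(pkt)
    if stack is None:
        return False  # stack too deep or malformed: the filter never sees the payload
    return term_matches(term, decode_inner(pkt, stack[1]))

# Constructed sample packets (not captures): label stack, then the inner IP packet.
def label(value, bottom, ttl=64):
    return struct.pack("!I", (value << 12) | (0x100 if bottom else 0) | ttl)
def ipv4(src, dst, proto, payload, frag_offset=0):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag_offset, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload
def ipv6(src, dst, nh, payload):
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), nh, 64,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload
def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

BGP_SYN = label(299776, False) + label(16, True) + ipv4("10.0.0.1", "10.0.0.2", 6, tcp(40000, 179, 0x02))
TRAILING_FRAG = label(16, True) + ipv4("10.0.0.1", "10.0.0.2", 6, b"\x00" * 8, frag_offset=100)
V6_PING = label(16, True) + ipv6("2001:db8::1", "2001:db8::2", 58, bytes([128, 0, 0, 0, 0, 0, 0, 0]))
```

Two points that follow from the model and that the tables do not spell out: because the MPLS header carries no field naming the payload type, ip-version is what tells the filter to read the bytes after the bottom-of-stack label as IPv4 or IPv6, so a term without it has nothing to match on; and a trailing fragment carries no transport header, so a term that accepts traffic by destination-port will not match the later fragments of the same datagram, which need their own term using is-fragment.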

Usage Notes

  • ip-version must be specified before any IP header match condition can be used
  • Port match conditions require the protocol to be set explicitly to tcp or udp
  • ICMP conditions require protocol icmp (IPv4) or next-header icmpv6 (IPv6)
  • MPLS packets with a label stack of one to five labels are supported
  • IPv4 and IPv6 match conditions cannot be mixed in the same term
  • All match conditions evaluate the inner payload of the MPLS packet