Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic

Matching on IPv4 or IPv6 Packet Header Address or Port Fields in MPLS Flows

To support network-based service in a core network, you can configure a firewall filter that matches Internet Protocol version 4 (IPv4) or version 6 (IPv6) packet header fields in MPLS traffic (family mpls). The firewall filter can match IPv4 or IPv6 packets as an inner payload of an MPLS packet that has a single MPLS label or up to five MPLS labels stacked together. You can configure match conditions based on IPv4 addresses and IPv4 port numbers or IPv6 addresses and IPv6 port numbers in the header.

Firewall filters based on MPLS-tagged IPv4 headers are supported for interfaces on Enhanced Scaling flexible PIC concentrators (FPCs) on T320, T640, T1600, TX Matrix, and TX Matrix Plus routers and switches only. However, the firewall filters based on MPLS-tagged IPv6 headers are supported for interfaces on the Type 5 FPC on T4000 Core Routers only. The feature is not supported for the router or switch loopback interface (lo0), the router or switch management interface (fxp0 or em0), or USB modem interfaces (umd).

To configure a firewall filter term that matches an address or port fields in the Layer 4 header of packets in an MPLS flow, you use the ip-version ipv4 match condition to specify that the term is to match packets based on inner IP fields:

  • To match an MPLS-tagged IPv4 packet on the source or destination address field in the IPv4 header, specify the match condition at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4] hierarchy level.

  • To match an MPLS-tagged IPv4 packet on the source or destination port field in the Layer 4 header, specify the match condition at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4 protocol (udp | tcp)] hierarchy level.

To configure a firewall filter term that matches an address or port fields in the IPv6 header of packets in an MPLS flow, you use the ip-version ipv6 match condition to specify that the term is to match packets based on inner IP fields:

  • To match an MPLS-tagged IPv6 packet on the source or destination address field in the IPv6 header, specify the match condition at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv6] hierarchy level.

  • To match an MPLS-tagged IPv6 packet on the source or destination port field in the Layer 4 header, specify the match condition at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv6 protocol (udp | tcp)] hierarchy level.

IP Address Match Conditions for MPLS Traffic

Table 1 describes the IP address-specific match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ip-version] hierarchy level.

Table 1: IP Address-Specific Firewall Filter Match Conditions for MPLS Traffic

Match Condition

Description

destination-address address

Match the address of the destination node to receive the packet.

destination-address address except

Do not match the address of the destination node to receive the packet.

protocol number

Match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

source-address address

Match the address of the source node sending the packet.

source-address address except

Do not match the address of the source node sending the packet.

IP Port Match Conditions for MPLS Traffic

Table 2 describes the IP port-specific match-conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ip-version protocol (udp | tcp )] hierarchy level.

Table 2: IP Port-Specific Firewall Filter Match Conditions for MPLS Traffic

Match Condition

Description

destination-port number

Match on the UDP or TCP destination port field.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

destination-port-except number

Do not match on the UDP or TCP destination port field.

In place of the numeric value, you can specify one of the text synonyms listed with the destination-port match condition.

source-port number

Match on the TCP or UDP source port field.

In place of the numeric field, you can specify one of the text synonyms listed under destination-port.

source-port-except number

Do not match on the TCP or UDP source port field.

Related Documentation