Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic
Matching on IPv4 or IPv6 Packet Header Fields in MPLS Traffic
To support network-based services in a core network, you can configure firewall filters that match IPv4 or IPv6 packet headers in MPLS traffic (family mpls). These filters can inspect the inner payload of MPLS packets with either a single label or up to five stacked labels.
Firewall filters based on MPLS-tagged IPv4 headers are supported only for interfaces on Enhanced Scaling Flexible PIC Concentrators (FPCs) on T320, T640, T1600, TX Matrix, and TX Matrix Plus routers and switches. Firewall filters based on MPLS-tagged IPv6 headers are supported only for interfaces on the Type 5 FPC on T4000 Core Routers. The feature is not supported for the router or switch loopback interface (lo0), the router or switch management interface (fxp0 or em0), or USB modem interfaces (umd).
When the ip-version match condition is used, the following additional match conditions become available.
IP Header Match Conditions for MPLS Traffic
Table 1 describes the match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ip-version] hierarchy level.
Match Condition | Description |
---|---|
destination-address address | Match the IPv4 or IPv6 address of the destination node to receive the packet. |
destination-address address except | Do not match the address of the destination node to receive the packet. |
destination-prefix-list name | Match destination prefixes in the specified list. |
dscp value | Match the Differentiated Services code point (0 through 63). |
dscp-except value | Do not match the specified DSCP value. |
source-address address | Match the IPv4 or IPv6 address of the source node sending the packet. |
source-address address except | Do not match the address of the source node sending the packet. |
source-prefix-list name | Match source prefixes in the specified list. |
protocol number | Match the IPv4 protocol type field. In place of the numeric value, you can specify a text synonym (tcp, udp, icmp, and so on). |
fragment-flags value | Match IPv4 fragment flags (DF, MF). |
is-fragment | Match IPv4 fragmented packets. |
tcp-established | Match established TCP connections (requires protocol tcp). |
tcp-initial | Match initial TCP packets (requires protocol tcp). |
next-header number | Match the IPv6 next header type (the IPv6 equivalent of the IPv4 protocol field). |
IP Port Match Conditions for MPLS Traffic
Table 2 describes the port-specific match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ip-version protocol (udp | tcp)] hierarchy level.
Match Condition | Description |
---|---|
destination-port number | Match the TCP or UDP destination port field (0 through 65535). In place of the numeric value, you can specify a text synonym for the port. |
destination-port-except number | Do not match the TCP or UDP destination port field. In place of the numeric value, you can specify the same text synonyms as for destination-port. |
source-port number | Match the TCP or UDP source port field (0 through 65535). In place of the numeric value, you can specify the same text synonyms as for destination-port. |
source-port-except number | Do not match the TCP or UDP source port field. |
ICMP Match Conditions for MPLS Traffic
Table 3 describes the ICMP-specific match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ip-version protocol icmp] hierarchy level for IPv4, or under next-header icmpv6 for IPv6.
Match Condition | Description |
---|---|
icmp-type number |
Match ICMP message type (0-255) |
icmp-code number |
Match ICMP message code (0-255) |
Interface Match Conditions for MPLS Traffic
Table 4 describes the interface-specific match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name] hierarchy level.
Match Condition | Description |
---|---|
interface-group group-number | Match the interface group to which the receiving interface belongs. |
Configuration Example
```
firewall {
    family mpls {
        filter MPLS_TRAFFIC_FILTER {
            term BLOCK_FRAGMENTS {
                from {
                    ip-version ipv4;
                    is-fragment;            /* Match IPv4 fragments */
                }
                then discard;
            }
            term ALLOW_WEB_TRAFFIC {
                from {
                    ip-version ipv4;
                    protocol tcp;
                    destination-port 80;    /* HTTP */
                }
                then accept;
            }
            term ALLOW_DNS {
                from {
                    ip-version ipv6;
                    next-header udp;
                    destination-port 53;    /* DNS */
                }
                then accept;
            }
            term ALLOW_ICMP {
                from {
                    ip-version ipv6;
                    next-header icmpv6;
                    icmp-type echo-request; /* IPv6 ping */
                }
                then accept;
            }
        }
    }
}
```
Usage Notes
- ip-version must be specified before any IP header match condition is used
- Port match conditions require an explicit protocol definition (tcp or udp)
- ICMP conditions require protocol icmp (IPv4) or next-header icmpv6 (IPv6)
- MPLS packets with 1 to 5 stacked labels are supported
- IPv4 and IPv6 match conditions cannot be mixed in the same term
- All match conditions evaluate the inner payload of MPLS packets
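A term that breaks one of these usage notes is the kind of mistake that silently leaves traffic unfiltered, so it is worth checking before a commit. The following added example (not Juniper code, and not part of this page) parses a Junos-style filter block into nested dicts and reports terms that use ports without a transport protocol, ICMP conditions without icmp/icmpv6, IPv4 conditions in an IPv6 term, or header conditions without ip-version; the sample configuration and the term names in it are constructed for the demonstration.

```python
import re
# Constructed sample (not from the page): one clean term and three that break the usage notes.
SAMPLE = """firewall { family mpls { filter MPLS_TRAFFIC_FILTER {
    term ALLOW_WEB { from { ip-version ipv4; protocol tcp; destination-port 80; } then accept; }
    term BAD_PORT { from { ip-version ipv4; destination-port 443; } then accept; }
    term BAD_MIX { from { ip-version ipv6; protocol tcp; /* IPv4-only */ } then discard; }
    term BAD_ICMP { from { ip-version ipv4; icmp-type 8; } then accept; }
} } }"""
TOKEN = re.compile(r"\{|\}|;|/\*.*?\*/|[^\s{};]+", re.S)
IPV4_ONLY = {"protocol", "fragment-flags", "is-fragment", "tcp-established", "tcp-initial"}
IPV6_ONLY = {"next-header"}

def parse(text):
    """Turn Junos-style braces into nested dicts; 'key value;' becomes {key: value}."""
    stack, words = [{}], []
    for tok in TOKEN.findall(text):
        if tok == "{":                        # block named by the words before it
            stack[-1][" ".join(words)] = node = {}
            stack.append(node)
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if words:                         # flag-style statements get the value True
                stack[-1][words[0]] = " ".join(words[1:]) or True
        elif not tok.startswith("/*"):        # annotations are dropped
            words.append(tok)
            continue
        words = []
    return stack[0]

def lint_filter(config, filter_name):
    """Return (term, problem) pairs for terms that violate the usage notes above."""
    filt = config["firewall"]["family mpls"]["filter " + filter_name]
    problems = []
    for key, term in filt.items():
        if not key.startswith("term "):
            continue
        name, frm = key[5:], term.get("from", {})
        ver, keys = frm.get("ip-version"), set(frm)
        if ver is None and keys:
            problems.append((name, "IP header conditions used without ip-version"))
            continue
        if keys & (IPV6_ONLY if ver == "ipv4" else IPV4_ONLY):
            problems.append((name, "IPv4 and IPv6 match conditions mixed in one term"))
        l4 = frm.get("protocol") or frm.get("next-header")   # transport selector
        if keys & {"destination-port", "source-port"} and l4 not in ("tcp", "udp"):
            problems.append((name, "port match without protocol/next-header tcp or udp"))
        if keys & {"icmp-type", "icmp-code"} and l4 not in ("icmp", "icmpv6"):
            problems.append((name, "ICMP match without protocol icmp or next-header icmpv6"))
    return problems
```

Running lint_filter(parse(SAMPLE), "MPLS_TRAFFIC_FILTER") reports BAD_PORT, BAD_MIX and BAD_ICMP and leaves ALLOW_WEB alone.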