Firewall Filter Match Conditions for MPLS Traffic

You can configure a firewall filter with match conditions for MPLS traffic (family mpls).

  • The input-list filter-names and output-list filter-names statements for firewall filters for the mpls protocol family are supported on all interfaces except management interfaces and internal Ethernet interfaces (fxp or em0), loopback interfaces (lo0), and USB modem interfaces (umd).

  • If a packet has multiple MPLS labels, the filter applies the match conditions to only the bottom label in the label stack.

  • (QFX5100, QFX5110, QFX5200, QFX5210) If you apply an MPLS filter to a loopback interface, you can filter only on the label, exp, ttl=1, and Layer 4 TCP and UDP port number fields. To match packets with TTL=1, you must explicitly specify ttl=1 under family mpls. The only actions you can configure are accept, discard, and count, and you can apply the filter only in the ingress direction.

Table 1 describes the match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from] hierarchy level.

Table 1: Firewall Filter Match Conditions for MPLS Traffic

Match Condition

Description

apply-groups

Specify which groups to inherit configuration data from. You can specify more than one group name. You must list them in order of inheritance priority. The configuration data in the first group takes priority over the data in subsequent groups.

apply-groups-except

Specify which groups not to inherit configuration data from. You can specify more than one group name.

destination-port number

Match on the UDP or TCP destination port field.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

exp number

Experimental (EXP) bit number or range of bit numbers in the MPLS header of a packet.

For number, you can specify one or more values from 0 through 7 in binary, decimal, or hexadecimal format, as follows:

  • A single EXP bit—for example, exp 3

  • Several EXP bits—for example, exp 0,4

  • A range of EXP bits—for example, exp [0-5]. Ranges of EXP values are not supported in filters applied to the loopback interface.

Note:

This match condition is not supported on PTX series packet transport routers.

exp-except number

Do not match on the EXP bit number or range of bit numbers in the MPLS header. For number, you can specify one or more values from 0 through 7.

Note:

This match condition is not supported on PTX series packet transport routers.

forwarding-class class

Forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

forwarding-class-except class

Do not match on the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

interface interface-name

Interface on which the packet was received. You can configure a match condition that matches packets based on the interface on which they were received.

Note:

If you configure this match condition with an interface that does not exist, the term does not match any packet.

interface-set interface-set-name

Match the interface on which the packet was received to the specified interface set.

To define an interface set, include the interface-set statement at the [edit firewall] hierarchy level.

Note:

This match condition is not supported on PTX series packet transport routers.

For more information, see Filtering Packets Received on an Interface Set Overview.

ip-version number

(Interfaces on Enhanced Scaling Flexible PIC Concentrators (FPCs) on supported T Series routers only) Inner IP version. To match MPLS-tagged IPv4 packets, match on the text synonym ipv4.

Note:

This match condition is not supported on PTX series packet transport routers.

label number

MPLS label value or range of label values in the MPLS header of a packet.

For number, you can specify one or more values from 0 through 1048575 (the 20-bit label space) in decimal or hexadecimal format, as follows:

  • A single label—for example, label 3

  • Several labels—for example, label 0,4

  • A range of labels—for example, label [0-5]. Ranges of label values are not supported in filters applied to the loopback interface.

loss-priority level

Match the packet loss priority (PLP) level.

Specify a single level or multiple levels: low, medium-low, medium-high, or high.

Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers and EX Series switches.

For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs), and EX Series switches, you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tri-color statement is not enabled, you can only configure the high and low levels. This applies to all protocol families.

For information about the tri-color statement, see Configuring and Applying Tricolor Marking Policers. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Forwarding Classes Assign Classes to Output Queues.

loss-priority-except level

Do not match the PLP level. For details, see the loss-priority match condition.

Note:

This match condition is not supported on PTX series packet transport routers.

source-port number

Match on the TCP or UDP source port field.

You cannot specify the port and source-port match conditions in the same term.

If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port.

In place of the numeric field, you can specify one of the text synonyms listed under destination-port.

ttl number

Time To Live (TTL) is the 8-bit field in the MPLS label stack entry that is decremented at each label-switching hop; a packet whose TTL reaches 0 is discarded rather than forwarded.

For number, you can specify a value from 0 through 255.

Table 2 describes the actions you can configure for MPLS firewall filters at the [edit firewall family mpls filter filter-name term term-name then] hierarchy level.

Table 2: Supported Actions for MPLS Firewall Filters

Action

Description

accept

Accept a packet.

count counter-name

Count the number of packets that pass this filter or term.

Note:

We recommend that you configure a counter for each term in a firewall filter, so that you can monitor the number of packets that match the conditions specified in each filter term.

discard

Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message.

policer

Starting with Junos OS 13.2X51-D15, you can send traffic matched by an MPLS filter to a two-color policer.

three-color-policer

Starting with Junos OS 13.2X51-D15, you can send traffic matched by an MPLS filter to a three-color policer.
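The following is an added example, not code from Juniper or from this page, that ties Table 1 and Table 2 together: it decodes MPLS label stack entries (20-bit label, 3-bit EXP, S bit, 8-bit TTL), reads a small family mpls filter written as Junos set commands, and evaluates packets against it using the Junos rules that terms are tried in order, a matched term with no terminating action accepts, and a packet that matches no term is implicitly discarded. The filter policy, the packet builders, the partial port-synonym table, and the parser's tolerance of space-separated values and ranges are all constructed for this example; the choice to examine the bottom label of a multi-label packet follows the statement on this page.

```python
"""Added example (not Juniper's code): decode an MPLS label stack and run it
through a small model of a Junos 'family mpls' firewall filter given as set
commands. The config, packets and port-synonym subset below are constructed."""
import struct
from dataclasses import dataclass

# Subset of the destination-port text synonyms listed on the page (assumed here).
PORT_SYNONYMS = {"ssh": 22, "bgp": 179, "ldp": 646, "telnet": 23, "snmp": 161}

# Constructed policy: drop reserved labels, pass TTL-expiring packets, block
# MPLS-tunnelled SSH, accept everything else (terms are evaluated in order).
SAMPLE_CONFIG = """
set firewall family mpls filter mpls-in term reserved-labels from label 0-15
set firewall family mpls filter mpls-in term reserved-labels then count reserved
set firewall family mpls filter mpls-in term reserved-labels then discard
set firewall family mpls filter mpls-in term ttl-expiring from ttl 1
set firewall family mpls filter mpls-in term ttl-expiring then count ttl1
set firewall family mpls filter mpls-in term ttl-expiring then accept
set firewall family mpls filter mpls-in term no-ssh from destination-port ssh
set firewall family mpls filter mpls-in term no-ssh then discard
set firewall family mpls filter mpls-in term other from exp 0-7
set firewall family mpls filter mpls-in term other then accept
"""

@dataclass
class LabelEntry:
    label: int  # 20-bit label value
    exp: int    # 3-bit EXP (traffic class) field
    bos: bool   # bottom-of-stack (S) bit
    ttl: int    # 8-bit TTL, decremented at each label-switching hop

def parse_label_stack(data: bytes):
    """Return (entries top-first, payload) from consecutive 32-bit shim entries."""
    entries, off = [], 0
    while True:
        if len(data) - off < 4:
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        entries.append(LabelEntry(word >> 12, (word >> 9) & 0x7, bool(word >> 8 & 1), word & 0xFF))
        if entries[-1].bos:
            return entries, data[off:]

def inner_ports(payload: bytes):
    """(source, destination) ports of TCP/UDP inside an IPv4 payload, else None."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    ihl, proto = (payload[0] & 0xF) * 4, payload[9]
    if proto not in (6, 17) or len(payload) < ihl + 4:
        return None
    return struct.unpack_from("!HH", payload, ihl)

def parse_values(tokens):
    """Tokens such as '0-15', 'ssh', '0x10' -> inclusive (lo, hi) ranges."""
    out = []
    for t in tokens:
        t = str(PORT_SYNONYMS.get(t, t))
        lo, _, hi = t.partition("-")
        out.append((int(lo, 0), int(hi or lo, 0)))
    return out

def parse_set_config(text: str):
    """'set firewall family mpls filter F term T from|then ...' -> ordered term list."""
    terms = {}
    for line in text.strip().splitlines():
        w = line.split()
        if w[:5] != "set firewall family mpls filter".split() or w[6] != "term":
            raise ValueError("unsupported line: " + line)
        term = terms.setdefault(w[7], {"name": w[7], "from": {}, "then": []})
        if w[8] == "from":
            term["from"][w[9]] = parse_values(w[10:])
        elif w[8] == "then":
            term["then"].append(tuple(w[9:]))
    return list(terms.values())

def evaluate(terms, entry: LabelEntry, dst_port=None, counters=None):
    """First term whose 'from' conditions all match decides; a matched term with
    no accept/discard accepts, and no match at all is an implicit discard."""
    fields = {"label": entry.label, "exp": entry.exp, "ttl": entry.ttl,
              "destination-port": dst_port}
    for term in terms:
        if not all(fields[c] is not None and any(lo <= fields[c] <= hi for lo, hi in rs)
                   for c, rs in term["from"].items()):
            continue
        for act in term["then"]:
            if act[0] == "count" and counters is not None:
                counters[act[1]] = counters.get(act[1], 0) + 1
        return next((a[0] for a in term["then"] if a[0] in ("accept", "discard")), "accept")
    return "discard"

def classify(terms, packet: bytes, counters=None):
    """Decode the packet, pick the label entry the filter examines, and evaluate it."""
    stack, payload = parse_label_stack(packet)
    entry = stack[-1]  # the page states only the bottom label of a stack is examined
    ports = inner_ports(payload)
    return evaluate(terms, entry, ports[1] if ports else None, counters)

def shim(label, exp, bos, ttl):  # one label stack entry (constructed input)
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)

def ipv4_tcp(sport, dport):  # minimal IPv4 header (IHL 5, proto TCP) + TCP ports only
    return bytes([0x45, 0]) + b"\x00" * 6 + bytes([64, 6]) + b"\x00" * 10 + struct.pack("!HH", sport, dport)
```

Calling classify(parse_set_config(SAMPLE_CONFIG), shim(1001, 0, False, 64) + shim(300, 5, True, 1) + ipv4_tcp(40000, 22), {}) returns "accept" even though the inner segment is SSH, because the ttl-expiring term precedes no-ssh; the same packet with TTL 64 is discarded. That ordering effect, and the per-term counters the page recommends, are what to check when reviewing a filter of this kind.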