Overview of MPLS Firewall Filters on Loopback Interface
Although all interfaces are important, the loopback interface might be the most important
because it is the link to the Routing Engine, which runs and manages all the routing protocols.
The loopback interface is a gateway for all the control traffic that enters the Routing Engine of the switch. You can control this traffic by configuring a firewall filter on the loopback interface (lo0) on family mpls. Loopback firewall filters affect only traffic destined for the Routing Engine CPU. You can apply a loopback firewall filter only in the ingress direction (packets entering the interface). Starting with Junos OS Release 19.2R1, you can apply an MPLS firewall filter to a loopback interface on a label switch router (LSR) on QFX5100, QFX5110, QFX5200, and QFX5210 switches.
When you configure an MPLS firewall filter, you define filtering criteria (terms, with match conditions) for the packets and an action for the switch to take if the packets match the filtering criteria. Because you apply the filter to a loopback interface, you must explicitly specify the time-to-live (TTL) match condition under family mpls and set its TTL value to 1 (ttl=1). The TTL is an 8-bit (IPv4) header field that signifies the remaining lifetime of an IP packet before it expires and is dropped. You can also match packets on other MPLS qualifiers such as label, exp, Layer 4 source port, and Layer 4 destination port.
Benefits of Adding MPLS Firewall Filters on the Loopback Interface
Protects the Routing Engine by ensuring that it accepts traffic only from trusted networks.
Helps protect the Routing Engine from denial-of-service attacks.
Gives you the flexibility to match packets on the source port and destination port. For example, if you run a traceroute, you can selectively filter traffic by choosing either TCP or UDP.
Guidelines and Limitations
You can apply a loopback firewall filter only in the ingress direction.
Only the MPLS fields label, exp, and ttl=1 and the Layer 4 fields tcp and udp port numbers are supported.
Only the accept, discard, and count actions are supported.
You must explicitly specify ttl=1 under family mpls to match packets on TTL.
Filters applied on the loopback interface cannot match on the destination port (inner payload) of an IPv6 packet.
You cannot apply a filter on packets that have more than two MPLS labels.
You cannot specify a port range for TCP or UDP match conditions.
Only 255 firewall terms are supported.
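The filter mechanics described above (the label, exp, ttl=1 and Layer 4 port match conditions, the accept, discard and count actions, and the two-label, no-port-range and 255-term limits) can be followed in a small packet-level model. The Python below is an added illustration written for this page; it is not Junos OS code and does not reproduce the Junos configuration syntax. It assumes that the ttl and label conditions are checked against the top label stack entry, that a packet matching no term is discarded (the implicit discard at the end of a Junos filter), and that an LSR punts a packet to the Routing Engine when its top-label TTL reaches 1; the sample packets are constructed inline.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO = {"tcp": 6, "udp": 17}
ALLOWED_ACTIONS = {"accept", "discard"}   # terminating actions the page lists (count is non-terminating)
MAX_TERMS = 255                           # page limit on firewall terms
MAX_LABELS = 2                            # page limit on label stack depth


def mpls_entry(label: int, exp: int, bos: int, ttl: int) -> bytes:
    """Encode one 32-bit label stack entry: label(20) | exp(3) | S(1) | ttl(8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def build_packet(stack: List[Tuple[int, int, int]], proto: int, sport: int, dport: int) -> bytes:
    """Constructed sample packet: label stack, minimal IPv4 header, first 4 bytes of TCP/UDP.
    stack is a list of (label, exp, ttl); the last entry gets the bottom-of-stack bit."""
    entries = b"".join(mpls_entry(lbl, exp, int(i == len(stack) - 1), ttl)
                       for i, (lbl, exp, ttl) in enumerate(stack))
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return entries + ipv4 + struct.pack("!HH", sport, dport)


def parse_mpls_packet(data: bytes) -> dict:
    """Walk the label stack, then pull protocol and ports from an inner IPv4 payload."""
    labels, off = [], 0
    while True:
        (entry,) = struct.unpack_from("!I", data, off)
        off += 4
        labels.append({"label": entry >> 12, "exp": (entry >> 9) & 0x7, "ttl": entry & 0xFF})
        if (entry >> 8) & 1:          # bottom of stack reached
            break
        if len(labels) == MAX_LABELS:  # a third label follows: the loopback filter cannot handle it
            raise ValueError("more than two MPLS labels are not supported")
    pkt = {"labels": labels, "protocol": None, "sport": None, "dport": None}
    if data[off] >> 4 != 4:           # IPv6 inner payload: no Layer 4 port matching (page limitation)
        return pkt
    ihl = (data[off] & 0x0F) * 4
    pkt["protocol"] = data[off + 9]
    if pkt["protocol"] in PROTO.values():
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", data, off + ihl)
    return pkt


@dataclass
class Term:
    """One filter term; None means the condition is not specified (matches anything)."""
    name: str
    ttl: int = 1                       # must be 1 on a loopback MPLS filter
    label: Optional[int] = None
    exp: Optional[int] = None
    protocol: Optional[str] = None     # "tcp" or "udp"
    source_port: Optional[int] = None  # single port only: ranges are not supported
    destination_port: Optional[int] = None
    count: Optional[str] = None        # counter name, incremented on match
    action: str = "accept"


def validate_filter(terms: List[Term]) -> None:
    """Reject configurations the page says are not supported."""
    if len(terms) > MAX_TERMS:
        raise ValueError(f"only {MAX_TERMS} terms are supported")
    for t in terms:
        if t.ttl != 1:
            raise ValueError(f"term {t.name}: loopback MPLS filters must match ttl=1")
        if t.action not in ALLOWED_ACTIONS:
            raise ValueError(f"term {t.name}: action {t.action!r} is not supported")
        if t.protocol is not None and t.protocol not in PROTO:
            raise ValueError(f"term {t.name}: only tcp and udp ports are supported")


def evaluate(terms: List[Term], data: bytes, counters: Dict[str, int]) -> str:
    """Return the action of the first matching term, or the implicit discard."""
    pkt = parse_mpls_packet(data)
    top = pkt["labels"][0]
    for t in terms:
        if top["ttl"] != t.ttl:
            continue
        if t.label is not None and top["label"] != t.label:
            continue
        if t.exp is not None and top["exp"] != t.exp:
            continue
        if t.protocol is not None and pkt["protocol"] != PROTO[t.protocol]:
            continue
        if t.source_port is not None and pkt["sport"] != t.source_port:
            continue
        if t.destination_port is not None and pkt["dport"] != t.destination_port:
            continue
        if t.count:
            counters[t.count] = counters.get(t.count, 0) + 1
        return t.action
    return "discard"


# Constructed filter: let expiring UDP traceroute probes to port 33434 reach the
# Routing Engine and count them; count and discard every other expiring packet.
LOOPBACK_FILTER = [
    Term("traceroute-udp", protocol="udp", destination_port=33434, count="traceroute-udp"),
    Term("expired-other", count="expired-other", action="discard"),
]

if __name__ == "__main__":
    validate_filter(LOOPBACK_FILTER)
    counters: Dict[str, int] = {}
    probe = build_packet([(100, 5, 1)], PROTO["udp"], 40000, 33434)
    print("udp probe, ttl 1:", evaluate(LOOPBACK_FILTER, probe, counters))
    other = build_packet([(100, 0, 1)], PROTO["tcp"], 50000, 179)
    print("tcp/179, ttl 1:  ", evaluate(LOOPBACK_FILTER, other, counters))
    print("counters:", counters)
```

The model separates configuration validation (what the switch would refuse to commit) from packet evaluation (what happens to a punted packet), which is the same split a practitioner makes when troubleshooting: first confirm the filter is within the supported feature set, then check which term a given control packet lands on and whether its counter increments.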