Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Overview of MPLS Firewall Filters on Loopback Interface

Although all interfaces are important, the loopback interface might be the most important because it is the link to the Routing Engine, which runs and manages all the routing protocols. The loopback interface is a gateway for all the control traffic that enters the Routing Engine of the switch. You can control this traffic by configuring a firewall filter on the loopback interface (lo0) on family mpls. Loopback firewall filters affect only traffic destined for the Routing Engine CPU. You can apply a loopback firewall filter only in the ingress direction (packets entering the interface). Starting with Junos OS Release 19.2R1, you can apply an MPLS firewall filter to a loopback interface on a label switch router (LSR) on QFX5100, QFX5110, QFX5200, and QFX5210 switches.

When you configure an MPLS firewall filter, you define filtering criteria (terms, with match conditions) for the packets and an action for the switch to take if the packets match the filtering criteria. Because you apply the filter to a loopback interface, you must explicitly specify the time to live (TTL) match condition under family mpls and set its TTL value to 1 (ttl=1). The TTL is an 8-bit (IPv4) header field that signifies the remaining time an IP packet has left before its life ends and is dropped. You can also match packets with other MPLS qualifiers such as label, exp, Layer 4 source port, and Layer 4 destination port. For more information, see Firewall Filter Match Conditions for MPLS Traffic.

Benefits of Adding MPLS Firewall Filters on the Loopback Interface

  • Protects the Routing Engine by ensuring that it accepts traffic only from trusted networks.

  • Helps protect the Routing Engine from denial-of-service attacks.

  • Gives you the flexibility to match packets on the source port and destination port. For example, if you run a traceroute, you can selectively filter traffic by choosing either TCP or UDP.

Guidelines and Limitations

  • You can apply a loopback firewall filter only in the ingress direction

  • Only MPLS fields label, exp, ttl=1 and Layer 4 fields tcp and udp port numbers are supported.

  • Only accept, discard, and count actions are supported.

  • You must explicitly specify ttl=1 under family mpls to match on TLL packets.

  • Filters applied on the loopback interface cannot be matched on the destination port (inner payload) of an IPv6 packet.

  • You cannot apply a filter on packets that have more than two MPLS labels.

  • You cannot specify a port range for TCP or UDP match conditions.

  • Only 255 firewall terms are supported.

Release History Table
Release
Description
19.2R1
Starting with Junos OS Release 19.2R1, you can apply an MPLS firewall filter to a loopback interface on a label switch router (LSR) on QFX5100, QFX5110, QFX5200, and QFX5210 switches.