Understanding IP-Based Filtering and Selective Port Mirroring of MPLS Traffic
In an MPLS packet, the IP header immediately follows the MPLS label stack. The IP-based filtering feature provides a deep inspection mechanism: a label stack of up to eight MPLS labels is parsed to reach the inner payload, so that MPLS traffic can be filtered on IP parameters. The filtered MPLS traffic can also be port-mirrored to a monitoring device to offer network-based services in the core MPLS network.
IP-Based Filtering of MPLS Traffic
Prior to Junos OS Release 18.4R1, the MPLS family filter did not support matching on IP parameters. With the introduction of the IP-based filtering feature, you can apply inbound and outbound filters to MPLS-tagged IPv4 and IPv6 packets based on IP parameters such as source and destination addresses, Layer 4 protocol, and source and destination ports.
The IP-based filtering feature enables you to filter MPLS packets at the ingress of an interface, using match conditions on the inner payload of the MPLS packet. The selected MPLS traffic can then be port-mirrored to a remote monitoring device over logical tunnels.
To support IP-based filtering, additional match conditions are added that allow MPLS packets to be deep inspected: the inner payload is parsed for its Layer 3 and Layer 4 headers before the filter terms are evaluated.
The IP-based filtering feature is supported only for MPLS-tagged IPv4 and IPv6 packets. In other words, the MPLS filter matches IP parameters only when the IP header comes immediately after the label stack.
In other scenarios, where the MPLS payload is a pseudowire, a protocol other than inet or inet6, or another encapsulation such as Layer 2 VPN or VPLS, IP-based filtering is not supported and such packets do not match any IP-based term.
The following match conditions are added for the IP-based filtering of MPLS traffic:
IPv4 source address
IPv4 destination address
IPv6 source address
IPv6 destination address
Protocol
Source port
Destination port
Source IPv4 prefix list
Destination IPv4 prefix list
Source IPv6 prefix list
Destination IPv6 prefix list
The following match combinations are supported for the IP-based filtering of MPLS traffic:
Source and destination address match conditions together with IPv4 and IPv6 prefix lists.
Source port, destination port, and protocol match conditions together with IPv4 and IPv6 prefix lists.
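As an added illustration, not Juniper code and not part of this page's sample configuration, the following Python models what the deep inspection described above does: it walks the label stack using the bottom-of-stack bit, stops at the documented eight-label limit, classifies the payload by its first nibble, and evaluates terms equivalent to the ipv4-term and ipv6-term of the sample configuration later on this page. Three assumptions are marked in comments: that source-address values and prefix-list entries are merged into one address set, that exp is matched on the top label, and that the filter carries a final catch-all term named allow-rest. All packets are constructed, not captured.

```python
import ipaddress
import struct

MAX_LABELS = 8  # documented inspection depth of the feature

def parse_label_stack(pkt):
    """Return (labels, payload_offset); labels are (label, exp, ttl) tuples.
    payload_offset is None if MAX_LABELS labels were read without a bottom-of-stack bit."""
    labels, off = [], 0
    while True:
        if off + 4 > len(pkt):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", pkt, off)
        labels.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        off += 4
        if (word >> 8) & 1:            # S bit: this was the last label
            return labels, off
        if len(labels) == MAX_LABELS:  # deeper than the PFE inspects: payload stays opaque
            return labels, None

def parse_inner_ip(payload):
    """Parse the header right after the label stack; None unless it is IPv4/IPv6
    (a pseudowire control word starts with nibble 0, an Ethernet frame with a MAC)."""
    if not payload:
        return None
    version = payload[0] >> 4
    if version == 4 and len(payload) >= 20:
        ihl = (payload[0] & 0xF) * 4
        proto, src, dst, l4 = payload[9], payload[12:16], payload[16:20], payload[ihl:]
    elif version == 6 and len(payload) >= 40:
        proto, src, dst, l4 = payload[6], payload[8:24], payload[24:40], payload[40:]
    else:
        return None
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:  # TCP and UDP both put the ports first
        sport, dport = struct.unpack_from("!HH", l4, 0)
    return {"version": version, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "sport": sport, "dport": dport}

class Term:
    """One 'family mpls' term. src/dst merge source-address values and prefix-list
    entries into one set (modelling assumption); exp is checked on the top label (assumption)."""
    def __init__(self, name, actions, version=None, src=None, dst=None,
                 proto=None, sport=None, dport=None, exp=None):
        self.name, self.actions, self.version, self.exp = name, actions, version, exp
        self.proto, self.sport, self.dport = proto, sport, dport
        self.src = [ipaddress.ip_network(n, strict=False) for n in src] if src else None
        self.dst = [ipaddress.ip_network(n, strict=False) for n in dst] if dst else None

    def matches(self, labels, ip):
        if self.exp is not None and labels[0][1] != self.exp:
            return False
        if self.version is None:          # no IP conditions at all: any payload matches
            return True
        if ip is None or ip["version"] != self.version:
            return False                  # non-IP or other-family payload never matches
        if self.src is not None and not any(ip["src"] in n for n in self.src):
            return False
        if self.dst is not None and not any(ip["dst"] in n for n in self.dst):
            return False
        return all(want is None or want == got for want, got in
                   ((self.proto, ip["proto"]), (self.sport, ip["sport"]), (self.dport, ip["dport"])))

def evaluate(terms, pkt):
    """First matching term wins; like every Junos firewall filter, the end is an implicit discard."""
    labels, off = parse_label_stack(pkt)
    ip = parse_inner_ip(pkt[off:]) if off is not None else None
    for term in terms:
        if term.matches(labels, ip):
            return term.name, term.actions
    return "implicit-discard", ["discard"]

# The page's mpls-filter terms, plus an assumed final catch-all term.
MPLS_FILTER = [
    Term("ipv4-term", ["port-mirror", "count", "accept"], version=4,
         src=["10.10.10.10/24", "172.16.1.16/28", "172.16.2.16/28"],
         dst=["20.20.20.20/24"], proto=6, sport=100, dport=200, exp=1),
    Term("ipv6-term", ["port-mirror-instance port-mirror-instance1", "count", "accept"],
         version=6, src=["2000::1/128", "2001::1/128", "3001::1/128"],
         dst=["3000::1/128"], proto=6, sport=100, dport=200, exp=1),
    Term("allow-rest", ["accept"]),  # assumed: without it, non-IP MPLS transit traffic is discarded
]

# Constructed packets (not captures) for the cases the text describes.
def mpls(label, exp, ttl, bos):
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)

def l4(sport, dport):  # minimal TCP/UDP header: ports first, rest zero
    return struct.pack("!HH", sport, dport) + bytes(16)

def ipv4(src, dst, proto, body):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + body

def ipv6(src, dst, proto, body):
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), proto, 64,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + body

PACKETS = {
    "v4-tcp": mpls(16, 1, 64, 0) + mpls(17, 1, 64, 1) + ipv4("172.16.1.20", "20.20.20.5", 6, l4(100, 200)),
    "v6-tcp": mpls(16, 1, 64, 1) + ipv6("2001::1", "3000::1", 6, l4(100, 200)),
    "v4-udp": mpls(16, 1, 64, 1) + ipv4("172.16.1.20", "20.20.20.5", 17, l4(100, 200)),
    "pseudowire": mpls(16, 1, 64, 1) + bytes(4) + bytes([0xFF]) * 14,  # control word + Ethernet
    "nine-labels": b"".join(mpls(100 + i, 1, 64, 0) for i in range(8)) + mpls(200, 1, 64, 1)
                   + ipv4("172.16.1.20", "20.20.20.5", 6, l4(100, 200)),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:12s} -> {evaluate(MPLS_FILTER, pkt)}")
    print("pseudowire, no catch-all ->", evaluate(MPLS_FILTER[:2], PACKETS["pseudowire"]))
```

The last case printed is the practical caveat: because every Junos firewall filter ends in an implicit discard, a family mpls filter whose terms all match on IP parameters drops the pseudowire, Layer 2 VPN and VPLS transit traffic that the feature cannot inspect (and any packet with more than eight labels) unless the filter ends with a catch-all accept term.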
Selective Port Mirroring of MPLS Traffic
Port mirroring is the capability of copying a packet to a configured destination in addition to the normal processing and forwarding of the packet. Port mirroring is applied as an action of a firewall filter, which is applied at the ingress or egress of any interface. Similarly, the selective port mirroring feature mirrors MPLS traffic that has been filtered on IP parameters to a mirror destination over logical tunnels. Because the mirrored copies carry the inner payload of transit traffic, the mirror destination (the bridge domain or logical tunnel the copies are sent to) should be reachable only by the monitoring device, and changes to MPLS filters that carry port-mirror actions on core interfaces deserve the same change control as access to the capture device itself.
To enable selective port mirroring, two additional actions are configured at the [edit firewall family mpls filter filter-name term term-name then] hierarchy level, in addition to the existing count, accept, and discard actions:
port-mirror
port-mirror-instance
Port Mirroring
The port-mirror action enables port mirroring globally on the device, which applies to all Packet Forwarding Engines (PFEs) and their associated interfaces. For the MPLS family filter, the port-mirror action uses the global port-mirroring configuration at the [edit forwarding-options port-mirroring] hierarchy level.
Port Mirroring Instance
The port-mirror-instance action enables you to customize each instance with different properties for input sampling and port mirroring output destinations, instead of having to use a single system-wide port-mirroring configuration.
You can configure only two port mirroring instances per Flexible PIC Concentrator (FPC) by including the instance port-mirror-instance-name statement at the [edit forwarding-options port-mirroring] hierarchy level. You can then associate individual port mirroring instances with an FPC, PIC, or Forwarding Engine Board (FEB), depending on the device hardware.
For the MPLS family filter, the port-mirror-instance action mirrors to the named port-mirroring instance only, not to the global configuration.
For both the port-mirror and port-mirror-instance actions, the output interface must be configured with a Layer 2 family and not with family mpls (Layer 3) for the selective port mirroring feature to work.
Sample Configurations
- IP-Based Filtering Configuration
- Selective Port Mirroring Configuration
- Mirrored Destination Configuration
IP-Based Filtering Configuration
[edit firewall family mpls filter mpls-filter]
term ipv4-term {
    from {
        ip-version {
            ipv4 {
                source-address {
                    10.10.10.10/24;
                }
                destination-address {
                    20.20.20.20/24;
                }
                protocol tcp {
                    source-port 100;
                    destination-port 200;
                }
                source-prefix-list ipv4-source-users;
                destination-prefix-list ipv4-destination-users;
            }
        }
        exp 1;
    }
    then {
        port-mirror;
        /* count requires a counter name; the names used here are assumed */
        count ipv4-term-count;
        accept;
    }
}
term ipv6-term {
    from {
        ip-version {
            ipv6 {
                source-address {
                    2000::1/128;
                }
                destination-address {
                    3000::1/128;
                }
                protocol tcp {
                    source-port 100;
                    destination-port 200;
                }
                source-prefix-list ipv6-source-users;
                destination-prefix-list ipv6-destination-users;
            }
        }
        exp 1;
    }
    then {
        port-mirror-instance port-mirror-instance1;
        count ipv6-term-count;
        accept;
    }
}
[edit policy-options]
prefix-list ipv4-source-users {
    172.16.1.16/28;
    172.16.2.16/28;
}
prefix-list ipv6-source-users {
    2001::1/128;
    3001::1/128;
}
The destination prefix lists referenced by the filter (ipv4-destination-users and ipv6-destination-users) are not shown here; they must be defined under [edit policy-options] in the same way before the filter can be committed.
[edit interfaces]
xe-0/0/1 {
    unit 0 {
        family inet {
            address 100.100.100.1/30;
        }
        family mpls {
            filter {
                input mpls-filter;
            }
        }
    }
}
Selective Port Mirroring Configuration
[edit forwarding-options]
port-mirroring {
    input {
        rate 2;
        run-length 4;
        maximum-packet-length 500;
    }
    family any {
        output {
            interface xe-2/0/2.0;
        }
    }
}
[edit forwarding-options]
port-mirroring {
    instance {
        port-mirror-instance1 {
            input {
                rate 3;
                run-length 5;
                maximum-packet-length 500;
            }
            family any {
                output {
                    interface xe-2/0/2.0;
                }
            }
        }
    }
}
The output interface xe-2/0/2.0 is configured with a Layer 2 family (a bridge unit) and not with family mpls; for both the port-mirror and port-mirror-instance actions this is required for the selective port mirroring feature to work.
Note what the input stanza does to what the monitoring device receives: rate is the sampling ratio (one out of every rate packets is mirrored), run-length is the number of consecutive packets mirrored after each sampled packet, and maximum-packet-length truncates each mirrored copy to that many bytes. The values above therefore deliver a sample of the filtered flows, with long packets cut short. If the monitoring device needs every packet of the matched flows (for example, during an incident investigation), use rate 1 and a maximum-packet-length large enough to carry the full packet.
Mirrored Destination Configuration
[edit interfaces]
xe-2/0/2 {
    vlan-tagging;
    encapsulation extended-vlan-bridge;
    unit 0 {
        vlan-id 600;
    }
}
[edit bridge-domains]
bd {
    domain-type bridge;
    interface xe-2/0/2.0;
}