Configuring MPLS Firewall Filters and Policers on Switches
You can configure firewall filters to filter MPLS traffic. To use an MPLS firewall filter, you must first configure the filter and then apply it to an interface you have configured for forwarding MPLS traffic. You can also configure a policer for the MPLS filter to police (that is, rate-limit) the traffic on the interface to which the filter is attached.
When you configure an MPLS firewall filter, you define the filtering criteria (terms, with match conditions) and an action for the switch to take if the packets match the filtering criteria.
You can only configure MPLS filters in the ingress direction. Egress MPLS firewall filters are not supported.
Configuring an MPLS Firewall Filter
To configure an MPLS firewall filter:
Applying an MPLS Firewall Filter to an MPLS Interface
To apply the MPLS firewall filter to an interface you have configured for forwarding MPLS traffic (using the family mpls statement at the [edit interfaces interface-name unit unit-number] hierarchy level):
You can apply firewall filters only to filter MPLS packets that enter an interface.
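The following is an added example, not configuration from the original page: an ingress family mpls filter on a transit interface whose first term sends traffic with EXP value 5 to a two-color policer and counts it, and whose final term counts and accepts everything else. The interface name (xe-0/0/1), the filter, term, policer and counter names, and the rates are assumed values; the exp match condition is assumed to be available for family mpls filters on the platform in use.

```junos
/* Added example (not from the original page). Interface, names and rates are
 * assumed values. MPLS filters can only be applied in the input direction. */
interfaces {
    xe-0/0/1 {
        unit 0 {
            family mpls {
                filter {
                    input mpls-in;      /* ingress only; no egress MPLS filters */
                }
            }
        }
    }
}
firewall {
    /* Two-color policer: traffic above 10 Mbps (100 KB burst) is dropped. */
    policer mpls-exp5-10m {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }
        then discard;
    }
    family mpls {
        filter mpls-in {
            term police-exp5 {
                from {
                    exp 5;          /* assumed: match on the top label's EXP bits */
                }
                then {
                    policer mpls-exp5-10m;
                    count exp5-policed;
                    accept;
                }
            }
            /* Without this term, unmatched packets hit the implicit discard. */
            term allow-rest {
                then {
                    count mpls-other;
                    accept;
                }
            }
        }
    }
}
```

The last term is deliberate: a Junos firewall filter discards any packet that matches no term, so a filter written only to police one class silently drops every other label value unless it ends with an explicit accept. The two counters give a quick way to confirm from show firewall output that traffic is landing in the intended term.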
Applying an MPLS Firewall Filter to a Loopback Interface
To apply an MPLS firewall filter to a loopback interface (lo0):
The following is an example configuration.
set groups lo_mpls_filter interfaces lo0 unit 0 family mpls filter input mpls_lo
set groups lo_mpls_filter firewall family mpls filter mpls_lo term mpls_lo_term from ttl 1
set groups lo_mpls_filter firewall family mpls filter mpls_lo term mpls_lo_term from ip-version ipv4 protocol udp source-port 10
set groups lo_mpls_filter firewall family mpls filter mpls_lo term mpls_lo_term from ip-version ipv4 protocol udp destination-port 11
set groups lo_mpls_filter firewall family mpls filter mpls_lo term mpls_lo_term then count c1
set groups lo_mpls_filter firewall family mpls filter mpls_lo term mpls_lo_term then accept
Configuring Policers for LSPs
Starting with Junos OS 13.2X51-D15, you can send traffic matched by an MPLS filter to a two-color policer or three-color policer. MPLS LSP policing allows you to control the amount of traffic forwarded through a particular LSP. Policing helps to ensure that the amount of traffic forwarded through an LSP never exceeds the requested bandwidth allocation. LSP policing is supported on regular LSPs, LSPs configured with DiffServ-aware traffic engineering, and multiclass LSPs. You can configure multiple policers for each multiclass LSP. For regular LSPs, each LSP policer is applied to all of the traffic traversing the LSP. The policer's bandwidth limitations become effective as soon as the total sum of traffic traversing the LSP exceeds the configured limit.
You configure the multiclass LSP and DiffServ-aware traffic engineering LSP policers in a filter. The filter can be configured to distinguish between the different class types and apply the relevant policer to each class type. The policers distinguish between class types based on the EXP bits.
You configure LSP policers under the family any filter. The family any filter is used because the policer is applied to traffic entering the LSP. This traffic might be from different families: IPv6, MPLS, and so on. You do not need to know what sort of traffic is entering the LSP, as long as the match conditions apply to all types of traffic.
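The following is an added example, not configuration from the original page: a family any filter that applies a separate two-color policer to each of two class types and is attached to an LSP. The LSP name, the egress address, the policer names and the rates are assumed values. The filter distinguishes class types by forwarding class, which assumes the EXP classifier maps the EXP bits onto the default Junos forwarding classes; the policing filter statement under label-switched-path is the Junos LSP policing attachment and its support should be verified for the platform in use.

```junos
/* Added example (not from the original page). LSP name, address, policer names
 * and rates are assumed. Per-class policing keys off the forwarding class that
 * the EXP classifier assigns, because a family any filter cannot look into
 * IPv4, IPv6 or MPLS header fields. */
firewall {
    /* Class type for expedited forwarding: hard limit, excess is dropped. */
    policer ef-20m {
        if-exceeding {
            bandwidth-limit 20m;
            burst-size-limit 200k;
        }
        then discard;
    }
    /* Class type for best effort: excess is kept but marked high loss priority. */
    policer be-50m {
        if-exceeding {
            bandwidth-limit 50m;
            burst-size-limit 500k;
        }
        then loss-priority high;
    }
    family any {
        filter lsp-police {
            term ef {
                from {
                    forwarding-class expedited-forwarding;
                }
                then policer ef-20m;
            }
            term be {
                from {
                    forwarding-class best-effort;
                }
                then policer be-50m;
            }
            /* Remaining classes pass unpoliced instead of hitting the implicit discard. */
            term rest {
                then accept;
            }
        }
    }
}
protocols {
    mpls {
        label-switched-path to-pe2 {
            to 192.0.2.2;           /* assumed egress; documentation address */
            policing {
                filter lsp-police;  /* assumed: LSP policing attachment statement */
            }
        }
    }
}
```

Because the filter is family any, the only per-packet information it can act on is what the ingress classifier has already derived (forwarding class and loss priority), which is why the class types are separated by forwarding class rather than by IP header fields. As with any Junos filter, the trailing accept term is what keeps class types that are not policed from being discarded.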
When configuring MPLS LSP policers, be aware of the following limitations:
LSP policers are supported for packet LSPs only.
LSP policers are supported for unicast next hops only. Multicast next hops are not supported.
The LSP policer runs before any output filters.
Traffic sourced from the Routing Engine (for example, ping traffic) does not take the same forwarding path as transit traffic. This type of traffic cannot be policed.