Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configuring MPLS Firewall Filters and Policers on Switches

You can configure firewall filters to filter MPLS traffic. To use an MPLS firewall filter, you must first configure the filter and then apply it to an interface you have configured for forwarding MPLS traffic. You can also configure a policer for the MPLS filter to police (that is, rate-limit) the traffic on the interface to which the filter is attached.

When you configure an MPLS firewall filter, you define the filtering criteria (terms, with match conditions) and an action for the switch to take if the packets match the filtering criteria.


You can only configure MPLS filters in the ingress direction. Egress MPLS firewall filters are not supported.

Configuring an MPLS Firewall Filter

To configure an MPLS firewall filter:

  1. Configure the filter name, term name, and at least one match condition—for example, match on MPLS packets with EXP bits set to either 0 or 4:
  2. In each firewall filter term, specify the actions to take if the packet matches all the conditions in that term—for example, count MPLS packets with EXP bits set to either 0 or 4:
  3. When you are finished, follow the steps below to apply the filter to an interface.

Applying an MPLS Firewall Filter to an MPLS Interface

To apply the MPLS firewall filter to an interface you have configured for forwarding MPLS traffic (using the family mpls statement at the [edit interfaces interface-name unit unit-number] hierarchy level):


You can apply firewall filters only to filter MPLS packets that enter an interface.

  1. Apply the firewall filter to an MPLS interface—for example, apply the firewall filter to interface xe-0/0/5:
  2. Review your configuration and issue the commit command:

Applying an MPLS Firewall Filter to a Loopback Interface

To apply an MPLS firewall filter to a loopback interface (lo0):

  1. First, specify the packet format by using the packet-format-match command. You must restart the PFE every time you configure this command.
  2. Configure the firewall filter match conditions and actions as described in Configuring an MPLS Firewall Filter. You must explicitly set the TTL match condition to (ttl=1). You can also match packets with other MPLS qualifiers such as label, exp, and Layer 4 source port, and destination port.
  3. Apply the filter to the loopback interface as an input filter.
  4. Review your configuration and issue the commit command:

The following is an example configuration.

Configuring Policers for LSPs

Starting with Junos OS 13.2X51-D15, you can send traffic matched by an MPLS filter to a two-color policer or three-color policer. MPLS LSP policing allows you to control the amount of traffic forwarded through a particular LSP. Policing helps to ensure that the amount of traffic forwarded through an LSP never exceeds the requested bandwidth allocation. LSP policing is supported on regular LSPs, LSPs configured with DiffServ-aware traffic engineering, and multiclass LSPs. You can configure multiple policers for each multiclass LSP. For regular LSPs, each LSP policer is applied to all of the traffic traversing the LSP. The policer's bandwidth limitations become effective as soon as the total sum of traffic traversing the LSP exceeds the configured limit.

You configure the multiclass LSP and DiffServ-aware traffic engineering LSP policers in a filter. The filter can be configured to distinguish between the different class types and apply the relevant policer to each class type. The policers distinguish between class types based on the EXP bits.

You configure LSP policers under the family any filter. The family any filter is used because the policer is applied to traffic entering the LSP. This traffic might be from different families: IPv6, MPLS, and so on. You do not need to know what sort of traffic is entering the LSP, as long as the match conditions apply to all types of traffic.

When configuring MPLS LSP policers, be aware of the following limitations:

  • LSP policers are supported for packet LSPs only.

  • LSP policers are supported for unicast next hops only. Multicast next hops are not supported.

  • The LSP policer runs before any output filters.

  • Traffic sourced from the Routing Engine (for example, ping traffic) does not take the same forwarding path as transit traffic. This type of traffic cannot be policed.