Configuring Firewall Filters and Policers for VPLS

You can configure both firewall filters and policers for VPLS. Firewall filters allow you to filter packets based on their components and to perform an action on packets that match the filter. Policers allow you to limit the amount of traffic that passes into or out of an interface.

VPLS filters and policers act on the Layer 2 frame, including the media access control (MAC) header (after any VLAN rewrite or other rules have been applied) but excluding the cyclic redundancy check (CRC) field.

You can apply VPLS filters and policers on the PE router to customer-facing interfaces only.

Note:

In the VPLS documentation, the word router in terms such as PE router is used to refer to any device that provides routing functions.

Note:

The way firewall filters interact with MAC learning differs between DPCs and MPCs. On MPCs, interface filters are always applied before MAC learning occurs, and the input forwarding table filter is applied after MAC learning is completed. On DPCs, MAC learning occurs independently of the application of filters. This affects the source MAC entry of frames that a filter discards: if the CE-facing interface of the PE where the firewall filter is applied is on an MPC, the MAC entry times out and is never learned again, because the discarded frames never reach the learning stage. If the CE-facing interface is on a DPC, the MAC entry is not timed out, and if the entry is manually cleared, it is relearned.

The following sections explain how to configure filters and policers for VPLS:

Configuring a VPLS Filter

To configure a filter for VPLS, include the filter statement at the [edit firewall family vpls] hierarchy level:

For more information about how to configure firewall filters, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide. For information on how to configure a VPLS filter match condition, see Firewall Filter Match Conditions for VPLS Traffic.

To configure a filter for VPLS traffic, complete the tasks described in the following sections:

Configuring an Interface-Specific Counter for VPLS

When you configure a firewall filter for VPLS and apply it to multiple interfaces, you can specify individual counters specific to each interface. This allows you to collect separate statistics on the traffic transiting each interface.

To generate an interface-specific counter for VPLS, you configure the interface-specific statement. A separate instantiation of the filter is generated. This filter instance has a different name (based on the interface name) and collects statistics on the interface specified only.

To configure interface-specific counters, include the interface-specific statement at the [edit firewall family vpls filter filter-name] hierarchy level:

Note:

The counter name is restricted to 24 bytes. Because an interface-specific counter is renamed with the interface name appended, keep the configured counter name short enough that the renamed counter stays within this limit; otherwise it might be rejected.

Configuring an Action for the VPLS Filter

You can configure the following actions for a VPLS filter at the [edit firewall family vpls filter filter-name term term-name then] hierarchy level: accept, count, discard, forwarding-class, loss-priority, next term, policer.
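As an added example (not configuration from the Junos documentation), the following [edit firewall family vpls] filter combines the interface-specific counters and the actions described above. The filter name, term and counter names, the gateway MAC address, the choice of forwarding class and the scenario in the comments are all assumptions for illustration:

```junos
firewall {
    family vpls {
        filter ce-ingress {
            /* One instance of the filter, with its own counters, per interface it is applied to */
            interface-specific;
            /* Assumed scenario: 00:10:db:ff:10:01 is the customer's gateway MAC at another site.
               A host on this CE interface sourcing frames with that MAC is spoofing it,
               so those frames are counted and dropped */
            term drop-spoofed-gateway {
                from {
                    source-mac-address {
                        00:10:db:ff:10:01/48;
                    }
                }
                then {
                    count spoof-gw;
                    discard;
                }
            }
            /* ARP is placed in the network-control forwarding class and then
               evaluated by the next term rather than being accepted here */
            term classify-arp {
                from {
                    ether-type arp;
                }
                then {
                    forwarding-class network-control;
                    next term;
                }
            }
            /* Everything else is counted, marked with low loss priority and accepted */
            term accept-rest {
                then {
                    count accepted;
                    loss-priority low;
                    accept;
                }
            }
        }
    }
}
```

With interface-specific configured, applying this filter as an input filter on an assumed interface ge-0/0/1.100 creates the instance ce-ingress-ge-0/0/1.100-i, and its counters are renamed the same way, for example spoof-gw-ge-0/0/1.100-i. That renamed counter is 23 bytes, just inside the 24-byte limit noted above; a longer base name such as spoofed-gateway would be rejected once the interface name is appended.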

Configuring VPLS FTFs

Forwarding table filters (FTFs) are filters configured for forwarding tables. For VPLS, they are attached to the destination MAC (DMAC) forwarding table of the VPLS routing instance. You define VPLS FTFs in the same manner as any other type of FTF. You can only apply a VPLS FTF as an input filter.

To specify a VPLS FTF, include the filter input statement at the [edit routing-instances routing-instance-name forwarding-options family vpls] hierarchy level:

Changing Precedence for Spanning-Tree BPDU Packets

Spanning tree BPDU packets are automatically set to a high precedence: their queue number is set to 3, and by default on M Series routers (except the M320 router) a queue value of 3 indicates high precedence. To apply this higher precedence, an instance-specific BPDU precedence filter named default_bpdu_filter is automatically attached to the VPLS DMAC table. This filter places a high precedence on all packets sent to 01:80:c2:00:00:00/24.

You can override this filter by configuring a VPLS FTF and applying it to the VPLS routing instance. For more information, see Configuring VPLS FTFs and Applying a VPLS Filter to a VPLS Routing Instance.

Applying a VPLS Filter to an Interface

To apply a VPLS filter to an interface, include the filter statement:

You can include this statement at the following hierarchy levels:

  • [edit interfaces interface-name unit number family vpls]

  • [edit logical-systems logical-system-name interfaces interface-name unit number family vpls]

Note:

ACX Series routers do not support the [edit logical-systems] hierarchy.

In the input statement, list the name of the VPLS filter to be evaluated when packets are received on the interface. In the output statement, list the name of the VPLS filter to be evaluated when packets are transmitted on the interface.

Note:

For output interface filters, MAC addresses are learned after the filter action is completed. When an output interface filter’s action is discard, the packet is dropped before the MAC address is learned. However, an input interface filter learns the MAC address before discarding the packet.
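As an added example (not configuration from the Junos documentation), the following applies an input and an output VPLS filter to a customer-facing interface. The interface name, VLAN ID and encapsulation are assumptions, and the filters ce-ingress and ce-egress are assumed to already exist under [edit firewall family vpls]:

```junos
interfaces {
    ge-0/0/1 {
        /* Assumed CE-facing interface carrying a single VLAN-tagged VPLS service */
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 100 {
            encapsulation vlan-vpls;
            vlan-id 100;
            family vpls {
                filter {
                    /* Evaluated on frames received from the CE. Per the note above, a discard
                       here still lets the source MAC be learned on this interface */
                    input ce-ingress;
                    /* Evaluated on frames transmitted toward the CE. A discard here drops the
                       frame before its MAC address is learned */
                    output ce-egress;
                }
            }
        }
    }
}
```

Once committed, the interface-specific instances can be inspected with show firewall filter ce-ingress-ge-0/0/1.100-i and show firewall filter ce-egress-ge-0/0/1.100-o (assuming both filters were configured with interface-specific); without that statement, the counters are shared across every interface that uses the filter.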

Applying a VPLS Filter to a VPLS Routing Instance

You can apply a VPLS filter to a VPLS routing instance. The filter checks traffic passing through the specified routing instance.

Input routing instance filters learn the MAC address before the filter action is completed, so if the filter action is discard, the MAC address is learned before the packet is dropped.

To apply a VPLS filter to packets arriving at a VPLS routing instance and specify the filter, include the filter input statement at the [edit routing-instances routing-instance-name forwarding-options family vpls] hierarchy level:

Configuring a Filter for Flooded Traffic

You can configure a VPLS filter to filter flooded packets. CE routers typically flood the following types of packets to PE routers in VPLS routing instances:

  • Layer 2 broadcast packets

  • Layer 2 multicast packets

  • Layer 2 unicast packets with an unknown destination MAC address

  • Layer 2 packets with a MAC entry in the DMAC routing table

You can configure filters to manage how these flooded packets are distributed to the other PE routers in the VPLS routing instance.

To apply a flooding filter to packets arriving at the PE router in the VPLS routing instance, and specify the filter, include the flood input statement:

You can include this statement at the following hierarchy levels:

  • [edit routing-instances routing-instance-name forwarding-options family vpls]

  • [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options family vpls]

Note:

ACX Series routers do not support the [edit logical-systems] hierarchy.
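As an added example covering the three preceding sections (not configuration from the Junos documentation), the following defines a VPLS FTF that overrides default_bpdu_filter, defines a flood filter that rate-limits broadcast and unknown-unicast flooding, and attaches both to a VPLS routing instance. The instance name, interface, filter and policer names, counter names, rates and the choice of forwarding class are assumptions, and the VPLS signaling configuration of the instance is omitted:

```junos
firewall {
    family vpls {
        /* FTF attached to the instance's DMAC table. Because a configured FTF replaces the
           automatic default_bpdu_filter, the BPDU precedence must be restated here */
        filter cust-a-ftf {
            term bpdu-precedence {
                from {
                    destination-mac-address {
                        01:80:c2:00:00:00/24;
                    }
                }
                then {
                    count bpdu;
                    forwarding-class network-control;
                    accept;
                }
            }
            term accept-rest {
                then accept;
            }
        }
        /* Flood filter: evaluated on frames the instance would flood to the other PEs.
           PE-sourced flood traffic (the default flood routes) cannot be policed this way */
        filter cust-a-flood {
            term limit-broadcast {
                from {
                    traffic-type broadcast;
                }
                then {
                    count bcast;
                    policer flood-1m;
                }
            }
            term limit-unknown-unicast {
                from {
                    traffic-type unknown-unicast;
                }
                then {
                    count unknown-ucast;
                    policer flood-1m;
                }
            }
            term accept-rest {
                then {
                    count other-flood;
                    accept;
                }
            }
        }
    }
    /* Assumed storm-control budget for flooded traffic of the instance */
    policer flood-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 10k;
        }
        then discard;
    }
}
routing-instances {
    cust-a {
        instance-type vpls;
        interface ge-0/0/1.100;
        /* route-distinguisher, vrf-target and protocols vpls omitted from this example */
        forwarding-options {
            family vpls {
                filter {
                    input cust-a-ftf;
                }
                flood {
                    input cust-a-flood;
                }
            }
        }
    }
}
```

The FTF is an input filter only, and as noted above its discard action takes effect after the source MAC has been learned. Multicast is deliberately left unpoliced in the flood filter so that the accept-rest term still counts it separately; a term with traffic-type multicast can be added on the same pattern if the customer's multicast volume needs a budget as well.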

Configuring a VPLS Policer

You can configure a policer for VPLS traffic. The VPLS policer configuration is similar to the configuration of any other type of policer.

VPLS policers have the following characteristics:

  • You cannot police the default VPLS routes stored in the flood table from PE router–sourced flood traffic.

  • When specifying policing bandwidth, the VPLS policer considers all Layer 2 bytes in a packet to determine the packet length.

To configure a VPLS policer, include the policer statement at the [edit firewall] hierarchy level:

To apply a VPLS policer to an interface, include the policer statement:

You can include this statement at the following hierarchy levels:

  • [edit interfaces interface-name unit number family vpls]

  • [edit logical-systems logical-system-name interfaces interface-name unit number family vpls]

Note:

ACX Series routers do not support the [edit logical-systems] hierarchy.

In the input statement, list the name of the VPLS policer to be evaluated when packets are received on the interface. In the output statement, list the name of the VPLS policer to be evaluated when packets are transmitted on the interface. This type of VPLS policer can only apply to unicast packets. For information about how to filter flood packets, see Configuring a Filter for Flooded Traffic.
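As an added example (not configuration from the Junos documentation), the following defines two VPLS policers under [edit firewall] and applies them directly to a customer-facing interface, one for received and one for transmitted unicast frames. The policer names, rates, interface and unit are assumptions:

```junos
firewall {
    /* Bandwidth is measured against the full Layer 2 frame, MAC header included, CRC excluded,
       so the limit is slightly stricter than the same figure measured at Layer 3 */
    policer ce-unicast-10m {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }
        then discard;
    }
    /* Variant that marks rather than drops: frames over the limit are sent on with high loss
       priority so the scheduler discards them first under congestion */
    policer ce-unicast-5m-mark {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 50k;
        }
        then loss-priority high;
    }
}
interfaces {
    ge-0/0/1 {
        unit 100 {
            family vpls {
                /* Interface policers act on unicast frames only. Broadcast, multicast and
                   unknown-unicast frames have to be policed through a flood filter on the
                   VPLS routing instance instead */
                policer {
                    input ce-unicast-10m;
                    output ce-unicast-5m-mark;
                }
            }
        }
    }
}
```

Because the interface policer ignores flooded frames, a customer port that is expected to generate broadcast storms needs both this stanza and a flood filter with a policer action on the routing instance; neither alone bounds the total traffic the CE can push into the VPLS domain.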