Configuring Firewall Filters and Policers for VPLS
You can configure both firewall filters and policers for VPLS. Firewall filters allow you to filter packets based on their components and to perform an action on packets that match the filter. Policers allow you to limit the amount of traffic that passes into or out of an interface.
VPLS filters and policers act on a Layer 2 frame that includes the media access control (MAC) header (after any VLAN rewrite or other rules are applied) but does not include the cyclic redundancy check (CRC) field.
You can apply VPLS filters and policers on the PE router to customer-facing interfaces only.
In the VPLS documentation, the word router in terms such as PE router is used to refer to any device that provides routing functions.
The way firewall filters interact with MAC learning differs between DPCs and MPCs. On MPCs, interface filters are always applied before MAC learning occurs, and the input forwarding table filter is applied after MAC learning is completed. On DPCs, MAC learning occurs independently of the application of filters. As a result, if the CE-facing interface of the PE on which the firewall filter is applied is on an MPC, the MAC entry times out and is never relearned. If the CE-facing interface is on a DPC, the MAC entry does not time out, and if the MAC address entry is cleared manually, it is relearned.
The following sections explain how to configure filters and policers for VPLS:
Configuring a VPLS Filter
To configure a filter for VPLS, include the filter statement at the [edit firewall family vpls] hierarchy level:
[edit firewall family vpls]
filter filter-name {
    interface-specific;
    term term-name {
        from {
            match-conditions;
        }
        then {
            actions;
        }
    }
}
For more information about how to configure firewall filters, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide. For information on how to configure a VPLS filter match condition, see Firewall Filter Match Conditions for VPLS Traffic.
To configure a filter for VPLS traffic, complete the following tasks:
- Configuring an Interface-Specific Counter for VPLS
- Configuring an Action for the VPLS Filter
- Configuring VPLS FTFs
- Changing Precedence for Spanning-Tree BPDU Packets
- Applying a VPLS Filter to an Interface
- Applying a VPLS Filter to a VPLS Routing Instance
- Configuring a Filter for Flooded Traffic
Configuring an Interface-Specific Counter for VPLS
When you configure a firewall filter for VPLS and apply it to multiple interfaces, you can specify individual counters specific to each interface. This allows you to collect separate statistics on the traffic transiting each interface.
To generate an interface-specific counter for VPLS, you configure the interface-specific statement. A separate instantiation of the filter is generated for each interface. This filter instance has a different name (based on the interface name) and collects statistics only on the specified interface.
To configure interface-specific counters, include the interface-specific statement at the [edit firewall family vpls filter filter-name] hierarchy level:
[edit firewall family vpls filter filter-name]
interface-specific;
The counter name is restricted to 24 bytes. If the renamed counter exceeds this maximum length, it might be rejected.
Configuring an Action for the VPLS Filter
You can configure the following actions for a VPLS filter at the [edit firewall family vpls filter filter-name term term-name then] hierarchy level: accept, count, discard, forwarding-class, loss-priority, next, and policer.
Configuring VPLS FTFs
Forwarding table filters (FTFs) are filters configured for forwarding tables. For VPLS, they are attached to the destination MAC (DMAC) forwarding table of the VPLS routing instance. You define VPLS FTFs in the same manner as any other type of FTF. You can only apply a VPLS FTF as an input filter.
To specify a VPLS FTF, include the filter input statement at the [edit routing-instances routing-instance-name forwarding-options family vpls] hierarchy level:
[edit routing-instances routing-instance-name forwarding-options family vpls]
filter input filter-name;
Changing Precedence for Spanning-Tree BPDU Packets
Spanning-tree BPDU packets are automatically set to a high precedence: the queue number on these packets is set to 3. On M Series routers (except the M320 router), a queue value of 3 indicates high precedence by default. To enable this higher precedence on BPDU packets, an instance-specific BPDU precedence filter named default_bpdu_filter is automatically attached to the VPLS DMAC table. This filter places a high precedence on all packets sent to 01:80:c2:00:00:00/24.
You can overwrite this filter by configuring a VPLS FTF filter and applying it to the VPLS routing instance. For more information, see Configuring VPLS FTFs and Applying a VPLS Filter to a VPLS Routing Instance.
Applying a VPLS Filter to an Interface
To apply a VPLS filter to an interface, include the filter statement:
filter {
    group index;
    input input-filter-name;
    output output-filter-name;
}
You can include this statement at the following hierarchy levels:
[edit interfaces interface-name unit number family vpls]
[edit logical-systems logical-system-name interfaces interface-name unit number family vpls]
ACX Series routers do not support the [edit logical-systems] hierarchy.
In the input statement, list the name of the VPLS filter to be evaluated when packets are received on the interface. In the output statement, list the name of the VPLS filter to be evaluated when packets are transmitted on the interface.
For output interface filters, MAC addresses are learned after the filter action is completed. When an output interface filter's action is discard, the packet is dropped before the MAC address is learned. An input interface filter, however, learns the MAC address before discarding the packet.
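The following worked configuration is an added example, not part of the Junos documentation; it brings together the interface-specific counter, the filter actions, and the interface application described above. The interface names ge-0/0/1 and ge-0/0/2, the filter and counter names, and the blocked source MAC address are constructed, and the units are assumed to be already configured for VPLS and placed in a VPLS routing instance.

```junos
firewall {
    family vpls {
        filter vpls-ce-in {
            /* one filter instance, and one counter, per interface the filter is applied to */
            interface-specific;
            term block-host {
                from {
                    /* constructed example: MAC address of one misbehaving CE host */
                    source-mac-address 00:10:94:00:00:01/48;
                }
                then {
                    /* the instance counter is renamed with the interface name; keep the
                       base name short so the 24-byte limit is not exceeded */
                    count blocked;
                    /* input interface filter: the source MAC is still learned before the drop */
                    discard;
                }
            }
            term permit {
                /* a filter ends with an implicit discard, so accept everything else explicitly */
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family vpls {
                filter {
                    input vpls-ce-in;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family vpls {
                filter {
                    input vpls-ce-in;
                }
            }
        }
    }
}
```

Because interface-specific is set, show firewall lists one instance of the filter per interface, named with an interface-derived suffix (for example vpls-ce-in-ge-0/0/1.0-i), each carrying its own blocked counter.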
Applying a VPLS Filter to a VPLS Routing Instance
You can apply a VPLS filter to a VPLS routing instance. The filter checks traffic passing through the specified routing instance.
Input routing instance filters learn the MAC address before the filter action is completed, so if the filter action is discard, the MAC address is learned before the packet is dropped.
To apply a VPLS filter to packets arriving at a VPLS routing instance and specify the filter, include the filter input statement at the [edit routing-instances routing-instance-name forwarding-options family vpls] hierarchy level:
[edit routing-instances routing-instance-name forwarding-options family vpls]
filter input input-filter-name;
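As an added example (not from the original documentation), the following FTF is applied to the DMAC table of a VPLS routing instance. Because an FTF overwrites the automatically attached default_bpdu_filter, it restates the BPDU term so that spanning-tree frames keep their high precedence, and it ends with an explicit accept so that the filter's implicit discard does not drop all other traffic. The filter, counter, and routing-instance names (cust-a) are constructed; network-control is the default Junos forwarding class that maps to queue 3.

```junos
firewall {
    family vpls {
        /* Input FTF for the VPLS DMAC table. Applying it overwrites
           default_bpdu_filter, so the BPDU precedence term is restated here. */
        filter vpls-dmac-ftf {
            term bpdu {
                from {
                    destination-mac-address 01:80:c2:00:00:00/24;
                }
                then {
                    count bpdu;
                    /* keeps BPDUs in the high-precedence queue (queue 3) */
                    forwarding-class network-control;
                    accept;
                }
            }
            term rest {
                /* without this term the implicit discard would drop every other frame;
                   the MAC address is learned before any input FTF action is applied */
                then {
                    count dmac-lookups;
                    accept;
                }
            }
        }
    }
}
routing-instances {
    cust-a {
        /* instance-type vpls and the VPLS protocol settings are assumed to be configured already */
        forwarding-options {
            family vpls {
                filter {
                    input vpls-dmac-ftf;
                }
            }
        }
    }
}
```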
Configuring a Filter for Flooded Traffic
You can configure a VPLS filter to filter flooded packets. CE routers typically flood the following types of packets to PE routers in VPLS routing instances:
- Layer 2 broadcast packets
- Layer 2 multicast packets
- Layer 2 unicast packets with an unknown destination MAC address
- Layer 2 packets with a MAC entry in the DMAC routing table
You can configure filters to manage how these flooded packets are distributed to the other PE routers in the VPLS routing instance.
To apply a flooding filter to packets arriving at the PE router in the VPLS routing instance and specify the filter, include the flood input statement:
flood input filter-name;
You can include this statement at the following hierarchy levels:
[edit routing-instances routing-instance-name forwarding-options family vpls]
[edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options family vpls]
ACX Series routers do not support the [edit logical-systems] hierarchy.
Configuring a VPLS Policer
You can configure a policer for VPLS traffic. The VPLS policer configuration is similar to the configuration of any other type of policer.
VPLS policers have the following characteristics:
- You cannot police the default VPLS routes stored in the flood table from PE router–sourced flood traffic.
- When specifying policing bandwidth, the VPLS policer considers all Layer 2 bytes in a packet to determine the packet length.
To configure a VPLS policer, include the policer statement at the [edit firewall] hierarchy level:
[edit firewall]
policer policer-name {
    if-exceeding {
        bandwidth-limit limit;
        burst-size-limit limit;
    }
    then action;
}
To apply a VPLS policer to an interface, include the policer statement:
policer {
    input input-policer-name;
    output output-policer-name;
}
You can include this statement at the following hierarchy levels:
[edit interfaces interface-name unit number family vpls]
[edit logical-systems logical-system-name interfaces interface-name unit number family vpls]
ACX Series routers do not support the [edit logical-systems] hierarchy.
In the input statement, list the name of the VPLS policer to be evaluated when packets are received on the interface. In the output statement, list the name of the VPLS policer to be evaluated when packets are transmitted on the interface. This type of VPLS policer can only apply to unicast packets. For information about how to filter flood packets, see Configuring a Filter for Flooded Traffic.
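The following added example (not from the original documentation) combines the two procedures above: an interface policer for unicast traffic on a CE-facing unit, and, because interface policers apply only to unicast packets, a flood filter that polices flooded frames through the policer filter action and is attached with flood input on the routing instance. The policer, filter, interface, and routing-instance names and the rate values are constructed, and the unit is assumed to be already configured for VPLS.

```junos
firewall {
    policer ce-unicast-10m {
        /* limits are measured on all Layer 2 bytes of each frame (MAC header included, CRC excluded) */
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 125k;
        }
        then discard;
    }
    policer flood-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family vpls {
        /* flood filter: the interface policer below sees unicast only, so broadcast,
           multicast and unknown-unicast frames from the CE are rate-limited here */
        filter vpls-flood-limit {
            term limit-flood {
                then {
                    policer flood-1m;
                    count flooded;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family vpls {
                policer {
                    input ce-unicast-10m;
                    output ce-unicast-10m;
                }
            }
        }
    }
}
routing-instances {
    cust-a {
        forwarding-options {
            family vpls {
                flood {
                    input vpls-flood-limit;
                }
            }
        }
    }
}
```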