Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Defining a VPLS Firewall Filter

You can configure filters, policers, and broadcast and unknown filters to determine which kind of traffic is allowed into and out of a VPLS domain. You can apply these filters and policers to CE-facing interfaces only.

To process traffic as it exits a VPLS domain, you can define a firewall filter and apply it to the output interface. To configure match conditions for a firewall filter, include the interface-group, source-mac-address, destination-mac-address, ethernet-type, or vlan-ethernet-type statements at the [edit firewall family vpls filter filter-name term term-name from] hierarchy level. Then, implement the desired action (for example, discard) for the traffic at the [edit firewall family vpls filter filter-name term term-name then] hierarchy level. To apply the filter to a CE-facing interface, include the input, output, or group statements at the [edit interfaces interface-name unit unit-number family vpls filter] hierarchy level.

  • Output filters do not work for broadcast, multicast, and unknown unicast traffic.

  • If an IRB interface is configured as part of a VPLS routing instance, VPLS filters might not filter packets that are destined to the IRB interface. This can be configured by installing filters that match Layer 3 fields for the the IRB interface.

  • If you apply a firewall filter to discard a source MAC address, the MAC address is not deleted from the MAC address table.