Defining a VPLS Firewall Filter
You can configure filters, policers, and broadcast and unknown filters to determine which kind of traffic is allowed into and out of a VPLS domain. You can apply these filters and policers to CE-facing interfaces only.
To process traffic as it exits a VPLS domain, you can define
a firewall filter and apply it to the output interface. To configure
match conditions for a firewall filter, include the interface-group, source-mac-address, destination-mac-address, ethernet-type, or vlan-ethernet-type statements
at the [edit firewall family vpls filter filter-name term term-name from] hierarchy level.
Then, implement the desired action (for example, discard) for the traffic at the [edit firewall family vpls filter filter-name term term-name then] hierarchy level. To apply the filter to a CE-facing interface, include
the input, output, or group statements
at the [edit interfaces interface-name unit unit-number family vpls filter] hierarchy level.
[edit]
interfaces {
fe-2/1/1 {
vlan-tagging;
mtu 1544;
encapsulation vlan-vpls;
unit 0 {
encapsulation vlan-vpls;
vlan-id 600;
family vpls {
filter {
output vpls-out-filter;
}
}
}
}
}
firewall {
family vpls {
filter vpls-out-filter {
interface-specific;
term 1 {
from {
source-mac-address {
00.10.10.10.11.18/48;
}
}
then {
count count.ce2;
accept;
}
}
term 2 {
then accept;
}
}
}
}
Output filters do not work for broadcast, multicast, and unknown unicast traffic.
If an IRB interface is configured as part of a VPLS routing instance, VPLS filters might not filter packets that are destined to the IRB interface. This can be configured by installing filters that match Layer 3 fields for the the IRB interface.
If you apply a firewall filter to discard a source MAC address, the MAC address is not deleted from the MAC address table.