Defining a VPLS Firewall Filter
You can configure filters, policers, and broadcast and unknown filters to determine which kind of traffic is allowed into and out of a VPLS domain. You can apply these filters and policers to CE-facing interfaces only.
To process traffic as it exits a VPLS domain, you can define a firewall filter and apply it to the output interface. To configure match conditions for a firewall filter, include the interface-group, source-mac-address, destination-mac-address, ethernet-type, or vlan-ethernet-type statements at the [edit firewall family vpls filter filter-name term term-name from] hierarchy level.
Then, implement the desired action (for example, discard) for the traffic at the [edit firewall family vpls filter filter-name term term-name then] hierarchy level. To apply the filter to a CE-facing interface, include the input, output, or group statements at the [edit interfaces interface-name unit unit-number family vpls filter] hierarchy level.
[edit]
interfaces {
    fe-2/1/1 {
        vlan-tagging;
        mtu 1544;
        encapsulation vlan-vpls;
        unit 0 {
            encapsulation vlan-vpls;
            vlan-id 600;
            family vpls {
                filter {
                    output vpls-out-filter;
                }
            }
        }
    }
}
firewall {
    family vpls {
        filter vpls-out-filter {
            interface-specific;
            term 1 {
                from {
                    source-mac-address {
                        00.10.10.10.11.18/48;
                    }
                }
                then {
                    count count.ce2;
                    accept;
                }
            }
            term 2 {
                then accept;
            }
        }
    }
}
Output filters do not work for broadcast, multicast, and unknown unicast traffic.
If an IRB interface is configured as part of a VPLS routing instance, VPLS filters might not filter packets that are destined to the IRB interface. To filter such packets, install filters that match Layer 3 fields on the IRB interface.
If you apply a firewall filter to discard a source MAC address, the MAC address is not deleted from the MAC address table.
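An ingress counterpart to the configuration above, added here as an example and not taken from the Juniper documentation: the interface ge-1/0/0, the filter name vpls-in-filter, the counter rogue-source and the interface group 10 are all chosen for illustration. Because this filter is applied with input rather than output, it is also evaluated for broadcast and unknown unicast frames, and the discard term counts the frames it drops so the rogue source stays visible even though its entry remains in the MAC address table.

```junos
interfaces {
    ge-1/0/0 {
        vlan-tagging;
        encapsulation vlan-vpls;
        unit 0 {
            encapsulation vlan-vpls;
            vlan-id 600;
            family vpls {
                filter {
                    /* ingress filter, so broadcast and unknown unicast are also evaluated */
                    input vpls-in-filter;
                    /* interface group number referenced by the interface-group match below */
                    group 10;
                }
            }
        }
    }
}
firewall {
    family vpls {
        filter vpls-in-filter {
            interface-specific;
            /* drop and count frames from the constructed rogue source MAC on group-10 CE ports */
            term drop-rogue-source {
                from {
                    interface-group 10;
                    source-mac-address {
                        00.10.10.10.11.18/48;
                    }
                }
                then {
                    count rogue-source;
                    discard;
                }
            }
            /* everything else from the CE enters the VPLS domain */
            term default-accept {
                then accept;
            }
        }
    }
}
```

Dropped frames are visible with show firewall filter vpls-in-filter-ge-1/0/0.0-i, since interface-specific appends the interface name and direction to the counter.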