Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic

Matching on IPv4 or IPv6 Packet Header Fields in MPLS Traffic

To support network-based services in a core network, you can configure firewall filters that match IPv4 or IPv6 packet headers in MPLS traffic (family mpls). These filters can inspect the inner payload of MPLS packets with either a single label or up to five stacked labels.

The feature is not supported for the router or switch loopback interface (lo0), the router or switch management interface (fxp0 or em0), or USB modem interfaces (umd).

When using the ip-version match condition, the following additional match conditions become available.

IP Header Match Conditions for MPLS Traffic

Table 1 describes the match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ip-version] hierarchy level.

Table 1: IP Header Firewall Filter Match Conditions for MPLS Traffic
Match Condition	Description
`destination-address address`	Match the address of the destination node to receive the packet.
`destination-address address except`	Do not match the address of the destination node to receive the packet.
`destination-prefix-list name`	Match destination prefixes in specified list
`dscp value`	Match Differentiated Services code point (0-63)
`dscp-except value`	Exclude specified DSCP value
`fragment-flags value`	Match IPv4 fragment flags (DF, MF)
`is-fragment`	Match IPv4 fragmented packets
`next-header number`	Match IPv6 next header type (equivalent to IPv4 protocol)
`protocol number`	Match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): `ah` (51), `dstopts` (60), `egp` (8), `esp` (50), `fragment` (44), `gre` (47), `hop-by-hop` (0), `icmp` (1), `icmp6` (58), `icmpv6` (58), `igmp` (2), `ipip` (4), `ipv6` (41), `ospf` (89), `pim` (103), `rsvp` (46), `sctp` (132), `tcp` (6), `udp` (17), or `vrrp` (112).
`source-address address`	Match the address of the source node sending the packet.
`source-address address except`	Do not match the address of the source node sending the packet.
`source-prefix-list name`	Match source prefixes in specified list
`tcp-established`	Match established TCP connections (requires protocol tcp)
`tcp-initial`	Match initial TCP packets (requires protocol tcp)

IP Port Match Conditions for MPLS Traffic

Table 2 describes the port-specific match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ip-version protocol (udp | tcp)] hierarchy level.

Table 2: Port-Specific Firewall Filter Match Conditions for MPLS Traffic
Match Condition	Description
`destination-port number`	Match on the UDP or TCP destination port field. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): `afs` (1483), `bgp` (179), `biff` (512), `bootpc` (68), `bootps` (67), `cmd` (514), `cvspserver` (2401), `dhcp` (67), `domain` (53), `eklogin` (2105), `ekshell` (2106), `exec` (512), `finger` (79), `ftp` (21), `ftp-data` (20), `http` (80), `https` (443), `ident` (113), `imap` (143), `kerberos-sec` (88), `klogin` (543), `kpasswd` (761), `krb-prop` (754), `krbupdate` (760), `kshell` (544), `ldap` (389), `ldp` (646), `login` (513), `mobileip-agent` (434), `mobilip-mn` (435), `msdp` (639), `netbios-dgm` (138), `netbios-ns` (137), `netbios-ssn` (139), `nfsd` (2049), `nntp` (119), `ntalk` (518), `ntp` (123), `pop3` (110), `pptp` (1723), `printer` (515), `radacct` (1813), `radius` (1812), `rip` (520), `rkinit` (2108), `smtp` (25), `snmp` (161), `snmptrap` (162), `snpp` (444), `socks` (1080), `ssh` (22), `sunrpc` (111), `syslog` (514), `tacacs` (49), `tacacs-ds` (65), `talk` (517), `telnet` (23), `tftp` (69), `timed` (525), `who` (513), or `xdmcp` (177).
`destination-port-except number`	Do not match on the UDP or TCP destination port field. In place of the numeric value, you can specify one of the text synonyms listed with the `destination-port` match condition.
`source-port number`	Match on the TCP or UDP source port field. In place of the numeric field, you can specify one of the text synonyms listed under `destination-port`.
`source-port-except number`	Do not match on the TCP or UDP source port field.

ICMP Match Conditions for MPLS Traffic

Describes the ICMP-specific match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ip-version protocol icmp] hierarchy level for IPv4 or next-header icmpv6 for IPv6.

Table 3: ICMP Match Conditions for MPLS Traffic
Match Condition	Description
`icmp-code number`	Match ICMP message code (0-255)
`icmp-type number`	Match ICMP message type (0-255)

Interface Match Conditions for MPLS Traffic

Table 4 describes the interface-specific match-conditions you can configure at the [edit firewall family mpls filter filter-name term term-name] hierarchy level.

Table 4: Interface-specific Firewall Filter Match Conditions for MPLS Traffic
Match Condition	Description
`interface-group interface-device name \| unit-list`	Match the interface group. Options are: interface-device name - Name of the interface device. Only Ethernet devices are allowed. The device interface name includes `ge, ae, xe and et.` unit-list - One or more logical interface unit numbers. Range: A string in the range <0-16385> or <0-16385>-<0-16385>. For example, `unit-list`[12 23-33 44]

Configuration Example

Usage Notes

ip-version must be specified before using IP header match conditions
Port match conditions require explicit protocol definition (tcp/udp)
ICMP conditions require protocol icmp (IPv4) or next-header icmpv6 (IPv6)
Supports MPLS packets with 1-5 label stacks
IPv4 and IPv6 match conditions cannot be mixed in the same term
All match conditions evaluate inner payload of MPLS packets

ON THIS PAGE