Firewall Filter Match Conditions for MPLS Traffic

You can configure a firewall filter with match conditions for MPLS traffic (family mpls).

The input-list filter-names and output-list filter-names statements for firewall filters for the mpls protocol family are supported on all interfaces except for management interfaces and internal Ethernet interfaces (fxp or em0), loopback interfaces (lo0), and USB modem interfaces (umd)
If you are applying an MPLS filter on a loopback interface, you can only filter on the label, exp, ttl=1, and Layer 4 tcp and udp port number fields. For TTL, you must explicitly specify ttl=1 under family mpls to match on TTL=1 packets. The only actions you can configure are accept, discard, and count. You can apply the filter only in the ingress direction.
You can apply inbound and outbound filters for MPLS family based on MPLS-tagged IPv4 and IPv6 parameters using inner payload match conditions, and enable selective port mirroring of MPLS traffic unto a monitoring device. For IP-based filtering, additional match conditions are available under the MPLS filter term from parameter, and to support port mirroring, additional actions (such as port-mirror and port-mirror-instance), are available under the filter term thenparameter.

Table 1 describes the match-conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from] hierarchy level.

Table 1: Firewall Filter Match Conditions for MPLS Traffic
Match Condition	Description
`apply-groups`	Specify which groups to inherit configuration data from. You can specify more than one group name. You must list them in order of inheritance priority. The configuration data in the first group takes priority over the data in subsequent groups.
`apply-groups-except`	Specify which groups not to inherit configuration data from. You can specify more than one group name.
`destination-port number`	Match on the UDP or TCP destination port field. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): `afs` (1483), `bgp` (179), `biff` (512), `bootpc` (68), `bootps` (67), `cmd` (514), `cvspserver` (2401), `dhcp` (67), `domain` (53), `eklogin` (2105), `ekshell` (2106), `exec` (512), `finger` (79), `ftp` (21), `ftp-data` (20), `http` (80), `https` (443), `ident` (113), `imap` (143), `kerberos-sec` (88), `klogin` (543), `kpasswd` (761), `krb-prop` (754), `krbupdate` (760), `kshell` (544), `ldap` (389), `ldp` (646), `login` (513), `mobileip-agent` (434), `mobilip-mn` (435), `msdp` (639), `netbios-dgm` (138), `netbios-ns` (137), `netbios-ssn` (139), `nfsd` (2049), `nntp` (119), `ntalk` (518), `ntp` (123), `pop3` (110), `pptp` (1723), `printer` (515), `radacct` (1813), `radius` (1812), `rip` (520), `rkinit` (2108), `smtp` (25), `snmp` (161), `snmptrap` (162), `snpp` (444), `socks` (1080), `ssh` (22), `sunrpc` (111), `syslog` (514), `tacacs` (49), `tacacs-ds` (65), `talk` (517), `telnet` (23), `tftp` (69), `timed` (525), `who` (513), or `xdmcp` (177).
`exp number`	Experimental (EXP) bit number or range of bit numbers in the MPLS header of a packet. For `number`, you can specify one or more values from 0 through 7 in binary, decimal or hexadecimal format, as given below: A single EXP bit—for example, `exp 3` Several EXP bits—for example, `exp 0,4` A range of EXP bits—for example, `exp [0-5]`. These values are not supported on filters applied to the loopback interface.
`exp-except number`	Do not match on the EXP bit number or range of bit numbers in the MPLS header. For `number`, you can specify one or more values from `0` through `7`.
`exp0 number`	Experimental (EXP) bit number or range of bit numbers in the TOS MPLS header of a packet. For `number`, you can specify one or more values from 0 through 7 in binary, decimal or hexadecimal format, as given below: A single EXP bit—for example, `exp0 3` Several EXP bits—for example, `exp0 0,4` A range of EXP bits—for example, `exp0 [0-5]`. These values are not supported on filters applied to the loopback interface.
`exp0-except number`	Do not match EXP bit number or range of bit numbers in the TOS MPLS header of a packet. For `number`, you can specify one or more values from 0 through 7 in binary, decimal or hexadecimal format, as given below: A single EXP bit—for example, `exp0-except 3` Several EXP bits—for example, `exp0-except 0,4` A range of EXP bits—for example, `exp0-except [0-5]`. These values are not supported on filters applied to the loopback interface.
`exp1 number`	Experimental (EXP) bit number or range of bit numbers in the MPLS header that is next to the TOS (top of stack) MPLS header. For `number`, you can specify one or more values from 0 through 7 in binary, decimal or hexadecimal format, as given below: A single EXP bit—for example, `exp1 3` Several EXP bits—for example, `exp1 0,4` A range of EXP bits—for example, `exp1 [0-5]`. These values are not supported on filters applied to the loopback interface.
`exp1-except number`	Do not match on the EXP bit number or range of bit numbers in the MPLS header next to the TOS MPLS header. For `number`, you can specify one or more values from 0 through 7 in binary, decimal or hexadecimal format, as given below: A single EXP bit—for example, `exp1-except 3` Several EXP bits—for example, `exp1-except 0,4` A range of EXP bits—for example, `exp1-except [0-5]`. These values are not supported on filters applied to the loopback interface.
`forwarding-class class`	Forwarding class. Specify `assured-forwarding`, `best-effort`, `expedited-forwarding`, or `network-control`.
`forwarding-class-except class`	Do not match on the forwarding class. Specify `assured-forwarding`, `best-effort`, `expedited-forwarding`, or `network-control`.
`interface interface-name`	Interface on which the packet was received. You can configure a match condition that matches packets based on the interface on which they were received. Note: If you configure this match condition with an interface that does not exist, the term does not match any packet.
`interface-set interface-set-name`	Match the interface on which the packet was received to the specified interface set. To define an interface set, include the `interface-set` statement at the `[edit firewall]` hierarchy level. For more information, see Filtering Packets Received on an Interface Set Overview.
`ip-version number`	Match inner IP version. For example, to match MPLS-tagged IPv4 packets, match on the text synonym `ipv4`. Within `ip-version number` you can further match packets based on source and destination addresses and ports. Refer Table 1 and Table 2.
`label number`	MPLS label value or range of label values in the MPLS header of a packet. For `number`, you can specify one or more values from 0 through 1048575 in decimal or hexadecimal format, as given below: A single label—for example, `label 3` Several labels—for example, `label 0,4` A range of labels—for example, `label [0-5]`. These values are not supported on filters applied to the loopback interface.
`label0 number`	MPLS label value or range of label values in the TOS MPLS header of a packet. For `number`, you can specify one or more values from 0 through 1048575 in decimal or hexadecimal format, as given below: A single label—for example, `label0 3` Several labels—for example, `label0 0,4` A range of labels—for example, `label0 [0-5]`. These values are not supported on filters applied to the loopback interface.
`label0-except number`	Do not match MPLS label value or range of label values in the TOS MPLS header of a packet. For `number`, you can specify one or more values from 0 through 1048575 in decimal or hexadecimal format, as given below: A single label—for example, `label0-except 3` Several labels—for example, `label0-except 0,4` A range of labels—for example, `label0-except [0-5]`. These values are not supported on filters applied to the loopback interface.
`label1 number`	Match the MPLS label value or range of label values in the MPLS header label of the MPLS header that is next to the TOS MPLS header. For `number`, you can specify one or more values from 0 through 1048575 in decimal or hexadecimal format, as given below: A single label—for example, `label1 3` Several labels—for example, `label1 0,4` A range of labels—for example, `label1 [0-5]`. These values are not supported on filters applied to the loopback interface.
`label1-except number`	Do not match on the MPLS label value or range of label values in the MPLS header label of the MPLS header that is next to the TOS MPLS header. For `number`, you can specify one or more values from 0 through 1048575 in decimal or hexadecimal format, as given below: A single label—for example, `label1-except 3` Several labels—for example, `label1-except 0,4` A range of labels—for example, `label1-except [0-5]`. These values are not supported on filters applied to the loopback interface.
`label number top` \| `bottom` \| `offset` `offset-value`	Match top label, or bottom label or the label at a specified offset (from the top or bottom of the label stack) of the incoming MPLS packet. `top` - Match with reference to top-of-stack towards bottom-of-stack. `bottom` - Match with reference to bottom-of-stack towards top-of-stack. `offset<offset-value>` - Match with reference to MPLS stack depth with respect to top or bottom of stack, where `offset-value` = (0..15). `label` `number` `top` `offset` `offset-value` - MPLS top label filter match with an offset to stack sanding from 0 to 15. 0 being the first label position from top of stack for both implicit and CLI filters. `label` `number` `bottom` `offset` `offset-value` - MPLS bottom label filter match with an offset to stack sanding from 0 to 15. 0 being the first label position from bottom of stack for both implicit and CLI filters. `label` `number` `offset` `offset-value` - If no options, top or bottom, are provided next to `label` `number` then the default match starts from top-of-stack with given offset. In other words, label number offset [n = 0..15] is equivalent to label number top offset [n = 0..15]. `label` `number` - If no options are provided next to `label` `number` then the default match will be done on top label (implicit offset 0 and anchor point being top-of-stack). Note: Filter match on label with offset out of the MPLS stack depth might not give the expected behaviour. For filter label match with position as bottom, if offset is out of MPLS stack depth then filter will always match on end-of-stack label. For filter match with position as top, if offset is out of MPLS stack depth, will point to pay load to match against the configured label. Note: The configuration command options are introduced in Junos Release 22.3R1.
`loss-priority level`	Match the packet loss priority (PLP) level. Specify a single level or multiple levels: `low`, `medium-low`, `medium-high`, or `high`. For IP traffic you must include the `tri-color` statement at the `[edit class-of-service]` hierarchy level to commit a PLP configuration with any of the four levels specified. If the `tri-color` statement is not enabled, you can only configure the `high` and `low` levels. This applies to all protocol families. For information about the `tri-color` statement, see Configuring and Applying Tricolor Marking Policers. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Forwarding Classes Assign Classes to Output Queues.
`loss-priority-except level`	Do not match the PLP level. For details, see the `loss-priority` match condition.
`source-port number`	Match on the TCP or UDP source port field. You cannot specify the `port` and `source-port` match conditions in the same term. If you configure this match condition for IPv4 traffic, we recommend that you also configure the `protocol udp` or `protocol tcp` match statement in the same term to specify which protocol is being used on the port. In place of the numeric field, you can specify one of the text synonyms listed under `destination-port`.
`ttl0 number`	Match TTL number or range of numbers in the TOS MPLS header of a packet. Time To Live (TTL) is an 8-bit field in the MPLS label that signifies the remaining time that a packet has left before its life ends and is dropped. For `number`, you can specify a value from 0 through 255.
`ttl0-except number`	Do not match TTL number or range of numbers in the TOS MPLS header of a packet. Time To Live (TTL) is an 8-bit field in the MPLS label that signifies the remaining time that a packet has left before its life ends and is dropped. For `number`, you can specify a value from 0 through 255.
`ttl1 number`	Match TTL number or range of numbers in the MPLS header that is next to the TOS MPLS header of a packet. Time To Live (TTL) is an 8-bit field in the MPLS label that signifies the remaining time that a packet has left before its life ends and is dropped. For `number`, you can specify a value from 0 through 255.
`ttl1-except number`	Do not match TTL number or range of numbers in the MPLS header that is next to the TOS MPLS header of a packet. Time To Live (TTL) is an 8-bit field in the MPLS label that signifies the remaining time that a packet has left before its life ends and is dropped. For `number`, you can specify a value from 0 through 255.

Table 2 describes the actions you can configure for MPLS firewall filters at the [edit firewall family mpls filter filter-name term term-name then] hierarchy level.

Table 2: Supported Actions for MPLS Firewall Filters
Action	Description
`accept`	Accept a packet
`count counter-name`	Count the number of packets that pass this filter or term. Note: We recommend that you configure a counter for each term in a firewall filter, so that you can monitor the number of packets that match the conditions specified in each filter term.
`discard`	Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message
`policer`	You can send traffic matched by an MPLS filter to a two-color policer.
`three-color-policer`	You can send traffic matched by an MPLS filter to a three-color policer.

Platform-Specific Behavior

Use Feature Explorer to confirm platform and release support for specific features.

Use the following table to review platform-specific behavior for your platform:

Platform	Difference
QFX Series Routers	If you are applying an MPLS filter on a loopback interface, you can only filter on the `label`, `exp`, `ttl=1`, and Layer 4 `tcp` and `udp` port number fields. For TTL, you must explicitly specify `ttl=1` under `family mpls` to match on TTL=1 packets. The only actions you can configure are `accept`, `discard`, and `count`. You can apply the filter only in the ingress direction.
MX Series Routers	For MX Series Routers with MPC and MIC, you can apply inbound and outbound filters for MPLS family based on MPLS-tagged IPv4 and IPv6 parameters using inner payload match conditions, and enable selective port mirroring of MPLS traffic unto a monitoring device. For IP-based filtering, additional match conditions are available under the MPLS filter term `from` parameter, and to support port mirroring, additional actions (such as port-mirror and port-mirror-instance), are available under the filter term `then` parameter.
PTX Series Routers	You can configure MPLS filters in the ingress direction only for PTX Series Express 4 ASIC based platforms. We do not support the egress MPLS firewall filters on these platforms. The match condition `exp number` is deprecated on PTX10001-36MR, PTX10003, PTX10004, PTX10008, and PTX10016 devices and is replaced by `exp0 number`. `forwarding-class class` - On PTX10001-36MR, PTX10003, PTX10004, PTX10008, PTX10016 routers, `exp0` or `exp1` bits are used to obtain the forwarding class. `label number` option is deprecated on PTX10001-36MR, PTX10003, PTX10004, PTX10008, and PTX10016 devices and is replaced by `label0`. `loss-priority loss -` - On PTX10001-36MR, PTX10003, PTX10004, PTX10008, PTX10016 routers, `exp0` or `exp1` bits are used to obtain the loss priority. `exp0`, `exp0-except`, `exp1`, `exp1-except`, `ip-version`, `label0`, `label0-except`, `label1`, `label1-except`, `ttl0`, `ttl0-except`, `ttl1`, and `ttl1-except` are only supported on PTX10001-36MR, PTX10003, PTX10004, PTX10008, PTX10016.

Platform

Difference

QFX Series Routers

If you are applying an MPLS filter on a loopback interface, you can only filter on the label, exp, ttl=1, and Layer 4 tcp and udp port number fields. For TTL, you must explicitly specify ttl=1 under family mpls to match on TTL=1 packets. The only actions you can configure are accept, discard, and count. You can apply the filter only in the ingress direction.

MX Series Routers

For MX Series Routers with MPC and MIC, you can apply inbound and outbound filters for MPLS family based on MPLS-tagged IPv4 and IPv6 parameters using inner payload match conditions, and enable selective port mirroring of MPLS traffic unto a monitoring device. For IP-based filtering, additional match conditions are available under the MPLS filter term from parameter, and to support port mirroring, additional actions (such as port-mirror and port-mirror-instance), are available under the filter term then parameter.

PTX Series Routers

You can configure MPLS filters in the ingress direction only for PTX Series Express 4 ASIC based platforms. We do not support the egress MPLS firewall filters on these platforms.

The match condition exp number is deprecated on PTX10001-36MR, PTX10003, PTX10004, PTX10008, and PTX10016 devices and is replaced by exp0 number.

forwarding-class class - On PTX10001-36MR, PTX10003, PTX10004, PTX10008, PTX10016 routers, exp0 or exp1 bits are used to obtain the forwarding class.

label number option is deprecated on PTX10001-36MR, PTX10003, PTX10004, PTX10008, and PTX10016 devices and is replaced by label0.

loss-priority loss - - On PTX10001-36MR, PTX10003, PTX10004, PTX10008, PTX10016 routers, exp0 or exp1 bits are used to obtain the loss priority.

exp0, exp0-except, exp1, exp1-except, ip-version, label0, label0-except, label1, label1-except, ttl0, ttl0-except, ttl1, and ttl1-except are only supported on PTX10001-36MR, PTX10003, PTX10004, PTX10008, PTX10016.

Firewall Filter Match Conditions for MPLS Traffic

Platform-Specific Behavior

Related Documentation