Overview of MPLS Firewall Filters on Loopback Interface
Although all interfaces are important, the loopback interface might be the most important because it is the link to the Routing Engine, which runs and manages all the routing protocols. The loopback interface is a gateway for all the control traffic that enters the Routing Engine of the switch. You can control traffic by configuring a firewall filter on the loopback interface (lo0) on family mpls in QFX5100, QFX5110, QFX5200, and QFX5210 switches. Loopback firewall filters affect only traffic destined for the Routing Engine CPU. You can apply a loopback firewall filter only in the ingress direction (packets entering the interface). Starting with Junos OS Release 19.2R1, you can apply an MPLS firewall filter to a loopback interface on a label switch router (LSR) on QFX5100, QFX5110, QFX5200, and QFX5210 switches.
When you configure an MPLS firewall filter, you define filtering criteria (terms, with match conditions) for the packets and an action for the switch to take if the packets match the filtering criteria. Because you apply the filter to a loopback interface, you must explicitly specify the time to live (TTL) match condition under family mpls and set its TTL value to 1 (ttl=1).
The TTL is an 8-bit (IPv4) header field that signifies the remaining time an IP packet has left before its life ends and it is dropped. You can also match packets with other MPLS qualifiers such as label, exp, Layer 4 source port, and Layer 4 destination port.
Benefits of Adding MPLS Firewall Filters on the Loopback Interface
- Protects the Routing Engine by ensuring that it accepts traffic only from trusted networks.
- Helps protect the Routing Engine from denial-of-service attacks.
- Gives you the flexibility to match packets on the source port and destination port. For example, if you run a traceroute, you can selectively filter traffic by choosing either TCP or UDP.
Guidelines and Limitations
- You can apply a loopback firewall filter only in the ingress direction.
- Only the MPLS fields label, exp, and ttl=1 and the Layer 4 fields TCP and UDP port numbers are supported.
- Only the accept, discard, and count actions are supported.
- You must explicitly specify ttl=1 under family mpls to match on TTL packets.
- Filters applied on the loopback interface cannot match on the destination port (inner payload) of an IPv6 packet.
- You cannot apply a filter on packets that have more than two MPLS labels.
- You cannot specify a port range for TCP or UDP match conditions.
- Only 255 firewall terms are supported.
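The pieces described above assembled into one loopback filter, as an added example that is not from this Juniper page: it accepts and counts TTL-expired UDP traceroute probes carrying a trusted label and counts and discards every other TTL-expired labeled packet bound for the Routing Engine, staying within the accept, discard and count actions and the single-port (no range) match rule listed above. The filter name, label value, port number and counter names are constructed sample values, and the ip-protocol and destination-port keywords are assumed from general Junos filter syntax rather than quoted from this page.

```junos
firewall {
    family mpls {
        filter protect-re-mpls {
            /* Traceroute probes from trusted peers reach the Routing Engine
               as labeled packets whose TTL expires here, so ttl 1 is the
               mandatory match. Label 299776 and UDP port 33434 (the first
               classic traceroute probe port) are constructed sample values;
               a single port is used because port ranges are not supported. */
            term trusted-udp-traceroute {
                from {
                    ttl 1;
                    label 299776;
                    ip-protocol udp;
                    destination-port 33434;
                }
                then {
                    count trusted-udp-traceroute;
                    accept;
                }
            }
            /* Any other TTL-expired labeled packet headed for the Routing
               Engine is counted and dropped, which keeps a flood of probes
               from untrusted sources off the CPU while the counter shows
               how much was dropped. */
            term untrusted-ttl-expired {
                from {
                    ttl 1;
                }
                then {
                    count untrusted-ttl-expired;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family mpls {
                /* Loopback filters are applied in the ingress direction only. */
                filter {
                    input protect-re-mpls;
                }
            }
        }
    }
}
```

Check the counters with show firewall filter protect-re-mpls after committing; a rising untrusted-ttl-expired count with no matching trusted hits is the signal that probes are arriving from somewhere other than the trusted label.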
Platform-Specific MPLS Firewall Filter Behavior
| Platform | Difference |
|---|---|
| QFX5100 / QFX5110 / QFX5200 / QFX5210 | Supports MPLS firewall filters on |
| MX Series | Supports MPLS filters on |
| PTX Series | Supports MPLS filters on |
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.