Configuring Firewall Filters and Policers for VPLS

You can configure both firewall filters and policers for VPLS. Firewall filters allow you to filter packets based on their components and to perform an action on packets that match the filter. Policers allow you to limit the amount of traffic that passes into or out of an interface.

VPLS filters and policers act on a Layer 2 frame that includes the media access control (MAC) header (after any VLAN rewrite or other rules are applied), but does not include the cyclical redundancy check (CRC) field.

You can apply VPLS filters and policers on the PE router to customer-facing interfaces only.

The following sections explain how to configure filters and policers for VPLS:

Configuring a VPLS Filter

To configure a filter for VPLS, include the filter statement at the [edit firewall family vpls] hierarchy level:

[edit firewall family vpls]
filter filter-name {
    interface-specific;
    term term-name {
        from {
            match-conditions;
        }
        then {
            actions;
        }
    }
}

For more information about how to configure firewall filters, see the Junos OS Firewall Filter and Policer Configuration Guide. For information on how to configure a VPLS filter match condition, see Standard Firewall Filter Match Conditions for VPLS Traffic.

To configure a filter for VPLS traffic, complete the following tasks:

Configuring an Interface-Specific Counter for VPLS

When you configure a firewall filter for VPLS and apply it to multiple interfaces, you can specify individual counters specific to each interface. This allows you to collect separate statistics on the traffic transiting each interface.

To generate an interface-specific counter for VPLS, you configure the interface-specific statement. A separate instantiation of the filter is generated. This filter instance has a different name (based on the interface name) and collects statistics on the interface specified only.

To configure interface-specific counters, include the interface-specific statement at the [edit firewall family vpls filter filter-name] hierarchy level:

[edit firewall family vpls filter filter-name]
interface-specific;

Note: The counter name is restricted to 24 bytes. If the renamed counter exceeds this maximum length, it might be rejected.

For more information about the interface-specific statement and an example of how to configure it, see the Junos OS Firewall Filter and Policer Configuration Guide.

Configuring an Action for the VPLS Filter

You can configure the following actions for a VPLS filter at the [edit firewall family vpls filter filter-name term term-name then] hierarchy level: accept, count, discard, forwarding-class, loss-priority, next, policer.

Configuring VPLS FTFs

Forwarding table filters (FTFs) are filters configured for forwarding tables. For VPLS, they are attached to the destination MAC (DMAC) forwarding table of the VPLS routing instance. You define VPLS FTFs in the same manner as any other type of FTF. You can only apply a VPLS FTF as an input filter.

To specify a VPLS FTF, include the filter input statement at the [edit routing-instances routing-instance-name forwarding-options family vpls] hierarchy level:

[edit routing-instances routing-instance-name forwarding-options family vpls]
filter input filter-name;

For the statement summaries of these statements, see the Junos OS Policy Framework Configuration Guide.

Changing Precedence for Spanning-Tree BPDU Packets

Spanning tree BPDU packets are automatically set to a high precedence. The queue number on these packets is set to 3. On M Series routers (except the M320 router) by default, a queue value of 3 indicates high precedence. To enable this higher precedence on BPDU packets, an instance-specific BPDU precedence filter named default_bpdu_filter is automatically attached to the VPLS DMAC table. This filter places a high precedence on all packets sent to 01:80:c2:00:00:00/24.

You can overwrite this filter by configuring a VPLS FTF filter and applying it to the VPLS routing instance. For more information, see Configuring VPLS FTFs and Applying a VPLS Filter to a VPLS Routing Instance.

Applying a VPLS Filter to an Interface

To apply a VPLS filter to an interface, include the filter statement:

filter {
    input input-filter-name;
    output output-filter-name;
    group index;
}

You can include this statement at the following hierarchy levels:

  • [edit interfaces interface-name unit number family vpls]
  • [edit logical-systems logical-system-name interfaces interface-name unit number family vpls]

In the input statement, list the name of the VPLS filter to be evaluated when packets are received on the interface. In the output statement, list the name of the VPLS filter to be evaluated when packets are transmitted on the interface.

Note: For output interface filters, MAC addresses are learned after the filter action is completed. When an output interface filter’s action is discard, the packet is dropped before the MAC address is learned. However, an input interface filter learns the MAC address before discarding the packet.

For the statement summaries for these statements, see the Junos OS Network Interfaces Configuration Guide.

Applying a VPLS Filter to a VPLS Routing Instance

You can apply a VPLS filter to a VPLS routing instance. The filter checks traffic passing through the specified routing instance.

Input routing instance filters learn the MAC address before the filter action is completed, so if the filter action is discard, the MAC address is learned before the packet is dropped.

To apply a VPLS filter to packets arriving at a VPLS routing instance and specify the filter, include the filter input statement at the [edit routing-instances routing-instance-name forwarding-options family vpls] hierarchy level:

[edit routing-instances routing-instance-name forwarding-options family vpls]
filter input input-filter-name;

Configuring a Filter for Flooded Traffic

You can configure a VPLS filter to filter flooded packets. CE routers typically flood the following types of packets to PE routers in VPLS routing instances:

  • Layer 2 broadcast packets
  • Layer 2 multicast packets
  • Layer 2 unicast packets with an unknown destination MAC address
  • Layer 2 packets with a MAC entry in the DMAC routing table

You can configure filters to manage how these flooded packets are distributed to the other PE routers in the VPLS routing instance.

To apply a flooding filter to packets arriving at the PE router in the VPLS routing instance, and specify the filter, include the flood input statement:

flood input filter-name;

You can include this statement at the following hierarchy levels:

  • [edit routing-instances routing-instance-name forwarding-options family vpls]
  • [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options family vpls]

Configuring a VPLS Policer

You can configure a policer for VPLS traffic. The VPLS policer configuration is similar to the configuration of any other type of policer.

VPLS policers have the following characteristics:

  • You cannot police the default VPLS routes stored in the flood table from PE router–sourced flood traffic.
  • When specifying policing bandwidth, the VPLS policer considers all Layer 2 bytes in a packet to determine the packet length.

To configure a VPLS policer, include the policer statement at the [edit firewall] hierarchy level:

[edit firewall]
policer policer-name {
    bandwidth-limit limit;
    burst-size-limit limit;
    then action;
}

For the statement summaries of these statements and more information about how to configure policers, see the Junos OS Firewall Filter and Policer Configuration Guide.

To apply a VPLS policer to an interface, include the policer statement:

policer {
    input input-policer-name;
    output output-policer-name;
}

You can include this statement at the following hierarchy levels:

  • [edit interfaces interface-name unit number family vpls]
  • [edit logical-systems logical-system-name interfaces interface-name unit number family vpls]

In the input statement, list the name of the VPLS policer to be evaluated when packets are received on the interface. In the output statement, list the name of the VPLS policer to be evaluated when packets are transmitted on the interface. This type of VPLS policer can only apply to unicast packets. For information about how to filter flood packets, see Configuring a Filter for Flooded Traffic.

For the statement summaries for these statements, see the Junos OS Network Interfaces Configuration Guide.
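The statements from the filter, flood-filter and policer sections above, combined into one configuration as an added example (not taken from the Junos OS guides). All filter, policer, counter and routing-instance names, the interface ge-0/0/1 and the rate values are placeholders, and the example assumes the platform accepts the policer action in a flood filter.

```junos
# Added example. Names, interface and rates are placeholders.

# Policer definition. The limits are written under if-exceeding, the
# container the Junos policer hierarchy uses for them.
set firewall policer flood-1m if-exceeding bandwidth-limit 1m
set firewall policer flood-1m if-exceeding burst-size-limit 15k
set firewall policer flood-1m then discard

# Customer-facing input filter. interface-specific creates a separate
# filter instance and counters per interface. The counter name is kept
# short because the renamed counter is restricted to 24 bytes.
set firewall family vpls filter ce-in interface-specific
set firewall family vpls filter ce-in term bcast from destination-mac-address ff:ff:ff:ff:ff:ff/48
set firewall family vpls filter ce-in term bcast then count bc
set firewall family vpls filter ce-in term bcast then accept
# Filters end with an implicit discard, so accept everything else explicitly.
set firewall family vpls filter ce-in term rest then accept

# Flood filter: count and rate-limit broadcast frames flooded into the instance.
set firewall family vpls filter ce-flood term bcast from destination-mac-address ff:ff:ff:ff:ff:ff/48
set firewall family vpls filter ce-flood term bcast then count flood-bc
set firewall family vpls filter ce-flood term bcast then policer flood-1m
set firewall family vpls filter ce-flood term bcast then accept
set firewall family vpls filter ce-flood term rest then accept

# Attach the interface filter to the customer-facing unit on the PE router
# and the flood filter to the VPLS routing instance.
set interfaces ge-0/0/1 unit 0 family vpls filter input ce-in
set routing-instances cust-a forwarding-options family vpls flood input ce-flood
```

After committing, the per-interface and flood counters can be read with show firewall to confirm that the terms match the traffic they were written for.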

Published: 2012-06-27
