This is an MPLS labelled packet inside an L3VPNv4, so with at least one label (the service label here).
That is, it's a frame with ethertype 0x8847, so it goes to the family MPLS at the ingress interface, and the (MPLS) ingress filter configured on this address family is the one that is used before any other processing.
If needed, you might be able to filter IP traffic inside the VRF itself by attaching something like this (not tested), that is, once the MPLS packet has been processed and handed over as an IP packet to the VRF:
routing-instances {
    VRF-A {
        vrf-table-label;
        forwarding-options {
            family inet {
                filter {
                    output FWFR-VRF-A;
                }
            }
        }
    }
}
At the interface in the MPLS address family, you might filter on IP prefixes, but not labels (or maybe using from flexible-match-mask, but that's probably not a fine idea), using from ip-version ipv4 and so on (but you wouldn't distinguish between VRFs).
------------------------------
Olivier Benghozi
------------------------------
Original Message:
Sent: 10-05-2022 08:17
From: Unknown User
Subject: Can I apply a firewall filter on PE core facing interface to filter VRF traffic ?
thanks so much !!
"I would imagine that it doesn't matter that its only the VRF label that's left in the stack as ingress filter evaluation will be happening before any label lookups."
I do not quite understand this. Is the filter supposed to check the Label or IP header, theoretically ?
Original Message:
Sent: 10-05-2022 04:39
From: STUART RIDSDALE
Subject: Can I apply a firewall filter on PE core facing interface to filter VRF traffic ?
The packet has a label imposed, so it's the filter under family MPLS that is relevant. I would imagine that it doesn't matter that it's only the VRF label that's left in the stack, as ingress filter evaluation will be happening before any label lookups.
Now it's platform dependent, but on MX (don't know about other platform support) you can filter on inner protocol headers of labelled packets in the MPLS family filter, so something like this *might* do what you want:
firewall {
    family mpls {
        filter mpls_filter {
            term count_icmp {
                from {
                    ip-version {
                        ipv4 {
                            protocol icmp;
                        }
                    }
                }
                then {
                    count icmp_count;
                    accept;
                }
            }
            term count_exp5 {
                from {
                    exp 5;
                }
                then {
                    count mpls_count;
                    accept;
                }
            }
        }
    }
}
------------------------------
STUART RIDSDALE
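As an added illustration (not part of the thread, and not Junos code), here is a small Python model of the classification the two replies above describe: the ethertype selects the address family, so a 0x8847 frame is only ever seen by the family mpls input filter, while the family inet filter on the same unit never sees it. It also shows what a family mpls term matching on the inner header (ip-version ipv4 / protocol icmp, as in the reply above) and a term matching on exp would each see. The frames, label values, addresses and the first-match evaluation are constructed for illustration; a real PFE is platform specific, as the reply notes.

```python
# Added example (not from the thread): a simplified model of what a PE ingress
# firewall filter sees on a labelled frame. Ethernet -> MPLS label stack ->
# inner IP header, then Junos-style first-match term evaluation per family.
# Label values, addresses and term names below are constructed for illustration.
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS_UNICAST = 0x8847


def parse_label_stack(payload):
    """Walk 4-byte label entries until the bottom-of-stack (S) bit is set."""
    labels, off = [], 0
    while True:
        if len(payload) < off + 4:
            raise ValueError("truncated MPLS label stack")
        (entry,) = struct.unpack_from("!I", payload, off)
        labels.append({"label": entry >> 12, "exp": (entry >> 9) & 0x7,
                       "bos": (entry >> 8) & 0x1, "ttl": entry & 0xFF})
        off += 4
        if labels[-1]["bos"]:
            return labels, payload[off:]


def parse_frame(frame):
    """Classify by ethertype (which picks the address family), then peek at the inner IP header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    pkt = {"family": None, "labels": [], "top_exp": None, "ip_version": None, "ip_protocol": None}
    if ethertype == ETHERTYPE_MPLS_UNICAST:
        pkt["family"] = "mpls"
        pkt["labels"], inner = parse_label_stack(frame[14:])
        pkt["top_exp"] = pkt["labels"][0]["exp"]
    elif ethertype == ETHERTYPE_IPV4:
        pkt["family"] = "inet"
        inner = frame[14:]
    else:
        return pkt
    # MPLS carries no payload-type field; the version nibble tells IPv4 from IPv6.
    if inner:
        version = inner[0] >> 4
        if version == 4 and len(inner) >= 20:
            pkt["ip_version"], pkt["ip_protocol"] = 4, inner[9]
        elif version == 6 and len(inner) >= 40:
            pkt["ip_version"], pkt["ip_protocol"] = 6, inner[6]
    return pkt


# Filter terms as (name, match-conditions, action). An empty match dict is a
# match-all term, like "term 2 then accept" in the original post.
INET_FILTER = [
    ("1", {"ip_protocol": 1}, "count inet-count; accept"),
    ("2", {}, "accept"),
]
MPLS_FILTER = [
    ("count_icmp", {"ip_version": 4, "ip_protocol": 1}, "count icmp_count; accept"),
    ("count_exp5", {"top_exp": 5}, "count mpls_count; accept"),
    ("2", {}, "accept"),
]
FILTERS = {"inet": INET_FILTER, "mpls": MPLS_FILTER}


def evaluate_terms(terms, pkt):
    """First matching term wins; no match at all means the implicit discard."""
    for name, match, action in terms:
        if all(pkt.get(key) == value for key, value in match.items()):
            return name, action
    return None, "discard"


def ingress_filter(frame):
    """Return (family, term, action): only the family chosen by the ethertype runs its input filter."""
    pkt = parse_frame(frame)
    if pkt["family"] not in FILTERS:
        return pkt["family"], None, "not filtered here"
    term, action = evaluate_terms(FILTERS[pkt["family"]], pkt)
    return pkt["family"], term, action


def build_frame(labels=(), exp=0, ip_protocol=1):
    """Constructed frame: Ethernet + optional label stack + minimal IPv4 header + 8-byte payload."""
    eth_type = ETHERTYPE_MPLS_UNICAST if labels else ETHERTYPE_IPV4
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", eth_type)
    for i, label in enumerate(labels):
        bos = 1 if i == len(labels) - 1 else 0
        frame += struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | 255)
    payload = bytes(8)
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                         ip_protocol, 0, bytes([10, 220, 34, 0]), bytes([10, 220, 34, 1]))
    return frame + payload


if __name__ == "__main__":
    # Single service label, exp 5, inner ICMP: seen by family mpls only.
    print(ingress_filter(build_frame(labels=(16,), exp=5, ip_protocol=1)))
    # Same frame carrying TCP: falls through to the exp 5 term.
    print(ingress_filter(build_frame(labels=(16,), exp=5, ip_protocol=6)))
    # Plain IPv4 ICMP frame: the family inet filter is the one consulted.
    print(ingress_filter(build_frame(labels=(), ip_protocol=1)))
```

The model reproduces the counters in the original post: a labelled frame never reaches inet-filter, so inet-count stays at zero however much ICMP the VRF carries, while the family mpls terms can match on exp or, where the platform supports it, on the inner IPv4 protocol.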
Original Message:
Sent: 10-05-2022 01:10
From: Unknown User
Subject: Can I apply a firewall filter on PE core facing interface to filter VRF traffic ?
I have the following:
PE
set firewall family inet filter inet-filter term 1 from protocol icmp
set firewall family inet filter inet-filter term 1 then count inet-count
set firewall family inet filter inet-filter term 1 then accept
set firewall family inet filter inet-filter term 2 then accept
set firewall family mpls filter mpls-filter term 1 from exp 5
set firewall family mpls filter mpls-filter term 1 then count exp-count
set firewall family mpls filter mpls-filter term 2 then accept
set interfaces ge-0/0/4 vlan-tagging
set interfaces ge-0/0/4 unit 5 vlan-id 5
set interfaces ge-0/0/4 unit 5 family inet filter input inet-filter
set interfaces ge-0/0/4 unit 5 family inet address 10.220.34.0/31
set interfaces ge-0/0/4 unit 5 family inet6
set interfaces ge-0/0/4 unit 5 family mpls filter input mpls-filter

root@PE3# run show firewall

Filter: __default_bpdu_filter__

Filter: mpls-filter
Counters:
Name                 Bytes        Packets
exp-count            85536        972

Filter: inet-filter
Counters:
Name                 Bytes        Packets
inet-count           0            0
Here is the PE ingress packet