Routing

 View Only
last person joined: an hour ago 

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Can I apply a firewall filter on PE core facing interface to filter VRF traffic ?

    Posted 10-05-2022 01:11
    I have the following:
    PE
    set firewall family inet filter inet-filter term 1 from protocol icmp
    set firewall family inet filter inet-filter term 1 then count inet-count
    set firewall family inet filter inet-filter term 1 then accept
    set firewall family inet filter inet-filter term 2 then accept
    set firewall family mpls filter mpls-filter term 1 from exp 5
    set firewall family mpls filter mpls-filter term 1 then count exp-count
    set firewall family mpls filter mpls-filter term 2 then accept
    
    set interfaces ge-0/0/4 vlan-tagging
    set interfaces ge-0/0/4 unit 5 vlan-id 5
    set interfaces ge-0/0/4 unit 5 family inet filter input inet-filter
    set interfaces ge-0/0/4 unit 5 family inet address 10.220.34.0/31
    set interfaces ge-0/0/4 unit 5 family inet6
    set interfaces ge-0/0/4 unit 5 family mpls filter input mpls-filter
    
    root@PE3# run show firewall
    
    Filter: __default_bpdu_filter__
    
    Filter: mpls-filter
    Counters:
    Name                                                Bytes              Packets
    exp-count                                           85536                  972
    
    Filter: inet-filter
    Counters:
    Name                                                Bytes              Packets
    inet-count                                              0                    0
    ​

    Here is the PE ingress packet


    I thought this label is vrf label,  The firewall filter should check IP header instead of label.

    what did I miss here ?

    thanks !! 




  • 2.  RE: Can I apply a firewall filter on PE core facing interface to filter VRF traffic ?

    Posted 10-05-2022 06:42

    The packet has a label imposed so it's the filter under family MPLS that is relevant. I would imagine that it doesn't matter that its only the VRF label that's left in the stack as ingress filter evaluation will be happening before any label lookups.

    Now it's platform dependent but on MX (don't know about other platform support) you can filter on inner protocol headers on labelled packets in the MPLS family filter so something like this *might* do what you want:

    firewall {
        family mpls {
            filter mpls_filter {
                term count_icmp {
                    from {
                        ip-version {
                            ipv4 {
                                protocol icmp;
                            }
                        }
                    }
                    then count icmp_count;
                    accept;
                }
                term count_exp5 {
                    from {
                        exp 5;
                    }
                    then {
                        count mpls_count;
                        accept;
                    }
                }
            }
        }
    }
    



    ------------------------------
    STUART RIDSDALE
    ------------------------------



  • 3.  RE: Can I apply a firewall filter on PE core facing interface to filter VRF traffic ?

    Posted 10-05-2022 08:18
    thanks so much !!

    " I would imagine that it doesn't matter that its only the VRF label that's left in the stack as ingress filter evaluation will be happening before any label lookups."

    I do not quite understand this.  Is the filter supposed to check the Label or IP header, theoretically ?


  • 4.  RE: Can I apply a firewall filter on PE core facing interface to filter VRF traffic ?

    Posted 10-06-2022 11:29
    This a an MPLS labelled packet inside an L3VPNv4, so with at least one label (service label here).
    That is, it's a frame with an ethertype 0x8847, so it goes to the family MPLS at the ingress interface, and the (MPLS) ingress filter configured on this address family is the one that is used before any other processing.

    If needed, you might be able to filter IP traffic inside the VRF itself by attaching something like that (not tested), that is once the MPLS packet has been processed and converted to an IP packet to the VRF:
    routing-instances {
     VRF-A {
      vrf-table-label;
      forwarding-options {
       family inet {
        filter {
         output FWFR-VRF-A;
        }
       }
      }
     }
    }
    ​


    At the interface in the MPLS address family, you might filter on ip prefixes, but not labels (or maybe using from flexible-match-mask, but that's probably not a fine idea), using from ip-version ipv4 and so on (but you wouldn't distinguish between VRFs).



    ------------------------------
    Olivier Benghozi
    ------------------------------



  • 5.  RE: Can I apply a firewall filter on PE core facing interface to filter VRF traffic ?

    Posted 10-06-2022 11:49
    thanks so much!!

    I am learning and testing these.