Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[MX] Example configuration - Using FW flexible match conditions to count l2circuit PW packets in MPLS core

0

0

Article ID: KB34584 KB Last Updated: 20 Jun 2019Version: 1.0
Summary:

You may encounter a challenge to find a place of packet drop for a particular traffic flow in MPLS core. A convenient way to check whether packets are entering or leaving a router is to use firewall filter with count action for interesting traffic. However, in a MPLS core, you have to use firewall filter for family MPLS. And the only option for family MPLS filters to peek into payload is to use flexible match condition.

This article provides an example on matching and counting packets for a particular traffic flow carried in l2circuit PW without control-word in a MPLS core.

Solution:

CPE_A --- PE --- P --- P --- ..... --- PE --- CPE_B

        ---------- l2circuit PW ---------->

              ---> traffic flow --->

Drops are somewhere in between two PEs. The filter shown below you can apply on inbound or outbound direction on interfaces between PE --- P routers and between P --- P routers.


user@P_router# show firewall
family mpls {
    filter count_l2c {
        term CE {
            from {
                flexible-match-mask {
                    match-start payload;     <-- lookup starts from the first byte after bottom-of-stack MPLS label
                    byte-offset 8;           <-- offsetting lookup by 8 bytes (lookup starts in source MAC, skipping first 2 bytes)
                    bit-length 32;           <-- matching pattern length
                    mask-in-hex 0xffffffff;  <-- matching pattern mask, all bits have to match in this case
                    prefix 0xab0d3960;       <-- last 4 bytes of source MAC, skipping 2 most significant bytes (CPE_A MAC address)
                }
            }
            then {
                count CPE;
                accept;
            }
        }
        term other {
            then accept;
        }
    }
}

Apply filter on an interface:

user@P_router# show interfaces ae0.0 family mpls
filter input count_l2c;


Check the FW counter. Make sure that there are packets flowing which you're matching:

user@P_router> show firewall filter count_l2c

Filter: count_l2c
Counters:
Name              Bytes              Packets
CPE               576                8   <-- packets are arriving via ae0


 
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search