[MX] Flex-filter to match IP/MAC address on l2circuit ethernet-ccc/vlan-ccc interfaces

Article ID: KB34798 KB Last Updated: 30 Jul 2019 Version: 1.0
Summary:

In some cases, the l2circuit control plane is up, but traffic does not pass or packets are lost. Because an l2circuit is usually point to point (unlike VPLS or EVPN), Junos OS historically offered few match terms for filters on ethernet-ccc/vlan-ccc interfaces.

However, starting with Junos OS release 15.1, flexible filters make it possible to configure a filter on the ethernet-ccc/vlan-ccc interface that matches various terms.

This article gives a few examples of flex-filters to match source IP address, destination IP address, and source MAC and destination MAC addresses on l2circuit ccc interfaces.

 

Symptoms:

Lab Topology

CE --- xe-0/0/1.100 R1 <MPLS CORE> R2 xe-0/0/0.100

R1# show interfaces xe-0/0/1      
unit 100 {
    encapsulation vlan-ccc;
    vlan-id 100;
    family ccc {
        filter {
            input test-filter-mac;
        }
    }
}


R1# show protocols l2circuit    
neighbor 2.2.2.2 {
    interface xe-0/0/1.100 {
        virtual-circuit-id 2000;
    }
}


R2# show interfaces xe-0/0/0 
unit 100 {
    encapsulation vlan-ccc;
    vlan-id 100;
    family ccc {
        filter {
            output test-filter;
        }
    }
}


R2# show protocols l2circuit 
neighbor 1.1.1.1 {
    interface xe-0/0/0.100 {
        virtual-circuit-id 2000;
    }
}


R1> show l2circuit connections 
Layer-2 Circuit Connections:

Legend for connection status (St)   
EI -- encapsulation invalid      NP -- interface h/w not present   
MM -- mtu mismatch               Dn -- down                       
EM -- encapsulation mismatch     VC-Dn -- Virtual circuit Down    
CM -- control-word mismatch      Up -- operational                
VM -- vlan id mismatch           CF -- Call admission control failure
OL -- no outgoing label          IB -- TDM incompatible bitrate 
NC -- intf encaps not CCC/TCC    TM -- TDM misconfiguration 
BK -- Backup Connection          ST -- Standby Connection
CB -- rcvd cell-bundle size bad  SP -- Static Pseudowire
LD -- local site signaled down   RS -- remote site standby
RD -- remote site signaled down  HS -- Hot-standby Connection
XX -- unknown

Legend for interface status  
Up -- operational            
Dn -- down                   
Neighbor: 2.2.2.2 
    Interface                 Type  St     Time last up          # Up trans
    xe-0/0/1.100(vc 2000)     rmt   Up     Jul 12 09:59:56 2019           1
      Remote PE: 2.2.2.2, Negotiated control-word: Yes (Null)
      Incoming label: 299872, Outgoing label: 299936
      Negotiated PW status TLV: No
      Local interface: xe-0/0/1.100, Status: Up, Encapsulation: VLAN
      Flow Label Transmit: No, Flow Label Receive: No

 

Solution:

Flex-filter to match the source IP address or destination IP address of the packet (1.1.1.1) 

  • Source IP: 1.1.1.1

  • Dest IP: 1.1.1.2 


R1# show firewall family ccc filter test-filter
interface-specific;
term 1 {
    from {
        flexible-match-mask {
            match-start payload;  <<< Matching payload for IP, first match criteria
            byte-offset 12;       <<< 12 for Source IP and 16 for Destination IP
            bit-length 32;        <<< IP address length 32
            prefix 0x01010101;    <<< IP address of 1.1.1.1
        }
    }
    then {
        count ccc-in;
        accept;
    }
}
term 2 {
    then accept;
}

Flex-filter to match the source MAC address of the packet

  • SMAC: a8d0e553fa23

  • DMAC: a8d0e553fa22


R1# show firewall family ccc filter test-filter-mac
interface-specific;
term 1 {
    from {
        flexible-match-mask {
            match-start layer-2; <<< Matching Ethernet header
            byte-offset 4;       <<< 0 for Destination MAC, 6 for Source MAC. 4 for last 2 bytes in Destination MAC and first 2 bytes in Source MAC
            bit-length 32;       <<< The max length is 32 bits/4 bytes which is less than 48 bits/6 bytes of MAC address
            prefix 0xfa22a8d0;
        }
    }
    then {
        count ccc-in-mac;
        accept;
    }
}
term 2 {
    then accept;
}

Note: The current implementation of flexible filter supports a match condition of only 32 bits (4 bytes). Therefore, it is impossible to match the source IP and destination IP addresses at the same time. For MAC addresses, we suggest matching the first or last 4 bytes of the source or destination MAC address, or the last 2 bytes of the destination MAC address plus the first 2 bytes of the source MAC address.
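
Each prefix value in the filters above is the four bytes found at byte-offset in the chosen region. The following Python sketch is an added example, not part of the Juniper article: it derives those values from a constructed frame built with the article's addresses, and checks a captured region against a configured prefix. It assumes, as the article's offsets imply, that layer-2 offset 0 is the first byte of the destination MAC and payload offset 0 is the first byte of the IPv4 header; the function names are hypothetical.

```python
import ipaddress
import struct

MAX_BITS = 32  # per the article, one flexible-match-mask matches at most 32 bits


def build_regions(dmac, smac, vlan_id, src_ip, dst_ip):
    """Constructed sample frame, returned as (layer-2 bytes, IPv4 header bytes)."""
    l2 = bytes.fromhex(dmac) + bytes.fromhex(smac)
    l2 += struct.pack("!HHH", 0x8100, vlan_id, 0x0800)  # 802.1Q tag + EtherType
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,  # checksum left 0
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return l2, ip


def flex_prefix(region, byte_offset, bit_length=MAX_BITS):
    """Return the hex 'prefix' for the window starting at byte_offset."""
    if byte_offset < 0 or bit_length % 8 or not 0 < bit_length <= MAX_BITS:
        raise ValueError("this sketch handles whole-byte windows of up to 32 bits")
    window = region[byte_offset:byte_offset + bit_length // 8]
    if len(window) * 8 != bit_length:
        raise ValueError("window runs past the end of the region")
    return "0x" + window.hex()


def term_matches(region, byte_offset, prefix, bit_length=MAX_BITS):
    """True if a captured frame region would hit the configured prefix."""
    try:
        return flex_prefix(region, byte_offset, bit_length) == prefix.lower()
    except ValueError:
        return False


if __name__ == "__main__":
    # Addresses are the ones used in the article; the frame itself is constructed.
    l2, ip = build_regions("a8d0e553fa22", "a8d0e553fa23", 100, "1.1.1.1", "1.1.1.2")
    for name, region, off in [("layer-2", l2, 0), ("layer-2", l2, 4),
                              ("layer-2", l2, 8), ("payload", ip, 12),
                              ("payload", ip, 16)]:
        print(f"match-start {name}; byte-offset {off}; bit-length 32; "
              f"prefix {flex_prefix(region, off)};")
```

Running it prints one line per window, which makes it easy to see which four bytes a given byte-offset covers before committing the filter.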

For more information, see Firewall Filter Flexible Match Conditions.
