In some cases, the l2circuit control plane is up, but traffic does not go through or there is packet loss. Because an l2circuit is usually point-to-point (unlike VPLS or EVPN), Junos OS did not offer many match terms for filters on ethernet-ccc/vlan-ccc interfaces.
However, starting from Junos OS release 15.1, the flexible filter makes it possible to configure a filter on the ethernet-ccc/vlan-ccc interface that matches various terms.
This article gives a few examples of flex-filters to match source IP address, destination IP address, and source MAC and destination MAC addresses on l2circuit ccc interfaces.
Lab Topology
CE --- xe-0/0/1.100 R1 <MPLS CORE> R2 xe-0/0/0.100
R1# show interfaces xe-0/0/1
unit 100 {
    encapsulation vlan-ccc;
    vlan-id 100;
    family ccc {
        filter {
            input test-filter-mac;
        }
    }
}

R1# show protocols l2circuit
neighbor 2.2.2.2 {
    interface xe-0/0/1.100 {
        virtual-circuit-id 2000;
    }
}

R2# show interfaces xe-0/0/0
unit 100 {
    encapsulation vlan-ccc;
    vlan-id 100;
    family ccc {
        filter {
            output test-filter;
        }
    }
}

R2# show protocols l2circuit
neighbor 1.1.1.1 {
    interface xe-0/0/0.100 {
        virtual-circuit-id 2000;
    }
}

R1> show l2circuit connections
Layer-2 Circuit Connections:

Legend for connection status (St)
EI -- encapsulation invalid      NP -- interface h/w not present
MM -- mtu mismatch               Dn -- down
EM -- encapsulation mismatch     VC-Dn -- Virtual circuit Down
CM -- control-word mismatch      Up -- operational
VM -- vlan id mismatch           CF -- Call admission control failure
OL -- no outgoing label          IB -- TDM incompatible bitrate
NC -- intf encaps not CCC/TCC    TM -- TDM misconfiguration
BK -- Backup Connection          ST -- Standby Connection
CB -- rcvd cell-bundle size bad  SP -- Static Pseudowire
LD -- local site signaled down   RS -- remote site standby
RD -- remote site signaled down  HS -- Hot-standby Connection
XX -- unknown

Legend for interface status
Up -- operational
Dn -- down

Neighbor: 2.2.2.2
    Interface                 Type  St     Time last up          # Up trans
    xe-0/0/1.100(vc 2000)     rmt   Up     Jul 12 09:59:56 2019           1
      Remote PE: 2.2.2.2, Negotiated control-word: Yes (Null)
      Incoming label: 299872, Outgoing label: 299936
      Negotiated PW status TLV: No
      Local interface: xe-0/0/1.100, Status: Up, Encapsulation: VLAN
      Flow Label Transmit: No, Flow Label Receive: No

Flex-filter to match the source IP address or destination IP address of the packet (1.1.1.1)
- Source IP: 1.1.1.1
- Dest IP: 1.1.1.2
R1# show firewall family ccc filter test-filter
interface-specific;
term 1 {
    from {
        flexible-match-mask {
            match-start payload;     <<< Matching payload for IP, first match criteria
            byte-offset 12;          <<< 12 for Source IP and 16 for Destination IP
            bit-length 32;           <<< IP address length 32
            prefix 0x01010101;       <<< IP address of 1.1.1.1
        }
    }
    then {
        count ccc-in;
        accept;
    }
}
term 2 {
    then accept;
}

Flex-filter to match the source MAC address of the packet
- SMAC: a8d0e553fa23
- DMAC: a8d0e553fa22
R1# show firewall family ccc filter test-filter-mac
interface-specific;
term 1 {
    from {
        flexible-match-mask {
            match-start layer-2;     <<< Matching Ethernet header
            byte-offset 4;           <<< 0 for Destination MAC, 6 for Source MAC. 4 for last 2 bytes in Destination MAC and first 2 bytes in Source MAC
            bit-length 32;           <<< The max length is 32 bits/4 bytes which is less than 48 bits/6 bytes of MAC address
            prefix 0xfa22a8d0;
        }
    }
    then {
        count ccc-in-mac;
        accept;
    }
}
term 2 {
    then accept;
}

Note: The current implementation of flexible filter supports a match condition of only 32 bits (4 bytes). Therefore, it is impossible to match the source IP and destination IP addresses at the same time. For a MAC address, we suggest matching the first or last 4 bytes of the source or destination MAC address, or the last 2 bytes of the destination MAC address plus the first 2 bytes of the source MAC address.
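The following Python helper is an added example, not part of the original article or of Junos OS. It derives the 32-bit prefix for each byte-offset named in the note and in the filter comments above, using the lab MAC and IP addresses. The function names are hypothetical, the sample header is constructed, and it assumes, as the article's offsets imply, that layer-2 offsets count from the first byte of the destination MAC and payload offsets from the first byte of the IPv4 header.

```python
import ipaddress
import struct

def window32(data: bytes, byte_offset: int) -> int:
    """Return the 32 bits (4 bytes) starting at byte_offset, the most one match can compare."""
    if byte_offset < 0 or byte_offset + 4 > len(data):
        raise ValueError(f"byte-offset {byte_offset} leaves fewer than 4 bytes to match")
    return int.from_bytes(data[byte_offset:byte_offset + 4], "big")

def mac_windows(dmac: str, smac: str) -> dict:
    """Prefixes for every 4-byte MAC window the note suggests, keyed by byte-offset."""
    header = bytes.fromhex(dmac + smac)  # destination MAC first, then source MAC
    # 0/2: first/last 4 bytes of DMAC, 4: DMAC tail + SMAC head, 6/8: first/last 4 of SMAC
    return {off: window32(header, off) for off in (0, 2, 4, 6, 8)}

def ip_windows(ip_header: bytes) -> dict:
    """Prefixes for the source (offset 12) and destination (offset 16) IPv4 address."""
    return {off: window32(ip_header, off) for off in (12, 16)}

def stanza(match_start: str, byte_offset: int, value: int) -> str:
    """Render one flexible-match-mask block using the statements shown in the article."""
    return ("flexible-match-mask {\n"
            f"    match-start {match_start};\n"
            f"    byte-offset {byte_offset};\n"
            "    bit-length 32;\n"
            f"    prefix 0x{value:08x};\n"
            "}")

# Constructed sample built from the article's lab addresses (checksum left at 0).
DMAC, SMAC = "a8d0e553fa22", "a8d0e553fa23"
IP_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                        ipaddress.IPv4Address("1.1.1.1").packed,
                        ipaddress.IPv4Address("1.1.1.2").packed)

if __name__ == "__main__":
    for off, value in mac_windows(DMAC, SMAC).items():
        print(stanza("layer-2", off, value))
    for off, value in ip_windows(IP_HEADER).items():
        print(stanza("payload", off, value))
```

For the lab MAC addresses, the windows at offsets 0 and 6 yield the same prefix because the two addresses differ only in their last byte, so only offsets 2, 4, and 8 cover a byte that distinguishes them.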
For more information, see Firewall Filter Flexible Match Conditions.