Policy Framework Configuration Guide - Juniper Networks

Chapter 9: Firewall Filter Configuration
To configure firewall filter match conditions for Layer 2 CCC traffic:
• Include the match-conditions statement at the [edit firewall family ccc filter filter-name
term term-name from hierarchy level.
Table 28: Layer 2 Circuit Cross-Connect Firewall Filter Match Conditions
Match Condition
destination-mac-address
address
Description
(MX Series routers only) Destination media access control (MAC) address of a virtual private LAN
service (VPLS) packet.
To have packets correctly evaluated by this match condition when applied to egress traffic flowing over
a CCC circuit from a logical interface on an I-chip DPC in a Layer 2 virtual private network (VPN) routing
instance, you must make a configuration change to the Layer 2 VPN routing instance. You must explicitly
disable the use of a control word for traffic flowing out over a Layer 2 circuit. The use of a control word
is enabled by default for Layer 2 VPN routing instances to support the emulated virtual circuit (VC)
encapsulation for Layer 2 circuits.
To explicitly disable the use of a control word for Layer 2 VPNs, include the no-control-word statement
at either of the following hierarchy levels:
• [edit routing-instances routing-instance-name protocols l2vpn]
• [edit logical-systems logical-system-name routing-instances routing-instance-name protocols l2vpn]
forwarding-class
class
Forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.
forwarding-class-except
class
Do not match on the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding,
or network-control.
interface-group
group-number
Interface group on which the packet was received. An interface group is a set of one or more logical
interfaces. For group-number, specify a value from 0 through 255. For information about configuration
interface groups, see “Applying Firewall Filters to Interfaces” on page 235.
interface-group-except
number
Do not match on the interface group in which the packet was received. For group-number, specify a value
from 0 through 255.
loss-priority level
Packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high,
or high.
Supported on MX Series routers; M120 and M320 routers; and M7i and M10i routers with the Enhanced
CFEB (CFEB-E).
On M320 routers, you must enable the tricolor statement at the [edit class-of-service] hierarchy level
to commit a PLP configuration with any of the four levels specified. If the tricolor statement is not
referenced, you can only configure the high and low levels. This applies to all protocol families.
For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets,
see the Junos Class of Service Configuration Guide.
loss-priority-except
level
Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low,
medium-high, or high.
For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets,
see the Junos Class of Service Configuration Guide.
Copyright © 2010, Juniper Networks, Inc.
207