Juniper Networks 10.4 Layer 2 Firewall Filters

CHAPTER9

Layer 2 Firewall Filters

•FirewallFilters for Bridge Domains and VPLS Instanceson page 95

•Example:Configuring Policing and Marking of TrafficEntering a VPLS Core on page96

•Example:Configuring Filtering of Frames by MACAddress on page 98

•Example:Configuring Filtering of Frames by IEEE 802.1pBits on page 99

•Example:Configuring Filtering of Frames by PacketLoss Priority on page 101

FirewallFilters for Bridge Domains and VPLS Instances

JuniperNetworks MX Series Ethernet Services Routerssupport firewall filters for the

bridgeand vpls protocol families. Youconfigure these firewall filters tocontrol traffic

withinbridge domains and VPLS instances. This chapterexplores some of the ways that

filterscan be used in a Layer 2 environment tocontrol traffic.

MXSeries router firewall filters canbe applied to:

•Inputinterfaces

•Outputinterfaces

•Inputto the Layer 2 forwarding table

NOTE: Broadcast,unicast unknown,and multicast (BUM) traffic is not

affectedby input and output policies. BUM traffic canonly be filtered by

forwardingtable policies.

Youuse a firewall filterafter taking the following two steps:

1. Youconfigure any policersand the firewall filter at the [edit firewall] hierarchylevel.

2. Youapply the properlyconfigured firewall filter to an interface.

NOTE: Youshoulddeploy firewall filters carefullybecause it is easy to cause

unforeseensideeffects on all traffic, especially trafficthat is not the intended

targetof the filter. For moreinformation about configuring firewall filters,

seethe Junos OS Policy Framework ConfigurationGuide.

95Copyright© 2010, Juniper Networks,Inc.

Contents

Main Page ENDUSER LICENSE AGREEMENT Page Page Page Abbreviated Table of Contents Page Table of Contents AboutThisGuide.................................................xvii Part1 Overview Chapter1 OverviewofEthernetSolutions......................................3 Part2 Basic Solutions for MX SeriesRouters Chapter3 VirtualSwitches..................................................39 Chapter4 VLANs Within BridgeDomain and VPLS Environments . . . . . . . . . . . . . . . . 43 Chapter5 BulkAdministration of Layer 2 Features on MX Series Routers . . . . . . . . . . 59 Chapter6 DynamicProfiles for VLANInterfaces and Protocols. . . . . . . . . . . . . . . . . . . 63 Chapter8 MXSeries Router in an ATMEthernet Interworking Function . . . . . . . . . . . . 77 Part3 EthernetFiltering, Monitoring, and Fault ManagementSolutions forMX Series Routers Chapter9 Layer2FirewallFilters.............................................95 Chapter10 IEEE802.1ag OAM Connectivity-Fault Management . . . . . . . . . . . . . . . . . . 103 Chapter11 ITU-TY.1731 Ethernet Frame DelayMeasurements . . . . . . . . . . . . . . . . . . . . 119 Chapter13 EthernetRing Protection..........................................145 Page List of Figures Part1 Overview Part2 BasicSolutions for MX Series Routers Part3 EthernetFiltering, Monitoring, and Fault ManagementSolutions forMX Series Routers Page List of Tables Page About This Guide JunosDocumentation and Release Notes Objectives Audience SupportedRouting Platforms Usingthe Indexes Usingthe Examples in This Manual Merginga Full Example Merginga Snippet DocumentationConventions Table1: Notice Icons DescriptionMeaningIcon Table2 on pagexxi defines the text and syntax conventions used in this guide. Table2: Textand Syntax Conventions ExamplesDescriptionConvention DocumentationFeedback thefollowing information with your comments: RequestingTechnical Support Self-HelpOnline Tools and Resources Openinga Case with JTAC Page Page Page CHAPTER1 Overview of Ethernet Solutions EthernetTerms and Acronyms Page Page Networkingand Internetworking with Bridges and Routers NetworkAddressing at Layer 2 and Layer 3 Page Networkingat Layer 2: Benefits of Ethernet Frames Networkingat Layer 2: Challenges of Ethernet MAC Addresses Networkingat Layer 2: Forwarding VLAN TaggedFrames Figure1: Native (Normal) and VLAN-TaggedEthernet Fames Networkingat Layer 2: Forwarding Dual-TaggedFrames Networkingat Layer 2: Logical Interface Types AMetro Ethernet Network with MX Series Routers Figure2: A Metro Ethernet Network Figure3: A Metro Ethernet Network with MX Series Routers Figure4: VLAN Tags on a Metro Ethernet Network Layer2 Networking Standards Page PART2 Basic Solutions for MX Series Routers Page CHAPTER2 Basic Layer 2 Features on MX Series Routers Layer2 Features for a Bridging Environment ExampleRoadmap: Configuring a Basic Bridge Domain Environment ExampleTopology Figure5: Bridging Network with MX Series Routers ExampleScenario ExampleConfiguration Summary ExampleStep: Configuring Interfaces and VLAN Tags Toconfigure the Ethernetinterfaces and VLAN tags on all three routers: Page Page Page Page ExampleStep: Configuring Bridge Domains Toconfigure the bridgedomains on all three routers: Page ExampleStep: Configuring Spanning Tree Protocols Page Figure6: Designated, Root, and AlternatePorts ExampleStep: Configuring Integrated Bridging and Routing Page Page Page Page CHAPTER3 Virtual Switches Layer2 Features for a Switching Environment ConfiguringVirtual Switches as Separate RoutingInstances Page Page CHAPTER4 VLANs Within Bridge Domain and VPLS Environments VLANsWithin a Bridge Domain or VPLS Instance PacketFlow Through a Bridged Network with NormalizedVLANs Configuringa Normalized VLAN for Translation or Tagging ImplicitVLAN Translation to a Normalized VLAN SendingTagged or Untagged Packetsover VPLS Virtual Interfaces Configuringa Normalized VLAN ConfiguringLearning Domains for VLAN IDs Bound to Logical Interfaces Example:Configuring a Provider Bridge Network with Normalized VLAN Tags Figure7: Provider Bridge Network Using Normalized VLAN Tags Page Page Example:Configuring a Provider VPLS Network with Normalized VLAN Tags Figure8: VLAN Tags and VPLS Labels Page Page Example:Configuring One VPLS Instance for Several VLANs Figure9: Many VLANs on One VPLS Instance IfVLANs 1 through 1000 for customer C1 span the same sites, then the vlan-id all and Page CHAPTER5 Bulk Administration of Layer 2 Features on MX Series Routers BulkConfiguration of VLANs and Bridge Domains Example:Configuring VLAN Translation with a VLAN ID List Example:Configuring Multiple Bridge Domains with a VLAN ID List Page Page CHAPTER6 Dynamic Profiles for VLAN Interfaces and Protocols DynamicProfiles for VPLS Pseudowires Example:Configuring VPLS Pseudowires with Dynamic ProfilesBasic Solutions VPLSPseudowire Interfaces Without Dynamic Profiles VPLSPseudowire Interfaces and Dynamic Profiles CERouters Without Dynamic Profiles CERouters and Dynamic Profiles Considerthe following configuration, which usesdynamic profiles at the protocols level: Example:Configuring VPLS Pseudowires with Dynamic ProfilesComplexSolutions Configurationof Routing Instance and InterfacesWithout Dynamic Profiles Configurationof Routing Instance and InterfacesUsing Dynamic Profiles Page Page Configurationof Tag TranslationUsing Dynamic Profiles CHAPTER7 MX Series Router as a DHCP Relay Agent MXSeries Router as a Layer 2 DHCP Relay Agent Example:Configuring DHCP Relay in a Bridge Domain VLAN Environment Example:Configuring DHCP Relay in a VPLS Routing Instance Environment Youverify your configurationby using two related commands: CHAPTER8 MX Series Router in an ATM Ethernet Interworking Function MXSeries Router ATM Ethernet InterworkingFunction Figure10: ATM Ethernet VLAN Interworking Figure11: ATM Ethernet VLAN Interworking PacketStructure Figure12: CCC to Stacked VLAN Translation Example:Configuring MX Series Router ATMEthernet Interworking Figure13: ATM Ethernet VLAN Interworking ConfiguringPE2 with a Layer 2 Circuit PE1Configuation Configurethe Layer 2 Circuit PE2Configuation Configurethe Layer 2 Circuit on the MX Series Router Youverify your configurationon the MX Series router with the command: ConfiguringPE2 with a Layer 2 Circuit over AggregatedEthernet PE1Configuation Configurethe Layer 2 Circuit PE2Configuation Configurethe Layer 2 Circuit over AggregatedEthernet on the MX Series Router Page Youverify your configurationon the MX Series router with the command: ConfiguringPE2 with a Remote Interface Switch PE1Configuation Configurethe Remote InterfaceSwitch PE2Configuation Configurethe Remote InterfaceSwitch on the MX Series Router Youverifyyour configurationon the MX Series router with the show connections command: ConfiguringPE2 with a Remote Interface Switch overAggregated Ethernet PE1Configuation Configurethe Remote InterfaceSwitch PE2Configuation ConfiguretheRemote InterfaceSwitch over aggregatedEthernet on the MX Series Router Page Youverifyyour configurationon the MX Series router with the show connections command: Page Page Page CHAPTER9 Layer 2 Firewall Filters FirewallFilters for Bridge Domains and VPLS Instances Example:Configuring Policing and Marking of Traffic Enteringa VPLS Core Figure14: Policing and Marking Traffic Entering a VPLSCore Toconfigure policing and marking of trafficentering a VPLS core: limitthe aggregate broadcast, unknownunicast, and non-IP multicast to 50 kbps: theIP multicast traffic: Example:Configuring Filtering of Frames by MAC Address Example:Configuring Filtering of Frames by IEEE 802.1p Bits Page Example:Configuring Filtering of Frames by PacketLoss Priority Page CHAPTER10 IEEE 802.1ag OAM Connectivity-Fault Management EthernetOperations, Administration, and Maintenance EthernetOAM Connectivity Fault Management Example:Configuring Ethernet CFM over VPLS Figure15: Ethernet OAM with VPLS Page Configurationof PE2 Page Configurationof P router MPLSonly, no CFM needed: CFMon L2-CE1 Hereis the configuration of CFM on L2-E1: CFMon L2-CE2 Hereis the configuration of CFM L2-CE2: Example:Configuring Ethernet CFM on Bridge Connections Figure16: Ethernet CFM over a Bridge Network Hereare the configurations of CFM on the customer routers. CFMon L2-CE1 CFMon L2-CE2 Hereare the configurations of CFM on the provider routers. CFMon PE1 CFMon PE2 Page Example:Configuring Ethernet CFM on Physical Interfaces Figure17: Ethernet CFM on Physical Interfaces Page Page CHAPTER11 ITU-T Y.1731 Ethernet Frame Delay Measurements EthernetFrame Delay Measurements Figure18: Ethernet OAM Overview Page ConfiguringMEP Interfaces to Support Ethernet Frame Delay Measurements Triggeringan Ethernet Frame Delay Measurements Session Table3: Monitor Ethernet Delay CommandParameters Table3: Monitor Ethernet Delay CommandParameters (continued) ViewingEthernet Frame Delay Measurements Statistics Table4: Show Ethernet Delay CommandParameters Example:Configuring One-Way Ethernet Frame DelayMeasurements with Single-TaggedInterfaces NOTE: Theseare not completerouter configurations. Configurationon Router MX-1: Configurationon Router MX-2: FromRouter MX-2, start a one-way delay measurementto Router MX-1. Thecounters are displayed aspart of the local MEP database on Router MX-2. Theremote MEP database statistics areavailable on Router MX-1. Page Example:Configuring Two-WayEthernet Frame Delay Measurements with Single-TaggedInterfaces Configurationon Router MX-2: FromRouter MX-1, start a two-way delaymeasurement to Router MX-2. Thecounters are displayed aspart of the MEP database on Router MX-1 maintenance domainMD6. Page Example:Configuring Ethernet Frame Delay Measurements with UntaggedInterfaces Untaggedinterface configurationfor Router MX-1. Untaggedinterface configurationfor Router MX-2. Page CHAPTER12 IEEE 802.3ah OAM Link-Fault Management EthernetOAM Link Fault Management Example:Configuring Ethernet LFM Between PE and CE Figure19: Ethernet LFM Between PE and CE Toconfigure EthernetLFM on an IP link between PE and CE interfaces: Example:Configuring Ethernet LFM for CCC Figure20: Ethernet LFM for CCC Example:Configuring Ethernet LFM for Aggregated Ethernet Figure21: Ethernet LFM for Aggregated Ethernet Toconfigure LFM on an aggregatedEthernet interface betweentwo routers: Example:Configuring Ethernet LFM with Loopback Support Figure22: Ethernet LFM with Loopback Support Page Page CHAPTER13 Ethernet Ring Protection EthernetRing Protection Page EthernetRing Protection Using Ring Instances for Load Balancing Example:Configuring Ethernet Ring Protection for MX Series Routers ExampleTopology Figure23: Ethernet Ring Protection Example Nodes channelinterface is ge-1/2/1.1. The protection group is pg102. Router1 (RPL Owner) Configuration Toconfigure Router1 (the RPL owne)r: Router2 Configuration Toconfigure Router2: Page Router3 Configuration Toconfigure Router3: Page Example:Configuring Load Balancing Within Ethernet Ring Protection forMX Series Routers Requirements Overviewand Topology Figure24: ERP with Multiple Protection Instances Configuredon Three MXSeries Routers Table5: Components of the Network Topology SettingsProperty Table5: Components of the Network Topology(continued) SettingsProperty Configuration Toenable ERP with ring instanceson CS1, CS2, and AS1, perform these tasks: ConfiguringERP on CS1 Page Page ConfiguringERP on CS2 CLIQuick Configuration Page Page ConfiguringERP on AS1 witheach bridge domain: Results Checkthe results of the configuration: Page Verification Verifyingthe Ethernet Protection Ring on CS1 Verifyingthe Data Channel CS1 Verifyingthe VLANs on CS1 Verifyingthe Ethernet Protection Ring on CS2 Verifyingthe Data Channel CS2 Verifyingthe VLANs on CS2 Verifyingthe Ethernet Protection Ring on AS1 Verifyingthe Data Channels on AS1 Verifyingthe VLANs on AS1 Example:Viewing Ethernet Ring Protection StatusNormal Ring Operation Example:Viewing Ethernet Ring Protection StatusRing FailureCondition Page Page Page Page Index Symbols A B C F G I L M R S T U V