This article provides information on how to match the IPv4 packet header address or port fields in MPLS flows.
To match an MPLS-tagged IPv4 packet on the source or destination address field in the IPv4 header, specify the match condition at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4] hierarchy level. But this will work only for T-series routers. This option is not supported on M/MX-series routers.
To match MPLS-tagged IPv4 packets on M/MX-series routers, perform the following procedure:
1. Create a firewall filter for the IPv4 family under the group.
2. Create a firewall filter for the MPLS family and call the defined group under this firewall filter. For example, matching ICMP packets that are passing through LSP.
There is a LSP between R1and R3:
R1-ge-1/3/9----ge-1/3/11-R2-ge-1/3/10----ge-3/1/6-R3
R2# show groups
test {
firewall {
family inet {
filter IPv4_filter {
term 1 {
from {
protocol icmp;
}
then {
discard;
}
}
}
}
}
}
[edit]
R2# show firewall
family mpls {
filter MPLS_filter {
term 1 {
from {
apply-groups test;
}
then discard;
}
term 2 {
then accept;
}
}
}
[edit]
R2# show interfaces ge-1/3/11
unit 0 {
family inet {
address 10.1.1.2/24;
}
family mpls {
filter {
input MPLS_filter;
}
}
}
[edit]