On Tue, 12 Jul 2011, Stefan Fouant wrote:
> Hi Clarke,
>
> If you are using an MX platform, instead of using family-inet on your
> interfaces, configure them in a bridge-group using family bridge (simply use
> an IRB interface for the routing functions). Then you can create firewall
> filters for those respective interfaces under [firewall filter family bridge]
> as in the following:
>
> root at lab-mx1# show firewall
> family bridge {
> filter test {
> term arp {
> from {
> ether-type arp;
> }
> then {
> count arp;
> accept;
> }
> }
> }
> }
>
> Once you have a counter assigned, you can now poll this via SNMP as well.
Hi, Stefan,
I guess I should have been more descriptive. In my MX configuration, the
IRB interface is the only interface in the VPLS domain, so there are no
"bridge" interfaces where I can configure a "bridge" filter. In other
words, the VPLS instance is configured as "connectivity-type irb". The
only interface I can configure in that VPLS domain for a filter is the IRB
itself, which requires "family inet", unless there is something I don't
know about.
instance-type vpls;
vlan-id 100;
routing-interface irb.100;
route-distinguisher 192.168.0.1:100;
vrf-target target:65000:100;
protocols {
vpls {
connectivity-type irb;
}
}
So my example is a little problematic since the ether-type part of the
packet I need to look at on ingress is buried under the mpls header.
Your suggestion does work well in other configuration contexts.
Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187