MPLS
MPLS Description
MPLS Overview
Multiprotocol Label Switching (MPLS) is a networking process that replaces complete network addresses with short path labels for directing data packets to network nodes. The labels identify virtual links (paths) between distant nodes rather than endpoints. MPLS is scalable and protocol-independent. Data packets are assigned labels, which are used to determine packet forwarding destinations without examining the packet.
Arista switches utilize MPLS to improve efficiency and control from servers through data centers and to the WAN. The MPLS implementation supports static MPLS tunneling that is manually configured on each switch or established over a network by an SDN controller. The configuration is specified by a set of rules that filter packets based on matching criteria. Each rule applies MPLS-related actions to packets that match the rule's criteria. Each rule includes a metric that the switch uses to select an action when multiple rules match a packet.
MPLS Implementation
- A 20-bit value that is compared to the top header label of each MPLS packet. Other rule parameters may be applied to packets whose top label matches this value.
- A nexthop location that specifies the packet’s next destination (IPv4 or IPv6) and the interface through which the switch forwards the packet.
- An MPLS label stack management action that is performed on filtered packets:
  - pop-payload: removes the top label from the stack; this terminates a Label-Switched Path (LSP).
  - swap-label: replaces the top label with a specified new label; this passes a packet along an LSP.
- A rule metric that the switch uses to select a rule when multiple rules match an MPLS packet.
Packets that do not match any MPLS rules are dropped.
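The rule lookup described above can be modelled in Python. This is an added example, not Arista code: it decodes the 32-bit MPLS label stack entry (20-bit label, 3-bit traffic class, bottom-of-stack bit, 8-bit TTL, per RFC 3032), picks the matching rule with the lowest metric, applies pop or swap, and drops packets that match no rule. The Rule class, the function names and the sample rule set are assumptions made for illustration; TTL decrement is left out of the model.

```python
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """Hypothetical model of one static MPLS rule."""
    top_label: int                    # 20-bit value compared with the top label
    nexthop: str
    action: str                       # "pop" or "swap"
    new_label: Optional[int] = None   # only used by "swap"
    interface: Optional[str] = None   # None means any interface
    metric: int = 100


def build_lse(label: int, tc: int, s: int, ttl: int) -> bytes:
    """Encode one label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and s in (0, 1) and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)


def parse_lse(data: bytes):
    """Decode the first label stack entry into (label, tc, s, ttl)."""
    if len(data) < 4:
        raise ValueError("truncated MPLS header")
    (word,) = struct.unpack("!I", data[:4])
    return word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF


def select_rule(rules, label):
    """Among rules whose top label matches, the lowest metric wins."""
    matches = [r for r in rules if r.top_label == label]
    return min(matches, key=lambda r: r.metric) if matches else None


def forward(rules, packet: bytes):
    """Return (nexthop, interface, outgoing bytes), or None when dropped."""
    label, tc, s, ttl = parse_lse(packet)
    rule = select_rule(rules, label)
    if rule is None:
        return None                   # no matching MPLS rule: packet is dropped
    if rule.action == "pop":
        out = packet[4:]              # remove the top label
    elif rule.action == "swap":
        out = build_lse(rule.new_label, tc, s, ttl) + packet[4:]
    else:
        raise ValueError("unknown action: " + rule.action)
    return rule.nexthop, rule.interface, out


# Constructed rule set that mirrors the labels and next hops used on this page.
RULES = [
    Rule(3400, "10.14.4.4", "pop", interface="Ethernet4/3", metric=150),
    Rule(3400, "10.14.4.4", "pop", interface="Ethernet3/3/3"),
    Rule(300, "192.0.2.2", "swap", new_label=500, interface="Ethernet3/1"),
]

if __name__ == "__main__":
    print(forward(RULES, build_lse(3400, 0, 1, 64) + b"inner-ip-packet"))
    print(forward(RULES, build_lse(999, 0, 1, 64) + b"inner-ip-packet"))
```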
MPLSoGRE Filtered Mirroring
In MPLS over Generic Routing Encapsulation (MPLSoGRE) filtered mirroring, IPv4 over MPLS over GRE (IPv4oMPLSoGRE) and IPv6 over MPLS over GRE (IPv6oMPLSoGRE) packets that enter a GRE tunnel endpoint on which MPLS lookup is performed are selected for mirroring based on the destination IP address field in the inner IPv4 or IPv6 header.
The image below shows the header format of the packets that are selected for mirroring.
When mirroring to a GRE tunnel, the payload of the outgoing GRE packet contains the payload of the incoming source packet starting from the MPLS header. L2 and outer L3 headers are stripped from the mirror copy. When the MPLS lookup fails, the packet is still eligible for mirroring based on the selection criteria defined in the ACL.
Mixed TTL/DSCP in MPLS Tunnel Termination
A Label Edge Router (LER) decapsulating an MPLS packet may choose to source the TTL and DSCP fields from either the MPLS header or the original inner IPv4 header. However, some applications need the TTL field value from the MPLS header, while retaining the DSCP from the original IPv4 header. Mixed TTL/DSCP in MPLS Tunnel Termination enables tunnel termination to select this specific mix of two modes.
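The effect of the mixed mode on the decapsulated header can be shown with a small Python model. This is an added example, not Arista code: terminate() strips a bottom-of-stack label and sources the inner IPv4 TTL and DSCP according to the chosen model, then recomputes the header checksum. All function names, the sample addresses and the tc_to_dscp map (needed only when DSCP is taken from the MPLS header) are assumptions; the egress TTL decrement is left out.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; 0 when a valid checksum is in place."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int, dscp: int, proto: int = 17) -> bytes:
    """Build a 20-byte IPv4 header (no options, no payload) for the sample."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0,
                                ttl, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def build_labeled_packet(label: int, tc: int, ttl: int, inner: bytes) -> bytes:
    """Prepend a single bottom-of-stack label entry to an IPv4 packet."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (1 << 8) | ttl) + inner


def terminate(packet: bytes, ttl_model: str = "uniform", dscp_model: str = "pipe",
              tc_to_dscp=None) -> bytes:
    """Decapsulate; 'uniform' takes a field from the MPLS header, 'pipe' keeps the inner one."""
    if ttl_model not in ("uniform", "pipe") or dscp_model not in ("uniform", "pipe"):
        raise ValueError("model must be 'uniform' or 'pipe'")
    if len(packet) < 24:
        raise ValueError("truncated packet")
    (lse,) = struct.unpack("!I", packet[:4])
    tc, bottom, mpls_ttl = (lse >> 9) & 0x7, (lse >> 8) & 0x1, lse & 0xFF
    if not bottom:
        raise ValueError("label is not bottom of stack; payload is not IP yet")
    inner = bytearray(packet[4:])
    ihl = (inner[0] & 0xF) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("inner payload is not a valid IPv4 header")
    if ttl_model == "uniform":
        inner[8] = mpls_ttl                       # TTL from the MPLS header
    if dscp_model == "uniform":
        # Assumption: the caller supplies the TC-to-DSCP map.
        inner[1] = (tc_to_dscp[tc] << 2) | (inner[1] & 0x3)
    inner[10:12] = b"\x00\x00"                    # clear, then recompute checksum
    struct.pack_into("!H", inner, 10, ipv4_checksum(bytes(inner[:ihl])))
    return bytes(inner)


def ttl_dscp(ip_header: bytes):
    """Return (TTL, DSCP) of an IPv4 header."""
    return ip_header[8], ip_header[1] >> 2


# Constructed sample: inner TTL 64 / DSCP 46, MPLS TTL 59 / TC 5.
INNER = build_ipv4_header("10.1.1.1", "10.2.2.2", ttl=64, dscp=46)
PACKET = build_labeled_packet(3400, tc=5, ttl=59, inner=INNER)

if __name__ == "__main__":
    print("mixed  :", ttl_dscp(terminate(PACKET, "uniform", "pipe")))
    print("pipe   :", ttl_dscp(terminate(PACKET, "pipe", "pipe")))
    print("uniform:", ttl_dscp(terminate(PACKET, "uniform", "uniform", {5: 40})))
```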
Configuration
switch(config)# mpls ip
switch(config)# mpls static vrf-label mpls-label vrf vrf-name
switch(config)# ip routing vrf vrf-name
switch(config)# mpls tunnel termination model ttl uniform dscp pipe
switch(config)# packet mpls ipv4 forwarding routed decap
switch(config)# hardware tcam
# May use any profile that provides “qos ip”
switch(config-tcam)# profile name copy default
switch(config-tcam-profile-name)# feature qos ip
switch(config-tcam-profile-name-feature-qos-ip)# packet mpls ipv4 forwarding routed decap
switch(config-tcam)# system profile name
Packet Support for IPv6
switch(config)# hardware tcam
# May use any profile that provides “qos ipv6”
switch(config-tcam)# profile name copy default
switch(config-tcam-profile-name)# feature qos ipv6
switch(config-tcam-profile-name-ipv4)# packet mpls ipv6 forwarding routed decap
switch(config-tcam)# system profile name
Support for MPLS Packets in IP ACLs
Ingress and egress IPv4 and IPv6 access-lists do not automatically match the inner IP header when processing IP over MPLS traffic.
Support is now available to allow matching of the inner IP header in an access-list by adding the proper packet types to the corresponding TCAM features.
DSCP-to-TC Maps for MPLS Traffic to L3 VRFs
MPLS-labeled traffic, both IPv4 and IPv6, can be decapsulated and routed using a specific VRF, either the default or a named VRF. The MPLS label can be statically assigned to a specific VRF, or dynamically through L3 EVPN MPLS. In this configuration, a traffic class (TC) label based on a packet's ingress DSCP is added to the decapsulated MPLS packet if it is directed to a specific VRF. This is an MPLS tunneling technique called Short Pipe Mode.
The mapping of DSCP labels to TC is steered by a QoS map. Up to 10 custom maps can be applied. Such a map will only use hardware resources when attached to at least one VRF. When a map is first created, the DSCP-to-TC map is copied from the global map; subsequent changes to the global map do not have any effect on custom maps.
MPLS Configuration
MPLS routing is enabled through the mpls ip command.
switch(config)# mpls ip
switch(config)# show running-config mpls ip
!
end
switch(config)#
MPLS rules are created by the mpls static command. MPLS static rules identify a set of MPLS packets by a common top label and define the method of handling these packets.
These commands create an MPLS rule that matches packets with a top label value of 3400 and causes the removal of the top label from the header stack. The nexthop destination of the IPv4 payload is IP address 10.14.4.4 through interface ethernet 3/3/3. This rule has a metric value of 100.
switch(config)# mpls static top-label 3400 ethernet 3/3/3 10.14.4.4 pop payload-type ipv4
switch(config)# show running-config
!
mpls static top-label 3400 Ethernet3/3/3 10.14.4.4 pop payload-type ipv4
!
end
switch(config)#
These commands create a backup rule that forwards the packet through interface ethernet 4/3. This rule’s metric value of 150 makes it a backup to the first rule.
switch(config)# mpls static top-label 3400 ethernet 4/3 10.14.4.4 pop payload-type ipv4 metric 150
switch(config)# show running-config
!
mpls static top-label 3400 Ethernet4/3 10.14.4.4 pop payload-type ipv4 metric 150
mpls static top-label 3400 Ethernet3/3/3 10.14.4.4 pop payload-type ipv4
!
end
switch(config)#
These commands create an MPLS rule that forwards the packet to the nexthop address through any interface.
switch(config)# mpls static top-label 4400 10.15.46.45 pop payload-type ipv4
switch(config)# show running-config
!
mpls static top-label 3400 Ethernet4/3 10.14.4.4 pop payload-type ipv4 metric 150
mpls static top-label 3400 Ethernet3/3/3 10.14.4.4 pop payload-type ipv4
mpls static top-label 4400 10.15.46.45 pop payload-type ipv4
!
end
switch(config)#
This command configures a static tunnel for the tunnel endpoint 64.0.0.1 and pushes a label 11111 to it.
switch(config)# mpls static STATIC 64.0.0.1/32 54.0.0.1 Port-Channel7 label-stack 11111
This example shows MPLS swap route configuration. The following CLI swaps a packet with MPLS top label 3400 to 5600 for forwarding to 10.14.4.4.
switch(config)# mpls static top-label 3400 10.14.4.4 swap 5600
switch(config)#
This example shows MPLS next-hop group configuration. The following CLI shows the specification of a next-hop group called TestGrp1 with two entries.
switch(config)# nexthop-group TestGrp1 type MPLS
switch(config-nexthop-group-TestGrp1)# size 2
switch(config-nexthop-group-TestGrp1)# entry 0 push label-stack 70 nexthop 10.20.30.5
switch(config-nexthop-group-TestGrp1)# entry 1 push label-stack 71 nexthop 10.20.30.6
switch(config-nexthop-group-TestGrp1)# exit
switch(config)#
The label-stack keyword can take only one label. Tunnel-source and ttl config commands do not apply to MPLS NexthopGroups and are disabled. The nexthop entry is recursively resolved when the specified entry is a remote nexthop. The show command indicates the resolved, directly-attached nexthop.
The switch’s MPLS static rule configuration for specified routes and rules is displayed by show mpls route.
This command displays the MPLS rule configuration.
switch> show mpls config route
In-Label Out-Label Metric Payload NextHop
3400 pop 100 ipv4 10.14.4.4,Et3/3/3
3400 pop 150 ipv4 10.14.4.4,Et4/3
switch>
Statistics about the configuration and implementation of MPLS rules are displayed by the show mpls route summary command.
This command displays a summary of MPLS rule implementation.
switch> show mpls route summary
Number of Labels: 1 (1 unprogrammed)
Number of adjacencies in hardware: 0
Number of backup adjacencies: 2
switch>
The show mpls lfib route command displays the Label Forwarding Information Base of the switch.
switch(config)# show mpls lfib route
MPLS forwarding table (Label [metric] Vias) - 1 routes
MPLS next-hop resolution allow default route: False
Via Type Codes:
M - MPLS via, P - Pseudowire via,
I - IP lookup via, V - VLAN via,
VA - EVPN VLAN aware via, ES - EVPN ethernet segment via,
VF - EVPN VLAN flood via, AF - EVPN VLAN aware flood via,
NG - Nexthop group via
Source Codes:
G - gRIBI, S - Static MPLS route,
B2 - BGP L2 EVPN, B3 - BGP L3 VPN,
R - RSVP, LP - LDP pseudowire,
L - LDP, M - MLDP,
IP - IS-IS SR prefix segment, IA - IS-IS SR adjacency segment,
IL - IS-IS SR segment to LDP, LI - LDP to IS-IS SR segment,
BL - BGP LU, ST - SR TE policy,
DE - Debug LFIB
S 300 [100]
via M, 192.0.2.2, swap 500
payload mpls, bypass egress-acl
interface Ethernet3/1
switch(config)#
The show ip route command displays all IP routes along with static MPLS push routes and Nexthop Group routes.
switch(config)# show ip route
VRF name: default
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - ISIS level 1, I L2 - ISIS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control service
Gateway of last resort is not set
C 192.0.2.0/24 is directly connected, Ethernet1/1
S 3.3.3.0/24 [1/0] via 192.0.2.2, Ethernet1/1 label 200
S 10.80.0.0/13 [1/0] via 172.24.0.1, Management1
S 10.95.0.0/20 [1/0] via 172.24.0.1, Management1
C 172.24.0.0/18 is directly connected, Management1
S 172.16.0.0/12 [1/0] via 172.24.0.1, Management1
switch(config)#
The MPLS push routes are of type static so the show ip route static command also displays the output for an MPLS Nexthop Group assuming there is a route pointing to the NexthopGroup and the entries in the NexthopGroup are resolved. The output for show nexthop-group TestGrp1 for the test group configured earlier is shown below.
switch(config)# show nexthop-group TestGrp1
TestGrp1
Id 2
Type MPLS
Size 2
Entries
0 push label-stack 70 nexthop 10.20.30.5
Tunnel destination directly connected, Ethernet2
52:14:a3:a6:50:e8, Ethernet2
1 push label-stack 71 nexthop 10.20.30.6
Tunnel destination directly connected, Ethernet2
52:14:a3:a6:50:e8, Ethernet2
switch(config)#
LSP Ping/Traceroute for MPLS Nexthop Group Tunnels
The ping/traceroute mpls tunnel nexthop-group command checks the liveness of the Nexthop Group tunnel endpoint for an MPLS Nexthop Group.
The following displays the output for the ping command where the endpoint is specified.
switch(config)# rtrmpls1
switch(config-rtrmpls1)# ping mpls tunnel nexthop-group 100.0.116.1/32
LSP ping to nexthop-group tunnel 100.0.116.1/32
100.0.116.1/32: nexthop-group tunnel index 1 (nexthop-group name: nhg-100)
Entry 0
Via 10.0.16.2
Reply from 10.0.108.1: seq=1, time=507.546ms
Entry 1
Via 10.0.16.8
Reply from 10.0.113.1: seq=1, time=516.131ms
--- nexthop-group tunnel index 1, nexthop-group nhg-100: lspping statistics ---
Entry 0
Via 10.0.16.2
1 packets transmitted, 1 received, 0% packet loss, time 652ms
1 received from 10.0.108.1, rtt min/max/avg 507.546/507.546/507.546 ms
Entry 1
Via 10.0.16.8
1 packets transmitted, 1 received, 0% packet loss, time 652ms
1 received from 10.0.113.1, rtt min/max/avg 516.131/516.131/516.131ms
The following displays the output for the traceroute command where the endpoint is specified.
switch(config)# rtrmpls1
switch(config-rtrmpls1)# traceroute mpls tunnel nexthop-group 100.0.116.1/32
LSP traceroute to nexthop-group tunnel 100.0.116.1/32
Traceroute over nexthop-group tunnel index 1, nexthop-group nhg-100 Entry 1
Entry 1
1 10.0.225.1 32.571ms
label stack (top label first): 89
2 10.0.227.1 42.866ms
label stack (top label first): 109
3 10.0.229.1 54.893ms
label stack (top label first): 110
4 10.0.231.1 15.946ms
label stack (top label first): 111
5 10.0.233.1 27.72ms
label stack (top label first): 112
6 10.0.113.1 36.383ms
The following displays the output for the ping command where the static route resolves over Nexthop Group tunnel(s).
switch(config-rtrmpls1)# ping mpls static ip 100.0.77.0/24
LSP ping to static MPLS push label route 100.0.77.0/24
100.0.77.0/24: nexthop-group tunnel index 1 (nexthop-group name: nhg-46)
Entry 0
Via 10.0.25.5
Reply from 10.0.51.1: seq=1, time=112.171ms
100.0.77.0/24: nexthop-group tunnel index 2 (nexthop-group name: nhg-64)
Entry 0
Via 10.0.25.4
Reply from 10.0.68.1: seq=1, time=121.809ms
Entry 1
Via 10.0.25.9
Reply from 10.0.76.1: seq=1, time=133.668ms
--- nexthop-group tunnel index 1, nexthop-group nhg-46: lspping statistics ---
Entry 0
Via 10.0.25.5
1 packets transmitted, 1 received, 0% packet loss, time 251ms
1 received from 10.0.51.1, rtt min/max/avg 112.171/112.171/112.171 ms
--- nexthop-group tunnel index 2, nexthop-group nhg-64: lspping statistics ---
Entry 0
Via 10.0.25.4
1 packets transmitted, 1 received, 0% packet loss, time 251ms
1 received from 10.0.68.1, rtt min/max/avg 121.809/121.809/121.809 ms
Entry 1
Via 10.0.25.9
1 packets transmitted, 1 received, 0% packet loss, time 251ms
1 received from 10.0.76.1, rtt min/max/avg 133.668/133.668/133.668 ms
The following displays the output for the traceroute command where the static route resolves over Nexthop Group tunnel(s). The command randomly selects a tunnel.
switch(config-rtrmpls1)# traceroute mpls static ip 100.0.77.0/24
LSP traceroute to 100.0.77.0/24
100.0.77.0/24: nexthop-group tunnel index 1 (nexthop-group name: nhg-46)
100.0.77.0/24: nexthop-group tunnel index 2 (nexthop-group name: nhg-64)
Traceroute over nexthop-group tunnel index 1, nexthop-group nhg-46 Entry 0
Entry 0
1 10.0.83.1 382.798ms
label stack (top label first): 35
2 10.0.85.1 42.7ms
label stack (top label first): 47
3 10.0.87.1 55.815ms
label stack (top label first): 48
4 10.0.89.1 17.728ms
label stack (top label first): 49
5 10.0.91.1 29.452ms
label stack (top label first): 50
6 10.0.51.1 38.686ms
Configuring MPLSoGRE Filtered Mirroring
The filtered mirroring of terminated MPLSoGRE packets is configured by creating an IPv4 access-list, and then attaching the IPv4 access-list to a monitor session source where a tunnel decap group has been configured. This IPv4 access-list has rules that match either inner IPv4 or inner IPv6 destination addresses.
Enabling the TC-Counters TCAM Profile
- Security ACLs are not enforced on IPv4oMPLSoGRE and IPv6oMPLSoGRE terminated packets.
- The rules of a mirroring ACL are set to match either inner IPv4 or inner IPv6 header fields, but not both.
ACLs containing rules that match both inner IPv4 and inner IPv6 header fields are not applicable to a single source interface in multiple mirroring sessions. In other words, all ACLs applied to a shared source interface must contain either inner IPv4 rules or inner IPv6 rules.
switch(config)# hardware tcam
switch(config-hw-tcam)# system profile tc-counters
switch(config-hw-tcam)# exit
Defining Two IPv4 Access-Lists
The ip access-list command places the switch in ACL configuration mode, which is a group change mode that modifies an IPv4 access control list. The command specifies the name of the IPv4 ACL that subsequent commands modify and creates an ACL if it references a nonexistent list. All changes in a group change mode edit session are pending till the end of the session.
switch(config)# ip access-list dIPv4
switch(config)# 10 permit ip any any inner ip any host 5.5.5.5
switch(config)# exit
switch(config)# ip access-list dIPv6
switch(config)# 10 permit ip any any inner ipv6 any host 55::55
switch(config)# exit
Attaching Access-Lists
switch(config)# monitor session sess1 source et1 rx ip access-group dIPv4
switch(config)# monitor session sess1 destination tunnel mode gre source 1.1.1.1 destination 2.2.2.2
switch(config)# monitor session sess2 source et2 rx ip access-group dIPv6
switch(config)# monitor session sess2 destination tunnel mode gre source 3.3.3.3 destination 4.4.4.4
switch(config)# show monitor session
Session sess1
------------------------
Source Ports:
Rx Only: Et1(IP ACL: dIPv4)
Destination Ports:
status source dest TTL DSCP proto VRF fwd-drop
Gre1 : active 1.1.1.1 2.2.2.2 128 0 0x88be default no
Session sess2
------------------------
Source Ports:
Rx Only: Et2(IP ACL: dIPv6), Et5(IP ACL: dIPv6)
Destination Ports:
status source dest TTL DSCP proto VRF fwd-drop
Gre2 : active 3.3.3.3 4.4.4.4 128 0 0x88be default no
switch(config)#
Configurations to Support IP ACLs for MPLS Packets
Ingress IP Access-List Support
packet mpls ipv4 forwarding bridged
packet mpls ipv4 forwarding mpls
To enable ingress inner IP header matching, create a user-defined profile with these new packet types. Although MAC access-lists do not match on the inner IP header, you must still add this packet type in order to generate a lookup for MPLS packets (if using MAC ACLs).
hardware tcam
#May use any profile that provides ACL features
profile <name> copy default
feature acl port ip
packet mpls ipv4 forwarding bridged
packet mpls ipv4 forwarding mpls
feature acl port ipv6
packet mpls ipv6 forwarding bridged
packet mpls ipv6 forwarding mpls
feature acl port mac
packet mpls ipv4 forwarding bridged
packet mpls ipv4 forwarding mpls
packet mpls ipv6 forwarding bridged
packet mpls ipv6 forwarding mpls
system profile <name>
Starting in EOS Release 4.23.1, ingress inner IP header matching in MPLS packets is also supported on PBR ACLs. To enable this, the following must be configured in a user-defined TCAM profile:
hardware tcam
#May use any profile that provides ACL features
profile <name> copy default
feature pbr ip
packet mpls ipv4 forwarding mpls
feature pbr ipv6
packet mpls ipv6 forwarding mpls
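Because an ACL feature that lacks these packet types does not match the inner IP header of MPLS traffic, a TCAM profile is worth checking before relying on inner-header rules. The following Python audit is an added example, not an Arista tool: it parses a profile listing (flat or indented, with or without CLI prompts) and reports, for each ACL or PBR feature present, which of the MPLS packet types listed in this section are missing. The function names and the sample profile named mpls-acl are constructed for illustration.

```python
import re

# Packet types this section lists for each feature.
REQUIRED = {
    "acl port ip": {"mpls ipv4 forwarding bridged", "mpls ipv4 forwarding mpls"},
    "acl port ipv6": {"mpls ipv6 forwarding bridged", "mpls ipv6 forwarding mpls"},
    "acl port mac": {"mpls ipv4 forwarding bridged", "mpls ipv4 forwarding mpls",
                     "mpls ipv6 forwarding bridged", "mpls ipv6 forwarding mpls"},
    "pbr ip": {"mpls ipv4 forwarding mpls"},
    "pbr ipv6": {"mpls ipv6 forwarding mpls"},
}

PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")   # e.g. "switch(config-tcam)# "


def parse_profile(text: str) -> dict:
    """Return {feature name: set of packet types} from a TCAM profile listing."""
    features, current = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", " ".join(raw.split()))   # drop indentation and prompt
        if not line or line[0] in "#!":
            continue                                    # blank line or comment
        if line.startswith("feature "):
            current = line[len("feature "):]
            features.setdefault(current, set())
        elif line.startswith("packet ") and current is not None:
            features[current].add(line[len("packet "):])
        elif line.startswith(("hardware tcam", "profile ", "system profile ")):
            current = None                              # left the feature block
    return features


def missing_mpls_packet_types(text: str) -> dict:
    """Map each configured ACL/PBR feature to the MPLS packet types it lacks."""
    features = parse_profile(text)
    gaps = {}
    for feature, needed in REQUIRED.items():
        if feature in features:                         # only audit features in use
            missing = sorted(needed - features[feature])
            if missing:
                gaps[feature] = missing
    return gaps


# Constructed sample profile with two gaps.
SAMPLE_PROFILE = """
hardware tcam
   profile mpls-acl copy default
      feature acl port ip
         packet ipv4 forwarding routed
         packet mpls ipv4 forwarding bridged
         packet mpls ipv4 forwarding mpls
      feature acl port ipv6
         packet ipv6 forwarding routed
         packet mpls ipv6 forwarding bridged
      feature pbr ip
         packet ipv4 forwarding routed
   system profile mpls-acl
"""

if __name__ == "__main__":
    for feature, missing in missing_mpls_packet_types(SAMPLE_PROFILE).items():
        print("feature %s is missing: %s" % (feature, ", ".join(missing)))
```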
Egress IPv4/IPv6 over MPLS ACLs
IPv4/IPv6 over MPLS packets are now eligible for ACLs at the egress stage by default. This applies only to IPv4/IPv6 over MPLS packets that are MPLS label popped (such as if the label is at the bottom of stack). The user can override this behavior if required, thereby disabling egress ACLs for certain MPLS labels by configuration. No special configuration is required to enable egress ACLs on IPv4/IPv6 over MPLS packets.
Examples
- This command disables egress ACLs for MPLS top-label 12000 on the egress interface 120.1.1.1 nexthop address.
switch(config)# no mpls static top-label 12000 120.1.1.1 pop payload-type ipv6
switch(config)#
- This command enables egress ACLs for MPLS top-label 12000 on the egress interface 120.1.1.1 nexthop address.
switch(config)# mpls static top-label 12000 120.1.1.1 pop payload-type ipv6
switch(config)#
MPLS Pop Terminated Packets
feature acl port ip egress mpls-tunnelled-match
hardware tcam
#May use any profile that provides ACL features
profile <name> copy <some-system-profile>
feature acl port ip egress mpls-tunnelled-match
system profile <name>
MPLS VRF-Decapsulated Packets
hardware tcam
profile <name> copy default
feature qos ip
packet mpls ipv4 forwarding routed decap
system profile <name>
Supporting Traffic Policy on Interfaces
An Access Control List (ACL) configures the action taken on packets passing through the packet processor pipeline, based on different fields of the packets. TCAM is usually used to match packets, with multiple entries matching the list of IP addresses. Because TCAM is a limited resource, traffic-policy transforms the fields of the packet into a summary of the relevant rules each field matches, by using the interface traffic-policy command.
Custom TCAM Profile
hardware tcam
profile traffic-policy
feature acl port mac
sequence 55
key size limit 160
key field dst-mac ether-type src-mac
action count drop
packet ipv4 forwarding bridged
packet ipv4 forwarding routed
packet ipv4 forwarding routed multicast
packet ipv4 mpls ipv4 forwarding mpls decap
packet ipv4 mpls ipv6 forwarding mpls decap
packet ipv4 non-VXLAN forwarding routed decap
packet ipv4 VXLAN forwarding bridged decap
packet ipv6 forwarding bridged
packet ipv6 forwarding routed
packet ipv6 forwarding routed decap
packet ipv6 forwarding routed multicast
packet ipv6 ipv6 forwarding routed decap
packet mpls forwarding bridged decap
packet mpls ipv4 forwarding mpls
packet mpls ipv6 forwarding mpls
packet mpls non-ip forwarding mpls
packet non-ip forwarding bridged
feature forwarding-destination mpls
sequence 100
feature mirror ip
sequence 80
key size limit 160
key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops l4-src-port src-ip tcp-control
action count mirror set-policer
packet ipv4 forwarding bridged
packet ipv4 forwarding routed
packet ipv4 forwarding routed multicast
packet ipv4 non-VXLAN forwarding routed decap
feature mpls
sequence 5
key size limit 160
action drop redirect set-ecn
packet ipv4 mpls ipv4 forwarding mpls decap
packet ipv4 mpls ipv6 forwarding mpls decap
packet mpls ipv4 forwarding mpls
packet mpls ipv6 forwarding mpls
packet mpls non-ip forwarding mpls
feature pbr ip
sequence 60
key size limit 160
key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops-18b l4-src-port src-ip tcp-control
action count redirect
packet ipv4 forwarding routed
packet ipv4 mpls ipv4 forwarding mpls decap
packet ipv4 mpls ipv6 forwarding mpls decap
packet ipv4 non-VXLAN forwarding routed decap
packet ipv4 VXLAN forwarding bridged decap
feature pbr ipv6
sequence 30
key field dst-ipv6 ipv6-next-header l4-dst-port l4-src-port src-ipv6-high src-ipv6-low tcp-control
action count redirect
packet ipv6 forwarding routed
feature pbr mpls
sequence 65
key size limit 160
key field mpls-inner-ip-tos
action count drop redirect
packet mpls ipv4 forwarding mpls
packet mpls ipv6 forwarding mpls
packet mpls non-ip forwarding mpls
feature qos ip
sequence 75
key size limit 160
key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops l4-src-port src-ip tcp-control
action set-dscp set-policer set-tc
packet ipv4 forwarding routed
packet ipv4 forwarding routed multicast
packet ipv4 mpls ipv4 forwarding mpls decap
packet ipv4 mpls ipv6 forwarding mpls decap
packet ipv4 non-VXLAN forwarding routed decap
feature qos ipv6
sequence 70
key field dst-ipv6 ipv6-next-header ipv6-traffic-class l4-dst-port l4-src-port src-ipv6-high src-ipv6-low
action set-dscp set-policer set-tc
packet ipv6 forwarding routed
feature traffic-policy port ipv4
sequence 45
key size limit 160
key field dscp dst-ip-label icmp-type-code ip-frag ip-fragment-offset ip-length ip-protocol l4-dst-port l4-src-port src-ip-label tcp-control ttl
action count drop log set-dscp set-tc
packet ipv4 forwarding routed
feature traffic-policy port ipv6
sequence 25
key field dst-ipv6-label hop-limit icmp-type-code ipv6-length ipv6-next-header ipv6-traffic-class l4-dst-port l4-src-port src-ipv6-label tcp-control
action count drop log set-dscp set-tc
packet ipv6 forwarding routed
feature tunnel VXLAN
sequence 50
key size limit 160
packet ipv4 VXLAN eth ipv4 forwarding routed decap
packet ipv4 VXLAN forwarding bridged decap