MPLS

These sections describe the Arista MPLS implementation:

MPLS Description

MPLS Overview

Multiprotocol Label Switching (MPLS) is a networking process that replaces complete network addresses with short path labels for directing data packets to network nodes. The labels identify virtual links (paths) between distant nodes rather than endpoints. MPLS is scalable and protocol-independent. Data packets are assigned labels, which are used to determine packet forwarding destinations without examining the packet.

Arista switches utilize MPLS to improve efficiency and control from servers through data centers and to the WAN. The MPLS implementation supports static MPLS tunneling that is manually configured on each switch or established over a network by an SDN controller. The configuration is specified by a set of rules that filter packets based on matching criteria. Each rule applies MPLS-related actions to packets that match the rule's criteria. Each rule includes a metric that the switch uses to select an action when multiple rules match a packet.

MPLS Implementation

MPLS static rule parameters contain the following:
  • A 20-bit value that is compared to the top header label of each MPLS packet. Other rule parameters may be applied to packets whose top label match this value.
  • A nexthop location that specifies the packet’s next destination (IPv4 or IPv6) and the interface through which the switch forwards the packet.
  • An MPLS label stack management action that is performed on filtered packets:
    • pop-payload: removes the top label from stack; this terminates an Label-Switched Path (LSP).
    • swap-label: replaces top label with a specified new label; this passes a packet along an LSP.
  • A rule metric that the switch uses to select a rule when multiple rules match an MPLS packet.

Packets that do not match any MPLS rules are dropped.

MPLSoGRE Filtered Mirroring

In MPLS over Generic Routing Encapsulation (MPLSoGRE) filtered mirroring, IPv4 over MPLS over GRE (IPv4oMPLSoGRE) and IPv6 over MPLS over GRE (IPv6oMPLSoGRE) packets that enter a GRE tunnel endpoint on which MPLS lookup is performed, are selected for mirroring based on the destination IP address field in the inner IPv4 or IPv6 header.

Note: These packets are not selected for mirroring if they are forwarded based on either the L2 or outer L3 header destination address.

the image below shows the header format of the packets that are selected for mirroring.

Figure 1. Header Format of Packets


When mirroring to a GRE tunnel, the payload of the outgoing GRE packet contains the payload of the incoming source packet starting from the MPLS header. L2 and outer L3 headers are stripped from the mirror copy. When the MPLS lookup fails, the packet is still eligible for mirroring based on the selection criteria defined in the ACL.

Mixed TTL/DSCP in MPLS Tunnel Termination

A Label Edge Router (LER) decapsulating an MPLS packet may choose to source the TTL and DSCP fields from either the MPLS header or the original inner IPv4 header. However, some applications need the TTL field value from the MPLS header, while retaining the DSCP from the original IPv4 header. Mixed TTL/DSCP in MPLS Tunnel Termination enables tunnel termination to select this specific mix of two modes.

This section contains the following topics:

Configuration

Mixed TTL/DSCP in MPLS tunnel termination is intended to be used with MPLS VRF decapsulation. Therefore, a static VRF-to-MPLS-label map is expected to be provided, similar to the following:
switch(config)# mpls ip
switch(config)# mpls static vrf-label mpls-label vrf vrf-name
switch(config)# ip routing vrf vrf-name
TTL=uniform and DSCP=pipe options have been added to the existing mpls tunnel termination command:
switch(config)# mpls tunnel termination model ttl uniform dscp pipe
Also, a new TCAM profile packet type has been introduced:
switch(config)# packet mpls ipv4 forwarding routed decap
Configuration occurs under the “qos ip” feature section of a user defined TCAM profile:
switch(config)# hardware tcam
# May use any profile that provides “qos ip”
switch(config-tcam)# profile name copy default   
switch(config-tcam-profile-name)# feature qos ip
switch(config-tcam-profile-name-feature-qos-ip)# packet mpls ipv4 forwarding routed decap   
      
switch(config-tcam)# system profile name 
Packet Support for IPv6
RFE 391109 brings mixed TTL/DSCP support for IPv6 over MPLS packets as well. The TCAM profile configuration is similar to the above IPv4 configuration:
switch(config)# hardware tcam
   # May use any profile that provides “qos ipv6”
switch(config-tcam)# profile name copy default
switch(config-tcam-profile-name)# feature qos ipv6
switch(config-tcam-profile-name-ipv4)# packet mpls ipv6 forwarding routed decap
switch(config-tcam)# system profile name

Support for MPLS Packets in IP acls

Ingress and egress IPv4 and IPv6 access-lists do not automatically match the inner IP header when processing IP over MPLS traffic.

Support is now avaiable to allow matching of the inner IP header in an access-list by adding the proper packet types to the corresponding TCAM features.

DSCP-to-TC Maps for MPLS Traffic to L3 VRFs

MPLS-labeled traffic, both IPv4 and IPv6, can be decapsulated and routed using a specific VRF, either the default or a named VRF. The MPLS label can be statically assigned to a specific VRF, or dynamically through L3 EVPN MPLS. In this configuration, a traffic class (TC) label based on a packet's ingress DSCP is added to the decapsulated MPLS packet if it is directed to a specific VRF. This is an MPLS tunneling technique called Short Pipe Mode.

The mapping of DSCP labels to TC is steered by a QoS map. Up to 10 custom maps can be applied. Such a map will only use hardware resources when attached to at least one VRF. When a map is first created, the DSCP-to-TC map is copied from the global map; subsequent changes to the global map do not have any effect on custom maps.

MPLS Configuration

MPLS routing is enabled through the mpls ip command.

This command enables MPLS routing.
switch(config)# mpls ip
switch(config)# show running-config mpls ip
!

end
switch(config)#

MPLS rules are created by the mpls static command. MPLS static rules identify a set of MPLS packets by a common top label and defines the method of handling these packets.

These commands create an MPLS rule that matches packets with a top label value of 3400 and causes the removal of the top label from the header stack. The nexthop destination of the IPv4 payload is IP address 10.14.4.4 through interface ethernet 3/3/3. This rule has a metric value of 100.

switch(config)# mpls static top-label 3400 ethernet 3/3/3 10.14.4.4 pop payload-type ipv4
switch(config)# show running-config

!
mpls static top-label 3400 Ethernet3/3/3 10.14.4.4 pop payload-type ipv4
!

end
switch(config)#

These commands create a backup rule that forwards the packet through interface ethernet 4/3. This rule’s metric value of 150 assigns it backup status prior to the first rule.

switch(config)# mpls static top-label 3400 ethernet 4/3 10.14.4.4 pop payload-type ipv4 metric 150
switch(config)# show running-config

!
mpls static top-label 3400 Ethernet4/3 10.14.4.4 pop payload-type ipv4 metric 150
mpls static top-label 3400 Ethernet3/3/3 10.14.4.4 pop payload-type ipv4
!

end
switch(config)#

These commands create an MPLS rule that forwards the packet to the nexthop address through any interface.

switch(config)# mpls static top-label 4400 10.15.46.45 pop payload-type ipv4
switch(config)# show running-config

!
mpls static top-label 3400 Ethernet4/3 10.14.4.4 pop payload-type ipv4 metric 150
mpls static top-label 3400 Ethernet3/3/3 10.14.4.4 pop payload-type ipv4
mpls static top-label 4400 10.15.46.45 pop payload-type ipv4
!

end
switch(config)#

This command configures a static tunnel for the tunnel endpoint 64.0.0.1 and pushes a label 11111 to it.

switch(config)# mpls static STATIC 64.0.0.1/32 54.0.0.1 Port-Channel7 label-stack 11111

This example shows MPLS swap route configuration. The following CLI swaps a packet with MPLS top label 3400 to 5600 for forwarding to 10.14.4.4.

switch(config)# mpls static top-label 3400 10.14.4.4 swap 5600
switch(config)#

This example shows MPLS next-hop groups configuration for MPLS. The following CLI shows the specification of a next hop group called TestGrp1 with two entries.

switch(config)# nexthop-group TestGrp1 type MPLS
switch(config-nexthop-group-TestGrp1)# size 2
switch(config-nexthop-group-TestGrp1)# entry 0 push label-stack 70 nexthop 10.20.30.5
switch(config-nexthop-group-TestGrp1)# entry 1 push label-stack 71 nexthop 10.20.30.6
switch(config-nexthop-group-TestGrp1)# exit
switch(config)#

The label-stack keyword can take only one label. Tunnel-source and ttl config commands do not apply to MPLS NexthopGroups and are disabled. The nexthop entry is recursively resolved when the specified entry is a remote nexthop. The show command indicates the resolved, directly-attached nexthop.

The switch’s MPLS static rule configuration for specified routes and rules is displayed by show mpls route.

This command displays the MPLS rule configuration.

switch> show mpls config route
In-Label  Out-Label  Metric  Payload  NextHop
3400      pop        100     ipv4     10.14.4.4,Et3/3/3
3400      pop        150     ipv4     10.14.4.4,Et4/3
switch>

Statistics about the configuration and implementation of MPLS rules are displayed by the show mpls route summary command.

This command displays a summary of MPLS rule implementation.

switch> show mpls route summary
Number of Labels: 1 (1 unprogrammed)
Number of adjacencies in hardware: 0
Number of backup adjacencies: 2
switch>

The show mpls lfib route command displays the Label Forward Information Base of the switch.

switch(config)# show mpls lfib route
MPLS forwarding table (Label [metric] Vias) - 1 routes
MPLS next-hop resolution allow default route: False
Via Type Codes:
          M - MPLS via, P - Pseudowire via,
          I - IP lookup via, V - VLAN via,
          VA - EVPN VLAN aware via, ES - EVPN ethernet segment via,
          VF - EVPN VLAN flood via, AF - EVPN VLAN aware flood via,
          NG - Nexthop group via
Source Codes:
          G - gRIBI, S - Static MPLS route,
          B2 - BGP L2 EVPN, B3 - BGP L3 VPN,
          R - RSVP, LP - LDP pseudowire,
          L - LDP, M - MLDP,
          IP - IS-IS SR prefix segment, IA - IS-IS SR adjacency segment,
          IL - IS-IS SR segment to LDP, LI - LDP to IS-IS SR segment,
          BL - BGP LU, ST - SR TE policy,
          DE - Debug LFIB
 
 S   300      [100]
                via M, 192.0.2.2, swap 500
                 payload mpls, bypass egress-acl
                 interface Ethernet3/1
switch(config)#

The show ip route command displays all IP routes along with static MPLS push routes and Nexthop Group routes.

switch(config)# show ip route
VRF name: default
 Codes: C - connected, S - static, K - kernel,
 O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
 E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
 N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
 R - RIP, I L1 - ISIS level 1, I L2 - ISIS level 2,
 O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
 NG - Nexthop Group Static Route, V - VXLAN Control service
 
Gateway of last resort is not set
C 192.0.2.0/24 is directly connected, Ethernet1/1
 S 3.3.3.0/24 [1/0] via 192.0.2.2, Ethernet1/1 label 200
 S 10.80.0.0/13 [1/0] via 172.24.0.1, Management1
 S 10.95.0.0/20 [1/0] via 172.24.0.1, Management1
 C 172.24.0.0/18 is directly connected, Management1
 S 172.16.0.0/12 [1/0] via 172.24.0.1, Management1
switch(config)#

The MPLS push routes are of type static so the show ip route static command also displays the output for an MPLS Nexthop Group assuming there is a route pointing to the NexthopGroup and the entries in the NexthopGroup are resolved. The output for show nexthop-group TestGrp1 for the test group configured earlier is shown below.

switch(config)# show nexthop-group TestGrp1
TestGrp1
  Id 2
  Type MPLS
  Size 2
  Entries
   0 push label-stack 70 nexthop 10.20.30.5
   Tunnel destination directly connected, Ethernet2
   52:14:a3:a6:50:e8, Ethernet2
   1 push label-stack 71 nexthop 10.20.30.6
   Tunnel destination directly connected, Ethernet2
   52:14:a3:a6:50:e8, Ethernet2
switch(config)#

LSP Ping/Traceroute for MPLS Nexthop Group Tunnels

The ping/traceroute mpls tunnel nexthop-group command checks the liveness of Nexthop Group tunnel endpoint for an MPLS Nexthop Group.

The following displays the output for the ping command where the endpoint is specified.

switch(config)# rtrmpls1
switch(config-rtrmpls1)# ping mpls tunnel nexthop-group 100.0.116.1/32
LSP ping to nexthop-group tunnel 100.0.116.1/32
 
100.0.116.1/32: nexthop-group tunnel index 1 (nexthop-group name: nhg-100)
Entry 0
 Via 10.0.16.2
 Reply from 10.0.108.1: seq=1, time=507.546ms
Entry 1
 Via 10.0.16.8
 Reply from 10.0.113.1: seq=1, time=516.131ms
 
--- nexthop-group tunnel index 1, nexthop-group nhg-100: lspping statistics
        ---
Entry 0
 Via 10.0.16.2
 1 packets transmitted, 1 received, 0% packet loss, time 652ms
 1 received from 10.0.108.1, rtt min/max/avg 507.546/507.546/507.546 ms
 
Entry 1
 Via 10.0.16.8
 1 packets transmitted, 1 received, 0% packet loss, time 652ms
   1 received from 10.0.113.1, rtt min/max/avg 516.131/516.131/516.131ms

The following displays the output where the endpoint is specified for traceroute command.

switch(config)# rtrmpls1
switch(config-rtrmpls1)# traceroute mpls tunnel nexthop-group 100.0.116.1/32
LSP traceroute to nexthop-group tunnel 100.0.116.1/32
Traceroute over nexthop-group tunnel index 1, nexthop-group nhg-100 Entry 1
Entry 1
  1  10.0.225.1        32.571ms
     label stack (top label first): 89
  2  10.0.227.1        42.866ms
     label stack (top label first): 109
  3  10.0.229.1        54.893ms
     label stack (top label first): 110
  4  10.0.231.1        15.946ms
     label stack (top label first): 111
  5  10.0.233.1        27.72ms
     label stack (top label first): 112
  6  10.0.113.1        36.383ms

The following displays the output for the ping command where the static route resolves over Nexthop Group tunnel(s).

switch(config-rtrmpls1)# ping mpls static ip 100.0.77.0/24
LSP ping to static MPLS push label route 100.0.77.0/24
 
100.0.77.0/24: nexthop-group tunnel index 1 (nexthop-group name: nhg-46)
Entry 0
   Via 10.0.25.5
   Reply from 10.0.51.1: seq=1, time=112.171ms
 
100.0.77.0/24: nexthop-group tunnel index 2 (nexthop-group name: nhg-64)
Entry 0
   Via 10.0.25.4
   Reply from 10.0.68.1: seq=1, time=121.809ms
Entry 1
   Via 10.0.25.9
   Reply from 10.0.76.1: seq=1, time=133.668ms
 
--- nexthop-group tunnel index 1, nexthop-group nhg-46: lspping statistics ---
Entry 0
   Via 10.0.25.5
   1 packets transmitted, 1 received, 0% packet loss, time 251ms
   1 received from 10.0.51.1, rtt min/max/avg 112.171/112.171/112.171 ms
 
 
--- nexthop-group tunnel index 2, nexthop-group nhg-64: lspping statistics ---
Entry 0
   Via 10.0.25.4
   1 packets transmitted, 1 received, 0% packet loss, time 251ms
   1 received from 10.0.68.1, rtt min/max/avg 121.809/121.809/121.809 ms
 
Entry 1
   Via 10.0.25.9
   1 packets transmitted, 1 received, 0% packet loss, time 251ms
   1 received from 10.0.76.1, rtt min/max/avg 133.668/133.668/133.668 ms

The following displays the output for the traceroute command where the static route resolves over Nexthop Group tunnel(s). The command randomly selects a tunnel.

switch(config-rtrmpls1)# traceroute mpls static ip 100.0.77.0/24LSP traceroute to 100.0.77.0/24
100.0.77.0/24: nexthop-group tunnel index 1 (nexthop-group name: nhg-46)
100.0.77.0/24: nexthop-group tunnel index 2 (nexthop-group name: nhg-64)
Traceroute over nexthop-group tunnel index 1, nexthop-group nhg-46 Entry 0
Entry 0
  1  10.0.83.1         382.798ms
     label stack (top label first): 35
  2  10.0.85.1         42.7ms
     label stack (top label first): 47
  3  10.0.87.1         55.815ms
     label stack (top label first): 48
  4  10.0.89.1         17.728ms
     label stack (top label first): 49
  5  10.0.91.1         29.452ms
     label stack (top label first): 50
  6  10.0.51.1         38.686ms

Egress IPv4/IPv6 over MPLS acls

IPv4/IPv6 over MPLS packets are now eligible for acls at the egress stage by default, applicable only to IPv4/IPv6 over MPLS packets that are MPLS label popped (such as if the label is at the bottom of stack). The user can override this behavior if required, thereby disabling egress acls for certain MPLS labels by configuration. No special configuration is required to enable egress acls on IPv4/IPv6 over MPLS packets.

Examples

  • This command disables egress acls for MPLS top-label 12000 on the egress interface 120.1.1.1 nexthop address.
    switch(config)# no mpls static top-label 12000 120.1.1.1 pop payload-type ipv6
    switch(config)# 
  • This command enables egress acls for MPLS top-label 12000 on the egress interface 120.1.1.1 nexthop address.
    switch(config)# mpls static top-label 12000 120.1.1.1 pop payload-type ipv6 
    switch(config)#

Configuring MPLSoGRE Filtered Mirroring

The filtered mirroring of terminated MPLSoGRE packets is configured by creating an IPv4 access-list, and then attaching the IPv4 access-list to a monitor session source where a tunnel decap group has been configured. This IPv4 access-list has rules that match to either inner IPv4 or IPv6 destination addresses.

Enabling the TC-Counters TCAM Profile

The following limitations are applicable to MPLSoGRE filtered mirroring in tc-counters TCAM profile:
  • Security acls are not enforced on IPv4oMPLSoGRE and IPv6oMPLSoGRE terminated packets.
  • The rules of a mirroring-ACL are set to match either inner IPv4 or inner IPv6 header fields, but not both.

The acls containing rules to match both inner IPv4 and inner IPv6 header fields are not applicable to a single source interface in multiple mirroring sessions. In other words, all acls applied to a shared source interface must contain either inner IPv4 rules or inner IPv6 rules.

The commands below switch to the tc-counters TCAM profile in the running configuration.
switch(config)# hardware tcam
switch(config-hw-tcam)# system profile tc-counters
switch(config-hw-tcam)# exit

Defining Two IPv4 Access-Lists

The ip access-list command places the switch in ACL configuration mode, which is a group change mode that modifies an IPv4 access control list. The command specifies the name of the IPv4 ACL that

subsequent commands modify and creates an ACL if it references a nonexistent list. All changes in a group change mode edit session are pending till the end of the session.

The permit (Role) command configures one access-list to match the inner IPv4 address, and the other access-list to match the inner IPv6 address.
switch(config)# ip access-list dIPv4
switch(config)# 10 permit ip any any inner ip any host 5.5.5.5
switch(config)# exit

switch(config)# ip access-list dIPv6
switch(config)# 10 permit ip any any inner ipv6 any host 55::55
switch(config)# exit

Attaching Access-Lists

The monitor session source and monitor session destination commands allow to attach two access-lists to two different monitor session sources.
switch(config)# monitor session sess1 source et1 rx ip access-group dIPv4
switch(config)# monitor session sess1 destination tunnel mode gre source 1.1.1.1 destination 2.2.2.2
switch(config)# monitor session sess2 source et2 rx ip access-group dIPv6
switch(config)# monitor session sess2 destination tunnel mode gre source 3.3.3.3 destination 4.4.4.4
switch(config)# show monitor session

Session sess1
------------------------

Source Ports:

  Rx Only:     Et1(IP ACL: dIPv4)

Destination Ports:

        status    source    dest     TTL   DSCP  proto    VRF      fwd-drop
Gre1 :  active    1.1.1.1   2.2.2.2  128   0     0x88be   default  no


Session sess2
------------------------

Source Ports:

  Rx Only:     Et2(IP ACL: dIPv6), Et5(IP ACL: dIPv6)

Destination Ports:

        status   source    dest     TTL   DSCP  proto    VRF        fwd-drop
Gre2 :  active   3.3.3.3   4.4.4.4  128   0     0x88be   default    no

switch(config)#

Configurations to Support IP acls for MPLS Packets

Ingress IP Access-List Support

To facilitate inner IP header matching, there are two TCAM profile packet types:
packet mpls ipv4 forwarding bridged
packet mpls ipv4 forwarding mpls

The ingress inner IP header matching creates a user-defined profile with these new packet types. Although MAC access-lists do not match on the inner IP header, you must add this packet type in order to generate a lookup for MPLS packets (if using MAC acls).

hardware tcam
   #May use any profile that provides ACL features
   profile <name> copy default
      feature acl port ip
         packet mpls ipv4 forwarding bridged
         packet mpls ipv4 forwarding mpls
      feature acl port ipv6
         packet mpls ipv6 forwarding bridged
         packet mpls ipv6 forwarding mpls
      feature acl port mac
         packet mpls ipv4 forwarding bridged
         packet mpls ipv4 forwarding mpls
         packet mpls ipv6 forwarding bridged
         packet mpls ipv6 forwarding mpls
   system profile <name>

Starting in Release eos 4.23.1, ingress on inner IP header matching in MPLS packets is also supported on PBR acls. In order to enable this, the following must be configured in a user-defined TCAM profile:

hardware tcam
   #May use any profile that provides ACL features
   profile <name> copy default
      feature pbr ip
         packet mpls ipv4 forwarding mpls
      feature pbr ipv6
         packet mpls ipv6 forwarding mpls

Egress IPv4/IPv6 over MPLS acls

IPv4/IPv6 over MPLS packets are now eligible for acls at the egress stage by default, applicable only to IPv4/IPv6 over MPLS packets that are MPLS label popped (such as if the label is at the bottom of stack). The user can override this behavior if required, thereby disabling egress acls for certain MPLS labels by configuration. No special configuration is required to enable egress acls on IPv4/IPv6 over MPLS packets.

Examples

  • This command disables egress acls for MPLS top-label 12000 on the egress interface 120.1.1.1 nexthop address.
    switch(config)# no mpls static top-label 12000 120.1.1.1 pop payload-type ipv6
    switch(config)# 
  • This command enables egress acls for MPLS top-label 12000 on the egress interface 120.1.1.1 nexthop address.
    switch(config)# mpls static top-label 12000 120.1.1.1 pop payload-type ipv6 
    switch(config)#

MPLS Pop Terminated Packets

To enable the use of these qualifiers on MPLS-terminated packets by last label pop, this feature must be applied to the current TCAM profile, as illustrated below:
feature acl port ip egress mpls-tunnelled-match
No functionality is lost, however, this feature is not enabled by default on all system profiles. Some TCAM profiles may also use the resources required by this feature. Verification is required to ensure the current user-defined TCAM profile supports this feature.
hardware tcam
   #May use any profile that provides ACL features
   profile <name> copy <some-system-profile>
      feature acl port ip egress mpls-tunnelled-match
   system profile <name>

MPLS VRF-Decapsulated Packets

To enable the use of these new qualifiers on MPLS-terminated packets by last label VRF-label mapping, the packet type mpls ipv4 forwarding routed decap must be applied to at least one feature in the TCAM profile. For example:
hardware tcam
   profile <name> copy default
      feature qos ip
         packet mpls ipv4 forwarding routed decap
   system profile <name>

Supporting Traffic Policy on Interfaces

Access Control Lists (ACL) configures the action for packets which are going through the packet processor pipeline based on different fields of packets. Usually TCAM is used to match packets with multiple entries matching the list of IP addresses. TCAM is also a limited resource, so traffic-policy performs transformation of the fields of the packet, that summarize them in terms of the relevant rules this field matches by using command interface traffic-policy.

Custom TCAM Profile

The following commands enable custom TCAM profile to support traffic policy.
hardware tcam
   profile traffic-policy
      feature acl port mac
         sequence 55
         key size limit 160
         key field dst-mac ether-type src-mac
         action count drop
         packet ipv4 forwarding bridged
         packet ipv4 forwarding routed
         packet ipv4 forwarding routed multicast
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet ipv4 non-vxlan forwarding routed decap
         packet ipv4 vxlan forwarding bridged decap
         packet ipv6 forwarding bridged
         packet ipv6 forwarding routed
         packet ipv6 forwarding routed decap
         packet ipv6 forwarding routed multicast
         packet ipv6 ipv6 forwarding routed decap
         packet mpls forwarding bridged decap
         packet mpls ipv4 forwarding mpls
         packet mpls ipv6 forwarding mpls
         packet mpls non-ip forwarding mpls
         packet non-ip forwarding bridged
      feature forwarding-destination mpls
         sequence 100
      feature mirror ip
         sequence 80
         key size limit 160
         key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops l4-src-port src-ip tcp-control
         action count mirror set-policer
         packet ipv4 forwarding bridged
         packet ipv4 forwarding routed
         packet ipv4 forwarding routed multicast
         packet ipv4 non-vxlan forwarding routed decap
      feature mpls
         sequence 5
         key size limit 160
         action drop redirect set-ecn
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet mpls ipv4 forwarding mpls
         packet mpls ipv6 forwarding mpls
         packet mpls non-ip forwarding mpls
      feature pbr ip
         sequence 60
         key size limit 160
         key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops-18b l4-src-port src-ip tcp-control
         action count redirect
         packet ipv4 forwarding routed
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet ipv4 non-vxlan forwarding routed decap
         packet ipv4 vxlan forwarding bridged decap
      feature pbr ipv6
         sequence 30
         key field dst-ipv6 ipv6-next-header l4-dst-port l4-src-port src-ipv6-high src-ipv6-low tcp-control
         action count redirect
         packet ipv6 forwarding routed
      feature pbr mpls
         sequence 65
         key size limit 160
         key field mpls-inner-ip-tos
         action count drop redirect
         packet mpls ipv4 forwarding mpls
         packet mpls ipv6 forwarding mpls
         packet mpls non-ip forwarding mpls
      feature qos ip
         sequence 75
         key size limit 160
         key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops l4-src-port src-ip tckp-control
         action set-dscp set-policer set-tc
         packet ipv4 forwarding routed
         packet ipv4 forwarding routed multicast
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet ipv4 non-vxlan forwarding routed decap
      feature qos ipv6
         sequence 70
         key field dst-ipv6 ipv6-next-header ipv6-traffic-class l4-dst-port l4-src-port src-ipv6-high src-ipv6-low
         action set-dscp set-policer set-tc
         packet ipv6 forwarding routed	
      feature traffic-policy port ipv4
         sequence 45
         key size limit 160
         key field dscp dst-ip-label icmp-type-code ip-frag ip-fragment-offset ip-length ip-protocol l4-dst-port 
         l4-src-port src-ip-label tcp-control ttl
         action count drop log set-dscp set-tc
         packet ipv4 forwarding routed
      feature traffic-policy port ipv6
         sequence 25
         key field dst-ipv6-label hop-limit icmp-type-code ipv6-length ipv6-next-header ipv6-traffic-class l4-dst-port 
         l4-src-port src-ipv6-label tcp-control
         action count drop log set-dscp set-tc
         packet ipv6 forwarding routed
      feature tunnel vxlan
         sequence 50
         key size limit 160
         packet ipv4 vxlan eth ipv4 forwarding routed decap
         packet ipv4 vxlan forwarding bridged decap