This article describes how to perform a VRF-based route lookup, based on the incoming label value, in an L3VPN scenario.
On the PE device in an L3VPN setup, a vt interface combined with a label-map can be used to perform a VRF-based lookup on the incoming label and forward the traffic.
This kind of lookup commonly happens on the intermediate router when the ingress router has static LSPs defined to reach certain destinations.
Topology:
CE1---PE1---P----PE2---CE2
In the above setup, CE1 has a static LSP defined to reach the loopback interface (192.168.60.1) of CE2; as the route below shows, CE1 pushes label 1000006 toward PE1 (10.0.4.2).
lab@router1> show route 192.168.60.1
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.60.1/32 *[Static/5] 4d 17:35:08
to 10.0.4.2 via so-0/2/0.0
> to 10.0.4.2 via so-0/2/0.0, Push 1000006
lab@router1>
On the PE1 device, this destination is reachable via the VRF routing instance - VPN-A - as shown below:
lab@hostname-PE1> show route table VPN-A
VPN-A.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.4.0/24 *[Static/5] 4d 18:02:34
to table inet.0
10.0.12.0/24 *[BGP/170] 00:25:43, localpref 100, from 192.168.21.1
AS path: I
> via so-1/3/2.0, Push 300400, Push 100448(top)
150.1.1.0/24 *[BGP/170] 00:25:43, localpref 100, from 192.168.21.1
AS path: 65001 I
> via so-1/3/2.0, Push 300400, Push 100448(top)
150.1.2.0/24 *[BGP/170] 00:25:43, localpref 100, from 192.168.21.1
AS path: 65001 I
> via so-1/3/2.0, Push 300400, Push 100448(top)
150.1.3.0/24 *[BGP/170] 00:25:43, localpref 100, from 192.168.21.1
AS path: 65001 I
> via so-1/3/2.0, Push 300400, Push 100448(top)
150.1.4.0/24 *[BGP/170] 00:25:43, localpref 100, from 192.168.21.1
AS path: 65001 I
> via so-1/3/2.0, Push 300400, Push 100448(top)
150.1.5.0/24 *[BGP/170] 00:25:43, localpref 100, from 192.168.21.1
AS path: 65001 I
> via so-1/3/2.0, Push 300400, Push 100448(top)
192.168.60.1/32 *[BGP/170] 00:25:43, localpref 100, from 192.168.21.1
AS path: 65001 I
> via so-1/3/2.0, Push 300400, Push 100448(top)
lab@hostname-PE1>
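On PE1, under protocols mpls, the label-map is defined on the interface that receives the MPLS-labeled packet (so-1/1/0.0, facing CE1). The incoming label is matched, the pop action is performed, and the packet is forwarded to the logical unit of the vt interface. Note that this requires family mpls on the CE-facing interface, so PE1 accepts labeled packets from the CE, and the static entry appears in the same mpls.0 table as the LDP and VPN labels shown below; this design should therefore be used only where the CE is trusted (for example, provider-managed).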
lab@hostname-PE1> show configuration protocols mpls
interface so-1/3/2.0;
interface so-1/1/0.0 {
label-map 1000006 {
next-hop vt-0/1/0.12;
pop;
}
}
lab@hostname-PE1> show route table mpls.0
mpls.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0 *[MPLS/0] 4d 21:03:38, metric 1
Receive
1 *[MPLS/0] 4d 21:03:38, metric 1
Receive
2 *[MPLS/0] 4d 21:03:38, metric 1
Receive
299792 *[LDP/9] 4d 21:01:43, metric 1
> via so-1/3/2.0, Pop
299792(S=0) *[LDP/9] 4d 21:01:43, metric 1
> via so-1/3/2.0, Pop
299808 *[LDP/9] 4d 21:01:43, metric 1
> via so-1/3/2.0, Swap 100448
299824 *[VPN/0] 4d 17:28:16
> via vt-0/1/0.12, Pop
1000006 *[Static/5] 4d 17:28:16
> via vt-0/1/0.12, Pop
The logical unit of the vt interface is referenced under the VPN routing instance, so that the packet, once its label has been popped, undergoes a VRF-based route lookup.
lab@hostname-PE1# show routing-instances
VPN-A {
instance-type vrf;
interface vt-0/1/0.12;
route-distinguisher 192.168.28.1:1;
vrf-target {
import target:100L:100;
export target:100L:100;
}
routing-options {
static {
route 10.0.4.0/24 next-table inet.0;
}
}
}
Ping output from CE1:
lab@router1> ping 192.168.60.1 source 10.0.4.1 rapid count 5
PING 192.168.60.1 (192.168.60.1): 56 data bytes
!!!!!
--- 192.168.60.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.643/1.187/3.104/0.959 ms
lab@router1>
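Note: The static route to reach the CE1 interface subnet (10.0.4.0/24) is defined under the VRF instance and advertised to PE2 as an L3VPN route; PE2, in turn, advertises it to CE2 through the BGP session running between PE2 and CE2. Because this route uses next-table inet.0, return traffic for that prefix leaves the VRF and is resolved in PE1's main routing table.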
Configurations (encrypted-password values are shown as the placeholder "$ABC123"):
CE1:
lab@router1# show
system {
root-authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
login {
user lab {
uid 2000;
class super-user;
authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
}
}
}
interfaces {
cstm1-0/2/0 {
no-partition interface-type so;
}
so-0/2/0 {
unit 0 {
family inet {
address 10.0.4.1/24;
}
family mpls;
}
}
}
routing-options {
static {
route 192.168.60.1/32 next-hop 10.0.4.2;
route 0.0.0.0/0 next-hop 10.209.75.254;
}
}
protocols {
mpls {
static-path inet {
192.168.60.1/32 {
next-hop 10.0.4.2;
push 1000006;
}
}
interface so-0/2/0.0;
}
}
[edit]
lab@router1#
PE1:
lab@hostname-PE1# show
system {
host-name hostname-PE1;
root-authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
login {
user lab {
uid 2001;
class super-user;
authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
}
}
}
interfaces {
vt-0/1/0 {
unit 12 {
family inet;
}
}
t1-0/2/3 {
unit 0 {
family inet {
address 10.0.13.1/24;
}
}
}
cstm1-1/1/0 {
no-partition interface-type so;
}
so-1/1/0 {
unit 0 {
family inet {
address 10.0.4.2/24;
}
family mpls;
}
}
so-1/3/2 {
unit 0 {
family inet {
address 10.0.36.2/24;
}
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 192.168.28.1/32;
}
}
}
}
routing-options {
autonomous-system 100;
}
protocols {
mpls {
interface so-1/3/2.0;
interface so-1/1/0.0 {
label-map 1000006 {
next-hop vt-0/1/0.12;
pop;
}
}
}
bgp {
group internal {
type internal;
local-address 192.168.28.1;
family inet {
unicast;
}
family inet-vpn {
unicast;
}
neighbor 192.168.21.1;
}
}
ospf {
area 0.0.0.0 {
interface lo0.0;
interface so-1/3/2.0;
}
}
ldp {
interface so-1/3/2.0;
interface lo0.0;
}
}
routing-instances {
VPN-A {
instance-type vrf;
interface vt-0/1/0.12;
route-distinguisher 192.168.28.1:1;
vrf-target {
import target:100L:100;
export target:100L:100;
}
routing-options {
static {
route 10.0.4.0/24 next-table inet.0;
}
}
}
}
[edit]
lab@hostname-PE1#
P:
root@hostename-P# show
system {
host-name IRIDIUM-P;
root-authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
login {
user lab {
uid 2000;
class super-user;
authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
}
}
}
interfaces {
fe-0/1/3 {
unit 0 {
family inet {
address 10.0.30.1/24;
}
family mpls;
}
}
so-1/1/2 {
unit 0 {
family inet {
address 10.0.36.1/24;
}
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 192.168.5.1/32;
}
}
}
}
protocols {
mpls {
interface all;
}
ospf {
area 0.0.0.0 {
interface all;
}
}
ldp {
interface all;
}
}
[edit]
root@hostename-P#
PE2:
lab@hostname-PE2# show
system {
host-name hostname-PE2;
time-zone America/New_York;
root-authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
login {
user lab {
uid 2002;
class super-user;
authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
}
}
syslog {
archive size 10m files 10;
file interactive-commands {
interactive-commands any;
}
time-format millisecond;
}
}
interfaces {
fe-0/0/0 {
unit 0 {
family inet {
address 10.0.12.1/24;
}
}
}
fe-0/0/3 {
unit 0 {
family inet {
address 10.0.30.2/24;
}
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 192.168.21.1/32;
}
}
}
}
routing-options {
autonomous-system 100;
}
protocols {
mpls {
interface fe-0/0/3.0;
}
bgp {
group internal {
type internal;
local-address 192.168.21.1;
family inet {
unicast;
}
family inet-vpn {
unicast;
}
neighbor 192.168.28.1;
}
}
ospf {
area 0.0.0.0 {
interface fe-0/0/3.0;
interface lo0.0;
}
}
ldp {
interface fe-0/0/3.0;
interface lo0.0;
}
}
routing-instances {
VPN-A {
instance-type vrf;
interface fe-0/0/0.0;
route-distinguisher 192.168.28.1:1;
vrf-target {
import target:100L:100;
export target:100L:100;
}
protocols {
bgp {
group CE-A {
type external;
peer-as 65001;
neighbor 10.0.12.2;
}
}
}
}
}
[edit]
lab@hostname-PE2#
CE2:
lab@hostname-CE2# show
system {
host-name hostname-CE2;
root-authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
login {
user lab {
uid 2000;
class super-user;
authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
}
}
}
interfaces {
fe-0/0/1 {
unit 0 {
family inet {
address 10.0.12.2/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 192.168.60.1/32;
}
}
}
}
routing-options {
static {
route 150.1.1.0/24 discard;
route 150.1.2.0/24 discard;
route 150.1.3.0/24 discard;
route 150.1.4.0/24 discard;
route 150.1.5.0/24 discard;
}
autonomous-system 65001;
}
protocols {
bgp {
export static->bgp;
group CE-A {
type external;
peer-as 100;
neighbor 10.0.12.1;
}
}
}
policy-options {
policy-statement static->bgp {
term 1 {
from protocol static;
then accept;
}
term 2 {
from protocol direct;
then accept;
}
}
}
[edit]
lab@hostname-CE2#