

Filter Traffic Based on the IP Header

The vrf-table-label statement makes it possible to map the inner label to a specific VRF and thus allow the examination of the encapsulated IP header at an egress VPN router. You might want to enable this functionality so you can do either of the following:

The first lookup is done on the VPN label to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to forward packets to the correct end hosts on the shared medium.

The first lookup on the VPN label is done to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to filter and forward packets. You can enable this functionality by configuring output filters on the VRF interfaces.

When you use the vrf-table-label statement to configure a VRF table, a label-switched interface (LSI) logical interface label is created and mapped to the VRF.

Any routes configured in a VRF with the vrf-table-label statement are advertised with the LSI logical interface label allocated for the VRF. When packets for this VPN arrive on a core-facing interface, they are treated as if the enclosed IP packet arrived on the LSI interface and are then forwarded and filtered based on the correct table.

To filter traffic based on the IP header, include the vrf-table-label statement at the [edit routing-instances routing-instance-name] hierarchy level:

[edit routing-instances routing-instance-name]
vrf-table-label;
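
The following configuration is an added example, not part of the original documentation. It shows a VRF that uses vrf-table-label together with an output filter on its VRF interface, so the filter is evaluated against the encapsulated IP header at the egress PE router. The instance name, interface, address, route distinguisher, route target, and filter terms are assumptions chosen for illustration.

```junos
# Constructed example: all names, addresses, and community values are placeholders.
firewall {
    family inet {
        filter VPN-A-EGRESS {
            /* Evaluated on the inner IP header after the VPN label lookup selects the VRF. */
            term block-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    count vpn-a-telnet-dropped;
                    discard;
                }
            }
            /* Explicit accept: a filter otherwise ends with an implicit discard. */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                /* Output filter on the VRF (PE-to-CE) interface. */
                filter {
                    output VPN-A-EGRESS;
                }
                address 192.0.2.1/30;
            }
        }
    }
}
routing-instances {
    VPN-A {
        instance-type vrf;
        interface ge-0/0/1.0;
        route-distinguisher 65000:100;
        vrf-target target:65000:100;
        /* Maps the inner label to this VRF so the second lookup is on the IP header. */
        vrf-table-label;
    }
}
```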

Egress Filtering Options

You can enable egress filtering (which allows egress Layer 3 VPN PE routers to perform lookups on the VPN label and IP header at the same time) by including the vrf-table-label statement at the [edit routing-instances instance-name] hierarchy level. However, this feature works only for non-channelized Point-to-Point Protocol/High-level Data Link Control (PPP/HDLC) SONET core-facing interfaces and non-channelized Gigabit and Fast Ethernet core-facing interfaces. The vrf-table-label statement cannot be configured for the 10-port E1 Physical Interface Card (PIC) or for aggregated interfaces. There is no restriction on CE-router-to-PE-router interfaces.

You can also enable egress filtering by configuring a VPN tunnel (VT) interface on routers equipped with a Tunnel Services PIC. When you enable egress filtering this way, there is no restriction on the type of core-facing interface used. There is also no restriction on the type of CE-router-to-PE-router interface used.

Limitations

When you configure the vrf-table-label statement, be aware of the following limitations:

