Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Signaling Provider Tunnels and Data Plane Setup

 

In a next-generation multicast virtual private network (MVPN), provider tunnel information is communicated to the receiver PE routers in an out-of-band manner. This information is advertised via BGP and is independent of the actual tunnel signaling process. Once the tunnel is signaled, the sender PE router binds the VPN routing and forwarding (VRF) table to the locally configured tunnel. The receiver PE routers bind the tunnel signaled to the VRF table where the Type 1 autodiscovery route with the matching provider multicast service interface (PMSI) attribute is installed. The same binding process is used for both Protocol Independent Multicast (PIM) and RSVP-Traffic Engineering (RSVP-TE) signaled provider tunnels.

Provider Tunnels Signaled by PIM (Inclusive)

A sender provider edge (PE) router configured to use an inclusive PIM-sparse mode (PIM-SM) any-source multicast (ASM ) provider tunnel for a VPN creates a multicast tree (using the P-group address configured) in the service provider network. This tree is rooted at the sender PE router and has the receiver PE routers as the leaves. VPN multicast packets received from the local VPN source are encapsulated by the sender PE router with a multicast generic routing encapsulation (GRE) header containing the P-group address configured for the VPN. These packets are then forwarded on the service provider network as normal IP multicast packets per normal P-PIM procedures. At the leaf nodes, the GRE header is stripped and the packets are passed on to the local VRF C-PIM protocol for further processing.

In Junos OS, a logical interface called multicast tunnel (MT) is used for GRE encapsulation and de-encapsulation of VPN multicast packets. The multicast tunnel interface is created automatically if a Tunnel PIC is present.

  • Encapsulation subinterfaces are created from an mt-x/y/z.[32768-49151] range.

  • De-encapsulation subinterfaces are created from an mt-x/y/z.[49152-65535] range.

The multicast tunnel subinterfaces act as pseudo upstream or downstream interfaces between C-PIM and P-PIM.

In the following two examples, assume that the network uses PIM-SM (ASM) signaled GRE tunnels as the tunneling technology. Routers referenced in this topic are shown in Understanding Next-Generation MVPN Network Topology.

Use the show interfaces mt-0/1/0 terse command to verify that Router PE1 has created the following multicast tunnel subinterface. The logical interface number is 32768, indicating that this sub-unit is used for GRE encapsulation.

user@PE1> show interfaces mt-0/1/0 terse

Use the show interfaces mt-0/1/0 terse command to verify that Router PE2 has created the following multicast tunnel subinterface. The logical interface number is 49152, indicating that this sub-unit is used for GRE de-encapsulation.

user@PE2> show interfaces mt-0/1/0 terse

P-PIM and C-PIM on the Sender PE Router

The sender PE router installs a local join entry in its P-PIM database for each VRF table configured to use PIM as the provider tunnel. The outgoing interface list (OIL) of this entry points to the core-facing interface. Since the P-PIM entry is installed as Local, the sender PE router sets the source address to its primary loopback IP address.

Use the show pim join extensive command to verify that Router PE1 has installed the following state in its P-PIM database.

user@PE1> show pim join extensive

On the VRF side of the sender PE router, C-PIM installs a Local Source entry in its C-PIM database for the active local VPN source. The OIL of this entry points to Pseudo-MVPN, indicating that the downstream interface points to the receivers in the next-generation MVPN network. Routers referenced in this topic are shown in Understanding Next-Generation MVPN Network Topology.

Use the show pim join extensive instance vpna 224.1.1.1 command to verify that Router PE1 has installed the following entry in its C-PIM database.

user@PE1> show pim join extensive instance vpna 224.1.1.1

The forwarding entry corresponding to the C-PIM Local Source (or Local RP) on the sender PE router points to the multicast tunnel encapsulation subinterface as the downstream interface. This indicates that the local multicast data packets are encapsulated as they are passed on to the P-PIM protocol.

Use the show multicast route extensive instance vpna group 224.1.1.1 command to verify that Router PE1 has the following multicast forwarding entry for group 224.1.1.1. The upstream interface is the PE-CE interface and the downstream interface is the multicast tunnel encapsulation subinterface:

user@PE1> show multicast route extensive instance vpna group 224.1.1.1

P-PIM and C-PIM on the Receiver PE Router

On the receiver PE router, multicast data packets received from the network are de-encapsulated as they are passed through the multicast tunnel de-encapsulation interface.

The P-PIM database on the receiver PE router contains two P-joins. One is for P-RP, and the other is for the sender PE router. For both entries, the OIL contains the multicast tunnel de-encapsulation interface from which the GRE header is stripped. The upstream interface for P-joins is the core-facing interface that faces towards the sender PE router.

Use the show pim join extensive command to verify that Router PE3 has the following state in its P-PIM database. The downstream neighbor interface points to the GRE de-encapsulation subinterface:

user@PE3> show pim join extensive

On the VRF side of the receiver PE router, C-PIM installs a join entry in its C-PIM database. The OIL of this entry points to the local VPN interface, indicating active local receivers. The upstream protocol, interface, and neighbor of this entry point to the next-generation-MVPN network. Routers referenced in this topic are shown in Understanding Next-Generation MVPN Network Topology.

Use the show pim join extensive instance vpna 224.1.1.1 command to verify that Router PE3 has the following state in its C-PIM database:

user@PE3> show pim join extensive instance vpna 224.1.1.1

The forwarding entry corresponding to the C-PIM entry on the receiver PE router uses the multicast tunnel de-encapsulation subinterface as the upstream interface.

Use the show multicast route extensive instance vpna group 224.1.1.1 command to verify that Router PE3 has installed the following multicast forwarding entry for the local receiver:

user@PE3> show multicast route extensive instance vpna group 224.1.1.1

Provider Tunnels Signaled by RSVP-TE (Inclusive and Selective)

Junos OS supports signaling both inclusive and selective provider tunnels by RSVP-TE point-to-multipoint label-switched paths (LSPs). You can configure a combination of inclusive and selective provider tunnels per VPN.

  • If you configure a VPN to use an inclusive provider tunnel, the sender PE router signals one point-to-multipoint LSP for the VPN.

  • If you configure a VPN to use selective provider tunnels, the sender PE router signals a point-to-multipoint LSP for each selective tunnel configured.

Sender (ingress) PE routers and receiver (egress) PE routers play different roles in the point-to-multipoint LSP setup. Sender PE routers are mainly responsible for initiating the parent point-to-multipoint LSP and the sub-LSPs associated with it. Receiver PE routers are responsible for setting up state such that they can forward packets received over a sub-LSP to the correct VRF table (binding a provider tunnel to the VRF).

Inclusive Tunnels: Ingress PE Router Point-to-Multipoint LSP Setup

The point-to-multipoint LSP and associated sub-LSPs are signaled by the ingress PE router. The information about the point-to-multipoint LSP is advertised to egress PE routers in the PMSI attribute via BGP.

The ingress PE router signals point-to-multipoint sub-LSPs by originating point-to-multipoint RSVP path messages toward egress PE routers. The ingress PE router learns the identity of the egress PE routers from Type 1 routes installed in its <routing-instance-name>.mvpn.0 table. Each RSVP path message carries an S2L_Sub_LSP object along with the point-to-multipoint session object. The S2L_Sub_LSP object carries a 4-byte sub-LSP destination (egress) IP address.

In Junos OS, sub-LSPs associated with a point-to-multipoint LSP can be signaled automatically by the system or via a static sub-LSP configuration. When they are automatically signaled, the system chooses a name for the point-to-multipoint LSP and each sub-LSP associated with it using the following naming convention.

Point-to-multipoint LSPs naming convention:

<ingress PE rid>:<a per VRF unique number>:mvpn:<routing-instance-name>

Sub-LSPs naming convention:

<egress PE rid>:<ingress PE rid>:<a per VRF unique number>:mvpn:<routing-instance-name>

Use the show mpls lsp p2mp command to verify that the following LSPs have been created by Router PE1:

Parent P2MP LSP: 10.1.1.1:65535:mvpn:vpna

Sub-LSPs: 10.1.1.2:10.1.1.1:65535:mvpn:vpna (Router PE1 to Router PE2) and

10.1.1.3:10.1.1.1:65535:mvpn:vpna (Router PE1 to Router PE3)

user@PE1> show mpls lsp p2mp

The values in this example are as follows:

  • I-PMSI P2MP LSP name: 10.1.1.1:65535:mvpn:vpna

  • I-PMSI P2MP sub-LSP name (to PE2): 10.1.1.2:10.1.1.1:65535:mvpn:vpna

  • I-PMSI P2MP sub-LSP name (to PE3): 10.1.1.3:10.1.1.1:65535:mvpn:vpna

Inclusive Tunnels: Egress PE Router Point-to-Multipoint LSP Setup

An egress PE router responds to an RSVP path message by originating an RSVP reservation (RESV) message per normal RSVP procedures. The RESV message contains the MPLS label allocated by the egress PE router for this sub-LSP and is forwarded hop by hop toward the ingress PE router, thus setting up state on the network. Routers referenced in this topic are shown in Understanding Next-Generation MVPN Network Topology.

Use the show rsvp session command to verify that Router PE2 has assigned label 299840 for the sub-LSP 10.1.1.2:10.1.1.1:65535:mvpn:vpna:

user@PE2> show rsvp session

Use the show mpls lsp p2mp command to verify that Router PE3 has assigned label 16 for the sub-LSP 10.1.1.3:10.1.1.1:65535:mvpn:vpna:

user@PE3> show mpls lsp p2mp

Inclusive Tunnels: Egress PE Router Data Plane Setup

The egress PE router installs a forwarding entry in its mpls table for the label it allocated for the sub-LSP. The MPLS label is installed with a pop operation (a pop operation removes the top MPLS label), and the packet is passed on to the VRF table for a second route lookup. The second lookup on the egress PE router is necessary for the VPN multicast data packets to be processed inside the VRF table using normal C-PIM procedures.

Use the show route table mpls label 16 command to verify that Router PE3 has installed the following label entry in its MPLS forwarding table:

user@PE3> show route table mpls label 16

In Junos OS, VPN multicast routing entries are stored in the <routing-instance-name>.inet.1 table, which is where the second route lookup occurs. In the example above, even though vpna.inet.0 is listed as the routing table where the second lookup happens after the pop operation, internally the lookup is pointed to the vpna.inet.1 table. Routers referenced in this topic are shown in Understanding Next-Generation MVPN Network Topology.

Use the show route table vpna.inet.1 command to verify that Router PE3 contains the following entry in its VPN multicast routing table:

user@PE3> show route table vpna.inet.1

Use the show multicast route extensive instance vpna command to verify that Router PE3 contains the following VPN multicast forwarding entry corresponding to the multicast routing entry for the Llocal join. The upstream interface points to lsi.0 and the downstream interface (OIL) points to the so-0/2/0.0 interface (toward local receivers). The Upstream protocol value is MVPN because the VPN multicast source is reachable via the next-generation MVPN network. The lsi.0 interface is similar to the multicast tunnel interface used when PIM-based provider tunnels are used. The lsi.0 interface is used for removing the top MPLS header.

user@PE3> show multicast route extensive instance vpna

The requirement for a double route lookup on the VPN packet header requires two additional configuration statements on the egress PE routers when provider tunnels are signaled by RSVP-TE.

First, since the top MPLS label used for the point-to-multipoint sub-LSP is actually tied to the VRF table on the egress PE routers, the penultimate-hop popping (PHP) operation is not used for next-generation MVPNs. Only ultimate-hop popping is used. PHP allows the penultimate router (router before the egress PE router) to remove the top MPLS label. PHP works well for VPN unicast data packets because they typically carry two MPLS labels: one for the VPN and one for the transport LSP.

After the LSP label is removed, unicast VPN packets still have a VPN label that can be used for determining the VPN to which the packets belong. VPN multicast data packets, on the other hand, carry only one MPLS label that is directly tied to the VPN. Therefore, the MPLS label carried by VPN multicast packets must be preserved until the packets reach the egress PE router. Normally, PHP must be disabled through manual configuration.

To simplify the configuration, PHP is disabled by default on Juniper Networks PE routers when you include the mvpn statement at the [edit routing-instances routing-interface-name interface] hierarchy level. PHP is also disabled by default when you include the vrf-table-label statement at the [edit routing-instances routing-instance-name] hierarchy level.

Second, in Junos OS, VPN labels associated with a VRF table can be allocated in two ways.

  • Allocate a unique label for each VPN next hop (PE-CE interface). This is the default behavior.

  • Allocate one label for the entire VRF table, which requires additional configuration. Only allocating a label for the entire VRF table allows a second lookup on the VPN packet’s header. Therefore, PE routers supporting next-generation-MVPN services must be configured to allocate labels for the VRF table. There are two ways to do this as shown in Figure 1.

    • One is by including a virtuall tunnel interface named vt at the [edit routing-instances routing-instance-name interfaces] hierarchy level, which requires a Tunnel PIC.

    • The second is by including the vrf-table-label statement at the [routing-instances routing-instance-name] hierarchy level, which does not require a Tunnel PIC.

Both of these options enable an egress PE router to perform two route lookups. However, there are some differences in the way in which the second lookup is done

If the vt interface is used, the allocated label is installed in the mpls table with a pop operation and a forwarding next hop pointing to the vt interface.

Figure 1: Enabling Double Route Lookup on VPN Packet Headers
Enabling
Double Route Lookup on VPN Packet Headers

Use the show route table mpls label 299840 command to verify that Router PE2 has installed the following entry and uses a vt interface in the mpls table. The label associated with the point-to-multipoint sub-LSP (299840) is installed with a pop and a forward operation with the vt-0/1/0.0 interface being the next hop. VPN multicast packets received from the core exit the vt-0/1/0.0 interface without their MPLS header, and the egress Router PE2 does a second lookup on the packet header in the vpna.inet.1 table.

user@PE2> show route table mpls label 299840

If the vrf-table-label is configured, the allocated label is installed in the mpls table with a pop operation, and the forwarding entry points to the <routing-instance-name>.inet.0 table (which internally triggers the second lookup to be done in the <routing-instance-name>.inet.1 table).

Use the show route table mpls label 16 command to verify that Router PE3 has installed the following entry in its mpls table and uses the vrf-table-label statement:

user@PE3> show route table mpls label 16

Configuring label allocation for each VRF table affects both unicast VPN and MVPN routes. However, you can enable per-VRF label allocation for MVPN routes only if per-VRF allocation is configured via vt. This feature is configured via multicast and unicast keywords at the [edit routing-instances routing-instance-name interface vt-x/y/z.0] hierarchy level.

Note that including the vrf-table-label statement enables per-VRF label allocation for both unicast and MVPN routes and cannot be turned off for either type of routes (it is either on or off for both).

If a PE router is a bud router, meaning it has local receivers and also forwards MPLS packets received over a point-to-multipoint LSP downstream to other P and PE routers, then there is a difference in how the vrf-table-label and vt statements work. When, the vrf-table-label statement is included, the bud PE router receives two copies of the packet from the penultimate router: one to be forwarded to local receivers and the other to be forwarded to downstream P and PE routers. When the vt statement is included, the PE router receives a single copy of the packet.

Inclusive Tunnels: Ingress and Branch PE Router Data Plane Setup

On the ingress PE router, local VPN data packets are encapsulated with the MPLS label received from the network for sub-LSPs.

Use the show rsvp session command to verify that on the ingress Router PE1, VPN multicast data packets are encapsulated with MPLS label 300016 (advertised by Router P1 per normal RSVP RESV procedures) and forwarded toward Router P1 down the sub-LSPs 10.1.1.3:10.1.1.1:65535:mvpn:vpna and 10.1.1.2:10.1.1.1:65535:mvpn:vpna.

user@PE1> show rsvp session

RFC 4875 describes a branch node as “an LSR that replicates the incoming data on to one or more outgoing interfaces.” On a branch Rrouter, the incoming data carrying an MPLS label is replicated onto one or more outgoing interfaces that can use different MPLS labels. Branch nodes keep track of incoming and outgoing labels associated with point-to-multipoint LSPs. Routers referenced in this topic are shown in Understanding Next-Generation MVPN Network Topology.

Use the show rsvp session command to verify that branch node P1 has the incoming label 300016 and outgoing labels 16 for sub-LSP 10.1.1.3:10.1.1.1:65535:mvpn:vpna (to Router PE3) and 299840 for sub-LSP 10.1.1.2:10.1.1.1:65535:mvpn:vpna (to Router PE2).

user@P1> show rsvp session

Use the show route table mpls label 300016 command to verify that the corresponding forwarding entry on Router P1 shows that the packets coming in with one MPLS label (300016) are swapped with labels 16 and 299840 and forwarded out through their respective interfaces (so-0/0/3.0 and so-0/0/1.0 respectively toward Router PE2 and Router PE3).

user@P1> show route table mpls label 300016

Selective Tunnels: Type 3 S-PMSI Autodiscovery and Type 4 Leaf Autodiscovery Routes

Selective provider tunnels are configured by including the selective statement at the [edit routing-instances routing-instance-name provider-tunnel] hierarchy level. You can configure a threshold to trigger the signaling of a selective provider tunnel. Including the selective statement triggers the following events.

First, the ingress PE router originates a Type 3 S-PMSI autodiscovery route. The S-PMSI autodiscovery route contains the route distinguisher of the VPN where the tunnel is configured and the (C-S, C-G) pair that uses the selective provider tunnel.

In this section assume that Router PE1 is signaling a selective tunnel for (192.168.1.2, 224.1.1.1) and Router PE3 has an active receiver.

Use the show route table vpna.mvpn.0 | find 3: command to verify that Router PE1 has installed the following Type 3 route after the selective provider tunnel is configured:

user@PE1> show route table vpna.mvpn.0 | find 3:

Second, the ingress PE router attaches a PMSI attribute to a Type 3 route. This PMSI attribute is similar to the PMSI attribute advertised for inclusive provider tunnels with one difference: the PMSI attribute carried with Type 3 routes has its Flags bit set to Leaf Information Required. This means that the sender PE router is requesting receiver PE routers to send a Type 4 route if they have active receivers for the (C-S, C-G) carried in the Type 3 route. Also, remember that for each selective provider tunnel, a new point-to-multipoint and associated sub-LSPs are signaled. The PMSI attribute of a Type 3 route carries information about the new point-to-multipoint LSP.

Use the show route advertising-protocol bgp 10.1.1.3 detail table vpna.mvpn | find 3: command to verify that Router PE1 advertises the following Type 3 route and the PMSI attribute. The point-to-multipoint session object included in the PMSI attribute has a different port number (29499) than the one used for the inclusive tunnel (6574) indicating that this is a new point-to-multipoint tunnel.

user@PE1> show route advertising-protocol bgp 10.1.1.3 detail table vpna.mvpn | find 3:

Egress PE routers with active receivers should respond to a Type 3 route by originating a Type 4 leaf autodiscovery route. A leaf autodiscovery route contains a route key and the originating router’s IP address fields. The Route Key field of the leaf autodiscovery route contains the original Type 3 route that is received. The originating router’s IP address field is set to the router ID of the PE router originating the leaf autodiscovery route.

The ingress PE router adds each egress PE router that originated the leaf autodiscovery route as a leaf (destination of the sub-LSP for the selective point-to-multipoint LSP). Similarly, the egress PE router that originated the leaf autodiscovery route sets up forwarding state to start receiving data through the selective provider tunnel.

Egress PE routers advertise Type 4 routes with a route target that is specific to the PE router signaling the selective provider tunnel. This route target is in the form of target:<rid of the sender PE>:0. The sender PE router (the PE router signaling the selective provider tunnel) applies a special internal import policy to Type 4 routes that looks for a route target with its own router ID. Routers referenced in this topic are shown in Understanding Next-Generation MVPN Network Topology.

Use the show route table vpna.mvpn | find 4:3: command to verify that Router PE3 originates the following Type 4 route. The local Type 4 route is installed by the MVPN module.

user@PE3> show route table vpna.mvpn | find 4:3:

Use the show route advertising-protocol bgp 10.1.1.1 table vpna.mvpn detail | find 4:3: command to verify that Router PE3 has advertised the local Type 4 route with the following route target community. This route target carries the IP address of the sender PE router (10.1.1.1) followed by a 0.

user@PE3> show route advertising-protocol bgp 10.1.1.1 table vpna.mvpn detail | find 4:3:

Use the show policy __vrf-mvpn-import-cmcast-leafAD-global-internal__ command to verify that Router PE1 (the PE router signaling the selective provider tunnel) has applied the following import policy to Type 4 routes. The routes are accepted if their route target matches target:10.1.1.1:0.

user@PE1> show policy __vrf-mvpn-import-cmcast-leafAD-global-internal__

For each selective provider tunnel configured, a Type 3 route is advertised and a new point-to-multipoint LSP is signaled. Point-to-multipoint LSPs created by Junos OS for selective provider tunnels are named using the following naming conventions:

  • Selective point-to-multipoint LSPs naming convention:

    <ingress PE rid>:<a per VRF unique number>:mv<a unique number>:<routing-instance-name>

  • Selective point-to-multipoint sub-LSP naming convention:

    <egress PE rid>:<ingress PE rid>:<a per VRF unique>:mv<a unique number>:<routing-instance-name>

Use the show mpls lsp p2mp command to verify that Router PE1 signals point-to-multipoint LSP 10.1.1.1:65535:mv5:vpna with one sub-LSP 10.1.1.3:10.1.1.1:65535:mv5:vpna. The first point-to-multipoint LSP 10.1.1.1:65535:mvpn:vpna is the LSP created for the inclusive tunnel.

user@PE1> show mpls lsp p2mp

The values in this example are as follows.

  • I-PMSI P2MP LSP name: 10.1.1.1:65535:mvpn:vpna

  • I-PMSI P2MP sub-LSP name (to PE2): 10.1.1.2:10.1.1.1:65535:mvpn:vpna

  • I-PMSI P2MP sub-LSP name (to PE3): 10.1.1.3:10.1.1.1:65535:mvpn:vpna

  • S-PMSI P2MP LSP name: 10.1.1.1:65535:mv5:vpna

  • S-PMSI P2MP sub-LSP name (to PE3): 10.1.1.3:10.1.1.1:65535:mv5:vpna