Configuring Virtual Loopback Tunnels for VRF Table Lookup

To enable egress filtering, you can either configure filtering based on the IP header, or you can configure a virtual loopback tunnel on routers equipped with a Tunnel PIC. Table 22 describes each method.

Table 22: Methods for Configuring Egress Filtering

Method	Interface Type	Configuration Guidelines	Comments
Filter traffic based on the IP header	Nonchannelized Point-to-Point Protocol / High Level Data Link Control (PPP/HDLC) core-facing SONET/SDH interfaces	Include the vrf-table-label statement at the [edit routing-instances instance-name] hierarchy level. For more information, see the Junos VPNs Configuration Guide.	There is no restriction on customer-edge (CE) router-to-provider edge (PE) router interfaces.
Configure a virtual loopback tunnel on routers equipped with a Tunnel PIC	All interfaces	See the guidelines in this section.	Router must be equipped with a Tunnel PIC. There is no restriction on the type of core-facing interface used or CE router-to-PE router interface used. You cannot configure a virtual loopback tunnel and the vrf-table-label statement at the same time.

Method

Interface Type

Configuration Guidelines

Comments

Filter traffic based on the IP header

Nonchannelized Point-to-Point Protocol / High Level Data Link Control (PPP/HDLC) core-facing SONET/SDH interfaces

Include the vrf-table-label statement at the [edit routing-instances instance-name] hierarchy level.

For more information, see the Junos VPNs Configuration Guide.

There is no restriction on customer-edge (CE) router-to-provider edge (PE) router interfaces.

Configure a virtual loopback tunnel on routers equipped with a Tunnel PIC

All interfaces

See the guidelines in this section.

Router must be equipped with a Tunnel PIC.

There is no restriction on the type of core-facing interface used or CE router-to-PE router interface used.

You cannot configure a virtual loopback tunnel and the vrf-table-label statement at the same time.

You can configure a virtual loopback tunnel to facilitate VRF table lookup based on MPLS labels. You might want to enable this functionality so you can do either of the following:

Forward traffic on a PE router to CE device interface, in a shared medium, where the CE device is a Layer 2 switch without IP capabilities (for example, a metro Ethernet switch).
The first lookup is done based on the VPN label to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to forward packets to the correct end hosts on the shared medium.
Perform egress filtering at the egress PE router.
The first lookup on the VPN label is done to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to filter and forward packets. You can enable this functionality by configuring output filters on the VRF interfaces.

To configure a virtual loopback tunnel to facilitate VRF table lookup based on MPLS labels, you specify a virtual loopback tunnel interface name and associate it with a routing instance that belongs to a particular routing table. The packet loops back through the virtual loopback tunnel for route lookup. To specify a virtual loopback tunnel interface name, you configure the virtual loopback tunnel interface at the [edit interfaces] hierarchy level and include the family inet and family mpls statements:

vt-fpc/pic/port {unit 0 {family inet;family mpls;}unit 1 {family inet;}}

To associate the virtual loopback tunnel with a routing instance, include the virtual loopback tunnel interface name at the [edit routing-instances] hierarchy level:

interface vt-fpc/pic/port;

Note: For the virtual loopback tunnel interface, none of the logical interface statements are valid, except for the family statement; in particular, you cannot configure IPv4 or IPv6 addresses on these interfaces. Also, virtual loopback tunnels do not support class-of-service (CoS) configurations.