Facilitating VRF Table Lookup Using Virtual Loopback Tunnel Interfaces
Configuring Virtual Loopback Tunnels for VRF Table Lookup
To enable egress filtering, you can either configure filtering based on the IP header, or you can configure a virtual loopback tunnel on routers equipped with a Tunnel PIC. Table 1 describes each method.
Method |
Interface Type |
Configuration Guidelines |
Comments |
|---|---|---|---|
Filter traffic based on the IP header |
Nonchannelized Point-to-Point Protocol / High Level Data Link Control (PPP/HDLC) core-facing SONET/SDH interfaces |
Include the For more information, see the Junos OS VPNs Library for Routing Devices. |
There is no restriction on customer-edge (CE) router-to-provider edge (PE) router interfaces. |
Configure a virtual loopback tunnel on routers equipped with a Tunnel PIC |
All interfaces |
See the guidelines in this section. |
Router must be equipped with a Tunnel PIC. There is no restriction on the type of core-facing interface used or CE router-to-PE router interface used. You cannot configure a virtual loopback tunnel and the |
You can configure a virtual loopback tunnel to facilitate VRF table lookup based on MPLS labels. You might want to enable this functionality so you can do either of the following:
Forward traffic on a PE router to CE device interface, in a shared medium, where the CE device is a Layer 2 switch without IP capabilities (for example, a metro Ethernet switch).
The first lookup is done based on the VPN label to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to forward packets to the correct end hosts on the shared medium.
Perform egress filtering at the egress PE router.
The first lookup on the VPN label is done to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to filter and forward packets. You can enable this functionality by configuring output filters on the VRF interfaces.
To configure a virtual loopback tunnel to facilitate VRF table
lookup based on MPLS labels, you specify a virtual loopback tunnel
interface name and associate it with a routing instance that belongs
to a particular routing table. The packet loops back through the virtual
loopback tunnel for route lookup. To specify a virtual loopback tunnel
interface name, you configure the virtual loopback tunnel interface
at the [edit interfaces] hierarchy level and include the family inet and family mpls statements:
vt-fpc/pic/port {
unit 0 {
family inet;
family mpls;
}
unit 1 {
family inet;
}
}
To associate the virtual loopback tunnel with a routing instance,
include the virtual loopback tunnel interface name at the [edit
routing-instances] hierarchy level:
interface vt-fpc/pic/port;
On virtual loopback tunnel interfaces, none of the logical
interface statements except the family statement is supported.
Note that you can configure only inet and mpls families, and you cannot configure IPv4 or IPv6 addresses on virtual
loopback tunnel interfaces. Also, virtual loopback tunnel interfaces
do not support class-of-service (CoS) configurations.
See Also
Configuring Tunnel Interfaces for Routing Table Lookup
To configure tunnel interfaces to facilitate routing table lookups
for VPNs, you specify a tunnel’s endpoint IP addresses and associate
them with a routing instance that belongs to a particular routing
table. This enables the Junos OS to search in the appropriate routing
table for the route prefix, because the same prefix can appear in
multiple routing tables. To configure the destination VPN, include
the routing-instance statement:
routing-instance { destination routing-instance-name; }
You can include this statement at the following hierarchy levels:
[edit interfaces gr-fpc/pic/port unit logical-unit-number tunnel][edit logical-systems logical-system-name interfaces gr-fpc/pic/port unit logical-unit-number tunnel]
This configuration indicates that the tunnel’s destination
address is in routing instance routing-instance-name. By default, the tunnel route prefixes are assumed to be in
the default Internet routing table inet.0.
If you configure a virtual loopback tunnel interface and
the vrf-table-label statement on the same routing instance,
the vrf-table-label statement takes precedence over the
virtual loopback tunnel interface. For more information, see Configuring Virtual Loopback Tunnels for VRF Table
Lookup.
For more information about VPNs, see the Junos OS VPNs Library for Routing Devices.
See Also
Example: Configuring a Virtual Loopback Tunnel for VRF Table Lookup
Configure a virtual loopback tunnel for VRF table lookup:
[edit routing-instances]
routing-instance-1 {
instance-type vrf;
interface vt-1/0/0.0;
interface so-0/2/2.0;
route-distinguisher 2:3;
vrf-import VPN-A-import;
vrf-export VPN-A-export;
routing-options {
static {
route 10.0.0.0/8 next-hop so-0/2/2.0;
}
}
}
routing-instance-2 {
instance-type vrf;
interface vt-1/0/0.1;
interface so-0/3/2.0;
route-distinguisher 4:5;
vrf-import VPN-B-import;
vrf-export VPN-B-export;
routing-options {
static {
route 10.0.0.0/8 next-hop so-0/3/2.0;
}
}
}
[edit interfaces]
vt-1/0/0 {
unit 0 {
family inet;
family mpls;
}
unit 1 {
family inet;
}
}
See Also
Example: Virtual Routing and Forwarding (VRF) and Service Configuration
The following example combines virtual routing and forwarding (VRF) and services configuration:
[edit policy-options]
policy-statement test-policy {
term t1 {
then reject;
}
}
[edit routing-instances]
test {
interface ge-0/2/0.0;
interface sp-1/3/0.20;
instance-type vrf;
route-distinguisher 10.58.255.1:37;
vrf-import test-policy;
vrf-export test-policy;
routing-options {
static {
route 0.0.0.0/0 next-table inet.0;
}
}
}
[edit interfaces]
ge-0/2/0 {
unit 0 {
family inet {
service {
input service-set nat-me;
output service-set nat-me;
}
}
}
}
sp-1/3/0 {
unit 0 {
family inet;
}
unit 20 {
family inet;
service-domain inside;
}
unit 21 {
family inet;
service-domain outside;
}
[edit services]
stateful-firewall {
rule allow-any-input {
match-direction input;
term t1 {
then accept;
}
}
}
nat {
pool hide-pool {
address 10.58.16.100;
port automatic;
}
rule hide-all-input {
match-direction input;
term t1 {
then {
translated {
source-pool hide-pool;
translation-type source napt-44;
}
}
}
}
}
service-set nat-me {
stateful-firewall-rules allow-any-input;
nat-rules hide-all-input;
interface-service {
service-interface sp-1/3/0.20;
}
}
}