I did a test with and without vrf-table-label enabled on a PE router with a shared medium.
As below, the next-hop of label 299968 is pointing to 18.104.22.168, the IP address of the CE, not to the vrf table.
It is the same MPLS label operation, Pop, as well; however, the PE router doesn't forward any packets to the CE.
I am not able to understand: why doesn't the PE router forward any packets to the CE, although the mpls.0 table indicates the label 299968 operation is Pop and the next-hop is pointing to the address 22.214.171.124 of the CE?
<<<<<<< This table without vrf-table-label enabled. <<<<
ernest@pe2> show route table mpls.0
mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0 *[MPLS/0] 08:39:20, metric 1
    Receive
1 *[MPLS/0] 08:39:20, metric 1
    Receive
2 *[MPLS/0] 08:39:20, metric 1
    Receive
299968 *[VPN/170] 00:08:14 <<<<<< inner VPN label.
    > to 126.96.36.199 via ge-1/0/0.902, Pop <<<< pointing to CE, label operation is Pop.

<<<<< This table with vrf-table-label enabled. <<<<<
pe2> show route table mpls.0
0 *[MPLS/0] 07:03:57, metric 1
    Receive
1 *[MPLS/0] 07:03:57, metric 1
    Receive
2 *[MPLS/0] 07:03:57, metric 1
    Receive
16 *[VPN/0] 00:03:45 <<<<<< inner VPN label.
    to table ce2.inet.0, Pop <<<<<< pointing to next vrf table, label operation is Pop. This is normal configuration for PE with shared medium.
It comes down to the fact that the router has to build a layer2 header for multiaccess media. vrf-table-label allows two lookups to take place. The first lookup is done on the VPN label to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to forward packets to the correct end hosts on the shared medium.
Without vrf-table-label, the ASIC doesn't know how to construct the layer2 header to put the packet on the wire. It is only with point-to-point media that vrf-table-label can be left off.
You could also use a vt- interface - either way, this is required to build the L2 header on shared access media.
I am unable to understand:
1. Why doesn't a point-to-point interface need an ASIC to construct the layer2 header (ppp or hdlc)?
2. Why doesn't the system need to check the IP header when the interface is point-to-point? What if the VRF has two point-to-point interfaces?
With p2p interfaces inside the vrf, you do NOT need to perform a mac lookup, because, if you will, you already know your remote endpoint: "it's the other end of this interface".
However, if the interface inside the vrf is a, say, /24, an IP/mac lookup will be required after the label lookup. That is why without vrf-table-label (or vt- interfaces), you would see this interface as /32 and not /24 on a remote PE.
Hope this helps,
By default, Junos allocates separate VPN labels per next-hop.
For example, if you have two routes with next-hop 10.10.10.1 and 1 route with next-hop 188.8.131.52, the label allocation at the ingress PE will look like below (by default, without vrf-table-label):
Route              Next-hop          Allocated label
10.0.1.0/24        10.10.10.1        222111
192.168.1.0/24     10.10.10.1        222111
192.168.2.0/24     184.108.40.206    111123
Juniper's forwarding mechanism is a bit different: when a labeled packet arrives at the PE with the VPN label, the PE will not check the IP header. It will send the packet straight away to the output interface.
This behavior is fine with P2P links, because there will be a single host as next-hop and the routes learnt through different interfaces will have different labels.
But in multi-access networks, sending the packet through the output interface (without knowing the Layer 2 next-hop information) will not work. Therefore the PE needs to check the IP header first to find out the Layer 3 next-hop and then ARP to resolve the Layer 2 address of the next-hop.
Vrf-Table-Label (VTL) is a feature which instructs the PE to advertise a single unique VPN label for all routes in the respective routing-instance. This label is bound to a software-created logical interface.
With VTL configured:
Route              Next-hop          Allocated label
10.0.1.0/24        10.10.10.1        16
192.168.1.0/24     10.10.10.1        16
192.168.2.0/24     220.127.116.11    16
All packets that come with this label (16) will be handled by this logical interface first, and hence the VPN label will be popped; the resulting IP packet will be treated by the regular forwarding mechanism,
i.e. Layer 3 lookup, ARP resolution for the next-hop, then forwarding through the physical media.
This is the reason for using VTL in a routing instance with multi-access (Ethernet) interfaces.
I hope this clarifies your query.
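The two allocation modes and the VTL egress path described in the post above, as an added example that is not part of the original post and is not Junos code. It is a simplified model: the function names, the second next-hop 10.10.20.1, the MAC addresses and the per-next-hop label numbers are constructed for illustration; only label 16 and the two 10.10.10.1 routes come from the post.

```python
import ipaddress

# Constructed sample routes for one VRF: (prefix, CE next-hop).
ROUTES = [
    ("10.0.1.0/24", "10.10.10.1"),
    ("192.168.1.0/24", "10.10.10.1"),
    ("192.168.2.0/24", "10.10.20.1"),
]
# Constructed ARP cache for the shared PE-CE segment.
ARP = {"10.10.10.1": "00:00:5e:00:53:01", "10.10.20.1": "00:00:5e:00:53:02"}


def allocate_per_next_hop(routes, first_label=299968):
    """Default mode as described: routes sharing a next-hop share a label."""
    label_of_next_hop, table = {}, {}
    for prefix, next_hop in routes:
        if next_hop not in label_of_next_hop:
            # Constructed numbering: next free label per new next-hop.
            label_of_next_hop[next_hop] = first_label + len(label_of_next_hop)
        table[prefix] = label_of_next_hop[next_hop]
    return table


def allocate_table_label(routes, label=16):
    """vrf-table-label mode: one label for every route in the instance."""
    return {prefix: label for prefix, _ in routes}


def egress_with_table_label(dst_ip, routes, arp):
    """After the label is popped: longest-prefix match in the VRF, then ARP."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None  # no route in the VRF table for this destination
    _, next_hop = max(matches, key=lambda m: m[0].prefixlen)
    # dst_mac is the Layer 2 address needed to put the frame on the segment.
    return {"next_hop": next_hop, "dst_mac": arp.get(next_hop)}
```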
[Why PE router don't forward any packet to CE, although the mpls.0 table indicates the label 299968 operation is Pop and the next-hop is pointing to the address 18.104.22.168 of CE?]
It's weird. As noted above, I can still ping the CE's IP. That means the PE can forward packets to the CE without the vrf-table-label config, and my egress interface (PE-CE) type is XE (multiaccess).
My environment: MX104
Please go over below link