Routing


with and without vrf-table-label enabled on PE router

  • 1.  with and without vrf-table-label enabled on PE router

    Posted 08-26-2012 10:02

    Hi,

    I did a test with and without vrf-table-label enabled on a PE router with a shared medium.

    As shown below, the next-hop of label 299968 is pointing to 9.9.9.3, the IP address of the CE, not to the VRF table.

    It is the same MPLS label operation (Pop) as well; however, the PE router doesn't forward any packets to the CE.

    I am not able to understand why the PE router doesn't forward any packets to the CE, although the mpls.0 table indicates the label 299968 operation is Pop and the next-hop is pointing to the address 9.9.9.3 of the CE.

     

    CE1--PE1--P1--P2--PE2--CE2

     

    <<<<<<< This table without vrf-table-label enabled. <<<<
    ernest@pe2> show route table mpls.0

    mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0 *[MPLS/0] 08:39:20, metric 1
    Receive
    1 *[MPLS/0] 08:39:20, metric 1
    Receive
    2 *[MPLS/0] 08:39:20, metric 1
    Receive
    299968 *[VPN/170] 00:08:14 <<<<<< inner VPN label.
    > to 9.9.9.3 via ge-1/0/0.902, Pop <<<< pointing to CE, label operation is Pop.


    <<<<< This table with vrf-table-label enabled. <<<<<
    pe2> show route table mpls.0

    mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0 *[MPLS/0] 07:03:57, metric 1
    Receive
    1 *[MPLS/0] 07:03:57, metric 1
    Receive
    2 *[MPLS/0] 07:03:57, metric 1
    Receive
    16 *[VPN/0] 00:03:45 <<<<<< inner VPN label.
    to table ce2.inet.0, Pop <<<<<< pointing to next vrf table, label operation is Pop. This is normal configuration for PE with shared medium.



  • 2.  RE: with and without vrf-table-label enabled on PE router

    Posted 08-27-2012 06:25

    It comes down to the fact that the router has to build a layer2 header for multiaccess media.  vrf-table-label allows two lookups to take place.  The first lookup is done on the VPN label to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to forward packets to the correct end hosts on the shared medium.

     

    Without vrf-table-label, the ASIC doesn't know how to construct the layer2 header to put the packet on the wire.  It is only with point-to-point media that vrf-table-label can be left off.

     

    You could also use a vt- interface - either way, this is required to build the L2 header on shared access media.



  • 3.  RE: with and without vrf-table-label enabled on PE router

    Posted 08-27-2012 11:17

    I am unable to understand:
    1. Why doesn't a point-to-point interface need an ASIC to construct the layer2 header (ppp or hdlc)?
    2. Why doesn't the system need to check the IP header when the interface is point to point? What if the VRF has two point-to-point interfaces?

     

    Thanks.

    Ernest Lin



  • 4.  RE: with and without vrf-table-label enabled on PE router

    Posted 08-27-2012 11:24

    Hey there,

     

     With p2p interfaces inside the vrf, you do NOT need to perform a mac lookup, because, if you will, you already know your remote endpoint: "it's the other end of this interface".

     

     However, if the interface inside the vrf is a, say, /24, an IP/mac lookup will be required after the label lookup. That is why without vrf-table-label (or vt- interfaces), you would see this interface as /32 and not /24 on a remote PE.

     

     Hope this helps,



  • 5.  RE: with and without vrf-table-label enabled on PE router
    Best Answer

    Posted 08-27-2012 17:19

    Hi,

    By default, Junos allocates separate VPN labels per next-hop.

     

    For example, if you have two routes with next-hop 10.10.10.1 and one route with next-hop 20.20.20.1, the label allocation at the ingress PE will look like below (by default, without vrf-table-label):

     

    Route             next-hop     allocated label
    10.0.1.0/24       10.10.10.1   222111
    192.168.1.0/24    10.10.10.1   222111
    192.168.2.0/24    20.20.20.1   111123

     

     

    The Juniper forwarding mechanism is a bit different: when a labeled packet arrives at the PE with the VPN label, the PE will not check the IP header. It will send the packet straight away to the output interface.

     

    This behavior is fine with P2P links, because there will be a single host as next-hop and the routes learnt through different interfaces will have different labels.

     

    But in multi-access networks, sending the packet through the output interface (without knowing the Layer 2 next-hop information) will not work. Therefore the PE needs to check the IP header first to find out the Layer 3 next-hop and then ARP to resolve the Layer 2 address of the next-hop.

     

    vrf-table-label (VTL) is a feature which instructs the PE to advertise a single unique VPN label for all routes in the respective routing-instance. This label is bound to a software-created logical interface.

     

    With VTL configured:

     

    Route             next-hop     allocated label
    10.0.1.0/24       10.10.10.1   16
    192.168.1.0/24    10.10.10.1   16
    192.168.2.0/24    20.20.20.1   16

     

    All packets that come with this label (16) will be handled by this logical interface first, and hence the VPN label will be popped and the resulting IP packet will be treated by the regular forwarding mechanism,

    i.e., Layer 3 lookup, ARP resolution for the next-hop, then forwarding through the physical media.

     

    This is the reason for using VTL in a routing instance with multi-access (Ethernet) interfaces.

     

    I hope this clarifies your query.

     

    Regards,

    Moses
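
The label allocation and lookup order described in the Best Answer above, as an added example that is not part of the original thread and is not Junos code: a simplified Python model that sends a packet whose label and destination address disagree, to show which of the two decides the exit in each mode. The routes and label 16 come from the answer's tables; the interface names, the starting label 300000 and all function names are assumptions, and Layer 2 header construction is not modelled.

```python
import ipaddress

# Constructed VRF routes from the answer's tables: (prefix, CE next-hop, interface).
# Interface names are assumptions, not from the thread.
ROUTES = [
    ("10.0.1.0/24", "10.10.10.1", "ge-0/0/1.0"),
    ("192.168.1.0/24", "10.10.10.1", "ge-0/0/1.0"),
    ("192.168.2.0/24", "20.20.20.1", "ge-0/0/2.0"),
]

def allocate_labels(routes, vrf_table_label, first_label=300000, table_label=16):
    """Return {prefix: VPN label} as advertised by the egress PE."""
    if vrf_table_label:                      # one label for the whole VRF
        return {prefix: table_label for prefix, _, _ in routes}
    per_next_hop, labels = {}, {}
    for prefix, next_hop, _ in routes:       # default: one label per next-hop
        if next_hop not in per_next_hop:
            per_next_hop[next_hop] = first_label + len(per_next_hop)
        labels[prefix] = per_next_hop[next_hop]
    return labels

def build_mpls_table(routes, labels, vrf_table_label, vrf="ce2"):
    """Model the VPN-label entries of mpls.0 on the egress PE."""
    if vrf_table_label:
        return {labels[routes[0][0]]: ("table", vrf + ".inet.0")}
    return {labels[p]: ("next-hop", nh, ifname) for p, nh, ifname in routes}

def forward(label, dst_ip, mpls, routes):
    """Pop the VPN label; return (tables consulted, next-hop, interface)."""
    entry = mpls[label]
    if entry[0] == "next-hop":
        # The label alone picks the exit; the IP header is never inspected.
        return ["mpls.0"], entry[1], entry[2]
    # vrf-table-label: second lookup, longest-prefix match on the IP header.
    dst = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(p), nh, ifname) for p, nh, ifname in routes
            if dst in ipaddress.ip_network(p)]
    if not hits:
        return ["mpls.0", entry[1]], None, None   # no route: packet dropped
    _, next_hop, ifname = max(hits, key=lambda h: h[0].prefixlen)
    return ["mpls.0", entry[1]], next_hop, ifname

def demo(vrf_table_label, via_prefix="10.0.1.0/24", dst_ip="192.168.2.5"):
    """Send dst_ip with the label advertised for via_prefix (a mismatch)."""
    labels = allocate_labels(ROUTES, vrf_table_label)
    mpls = build_mpls_table(ROUTES, labels, vrf_table_label)
    return forward(labels[via_prefix], dst_ip, mpls, ROUTES)

if __name__ == "__main__":
    print("per-next-hop:", demo(False))
    print("vrf-table-label:", demo(True))
```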



  • 6.  RE: with and without vrf-table-label enabled on PE router

    Posted 06-18-2019 00:48

    [Why doesn't the PE router forward any packets to the CE, although the mpls.0 table indicates the label 299968 operation is Pop and the next-hop is pointing to the address 9.9.9.3 of the CE?]

     

    It's weird. As noted above, I can still ping the CE's IP. That means the PE can forward packets to the CE without the vrf-table-label config, and my egress interface (PE-CE) type is XE (multiaccess).

     

    My environment: MX104

    Junos 13.3R5.9 

     



  • 7.  RE: with and without vrf-table-label enabled on PE router

     
    Posted 06-18-2019 00:57