I am trying to understand the use for " vrf-table-label" in IP VPN.
Doc says it is used to advertise a single VPN label for all routes in the VRF"
To test this, I have created a loopback 22 and placed in routing-instance IPVPN as shown below:
set routing-instances IPVPN instance-type vrfset routing-instances IPVPN interface lo0.22set routing-instances IPVPN route-distinguisher 22.214.171.124:11set routing-instances IPVPN vrf-target target:2:2
MX1 will generate a separate label for lo0.22 because we have not configured "set routing-instances IPVPN vrf-table-label"
But I still see MX1 generates single label for all routes in IP VPN:
root@MX1> show route table mpls.068 *[VPN/170] 00:00:15receive table IPVPN.inet.0, Pop
MX1 advertise label 68 for 126.96.36.199 in BGP's update:
root@MX1> show route advertising-protocol bgp 188.8.131.52 extensive | find 184.108.40.206* 220.127.116.11/32 (1 entry, 1 announced)BGP group INTERNAL type InternalRoute Distinguisher: 18.104.22.168:11VPN Label: 68<--------------Nexthop: SelfFlags: Nexthop ChangeLocalpref: 100AS path:  ICommunities: target:2:2
It looks like it does not matter if we have configured vrf-table-label or not.
Or am I missing something?
Thanks and have a good day!!
vrf-table-label is not only about generating a single label.
Without VRF table label you have the following:
In this example:
You can see that PE1 has 3 interfaces in VRF1:
But only advertises labels for the prefixes under gr-2/1/0.4012 and sp-2/1/0.4012, which are point to point interfaces.
10.5.112/24 label 300480
10.6.112/24 label 300576
It does not advertise a label for prefixes associated with interface xe-1/0/0.4012, because to send traffic out of this interface, PE1 would need to figure out what the MAC address to reach the destination IP address is, which would involve looking at the IP header, and ARP and so on. This cannot be done with a simple LABEL IN => INTERFACE OUT (which is how packets are forwarded without vrf-table-label)
If you check the advertised routes, here is what the router shows:
Even more interesting is this:
If you check the routes in mpls.0 (which is the table the router looks at when MPLS packets arrived), you can see that the entries for the labels advertised by the router have an action of pop/interface. For instance, when a packet with label 300480 arrives the action is POP the label, send the packet out of interface gr-2/1/0.4012
You can see this in the diagram below:
PE1 did not look at the destination IP address at all. If you wanted to apply any kind of classification, or filtering, it is not possible.
So, what happens when you enable vrf-table-label?
For starters, as you already know, the router advertises a single label that represents the VRF, and is the same for all the prefixes regardless of which interface they belong to.
If you look at the diagram showing how the new advertisements look like, first thing you might notice is that now the router IS advertising the prefix associated with interface xe-1/0/0.4012. All three prefixes are advertised with the same label (25).
Packets will now be processed this way:
You can see that after removing the label, the router performs a L3 route lookup in VRF1.inet.0. Resolving the MAC address, filtering or CoS on the interface works as it works with any other L3 interface.
Now, how does the router know it needs to do this?
Because the mpls.0 table has an entry for label 25 that instead of pointing to a specific interface, points to the VRF's routing table:
------------------------------Yasmin LaraJuniper AmbassadorJNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SECJNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT------------------------------
There is one more piece of magic behind vrf-table-label.
If you look at the attributes of the VRF routing instance before and after configuring vrf-table-label:
You will find that a new interface was created: an lsi interface.
What is this interface?
Well, that label I said represents the VRF is actually associated with a logical interface called lsi, which is part of the VRF.
At a high level it works like this:
So, under the hood, the router is still doing LABEL IN => INTERFACE OUT, (pop label X => send the packet out of interface Y). except that the interface is internal and loops the packet back into the VRF for further processing. And, there is only one lsi interface for each VRF, with a single label.
------------------------------Yasmin LaraJuniper AmbassadorJNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SECJNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENTOriginal Message:Sent: 12-28-2020 16:03From: Unknown UserSubject: BGPEVPN: Use of vrf-table-label in IPVPN vrf
Thanks Yasmin, hands down the most logical well explained answer I ever seen!!!
I did not see that level of details in any book, ( if you do, please recommend ).
Have a nice day!!!
oh, you are more than welcome! Glad it was helpful!
I don't think I have seen a detailed explanation in a single place either. I put the pieces together, reading multiple documents, and testing it in different scenarios (my customer has it on some of his routers for instance and I created those pictures so that I could explain it to him some time ago).