Junos OS


Ask questions and share experiences about Junos OS.

MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

  • 1.  MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-08-2010 23:00

    Hello again,

    I'm still having problems setting up MPLS/BGP VPN.

     

    This is my configuration:

    r0

     

    version 8.5R1.13;
    system {
        host-name r0;
        root-authentication {
            encrypted-password "$1$eRYHj8cM$vuvHGDgNV12hwb4J1ovcz/"; ## SECRET-DATA
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.0.254/24;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family inet {
                    address 172.16.0.1/30;
                }
                family mpls;
            }
        }
    }
    routing-options {
        autonomous-system 65535;
    }
    protocols {
        rsvp {
            traceoptions {
                file rsvp;
                flag all;
            }
            interface fe-0/0/1.0;
        }
        mpls {
            label-switched-path r0-to-r1 {
                to 172.16.0.2;
            }
            interface fe-0/0/1.0;
            interface fe-0/0/0.0;
        }
        bgp {
            group r0-to-r1 {
                type internal;
                local-address 172.16.0.1;
                family inet-vpn {
                    unicast;
                }
                neighbor 172.16.0.2;
            }
        }
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface fe-0/0/1.0;
            }
        }
    }
    routing-instances {
        VPN {
            instance-type vrf;
            interface fe-0/0/0.0;
            route-distinguisher 65535:0;
            vrf-target target:65535:5;
        }
    }

     

     

    r1

     

    version 8.5R1.13;
    system {
        host-name r1;
        root-authentication {
            encrypted-password "$1$ttk6fSnu$zcFVcQdaWWAXghG3/12d10"; ## SECRET-DATA
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.1.254/24;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family inet {
                    address 172.16.0.2/30;
                }
                family mpls;
            }
        }
    }
    routing-options {
        autonomous-system 65535;
    }
    protocols {
        rsvp {
            interface fe-0/0/1.0;
        }
        mpls {
            label-switched-path r1-to-r0 {
                to 172.16.0.1;
            }
            interface fe-0/0/1.0;
            interface fe-0/0/0.0;
        }
        bgp {
            group r1-to-r0 {
                type internal;
                local-address 172.16.0.2;
                family inet-vpn {
                    unicast;
                }
                neighbor 172.16.0.1;
            }
        }
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface fe-0/0/1.0;
            }
        }
    }
    routing-instances {
        VPN {
            instance-type vrf;
            interface fe-0/0/0.0;
            route-distinguisher 65535:1;
            vrf-target target:65535:5;
        }
    }

     

     

     

    Some more information:

    r0

     

    root@r0> show rsvp neighbor
    RSVP neighbor: 1 learned
    Address            Idle Up/Dn LastChange HelloInt HelloTx/Rx MsgRcvd
    172.16.0.2            0  1/0       21:32        9   147/146  73
    
    root@r0> show mpls lsp
    Ingress LSP: 1 sessions
    To              From            State Rt ActivePath       P     LSPname
    172.16.0.2      172.16.0.1      Up     0                  *     r0-to-r1
    Total 1 displayed, Up 1, Down 0
    
    Egress LSP: 1 sessions
    To              From            State   Rt Style Labelin Labelout LSPname
    172.16.0.1      172.16.0.2      Up       0  1 FF       3        - r1-to-r0
    Total 1 displayed, Up 1, Down 0
    
    Transit LSP: 0 sessions
    Total 0 displayed, Up 0, Down 0
    
    root@r0> show bgp neighbor
    Peer: 172.16.0.2+64915 AS 65535 Local: 172.16.0.1+179 AS 65535
      Type: Internal    State: Established    Flags: <Sync>
      Last State: OpenConfirm   Last Event: RecvKeepAlive
      Last Error: None
      Options: <Preference LocalAddress AddressFamily Rib-group Refresh>
      Address families configured: inet-vpn-unicast
      Local Address: 172.16.0.1 Holdtime: 90 Preference: 170
      Number of flaps: 1
      Last flap event: RecvNotify
      Error: 'Cease' Sent: 0 Recv: 1
      Peer ID: 172.16.0.2       Local ID: 172.16.0.1       Active Holdtime: 90
      Keepalive Interval: 30         Peer index: 0
      BFD: disabled, down
      NLRI advertised by peer: inet-vpn-unicast
      NLRI for this session: inet-vpn-unicast
      Peer supports Refresh capability (2)
      Table bgp.l3vpn.0
        RIB State: BGP restart is complete
        RIB State: VPN restart is complete
        Send state: not advertising
        Active prefixes:              0
        Received prefixes:            0
        Suppressed due to damping:    0
      Table VPN.inet.0 Bit: 20000
        RIB State: BGP restart is complete
        RIB State: VPN restart is complete
        Send state: in sync
        Active prefixes:              0
        Received prefixes:            0
        Suppressed due to damping:    0
        Advertised prefixes:          1
      Last traffic (seconds): Received 15   Sent 11   Checked 60
      Input messages:  Total 30     Updates 1       Refreshes 1     Octets 626
      Output messages: Total 32     Updates 2       Refreshes 0     Octets 686
      Output Queue[0]: 0
      Output Queue[1]: 0
    
    root@r0> show bgp group
    Group Type: Internal    AS: 65535                  Local AS: 65535
      Name: r0-to-r1        Index: 0                   Flags: <Export Eval>
      Holdtime: 0
      Total peers: 1        Established: 1
      172.16.0.2+64915
      bgp.l3vpn.0: 0/0/0
      VPN.inet.0: 0/0/0
    
    Groups: 1  Peers: 1    External: 0    Internal: 1    Down peers: 0   Flaps: 1
    Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
    bgp.l3vpn.0            0          0          0          0          0          0
    VPN.inet.0             0          0          0          0          0          0
    inet.0                 0          0          0          0          0          0
    
    root@r0> show route
    
    inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    172.16.0.0/30      *[Direct/0] 00:22:50
                        > via fe-0/0/1.0
    172.16.0.1/32      *[Local/0] 00:22:50
                          Local via fe-0/0/1.0
    224.0.0.5/32       *[OSPF/10] 00:22:50, metric 1
                          MultiRecv
    
    inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    172.16.0.2/32      *[RSVP/7] 00:22:20, metric 65535
                        > to 172.16.0.2 via fe-0/0/1.0, label-switched-path r0-to-r1
    
    __juniper_private1__.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.0.0.1/32        *[Direct/0] 00:22:50
                        > via lo0.16385
    10.0.0.16/32       *[Direct/0] 00:22:50
                        > via lo0.16385
    
    VPN.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.0.0/24     *[Direct/0] 00:22:50
                        > via fe-0/0/0.0
    192.168.0.254/32   *[Local/0] 00:22:50
                          Local via fe-0/0/0.0
    
    mpls.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0                  *[MPLS/0] 00:22:50, metric 1
                          Receive
    1                  *[MPLS/0] 00:22:50, metric 1
                          Receive
    2                  *[MPLS/0] 00:22:50, metric 1
                          Receive
    
    root@r0> show route table bgp.l3vpn.0
    
    root@r0>

     

     

    r1

     

    root@r1> show rsvp neighbor
    RSVP neighbor: 1 learned
    Address            Idle Up/Dn LastChange HelloInt HelloTx/Rx MsgRcvd
    172.16.0.1            5  1/0       23:10        9   156/156  74
    
    root@r1> show mpls lsp
    Ingress LSP: 1 sessions
    To              From            State Rt ActivePath       P     LSPname
    172.16.0.1      172.16.0.2      Up     0                  *     r1-to-r0
    Total 1 displayed, Up 1, Down 0
    
    Egress LSP: 1 sessions
    To              From            State   Rt Style Labelin Labelout LSPname
    172.16.0.2      172.16.0.1      Up       0  1 FF       3        - r0-to-r1
    Total 1 displayed, Up 1, Down 0
    
    Transit LSP: 0 sessions
    Total 0 displayed, Up 0, Down 0
    
    root@r1> show bgp neighbor
    Peer: 172.16.0.1+179 AS 65535  Local: 172.16.0.2+64915 AS 65535
      Type: Internal    State: Established    Flags: <Sync>
      Last State: OpenConfirm   Last Event: RecvKeepAlive
      Last Error: None
      Options: <Preference LocalAddress AddressFamily Rib-group Refresh>
      Address families configured: inet-vpn-unicast
      Local Address: 172.16.0.2 Holdtime: 90 Preference: 170
      Number of flaps: 0
      Peer ID: 172.16.0.1       Local ID: 172.16.0.2       Active Holdtime: 90
      Keepalive Interval: 30         Peer index: 0
      BFD: disabled, down
      NLRI advertised by peer: inet-vpn-unicast
      NLRI for this session: inet-vpn-unicast
      Peer supports Refresh capability (2)
      Table bgp.l3vpn.0
        RIB State: BGP restart is complete
        RIB State: VPN restart is complete
        Send state: not advertising
        Active prefixes:              0
        Received prefixes:            0
        Suppressed due to damping:    0
      Table VPN.inet.0 Bit: 20000
        RIB State: BGP restart is complete
        RIB State: VPN restart is complete
        Send state: in sync
        Active prefixes:              0
        Received prefixes:            0
        Suppressed due to damping:    0
        Advertised prefixes:          1
      Last traffic (seconds): Received 17   Sent 20   Checked 8
      Input messages:  Total 33     Updates 2       Refreshes 0     Octets 679
      Output messages: Total 34     Updates 1       Refreshes 1     Octets 702
      Output Queue[0]: 0
      Output Queue[1]: 0
    
    root@r1> show bgp group
    Group Type: Internal    AS: 65535                  Local AS: 65535
      Name: r1-to-r0        Index: 0                   Flags: <Export Eval>
      Holdtime: 0
      Total peers: 1        Established: 1
      172.16.0.1+179
      bgp.l3vpn.0: 0/0/0
      VPN.inet.0: 0/0/0
    
    Groups: 1  Peers: 1    External: 0    Internal: 1    Down peers: 0   Flaps: 0
    Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
    bgp.l3vpn.0            0          0          0          0          0          0
    VPN.inet.0             0          0          0          0          0          0
    inet.0                 0          0          0          0          0          0
    
    root@r1> show route
    
    inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    172.16.0.0/30      *[Direct/0] 00:24:00
                        > via fe-0/0/1.0
    172.16.0.2/32      *[Local/0] 00:24:00
                          Local via fe-0/0/1.0
    224.0.0.5/32       *[OSPF/10] 00:24:00, metric 1
                          MultiRecv
    
    inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    172.16.0.1/32      *[RSVP/7] 00:10:33, metric 65535
                        > to 172.16.0.1 via fe-0/0/1.0, label-switched-path r1-to-r0
    
    __juniper_private1__.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.0.0.1/32        *[Direct/0] 00:24:00
                        > via lo0.16385
    10.0.0.16/32       *[Direct/0] 00:24:00
                        > via lo0.16385
    
    VPN.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.1.0/24     *[Direct/0] 00:24:00
                        > via fe-0/0/0.0
    192.168.1.254/32   *[Local/0] 00:24:00
                          Local via fe-0/0/0.0
    
    mpls.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0                  *[MPLS/0] 00:24:00, metric 1
                          Receive
    1                  *[MPLS/0] 00:24:00, metric 1
                          Receive
    2                  *[MPLS/0] 00:24:00, metric 1
                          Receive
    
    root@r1> show route table bgp.l3vpn.0
    
    root@r1>

     

     

    Where am I wrong?

     

    Thanks!



  • 2.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 01:00

    Hello there,

    You don't have an export policy for your MP-BGP.

    By default, BGP advertises only BGP routes (if it has them).

    Write a policy to accept static|direct|OSPF, etc. routes and apply it as export policy to your MP-BGP group.

    Rgds

    Alex

     



  • 3.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 05:41

    As the documentation states, the default policy for VPN exported routes is to accept them.

    You're controlling the routes using vrf-import or vrf-export policies.

     

    Just to be sure, I've altered the configuration as follows:

    r0

     

    [edit]
    root@r0# show policy-options
    policy-statement accept {
        then accept;
    }
    
    [edit]
    root@r0# show protocols bgp
    group r0-to-r1 {
        type internal;
        local-address 172.16.0.1;
        import accept;
        family inet-vpn {
            unicast;
        }
        export accept;
        neighbor 172.16.0.2;
    }

     

     

    r1

     

    root@r1# show policy-options
    policy-statement accept {
        then accept;
    }
    
    [edit]
    root@r1# show protocols bgp
    group r1-to-r0 {
        type internal;
        local-address 172.16.0.2;
        import accept;
        family inet-vpn {
            unicast;
        }
        export accept;
        neighbor 172.16.0.1;
    }

     

    Still no change. Routing tables are the same.

     



  • 4.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 06:20

    Hello there,

    It seems that "vrf-target" statement is not working for you.

    It should import the static+direct routes into BGP RIB.

    Do you see the 172.16.0.1/32 and 172.16.0.2/32 routes in inet.3 table?

    EDITED:

    I re-read your original post and see that indeed 172.16.0.1/32 and 172.16.0.2/32 are making it into inet.3

    Could you please post printout "show route advertising-protocol bgp 172.16.0.1|172.16.0.2"?

    HTH

    Rgds

    Alex

     



  • 5.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 06:32

    The inet.3 for both routers is included in my [code] section above.



  • 6.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 06:35

    Indeed I re-read your original post and noticed that.

    Could you please post these printouts:

     

     

    show route advertising-protocol bgp 172.16.0.1
    show route advertising-protocol bgp 172.16.0.2

     

     

    Rgds

    Alex



  • 7.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 06:42

     

    root@r0> show route advertising-protocol bgp 172.16.0.1
    
    root@r0> show route advertising-protocol bgp 172.16.0.2
    
    VPN.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
      Prefix                  Nexthop              MED     Lclpref    AS path
    * 192.168.0.0/24          Not advertised               100        I
    
    root@r0>
    
    root@r1> show route advertising-protocol bgp 172.16.0.1
    
    VPN.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
      Prefix                  Nexthop              MED     Lclpref    AS path
    * 192.168.1.0/24          Not advertised               100        I
    
    root@r1> show route advertising-protocol bgp 172.16.0.2
    
    root@r1>

     

     



  • 8.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 06:56

    Hello there,

    Thanks for posting the printouts. I think we both see a problem here: the next-hop value should be "Self" but instead it shows "Not advertised". The reference printout (for comparison) is shown here

    http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/swcmdref-protocols/show-route-advertising-protocol.html#jd0e36218

    I think you have 2 options here:

    1/ try setting next-hop explicitly in vrf-export policy. This means you have to use "vrf-import" and "vrf-export" statements and not "vrf-target" statement, plus write appropriate policies.

    2/ try to set up your MP-iBGP peering between loopbacks. To do that, you have to configure r0/r1 lo0.0 interfaces with reachable IP addresses, make sure these addresses are known by OSPF (which I think is the default setting in 8.5) and also re-establish your RSVP LSP between r0 lo0.0 and r1 lo0.0.

    HTH

    Rgds

    Alex



  • 9.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 07:13
    root@r1> show route advertising-protocol bgp 172.16.0.1
    
    VPN.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
      Prefix                  Nexthop              MED     Lclpref    AS path
    * 192.168.1.0/24          Not advertised               100        I
    
    root@r1> show route advertising-protocol bgp 172.16.0.2
    
    root@r1> edit
    Entering configuration mode
    
    [edit]
    root@r1# show interfaces lo0.0
    family inet {
        address 172.16.254.2/32;
    }
    
    [edit]
    root@r1# show protocols rsvp
    interface fe-0/0/1.0;
    interface lo0.0;
    
    [edit]
    root@r1# show protocols mpls
    label-switched-path r1-to-r0 {
        from 172.16.254.2;
        to 172.16.254.1;
    }
    interface fe-0/0/1.0;
    interface fe-0/0/0.0;
    interface lo0.0;
    
    [edit]
    root@r1# run show mpls lsp
    Ingress LSP: 1 sessions
    To              From            State Rt ActivePath       P     LSPname
    172.16.254.1    172.16.254.2    Up     0                  *     r1-to-r0
    Total 1 displayed, Up 1, Down 0
    
    Egress LSP: 1 sessions
    To              From            State   Rt Style Labelin Labelout LSPname
    172.16.254.2    172.16.254.1    Up       0  1 FF       3        - r0-to-r1
    Total 1 displayed, Up 1, Down 0
    
    Transit LSP: 0 sessions
    Total 0 displayed, Up 0, Down 0

     

    Still not working.

     

    What would the vrf-export policy look like to set next-hop to self?



  • 10.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 07:17

    Hello again,

    Please reconfigure your BGP to peer between lo0.0 as opposed to physical link addresses.

    Rgds

    Alex



  • 11.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 07:31

     

    version 8.5R1.13;
    system {
        host-name r1;
        root-authentication {
            encrypted-password "$1$ttk6fSnu$zcFVcQdaWWAXghG3/12d10"; ## SECRET-DATA
        }
        services {
            ssh {
                root-login allow;
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.1.254/24;
                }
                family mpls;
            }
        }
        fe-0/0/1 {
            unit 0 {
                family inet {
                    address 172.16.0.2/30;
                }
                family mpls;
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 172.16.254.2/32;
                }
            }
        }
    }
    routing-options {
        autonomous-system 65535;
    }
    protocols {
        rsvp {
            interface fe-0/0/1.0;
            interface lo0.0;
        }
        mpls {
            label-switched-path r1-to-r0 {
                from 172.16.254.2;
                to 172.16.254.1;
            }
            interface fe-0/0/1.0;
            interface fe-0/0/0.0;
            interface lo0.0;
        }
        bgp {
            group r1-to-r0 {
                type internal;
                local-address 172.16.254.2;
                family inet-vpn {
                    unicast;
                }
                neighbor 172.16.254.1;
            }
        }
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface fe-0/0/1.0;
                interface lo0.0;
            }
        }
    }
    policy-options {
        policy-statement bgp-export {
            term a {
                then {
                    community add VPN;
                    next-hop self;
                    accept;
                }
            }
            term b {
                then reject;
            }
        }
        policy-statement bgp-import {
            term a {
                from community VPN;
                then accept;
            }
            term b {
                then reject;
            }
        }
        community VPN members target:65535:5;
    }
    routing-instances {
        VPN {
            instance-type vrf;
            interface fe-0/0/0.0;
            route-distinguisher 65535:1;
            vrf-import bgp-import;
            vrf-export bgp-export;
        }
    }

     

     

    and:

     

     

    root@r1> show route advertising-protocol bgp 172.16.254.1
    
    VPN.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
      Prefix                  Nexthop              MED     Lclpref    AS path
    * 192.168.1.0/24          Not advertised               100        I

     

     



  • 12.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 07:43

    Hello,

    One more request: change your bgp-export policy

     

     

    set policy-options policy-statement bgp-export term a from protocol [ static direct ]

     

     

    - and bounce your BGP session.

    Rgds

    Alex



  • 13.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 07:48

    Same behaviour.

     

    Didn't understand what you mean by "bounce", I'm new to BGP, so I deactivated protocols bgp, committed, and re-activated it.

     

    I've checked after the BGP session was established, btw...



  • 14.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 08:09

    Hello,

    "bounce" means "clear bgp neighbor <IP address>" command, it's a well-known saying in networking.

    Please post the complete configs and also following printouts:

     

     

    show bgp neighbor 172.16.254.1
    show bgp neighbor 172.16.254.2
    show route advertising-protocol bgp 172.16.254.1 extensive
    show route advertising-protocol bgp 172.16.254.2 extensive
    show route table inet.3 extensive
    show route 172.16.254.1 extensive
    show route 172.16.254.2 extensive

     Rgds

    Alex

     



  • 15.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 08:11

    I found the solution.

    You won't believe your eyes:

    http://kb.juniper.net/index?page=content&id=KB12430&cat=BGP&actp=LIST

     

    root@r1> show configuration routing-instances VPN routing-options static
    route 192.168.2.0/24 next-hop 192.168.1.253;

    root@r1> show route advertising-protocol bgp 172.16.254.1

    VPN.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
      Prefix                  Nexthop              MED     Lclpref    AS path
    * 192.168.1.0/24          Self                         100        I
    * 192.168.2.0/24          Self                         100        I

     

    Now, the question is, how do I work around this? 🙂

     



  • 16.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty
    Best Answer

    Posted 02-09-2010 08:19

    Hello,

    I wonder if this can also help:

     

     

    set routing-instances VPN vrf-table-label

     

     

    Rgds

    Alex



  • 17.  RE: MPLS/BGP l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 08:38

    This solved the problem.

    The other solution added all the routes to the routing table, but I couldn't ping the other PE's end.

    Your solution solved the problem 100%.

     

    Here are the configurations for everybody's use! 🙂

     

    r0

     

    version 8.5R1.13;
    system {
        host-name r0;
        root-authentication {
            encrypted-password "$1$eRYHj8cM$vuvHGDgNV12hwb4J1ovcz/"; ## SECRET-DATA
        }
        services {
            ssh {
                root-login allow;
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.0.254/24;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family inet {
                    address 172.16.0.1/30;
                }
                family mpls;
            }
        }
    }
    routing-options {
        autonomous-system 65535;
    }
    protocols {
        rsvp {
            interface fe-0/0/1.0;
        }
        mpls {
            label-switched-path r0-to-r1 {
                from 172.16.0.1;
                to 172.16.0.2;
            }
            interface fe-0/0/1.0;
            interface fe-0/0/0.0;
        }
        bgp {
            group r0-to-r1 {
                type internal;
                local-address 172.16.0.1;
                family inet-vpn {
                    unicast;
                }
                neighbor 172.16.0.2;
            }
        }
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface fe-0/0/1.0;
            }
        }
    }
    routing-instances {
        VPN {
            instance-type vrf;
            interface fe-0/0/0.0;
            route-distinguisher 65535:0;
            vrf-target target:65535:5;
            vrf-table-label;
        }
    }

     

     

    r1:

     

    version 8.5R1.13;
    system {
        host-name r1;
        root-authentication {
            encrypted-password "$1$ttk6fSnu$zcFVcQdaWWAXghG3/12d10"; ## SECRET-DATA
        }
        services {
            ssh {
                root-login allow;
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.1.254/24;
                }
                family mpls;
            }
        }
        fe-0/0/1 {
            unit 0 {
                family inet {
                    address 172.16.0.2/30;
                }
                family mpls;
            }
        }
    }
    routing-options {
        autonomous-system 65535;
    }
    protocols {
        rsvp {
            interface fe-0/0/1.0;
        }
        mpls {
            label-switched-path r1-to-r0 {
                from 172.16.0.2;
                to 172.16.0.1;
            }
            interface fe-0/0/1.0;
            interface fe-0/0/0.0;
        }
        bgp {
            group r1-to-r0 {
                type internal;
                local-address 172.16.0.2;
                family inet-vpn {
                    unicast;
                }
                neighbor 172.16.0.1;
            }
        }
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface fe-0/0/1.0;
            }
        }
    }
    routing-instances {
        VPN {
            instance-type vrf;
            interface fe-0/0/0.0;
            route-distinguisher 65535:1;
            vrf-target target:65535:5;
            vrf-table-label;
        }
    }

     

     

    The right routing table (Finally!):

     

    root@r1> show route
    
    inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    172.16.0.0/30      *[Direct/0] 10:00:53
                        > via fe-0/0/1.0
    172.16.0.2/32      *[Local/0] 10:00:53
                          Local via fe-0/0/1.0
    224.0.0.5/32       *[OSPF/10] 10:00:53, metric 1
                          MultiRecv
    
    inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    172.16.0.1/32      *[RSVP/7] 00:10:00, metric 65535
                        > to 172.16.0.1 via fe-0/0/1.0, label-switched-path r1-to-r0
    
    __juniper_private1__.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.0.0.1/32        *[Direct/0] 10:00:53
                        > via lo0.16385
    10.0.0.16/32       *[Direct/0] 10:00:53
                        > via lo0.16385
    
    VPN.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.0.0/24     *[BGP/170] 00:00:04, localpref 100
                          AS path: I
                        > to 172.16.0.1 via fe-0/0/1.0, label-switched-path r1-to-r0
    192.168.1.0/24     *[Direct/0] 10:00:53
                        > via fe-0/0/0.0
    192.168.1.254/32   *[Local/0] 10:00:53
                          Local via fe-0/0/0.0
    
    mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0                  *[MPLS/0] 10:00:53, metric 1
                          Receive
    1                  *[MPLS/0] 10:00:53, metric 1
                          Receive
    2                  *[MPLS/0] 10:00:53, metric 1
                          Receive
    16                 *[VPN/0] 00:08:00
                          to table VPN.inet.0, Pop
    
    bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    65535:0:192.168.0.0/24
                       *[BGP/170] 00:06:56, localpref 100
                          AS path: I
                        > to 172.16.0.1 via fe-0/0/1.0, label-switched-path r1-to-r0

     

     

    And pinging is working right:

     

    root@r1> ping 192.168.0.254 routing-instance VPN
    PING 192.168.0.254 (192.168.0.254): 56 data bytes
    64 bytes from 192.168.0.254: icmp_seq=0 ttl=64 time=5.191 ms
    64 bytes from 192.168.0.254: icmp_seq=1 ttl=64 time=4.123 ms
    64 bytes from 192.168.0.254: icmp_seq=2 ttl=64 time=57.057 ms
    64 bytes from 192.168.0.254: icmp_seq=3 ttl=64 time=4.724 ms
    ^C
    --- 192.168.0.254 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 4.123/17.774/57.057/22.683 ms

     

     

    Thank you very very very much 🙂

     

    Solution accepted 🙂



  • 18.  RE: MPLS/BPG l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 09:18

    Glad to help 🙂

    Just a comment for everyone's benefit: this behavior is observed because JUNOS allocates labels per next-hop.

    Direct routes on Ethernet interfaces don't have a next-hop as such and therefore cannot be allocated a VPN label.

    "vrf-table-label" creates a single label for the whole VRF table, and the receiving PE performs a VPN label pop followed by an IP lookup to route the pkt out.

    Rgds

    Alex

     



  • 19.  RE: MPLS/BPG l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 09:22

    What are the cons of using vrf-table-label, btw?



  • 20.  RE: MPLS/BPG l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 02-09-2010 09:32

    I can name a few offhand:

    1/ Not all PICs support it. Generally speaking, channelised PICs such as CH-STM1 do not support "vrf-table-label".

    But on J-series there are no restrictions AFAIR.

    2/ In a VRF "hub-and-spoke" setup, if "vrf-table-label" is configured on the hub PE, the spoke-to-spoke traffic is turned around in the hub PE instead of being sent to the hub CE.

    3/ If you manage an MPLS L3VPN core and are concerned about security, "vrf-table-label" allows customers to ping/probe remote PE-CE links from their local CEs without a default route being present in the VRF table. This can be mitigated by properly configured firewall filters on core routers.

    Rgds

    Alex



  • 21.  RE: MPLS/BPG l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 04-09-2010 00:43

    I tried this configuration on a pair of J2320s running JUNOS 10.1 and I wasn't able to get my routing to work.  Any suggestions?

     

     

    R1:
    
    ## Last commit: 2010-04-09 07:49:04 UTC by root
    version 10.1R1.8;
    system {
        root-authentication {
            encrypted-password "$1$rCvhYHAW$hsOQZGGNTtgG7hpfIN1OV."; ## SECRET-DATA
        }
        services {
            ssh;
            web-management {
                http {
                    interface ge-0/0/0.0;
                }
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;   
            }
        }
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.0.254/24;
                }
                family mpls;
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 172.16.0.1/30;
                }
                family mpls;                
            }
        }
    }
    routing-options {
        autonomous-system 65535;
    }
    protocols {
        rsvp {
            interface ge-0/0/1.0;
        }
        mpls {
            label-switched-path r1-to-r2 {
                from 172.16.0.1;
                to 172.16.0.2;
            }
            interface ge-0/0/0.0;
            interface ge-0/0/1.0;
        }
        bgp {
            group r1-to-r2 {
                type internal;
                local-address 172.16.0.1;
                family inet-vpn {           
                    unicast;
                }
                neighbor 172.16.0.2;
            }
        }
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface ge-0/0/1.0;
            }
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {                       
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000; ## Warning: 'queue-size' is deprecated
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone trust {
                tcp-rst;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                http;
                                https;
                                ssh;
                                telnet;     
                                dhcp;
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }                       
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }                       
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    routing-instances {
        VPN {
            instance-type vrf;
            interface ge-0/0/0.0;           
            route-distinguisher 65535:0;
            vrf-target target:65535:5;
            vrf-table-label;
        }
    }

     

    R2:
    
    ## Last changed: 2010-04-09 02:40:49 UTC
    version 10.1R1.8;
    system {
        root-authentication {
            encrypted-password "$1$cdlBbj3B$S30fAu6RF4MCM6jLtya1.0"; ## SECRET-DATA
        }
        services {
            ssh;
            web-management {
                http {
                    interface ge-0/0/0.0;
                }
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;   
            }
        }
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.1.254/24;
                }
                family mpls;
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 172.16.0.2/30;
                }
                family mpls;                
            }
        }
    }
    routing-options {
        autonomous-system 65535;
    }
    protocols {
        rsvp {
            interface ge-0/0/1.0;
        }
        mpls {
            label-switched-path r2-to-r1 {
                from 172.16.0.2;
                to 172.16.0.1;
            }
            interface ge-0/0/0.0;
            interface ge-0/0/1.0;
        }
        bgp {
            group r2-to-r1 {
                type internal;
                local-address 172.16.0.2;
                family inet-vpn {           
                    unicast;
                }
                neighbor 172.16.0.1;
            }
        }
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface ge-0/0/1.0;
            }
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {                       
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000; ## Warning: 'queue-size' is deprecated
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone trust {
                tcp-rst;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                http;
                                https;
                                ssh;
                                telnet;     
                                dhcp;
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }                       
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }                       
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    routing-instances {
        VPN {
            instance-type vrf;
            interface ge-0/0/0.0;           
            route-distinguisher 65535:1;
            vrf-target target:65535:5;
            vrf-table-label;
        }
    }
    
    [edit]
    root# exit 
    Exiting configuration mode
    
    root> show route 
    
    inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    172.16.0.0/30      *[Direct/0] 00:57:51
                        > via ge-0/0/1.0
    172.16.0.2/32      *[Local/0] 00:59:17
                          Local via ge-0/0/1.0
    224.0.0.5/32       *[OSPF/10] 00:41:37, metric 1
                          MultiRecv
    
    inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    172.16.0.1/32      *[RSVP/7/1] 00:41:07, metric 65535
                        > to 172.16.0.1 via ge-0/0/1.0, label-switched-path r2-to-r1
    
    VPN.inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.1.254/32   *[Local/0] 00:41:35
                          Reject
                                            
    mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0                  *[MPLS/0] 00:59:18, metric 1
                          Receive
    1                  *[MPLS/0] 00:59:18, metric 1
                          Receive
    2                  *[MPLS/0] 00:59:18, metric 1
                          Receive
    16                 *[VPN/0] 00:41:36
                          to table VPN.inet.0, Pop      
    
    root> show route advertising-protocol bgp 172.16.0.1 
    
    root> show route advertising-protocol bgp 172.16.0.2    
    
    root>

     

     



  • 22.  RE: MPLS/BPG l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 04-12-2010 11:36

    Hello,

    I see you have this on R2:

     

     

    VPN.inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.1.254/32   *[Local/0] 00:41:35
                          Reject

     

     

    This route is usually auto-created when the interface is up/down. Check if ge-0/0/0 is properly connected and up/up on R2.

    The "vrf-target" knob only auto-exports static and direct routes inside the VRF.

    If you need an interface inside the VRF which is always up/up, you can create a nonzero unit on lo0 and add it into the VRF.

    HTH

    Regards

    Alex
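
The check suggested in reply 22, together with the empty bgp.l3vpn.0 symptom from the thread title, as an added example (not code from any poster or from Juniper). It parses `show route` text and flags a VRF whose only interface route is Local with a Reject next hop. The function names, the finding strings and the two samples (trimmed from the outputs posted above) are assumptions made for illustration.

```python
import re
# Constructed samples, trimmed from the "show route" outputs posted in this thread.
R2_BROKEN = """\
VPN.inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
192.168.1.254/32   *[Local/0] 00:41:35
                      Reject
"""
R1_WORKING = """\
VPN.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
192.168.0.0/24     *[BGP/170] 00:00:04, localpref 100
192.168.1.0/24     *[Direct/0] 10:00:53
                    > via fe-0/0/0.0
192.168.1.254/32   *[Local/0] 10:00:53
                      Local via fe-0/0/0.0
bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
65535:0:192.168.0.0/24
                   *[BGP/170] 00:06:56, localpref 100
"""
TABLE = re.compile(r"^(\S+): \d+ destinations")
PROTO = re.compile(r"\[(\w+)/")

def parse_show_route(text):
    """Return {table: [{'prefix', 'proto', 'detail'}, ...]} from 'show route' text."""
    tables, table, route = {}, None, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("+ ="):
            continue                          # blank line or the flag legend
        header, proto = TABLE.match(line), PROTO.search(line)
        if header:
            table, route = tables.setdefault(header.group(1), []), None
        elif table is None:
            continue                          # CLI prompt before the first table
        elif not line[0].isspace():           # a destination starts at column 0
            route = {"prefix": line.split()[0], "proto": proto and proto.group(1), "detail": []}
            table.append(route)
        elif route and proto and route["proto"] is None:
            route["proto"] = proto.group(1)   # prefix was on its own line (bgp.l3vpn.0)
        elif route:
            route["detail"].append(line.strip())
    return tables

def diagnose(text):
    """Flag the symptoms discussed in replies 21 and 22 (heuristics, not Junos logic)."""
    tables, findings = parse_show_route(text), []
    for name, routes in tables.items():
        if not name.endswith(".inet.0") or name.startswith("__juniper_private"):
            continue                          # only VRF tables such as VPN.inet.0
        protos = {r["proto"] for r in routes}
        for r in routes:
            if r["proto"] == "Local" and "Reject" in r["detail"] and "Direct" not in protos:
                findings.append(f"{name}: {r['prefix']} is Local/Reject with no Direct route")
    if "bgp.l3vpn.0" not in tables:
        findings.append("bgp.l3vpn.0: table absent from output, no inet-vpn routes shown")
    return findings
```

`diagnose(R2_BROKEN)` returns both findings, while `diagnose(R1_WORKING)` returns an empty list.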

     



  • 23.  RE: MPLS/BPG l3vpn - bgp.l3vpn.0 routing table is empty

    Posted 11-24-2010 07:32

    Hi Guys,

     

    There is no configuration between PE and CE in the routing instance. Set the protocol run between the CE and PE like

     

    # set routing-instances L3VPN protocols .....  (just like configuring the normal protocol) in the PE router

     

    lab# show routing-instances
    L3VPN {
        instance-type vrf;
        interface em0.0;
        route-distinguisher 4.4.4.4:20;
        vrf-target target:1.1.1.1:20;
        vrf-table-label;
        protocols {
            ospf {
                export BGP_OSPF;
                area 0.0.0.0 {
                    interface em0.0;
                }
            }
        }
    }