Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Routing-instance instance-type 'mpls-forwarding'

    Posted 11-02-2022 12:49
    Hi All,

    Has anyone ever used an 'mpls-forwarding' routing-instance in their network?

    Reading this document: instance-type I noticed the description for 'mpls-forwarding' stated:

    "(MX Series routers only) Allow filtering and translation of route distinguisher (RD) values in IPv4 and IPv6 VPN address families on both routes received and routes sent for selected BGP sessions. In particular, for Inter-AS VPN Option-B networks, this option can prevent the malicious injection of VPN labels from one peer AS boundary router to another."

    I assume that as this instance-type is 'forwarding' then it has no interfaces associated with it, and requires firewall filters (FBF) to be configured on interfaces (family mpls interfaces?) which then direct labelled traffic to the 'mpls-forwarding' instance? (I also assume rib-groups are used in some capacity? Possibly an 'interface-routes' rib-group as well?)

    Does anyone here have any example configs they can share which would be used with an 'mpls-forwarding' routing-instance? Especially with respect to the config of the firewall filters (family mpls? ... Or family inet?), config of the forwarding-instance itself, and any requisite rib-group config?

    I'd also like to know how the mpls-forwarding instance allows for "filtering and translation of route distinguisher (RD) values in IPv4 and IPv6 VPN address families on both routes received and routes sent for selected BGP sessions" (which begs another question: are BGP sessions configured in the mpls-forwarding instance?)

    Grateful for any info and help on this matter as I can't find any examples of using this instance-type in any Juniper notes on the web!

    TIA



  • 2.  RE: Routing-instance instance-type 'mpls-forwarding'

    Posted 11-08-2022 13:40
    BUMP!

    Anyone??? :-)


  • 3.  RE: Routing-instance instance-type 'mpls-forwarding'

    This message was posted by a user wishing to remain anonymous
    Posted 11-09-2022 06:20
    Hi, 

    It might not be the only use case, but as per my notes the only use case for that instance-type is MPLS spoofing.


    https://www.juniper.net/documentation/us/en/software/junos/multicast/topics/concept/anti-spoofing-support-for-mpls-labels.html
    Inter-AS Option B uses BGP to signal VPN labels between ASBRs.

    The Junos OS anti-spoofing support for Option B implementations works by creating distinct MPLS forwarding table contexts. A separate mpls.0 table is created for each set of VPN ASBR peers. As such, each MPLS forwarding table contains only the relevant labels advertised to the group of inter AS-Option B peers. Packets received with a different MPLS label are dropped. Option B peers are reachable through local interfaces that have been configured as part of the MFI (a new type of routing instance created for inter-AS BGP neighbors that require MPLS spoof-protection), so MPLS packets arriving from the Option B peers are resolved in the instance-specific MPLS forwarding table.

    Assuming the required option-B inter-AS configuration is already in place, the minimum configuration for the MPLS anti-spoofing solution is displayed below:

    -
    set routing-instances <to-as2_name> instance-type mpls-forwarding
    set routing-instances <to-as2_name> interface <interface-to_as2>
    -
    set routing-instances <to-as3_name> instance-type mpls-forwarding
    set routing-instances <to-as3_name> interface <interface-to_as3>
    -
    set protocols bgp group <to-as2_groups> neighbor 2.2.2.2 forwarding-context <to-as2_name>
    set protocols bgp group <to-as3_groups> neighbor 3.3.3.3 forwarding-context <to-as3_name>

    "IGPs and MPLS signaling protocols are not allowed to be configured inside a "mpls-forwarding" type routing-instance"


    Filter-based forwarding for MPLS traffic is not a mainstream solution. Juniper routers most often use the definition of forwarding-options policies in order to statically map a given customer flow to a given static LSP.

    The example listed below defines two different LSPs, defined via RSVP and SPRING, to the host named 'R4' and uses a policy to assign traffic to a given LSP via forwarding policy.

    https://www.juniper.net/documentation/us/en/software/junos/mpls/topics/topic-map/rsvp-configuration.html#id-example-rsvp-lsp-tunnel-configuration
    
    protocols {
        rsvp {
            interface all;
            interface fxp0.0 {
                disable;
            }
        }
        mpls {
            admin-groups {
                fa 1;
                backup 2;
                other 3;
            }
            label-switched-path fa_lsp_r1r4 {
                to 10.255.41.217;
                bandwidth 400k;
                primary path_r1r4;
            }
            path path_r1r4 {
                10.2.4.2;
                10.4.5.2;
                10.3.5.1;
            }
        }
    <snip>
    
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface fxp0.0 {
                    disable;
                }
                interface all;
                peer-interface r4; # Apply the LMP peer interface here.
            }
        }
         link-management { # Configure LMP statements here.
            te-link link_r1r4 { # Assign a name to the TE link here (R4).
    
     <snip>       
    
    
    
    policy-options {
        policy-statement choose_lsp { # <--
            term A {
                from community choose_e2e_lsp;
                then {
                    install-nexthop strict lsp e2e_lsp_r1r4; # RSVP LSP
                    accept;
                }
            }
            term B {
                from community choose_fa_lsp;
                then {
                    install-nexthop strict lsp fa_lsp_r1r4; # SPRING LSP
                    accept;
                }
            }
        }
        policy-statement pplb {
            then {
                load-balance per-packet;
            }
        }
        community choose_e2e_lsp members 1000:1000;
        community choose_fa_lsp members 2000:2000;
        community set_e2e_lsp members 1000:1000;
        community set_fa_lsp members 2000:2000;
    }
    <snip>
    
    routing-options {
        forwarding-table {
            export [ pplb choose_lsp ]; # Apply the policy here
        }
    }


    Hope it helps.
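
An added example, not part of the thread or of Juniper's documentation: a small Python audit for the anti-spoofing configuration described in the post above. It checks that every external BGP neighbor carrying VPN routes has a `forwarding-context` naming an `mpls-forwarding` instance that has an interface. The sample config and all instance, group and interface names are constructed, and only the neighbor-level `forwarding-context` form shown in the post is recognised.

```python
# Constructed sample in Junos "set" format; names are hypothetical. Statement forms
# are those in the post plus the standard "type external" and "family inet-vpn".
SAMPLE = """\
set routing-instances TO-AS2 instance-type mpls-forwarding
set routing-instances TO-AS2 interface ge-0/0/1.0
set routing-instances TO-AS3 instance-type mpls-forwarding
set protocols bgp group to-as2 type external
set protocols bgp group to-as2 family inet-vpn unicast
set protocols bgp group to-as2 neighbor 2.2.2.2 forwarding-context TO-AS2
set protocols bgp group to-as3 type external
set protocols bgp group to-as3 family inet-vpn unicast
set protocols bgp group to-as3 neighbor 3.3.3.3 forwarding-context TO-AS3
set protocols bgp group to-as3 neighbor 3.3.3.4 peer-as 64503
"""

def audit(config):
    """Return sorted (neighbor, problem) findings for external VPN BGP peers."""
    itype, with_iface, traits, nbrs, ctx = {}, set(), {}, {}, {}
    for w in (line.split() for line in config.splitlines()):
        if w[:2] == ["set", "routing-instances"] and len(w) == 5:
            if w[3] == "instance-type":
                itype[w[2]] = w[4]
            elif w[3] == "interface":
                with_iface.add(w[2])
        elif w[:4] == ["set", "protocols", "bgp", "group"] and len(w) >= 7:
            group = w[4]
            if w[5:7] == ["type", "external"]:
                traits.setdefault(group, set()).add("external")
            elif w[5] == "family" and w[6] in ("inet-vpn", "inet6-vpn"):
                traits.setdefault(group, set()).add("vpn")
            elif w[5] == "neighbor":
                nbrs[w[6]] = group
                if w[7:8] == ["forwarding-context"] and len(w) == 9:
                    ctx[w[6]] = w[8]
    findings = []
    for nbr, group in nbrs.items():
        if traits.get(group) != {"external", "vpn"}:
            continue  # only Option B style sessions are in scope
        name = ctx.get(nbr)
        if name is None:
            findings.append((nbr, "no forwarding-context"))
        elif itype.get(name) != "mpls-forwarding":
            findings.append((nbr, f"{name} is not an mpls-forwarding instance"))
        elif name not in with_iface:
            findings.append((nbr, f"{name} has no interface"))
    return sorted(findings)

if __name__ == "__main__":
    for nbr, problem in audit(SAMPLE):
        print(f"{nbr}: {problem}")
```

A neighbor reported with no `forwarding-context` is one whose labelled traffic is still resolved outside a per-peer MPLS forwarding table.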



  • 4.  RE: Routing-instance instance-type 'mpls-forwarding'

    Posted 11-09-2022 09:12
    Thanks Anon - that's helpful.