This message was posted by a user wishing to remain anonymous
Hi,
It might not be the only use case but as per my notes the only use case for that instance-type is mpls spoofing.
https://www.juniper.net/documentation/us/en/software/junos/multicast/topics/concept/anti-spoofing-support-for-mpls-labels.html
Inter-AS Option B uses BGP to signal VPN labels between ASBRs.
The Junos OS anti-spoofing support for Option B implementations works by creating distinct MPLS forwarding table contexts. A separate mpls.0 table is created for each set of VPN ASBR peers. As such, each MPLS forwarding table contains only the relevant labels advertised to the group of inter-AS Option B peers. Packets received with a different MPLS label are dropped. Option B peers are reachable through local interfaces that have been configured as part of the MFI (a new type of routing instance created for inter-AS BGP neighbors that require MPLS spoof-protection), so MPLS packets arriving from the Option B peers are resolved in the instance-specific MPLS forwarding table.
Assuming the required option-B inter-AS configuration is already in place, the minimum configuration for the MPLS anti-spoofing solution is displayed below:

set routing-instances <to-as2_name> instance-type mpls-forwarding
set routing-instances <to-as2_name> interface <interface-to_as2>

set routing-instances <to-as3_name> instance-type mpls-forwarding
set routing-instances <to-as3_name> interface <interface-to_as3>

set protocols bgp group <to-as2_groups> neighbor 2.2.2.2 forwarding-context <to-as2_name>
set protocols bgp group <to-as3_groups> neighbor 3.3.3.3 forwarding-context <to-as3_name>

"IGPs and MPLS signaling protocols are not allowed to be configured inside a 'mpls-forwarding' type routing-instance"
Filter-based forwarding for MPLS traffic is not a mainstream solution. Juniper routers most often use the definition of forwarding-options policies in order to statically map a given customer flow to a given static LSP.
The example listed below defines two different LSPs, defined via RSVP and SPRING, to the host named 'R4' and uses a policy to assign traffic to a given LSP via a forwarding policy.
https://www.juniper.net/documentation/us/en/software/junos/mpls/topics/topic-map/rsvp-configuration.html#id-example-rsvp-lsp-tunnel-configuration
protocols {
    rsvp {
        interface all;
        interface fxp0.0 {
            disable;
        }
    }
    mpls {
        admin-groups {
            fa 1;
            backup 2;
            other 3;
        }
        label-switched-path fa_lsp_r1r4 {
            to 10.255.41.217;
            bandwidth 400k;
            primary path_r1r4;
        }
        path path_r1r4 {
            10.2.4.2;
            10.4.5.2;
            10.3.5.1;
        }
    }
<snip>
    ospf {
        traffic-engineering;
        area 0.0.0.0 {
            interface fxp0.0 {
                disable;
            }
            interface all;
            peer-interface r4; # Apply the LMP peer interface here.
        }
    }
    link-management { # Configure LMP statements here.
        te-link link_r1r4 { # Assign a name to the TE link here. <-- R4
<snip>
policy-options {
    policy-statement choose_lsp { # <--
        term A {
            from community choose_e2e_lsp;
            then {
                install-nexthop strict lsp e2e_lsp_r1r4; # <-- RSVP LSP
                accept;
            }
        }
        term B {
            from community choose_fa_lsp;
            then {
                install-nexthop strict lsp fa_lsp_r1r4; # <-- SPRING LSP
                accept;
            }
        }
    }
    policy-statement pplb {
        then {
            load-balance per-packet;
        }
    }
    community choose_e2e_lsp members 1000:1000;
    community choose_fa_lsp members 2000:2000;
    community set_e2e_lsp members 1000:1000;
    community set_fa_lsp members 2000:2000;
}
<snip>
routing-options {
    forwarding-table {
        export [ pplb choose_lsp ]; # <-- Apply the policy here
    }
}
Hope it helps.
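
An added example, not part of the original post or of Juniper's documentation: a small Python audit that checks Junos `set` lines against the anti-spoofing layout described in the reply above (every forwarding-context points to an mpls-forwarding instance that has an interface and carries no IGP or MPLS signaling protocol). The sample configuration, its instance, group and interface names, and the list of protocol stanzas treated as disallowed are assumptions made for illustration.

```python
# Added example: audit Junos "set" lines for the MPLS anti-spoofing layout.
# SAMPLE is constructed; instance, group and interface names are placeholders.
SAMPLE = """\
set routing-instances to-as2 instance-type mpls-forwarding
set routing-instances to-as2 interface ge-0/0/1.0
set routing-instances to-as3 instance-type mpls-forwarding
set routing-instances to-as3 protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set protocols bgp group to-as2 neighbor 2.2.2.2 forwarding-context to-as2
set protocols bgp group to-as3 neighbor 3.3.3.3 forwarding-context to-as3
set protocols bgp group to-as4 neighbor 4.4.4.4 forwarding-context to-as4
"""

# Assumption: the IGP / MPLS signaling stanzas to flag inside the instance.
DISALLOWED = {"ospf", "ospf3", "isis", "rip", "ldp", "rsvp"}


def audit(config):
    """Return sorted findings about mpls-forwarding instances and BGP contexts."""
    itype, ifaces, protos, ctx = {}, {}, {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["set", "routing-instances"] and len(tok) >= 5:
            name, key, val = tok[2], tok[3], tok[4]
            if key == "instance-type":
                itype[name] = val
            elif key == "interface":
                ifaces.setdefault(name, set()).add(val)
            elif key == "protocols":
                protos.setdefault(name, set()).add(val)
        elif (tok[:4] == ["set", "protocols", "bgp", "group"] and len(tok) == 9
              and tok[5] == "neighbor" and tok[7] == "forwarding-context"):
            ctx[tok[6]] = tok[8]  # neighbor address -> instance name

    findings = []
    for nbr, inst in ctx.items():
        if itype.get(inst) != "mpls-forwarding":
            findings.append(f"{nbr}: forwarding-context {inst} is not an mpls-forwarding instance")
    for inst, kind in itype.items():
        if kind != "mpls-forwarding":
            continue
        if not ifaces.get(inst):
            findings.append(f"{inst}: no interface assigned")
        for proto in sorted(protos.get(inst, set()) & DISALLOWED):
            findings.append(f"{inst}: {proto} configured inside mpls-forwarding instance")
        if inst not in ctx.values():
            findings.append(f"{inst}: no BGP neighbor uses it as forwarding-context")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
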
Original Message:
Sent: 11-08-2022 13:39
From: Unknown User
Subject: Routing-instance instance-type 'mpls-forwarding'
BUMP!
Anyone??? :-)
Original Message:
Sent: 11-02-2022 12:48
From: Unknown User
Subject: Routing-instance instance-type 'mpls-forwarding'
Hi All,
Has anyone ever used an 'mpls-forwarding' routing-instance in their network?
Reading this document: instance-type I noticed the description for 'mpls-forwarding' stated:
"(MX Series routers only) Allow filtering and translation of route distinguisher (RD) values in IPv4 and IPv6 VPN address families on both routes received and routes sent for selected BGP sessions. In particular, for Inter-AS VPN Option-B networks, this option can prevent the malicious injection of VPN labels from one peer AS boundary router to another."
I assume that as this instance-type is 'forwarding' then it has no interfaces associated with it, and requires firewall filters (FBF) to be configured on interfaces (family mpls interfaces?) which then direct labelled traffic to the 'mpls-forwarding' instance? (I also assume rib-groups are used in some capacity? Possibly an 'interface-routes' rib-group as well?)
Does anyone here have any example configs they can share which would be used with an 'mpls-forwarding' routing-instance? Especially with respect to the config of the firewall filters (family mpls? ... Or family inet?), config of the forwarding-instance itself, and any requisite rib-group config?
I'd also like to know how the mpls-forwarding instance allows for "filtering and translation of route distinguisher (RD) values in IPv4 and IPv6 VPN address families on both routes received and routes sent for selected BGP sessions" (which begs another question: are BGP sessions configured in the mpls-forwarding instance?)
Grateful for any info and help on this matter as I can't find any examples of using this instance-type in any Juniper notes on the web!
TIA