Configuring Virtual Loopback Tunnels for VRF Table Lookup
To enable egress filtering, you can either configure filtering based on the IP header, or you can configure a virtual loopback tunnel on routers equipped with a Tunnel PIC. Table 1 describes each method.
Table 1: Methods for Configuring Egress Filtering
Method | Interface Type | Configuration Guidelines | Comments |
|---|---|---|---|
Filter traffic based on the IP header | Nonchannelized Point-to-Point Protocol / High Level Data Link Control (PPP/HDLC) core-facing SONET/SDH interfaces | Include the vrf-table-label statement at the [edit routing-instances instance-name] hierarchy level. For more information, see the Junos OS VPNs Configuration Guide. | There is no restriction on customer-edge (CE) router-to-provider edge (PE) router interfaces. |
Configure a virtual loopback tunnel on routers equipped with a Tunnel PIC | All interfaces | See the guidelines in this section. | Router must be equipped with a Tunnel PIC. There is no restriction on the type of core-facing interface used or CE router-to-PE router interface used. You cannot configure a virtual loopback tunnel and the vrf-table-label statement at the same time. |
You can configure a virtual loopback tunnel to facilitate VRF table lookup based on MPLS labels. You might want to enable this functionality so you can do either of the following:
- Forward traffic on a PE router to CE device interface,
in a shared medium, where the CE device is a Layer 2 switch
without IP capabilities (for example, a metro Ethernet switch).
The first lookup is done based on the VPN label to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to forward packets to the correct end hosts on the shared medium.
- Perform egress filtering at the egress PE router.
The first lookup on the VPN label is done to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to filter and forward packets. You can enable this functionality by configuring output filters on the VRF interfaces.
To configure a virtual loopback tunnel to facilitate VRF table lookup based on MPLS labels, you specify a virtual loopback tunnel interface name and associate it with a routing instance that belongs to a particular routing table. The packet loops back through the virtual loopback tunnel for route lookup. To specify a virtual loopback tunnel interface name, you configure the virtual loopback tunnel interface at the [edit interfaces] hierarchy level and include the family inet and family mpls statements:
To associate the virtual loopback tunnel with a routing instance, include the virtual loopback tunnel interface name at the [edit routing-instances] hierarchy level:
 | Note: On virtual loopback tunnel interfaces, none of the logical interface statements except the family statement is supported. Note that you can configure only inet and mpls families, and you cannot configure IPv4 or IPv6 addresses on virtual loopback tunnel interfaces. Also, virtual loopback tunnel interfaces do not support class-of-service (CoS) configurations. |
