- play_arrow Overview
- play_arrow Managing Group Membership
- play_arrow Configuring IGMP and MLD
- play_arrow Configuring IGMP Snooping
- IGMP Snooping Overview
- Overview of Multicast Forwarding with IGMP Snooping or MLD Snooping in an EVPN-VXLAN Environment
- Configuring IGMP Snooping on Switches
- Example: Configuring IGMP Snooping on Switches
- Example: Configuring IGMP Snooping on EX Series Switches
- Verifying IGMP Snooping on EX Series Switches
- Changing the IGMP Snooping Group Timeout Value on Switches
- Monitoring IGMP Snooping
- Example: Configuring IGMP Snooping
- Example: Configuring IGMP Snooping on SRX Series Devices
- Configuring Point-to-Multipoint LSP with IGMP Snooping
- play_arrow Configuring MLD Snooping
- Understanding MLD Snooping
- Configuring MLD Snooping on an EX Series Switch VLAN (CLI Procedure)
- Configuring MLD Snooping on a Switch VLAN with ELS Support (CLI Procedure)
- Example: Configuring MLD Snooping on EX Series Switches
- Example: Configuring MLD Snooping on SRX Series Devices
- Configuring MLD Snooping Tracing Operations on EX Series Switches (CLI Procedure)
- Configuring MLD Snooping Tracing Operations on EX Series Switch VLANs (CLI Procedure)
- Example: Configuring MLD Snooping on EX Series Switches
- Example: Configuring MLD Snooping on Switches with ELS Support
- Verifying MLD Snooping on EX Series Switches (CLI Procedure)
- Verifying MLD Snooping on Switches
- play_arrow Configuring Multicast VLAN Registration
-
- play_arrow Configuring Protocol Independent Multicast
- play_arrow Understanding PIM
- play_arrow Configuring PIM Basics
- Configuring Different PIM Modes
- Configuring Multiple Instances of PIM
- Changing the PIM Version
- Optimizing the Number of Multicast Flows on QFabric Systems
- Modifying the PIM Hello Interval
- Preserving Multicast Performance by Disabling Response to the ping Utility
- Configuring PIM Trace Options
- Configuring BFD for PIM
- Configuring BFD Authentication for PIM
- play_arrow Routing Content to Densely Clustered Receivers with PIM Dense Mode
- play_arrow Routing Content to Larger, Sparser Groups with PIM Sparse Mode
- Understanding PIM Sparse Mode
- Examples: Configuring PIM Sparse Mode
- Configuring Static RP
- Example: Configuring Anycast RP
- Configuring PIM Bootstrap Router
- Understanding PIM Auto-RP
- Configuring All PIM Anycast Non-RP Routers
- Configuring a PIM Anycast RP Router with MSDP
- Configuring Embedded RP
- Configuring PIM Filtering
- Examples: Configuring PIM RPT and SPT Cutover
- Disabling PIM
- play_arrow Configuring Designated Routers
- play_arrow Receiving Content Directly from the Source with SSM
- Understanding PIM Source-Specific Mode
- Example: Configuring Source-Specific Multicast
- Example: Configuring PIM SSM on a Network
- Example: Configuring an SSM-Only Domain
- Example: Configuring SSM Mapping
- Example: Configuring Source-Specific Multicast Groups with Any-Source Override
- Example: Configuring SSM Maps for Different Groups to Different Sources
- play_arrow Minimizing Routing State Information with Bidirectional PIM
- play_arrow Rapidly Detecting Communication Failures with PIM and the BFD Protocol
- play_arrow Configuring PIM Options
- play_arrow Verifying PIM Configurations
-
- play_arrow Configuring Multicast Routing Protocols
- play_arrow Connecting Routing Domains Using MSDP
- play_arrow Handling Session Announcements with SAP and SDP
- play_arrow Facilitating Multicast Delivery Across Unicast-Only Networks with AMT
- play_arrow Routing Content to Densely Clustered Receivers with DVMRP
-
- play_arrow General Multicast Options
- play_arrow Bit Index Explicit Replication (BIER)
- play_arrow Prevent Routing Loops with Reverse Path Forwarding
- play_arrow Use Multicast-Only Fast Reroute (MoFRR) to Minimize Packet Loss During Link Failures
- play_arrow Enable Multicast Between Layer 2 and Layer 3 Devices Using Snooping
- play_arrow Configure Multicast Routing Options
- play_arrow Controller-Based BGP Multicast Signaling
-
- play_arrow Troubleshooting
- play_arrow Knowledge Base
-
- play_arrow Configuration Statements and Operational Commands
Anti-spoofing support for MPLS labels in BGP/MPLS IP VPNs (Inter-AS Option B)
Service providers have traditionally adopted Option A VPN deployment scenarios instead of Option B because Option B is unable to ensure that the provider network is protected in the event of incorrect route distinguisher (RD) advertisements or spoofed MPLS labels.
Inter-AS Option B, however, can provide VPN services that are built using BGP based L3VPN. It is more scalable than the Option A alternative because Inter-autonomous system (AS) VPN routes are stored only in the BGP RIBs, as opposed to Option A which results in AS boundary routers (ASBRs) creating multiple VRF tables, each of which includes all IP routes.
Inter-AS Option B is also known as RFC 4364, BGP/MPLS IP Virtual Private Networks.
Junos OS Release 16.1 and later address the security shortcomings attributed to Option B. New features provide policy-based RD filtering (protection against MPLS label spoofing) to ensure that only RDs generated within the service provider domain are accepted. At the same time, the filtering can be used to filter loopback VPN-IPv4 addresses generated by PIM Rosen implementations from Cisco PEs, which can cause routing issues and traffic loss if imported into customer Virtual Routing and Forwarding (VRF) tables. These features are supported on M, MX, and T Series routers when using MPC1, MPC2, and MPC3D MPCs.
Inter-AS Option B uses BGP to signal VPN labels between ASBRs. The base MPLS tunnels are local to each AS, and stacked tunnels run from end-to-end between PE routers on the different AS VPN routes. The Junos OS anti-spoofing support for Option B implementations works by creating distinct MPLS forwarding table contexts. A separate mpls.0 table is created for each set of VPN ASBR peers. As such, each MPLS forwarding table contains only the relevant labels advertised to the group of inter AS-Option B peers. Packets received with a different MPLS label are dropped. Option B peers are reachable through local interfaces that have been configured as part of the MFI (a new type of routing instance created for inter-AS BGP neighbors that require MPLS spoof-protection), so MPLS packets arriving from the Option B peers are resolved in the instance-specific MPLS forwarding table.
To enable anti-spoofing support for MPLS labels, configure separate instances of the
new routing instance type, mpls-forwarding, on all MPLS-enabled Inter-AS links
(which must be running a supported MPC). Then configure each Option B peer to use this routing
instance as its forwarding-context under BGP. This forms the transport session
with the peers and performs forwarding functions for traffic from peers. Spoof checking occurs
between any peers with different mpls-forwarding MFIs. For peers with the same forwarding-context, spoof-checking is not necessary because peers share the same MFI.mpls.0
table.
Note that anti-spoofing support for MPLS labels is also supported on mixed networks,
that is, those that include Juniper network devices that are not running a supported MPC,
as long as the MPLS-enabled Inter-AS link is on a supported MPC. Any existing label-switched
interface (LSI) features in the network, such as vrf-table-label, will continue
to work as usual.
Inter-AS Option B supports graceful RE switchover (GRES), nonstop active routing (NSR), and in service software upgrades (unified ISSU).
