VRF Table Label

This command is primarily used to overcome a security feature within Junos that prevents a multiaccess/broadcast attachment circuit from being advertised into MP-BGP. Under normal operation a PE router will only announce a multipoint interface when it receives a dynamic route that uses the link as a next-hop, or a locally configured static route that uses the multiaccess interface as its next hop.

In cases where there is no static or dynamic routing the vrf-table-label command can be added to the VRF configuration. This overrides the default security feature and forces the interface to be exported into MP-BGP without the need for a dependent route.

When the command is applied to a VRF it also adds a second behaviour that changes the way VPN labels are allocated in the core network; normally each prefix is given a different VPN label, however when vrf-table-label is applied a single VRF label is added to all exported prefixes, which has the benefit of optimising the amount of labels used in the provider network.

When adding vrf-table-label into the VRF configuration a software based LSI interface is created. This interface can be used to provide an additional lookup process when a VPNv4 packet enters the PE. This can be useful in scenarios where ingress firewall filters, CoS or additional policy is present, to allow the LSI interface to handle the first lookup before a second ARP lookup is carried out through the PFE.

On older Juniper routers the software lookup was used when a tunnel-services PIC was not present; the tunnel-service PIC provides a hardware based logical vt-interface for additional secondary look up capabilities. On newer MX routers tunnel services is built into the line card.

The example below shows a VRF with the command configured and the output showing the LSI interface

routing-instances {
green-vpn-a {
instance-type vrf;
interface ae0.20;
vrf-target target:45501:200;
lab123@r1> show interfaces terse lsi
Interface Admin Link Proto Local Remote
lsi up up
lsi.0 up up inet