On 4/3/24 08:07, Saku Ytti via juniper-nsp wrote:
If I understand you correctly, the problem is not that you can't copy direct into CleanVRF, the problem is that ScrubberPE that does clean lookup in in CleanVRF, has label stack of [EgressPE TableLabel], instead of [EgressPE EgressCE], this causes the EgressPE to do IP lookup, which will then see the Direct/32 advertised by the scrubber, causing loop. While what you want is end-to-end MPLS lookup, so that egressPE MPLS lookup has egressMAC. I believe in BGP-LU you could fix this, without actually paying for duplicate RIB/FIB and without opportunistically copying routes to CleanVRF, every prefix would be scrubbable by default. You'd have per-ce for rest, but per-prefix for connected routes, I believe then you would have [EgressPE EgressMAC_CE] label for connected routes, so each host route would have their own label, allowing mac rewrite without additional local IP lookup. I'm not sure if this is the only way, I'm not sure if there would be a way in CleanVRF to force each direct/32 to have a label as well, avoiding the egress IP lookup loops. One doesn't immediately spring to mind, but technically implementation could certainly allow such mode.
At old job, we managed to do this with a virtual-router VRF that carried traffic between the scrubbing PE and the egress PE via MPLS, to avoid the IP loop.
It was quite an involved configuration, but it actually worked. It sort of mimicked the ability of the scrubbing device being able to participate in your IGP (which is something I wanted but the scrubbing vendor was not keen to support).
Mark. _______________________________________________ juniper-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/juniper-nsp
