[j-nsp] MX loopbacks, routing instances and broadcast/unicast to RE

Fri Jun 17 12:05:09 EDT 2011

This is a side issue related to my last "MX loopback filter and monitor 
traffic" thread:

I am trying to understand how traffic on different routing instances 
(virtual routers, VRFs) get picked up on different loopback interfaces on 
the MX.   I am trying to design appropriate RE-protect filters, but it 
isn't intuitive to me as to how this works on this platform.

For example, let's say I have the global routing instance, plus two VRFs 
(A and B, each one is a separate routing instance):

[edit interfaces lo0]
root at MX-Rtr# show
unit 0 {
     description "This interface belongs to the Global routing instance";
     family inet {
         filter {
             input re-protect-global;
         }
         address 192.168.0.1/32;
     }
}
unit 1 {
     description "This interface belongs to  VRF A routing instance";
     family inet {
         filter {
            input re-protect-vrfa;
         }
         address 192.168.100.1/32;
     }
}
unit 2 {
     description "This interface belongs to  VRF B routing instance";
     family inet {
         filter {
            input re-protect-vrfb;
         }
         address 192.168.200.1/32;
     }
}

Here is what I am seeing:  for unicast traffic destined to the RE, traffic 
hits the loopback interface according to the appropriate routing instance; 
e.g. traffic coming into the MX on the global routing instance destined to 
the RE is seen by the filter "re-protect-global",  traffic coming in on 
VRF A is seen by the "re-protect-vrfa" filter, and traffic coming in on 
VRF B is seen by the "re-protect-vrfb" filter.

The same logic applies to multicast traffic.  For example, if you run OSPF 
in different routing instances, the appropriate filters per routing 
instance will see the appropriate OSPF multicast traffic.

Makes sense.

However, broadcast traffic is handled differently.   First, I have 
recently learned that Junos takes the OPPOSITE default position than Cisco 
IOS does on their 6500/7600 platforms.   By default, Cisco does not pass 
on directed broadcast to the Supervisor.  Junos, on the other hand, sends 
all direct broadcast to the RE by default.

Secondly, this broadcast traffic is ALWAYS seen on the "re-protect-global" 
filter -- no matter what routing instance the traffic entered the router 
on.  So, directed broadcast on VRF A does NOT get seen by re-protect-vrfa. 
Directed broadcast on VRF B does NOT bet seen by re-protect-vrfb. Instead, 
you will always see that traffic on the "re-protect-global" filter.

This appears to be true whether or not you are looking at directed 
broadcast on a "sub interface" or on IRBs.

So, I have two questions:  (1) why does Junos send directed broadcast to 
the RE by default, and (2) why does directed broadcast traffic show up on 
lo0.0 irrespective of the "arriving" routing instance?

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187