Feature Configuration

To use this feature, network IP interfaces that can have the feature enabled must first be identified. Participating interfaces are identified as having the untrusted state. The router supports a maximum of 15 network interfaces that can participate in this feature.

The following command is used to enable or disable this feature.

config>router>interface>untrusted [default-forwarding {forward | drop}]

Normally, the user applies the untrusted command to an inter-AS interface and PIP keeps track of the untrusted status of each interface. In the data path, an inter-AS interface that is flagged by PIP will cause the default forwarding to be set to the value of the default-forwarding keyword (forward or drop).

For backward compatibility, default-forwarding on the interface is set to the forward value. This means that labeled packets are checked in the normal way against the table of programmed ILMs to decide whether they should be dropped or forwarded in a GRT, a VRF, or a Layer 2 service context.

If the user sets the default-forwarding argument to the drop value, all labeled packets received on that interface are dropped. For details, see Data Path Forwarding Behavior.

This feature sets the default behavior for an untrusted interface in the data path, and that default applies to all ILMs. To allow the data path to deviate from this default for VPRN ILMs, BGP must flag those ILMs to the data path.

The user enables exceptional ILM forwarding behavior, on a per-VPN-family basis, by using the following command:

configure>router>bgp>neighbor-trust [vpn-ipv4] [vpn-ipv6]

At a high level, BGP tracks each directly connected EBGP neighbor that is reached over an untrusted interface and to which it sent a VPRN prefix label. For each of those VPRN prefixes, BGP programs a bit map in the ILM that indicates, on a per-untrusted-interface basis, whether the matching packets must be forwarded or dropped. For details, see CPM Behavior.
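The following model of the untrusted-interface decision is an added illustration, not SR OS code, covering both steps above: the per-interface untrusted state with its default-forwarding value, and the per-untrusted-interface bit map that BGP programs into VPRN ILMs. The interface names, label values and the rule that a programmed bit overrides the interface default are assumptions made for the example.

```python
"""Simplified model of labeled-packet handling on trusted and untrusted
interfaces. Added example; the override rule (BGP-programmed bit wins over
the interface default) is an assumption drawn from the text above."""
from dataclasses import dataclass, field
from typing import Dict

MAX_UNTRUSTED = 15  # router limit stated in the text


@dataclass
class Interface:
    name: str
    untrusted: bool = False
    default_forwarding: str = "forward"  # "forward" (default) or "drop"


@dataclass
class Ilm:
    label: int
    context: str  # "GRT", "VRF", "L2" or "VPRN"
    # Bit map programmed by BGP (VPRN ILMs only): untrusted interface
    # name -> True (forward) / False (drop). Absent means no exception.
    trust_map: Dict[str, bool] = field(default_factory=dict)


def configure_untrusted(interfaces: Dict[str, Interface], name: str,
                        default_forwarding: str = "forward") -> None:
    """Models config>router>interface>untrusted [default-forwarding ...]."""
    if default_forwarding not in ("forward", "drop"):
        raise ValueError("default-forwarding must be forward or drop")
    others = sum(1 for i in interfaces.values()
                 if i.untrusted and i.name != name)
    if others >= MAX_UNTRUSTED:
        raise RuntimeError("maximum of 15 untrusted interfaces reached")
    interfaces[name] = Interface(name, True, default_forwarding)


def decide(intf: Interface, ilms: Dict[int, Ilm], label: int) -> str:
    """Return 'forward' or 'drop' for a labeled packet received on intf."""
    ilm = ilms.get(label)
    if not intf.untrusted:
        return "forward" if ilm else "drop"  # normal ILM lookup only
    # Untrusted interface: a BGP-programmed bit for this interface on a
    # VPRN ILM overrides the interface default (assumption).
    if ilm and ilm.context == "VPRN" and intf.name in ilm.trust_map:
        return "forward" if ilm.trust_map[intf.name] else "drop"
    if intf.default_forwarding == "drop":
        return "drop"  # all labeled packets dropped on this interface
    return "forward" if ilm else "drop"  # normal ILM check
```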