Protection against label spoofing or errant label injection across ASBRs

You can use regular BGP implicit and explicit export policies to restrict VPN ASBR peer route advertisement to a given routing instance. This is especially useful in the context of Inter-AS VPN Option-B ASBRs because it prevents a peer ASBR in a neighboring AS from spoofing or unintentionally injecting a VPN label intended for a different peer AS or intra-AS into the protected AS. In other words, service providers can configure a common ASBR so it does not accept MPLS packets from a peer ASBR unless the label has been explicitly advertised to the common ASBR. Two new commands are introduced to provide this protection: mpls-forwarding at the [edit routing-instances name instance-type mpls-forwarding] hierarchy level and forwarding-context at the [edit protocols bgp group group-name neighbor address], hierarchy level.