My solution follows below
/* Interface layout: ge-0/0/0 carries the MPLS/LDP/OSPF adjacency, fe-0/0/2 is the
   flow-mode LAN side, and the lt-0/0/0 unit pair joins the two routing instances. */
interfaces {
/* Core-facing link; ge-0/0/0.0 is placed in security zone "untrust". */
ge-0/0/0 {
unit 0 {
family inet {
mtu 1500;
address 192.168.100.1/30;
}
family mpls {
filter {
/* Applies firewall filter "mpls" (family mpls), whose only term sets packet-mode.
   Labelled traffic arriving here is therefore forwarded statelessly, and
   security policies and other flow services are not applied to it. */
input mpls;
}
}
}
}
/* Logical tunnel: unit 1 and unit 2 are each other's peer-unit. */
lt-0/0/0 {
/* Packet-mode end: member of VRF "TEST" and of zone "untrust-pctks". */
unit 1 {
description "Tunnel Interface bound to Packet VRF";
encapsulation frame-relay;
dlci 30;
peer-unit 2;
family inet {
filter {
/* Filter "packet-mode" (family inet) has no match condition, so every IPv4 packet
   received on this unit is switched to packet-based forwarding. */
input packet-mode;
}
}
}
/* Flow-mode end: member of virtual-router "TEST-VR" and of zone "untrust-flow".
   No packet-mode filter is attached here, so traffic arriving on this unit is
   subject to the security policies. */
unit 2 {
encapsulation frame-relay;
dlci 30;
peer-unit 1;
family inet;
}
}
/* LAN-side interface; member of "TEST-VR" and of zone "trust-flow". */
fe-0/0/2 {
unit 0 {
family inet {
address 10.15.14.1/24;
}
}
}
lo0 {
/* Global loopback: used as the BGP local-address and the LDP transport-address.
   NOTE(review): 1.1.1.0/24 is publicly routed address space; presumably a lab
   value, so replace it with your own loopback range before reuse. */
unit 0 {
family inet {
address 1.1.1.2/32;
}
}
/* Loopback inside VRF "TEST" (also listed in zone "untrust-pctks"). */
unit 1 {
family inet {
address 10.15.16.1/32;
}
}
}
}
/* Control plane towards the MPLS core: OSPF as IGP, LDP for labels, iBGP for
   labeled-unicast and L3VPN routes. All of it runs on ge-0/0/0.0 and lo0.0. */
protocols {
mpls {
interface ge-0/0/0.0;
interface lo0.0;
}
bgp {
local-address 1.1.1.2;
/* NOTE(review): no authentication-key is configured for this group or neighbor
   in the visible config. Add session authentication if the core is not fully trusted. */
group ELTEL {
type internal;
family inet {
labeled-unicast;
}
family inet-vpn {
unicast;
}
/* Policy "iBGP-export" is not shown on the page (policies were omitted by the author). */
export iBGP-export;
neighbor 1.1.1.1 {
description RemotePE;
}
}
}
ospf {
/* NOTE(review): in Junos suffix notation 40k reads as 40 kbit/s; confirm the intended value. */
reference-bandwidth 40k;
/* NOTE(review): no OSPF authentication is configured on ge-0/0/0.0 in the visible config. */
area 0.0.0.1 {
stub;
interface ge-0/0/0.0;
/* The loopback is advertised but forms no adjacencies. */
interface lo0.0 {
passive;
}
}
}
/* NOTE(review): no LDP session authentication appears in the visible config.
   The policies LDP_exchange and LDP_originate are not shown on the page. */
ldp {
import LDP_exchange;
export LDP_exchange;
egress-policy LDP_originate;
transport-address 1.1.1.2;
interface ge-0/0/0.0;
interface lo0.0;
}
}
[ The policy definitions are obvious and are omitted here. ]
/* Flow-mode security configuration. Only traffic that is NOT diverted to packet mode
   by the firewall filters on ge-0/0/0.0 (family mpls) and lt-0/0/0.1 (family inet)
   is evaluated against these zones and policies. */
security {
zones {
/* Core-facing zone: holds ge-0/0/0.0 and the global loopback lo0.0. */
security-zone untrust {
address-book {
address MPLS-LO 1.1.1.2/32;
}
host-inbound-traffic {
system-services {
/* NOTE(review): telnet sends credentials in cleartext and is opened here on the
   core-facing zone. Prefer ssh for management and limit the permitted sources;
   ssh would also have to be enabled under system services, which is not shown. */
telnet;
}
/* Routing protocols the device itself accepts on this zone's interfaces. */
protocols {
ospf;
ldp;
bgp;
}
}
interfaces {
ge-0/0/0.0;
lo0.0;
}
}
/* LAN-side zone for the flow-mode virtual router. */
security-zone trust-flow {
host-inbound-traffic {
system-services {
/* NOTE(review): cleartext management is also reachable from the LAN side;
   the same ssh recommendation applies. */
telnet;
ping;
}
}
interfaces {
fe-0/0/2.0;
}
}
/* Flow-mode end of the logical tunnel; no host-inbound-traffic is allowed here. */
security-zone untrust-flow {
interfaces {
lt-0/0/0.2;
}
}
/* Zone for the packet-mode VRF interfaces. No policy in this file references it;
   presumably the interfaces only need a zone binding. Confirm. */
security-zone untrust-pctks {
interfaces {
lt-0/0/0.1;
lo0.1;
}
}
}
policies {
/* ge-0/0/0.0 and lo0.0 are both in "untrust", so sessions addressed to the
   loopback are matched as intra-zone traffic. */
from-zone untrust to-zone untrust {
/* NOTE(review): the source is "any"; it could be narrowed to the known LDP peers. */
policy LDP {
match {
source-address any;
destination-address MPLS-LO;
application [ junos-ldp-tcp junos-ldp-udp ];
}
then {
permit;
}
}
/* NOTE(review): any IPv4 source may open BGP to the loopback. The only configured
   neighbor is 1.1.1.1, so the source could be restricted to that address. */
policy BGP {
match {
source-address any-ipv4;
destination-address MPLS-LO;
application junos-bgp;
}
then {
permit;
}
}
}
/* Only LAN-initiated sessions are permitted. There is no untrust-flow to trust-flow
   policy, so new sessions from the VPN side fall through to default-policy deny-all.
   NOTE(review): the policy permits everything and does not log; consider adding
   session logging so that permitted flows leave an audit trail. */
from-zone trust-flow to-zone untrust-flow {
policy permit-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Anything not explicitly permitted above is dropped. */
default-policy {
deny-all;
}
}
flow {
/* Rewrites the TCP MSS to 1400 for TCP sessions handled by the flow engine;
   presumably to leave headroom for MPLS label overhead on the 1500-byte core link. Confirm. */
tcp-mss {
all-tcp {
mss 1400;
}
}
}
}
/* Stateless filters that select packet-based forwarding. Neither term has a "from"
   clause, so each filter matches every packet on the interface it is applied to.
   Matched traffic is not evaluated against the security policies, so keep the set of
   interfaces carrying these filters as small as the design allows. */
firewall {
family inet {
/* Applied as the input filter on lt-0/0/0.1 (the VRF end of the logical tunnel). */
filter packet-mode {
/* Keeps a separate counter instance per interface the filter is bound to. */
interface-specific;
term main {
then {
/* The counter gives visibility into how much traffic bypasses flow processing. */
count pctks;
packet-mode;
accept;
}
}
}
}
family mpls {
/* Applied as the input filter on ge-0/0/0.0 family mpls. */
filter mpls {
term main {
then {
/* Counts labelled packets that are handed to packet-based forwarding. */
count mpls;
packet-mode;
accept;
}
}
}
}
}
/* Two instances joined by the lt-0/0/0 unit pair: "TEST" is the packet-mode L3VPN VRF,
   "TEST-VR" is the flow-mode virtual router in front of the LAN. */
routing-instances {
/* L3VPN VRF. Its lt-0/0/0.1 interface carries the packet-mode input filter. */
TEST {
instance-type vrf;
interface lt-0/0/0.1;
interface lo0.1;
route-distinguisher 65535:111;
/* The vrf_TEST_in and vrf_TEST_out policies are not shown on the page. They decide
   which VPN routes are imported and exported, so review their route-target matching. */
vrf-import vrf_TEST_in;
vrf-export vrf_TEST_out;
routing-options {
static {
/* Reaches the LAN prefix configured on fe-0/0/2 by sending traffic across the logical tunnel. */
route 10.15.14.0/24 next-hop lt-0/0/0.1;
}
}
}
/* Flow-mode side: LAN interface plus the other tunnel end. Traffic between
   fe-0/0/2.0 (zone trust-flow) and lt-0/0/0.2 (zone untrust-flow) is policy-checked. */
TEST-VR {
instance-type virtual-router;
interface lt-0/0/0.2;
interface fe-0/0/2.0;
routing-options {
static {
/* Default route: everything leaving the LAN is sent through the tunnel into the VRF. */
route 0.0.0.0/0 next-hop lt-0/0/0.2;
}
}
}
}
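The solution is to apply appropriate filters to the ge-0/0/0 and lt-0/0/0 interfaces. It works well with Junos 10.3. I found the hint about the filters in a Juniper presentation describing how flow mode works on branch SRX series devices. Note that traffic matched by these packet-mode filters is forwarded statelessly and is not evaluated against the security policies; only the traffic between fe-0/0/2.0 and lt-0/0/0.2 is handled in flow mode.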
#SRX#MPLS#flow#Mode#L3VPN