error: MAIN: vrf-import policy permits accept action only if matching conditions contain a target community

  • 1.  error: MAIN: vrf-import policy permits accept action only if matching conditions contain a target community

    Posted 11-01-2018 14:39

    SRX220H2 running 12.3X48-D75.4

     

    This is my first foray into configuring MPLS on any Juniper device.

     

    I'm trying to get the route target import and export working.  When I apply the import policy, I get the error in the subject line.

     

    Policies look like this:

     

    [edit policy-options]
    root@MIRf1c1# show
    policy-statement EXPORT-RT-POLICY {
        from {
            family route-target;
            rtf-prefix-list EXPORT-RT;
        }
        then accept;
    }
    policy-statement IMPORT-RT-POLICY {
        from {
            family route-target;
            rtf-prefix-list IMPORT-RT;
        }
        then accept;
    }
    rtf-prefix-list EXPORT-RT {
        65001:1200:12/96;
    }
    rtf-prefix-list IMPORT-RT {
        65001:1200:12/96;
        65001:1300:12/96;
        65001:500:12/96;
        65001:501:12/96;
        65001:600:12/96;
        65001:601:12/96;
    }

     

    My VRF MAIN routing instance looks like this:

     

    [edit routing-instances MAIN]
    root@MIRf1c1# show
    instance-type vrf;
    interface lo0.12;
    route-distinguisher 1200:12;
    vrf-import IMPORT-RT-POLICY;
    vrf-export EXPORT-RT-POLICY;
    vrf-target target:1200:12;
    protocols {
      pim {
        rp {
           static {
               address 192.168.200.252;
           }
        }
      }
    }

     

    When I try to set a target without using the 65001 AS, I get the following:

     

    [edit policy-options rtf-prefix-list IMPORT-RT]
    root@MIRf1c1# set target:1200:12/96
    error: prefix: 'target:1200:12/96': Use format 'as:x:y/len' where 'as' is an AS number and 'x' is an AS number followed by an optional 'L' (To indicate 4 byte AS), or an IP address and 'y' is a number. e.g. 123456L:100 and len is a prefix length from 32 to 96 or 0
    error: statement creation failed: target:1200:12/96

     

    And when I try to commit my config, I get:

     

    root@MIRf1c1# commit
    error: MAIN: vrf-import policy permits accept action only if matching conditions contain a target community
    error: configuration check-out failed

     

    I was looking at https://www.juniper.net/documentation/en_US/junos/topics/example/vpn-bgp-route-target-filtering.html as an example, but in the example, it references vpn3-import and vpn3-export, but gives no example definition of either of those.

     

    I know the export policy is formatted correctly, because I can remove the vrf-import statement and it commits.

     

    Ideas on how to get past this hurdle?

     

    Thanks,

    Matt

     



  • 2.  RE: error: MAIN: vrf-import policy permits accept action only if matching conditions contain a target community

    Posted 11-01-2018 22:19

    Hello,

    You've mixed up RT NLRI (RFC 4684 section 4 https://tools.ietf.org/html/rfc4684#section-4) and RT communities (RFC 4364 section 4.3.1 https://tools.ietf.org/html/rfc4364#section-4.3.1).

    In JUNOS, RT NLRI are auto-constructed from VRF import policies for announcement to other PEs (if You are using full mesh) or BGP RR.

    So the policies You configured are NOT good for filtering on import to|export from VRF. They are good for filtering OUT/IN the RT NLRIs, on import from|export to another BGP peer that supports RT filtering AFI/SAFI, or Route Reflector.

    If You want to allow routes with multiple RT communities into VRF and/or export the same route from VRF with multiple RT communities, use the following policy:

     

    set policy-options community RT1200 members target:1200:12
    set policy-options community RT1300 members target:1300:12
    set policy-options community RT500 members target:500:12
    set policy-options community RT501 members target:501:12
    set policy-options community RT600 members target:600:12
    set policy-options community RT601 members target:601:12 
    
    set policy-options policy-statement VRF-EXPORT term 1 from protocol <whatever>
    set policy-options policy-statement VRF-EXPORT term 1 then community add RT1200
    set policy-options policy-statement VRF-EXPORT term 1 then accept
    set policy-options policy-statement VRF-EXPORT term else then reject
    set policy-options policy-statement VRF-IMPORT term 1 from community RT1200
    set policy-options policy-statement VRF-IMPORT term 1 then accept
    set policy-options policy-statement VRF-IMPORT term 2 from community RT1300
    set policy-options policy-statement VRF-IMPORT term 2 then accept
    set policy-options policy-statement VRF-IMPORT term 3 from community RT500
    set policy-options policy-statement VRF-IMPORT term 3 then accept
    set policy-options policy-statement VRF-IMPORT term 4 from community RT501
    set policy-options policy-statement VRF-IMPORT term 4 then accept
    set policy-options policy-statement VRF-IMPORT term 5 from community RT600
    set policy-options policy-statement VRF-IMPORT term 5 then accept
    set policy-options policy-statement VRF-IMPORT term 6 from community RT601
    set policy-options policy-statement VRF-IMPORT term 6 then accept
    set policy-options policy-statement VRF-IMPORT term else then reject

     

     HTH

    Thx

    Alex
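The two errors in the thread come from two different validators: the commit check requires every accepting term of a vrf-import policy to match a community whose members are a `target:` value, and the rtf-prefix-list parser requires the `as:x:y/len` shape quoted in the error. The following Python script is an added example, not code from the thread or from Juniper; it re-implements both checks as a small offline linter for set-format configuration so you can see why Matt's policy fails and Alex's passes before touching a router. The set-format rendering of Matt's original IMPORT-RT-POLICY is my own conversion of his curly-brace output, and the parser only understands the statement shapes that appear in this thread.

```python
"""Constructed linter for the two Junos checks discussed in the thread.

Not Juniper code: it mirrors the documented behaviour of the commit check
('vrf-import policy permits accept action only if matching conditions contain
a target community') and of the rtf-prefix-list entry format 'as:x:y/len'.
Only 'set policy-options ...' lines of the kinds used in the thread are parsed.
"""
import re
from collections import defaultdict

COMMUNITY_RE = re.compile(r"^set policy-options community (\S+) members (\S+)$")
TERM_RE = re.compile(
    r"^set policy-options policy-statement (\S+) term (\S+) (from|then) (.+)$")
# Policy written without named terms, as in the original post.
FLAT_RE = re.compile(r"^set policy-options policy-statement (\S+) (from|then) (.+)$")
# 'as' = AS number; 'x' = AS number (optional 'L') or IPv4 address; 'y' = number.
RTF_PREFIX_RE = re.compile(r"^(\d+):(\d+L?|\d{1,3}(?:\.\d{1,3}){3}):(\d+)/(\d+)$")


def parse_policy_options(lines):
    """Return (communities, policies): community name -> members,
    policy name -> term name -> {'from': [...], 'then': [...]}."""
    communities = {}
    policies = defaultdict(lambda: defaultdict(lambda: {"from": [], "then": []}))
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            communities.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = TERM_RE.match(line)
        if m:
            policy, term, clause, body = m.groups()
            policies[policy][term][clause].append(body)
            continue
        m = FLAT_RE.match(line)
        if m:
            policy, clause, body = m.groups()
            policies[policy]["__unnamed__"][clause].append(body)
    return communities, policies


def term_matches_target_community(from_clauses, communities):
    """True if any 'from community X' refers to a community with a target: member."""
    for cond in from_clauses:
        if cond.startswith("community "):
            name = cond.split(None, 1)[1]
            if any(m.startswith("target:") for m in communities.get(name, [])):
                return True
    return False


def check_vrf_import(policy_name, lines):
    """Names of terms that 'accept' without matching a target community.
    An empty list means the policy would pass the commit check."""
    communities, policies = parse_policy_options(lines)
    return [term for term, clauses in policies[policy_name].items()
            if any(a.split()[0] == "accept" for a in clauses["then"])
            and not term_matches_target_community(clauses["from"], communities)]


def is_valid_rtf_prefix(entry):
    """Apply the 'as:x:y/len' rule from the CLI error (len 0 or 32..96)."""
    m = RTF_PREFIX_RE.match(entry)
    if not m:
        return False
    plen = int(m.group(4))
    return plen == 0 or 32 <= plen <= 96


# Constructed sample: Matt's IMPORT-RT-POLICY rewritten in set format.
ORIGINAL_POLICY = [
    "set policy-options policy-statement IMPORT-RT-POLICY from family route-target",
    "set policy-options policy-statement IMPORT-RT-POLICY from rtf-prefix-list IMPORT-RT",
    "set policy-options policy-statement IMPORT-RT-POLICY then accept",
]

# Constructed sample: the community-based VRF-IMPORT policy from the reply above.
ANSWER_POLICY = [
    "set policy-options community RT1200 members target:1200:12",
    "set policy-options community RT1300 members target:1300:12",
    "set policy-options policy-statement VRF-IMPORT term 1 from community RT1200",
    "set policy-options policy-statement VRF-IMPORT term 1 then accept",
    "set policy-options policy-statement VRF-IMPORT term 2 from community RT1300",
    "set policy-options policy-statement VRF-IMPORT term 2 then accept",
    "set policy-options policy-statement VRF-IMPORT term else then reject",
]

if __name__ == "__main__":
    print("original:", check_vrf_import("IMPORT-RT-POLICY", ORIGINAL_POLICY))
    print("answer:  ", check_vrf_import("VRF-IMPORT", ANSWER_POLICY))
    for e in ("65001:1200:12/96", "target:1200:12/96"):
        print(e, "->", is_valid_rtf_prefix(e))
```

Run it as-is and the original policy is reported as failing in its single (unnamed) term, because `from family route-target` and `from rtf-prefix-list` are matches on RT NLRI rather than on a target community, while every accepting term of the reply's policy matches a `target:` community and the `else` term only rejects. The prefix check likewise rejects `target:1200:12/96` and accepts `65001:1200:12/96`, which is the distinction between a route-target membership prefix and an extended-community value.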

     



  • 3.  RE: error: MAIN: vrf-import policy permits accept action only if matching conditions contain a target community

    Posted 11-13-2018 15:00

    Hi aarseniev,

     

    Just wanted to say thank you.  I read your response.  It makes sense.  I'm going to try what you describe below this week and see if I can get it to work.

     

    Thanks,

    Matt