VRF RIB group leaking into another VRF - Dual Stack

  • 1.  VRF RIB group leaking into another VRF - Dual Stack

    Posted 07-13-2018 08:50

    Here is the scenario.  

    We are trying to deploy dual stack IPv6 to our customers.  We have an INTERNET_PUBLIC vrf and an INTERNET_PRIVATE vrf.  We are trying to dual stack all customer-facing interfaces, which includes customers with private and public interfaces.

     

    I am primarily a Cisco guy, but we recently switched our core network to Juniper.  I am still learning the nuances of Juniper and I am not quite sure where to go with this situation.  We don't want to leak the IPv4 space between the Public and Private vrfs.  We just want the IPv6 tables sharing routes with each other.

     

    Our Private IPv4 customers are pushed through F5 CGN, but we do not have the licensing to route through the CGN box.  So we cannot point a default route for our IPv6 customers to F5 and just have it route the traffic.  

     

    What I have been doing is trying to use RIB groups to leak INTERNET_PUBLIC.inet6.0 into INTERNET_PRIVATE.inet6.0 and vice-versa, with partial success.  I can see the routes on the PE router between both of the VRFs; however, I am not learning BGP/default routes, only the direct routes.

     

    set routing-options rib-groups PUBv6_to_PRIVv6 import-rib INTERNET_PUBLIC.inet6.0
    set routing-options rib-groups PUBv6_to_PRIVv6 import-rib INTERNET_PRIVATE.inet6.0
    set routing-options rib-groups PUBv6_to_PRIVv6 import-policy P_PUBv6_to_PRIVv6
    set routing-options rib-groups PRIVv6_to_PUBv6 import-rib INTERNET_PRIVATE.inet6.0
    set routing-options rib-groups PRIVv6_to_PUBv6 import-rib INTERNET_PUBLIC.inet6.0
    set routing-options rib-groups PRIVv6_to_PUBv6 import-policy P_PRIVv6_to_PUBv6
    set policy-options policy-statement P_PRIVv6_to_PUBv6 term ACCEPT_PROTOCOLS from protocol static
    set policy-options policy-statement P_PRIVv6_to_PUBv6 term ACCEPT_PROTOCOLS from protocol direct
    set policy-options policy-statement P_PRIVv6_to_PUBv6 term ACCEPT_PROTOCOLS from protocol bgp
    set policy-options policy-statement P_PRIVv6_to_PUBv6 term ACCEPT_PROTOCOLS then accept
    set policy-options policy-statement P_PRIVv6_to_PUBv6 term REJECT then reject
    set policy-options policy-statement P_PUBv6_to_PRIVv6 term ACCEPT_PROTOCOLS from protocol static
    set policy-options policy-statement P_PUBv6_to_PRIVv6 term ACCEPT_PROTOCOLS from protocol direct
    set policy-options policy-statement P_PUBv6_to_PRIVv6 term ACCEPT_PROTOCOLS from protocol bgp
    set policy-options policy-statement P_PUBv6_to_PRIVv6 term ACCEPT_PROTOCOLS then accept
    set policy-options policy-statement P_PUBv6_to_PRIVv6 term REJECT then reject
    set routing-instances INTERNET_PRIVATE routing-options interface-routes rib-group inet6 PRIVv6_to_PUBv6
    set routing-instances INTERNET_PUBLIC routing-options interface-routes rib-group inet6 PUBv6_to_PRIVv6

     

    Any help or advice to change the way we are doing this would be greatly appreciated.

     

    Thanks.



  • 2.  RE: VRF RIB group leaking into another VRF - Dual Stack

    Posted 07-13-2018 09:16

    Hello,


    @beauharrington wrote:

    Here is the scenario.  

    We are trying to deploy dual stack IPv6 to our customers.  We have an INTERNET_PUBLIC vrf and an INTERNET_PRIVATE vrf. 


     "instance-type vrf" or "instance-type virtual-router"? This makes a huge difference in JUNOS world.

     


    @beauharrington wrote:

    I can see the routes on the PE router between both of the VRFs; however, I am not learning BGP/default routes, only the direct routes.

     

     


     If "instance-type vrf" _AND_ the BGP default route is learnt from MP-iBGP, then this is expected in JUNOS. Without going into too much detail, you can fix this by importing ::/0 directly from MP-iBGP into INTERNET_PRIVATE.inet6.0 with the help of an appropriate "vrf-import" policy applied to the "INTERNET_PRIVATE" VRF && matching on a specific route-target.

    If the BGP default route is learnt from CE-PE BGP, then you need to apply your RIB-group to that CE-PE BGP "neighbor <> family inet6-unicast rib-group" stanza.

    HTH

    Thx
    Alex



  • 3.  RE: VRF RIB group leaking into another VRF - Dual Stack

    Posted 07-13-2018 09:56

    We are using instance-type vrf with MP-BGP.

     

    So I would have to import the route-target from the INTERNET_PUBLIC vrf in the INTERNET_PRIVATE vrf and create a policy to permit the IPv6 default route only tied to the INTERNET_PUBLIC route target import?

     

    Wouldn't I have to do this in reverse for the return routes?  I have listed the data flow for our customers to the internet.  The PE router connected to the Edge routers would need the return routes for the INTERNET_PRIVATE vrf.  The INTERNET_PRIVATE vrf does not exist on the INET-PE1 router.  

     

    customers -> SVC-PE1 -> Core -> INET-PE1 -> Edge Routers



  • 4.  RE: VRF RIB group leaking into another VRF - Dual Stack
    Best Answer

    Posted 07-13-2018 10:21

    Hello,


    @beauharrington wrote:

     

    So I would have to import the route-target from the INTERNET_PUBLIC vrf in the INTERNET_PRIVATE vrf and create a policy to permit the IPv6 default route only tied to the INTERNET_PUBLIC route target import?

     

     


     Correct.

     


    @beauharrington wrote:

     

    Wouldn't I have to do this in reverse for the return routes?  I have listed the data flow for our customers to the internet.  The PE router connected to the Edge routers would need the return routes for the INTERNET_PRIVATE vrf.  The INTERNET_PRIVATE vrf does not exist on the INET-PE1 router.  

     

    customers -> SVC-PE1 -> Core -> INET-PE1 -> Edge Routers


     Correct again.

     

    HTH

    Thx
    Alex
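
The approach confirmed in this thread, sketched as Junos set commands. This is an added example, not configuration posted by either participant: the route-target values, the community and policy names, and the 2001:db8::/32 customer prefix are constructed placeholders, and it assumes each VRF exports its routes with its own route target.

```junos
# Placeholder route targets; substitute the targets each VRF actually exports.
set policy-options community RT_INTERNET_PUBLIC members target:65000:100
set policy-options community RT_INTERNET_PRIVATE members target:65000:200

# --- SVC-PE1: vrf-import for INTERNET_PRIVATE ---
# Term 1 keeps importing the VRF's own routes (IPv4 and IPv6).
set policy-options policy-statement VRF_IMPORT_INTERNET_PRIVATE term OWN_RT from community RT_INTERNET_PRIVATE
set policy-options policy-statement VRF_IMPORT_INTERNET_PRIVATE term OWN_RT then accept
# Term 2 admits only the IPv6 default carrying the PUBLIC route target.
# An IPv6 route-filter cannot match an IPv4 prefix, so no IPv4 route
# from INTERNET_PUBLIC is imported by this term.
set policy-options policy-statement VRF_IMPORT_INTERNET_PRIVATE term PUBLIC_V6_DEFAULT from community RT_INTERNET_PUBLIC
set policy-options policy-statement VRF_IMPORT_INTERNET_PRIVATE term PUBLIC_V6_DEFAULT from route-filter ::/0 exact
set policy-options policy-statement VRF_IMPORT_INTERNET_PRIVATE term PUBLIC_V6_DEFAULT then accept
# Explicit final reject: nothing else crosses the VRF boundary.
set policy-options policy-statement VRF_IMPORT_INTERNET_PRIVATE term REJECT then reject
set routing-instances INTERNET_PRIVATE vrf-import VRF_IMPORT_INTERNET_PRIVATE

# --- INET-PE1: vrf-import for INTERNET_PUBLIC (return routes) ---
set policy-options policy-statement VRF_IMPORT_INTERNET_PUBLIC term OWN_RT from community RT_INTERNET_PUBLIC
set policy-options policy-statement VRF_IMPORT_INTERNET_PUBLIC term OWN_RT then accept
# Only the private customers' IPv6 space (placeholder prefix) is accepted
# from the PRIVATE route target; their IPv4 routes stay isolated.
set policy-options policy-statement VRF_IMPORT_INTERNET_PUBLIC term PRIVATE_V6_CUSTOMERS from community RT_INTERNET_PRIVATE
set policy-options policy-statement VRF_IMPORT_INTERNET_PUBLIC term PRIVATE_V6_CUSTOMERS from route-filter 2001:db8::/32 orlonger
set policy-options policy-statement VRF_IMPORT_INTERNET_PUBLIC term PRIVATE_V6_CUSTOMERS then accept
set policy-options policy-statement VRF_IMPORT_INTERNET_PUBLIC term REJECT then reject
set routing-instances INTERNET_PUBLIC vrf-import VRF_IMPORT_INTERNET_PUBLIC

# Checks after commit (operational mode):
#   show route table INTERNET_PRIVATE.inet6.0 ::/0 exact
#   show route table INTERNET_PRIVATE.inet.0    (confirm no INTERNET_PUBLIC IPv4 routes appeared)
```

If either VRF currently relies on `vrf-target` for import, an explicit `vrf-import` policy takes over the import side, which is why each policy above keeps a term for the VRF's own route target.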