Routing

Hi,

I am getting myself confused over the use of both the VRF commands vrf-import and vrf-export with a policy and that is matching a community target (import). I see all routes in the bgp.l3vn.0 table but it is what gets into or not into the VRF table and how the vrf-import or vrf-export policy influences that as opposed to an edge eBGP peering config with no policies.

With the configuration below will eBGP routes be imported to the VRF table with a community that does not match the policy, because when I have this in the lab eBGP routes from the CE that do not match the community value in the vrf-import policy get imported from the bgp.l3vpn.0 table to the TEST1 VRF table ?

user@MXrouter> show configuration routing-instances TEST1
instance-type vrf;
interface xe-1/0/0.0; #edge eBGP peering
route-distinguisher 64512:00000;
vrf-import POLICY1_IMPORT;
vrf-export POLICY1_EXPORT;
vrf-table-label;
autonomous-system 64512;
}
protocols {
bgp {
group CE_ROUTER {
type external;
local-address 10.1.1.1;
peer-as 65534;
neighbor 10.1.1.2; #edge eBGP peering
}
}
}
{master}
user@MXrouter>show configuration policy-options policy-statement POLICY1_IMPORT
term IMPORT {
from {
protocol bgp;
community ROUTES_IN_RT;
}
then accept;
}
term REJECT_ALL {
then reject;
}
set policy-options community ROUTES_IN_RT members target:65534:11110001
}
user@MXrouter>show route 10.100.200.0 detail receive-protocol bgp 10.1.1.2 table TEST1.inet

RMG_GCP_ICE.inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
* 10.100.200.0 (1 entry, 1 announced)
Accepted
Nexthop: 10.1.1.2
AS path: 65534 ?
Communities: target:65535:11110002 target:65536:11110003

{master}
user@MXrouter>

I thought this route should have been rejected as the community values dont match ?

Hello,

"vrf-import" policy does NOT affect routes received on PE-CE BGP sessions. If You want to filter routes received from CE, You need to put an import policy under CE neighbor/group level. 

In case of MPLS L3vpn, "vrf-import" only affects the routes on the way from bgp.l3vpn.0 table to <vrfname>.inet.0 table, and only in that direction.

HTH

Thx

Alex

Thanks Alex, thats good explaination, but where my understanding gets confused is why I see the PE-CE remote route in the bgp.l3vpn table, apologies if I'm not seeing the obvious here:

user@MXrouter> show route table bgp.l3vpn.0 protocol bgp

bgp.l3vpn.0: 44 destinations, 54 routes (44 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

64512:10190:10.100.200.0/29
*[BGP/170] 5w1d 00:46:50, localpref 100
AS path: 65534 I, validation-state: unverified
> to 10.1.1.2 via xe-1/0/0.0

user@MXrouter> show route table bgp.l3vpn.0 10.100.200.0/29 detail

bgp.l3vpn.0: 44 destinations, 54 routes (44 active, 0 holddown, 0 hidden)
64512:10000:10.100.200.0/29 (1 entry, 1 announced)
*BGP Preference: 170/-101
Next hop type: Router, Next hop index: 765
Address: 0x~~~~~~~
Next-hop reference count: 30
Source: 10.1.1.1
Next hop: 10.1.1.2 via xe-1/0/0.0, selected
Session Id: 0x###
State: <Secondary Active Ext>
Local AS: 64512 Peer AS: 65534
Age: 1w5d 16:46:00
Validation State: unverified
Task: BGP_65534_64512.10.1.1.2
Announcement bits (1): 1-BGP_RT_Background
AS path: 65534 ?
Communities: target:65535:11110002 target:65536:11110003
Accepted
Localpref: 100
Router ID: x.x.x.x
Primary Routing Table TEST1.inet.0

Hello,

---

@colin1000 wrote:

why I see the PE-CE remote route in the bgp.l3vpn table,

---

That's "vrf-export" policy which gets a route received from CE into bgp.l3vpn.0 table.

One more time:

- "vrf-import" : works for bgp.l3vpn.0 -> <vrfname>.inet.0 

- "vrf-export" : works for <vrfname>.inet.0 -> bgp.l3vpn.0

- PE-side BGP CE-neighbor import policy: works for CE->PE BGP RIB-In -> <vrfname>.inet.0

Hope this makes sense.

HTH

Thx

Alex

Hi Alex,

The penny drops, your time to repond is much appreciated 🙂