Routing

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



rib-group import-policy processing

  • 1.  rib-group import-policy processing

    Posted 08-12-2021 15:30

    I am very familiar with rib-groups and require use of them extensively throughout my designs, but there is an example in Juniper docs that I cannot seem to wrap my head around.

    In the L3VPN guide under routing internet traffic bidirectionally over a link, there is an example that uses rib-groups with an import-policy under BGP and the order of operations is causing massive confusion for me.

    https://www.juniper.net/documentation/us/en/software/junos/vpn-l3/topics/topic-map/l3-vpns-internet-access.html#id-routing-vpn-and-internet-traffic-through-the-same-interface-bidirectionally-vpn-has-private

    Summary - In an instance, BGP accepts routes with private/public communities from the CE. rib-groups are used to selectively duplicate the public routes into the inet.0 table. However, a policy-statement is used for both the BGP import as well as the rib-group import-policy. This is the example config in the documentation:


    routing-options {
        rib-groups {
            vpna-to-inet0 {
                import-policy import-public-addr-to-inet0;
                import-rib [ vpna.inet.0 inet.0 ];
            }
        }
    }
    policy-options {
        policy-statement import-public-addr-to-inet0 {
            term a {
                from {
                    protocol bgp;
                    rib vpna.inet.0;
                    community [ public-comm private-comm ];
                }
                then accept;
            }
            term b {
                from {
                    protocol bgp;
                    community public-comm;
                }
                to rib inet.0;
                then accept;
            }
            term c {
                then reject;
            }
        }
        community private-comm members target:1:333;
        community public-comm members target:1:111;
        community vpna-comm members target:63000:100;
    }
    [edit routing-instances vpna]
    protocols {
        bgp {
            group to-CE1 {
                import import-public-addr-to-inet0;
                family inet {
                    unicast {
                        rib-group vpna-to-inet0;
                    }
                }



    The confusion and lack of documentation applies to the last BGP configuration, which policy is applied first and either way this is viewed, what point of view does the import-policy use for rib-groups? Reason being that my assumption is term a should match on both import policies.

    My assumption is the BGP group import is processed first as would be needed to even populate the tables in the following order:

    1. received routes from CE stored into RIB-IN of vpna.inet.0

    2. BGP import policy ran against routes and accepted routes moved to RIB-LOCAL of vpna.inet.0

    3. rib-group import-policy runs against routes in vpna.inet.0

     Term a in the example and the from rib vpna.inet.0 should apply as routes should be populated in the RIB-IN table for vpna.inet.0 prior to the import processing. Following that, then the rib-group import-policy should be ran after the routes have been imported.

    Then comes the question of the import-policy, since the table is populated, from rib vpna.inet.0 should match term a and should be both accepted and duplicated into inet.0. But I labbed this and it is indeed correct. To add on to confusion, removing from rib vpna.inet.0 results in both private/public routes to match and be duplicated to the inet.0 table. This verifies the processes if processing from a table other than the primary.

    Question:

    1. What point of view is the rib-group import-policy using? All other use cases assume this is from the primary table in the rib-group tables and removing the `from rib` statement causes all routes to match `term a`

    2. Does a policy that includes to/from rib [table] change the processing of the policy? Ex. implicitly adds to/from rib [primary-table] to other terms in the policies not specifying to rib?

    3. What is the OOO for processing incoming routes on an import policy of both the protocol (BGP in this case) and an additional policy for the rib import?