I am very familiar with rib-groups and require use of them extensively throughout my designs, but there is an example in Juniper docs that I cannot seem to wrap my head around.
In the L3VPN guide under routing internet traffic bidirectionally over a link, there is an example that uses rib-groups with an import-policy under BGP and the order of operations is causing massive confusion for me.
https://www.juniper.net/documentation/us/en/software/junos/vpn-l3/topics/topic-map/l3-vpns-internet-access.html#id-routing-vpn-and-internet-traffic-through-the-same-interface-bidirectionally-vpn-has-private
Summary - In an instance, BGP accepts routes with private/public communities from the CE. rib-groups are used to selectively duplicate the public routes into the inet.0 table. However, a policy-statement is used for both the BGP import as well as the rib-group import-policy. This is the example config in the documentation:
routing-options {
  rib-groups {
    vpna-to-inet0 {
      import-policy import-public-addr-to-inet0;
      import-rib [ vpna.inet.0 inet.0 ];
    }
  }
}
policy-options {
  policy-statement import-public-addr-to-inet0 {
    term a {
      from {
        protocol bgp;
        rib vpna.inet.0;
        community [ public-comm private-comm ];
      }
      then accept;
    }
    term b {
      from {
        protocol bgp;
        community public-comm;
      }
      to rib inet.0;
      then accept;
    }
    term c {
      then reject;
    }
  }
  community private-comm members target:1:333;
  community public-comm members target:1:111;
  community vpna-comm members target:63000:100;
}
[edit routing-instances vpna]
protocols {
  bgp {
    group to-CE1 {
      import import-public-addr-to-inet0;
      family inet {
        unicast {
          rib-group vpna-to-inet0;
        }
      }
    }
  }
}
The confusion and lack of documentation applies to the last BGP configuration: which policy is applied first, and, either way this is viewed, what point of view does the import-policy use for rib-groups? The reason being that my assumption is that term a should match on both import policies.
My assumption is that the BGP group import is processed first, as would be needed to even populate the tables, in the following order:
- received routes from CE stored into RIB-IN of vpna.inet.0
- BGP import policy run against routes and accepted routes moved to RIB-LOCAL of vpna.inet.0
- rib-group import-policy runs against routes in vpna.inet.0
Term a in the example and the from rib vpna.inet.0 should apply, as routes should be populated in the RIB-IN table for vpna.inet.0 prior to the import processing. Following that, the rib-group import-policy should be run after the routes have been imported.
Then comes the question of the import-policy: since the table is populated, from rib vpna.inet.0 should match term a and should be both accepted and duplicated into inet.0. But I labbed this and it is indeed correct. To add to the confusion, removing from rib vpna.inet.0 results in both private/public routes matching and being duplicated to the inet.0 table. This verifies the processes if processing from a table other than the primary.
Questions:
- What point of view is the rib-group import-policy using? All other use cases assume this is from the primary table in the rib-group tables, and removing the `from rib` statement causes all routes to match `term a`.
- Does a policy that includes to/from rib [table] change the processing of the policy? E.g. does it implicitly add to/from rib [primary-table] to other terms in the policy not specifying to rib?
- What is the OOO for processing incoming routes on an import policy of both the protocol (BGP in this case) and an additional policy for the rib import?
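As an added illustration (not part of the post or of Juniper's documentation), the following Python model evaluates the import-public-addr-to-inet0 policy above the way Junos walks terms (in order, first matching term's action wins, every qualifier in a from/to block must match, a community list is an OR). The CE routes are constructed, and the rule that both `from rib` and `to rib` are compared against the table the route is being imported into is an assumption chosen only because it reproduces the two lab observations described in the post.

```python
# Added example: a model of Junos policy term evaluation for the
# import-public-addr-to-inet0 policy. Route data and the "rib context"
# rule are constructed assumptions, not a description of Junos internals.

PUBLIC, PRIVATE = "target:1:111", "target:1:333"   # public-comm / private-comm

def make_policy(from_rib_in_term_a=True):
    """Build the policy from the post, with `from rib` in term a kept or dropped."""
    term_a_from = {"protocol": "bgp", "community": [PUBLIC, PRIVATE]}
    if from_rib_in_term_a:
        term_a_from["rib"] = "vpna.inet.0"
    return [
        {"name": "a", "from": term_a_from, "then": "accept"},
        {"name": "b", "from": {"protocol": "bgp", "community": [PUBLIC]},
         "to": {"rib": "inet.0"}, "then": "accept"},
        {"name": "c", "then": "reject"},
    ]

def matches(cond, route, rib):
    """All qualifiers in a from/to block must match; a community list matches if any member is present."""
    if cond.get("protocol") and cond["protocol"] != route["protocol"]:
        return False
    if cond.get("rib") and cond["rib"] != rib:
        return False
    if cond.get("community") and not set(cond["community"]) & route["communities"]:
        return False
    return True

def evaluate(policy, route, rib):
    """Walk terms in order; the first term whose from and to blocks both match decides.
    Assumption: `rib` is the table the route is being imported into, and both
    `from rib` and `to rib` are compared against it."""
    for term in policy:
        if matches(term.get("from", {}), route, rib) and matches(term.get("to", {}), route, rib):
            return term["then"]
    return "reject"   # default action when no term matches

ROUTES = [   # constructed CE advertisements: one public-tagged, one private-tagged
    {"prefix": "203.0.113.0/24", "protocol": "bgp", "communities": {PUBLIC}},
    {"prefix": "10.1.0.0/16", "protocol": "bgp", "communities": {PRIVATE}},
]

def imported(policy, rib):
    """Prefixes the policy accepts into the given table."""
    return [r["prefix"] for r in ROUTES if evaluate(policy, r, rib) == "accept"]

if __name__ == "__main__":
    print("vpna.inet.0:", imported(make_policy(True), "vpna.inet.0"))
    print("inet.0 (with from rib):", imported(make_policy(True), "inet.0"))
    print("inet.0 (without from rib):", imported(make_policy(False), "inet.0"))
```

Under this model term a accepts both routes into vpna.inet.0, only term b accepts the public route into inet.0, and dropping `from rib` from term a lets it accept both routes into inet.0 as well, which matches the lab result in the post; a different context rule would not.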