Junos OS


How to filter VPN routes with community in vrf-import policy

  • 1.  How to filter VPN routes with community in vrf-import policy

    Posted 12-01-2020 02:13
    Hi, I have a situation where I need to filter out VPN routes based on those routes' community. In the vrf-import policy I have to match the proper route-target community for the routes to be imported from the bgp.l3vpn.0 table; how can I further process those routes based on their regular community, which is set at the remote sites?

    For example, I have MPLS VPN sites A, B, C. Site C's VRF imports routes from A and B with route-target "target:100:100" in the vrf-import policy. Both site A and site B advertise 10.0.0.0/8, but with their own regular BGP community 1:1 and 2:2 respectively, in addition to the extended RT community "target:100:100". Now I want to assign a higher local preference in site C such that the 10.0.0.0/8 route learned with community 1:1 will have high local preference. How can I compose site C's vrf-import policy to achieve what I want?

    Thanks,
    JG

    ------------------------------
    John Gerro
    ------------------------------


  • 2.  RE: How to filter VPN routes with community in vrf-import policy

    Posted 12-01-2020 08:41
    Hi John,

    You can create a policy that matches the community that you'd like to absorb and implement it as vrf-import on the VRF routing-instance.

    For example:

    > show configuration policy-options
    policy-statement test {
        term term1 {
            from {
                protocol bgp;
                community comm1;
            }
            then next term;
        }
        term term2 {
            from community comm2;
            then accept;
        }
    }
    community comm1 members 11:1;
    community comm2 members target:1:11;

    Hope this helps.
    Regards,
    -r.
    --------------------------------------------------
    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).



  • 3.  RE: How to filter VPN routes with community in vrf-import policy

    Posted 12-01-2020 11:59
    Hi, thanks, I will try this out ... but conceptually you would need to match the RT community first to get the route into this VRF before you can match the regular community, right?

    ------------------------------
    John Gerro
    ------------------------------



  • 4.  RE: How to filter VPN routes with community in vrf-import policy

    Posted 12-02-2020 20:06
    Hi, this "next-term" actually works ... to some extent. What I ultimately want is to be able to filter remote routes entering the local VRF based on regular BGP community, but I cannot do it, since the vrf-import policy won't allow an accept/reject action if the matching community is not an extended RT community. I guess I can add an additional extended RT community on the originating remote PEs for the routes I need special processing for, but that is a rather big change...

    Any workaround?

    ------------------------------
    John Gerro
    ------------------------------



  • 5.  RE: How to filter VPN routes with community in vrf-import policy

    Posted 12-02-2020 04:12
    Hi John,

    Try configuring them in separate terms: the 1st is more specific, the 2nd is less specific, and the 3rd is a simple reject on site C:

    set policy-options community SITE_A_COMM members 1:1
    set policy-options community SITE_B_COMM members 2:2
    set policy-options community ABC_COMM members target:100:100

    set policy-options policy-statement VRF_IMPORT term 1 from protocol bgp
    set policy-options policy-statement VRF_IMPORT term 1 from community SITE_A_COMM
    set policy-options policy-statement VRF_IMPORT term 1 then local-preference 999
    set policy-options policy-statement VRF_IMPORT term 1 then accept
    set policy-options policy-statement VRF_IMPORT term 2 from protocol bgp
    set policy-options policy-statement VRF_IMPORT term 2 from community ABC_COMM
    set policy-options policy-statement VRF_IMPORT term 2 then accept
    set policy-options policy-statement VRF_IMPORT term 3 then reject

    set routing-instances VRF vrf-import VRF_IMPORT



    ------------------------------
    Regards,
    Elchin
    ------------------------------



  • 6.  RE: How to filter VPN routes with community in vrf-import policy

    Posted 12-01-2020 11:55
    No, that was the first thing I tried; this configuration fails commit check.

    "vrf-import policy permits accept action only if matching conditions contain a target community"

    ------------------------------
    John Gerro
    ------------------------------
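    As an added illustration (not posted by anyone in this thread), a site C vrf-import policy that combines the "next term" approach from the second post with the local-preference action from the fifth, while keeping the only accept in a term that matches the route-target community, so it satisfies the commit check quoted above. Term and community names are constructed.

```junos
/* Regular community set by site A, and the RT shared by sites A, B and C */
policy-options {
    community SITE_A_COMM members 1:1;
    community ABC_COMM members target:100:100;
    policy-statement VRF_IMPORT {
        /* Term 1 only modifies the attribute; it must not accept, because
           an accept here (no target community in the match) fails commit */
        term PREFER_SITE_A {
            from {
                protocol bgp;
                community SITE_A_COMM;
            }
            then {
                local-preference 999;
                next term;
            }
        }
        /* Term 2 is the only accepting term, and it matches the route target */
        term IMPORT_RT {
            from {
                protocol bgp;
                community ABC_COMM;
            }
            then accept;
        }
        /* Term 3: anything without the RT stays out of this VRF */
        term DROP {
            then reject;
        }
    }
}
routing-instances {
    VRF {
        vrf-import VRF_IMPORT;
    }
}
```

    After commit, "show route table VRF.inet.0 10.0.0.0/8 detail" shows the Localpref of each path, so the copy carrying 1:1 should display 999 and the copy carrying 2:2 the default.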



  • 7.  RE: How to filter VPN routes with community in vrf-import policy

    Posted 12-02-2020 21:16
    Can A and B tag the routes with two route-target communities instead of a route target and a standard community?

    Regards,

    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------



  • 8.  RE: How to filter VPN routes with community in vrf-import policy

    Posted 12-02-2020 22:33
    Hi, Yasmin,

    Thanks, yes, that would work, but since it would involve configuration changes on remote PEs, and some remote PEs' VRFs are using vrf-target configuration, adding a new route-target community is not trivial. Plus, the regular community was set before the route shows up on the MPLS VPN PE devices, so I would rather have a local solution.




    ------------------------------
    John Gerro
    ------------------------------



  • 9.  RE: How to filter VPN routes with community in vrf-import policy

    Posted 12-02-2020 22:46




    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------



  • 10.  RE: How to filter VPN routes with community in vrf-import policy

    Posted 12-02-2020 23:10
    It also works like this:

    Regards,

    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------



  • 11.  RE: How to filter VPN routes with community in vrf-import policy

    Posted 12-03-2020 00:32
    Thanks again, Yasmin. I am using the 2nd solution; the problem with it is that you can do whatever you want with the routes, but you cannot reject them in the vrf-import policy; you would instead have to configure an export policy towards the CE to filter them.
    The 1st solution allows you to reject the route, but you would need to do extra work on the remote PE to add the extended RT community, which might not always be easily done, especially when the regular community was set before the route gets to the PE.

    I do have a question about the 2nd solution though; hope you can shed some light on it. When Junos is processing term1 of import_vrf_policy, it is matching a prefix's regular community; at this moment it does not even know whether this route will eventually be put into the local table, say VRF-A, or not, so the policy will change the attributes of this route in the bgp.l3vpn.0 table, right? Does this mean that if another VRF-B in the same box is also importing this route's extended RT community, this route in VRF-B will inherit the attributes changed by VRF-A's vrf-import policy? But then this argument does not make sense: say VRF-B also has a similar import policy, then there will be chaos (I don't think this will ever happen in the real world; this is for pure argument purposes only, I just want to understand how Junos works in this scenario).

    BTW, I don't think you need next-hop-self in export_vrf_policy, MP-BGP will always set next-hop-self for inet-vpn routes.

    ------------------------------
    John Gerro
    ------------------------------