Routing

  • 1.  VRF-Target

    Posted 08-25-2013 01:21

    Hi experts,

    I hope someone can help me to understand "vrf-target" syntax in L3vpn configuration.

    I understand that BGP extended communities (Route Target) or Import/export policies can be used. Also "vrf-target" field is used in order to add received routes to VRF (of course if vrf-target matches) and at the same time to advertise VPNv4 addresses to remote PE.

    I will only try to put the config string which I can't fully understand.

    "vrf-target target:65512:101;"

    The book explains this vrf is linked to the vrf target community but doesn't explain which community (looks like the route target community).

    In the syntax above I believe 65512 is an ISP AS and 101 is the customer site ID, which the book didn't explain how and where to configure, or how the PE identifies routes for 101.


    ######################################################################################################################################################################################

    Scenario of import/export

    I understand import syntax is used to import the matched routes into the VRF and export is used to advertise depending on the import/export policies.

    Config strings

    "vrf-import import-vpn-A;"
    "vrf-export export-vpn-A;"

    Of course import/export-vpn-A policies need to be configured.

    -------Policy configuration is something I fail to understand--------

    policy-statement import-vpn-A {
        term 1 {
            from {
                protocol bgp;       # I understand match bgp routes
                community vpn-a;    # Don't understand how we are matching community vpn-a
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }

    community vpn-a members target:65512:101;  # Is this the config string to define VPN-a community?

    This above string doesn't mean target community?? I thought either Target community or import/export was supposed to be used??

    Apologies for taking a lot of your time but will appreciate if someone can share their ideas on this to help me understand.


    Regards
    er







  • 2.  RE: VRF-Target

    Posted 08-26-2013 02:06

    Would appreciate if someone can explain please??



  • 3.  RE: VRF-Target

    Posted 08-27-2013 08:25

    There are two ways to configure route matching; you have shown both in your original question. You don't need to use both. Either use vrf-target, or use the vrf-import/export policies.

     

    The Route Target is an extended BGP community defined by RFC 4360. In Junos, we show it as target:xxxx:xxxx. I believe Cisco IOS shows it as rt:xxxx:xxxx. Both are correct, because the target: and rt: are really just words to represent the underlying bit pattern for route targets (see RFC).

     

    So let's break down your questions.

     

    -------- Part I ---------

    When you use the "vrf-target", Junos creates the policy for you. It is hidden, but essentially it imports and exports ALL routes for that local VRF based on the route target you define.

     

    vrf-target target:65512:101;

     

    "vrf-target" is the command, "target:65512:101" is the community. It is defined, in Junos, simply by entering this configuration statement. You don't need to specify any other policy (vrf-import/export) if you use this method.

     

    ------- Part II -------

     

    The next part of your question involved defining the VRF import and export policies explicitly. This is different than the configuration above. They accomplish the same thing but use one or the other - not both.

     

    vrf-import import-vpn-A;
    vrf-export export-vpn-A;


    We need to think about how policy works and what is its purpose. When you create a VRF, you are creating a dedicated routing table for this instance. This route table will look something like vpn-a.inet.0

     

    Now this is where it might get confusing, but bear with me. There is another routing table, bgp.l3vpn.0, that has the "L3VPN MPLS" routes. It is bgp.l3vpn.0 that gets shared with all the other MPLS routers in your network.

     

    vrf-import defines the policy that you use to get routes from the mpls routing table and put them in the local route table. The import policy matches routes in bgp.l3vpn.0 and delivers to the local table vpn-a.inet.0

     

    vrf-export defines the policy that you use to share routes from the local vrf routing table to mpls routing table. So it matches routes from vpn-a.inet.0 and exports it to bgp.l3vpn.0

     

    Now we have defined policy direction, let's look into the policies.

     

    The VRF-IMPORT policy:

     

    policy-statement import-vpn-A {
        term 1 {
            from {
                protocol bgp;       # Match routes in bgp.l3vpn.0 - REQUIRED
                community vpn-a;    # match routes in bgp.l3vpn.0 that have the route target community target:65512:101
            }
            then accept;
        }
        term 2 {
            then reject;            # if it doesn't match the term above then don't import
        }
    }
    community vpn-a members target:65512:101;

     


    The VRF-EXPORT policy:

     

    policy-statement export-vpn-A {
        term 1 {
            from {
                protocol [ direct bgp ospf ];    # Match routes in vpn-a.inet.0 - NOT REQUIRED - omission matches ALL
            }
            then {
                community add vpn-a;             # add the route target to the mpls routes
                accept;
            }
        }
        term 2 {
            then reject;                         # if it doesn't match the term above then don't export
        }
    }
    community vpn-a members target:65512:101;

     


    Hopefully this makes sense.
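Added example (not part of the original reply and not Juniper code): a Python sketch of the "underlying bit pattern" that `target:65512:101` stands for under RFC 4360, followed by the accept-on-match / reject-otherwise import step described above. The routes in the stand-in for bgp.l3vpn.0 and the second target `target:65512:202` are constructed for illustration; only the two-octet-AS and IPv4-address forms from RFC 4360 are handled.

```python
import ipaddress
import struct

RT_SUBTYPE = 0x02  # RFC 4360 sub-type that marks an extended community as a Route Target


def encode_route_target(text):
    """Turn 'target:<admin>:<number>' into its 8-byte extended community."""
    keyword, admin, number = text.split(":")
    if keyword != "target":
        raise ValueError("not a route target: " + text)
    if "." in admin:
        # IPv4-address-specific form: type 0x01, 4-byte address, 2-byte number
        return struct.pack("!BBIH", 0x01, RT_SUBTYPE,
                           int(ipaddress.IPv4Address(admin)), int(number))
    # Two-octet-AS-specific form: type 0x00, 2-byte AS, 4-byte number
    return struct.pack("!BBHI", 0x00, RT_SUBTYPE, int(admin), int(number))


def decode_route_target(raw):
    """Inverse of encode_route_target for the two forms handled here."""
    if len(raw) != 8 or raw[1] != RT_SUBTYPE or raw[0] not in (0x00, 0x01):
        raise ValueError("not a route target this sketch handles")
    if raw[0] == 0x01:
        addr, number = struct.unpack("!IH", raw[2:])
        return f"target:{ipaddress.IPv4Address(addr)}:{number}"
    asn, number = struct.unpack("!HI", raw[2:])
    return f"target:{asn}:{number}"


def vrf_import(l3vpn_routes, import_target):
    """Term 1 / term 2 of the import policy: accept on route-target match, else reject."""
    wanted = encode_route_target(import_target)
    return [prefix for prefix, communities in l3vpn_routes if wanted in communities]


# Constructed stand-in for bgp.l3vpn.0: (prefix, set of raw extended communities)
RT_101 = encode_route_target("target:65512:101")
RT_202 = encode_route_target("target:65512:202")
SAMPLE_L3VPN = [
    ("10.1.0.0/24", {RT_101}),
    ("10.2.0.0/24", {RT_202}),
    ("10.3.0.0/24", {RT_101, RT_202}),
]

if __name__ == "__main__":
    print(RT_101.hex())
    print(vrf_import(SAMPLE_L3VPN, "target:65512:101"))
```

A route carrying several route targets, like the third sample prefix, is imported by every VRF whose import target is among them.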



  • 4.  RE: VRF-Target

    Posted 08-27-2013 11:36

    Hi ,

     

    Many thanks for your explanation.

     

    My main concern was the "vrf-target target:65512:101". I understand vrf-target is a command but what I don't understand is how we come up with what the target will be. Also what does "65512:101" really mean?

     

     

    Similarly in the import/export policy's match statement as shown below.

     

    term 1 {
        from {
           protocol bgp; 
           community vpn-a;

    Where do we define community VPN-a ???

     

    I also mentioned a statement in my original question "community vpn-a members target:65512:101". Is it how we define community vpn-a?

     

    If yes, again the question remains: how do we come up with the number 65512:101?

     

    I hope I am not troubling you guys out there.

     

    thanks

    er

     



  • 5.  RE: VRF-Target

    Posted 08-27-2013 12:10

    Gotcha.

     

    Communities don't mean anything by themselves.  I'll give you *my* way of giving meaning to communities.

     

    I like to use the real ASN when defining communities. I don't actually run a network since I work for Juniper, so I'll use 12345.

     

    All of my communities would be some form of 12345:xxxx.  Extended communities would be the same: origin:12345:xxxx, target:12345:xxxx, etc.

     

    The last portion (:xxxx) is usually assigned to a customer and/or service. I would do something like this:

     

    NOTE:  If you use something like my method, you can tie the last part to the Route distinguisher.  rd:<ipaddress_of_pe>:<cust-svc-id>

     

    L3VPN: 10000-11999

    customer-a      10000
    customer-b      10001
    customer-c      10002
    customer-d      10003

    L2VPN/VPLS: 20000-21999

    customer-a      20000
    customer-x      20001
    customer-z      20002

     

    Tying this all together.  When customer-a wants me to deliver an L3VPN service I would configure their route target as target:12345:10000.  Since customer-a wanted a VPLS service as well, I would assign the route target as target:12345:20000.

     

    I just gave meaning to the communities and made a community matrix that allows me to discern certain information from the community.  The answer to your question is "You make it up".

     

    If I see a route on a PE with the community of target:12345:10000 - I know that this is a VRF route (target:), L3VPN service (between 10000 & 11999), belonging to customer-a (10000).

     

    Defining communities:

     

    • With vrf-target - the community you add is the defined community - no further configuration necessary.
    • Communities in a policy must be defined under policy-options.  Which is exactly what you did.

    My Junos Config would be:

    community cust-a-vrf members target:12345:10000;
    term 1 {
        from {
            protocol bgp;
            community cust-a-vrf;
        }
    }

     Any more clear?
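Added example (not part of the original reply): a Python sketch that turns the community matrix above into a check a network team could run over its routing instances, flagging route targets that fall outside the plan or that belong to a different customer than the instance they are configured on, since VRFs sharing a target import each other's routes. The PE names, instance names and the inventory list are constructed; the ASN, ranges and customer values are the ones given in the post.

```python
PLAN_ASN = 12345
SERVICE_RANGES = {"L3VPN": range(10000, 12000), "L2VPN/VPLS": range(20000, 22000)}
ASSIGNED = {
    10000: "customer-a", 10001: "customer-b", 10002: "customer-c", 10003: "customer-d",
    20000: "customer-a", 20001: "customer-x", 20002: "customer-z",
}


def classify(route_target):
    """Return (service, customer) for a target, or raise ValueError if it is off-plan."""
    keyword, asn, value = route_target.split(":")
    asn, value = int(asn), int(value)
    if keyword != "target" or asn != PLAN_ASN:
        raise ValueError(f"{route_target}: not a target in AS {PLAN_ASN}")
    for service, values in SERVICE_RANGES.items():
        if value in values:
            if value not in ASSIGNED:
                raise ValueError(f"{route_target}: value not assigned to a customer")
            return service, ASSIGNED[value]
    raise ValueError(f"{route_target}: outside every service range")


def audit(instances):
    """instances: (pe, instance, expected_customer, route_target) tuples. Returns findings."""
    findings = []
    for pe, name, customer, route_target in instances:
        try:
            _, owner = classify(route_target)
        except ValueError as err:
            findings.append(f"{pe}/{name}: {err}")
            continue
        if owner != customer:
            findings.append(f"{pe}/{name}: {route_target} belongs to {owner}, not {customer}")
    return findings


# Constructed inventory; the expected customer per instance is an assumption of this sketch.
SAMPLE_INSTANCES = [
    ("pe1", "cust-a-vrf", "customer-a", "target:12345:10000"),
    ("pe2", "cust-b-vrf", "customer-b", "target:12345:10000"),  # would join customer-a's VPN
    ("pe2", "cust-c-vrf", "customer-c", "target:65512:101"),    # not in the plan's ASN
    ("pe3", "cust-x-vpls", "customer-x", "target:12345:20001"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INSTANCES):
        print(finding)
```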



  • 6.  RE: VRF-Target

    Posted 03-05-2014 04:51

    A great post. Must say many thanks!

     

    On a slightly related note, I was reading Juniper documentation on what routes populate the routing-instance-name.inet.0 table and this is what I found.

     

    "routing-instance-name.inet.0—Stores all unicast IPv4 routes received from directly connected CE routers in a routing instance (that is, in a single VPN) and all explicitly configured static routes in the routing instance. This is the VRF table and is present only on PE routers. For example, for a routing instance named VPN-A, the routing table for that instance is named VPN-A.inet.0."

     

    Please can you confirm my understanding that in addition to the routes in the quotes above, direct routes specifically assigned using "interface x/y/z" under the routing-instance hierarchy will also populate the routing-instance-name.inet.0 table. As such there's no need to use rib group or other similar configuration to add direct routes to routing-instance-name.inet.0.



  • 7.  RE: VRF-Target

    Posted 03-06-2014 06:51

    Any interface or statically configured route under the VRF stanza will appear in the same vrf routing table.  You don't need a rib-group.



  • 8.  RE: VRF-Target

    Posted 04-09-2014 17:17

    That was a great explanation on vrf-target. Just a supplementary question: if the customer route is received statically (CE<-->PE), does only defining vrf-target work, or do we need to EXPORT those STATIC routes to BGP and IMPORT BGP routes based on the matching community?

     

    Cheers

    Fakrul



  • 9.  RE: VRF-Target

    Posted 04-10-2014 06:59

    The use of vrf-target target:xxxx:xxxx will automatically generate the appropriate policy to match "all" routes for export.  If you create your own export policy then you will need to match on the protocols that you are using for your PE-CE link.

     

    The import policy only has to match BGP, since all of the VRF routes are being imported from bgp.l3vpn.0 (multiprotocol BGP). Again, vrf-target target:xxxx:xxxx , does this automatically for you.

     

    To create your own policies you would use vrf-export and vrf-import.



  • 10.  RE: VRF-Target

    Posted 04-11-2014 09:49
    Thanks Experts, very useful not only to the asker but to all the novice guys like us beginning the journey.

    Many thanks indeed!!!!


  • 11.  RE: VRF-Target

    Posted 06-02-2014 05:05

    Great post