Routing

HI All,

Below is the configuration VRF in one Physical MX. My question is it have easy way to leak the route between VPN-A to VPN-B and vice versa besides of using RIB-Groups? Is it need to use vrf-import and vrf-export on both VPN routing instace or just enough only at new VRF (VPN-B)?

Thanks and appreciate somene feedback

Existing VRF (VRF1)

run show configuration routing-instances VPN-A

instance-type vrf;

interface ge-0/0/3.500
interface ge-0/0/7.400
route-distinguisher 4001:1;
vrf-target target:4001:11;
vrf-table-label;
routing-options {
    static {
        route 172.24.34.0/24 next-hop 172.24.30.1;
        route 172.24.0.3/32 next-hop 172.24.30.1;

New VRF (VRF-2)

root@Lab-MX960# run show configuration routing-instances VPN-B
instance-type vrf;
interface ge-4/0/1.20; --------------------------------------------> EBGP to New Upstream
interface ge-5/0/3.102; -------------------------------------------> OSPF to CE
interface lo0.3;
route-distinguisher 34000.13311:21432;
vrf-import VPN-B-import;
vrf-export VPN-B-export;
vrf-table-label;
routing-options {
    autonomous-system 34000.13311;
    auto-export;
}
protocols {
    bgp {
        group VPN-B-UPSTREAM {
            type external;
            peer-as 3777;
            neighbor 11.77.144.51 {
                bfd-liveness-detection {
                    minimum-interval 300;
                    multiplier 3;
                }
            }
        }
    }
    ospf {
        export BGP-to-OSPF;
        area 0.0.0.0 {
            interface ge-5/0/3.102;
            interface lo0.3;
        }
    }
}

Will auto-export work for you:

http://www.juniper.net/techpubs/en_US/junos12.3/information-products/topic-collections/nce/auto-export-understanding/auto-export-understanding.pdf

Hi Evt,

Thanks for the feedback. One more question. If u look on my existing config VPN-A it's dont use vrf-import and vrf-export. But on new vrf VPN-B i'm using vrf-import and vrd-export. So do i need to do that on VPN-A or just enough with add auto-export on VPN-A and VPN-B?

Thanks and appreciate someone feedback

Hi All,

Instead i'm using vrf-import & vrf-export to leak route between each VRF can i do as per below. Just using vrf-target import target:x:x and export target:x::x

Can someone explain whether this can achieve my objective or have some limitation.  Thanks and appreciate someone feedback

SITE_1 {
        instance-type vrf;
        interface ge-4/0/1.35;
        interface ge-2/1/1.70;
        route-distinguisher 7777:1111;
        vrf-target {
            target:7777:1111;
            import target:4:4;
            export target:4:4;
        routing-options {
             auto-export



SITE_2 {
        instance-type vrf;
        interface ge-1/1/1.40;
        interface ge-3/2/2.50;
        route-distinguisher 7777:2222;
        vrf-target {
            target:7777:2222;
            import target:4:4;
            export target:4:4;
        routing-options {
             auto-export

Hi All,

May i know whether vrf-target import target:x:x will overide vrf-target target:x:x ? As i'm understand the  vrf-target target:x:x use to communicate with remote peer but what purpose of  vrf-target import target:x:x ?Can someone explain to me.

        vrf-target {
            target:7777:1111;
            import target:4:4;

 Thanks and appreciate any feedback

vrf-target import target:x:x will override vrf-target target:x:x

I assume this behavior has to do with the general convention of more specific ones being preferred ,over generic ones

vrf-target target:x:x by default generate the appropriate policy to match "all" routes for both export and import .

vrf-target import target:x:x  by default generate the appropriate policy to match "all" routes for  import that matches the configured target and places in the bgp.l3vpn.0,as your vrf routes are imported from bgp.l3vpn.0.

There is no difference as such between the two ,as the former  is meant for both import and export and the latter  meant specifically for import

No explicit policy required in both the cases to match the PE-CE protocol for export and matching BGP in import(as VRF routes are being imported from bgp.l3vpn.0).

Explicit policy is required matching the protocol , only when vrf-import and vrf-export is being used.

Please let me know for any clarification

Hi Vinod,

So u mean the vrf-target import target:4:4 and vrf-target export target:4:4 will replace / overide tag route the vrf-target target:x:x ? So if it overide then the Remote PE cannot connect using vrf-target target:x:x and it will made an outage right? Without the vrf-target import target:4:4 and vrf-target export target:4:4  i'm cannot leak route between this two VRF.

SITE_1 {
        instance-type vrf;
        interface ge-4/0/1.35;
        interface ge-2/1/1.70;
        route-distinguisher 7777:1111; 
        vrf-target {
            target:7777:1111; -------------> To remote PE
            import target:4:4;
            export target:4:4;
        routing-options {
             auto-export



SITE_2 {
        instance-type vrf;
        interface ge-1/1/1.40;
        interface ge-3/2/2.50;
        route-distinguisher 7777:2222;
        vrf-target {
            target:7777:2222; --------------> To Remote PE
            import target:4:4;
            export target:4:4;
        routing-options {
             auto-export

Thanks and appreciate someone confirmation

Yes vrf-target export and vrf-target import overrides vrf-target target:x:x

Please use vrf-import  and vrf-export instead of vrf-target import and vrf-target export, using this you can use multiple RT's

for import and export.

Only difference is you have to do via policy.

An example for vrf-import

routing-instances SITE-1 vrf-import import-vpn-A

policy-options{
policy-statement import-vpn-a {
term 1 {
from {
protocol bgp ; <<<< THIS IS always bgp as vrf routes are imported from bgp.l3vpn.0 
community vpn-a;
}
then {
accept;
}

}

}
community vpn-a member target:7777:1111;
community vpn-a member target:4:4;

An example for vrf-export

routing-instances SITE-1 vrf-export export-vpn-A

If BGP is the PE-CE protocol

 policy-options{
policy-statement export-vpn-a {
term 1 {
from {
protocol [bgp direct];
}

then 

{
community add vpn-a;

}

}

}

If OSPF is the PE-CE protocol

 policy-options{
policy-statement export-vpn-a {
term 1 {
from {
protocol [ospf direct];
}

then 

{
community add vpn-a;

}

}

}

community vpn-a member target:7777:1111;
community vpn-a member target:4:4;

One of these targets can be your route-leak target(common between the leaked instances) and the other can be the target specific to the particular vrf....

Please rever back if you face any issues

Hi Vinod,

If need use vrf-import and vrf-export it need a lot changes in entire PE customer because the existing network dont use community style. The just use vrf-target target:x:x to make sure other VRF in other PE can communicate each other.  Beside use vrf-import and vrf-export is there any way more simplest with minimal outage. I'm not sure if i'm use rib-group style can mde big outage if i make config mistake.

Thanks and appreciate some info.

Not sure about ways, other than community style for accepting/exporting multiple RT's , I will check for an alternative,if there is any.

RIB groups can be done without config mistake . If you can share your requirement , we can try with RIB-group .

Hi Vinod,

Thanks for your kindness to help me. I already PM u for futher dicussion.

Thanks