SRX Services Gateway

error: MAIN: vrf-import policy permits accept action only if matching conditions contain a target community

‎11-01-2018 02:39 PM

SRX220H2 running 12.3X48-D75.4

This is my first foray into configuring MPLS on any Juniper device.

I'm trying to get the route target import and export working. When I apply the import policy, I get the error in the subject line.

Policies look like this:

[edit policy-options]
root@MIRf1c1# show
policy-statement EXPORT-RT-POLICY {
    from {
        family route-target;
        rtf-prefix-list EXPORT-RT;
    }
    then accept;
}
policy-statement IMPORT-RT-POLICY {
    from {
        family route-target;
        rtf-prefix-list IMPORT-RT;
    }
    then accept;
}
rtf-prefix-list EXPORT-RT {
    65001:1200:12/96;
}
rtf-prefix-list IMPORT-RT {
    65001:1200:12/96;
    65001:1300:12/96;
    65001:500:12/96;
    65001:501:12/96;
    65001:600:12/96;
    65001:601:12/96;
}

My VRF MAIN routing instance looks like this:

[edit routing-instances MAIN]
root@MIRf1c1# show
instance-type vrf;
interface lo0.12;
route-distinguisher 1200:12;
vrf-import IMPORT-RT-POLICY;
vrf-export EXPORT-RT-POLICY;
vrf-target target:1200:12;
protocols {
    pim {
        rp {
            static {
                address 192.168.200.252;
            }
        }
    }
}

When I try to set a target without using the 65001 AS, I get the following:

[edit policy-options rtf-prefix-list IMPORT-RT]
root@MIRf1c1# set target:1200:12/96
error: prefix: 'target:1200:12/96': Use format 'as:x:y/len' where 'as' is an AS number and 'x' is an AS number followed by an optional 'L' (To indicate 4 byte AS), or an IP address and 'y' is a number. e.g. 123456L:100 and len is a prefix length from 32 to 96 or 0
error: statement creation failed: target:1200:12/96

And when I try to commit my config, I get:

root@MIRf1c1# commit
error: MAIN: vrf-import policy permits accept action only if matching conditions contain a target community
error: configuration check-out failed

I was looking at https://www.juniper.net/documentation/en_US/junos/topics/example/vpn-bgp-route-target-filtering.html as an example, but the example references vpn3-import and vpn3-export without giving a definition of either.

I know the export policy is formatted correctly, because I can remove the vrf-import statement and it commits.

Ideas on how to get past this hurdle?

Thanks,

Matt


Re: error: MAIN: vrf-import policy permits accept action only if matching conditions contain a target community

‎11-01-2018 10:19 PM

Hello,

You've mixed up RT NLRI (RFC 4684 section 4, https://tools.ietf.org/html/rfc4684#section-4) and RT communities (RFC 4364 section 4.3.1, https://tools.ietf.org/html/rfc4364#section-4.3.1).

In JUNOS, RT NLRI are auto-constructed from VRF import policies for announcement to other PEs (if You are using full mesh) or BGP RR.

So the policies You configured are NOT good for filtering on import to|export from VRF. They are good for filtering OUT/IN the RT NLRIs, on import from|export to another BGP peer that supports RT filtering AFI/SAFI, or Route Reflector.

If You want to allow routes with multiple RT communities into VRF and/or export the same route from VRF with multiple RT communities, use the following policy:

set policy-options community RT1200 members target:1200:12
set policy-options community RT1300 members target:1300:12
set policy-options community RT500 members target:500:12
set policy-options community RT501 members target:501:12
set policy-options community RT600 members target:600:12
set policy-options community RT601 members target:601:12 

set policy-options policy-statement VRF-EXPORT term 1 from protocol <whatever>
set policy-options policy-statement VRF-EXPORT term 1 then community add RT1200
set policy-options policy-statement VRF-EXPORT term 1 then accept
set policy-options policy-statement VRF-EXPORT term else then reject
set policy-options policy-statement VRF-IMPORT term 1 from community RT1200
set policy-options policy-statement VRF-IMPORT term 1 then accept
set policy-options policy-statement VRF-IMPORT term 2 from community RT1300
set policy-options policy-statement VRF-IMPORT term 2 then accept
set policy-options policy-statement VRF-IMPORT term 3 from community RT500
set policy-options policy-statement VRF-IMPORT term 3 then accept
set policy-options policy-statement VRF-IMPORT term 4 from community RT501
set policy-options policy-statement VRF-IMPORT term 4 then accept
set policy-options policy-statement VRF-IMPORT term 5 from community RT600
set policy-options policy-statement VRF-IMPORT term 5 then accept
set policy-options policy-statement VRF-IMPORT term 6 from community RT601
set policy-options policy-statement VRF-IMPORT term 6 then accept
set policy-options policy-statement VRF-IMPORT term else then reject

HTH

Thx

Alex

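As an added example (not from the thread, Junos, or Juniper), here is a small Python model of the distinction Alex draws: it applies the commit rule quoted in the question (an accepting vrf-import term must match on a target community) to both the original IMPORT-RT-POLICY and the VRF-IMPORT policy above, and evaluates sample VPN routes against VRF-IMPORT with first-match semantics. The Term dataclass, the regex and the first-match evaluation are this model's assumptions, not Junos internals.

```python
import re
from dataclasses import dataclass

# Extended community of the form target:<as>:<n>; 'as' may be a 2-byte AS,
# a 4-byte AS with an 'L' suffix (e.g. 123456L) or an IPv4 address.
TARGET_RE = re.compile(r"^target:(\d+L?|\d+\.\d+\.\d+\.\d+):(\d+)$")

@dataclass
class Term:
    name: str
    from_communities: list   # community names in the term's 'from'; empty = match everything
    action: str              # "accept" or "reject"

# Communities from the reply's 'set policy-options community ...' lines.
COMMUNITIES = {
    "RT1200": "target:1200:12", "RT1300": "target:1300:12",
    "RT500": "target:500:12", "RT501": "target:501:12",
    "RT600": "target:600:12", "RT601": "target:601:12",
}

# VRF-IMPORT from the reply: one accepting term per community, then 'term else then reject'.
VRF_IMPORT = [Term(str(i), [name], "accept") for i, name in enumerate(COMMUNITIES, 1)]
VRF_IMPORT.append(Term("else", [], "reject"))

# The question's original policy: matches on 'family route-target', no community condition at all.
ORIGINAL_IMPORT = [Term("IMPORT-RT-POLICY", [], "accept")]

def is_target_community(member: str) -> bool:
    """True for a target:... community; False for an RT NLRI prefix such as 65001:1200:12/96."""
    return TARGET_RE.match(member) is not None

def check_vrf_import(terms, communities):
    """Model of the commit rule in the error: every accepting term must match a target community.
    Returns the names of offending terms; an empty list means the policy passes the check."""
    offending = []
    for t in terms:
        if t.action != "accept":
            continue
        members = [communities[c] for c in t.from_communities if c in communities]
        if not any(is_target_community(m) for m in members):
            offending.append(t.name)
    return offending

def evaluate(terms, communities, route_rts):
    """First-match evaluation of a VPN route carrying the set route_rts of target communities."""
    for t in terms:
        if not t.from_communities or any(communities[c] in route_rts for c in t.from_communities):
            return t.action
    return "reject"  # nothing matched; unreachable here because of the explicit 'else' term
```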

Re: error: MAIN: vrf-import policy permits accept action only if matching conditions contain a target community

‎11-13-2018 03:00 PM

Hi aarseniev,

Just wanted to say thank you. I read your response. It makes sense. I'm going to try what you describe below this week and see if I can get it to work.

Thanks,

Matt