[j-nsp] Filtering Extended Communities from VPN-CE's

Cliff DeGuzman cliff at juniper.net
Mon Feb 10 15:35:33 EST 2003


hi scott,
 
on the PE router, you can create an import policy that strips out all target communities (target:*:*) before advertising to other PEs.

cliff

--------------------
ex.
cliff@vpn04# show routing-instances vpna
instance-type vrf;
interface es-5/1/0.0;
interface lo0.1;
vrf-target target:69:1;
protocols {
    bgp {
        group ebgp {
            type external;
            import delete-target;    <<<<<<<<<<<<<
            peer-as 100;
            as-override;
            neighbor 10.49.100.2;
        }
    }
}
 
[edit]

 
POLICY:
cliff@vpn04# show policy-options
policy-statement delete-target {
    term 1 {
        then {
            community delete other-target;
            accept;
        }
    }
}
community other-target members target:*:*;
 
[edit]

 
 
---------------
cliff@vpn04# run show route receive-protocol bgp 10.49.100.2 detail
 
inet.0: 20 destinations, 27 routes (19 active, 0 holddown, 1 hidden)
 
inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
 
vpna.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
* 10.49.30.0/24 (1 entry, 1 announced)
     Nexthop: 10.49.100.2
     MED: 0
     AS path: 100 I
     Communities: target:69:2        <<<<<<<<CE sends route with target belonging to another VRF
 
 
Here we strip out 'target:69:2' and send the right community.

cliff@vpn04# run show route advertising-protocol bgp 10.255.14.178 detail
 
...
* 10.49.30.0/24 (1 entry, 1 announced)
 BGP group ibgp type Internal
     Route Distinguisher: 10.255.14.174:2
     VPN Label: 103328
     Nexthop: Self
     MED: 0
     Localpref: 100
     AS path: 100 I
     Communities: target:69:1    <<<<<<<<<<
 
...


-----Original Message-----
From: Scott Stoddard [mailto:scott at gblx.net]
Sent: Monday, February 10, 2003 2:32 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Filtering Extended Communities from VPN-CE's


 
Does anyone know of a way to do this? After hooking up a Juniper as a CE in an L3VPN, I was able to tag extended VPN communities on routes advertised to the PE, and since we are redistributing based on communities in the core side of the VPN, I was able to advertise these blocks into another completely different VRF... I want to allow people to use standard communities but deny any extended ones that would allow them to introduce their blocks to a neighbor VPN. Thanks.
 
--Scott
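An added Python model of the check and the policy discussed in this thread (example code, not part of Cliff's reply and not a Junos tool): it parses a constructed copy of the receive-protocol output above, flags any route target the CE sent that is not the VRF's own vrf-target, and shows what is left after `delete-target` plus the vrf-target export. The standard community 100:300 in the sample and the simplified regex for `target:*:*` are assumptions for illustration.

```python
import re

# Constructed sample, modelled on the "show route receive-protocol bgp
# 10.49.100.2 detail" output in the post; the standard community 100:300
# is added (assumption) to show that it survives the policy.
RECEIVED = """\
vpna.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
* 10.49.30.0/24 (1 entry, 1 announced)
     Nexthop: 10.49.100.2
     MED: 0
     AS path: 100 I
     Communities: target:69:2 100:300
"""

# Simplified model of the Junos community member "target:*:*": a route-target
# extended community with any administrator and any assigned number.
TARGET_RE = re.compile(r"^target:[^:\s]+:[^:\s]+$")

def parse_received(text):
    """Map each received prefix to the list of communities it carries."""
    routes, prefix = {}, None
    for line in text.splitlines():
        m = re.match(r"^\*?\s*(\d+(?:\.\d+){3}/\d+)", line)
        if m:
            prefix = m.group(1)
            routes[prefix] = []
        elif prefix and line.strip().startswith("Communities:"):
            routes[prefix] = line.split(":", 1)[1].split()
    return routes

def delete_target(communities):
    """Model of 'community delete other-target': drop every route target."""
    return [c for c in communities if not TARGET_RE.match(c)]

def audit(routes, vrf_target):
    """Per prefix, the route targets received from the CE that are not this
    VRF's own vrf-target, i.e. what could leak into another VRF unfiltered."""
    return {p: [c for c in cs if TARGET_RE.match(c) and c != vrf_target]
            for p, cs in routes.items()}

def advertised(routes, vrf_target):
    """Communities each route carries toward other PEs: CE-sent targets are
    stripped by the import policy, then the VRF's vrf-target is attached."""
    return {p: delete_target(cs) + [vrf_target] for p, cs in routes.items()}
```

Run `audit(parse_received(RECEIVED), "target:69:1")` on live `receive-protocol` output to spot CE-injected targets before the policy is in place; an empty list per prefix is the expected state.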
 
