[j-nsp] Filtering Extended Communities from VPN-CE's
Cliff DeGuzman
cliff at juniper.net
Mon Feb 10 15:35:33 EST 2003
hi scott,
on the PE router, you can create an import policy that strips out all target communities
(target:*:*) before advertising to other PEs.
cliff
--------------------
ex.
cliff at vpn04# show routing-instances vpna
instance-type vrf;
interface es-5/1/0.0;
interface lo0.1;
vrf-target target:69:1;
protocols {
    bgp {
        group ebgp {
            type external;
            import delete-target; <<<<<<<<<<<<<
            peer-as 100;
            as-override;
            neighbor 10.49.100.2;
        }
    }
}
[edit]
POLICY:
cliff at vpn04# show policy-options
policy-statement delete-target {
    term 1 {
        then {
            community delete other-target;
            accept;
        }
    }
}
community other-target members target:*:*;
[edit]
---------------
cliff at vpn04# run show route receive-protocol bgp 10.49.100.2 detail
inet.0: 20 destinations, 27 routes (19 active, 0 holddown, 1 hidden)
inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
vpna.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
* 10.49.30.0/24 (1 entry, 1 announced)
     Nexthop: 10.49.100.2
     MED: 0
     AS path: 100 I
     Communities: target:69:2 <<<<<<<<CE sends route with target belonging to another VRF
Here we strip out 'target:69:2' and send the right community.
cliff at vpn04# run show route advertising-protocol bgp 10.255.14.178 detail
...
* 10.49.30.0/24 (1 entry, 1 announced)
     BGP group ibgp type Internal
     Route Distinguisher: 10.255.14.174:2
     VPN Label: 103328
     Nexthop: Self
     MED: 0
     Localpref: 100
     AS path: 100 I
     Communities: target:69:1 <<<<<<<<<<
...
-----Original Message-----
From: Scott Stoddard [mailto:scott at gblx.net]
Sent: Monday, February 10, 2003 2:32 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Filtering Extended Communities from VPN-CE's
Does anyone know of a way to do this? After hooking up a juniper as a CE in a l3vpn, I was able to tag extended VPN communities on routes advertised to the PE and since we are redistributing based on communities in the core side of the VPN I was able to advertise these blocks into another completely different vrf... I want to allow people to use standard communities but deny any extended that would allow them to introduce their blocks to a neighbor vpn. Thanks.
--Scott
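To make the mechanics of Cliff's delete-target policy and the audit of Scott's concern concrete, here is an added example that is not part of either message: a small Python model that parses `show route receive-protocol ... detail` output, lists every route target a CE attached, and shows what survives once `community delete other-target` and the VRF's `vrf-target target:69:1` have been applied. The sample output is constructed (the second route and the standard communities are invented to show a standard community passing through).

```python
import re
from dataclasses import dataclass

# The Junos member "target:*:*" is a wildcard over every route-target extended community.
TARGET_WILDCARD = re.compile(r"^target:[^:\s]+:\d+$")

@dataclass
class Route:
    prefix: str
    nexthop: str
    communities: list

def parse_receive_protocol(text):
    """Parse 'show route receive-protocol bgp <peer> detail' output into Route objects.
    Only the fields shown in the post are read: prefix, Nexthop and Communities."""
    routes = []
    for block in re.split(r"\n(?=\* )", text.strip()):
        head = re.match(r"\* (\S+)", block)
        if not head:
            continue  # table header such as 'vpna.inet.0: ...'
        nexthop = re.search(r"Nexthop: (\S+)", block)
        comms = re.search(r"Communities: (.*)", block)
        routes.append(Route(head.group(1), nexthop.group(1) if nexthop else "",
                            comms.group(1).split() if comms else []))
    return routes

def ce_sent_targets(routes):
    """Audit: every route target a CE attached to a route it sent us. Only the PE's
    vrf-target should decide VRF membership, so any hit here is worth investigating."""
    return [(r.prefix, c) for r in routes for c in r.communities if TARGET_WILDCARD.match(c)]

def apply_delete_target(route, vrf_target):
    """Model of the 'delete-target' import policy plus the VRF's vrf-target: communities
    matching target:*:* are dropped, standard ones survive, the VRF's own target is added."""
    kept = [c for c in route.communities if not TARGET_WILDCARD.match(c)]
    return Route(route.prefix, route.nexthop, kept + [vrf_target])

# Constructed sample output (the second route is invented to show a standard community passing).
SAMPLE = """\
vpna.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
* 10.49.30.0/24 (1 entry, 1 announced)
     Nexthop: 10.49.100.2
     AS path: 100 I
     Communities: target:69:2 100:200
* 10.49.31.0/24 (1 entry, 1 announced)
     Nexthop: 10.49.100.2
     Communities: 100:300
"""
```

Running `ce_sent_targets(parse_receive_protocol(SAMPLE))` flags only the first prefix with `target:69:2`, and `apply_delete_target` on that route leaves `100:200` plus the VRF's own `target:69:1`, which matches what Cliff's advertising-protocol output shows.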