[j-nsp] vpn-apply-export

Cliff DeGuzman cliff at juniper.net
Mon Nov 10 11:50:17 EST 2003


Maybe I misunderstood the question.

I thought everything was working correctly with vrf-import/export and
stopped working when the policies were "replaced" with vrf-target.

Cliff

> -----Original Message-----
> From: Harry Reynolds 
> Sent: Monday, November 10, 2003 8:45 AM
> To: Cliff DeGuzman; 'Blaz Zupan'; juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] vpn-apply-export
> 
> 
> I think that the presence of explicit vrf import/export 
> policy negates the effects of vrf-target automatic policy. 
> IOW, once you specify vrf-target you should delete the 
> vrf-import and vrf-export statements.
> 
> 
> 
> > -----Original Message-----
> > From: juniper-nsp-bounces at puck.nether.net
> > [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of 
> > Cliff DeGuzman
> > Sent: Monday, November 10, 2003 8:17 AM
> > To: Blaz Zupan; juniper-nsp at puck.nether.net
> > Subject: RE: [j-nsp] vpn-apply-export
> > 
> > 
> > Hi,
> > 
> > vrf-target should pick up static routes as well.  Can you
> > please contact our JTAC and open a case so they can investigate this.
> > 
> > Thanks!
> > Cliff
> > 
> > 
> > > -----Original Message-----
> > > From: juniper-nsp-bounces at puck.nether.net
> > > [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Blaz Zupan
> > > Sent: Sunday, November 09, 2003 11:23 PM
> > > To: juniper-nsp at puck.nether.net
> > > Subject: [j-nsp] vpn-apply-export
> > > 
> > > 
> > > After upgrading yet another M5 from 5.5R1.2 to 5.7R3.4, I found out
> > > that a customer's connection through a L3 MPLS VPN was suddenly
> > > broken. Although the VPN itself was apparently working, the upgraded
> > > M5 was not announcing the static default route configured under the
> > > routing instance to the other PE router (a Cisco 7206 running IOS
> > > 12.2(14)S3).
> > > 
> > > Here is what I had configured:
> > > 
> > > policy-statement to-ibgp-amis-routes {
> > >     term as8591 {
> > >         from community [ from-customer from-lix from-six ];
> > >         then accept;
> > >     }
> > >     term limited-routes {
> > >         from {
> > >             protocol [ bgp aggregate ];
> > >             as-path limited-routes;
> > >         }
> > >         then accept;
> > >     }
> > >     term everything-else {
> > >         then reject;
> > >     }
> > > }
> > > as-path limited-routes "[0-65535]{0,2}";
> > > 
> > > This was applied as an export policy on the BGP session towards the
> > > Cisco PE. The Cisco does not have enough memory for the full BGP
> > > routing table, so I'm limiting the number of routes with the above
> > > policy.
> > > 
> > > The routing instance for the L3 VPN had this config:
> > > 
> > > somevpn {
> > >     instance-type vrf;
> > >     interface fe-0/1/0.308;
> > >     route-distinguisher 12644:1;
> > >     vrf-import vpn-somevpn-import;
> > >     vrf-export vpn-somevpn-export;
> > >     routing-options {
> > >         static {
> > >             route 0.0.0.0/0 next-hop x.x.x.x;
> > >         }
> > >     }
> > > }
> > > 
> > > I later replaced the vrf-import and vrf-export with "vrf-target 
> > > target:12644:1", because it's much nicer and easier.
> > > 
> > > The above static route was not distributed to the Cisco PE router
> > > for unknown reasons. After some experimentation, I added "static" to
> > > this term:
> > > 
> > >     term limited-routes {
> > >         from {
> > >             protocol [ bgp aggregate static ];
> > >             as-path limited-routes;
> > >         }
> > >         then accept;
> > >     }
> > > 
> > > The default route suddenly appeared on the Cisco PE router.
> > > Obviously the IPv4 unicast policy was affecting the VPNv4 routes, so
> > > in the end effect it behaved like I had vpn-apply-export configured,
> > > but I did not.
> > > 
> > > Am I misunderstanding something or is this a bug? The same 
> > > configuration was working flawlessly with 5.5R1.2. 
> > > _______________________________________________
> > > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > http://puck.nether.net/mailman/listinfo/juniper-nsp
> > > 
> > 
> > 
> 
> 
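Added example, not part of the original thread and not Juniper code: a simplified first-match model of the quoted to-ibgp-amis-routes policy, showing which term decides the VRF static default route before and after "static" is added to limited-routes. It assumes the BGP export policy is evaluated against the VPN route (the behaviour the poster observed), treats the community names as plain tags, and models the as-path regex as "at most two AS numbers"; the Route class, function names and sample routes are constructed for illustration.

```python
# Simplified model (assumption) of Junos first-match policy evaluation,
# applied to the to-ibgp-amis-routes policy quoted in the thread.
from dataclasses import dataclass, field

@dataclass
class Route:                      # hypothetical route record, not a Junos API
    prefix: str
    protocol: str                 # "bgp", "aggregate", "static", ...
    as_path: tuple = ()
    communities: frozenset = field(default_factory=frozenset)

CUSTOMER_COMMUNITIES = {"from-customer", "from-lix", "from-six"}

def limited_routes(as_path):
    # Assumption: "[0-65535]{0,2}" is modeled as "zero to two AS numbers".
    return len(as_path) <= 2

def build_policy(limited_protocols):
    """Terms in configured order as (name, match, action)."""
    return [
        ("as8591", lambda r: bool(r.communities & CUSTOMER_COMMUNITIES), "accept"),
        ("limited-routes",
         lambda r: r.protocol in limited_protocols and limited_routes(r.as_path),
         "accept"),
        ("everything-else", lambda r: True, "reject"),
    ]

def evaluate(policy, route):
    """Return (term, action) of the first term whose match conditions hold."""
    for name, match, action in policy:
        if match(route):
            return name, action
    raise AssertionError("unreachable: everything-else matches every route")

ORIGINAL = build_policy({"bgp", "aggregate"})
MODIFIED = build_policy({"bgp", "aggregate", "static"})

# Constructed sample routes.
VRF_DEFAULT = Route("0.0.0.0/0", "static")            # empty AS path, no communities
LONG_BGP = Route("192.0.2.0/24", "bgp", (64500, 64501, 64502))
TAGGED = Route("198.51.100.0/24", "bgp", (64500, 64501, 64502),
               frozenset({"from-lix"}))

if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL), ("modified", MODIFIED)):
        for r in (VRF_DEFAULT, LONG_BGP, TAGGED):
            print(label, r.prefix, r.protocol, *evaluate(policy, r))
```

In this model the static default falls through to everything-else under the original policy and is accepted by limited-routes once "static" is listed, because a locally originated static route has an empty AS path.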


