[j-nsp] Layer 3 VPN Routing and Forwarding (VRF) Tables Issue

Krasimir Avramski krasi at smartcom.bg
Thu Oct 8 08:09:04 EDT 2009 

Hi, 

It seems the router is RR or ebgp for family inet-vpn. In this case routes
in vrf tables are exported to global bgp.l3vpn.0 with respective vrf-export
policies.

I'm pretty sure the problematic routes are being advertised to remote PEs
but with missing communities. This can be checked:

show route advertising-protocol bgp "remote PE ip" 61.217.192.0/18 detail

In order to solve just add rt-premium community for desired routes in
vrf-export policy applied to CT vrf. 

HTH,
Krasi

> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Jimmy Halim
> Sent: 08.10.2009 4:35 AM
> To: ntarique at juniper.net; juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Layer 3 VPN Routing and Forwarding (VRF) Tables Issue
> 
> Hi Tarique,
> 
> For your info, I have escalated this to JTAC as well. Waiting for their
> update.
> 
> Hi guys,
> 
> Anyone has encountered the same issue before?
> Bgp.l3vpn table is receiving routes from direct peering that is
> provisioned
> on the same PE. This shouldn't be the case.
> And that PE only advertising routes to other PEs under bgp.l3vpn table,
> and
> they are not advertising any routes on any of VRF tables defined on that
> PE.
> 
> Thanks & Regards,
> Jimmy
> 
> -----Original Message-----
> From: Jimmy Halim [mailto:jimmy at pacnet.net]
> Sent: Tuesday, October 06, 2009 11:13 AM
> To: 'ntarique at juniper.net'; 'juniper-nsp at puck.nether.net'
> Subject: RE: [j-nsp] Layer 3 VPN Routing and Forwarding (VRF) Tables Issue
> 
> Hi Tarique,
> 
> I have tried it. But it is still not being advertised :(
> 
> Regarding my query, for strange reason bgp.l3vpn table in router A is
> storing the routes that learned via direct BGP peering that being
> provisioned in router A. I believe this shouldn't be the case. bgp.l3vpn
> table only should store routes that are learned via other PEs.
> 
> ================
> show route table bgp.l3vpn.0 20.139.160.0/20
> 
> bgp.l3vpn.0: 316660 destinations, 316660 routes (316660 active, 0
> holddown,
> 0 hidden)
> + = Active Route, - = Last Active, * = Both
> 
> 1.1.1.1:9001:20.20.0.0/16 ---------> 1.1.1.1:9001 is RT of CT vrf
>                    *[BGP/170] 5d 23:44:00, MED 100, localpref 250
>                       AS path: 123 321 I
>                     > to 20.20.20.1 via ge-0/2/0.0 ================
> 
> So, router A is advertising those routes learned via direct BGP peering
> under bgp.l3vpn table. There are no routes being advertised out to other
> PEs
> under CT vrf table or premium vrf table.
> 
> Thanks & Regards,
> Jimmy
> 
> -----Original Message-----
> From: Nalkhande Tarique Abbas [mailto:ntarique at juniper.net]
> Sent: Monday, October 05, 2009 6:11 PM
> To: Jimmy Halim; juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] Layer 3 VPN Routing and Forwarding (VRF) Tables Issue
> 
> 
> Hi Jimmy,
> 
> How about adding another term in your premium-export policy ..
> 
> term export-CT {
>     from community csr-CT-vrf;
>     then accept;
> }
> 
> ... before reject on both the sides.
> 
> 
> Coming to your query on direct route in bgp.l3vpn table, do you mean this
> is
> a direct route from inet.0? Is this BGP peer not under any VRF & at a
> global
> level?
> 
> 
> 
> Thanks & Regards,
> Tarique A. Nalkhande
> 
> -----Original Message-----
> From: Jimmy Halim [mailto:jimmy at pacnet.net]
> Sent: Monday, October 05, 2009 2:52 PM
> To: Nalkhande Tarique Abbas; juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] Layer 3 VPN Routing and Forwarding (VRF) Tables Issue
> 
> Hi Tarique,
> 
> Yes, I am leaking CT crf routes into premium vrf on router A using the
> community.
> 
> policy-options policy-statement csr-rib-policy-from-CT-vrf-peer term aloha
> {
>     from {
>         community csr-CT-vrf;
>     }
>     to rib vrf_premium.inet.0;
>     then {
>         accept;
>     }
> }
> 
> ==========================
> Export policy on router A:
> 
> routing-instances vrf_premium:
> instance-type vrf;
> route-distinguisher 1.1.1.1:9005;
> vrf-export premium-export;
> vrf-table-label;
> 
> ====
> policy-options policy-statement premium-export:
> term add-premium {
>     from protocol [ direct static bgp ];
>     then {
>         community add rt-premium;
>         accept;
>     }
> }
> then reject;
> 
> ====
> community rt-premium:
> members target:10026:9005;
> 
> ===========================
> Import policy on router B:
> 
> routing-instances vrf_premium:
> instance-type vrf;
> route-distinguisher 2:2:2:2:9005;
> vrf-import premium-import;
> vrf-table-label;
> 
> ====
> policy-options policy-statement premium-import term add-premium {
>     from community rt-premium;
>     then accept;
> }
> then reject;
> 
> ====
> community rt-premium:
> members target:10026:9005
> ========================
> 
> By the way, what do you think of the route table bgp.l3vpn.0?
> Is it correct to say that it shouldn't show the direct peering routes that
> is provisioned on the same PE?
> 
> route table bgp.l3vpn.0 61.217.192.0/18
> 
> bgp.l3vpn.0: 316803 destinations, 316803 routes (316803 active, 0
> holddown,
> 0 hidden)
> + = Active Route, - = Last Active, * = Both
> 
> 122.122.122.1:9003:61.217.192.0/18
>                    *[BGP/170] 6w6d 21:34:02, MED 100, localpref 250, from
> 122.5.5.1
>                       AS path: 1334 I
>                       to 122.5.5.2 via so-1/2/0.0 ---------> Direct
> peering
> interface
>                     > to 122.5.5.3 via so-1/3/0.0 ---------> Direct
> peering
> interface ==========================
> 
> Cheers,
> Jimmy
> 
> 
> -----Original Message-----
> From: Nalkhande Tarique Abbas [mailto:ntarique at juniper.net]
> Sent: Monday, October 05, 2009 4:55 PM
> To: Jimmy Halim; juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] Layer 3 VPN Routing and Forwarding (VRF) Tables Issue
> 
> 
> <You said>
> 
> --I have confirmed that in router A, all the routes that are learned via
> direct peering (CT vrf) are inside premium vrf route table.
> 
> --I can confirm that direct connected, static, and customer's BGP routes
> that are provisioned in router A under premium vrf are being seen under
> router B under premium vrf. So the issue is only on those routes that
> are
> learned via direct peering under CT vrf. Those routes are not advertised
> to
> router B premium vrf. Any clue?
> 
> 
> 
> <Tarique>
> So how do you leak CT vrf routes into premium vrf on router A, by means
> of
> community? These routes certainly won't fall under static, direct or
> customers bgp (of premium).
> 
> With the available information, I would still doubt the export policy on
> router A & import on router B of premium vrf. Though having a look at
> outputs/config on both sides would help.
> 
> 
> 
> Thanks & Regards,
> Tarique A. Nalkhande
> 
> 
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Jimmy Halim
> Sent: Monday, October 05, 2009 2:03 PM
> To: juniper-nsp at puck.nether.net
> Cc: jimmy at pacnet.net
> Subject: [j-nsp] Layer 3 VPN Routing and Forwarding (VRF) Tables Issue
> 
> Hi guys,
> 
> I have a situation where the PE (router A) is not advertising the routes
> that they got from direct peering (for example under CT vrf) to other PE
> (router B) under different vrf (for example premium vrf).
> 
> I have confirmed that in router A, all the routes that are learned via
> direct peering (CT vrf) are inside premium vrf route table.
> It means the import policy is working.
> 
> The strange thing, thouse routes are not being advertised to premium vrf
> in
> router B. I have confirmed there is no problem with export policy in
> router
> A and import policy in router B.
> 
> In router A, under route table bgp.l3vpn.0, I am seeing the route that
> is
> learned via direct peering interface. This shouldn't be the case right?
> 
> ==============================
> route table bgp.l3vpn.0 61.217.192.0/18
> 
> bgp.l3vpn.0: 316803 destinations, 316803 routes (316803 active, 0
> holddown,
> 0 hidden)
> + = Active Route, - = Last Active, * = Both
> 
> 122.122.122.1:9003:61.217.192.0/18
>                    *[BGP/170] 6w6d 21:34:02, MED 100, localpref 250,
> from
> 122.5.5.1
>                       AS path: 1334 I
>                       to 122.5.5.2 via so-1/2/0.0 ---------> Direct
> peering
> interface
>                     > to 122.5.5.3 via so-1/3/0.0 ---------> Direct
> peering
> interface ==============================
> 
> I can confirm that direct connected, static, and customer's BGP routes
> that
> are provisioned in router A under premium vrf are being seen under
> router B
> under premium vrf. So the issue is only on those routes that are learned
> via
> direct peering under CT vrf. Those routes are not advertised to router B
> premium vrf.
> 
> Any clue?
> 
> Cheers,
> Jimmy
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list