[j-nsp] Leaking from a vrf to inet0

chip chip.gwyn at gmail.com
Mon Mar 21 12:21:16 EDT 2016


Hi Raphael,

  If I'm understanding what you want correctly you can use rib-groups to do
this.

routing-options {
  rib-groups {
    FROM-VRF-TO-GLOBAL {
      /* first table listed is the primary (source) RIB; routes are copied into inet.0 */
      import-rib [ SOURCE-VRF.inet.0 inet.0 ];
      import-policy WHATEVER-POLICY-YOU-WANT;
    }
  }
}

see:
http://forums.juniper.net/t5/TheRoutingChurn/Using-rib-groups-or-auto-export-for-route-leaking/ba-p/202349

http://kb.juniper.net/InfoCenter/index?page=content&id=kb16133&actp=search

--chip

On Mon, Mar 21, 2016 at 12:04 PM, Raphael Mazelier <raph at futomaki.net>
wrote:

> Hello,
>
> I am currently evaluating how to migrate the internet dmz, and the public
> pfx of my customers into VRF.
> During the migration phase I have to leak pfx from vrf to the global table.
> Don't ask why, but I cannot do the leaking on the PE-CE side as it should
> normally occur.
> So I want to do leaking on the remote PE from pfx learned via mp-bgp on
> the vrf to the global, and afaik it is not possible directly.
>
> I know that this topic has been discussed before, but if someone has
> some hints on how to do this the cleanest way possible.
>
> Options I found in old threads are:
> - use static routes with next-table (tested and works but completely manual)
> - use a lt interface between global and vrf (and use some routing protocol
> ?)
> - advertise twice the route in family inet in addition to inet-vpn, in
> order to leak it with rib-group (since rib-group only works when pfx is in a
> primary table)
>
> This last solution seems to be the least manual (I don't want to make
> config for each pfx) but seems tricky/ugly.
> I got a working setup with these but it definitely looks weird.
>
> What are your opinions/hints?
>
> --
> Raphael Mazelier
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



-- 
Just my $.02, your mileage may vary,  batteries not included, etc....
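
Added example, not part of the original message: one way the rib-group above could be attached and filtered so that only an explicit set of prefixes crosses from the VRF into inet.0. The policy name, prefix-list name, BGP group name CE and the prefix 192.0.2.0/24 are hypothetical, and it assumes the routes are primary in SOURCE-VRF.inet.0 (learned locally, for example from a CE), which is the condition noted in the quoted message.

```junos
policy-options {
    /* constructed sample prefix; list only what is allowed to leave the VRF */
    prefix-list CUSTOMER-PUBLIC {
        192.0.2.0/24;
    }
    policy-statement LEAK-VRF-TO-GLOBAL {
        term allowed {
            from {
                prefix-list-filter CUSTOMER-PUBLIC orlonger;
            }
            to rib inet.0;
            then accept;
        }
        /* everything else is kept out of inet.0; the VRF table is unaffected */
        term deny-rest {
            to rib inet.0;
            then reject;
        }
    }
}
routing-options {
    rib-groups {
        FROM-VRF-TO-GLOBAL {
            import-rib [ SOURCE-VRF.inet.0 inet.0 ];
            import-policy LEAK-VRF-TO-GLOBAL;
        }
    }
}
routing-instances {
    SOURCE-VRF {
        routing-options {
            /* leak connected routes of the VRF */
            interface-routes {
                rib-group inet FROM-VRF-TO-GLOBAL;
            }
        }
        protocols {
            bgp {
                group CE {
                    /* leak routes learned from the CE session */
                    family inet {
                        unicast {
                            rib-group FROM-VRF-TO-GLOBAL;
                        }
                    }
                }
            }
        }
    }
}
```

After committing, `show route table inet.0` should list only the prefixes matched by CUSTOMER-PUBLIC as leaked entries; anything else appearing there means the import policy is wider than intended.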

