Route target filtering
By Aravind
Route target filtering controls the distribution of BGP routes based on VPNs by using the family route-target . PE routers use the NLRI in BGP updates to exchange information about each others route target membership. By doing so, the size of BGP table on the PE routers can be controlled. Additionally reduces the resources consumed for memory by storing less amount of information and processing them. You would only process the route updates for the specific VPNs on the PEs. The RFC calls it route target constraints so route target filtering and Route target constraints (RTC) are used interchangeably
Config needed to enable
Family Route target (AFI 1 SAFI 132) needs to be enabled under [protocols bgp]
set protocols bgp group RR family route-target
Topology
Process
- BGP peers negotiate MP-BGP capabilities during the session establishment.
- Router indicates its interest in VPN route target by advertising to its peers that it contains the VPNs with specific route targets. Format would be
: - Remote peer of PE router uses the route target membership advertised to filter VPN routes that are outbound to the PE router.
- Peer router advertises a VPN route to the PE when
- PE advertised a default route-target membership
- PE advertised membership in any of the route targets associated in the VPN route
- PE then receives and processes the routes sent by its peer to determine which VPN route it needs to advertise.
Validation
- Configure 3 VPNs on OB1 with target communities 100:100, 500:100, 300:100
- Configure 3 VPNs on OB4 with target communities 100:100, 200:100, 300:100
Lets see how the routes propagate from OB1 –> OB4
Once the VPNs are created, the table bgp.rtarget.0 is populated with the VRF targets and the reachability information. These are advertised to OB2. In this case, OB2 and OB3 are ASBR so they are just going to advertise the reachability information further to the far end PE i.e. OB4. Since OB4 has only 100:100 , 200:100 and 300:100 , it only requests these route targets and advertises its capability to OB3 which further sends to OB2.
Now the VRF target 500:100 is not requested by OB4 hence these VPN routes will never get advertised by OB2 there by getting filtered. Similarly on the reverse, the route target 200:100 from OB4 which is advertised is never requested by any PE, so these would be filtered as well at OB3.
MP-eBGP option B and enabling family RTC between ASBRs
Output on PE OB1
root@ob1> show route table bgp.rtarget.0
bgp.rtarget.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
65001:100:100/96
*[RTarget/5] 14:10:19
Type Default
Local
65001:300:100/96
*[RTarget/5] 14:10:19
Type Default
Local
65001:500:100/96
*[RTarget/5] 14:10:19
Type Default
Local
65002:100:100/96
*[BGP/170] 00:06:47, localpref 100, from 2.2.2.2
AS path: 65002 I, validation-state: unverified
> to 192.168.1.2 via ob1_ob2
65002:200:100/96
*[BGP/170] 00:06:47, localpref 100, from 2.2.2.2
AS path: 65002 I, validation-state: unverified
> to 192.168.1.2 via ob1_ob2
65002:300:100/96
*[BGP/170] 00:06:47, localpref 100, from 2.2.2.2
AS path: 65002 I, validation-state: unverified
> to 192.168.1.2 via ob1_ob2
Route tables
root@ob1> show route table VPN1.inet.0
VPN1.inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
100.1.1.0/30 *[Direct/0] 1w0d 18:53:19
> via ob1_obce11
[BGP/170] 14:10:51, localpref 100
AS path: 64001 I, validation-state: unverified
> to 100.1.1.2 via ob1_obce11
100.1.1.1/32 *[Local/0] 1w0d 18:53:19
Local via ob1_obce11
100.4.1.0/30 *[BGP/170] 00:07:16, localpref 100, from 2.2.2.2
AS path: 65002 I, validation-state: unverified
> to 192.168.1.2 via ob1_ob2, Push 150
100.11.0.1/32 *[BGP/170] 14:10:51, localpref 100
AS path: 64001 I, validation-state: unverified
> to 100.1.1.2 via ob1_obce11
100.11.0.2/32 *[BGP/170] 14:10:51, localpref 100
AS path: 64001 I, validation-state: unverified
> to 100.1.1.2 via ob1_obce11
100.11.0.3/32 *[BGP/170] 14:10:51, localpref 100
AS path: 64001 I, validation-state: unverified
> to 100.1.1.2 via ob1_obce11
172.17.0.0/16 *[BGP/170] 14:10:51, localpref 100
AS path: 64001 I, validation-state: unverified
> to 100.1.1.2 via ob1_obce11
root@ob1> show route table VPN2.inet.0
VPN2.inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
100.1.2.0/30 *[Direct/0] 18:32:02
> via ob1_obce12
[BGP/170] 14:10:59, localpref 100
AS path: 64002 I, validation-state: unverified
> to 100.1.2.2 via ob1_obce12
100.1.2.1/32 *[Local/0] 18:32:02
Local via ob1_obce12
100.12.0.1/32 *[BGP/170] 14:10:59, localpref 100
AS path: 64002 I, validation-state: unverified
> to 100.1.2.2 via ob1_obce12
100.12.0.2/32 *[BGP/170] 14:10:59, localpref 100
AS path: 64002 I, validation-state: unverified
> to 100.1.2.2 via ob1_obce12
100.12.0.3/32 *[BGP/170] 14:10:59, localpref 100
AS path: 64002 I, validation-state: unverified
> to 100.1.2.2 via ob1_obce12
172.17.0.0/16 *[BGP/170] 14:10:59, localpref 100
AS path: 64002 I, validation-state: unverified
> to 100.1.2.2 via ob1_obce12
root@ob1> show route table VPN3.inet.0
VPN3.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
100.1.3.0/30 *[Direct/0] 1w0d 18:53:30
> via ob1_obce13
100.1.3.1/32 *[Local/0] 1w0d 18:53:30
Local via ob1_obce13
100.4.3.0/30 *[BGP/170] 00:07:27, localpref 100, from 2.2.2.2
AS path: 65002 I, validation-state: unverified
> to 192.168.1.2 via ob1_ob2, Push 149
Advertising to ASBR
root@ob1> show route advertising-protocol bgp 2.2.2.2
VPN1.inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 100.1.1.0/30 Self 100 I
* 100.11.0.1/32 Self 100 64001 I
* 100.11.0.2/32 Self 100 64001 I
* 100.11.0.3/32 Self 100 64001 I
* 172.17.0.0/16 Self 100 64001 I
VPN3.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 100.1.3.0/30 Self 100 I
bgp.rtarget.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
65001:100:100/96
* Self 100 I
65001:300:100/96
* Self 100 I
65001:500:100/96
* Self 100 I
Notice that only interested Rtargets are advertised. Since there are no peers requesting for Rtarget 500:100 , it never gets advertised. SImilar observation is seen on OB4 where it never advertises the target 200:100
Adversing from ASBR to far end ASBR
root@ob2# run show route advertising-protocol bgp 192.168.2.1
bgp.l3vpn.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
300:100:100.1.3.0/30
* Self I
100:100:100.1.1.0/30
* Self I
100:100:100.11.0.1/32
* Self 64001 I
100:100:100.11.0.2/32
* Self 64001 I
100:100:100.11.0.3/32
* Self 64001 I
100:100:172.17.0.0/16
* Self 64001 I
bgp.rtarget.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
65001:100:100/96
* Self I
65001:300:100/96
* Self I
65001:500:100/96
* Self I
Verify on far end PE the routes received
root@ob4> show route receive-protocol bgp 3.3.3.3
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
VPN1.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 100.1.1.0/30 3.3.3.3 100 65001 I
* 100.11.0.1/32 3.3.3.3 100 65001 64001 I
* 100.11.0.2/32 3.3.3.3 100 65001 64001 I
* 100.11.0.3/32 3.3.3.3 100 65001 64001 I
* 172.17.0.0/16 3.3.3.3 100 65001 64001 I
VPN2.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
VPN3.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 100.1.3.0/30 3.3.3.3 100 65001 I
mpls.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
bgp.l3vpn.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
300:100:100.1.3.0/30
* 3.3.3.3 100 65001 I
100:100:100.1.1.0/30
* 3.3.3.3 100 65001 I
100:100:100.11.0.1/32
* 3.3.3.3 100 65001 64001 I
100:100:100.11.0.2/32
* 3.3.3.3 100 65001 64001 I
100:100:100.11.0.3/32
* 3.3.3.3 100 65001 64001 I
100:100:172.17.0.0/16
* 3.3.3.3 100 65001 64001 I
inet6.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
VPN1.inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
VPN2.inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
VPN3.inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
bgp.rtarget.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
65001:100:100/96
* 3.3.3.3 100 65001 I
65001:300:100/96
* 3.3.3.3 100 65001 I
65001:500:100/96
* 3.3.3.3 100 65001 I
COnfigs
OB1
set interfaces lo unit 0 family inet address 1.1.1.1/32
set policy-options policy-statement ADD_CE2_COMM term 10 then community add ADD_CE2_COMM
set policy-options policy-statement ADD_CE2_COMM term 10 then accept
set policy-options policy-statement ADD_VPN1_COMM term 10 then community add ORG_COMM
set policy-options policy-statement ADD_VPN1_COMM term 10 then accept
set policy-options community ADD_CE2_COMM members origin:100.1.2.2:3
set policy-options community ORG_COMM members origin:100.1.1.2:3
set routing-instances VPN1 instance-type vrf
set routing-instances VPN1 protocols bgp group PE-CE-VPN1 type external
set routing-instances VPN1 protocols bgp group PE-CE-VPN1 family inet unicast
set routing-instances VPN1 protocols bgp group PE-CE-VPN1 peer-as 64001
set routing-instances VPN1 protocols bgp group PE-CE-VPN1 neighbor 100.1.1.2 local-address 100.1.1.1
set routing-instances VPN1 interface ob1_obce11
set routing-instances VPN1 route-distinguisher 100:100
set routing-instances VPN1 vrf-target target:100:100
set routing-instances VPN1 vrf-table-label
set routing-instances VPN2 instance-type vrf
set routing-instances VPN2 protocols bgp group PE-CE-CE2 type external
set routing-instances VPN2 protocols bgp group PE-CE-CE2 family inet unicast
set routing-instances VPN2 protocols bgp group PE-CE-CE2 peer-as 64002
set routing-instances VPN2 protocols bgp group PE-CE-CE2 neighbor 100.1.2.2 local-address 100.1.2.1
set routing-instances VPN2 interface ob1_obce12
set routing-instances VPN2 route-distinguisher 500:100
set routing-instances VPN2 vrf-target target:500:100
set routing-instances VPN2 vrf-table-label
set routing-instances VPN3 instance-type vrf
set routing-instances VPN3 interface ob1_obce13
set routing-instances VPN3 route-distinguisher 300:100
set routing-instances VPN3 vrf-target target:300:100
set routing-instances VPN3 vrf-table-label
set routing-options router-id 1.1.1.1
set routing-options autonomous-system 65001
set protocols bgp group OB2 type internal
set protocols bgp group OB2 traceoptions file bgp.log
set protocols bgp group OB2 traceoptions file size 10m
set protocols bgp group OB2 traceoptions flag all
set protocols bgp group OB2 family inet-vpn unicast
set protocols bgp group OB2 family route-target
set protocols bgp group OB2 neighbor 2.2.2.2 local-address 1.1.1.1
set protocols ldp interface ob1_ob2
set protocols mpls icmp-tunneling
set protocols mpls interface all
set protocols ospf area 0.0.0.100 interface ob1_ob2
set protocols ospf area 0.0.0.100 interface lo.0 passive
OB2
set interfaces lo unit 0 family inet address 2.2.2.2/32
set policy-options policy-statement LEAK_POLICY term 10 from route-filter 192.168.2.0/30 exact
set policy-options policy-statement LEAK_POLICY term 10 then accept
set policy-options policy-statement LEAK_POLICY term 20 then reject
set policy-options policy-statement NH_SELF then next-hop self
set policy-options policy-statement NH_SELF then accept
set policy-options community ORG_COMM members origin:100.1.1.2:3
set policy-options community ORG_COMM members origin:100.1.2.2:3
set routing-options interface-routes rib-group inet LEAK
set routing-options router-id 2.2.2.2
set routing-options autonomous-system 65001
set routing-options rib-groups LEAK import-rib inet.0
set routing-options rib-groups LEAK import-rib inet.3
set routing-options rib-groups LEAK import-policy LEAK_POLICY
set protocols bgp group OB2-RR type internal
set protocols bgp group OB2-RR keep all
set protocols bgp group OB2-RR family inet-vpn unicast
set protocols bgp group OB2-RR family route-target
set protocols bgp group OB2-RR export NH_SELF
set protocols bgp group OB2-RR cluster 2.2.2.2
set protocols bgp group OB2-RR neighbor 1.1.1.1 local-address 2.2.2.2
set protocols bgp group OB2-RR neighbor 192.168.2.1 local-address 192.168.2.2
deactivate protocols bgp group OB2-RR
set protocols bgp group OB2 type internal
set protocols bgp group OB2 family inet-vpn unicast
set protocols bgp group OB2 family route-target
set protocols bgp group OB2 neighbor 1.1.1.1 local-address 2.2.2.2
set protocols bgp group OB3 type external
set protocols bgp group OB3 family inet-vpn unicast
set protocols bgp group OB3 family route-target
set protocols bgp group OB3 peer-as 65002
set protocols bgp group OB3 neighbor 192.168.2.1
set protocols ldp interface ob2_ob1
set protocols mpls icmp-tunneling
set protocols mpls interface all
set protocols ospf area 0.0.0.100 interface ob2_ob1
set protocols ospf area 0.0.0.100 interface lo.0 passive
set protocols ospf area 0.0.0.0 interface ob2_ob3
deactivate protocols ospf area 0.0.0.0
set protocols ospf rib-groups inet LEAK
deactivate protocols ospf rib-groups
OB3
set interfaces lo unit 0 family inet address 3.3.3.3/32
set policy-options policy-statement LEAK_POLICY term 10 from route-filter 192.168.2.0/30 exact
set policy-options policy-statement LEAK_POLICY term 10 then accept
set policy-options policy-statement LEAK_POLICY term 20 then reject
set policy-options policy-statement NH_SELF then next-hop self
set policy-options policy-statement NH_SELF then accept
set routing-options interface-routes rib-group inet LEAK
set routing-options router-id 3.3.3.3
set routing-options autonomous-system 65002
set routing-options rib-groups LEAK import-rib inet.0
set routing-options rib-groups LEAK import-rib inet.3
set routing-options rib-groups LEAK import-policy LEAK_POLICY
set protocols bgp group RR-OB3 type internal
set protocols bgp group RR-OB3 keep all
set protocols bgp group RR-OB3 family inet-vpn unicast
set protocols bgp group RR-OB3 family route-target
set protocols bgp group RR-OB3 export NH_SELF
set protocols bgp group RR-OB3 cluster 3.3.3.3
set protocols bgp group RR-OB3 neighbor 4.4.4.4 local-address 3.3.3.3
set protocols bgp group RR-OB3 neighbor 192.168.2.2 local-address 192.168.2.1
set protocols bgp group RR-OB3 neighbor 192.168.2.2 local-as 65001
deactivate protocols bgp group RR-OB3
set protocols bgp group OB2 type external
set protocols bgp group OB2 family inet-vpn unicast
set protocols bgp group OB2 family route-target
set protocols bgp group OB2 peer-as 65001
set protocols bgp group OB2 neighbor 192.168.2.2
set protocols bgp group OB4 type internal
set protocols bgp group OB4 family inet-vpn unicast
set protocols bgp group OB4 family route-target
set protocols bgp group OB4 neighbor 4.4.4.4
set protocols ldp interface ob3_ob4
set protocols mpls icmp-tunneling
set protocols mpls interface all
set protocols ospf area 0.0.0.200 interface ob3_ob4
set protocols ospf area 0.0.0.200 interface lo.0 passive
set protocols ospf area 0.0.0.0 interface ob3_ob2
deactivate protocols ospf area 0.0.0.0
set protocols ospf rib-groups inet LEAK
deactivate protocols ospf rib-groups
OB4
set routing-instances VPN1 instance-type vrf
set routing-instances VPN1 interface ob4_obce41
set routing-instances VPN1 route-distinguisher 100:101
set routing-instances VPN1 vrf-target target:100:100
set routing-instances VPN1 vrf-table-label
set routing-instances VPN2 instance-type vrf
set routing-instances VPN2 interface ob4_obce42
set routing-instances VPN2 route-distinguisher 200:101
set routing-instances VPN2 vrf-target target:200:100
set routing-instances VPN2 vrf-table-label
set routing-instances VPN3 instance-type vrf
set routing-instances VPN3 interface ob4_obce43
set routing-instances VPN3 route-distinguisher 300:101
set routing-instances VPN3 vrf-target target:300:100
set routing-instances VPN3 vrf-table-label
set routing-options router-id 4.4.4.4
set routing-options autonomous-system 65002
set protocols bgp group OB3 type internal
set protocols bgp group OB3 family inet-vpn unicast
set protocols bgp group OB3 family route-target
set protocols bgp group OB3 neighbor 3.3.3.3 local-address 4.4.4.4
set protocols ldp interface ob4_ob3
set protocols mpls icmp-tunneling
set protocols mpls interface all
set protocols ospf area 0.0.0.200 interface ob4_ob3
set protocols ospf area 0.0.0.200 interface lo.0 passive
If doing MP-iBGP option B and having an inline RR
This causes a lot of confusion due to the below reason
- Possibility of cluster ID loops when using inline RR and doing inter-AS option B with MP-iBGP
- In this case need to use local-as and do iBGP and configure a different ASN under [routing-options], otherwise all sort of loops occur and possibility of VPN routes being hidden due to looping
- The below output described also has cluster looping and hence you would notice the rtarget table has the routes both as
localandbgp. The RR readvertises the same ASN back to the PE and hence bgp.rtarget.0 sees a BGP route along with local route.
Route table outputs
At OB1
root@ob1# run show route table bgp.rtarget.0
bgp.rtarget.0: 6 destinations, 9 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
65001:100:100/96
*[RTarget/5] 00:30:21
Type Default
Local
[BGP/170] 00:17:42, localpref 100, from 2.2.2.2
AS path: I, validation-state: unverified
> to 192.168.1.2 via ob1_ob2
65001:300:100/96
*[RTarget/5] 00:30:21
Type Default
Local
[BGP/170] 00:17:42, localpref 100, from 2.2.2.2
AS path: I, validation-state: unverified
> to 192.168.1.2 via ob1_ob2
65001:500:100/96
*[RTarget/5] 00:30:21
Type Default
Local
[BGP/170] 00:53:51, localpref 100, from 2.2.2.2
AS path: I, validation-state: unverified
> to 192.168.1.2 via ob1_ob2
65002:100:100/96
*[BGP/170] 00:17:17, localpref 100, from 2.2.2.2
AS path: 65002 I, validation-state: unverified
> to 192.168.1.2 via ob1_ob2
65002:200:100/96
*[BGP/170] 00:17:17, localpref 100, from 2.2.2.2
AS path: 65002 I, validation-state: unverified
> to 192.168.1.2 via ob1_ob2
65002:300:100/96
*[BGP/170] 00:17:17, localpref 100, from 2.2.2.2
AS path: 65002 I, validation-state: unverified
> to 192.168.1.2 via ob1_ob2
At OB2
root@ob2# run show route table bgp.rtarget.0
bgp.rtarget.0: 6 destinations, 9 routes (6 active, 0 holddown, 3 hidden)
+ = Active Route, - = Last Active, * = Both
65001:100:100/96
*[BGP/170] 00:58:28, localpref 100, from 1.1.1.1
AS path: I, validation-state: unverified
> to 192.168.1.1 via ob2_ob1
65001:300:100/96
*[BGP/170] 00:58:28, localpref 100, from 1.1.1.1
AS path: I, validation-state: unverified
> to 192.168.1.1 via ob2_ob1
65001:500:100/96
*[BGP/170] 00:58:28, localpref 100, from 1.1.1.1
AS path: I, validation-state: unverified
> to 192.168.1.1 via ob2_ob1
65002:100:100/96
*[BGP/170] 00:21:54, localpref 100
AS path: 65002 I, validation-state: unverified
> to 192.168.2.1 via ob2_ob3
65002:200:100/96
*[BGP/170] 00:21:54, localpref 100
AS path: 65002 I, validation-state: unverified
> to 192.168.2.1 via ob2_ob3
65002:300:100/96
*[BGP/170] 00:21:54, localpref 100
AS path: 65002 I, validation-state: unverified
> to 192.168.2.1 via ob2_ob3
At OB3
root@ob3# run show route table bgp.rtarget.0
bgp.rtarget.0: 6 destinations, 9 routes (6 active, 0 holddown, 3 hidden)
+ = Active Route, - = Last Active, * = Both
65001:100:100/96
*[BGP/170] 00:22:33, localpref 100
AS path: I, validation-state: unverified
> to 192.168.2.2 via ob3_ob2
65001:300:100/96
*[BGP/170] 00:22:33, localpref 100
AS path: I, validation-state: unverified
> to 192.168.2.2 via ob3_ob2
65001:500:100/96
*[BGP/170] 00:22:33, localpref 100
AS path: I, validation-state: unverified
> to 192.168.2.2 via ob3_ob2
65002:100:100/96
*[BGP/170] 00:22:36, localpref 100, from 4.4.4.4
AS path: I, validation-state: unverified
> to 192.168.3.2 via ob3_ob4
65002:200:100/96
*[BGP/170] 00:22:36, localpref 100, from 4.4.4.4
AS path: I, validation-state: unverified
> to 192.168.3.2 via ob3_ob4
65002:300:100/96
*[BGP/170] 00:22:36, localpref 100, from 4.4.4.4
AS path: I, validation-state: unverified
> to 192.168.3.2 via ob3_ob4
At OB4
root@ob4# run show route table bgp.rtarget.0
bgp.rtarget.0: 6 destinations, 9 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
65001:100:100/96
*[BGP/170] 00:23:35, localpref 100, from 3.3.3.3
AS path: 65001 I, validation-state: unverified
> to 192.168.3.1 via ob4_ob3
65001:300:100/96
*[BGP/170] 00:23:35, localpref 100, from 3.3.3.3
AS path: 65001 I, validation-state: unverified
> to 192.168.3.1 via ob4_ob3
65001:500:100/96
*[BGP/170] 00:23:35, localpref 100, from 3.3.3.3
AS path: 65001 I, validation-state: unverified
> to 192.168.3.1 via ob4_ob3
65002:100:100/96
*[RTarget/5] 00:24:00
Type Default
Local
[BGP/170] 00:23:57, localpref 100, from 3.3.3.3
AS path: I, validation-state: unverified
> to 192.168.3.1 via ob4_ob3
65002:200:100/96
*[RTarget/5] 00:24:00
Type Default
Local
[BGP/170] 00:23:57, localpref 100, from 3.3.3.3
AS path: I, validation-state: unverified
> to 192.168.3.1 via ob4_ob3
65002:300:100/96
*[RTarget/5] 00:24:00
Type Default
Local
[BGP/170] 00:23:57, localpref 100, from 3.3.3.3
AS path: I, validation-state: unverified
> to 192.168.3.1 via ob4_ob3
Advertisement from OB2 to OB3
root@ob2# run show route advertising-protocol bgp 192.168.2.1
bgp.l3vpn.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
300:100:100.1.3.0/30
* Self 100 I
100:100:100.1.1.0/30
* Self 100 I
100:100:100.11.0.1/32
* Self 100 64001 I
100:100:100.11.0.2/32
* Self 100 64001 I
100:100:100.11.0.3/32
* Self 100 64001 I
100:100:172.17.0.0/16
* Self 100 64001 I
bgp.rtarget.0: 6 destinations, 9 routes (6 active, 0 holddown, 3 hidden)
Prefix Nexthop MED Lclpref AS path
65001:100:100/96
* Self 100 I
65001:300:100/96
* Self 100 I
65001:500:100/96
* Self 100 I
65002:100:100/96
* Self 100 65002 I
65002:200:100/96
* Self 100 65002 I
65002:300:100/96
* Self 100 65002 I
Notice here that only routes with target communities 100:100 and 300:100 are advertised but not 500:100. This is because the far end hasn’t requested for target community 500:100.
Received routes on OB4 from OB3
root@ob4# run show route receive-protocol bgp 3.3.3.3
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
VPN1.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 100.1.1.0/30 3.3.3.3 100 65001 I
* 100.11.0.1/32 3.3.3.3 100 65001 64001 I
* 100.11.0.2/32 3.3.3.3 100 65001 64001 I
* 100.11.0.3/32 3.3.3.3 100 65001 64001 I
* 172.17.0.0/16 3.3.3.3 100 65001 64001 I
VPN2.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
VPN3.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 100.1.3.0/30 3.3.3.3 100 65001 I
mpls.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
bgp.l3vpn.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
300:100:100.1.3.0/30
* 3.3.3.3 100 65001 I
100:100:100.1.1.0/30
* 3.3.3.3 100 65001 I
100:100:100.11.0.1/32
* 3.3.3.3 100 65001 64001 I
100:100:100.11.0.2/32
* 3.3.3.3 100 65001 64001 I
100:100:100.11.0.3/32
* 3.3.3.3 100 65001 64001 I
100:100:172.17.0.0/16
* 3.3.3.3 100 65001 64001 I
inet6.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
VPN1.inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
VPN2.inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
VPN3.inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
bgp.rtarget.0: 6 destinations, 9 routes (6 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
65001:100:100/96
* 3.3.3.3 100 65001 I
65001:300:100/96
* 3.3.3.3 100 65001 I
65001:500:100/96
* 3.3.3.3 100 65001 I
65002:100:100/96
3.3.3.3 100 I
65002:200:100/96
3.3.3.3 100 I
65002:300:100/96
3.3.3.3 100 I
Notice that VPN routes only for Route target communities 100:100 and 300:100 are received under bgp.l3vpn.0 and then imported into respective VRFs VPN1 and VPN3
Display VPN routes on OB4
root@ob4# run show route table VPN1.inet.0
VPN1.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
100.1.1.0/30 *[BGP/170] 00:27:57, localpref 100, from 3.3.3.3
AS path: 65001 I, validation-state: unverified
> to 192.168.3.1 via ob4_ob3, Push 250
100.4.1.0/30 *[Direct/0] 1w0d 08:23:58
> via ob4_obce41
100.4.1.1/32 *[Local/0] 1w0d 08:23:58
Local via ob4_obce41
100.11.0.1/32 *[BGP/170] 00:27:57, localpref 100, from 3.3.3.3
AS path: 65001 64001 I, validation-state: unverified
> to 192.168.3.1 via ob4_ob3, Push 250
100.11.0.2/32 *[BGP/170] 00:27:57, localpref 100, from 3.3.3.3
AS path: 65001 64001 I, validation-state: unverified
> to 192.168.3.1 via ob4_ob3, Push 250
100.11.0.3/32 *[BGP/170] 00:27:57, localpref 100, from 3.3.3.3
AS path: 65001 64001 I, validation-state: unverified
> to 192.168.3.1 via ob4_ob3, Push 250
172.17.0.0/16 *[BGP/170] 00:27:57, localpref 100, from 3.3.3.3
AS path: 65001 64001 I, validation-state: unverified
> to 192.168.3.1 via ob4_ob3, Push 250
[edit]
root@ob4# run show route table VPN2.inet.0
VPN2.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
100.4.2.0/30 *[Direct/0] 05:35:54
> via ob4_obce42
100.4.2.1/32 *[Local/0] 05:35:54
Local via ob4_obce42
[edit]
root@ob4# run show route table VPN3.inet.0
VPN3.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
100.1.3.0/30 *[BGP/170] 00:28:07, localpref 100, from 3.3.3.3
AS path: 65001 I, validation-state: unverified
> to 192.168.3.1 via ob4_ob3, Push 251
100.4.3.0/30 *[Direct/0] 1w0d 08:24:08
> via ob4_obce43
100.4.3.1/32 *[Local/0] 1w0d 08:24:08
Local via ob4_obce43
Similarly for the other direction is noticed.
Notes
Configs
OB1
set interfaces lo unit 0 family inet address 1.1.1.1/32
set policy-options policy-statement ADD_CE2_COMM term 10 then community add ADD_CE2_COMM
set policy-options policy-statement ADD_CE2_COMM term 10 then accept
set policy-options policy-statement ADD_VPN1_COMM term 10 then community add ORG_COMM
set policy-options policy-statement ADD_VPN1_COMM term 10 then accept
set policy-options community ADD_CE2_COMM members origin:100.1.2.2:3
set policy-options community ORG_COMM members origin:100.1.1.2:3
set routing-instances VPN1 instance-type vrf
set routing-instances VPN1 protocols bgp group PE-CE-VPN1 type external
set routing-instances VPN1 protocols bgp group PE-CE-VPN1 family inet unicast
set routing-instances VPN1 protocols bgp group PE-CE-VPN1 peer-as 64001
set routing-instances VPN1 protocols bgp group PE-CE-VPN1 neighbor 100.1.1.2 local-address 100.1.1.1
set routing-instances VPN1 interface ob1_obce11
set routing-instances VPN1 route-distinguisher 100:100
set routing-instances VPN1 vrf-target target:100:100
set routing-instances VPN1 vrf-table-label
set routing-instances VPN2 instance-type vrf
set routing-instances VPN2 protocols bgp group PE-CE-CE2 type external
set routing-instances VPN2 protocols bgp group PE-CE-CE2 family inet unicast
set routing-instances VPN2 protocols bgp group PE-CE-CE2 peer-as 64002
set routing-instances VPN2 protocols bgp group PE-CE-CE2 neighbor 100.1.2.2 local-address 100.1.2.1
set routing-instances VPN2 interface ob1_obce12
set routing-instances VPN2 route-distinguisher 500:100
set routing-instances VPN2 vrf-target target:500:100
set routing-instances VPN2 vrf-table-label
set routing-instances VPN3 instance-type vrf
set routing-instances VPN3 interface ob1_obce13
set routing-instances VPN3 route-distinguisher 300:100
set routing-instances VPN3 vrf-target target:300:100
set routing-instances VPN3 vrf-table-label
set routing-options router-id 1.1.1.1
set routing-options autonomous-system 65001
set protocols bgp group OB2 type internal
set protocols bgp group OB2 traceoptions file bgp.log
set protocols bgp group OB2 traceoptions file size 10m
set protocols bgp group OB2 traceoptions flag all
set protocols bgp group OB2 family inet-vpn unicast
set protocols bgp group OB2 family route-target
set protocols bgp group OB2 neighbor 2.2.2.2 local-address 1.1.1.1
set protocols ldp interface ob1_ob2
set protocols mpls icmp-tunneling
set protocols mpls interface all
set protocols ospf area 0.0.0.100 interface ob1_ob2
set protocols ospf area 0.0.0.100 interface lo.0 passive
OB2
set interfaces lo unit 0 family inet address 2.2.2.2/32
set policy-options policy-statement LEAK_POLICY term 10 from route-filter 192.168.2.0/30 exact
set policy-options policy-statement LEAK_POLICY term 10 then accept
set policy-options policy-statement LEAK_POLICY term 20 then reject
set policy-options policy-statement NH_SELF then next-hop self
set policy-options policy-statement NH_SELF then accept
set policy-options community ORG_COMM members origin:100.1.1.2:3
set policy-options community ORG_COMM members origin:100.1.2.2:3
set routing-options interface-routes rib-group inet LEAK
set routing-options router-id 2.2.2.2
set routing-options autonomous-system 65001
set routing-options rib-groups LEAK import-rib inet.0
set routing-options rib-groups LEAK import-rib inet.3
set routing-options rib-groups LEAK import-policy LEAK_POLICY
set protocols bgp group OB2-RR type internal
set protocols bgp group OB2-RR keep all
set protocols bgp group OB2-RR family inet-vpn unicast
set protocols bgp group OB2-RR family route-target
set protocols bgp group OB2-RR export NH_SELF
set protocols bgp group OB2-RR cluster 2.2.2.2
set protocols bgp group OB2-RR neighbor 1.1.1.1 local-address 2.2.2.2
set protocols bgp group OB2-RR neighbor 192.168.2.1 local-address 192.168.2.2
set protocols ldp interface ob2_ob1
set protocols mpls icmp-tunneling
set protocols mpls interface all
set protocols ospf area 0.0.0.100 interface ob2_ob1
set protocols ospf area 0.0.0.100 interface lo.0 passive
set protocols ospf area 0.0.0.0 interface ob2_ob3
deactivate protocols ospf area 0.0.0.0
set protocols ospf rib-groups inet LEAK
deactivate protocols ospf rib-groups
OB3
set interfaces lo unit 0 family inet address 3.3.3.3/32
set policy-options policy-statement LEAK_POLICY term 10 from route-filter 192.168.2.0/30 exact
set policy-options policy-statement LEAK_POLICY term 10 then accept
set policy-options policy-statement LEAK_POLICY term 20 then reject
set policy-options policy-statement NH_SELF then next-hop self
set policy-options policy-statement NH_SELF then accept
set routing-options interface-routes rib-group inet LEAK
set routing-options router-id 3.3.3.3
set routing-options autonomous-system 65002
set routing-options rib-groups LEAK import-rib inet.0
set routing-options rib-groups LEAK import-rib inet.3
set routing-options rib-groups LEAK import-policy LEAK_POLICY
set protocols bgp group RR-OB3 type internal
set protocols bgp group RR-OB3 keep all
set protocols bgp group RR-OB3 family inet-vpn unicast
set protocols bgp group RR-OB3 family route-target
set protocols bgp group RR-OB3 export NH_SELF
set protocols bgp group RR-OB3 cluster 3.3.3.3
set protocols bgp group RR-OB3 neighbor 4.4.4.4 local-address 3.3.3.3
set protocols bgp group RR-OB3 neighbor 192.168.2.2 local-address 192.168.2.1
set protocols bgp group RR-OB3 neighbor 192.168.2.2 local-as 65001
set protocols ldp interface ob3_ob4
set protocols mpls icmp-tunneling
set protocols mpls interface all
set protocols ospf area 0.0.0.200 interface ob3_ob4
set protocols ospf area 0.0.0.200 interface lo.0 passive
set protocols ospf area 0.0.0.0 interface ob3_ob2
deactivate protocols ospf area 0.0.0.0
set protocols ospf rib-groups inet LEAK
deactivate protocols ospf rib-groups
OB4
set interfaces lo unit 0 family inet address 4.4.4.4/32
set routing-instances VPN1 instance-type vrf
set routing-instances VPN1 interface ob4_obce41
set routing-instances VPN1 route-distinguisher 100:101
set routing-instances VPN1 vrf-target target:100:100
set routing-instances VPN1 vrf-table-label
set routing-instances VPN2 instance-type vrf
set routing-instances VPN2 interface ob4_obce42
set routing-instances VPN2 route-distinguisher 200:101
set routing-instances VPN2 vrf-target target:200:100
set routing-instances VPN2 vrf-table-label
set routing-instances VPN3 instance-type vrf
set routing-instances VPN3 interface ob4_obce43
set routing-instances VPN3 route-distinguisher 300:101
set routing-instances VPN3 vrf-target target:300:100
set routing-instances VPN3 vrf-table-label
set routing-options router-id 4.4.4.4
set routing-options autonomous-system 65002
set protocols bgp group OB3 type internal
set protocols bgp group OB3 family inet-vpn unicast
set protocols bgp group OB3 family route-target
set protocols bgp group OB3 neighbor 3.3.3.3 local-address 4.4.4.4
set protocols ldp interface ob4_ob3
set protocols mpls icmp-tunneling
set protocols mpls interface all
set protocols ospf area 0.0.0.200 interface ob4_ob3
set protocols ospf area 0.0.0.200 interface lo.0 passive
Advertising Default route
one can configure BGP to send a default route to indicate to its peer that it can accept routes for any VPNs associated with any route target. This is applicable on the Route reflectors since they need to have the routes advertising to one of its PE router clients. To advertise default Rtarget, use the below knob
set protocols bgp group RR family route-target advertise-default
crpd junos juniper mx