Re: [j-nsp] VMX to VMX traffic on ESXi

2016-03-21 Thread serge vautour
No, I didn't clone the VMs. I did 2 fresh installs from the same juniper
image. You can see in my outputs that the MACs are different. Everything is
working now that I've applied the license. -Serge

On Mon, Mar 21, 2016 at 5:41 PM, Eduardo Schoedler wrote:

> Did you clone the VM? Did you change the mac-address?
>
> --
> Eduardo Schoedler
>
> 2016-03-21 16:32 GMT-03:00 serge vautour :
> > Hello,
> >
> > Thanks to everyone who replied with suggestions.
> >
> > I did not have any licenses installed. Oddly enough VMX2 was showing:
> >
> > user@LabVMX2> show pfe statistics traffic bandwidth
> > Configured Bandwidth : 100 bps
> > Bandwidth: 0 bps
> > Average Bandwidth: 339 bps
> >
> > This explains why VMX1 could receive traffic from VMX2. VMX1 had:
> >
> > user@LabVMX1> show pfe statistics traffic bandwidth
> > Configured Bandwidth : 0 bps
> > Bandwidth: 0 bps
> > Average Bandwidth: 0 bps
> >
> > This is very strange considering I created both VMX from the same install
> > file and they have near identical configs!?!
> >
> > Anyway I downloaded a 60 trial license from the Juniper web site and
> > installed on both. Everything is now working as expected.
> >
> > Thanks,
> > Serge
> >
> >
> > On Sun, Mar 20, 2016 at 8:13 AM, Raphael Mazelier wrote:
> >
> >> I have got some strange problems with vmx on vmware.
> >> First double check that all your vswitches are in promiscuous mode.
> >> Check also if you use vxnet or e1000 type of interface, I've got erratic
> >> problems with vxnet, and gave up with it.
> >> Check the mac address mapping, and finally check if you have a proper license
> >> installed ;) (I've spent one hour to find why one of my test vmx does not work
> >> anymore, before I found that the license had expired...)
> >>
> >> --
> >> Raphael Mazelier
> >>
> >> On 18/03/2016 21:49, serge vautour wrote:
> >>
> >>> Hello,
> >>>
> >>> I haven't had any replies in the Juniper VMX forum so I thought I'd try
> >>> here:
> >>>
> >>> I have setup 2 VMX (each with a VCP & VPFE) on one ESXi host using Junos
> >>> VMX 15.1F4. Each VMX seems to be working fine on its own. I can remotely
> >>> access the fxp0 interface.
> >>>
> >>> I created a dedicated vswitch with promiscuous mode on for the GE
> >>> interface. I used this vswitch for the 3rd NIC on each VPFE. I did not
> >>> attach any physical NICs to the vswitch as I only want to use it for
> >>> VMX-VMX traffic. Each VMX sees all 8 GE with ge-0/0/0 being up. I
> >>> configure:
> >>>
> >>> user@LabVMX1> show configuration interfaces ge-0/0/0
> >>> description "Link to VMX2 ge-0/0/0";
> >>> unit 0 {
> >>>     family inet {
> >>>         address 10.5.5.0/31;
> >>>     }
> >>> }
> >>>
> >>> user@LabVMX2> show configuration interfaces ge-0/0/0
> >>> description "Link to VMX1 ge-0/0/0";
> >>> unit 0 {
> >>>     family inet {
> >>>         address 10.5.5.1/31;
> >>>     }
> >>> }
> >>>
> >>> I also added OSPF to each interface. VMX1 seems to work fine. It shows
> >>> in/out traffic. VMX2 only shows outbound traffic.
> >>>
> >>> Using "monitor traffic interface ge-0/0/0" command I see:
> >>>
> >>> VMX1:
> >>>
> >>> 14:56:57.489954 In IP 10.5.5.1 > 224.0.0.5: OSPFv2, Hello, length 56
> >>> 14:57:02.079691 Out IP truncated-ip - 20 bytes missing! 10.5.5.0 >
> >>> 224.0.0.5:
> >>> OSPFv2, Hello, length 60
> >>>
> >>> VMX2:
> >>> 14:57:48.925035 Out IP truncated-ip - 16 bytes missing! 10.5.5.1 >
> >>> 224.0.0.5:
> >>> OSPFv2, Hello, length 56
> >>>
> >>> 14:57:58.487367 Out IP truncated-ip - 16 bytes missing! 10.5.5.1 >
> >>> 224.0.0.5:
> >>> OSPFv2, Hello, length 56
> >>>
> >>> VMX1 arp cache:
> >>>
> >>> 00:0c:29:a7:e9:09 10.5.5.1 ge-0/0/0.0 none
> >>>
> >>> VMX2 arp cache is empty.
> >>>
> >>> I never see any inbound packets on VMX2. I've tried ping, same result. I
> >>> thought this might be a broadcast/multicast problem so I tried configuring
> >>> static arp entries and then did a ping but this didn't help.
> >>>
> >>> Any help would be appreciated.
> >>>
> >>> Thanks,
> >>> Serge
> >>> ___
> >>> juniper-nsp mailing list juniper-nsp@puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>>
> >>
>
>
>
> --
> Eduardo Schoedler
>

Re: [j-nsp] VMX to VMX traffic on ESXi

2016-03-21 Thread Eduardo Schoedler
Did you clone the VM? Did you change the mac-address?

--
Eduardo Schoedler

2016-03-21 16:32 GMT-03:00 serge vautour :
> Hello,
>
> Thanks to everyone who replied with suggestions.
>
> I did not have any licenses installed. Oddly enough VMX2 was showing:
>
> user@LabVMX2> show pfe statistics traffic bandwidth
> Configured Bandwidth : 100 bps
> Bandwidth: 0 bps
> Average Bandwidth: 339 bps
>
> This explains why VMX1 could receive traffic from VMX2. VMX1 had:
>
> user@LabVMX1> show pfe statistics traffic bandwidth
> Configured Bandwidth : 0 bps
> Bandwidth: 0 bps
> Average Bandwidth: 0 bps
>
> This is very strange considering I created both VMX from the same install
> file and they have near identical configs!?!
>
> Anyway I downloaded a 60 trial license from the Juniper web site and
> installed on both. Everything is now working as expected.
>
> Thanks,
> Serge
>
>
> On Sun, Mar 20, 2016 at 8:13 AM, Raphael Mazelier wrote:
>
>> I have got some strange problems with vmx on vmware.
>> First double check that all your vswitches are in promiscuous mode.
>> Check also if you use vxnet or e1000 type of interface, I've got erratic
>> problems with vxnet, and gave up with it.
>> Check the mac address mapping, and finally check if you have a proper license
>> installed ;) (I've spent one hour to find why one of my test vmx does not work
>> anymore, before I found that the license had expired...)
>>
>> --
>> Raphael Mazelier
>>
>> On 18/03/2016 21:49, serge vautour wrote:
>>
>>> Hello,
>>>
>>> I haven't had any replies in the Juniper VMX forum so I thought I'd try
>>> here:
>>>
>>> I have setup 2 VMX (each with a VCP & VPFE) on one ESXi host using Junos
>>> VMX 15.1F4. Each VMX seems to be working fine on its own. I can remotely
>>> access the fxp0 interface.
>>>
>>> I created a dedicated vswitch with promiscuous mode on for the GE
>>> interface. I used this vswitch for the 3rd NIC on each VPFE. I did not
>>> attach any physical NICs to the vswitch as I only want to use it for
>>> VMX-VMX traffic. Each VMX sees all 8 GE with ge-0/0/0 being up. I
>>> configure:
>>>
>>> user@LabVMX1> show configuration interfaces ge-0/0/0
>>> description "Link to VMX2 ge-0/0/0";
>>> unit 0 {
>>>     family inet {
>>>         address 10.5.5.0/31;
>>>     }
>>> }
>>>
>>> user@LabVMX2> show configuration interfaces ge-0/0/0
>>> description "Link to VMX1 ge-0/0/0";
>>> unit 0 {
>>>     family inet {
>>>         address 10.5.5.1/31;
>>>     }
>>> }
>>>
>>> I also added OSPF to each interface. VMX1 seems to work fine. It shows
>>> in/out traffic. VMX2 only shows outbound traffic.
>>>
>>> Using "monitor traffic interface ge-0/0/0" command I see:
>>>
>>> VMX1:
>>>
>>> 14:56:57.489954 In IP 10.5.5.1 > 224.0.0.5: OSPFv2, Hello, length 56
>>> 14:57:02.079691 Out IP truncated-ip - 20 bytes missing! 10.5.5.0 >
>>> 224.0.0.5:
>>> OSPFv2, Hello, length 60
>>>
>>> VMX2:
>>> 14:57:48.925035 Out IP truncated-ip - 16 bytes missing! 10.5.5.1 >
>>> 224.0.0.5:
>>> OSPFv2, Hello, length 56
>>>
>>> 14:57:58.487367 Out IP truncated-ip - 16 bytes missing! 10.5.5.1 >
>>> 224.0.0.5:
>>> OSPFv2, Hello, length 56
>>>
>>> VMX1 arp cache:
>>>
>>> 00:0c:29:a7:e9:09 10.5.5.1 ge-0/0/0.0 none
>>>
>>> VMX2 arp cache is empty.
>>>
>>> I never see any inbound packets on VMX2. I've tried ping, same result. I
>>> thought this might be a broadcast/multicast problem so I tried configuring
>>> static arp entries and then did a ping but this didn't help.
>>>
>>> Any help would be appreciated.
>>>
>>> Thanks,
>>> Serge
>>>
>>



-- 
Eduardo Schoedler

Re: [j-nsp] VMX to VMX traffic on ESXi

2016-03-21 Thread serge vautour
Hello,

Thanks to everyone who replied with suggestions.

I did not have any licenses installed. Oddly enough VMX2 was showing:

user@LabVMX2> show pfe statistics traffic bandwidth
Configured Bandwidth : 100 bps
Bandwidth: 0 bps
Average Bandwidth: 339 bps

This explains why VMX1 could receive traffic from VMX2. VMX1 had:

user@LabVMX1> show pfe statistics traffic bandwidth
Configured Bandwidth : 0 bps
Bandwidth: 0 bps
Average Bandwidth: 0 bps

This is very strange considering I created both VMX from the same install
file and they have near identical configs!?!

Anyway I downloaded a 60 trial license from the Juniper web site and
installed on both. Everything is now working as expected.

Thanks,
Serge


On Sun, Mar 20, 2016 at 8:13 AM, Raphael Mazelier wrote:

> I have got some strange problems with vmx on vmware.
> First double check that all your vswitches are in promiscuous mode.
> Check also if you use vxnet or e1000 type of interface, I've got erratic
> problems with vxnet, and gave up with it.
> Check the mac address mapping, and finally check if you have a proper license
> installed ;) (I've spent one hour to find why one of my test vmx does not work
> anymore, before I found that the license had expired...)
>
> --
> Raphael Mazelier
>
> On 18/03/2016 21:49, serge vautour wrote:
>
>> Hello,
>>
>> I haven't had any replies in the Juniper VMX forum so I thought I'd try
>> here:
>>
>> I have setup 2 VMX (each with a VCP & VPFE) on one ESXi host using Junos
>> VMX 15.1F4. Each VMX seems to be working fine on its own. I can remotely
>> access the fxp0 interface.
>>
>> I created a dedicated vswitch with promiscuous mode on for the GE
>> interface. I used this vswitch for the 3rd NIC on each VPFE. I did not
>> attach any physical NICs to the vswitch as I only want to use it for
>> VMX-VMX traffic. Each VMX sees all 8 GE with ge-0/0/0 being up. I
>> configure:
>>
>> user@LabVMX1> show configuration interfaces ge-0/0/0
>> description "Link to VMX2 ge-0/0/0";
>> unit 0 {
>>     family inet {
>>         address 10.5.5.0/31;
>>     }
>> }
>>
>> user@LabVMX2> show configuration interfaces ge-0/0/0
>> description "Link to VMX1 ge-0/0/0";
>> unit 0 {
>>     family inet {
>>         address 10.5.5.1/31;
>>     }
>> }
>>
>> I also added OSPF to each interface. VMX1 seems to work fine. It shows
>> in/out traffic. VMX2 only shows outbound traffic.
>>
>> Using "monitor traffic interface ge-0/0/0" command I see:
>>
>> VMX1:
>>
>> 14:56:57.489954 In IP 10.5.5.1 > 224.0.0.5: OSPFv2, Hello, length 56
>> 14:57:02.079691 Out IP truncated-ip - 20 bytes missing! 10.5.5.0 >
>> 224.0.0.5:
>> OSPFv2, Hello, length 60
>>
>> VMX2:
>> 14:57:48.925035 Out IP truncated-ip - 16 bytes missing! 10.5.5.1 >
>> 224.0.0.5:
>> OSPFv2, Hello, length 56
>>
>> 14:57:58.487367 Out IP truncated-ip - 16 bytes missing! 10.5.5.1 >
>> 224.0.0.5:
>> OSPFv2, Hello, length 56
>>
>> VMX1 arp cache:
>>
>> 00:0c:29:a7:e9:09 10.5.5.1 ge-0/0/0.0 none
>>
>> VMX2 arp cache is empty.
>>
>> I never see any inbound packets on VMX2. I've tried ping, same result. I
>> thought this might be a broadcast/multicast problem so I tried configuring
>> static arp entries and then did a ping but this didn't help.
>>
>> Any help would be appreciated.
>>
>> Thanks,
>> Serge
>>
>
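An added check, not part of the thread, that parses the two `monitor traffic` captures and the two `show pfe statistics traffic bandwidth` outputs quoted above and correlates them the way Serge did: a router that only ever sends on the link, whose peer reports 0 bps configured bandwidth, points at the unlicensed PFE rather than at the vswitch. The sample inputs are constructed from the quoted outputs (mail wrapping included); the LAB inventory and its peer mapping are assumptions.

```python
import re
from collections import Counter

# Constructed samples transcribed from the thread, mail wrapping included.
VMX1_MONITOR = """\
14:56:57.489954 In IP 10.5.5.1 > 224.0.0.5: OSPFv2, Hello, length 56
14:57:02.079691 Out IP truncated-ip - 20 bytes missing! 10.5.5.0 >
224.0.0.5:
OSPFv2, Hello, length 60
"""
VMX2_MONITOR = """\
14:57:48.925035 Out IP truncated-ip - 16 bytes missing! 10.5.5.1 >
224.0.0.5:
OSPFv2, Hello, length 56
14:57:58.487367 Out IP truncated-ip - 16 bytes missing! 10.5.5.1 >
224.0.0.5:
OSPFv2, Hello, length 56
"""
VMX1_BW = "Configured Bandwidth : 0 bps\nBandwidth: 0 bps\nAverage Bandwidth: 0 bps\n"
VMX2_BW = "Configured Bandwidth : 100 bps\nBandwidth: 0 bps\nAverage Bandwidth: 339 bps\n"
LAB = {  # hypothetical lab inventory; "peer" is the far end of ge-0/0/0
    "LabVMX1": {"monitor": VMX1_MONITOR, "bandwidth": VMX1_BW, "peer": "LabVMX2"},
    "LabVMX2": {"monitor": VMX2_MONITOR, "bandwidth": VMX2_BW, "peer": "LabVMX1"},
}

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
PKT_RE = re.compile(r"^(?P<ts>\S+) (?P<dir>In|Out) IP "
                    r"(?:truncated-ip - (?P<missing>\d+) bytes missing! )?"
                    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<rest>.*)$")

def parse_monitor(text):
    """One dict per 'monitor traffic' packet. A line with no leading timestamp
    is a mail-wrapped continuation of the previous packet and is re-joined."""
    packets = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if TS_RE.match(line) or not packets:
            packets.append(line)
        else:
            packets[-1] += " " + line
    records = []
    for m in filter(None, map(PKT_RE.match, packets)):
        d = m.groupdict()
        d["missing"] = int(d["missing"] or 0)  # 0 when captured whole
        records.append(d)
    return records

def parse_bandwidth(text):
    """'show pfe statistics traffic bandwidth' -> {configured, current, average} in bps."""
    keys = {"Configured Bandwidth": "configured", "Bandwidth": "current", "Average Bandwidth": "average"}
    result = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(\d+)\s*bps", line)
        if m and m.group(1) in keys:
            result[keys[m.group(1)]] = int(m.group(2))
    return result

def diagnose(lab):
    """Flag unlicensed PFEs (0 bps configured) and send-only interfaces, tying the latter to an unlicensed far end."""
    findings = []
    for name, info in lab.items():
        counts = Counter(r["dir"] for r in parse_monitor(info["monitor"]))
        if parse_bandwidth(info["bandwidth"]).get("configured", 0) == 0:
            findings.append(f"{name}: PFE configured bandwidth is 0 bps, check the license")
        if counts["In"] == 0 and counts["Out"] > 0:
            msg = f"{name}: outbound only, no inbound packets captured"
            if parse_bandwidth(lab[info["peer"]]["bandwidth"]).get("configured", 0) == 0:
                msg += f" (consistent with {info['peer']} having 0 bps configured bandwidth)"
            findings.append(msg)
    return findings
```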

Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Raphael Mazelier



On 21/03/2016 18:12, Raphael Mazelier wrote:



Wow, looks nice. I will give it a try. Can I specify a policy in the
rib-groups?



So I tested it, and nope. I will stick with my strange (but working)
configuration.


--
Raphael Mazelier

Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Raphael Mazelier



On 21/03/2016 17:21, chip wrote:

Hi Raphael,

   If I'm understanding what you want correctly you can use rib-groups
to do this.

routing-options {
   rib-groups {
 FROM-VRF-TO-GLOBAL {
   import-rib [ SOURCE-VRF inet.0 ];
   import-policy WHATEVER-POLICY-YOU-WANT;
 }
   }
}



Nope, this didn't work in this case (mp-bgp learned route to inet.0).

--
Raphael Mazelier

Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Daniel Dobrijałowski
On Mon, Mar 21, 2016 at 06:12:57PM +0100, Raphael Mazelier wrote:
> 
> 
> On 21/03/2016 18:06, Daniel Dobrijałowski wrote:
> 
> >Use auto-export and rib-groups together:
> >http://www.juniper.net/documentation/en_US/junos15.1/topics/example/vpn-overlapping-vpns-using-automatic-route-export-configuring.html
> >See "Configuring Overlapping VPNs and Additional Tables" section.
> >
> >Remember to read the last paragraph in that section, because usage of 
> >import-rib
> >is not standard (primary table is not listed).
> >
> >It's a very nice feature: you don't have to think about how you've received
> >routes (interface, static, BGP, MP-BGP, IGP) and leak them all using a single
> >policy in the rib-group declaration.
> >
> 
> Wow, looks nice. I will give it a try. Can I specify a policy in the rib-groups

Yes, you can. I've tested it in 11.4R7.5 - works fine in a few l3vpns since 
2013.

-- 
Pozdrawiam
Daniel "orcus" Dobrijałowski
Wrocławskie Centrum Sieciowo-Superkomputerowe

Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Raphael Mazelier



On 21/03/2016 18:06, Daniel Dobrijałowski wrote:


Use auto-export and rib-groups together:
http://www.juniper.net/documentation/en_US/junos15.1/topics/example/vpn-overlapping-vpns-using-automatic-route-export-configuring.html
See "Configuring Overlapping VPNs and Additional Tables" section.

Remember to read the last paragraph in that section, because usage of import-rib
is not standard (primary table is not listed).

It's a very nice feature: you don't have to think about how you've received
routes (interface, static, BGP, MP-BGP, IGP) and leak them all using a single
policy in the rib-group declaration.



Wow, looks nice. I will give it a try. Can I specify a policy in the
rib-groups?


--
Raphael Mazelier

Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Raphael Mazelier




set routing-instances INTERNET protocols bgp family inet unicast rib-group 
INTERNET-to-MAIN-UCAST
set routing-instances INTERNET protocols bgp family inet6 unicast rib-group 
INTERNET-to-MAIN-UCAST6
set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib INTERNET.inet.0
set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib inet.0
set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib 
INTERNET.inet6.0
set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib inet6.0


Mhm, I have just tested and it does not work this way for me.
Here is a snippet of my config:

rib-groups {
    internet-to-inet0 {
        import-rib [ internet.inet.0 inet.0 ];
        import-policy ipv4-internet-out;
    }
}

and in the vrf 'internet' :

protocols {
    bgp {
        group ibgp-internal {
            type internal;
            family inet {
                unicast {
                    rib-group internet-to-inet0;
                }
            }
            neighbor x.x.x.x;
        }
    }
}

Without the neighbor knob activated, the pfx are not leaked.

--
Raphael Mazelier



Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Daniel Dobrijałowski
Hi,

On Mon, Mar 21, 2016 at 05:04:35PM +0100, Raphael Mazelier wrote:
> - advertise twice the route in family inet in addition to inet-vpn, in order
> to leak it with rib-group (since rib-group only work when pfx is in a
> primary table)
 
> This last solution seems to be the less manual (I don't want to make config
> for each pfx) but seems tricky/ugly.
> I got a working setup with these but it definitely looks weird.

Use auto-export and rib-groups together:
http://www.juniper.net/documentation/en_US/junos15.1/topics/example/vpn-overlapping-vpns-using-automatic-route-export-configuring.html
See "Configuring Overlapping VPNs and Additional Tables" section.

Remember to read the last paragraph in that section, because usage of import-rib
is not standard (primary table is not listed). 

It's a very nice feature: you don't have to think about how you've received
routes (interface, static, BGP, MP-BGP, IGP) and leak them all using a single
policy in the rib-group declaration.

-- 
Best Regards
Daniel "orcus" Dobrijalowski
WCSS


Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Chuck Anderson

On Mon, Mar 21, 2016 at 05:04:35PM +0100, Raphael Mazelier wrote:
> I am currently evaluating how to migrate the internet dmz, and the
> public pfx of my customers into VRF.
> During the migration phase I have to leak pfx from vrf to the global table.
> Don't ask why, but I cannot do the leaking on the PE-CE side as it
> should normally occur.
> So I want to do leaking on the remote PE from pfx learned via mp-bgp
> on the vrf to the global, and afaik it is not possible directly.
> 
> I know that this topic has been discussed before, but if someone
> has some hints on how to do this the cleanest way possible.

You can use rib-groups to do this.

> - advertise twice the route in family inet in addition to inet-vpn,
> in order to leak it with rib-group (since rib-group only work when
> pfx is in a primary table)

I don't think this is true.  I'm doing this and it works.

set routing-instances INTERNET protocols bgp family inet unicast rib-group 
INTERNET-to-MAIN-UCAST
set routing-instances INTERNET protocols bgp family inet6 unicast rib-group 
INTERNET-to-MAIN-UCAST6
set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib INTERNET.inet.0
set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib inet.0
set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib 
INTERNET.inet6.0
set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib inet6.0


Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread chip
Hi Raphael,

  If I'm understanding what you want correctly you can use rib-groups to do
this.

routing-options {
  rib-groups {
FROM-VRF-TO-GLOBAL {
  import-rib [ SOURCE-VRF inet.0 ];
  import-policy WHATEVER-POLICY-YOU-WANT;
}
  }
}

see:
http://forums.juniper.net/t5/TheRoutingChurn/Using-rib-groups-or-auto-export-for-route-leaking/ba-p/202349

http://kb.juniper.net/InfoCenter/index?page=content=kb16133=search

--chip

On Mon, Mar 21, 2016 at 12:04 PM, Raphael Mazelier wrote:

> Hello,
>
> I am currently evaluating how to migrate the internet dmz, and the public
> pfx of my customers into VRF.
> During the migration phase I have to leak pfx from vrf to the global table.
> Don't ask why, but I cannot do the leaking on the PE-CE side as it should
> normally occur.
> So I want to do leaking on the remote PE from pfx learned via mp-bgp on
> the vrf to the global, and afaik it is not possible directly.
>
> I know that this topic has been discussed before, but if someone has
> some hints on how to do this the cleanest way possible.
>
> Options I found in old threads are :
> - use static routes with next-table (tested and work but completely manual)
> - use a lt interface between global and vrf (and use some routing protocol
> ?)
> - advertise twice the route in family inet in addition to inet-vpn, in
> order to leak it with rib-group (since rib-group only work when pfx is in a
> primary table)
>
> This last solution seems to be the less manual (I don't want to make
> config for each pfx) but seems tricky/ugly.
> I got a working setup with these but it definitely looks weird.
>
> What are your opinions/hints ?
>
> --
> Raphael Mazelier
>



-- 
Just my $.02, your mileage may vary,  batteries not included, etc


[j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Raphael Mazelier

Hello,

I am currently evaluating how to migrate the internet dmz, and the 
public pfx of my customers into VRF.

During the migration phase I have to leak pfx from vrf to the global table.
Don't ask why, but I cannot do the leaking on the PE-CE side as it 
should normally occur.
So I want to do leaking on the remote PE from pfx learned via mp-bgp on 
the vrf to the global, and afaik it is not possible directly.


I know that this topic has been discussed before, but if someone has 
some hints on how to do this the cleanest way possible.


Options I found in old threads are:
- use static routes with next-table (tested and works, but completely manual)
- use an lt interface between global and vrf (and use some routing 
protocol?)
- advertise twice the route in family inet in addition to inet-vpn, in 
order to leak it with rib-group (since rib-group only works when the pfx is 
in a primary table)


This last solution seems to be the least manual (I don't want to make 
config for each pfx) but seems tricky/ugly.

I got a working setup with these but it definitely looks weird.

What are your opinions/hints?

--
Raphael Mazelier