Re: [j-nsp] Leaking from a vrf to inet0
On 21/03/2016 18:12, Raphael Mazelier wrote:

> Wow, looks nice. I will give it a try. Can I specify a policy in the rib-groups?

So tested and nope. I will stick with my strange (but working config) configuration.

--
Raphael Mazelier
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Leaking from a vrf to inet0
On 21/03/2016 17:21, chip wrote:

> Hi Raphael,
>
> If I'm understanding what you want correctly you can use rib-groups to do this.
>
> routing-options {
>     rib-groups {
>         FROM-VRF-TO-GLOBAL {
>             import-rib [ SOURCE-VRF inet.0 ];
>             import-policy WHATEVER-POLICY-YOU-WANT;
>         }
>     }
> }

Nope, this didn't work in this case (mp-bgp learned route to inet.0).

--
Raphael Mazelier
Re: [j-nsp] Leaking from a vrf to inet0
On Mon, Mar 21, 2016 at 06:12:57PM +0100, Raphael Mazelier wrote:
>
> On 21/03/2016 18:06, Daniel Dobrijałowski wrote:
>
> >Use auto-export and rib-groups together:
> >http://www.juniper.net/documentation/en_US/junos15.1/topics/example/vpn-overlapping-vpns-using-automatic-route-export-configuring.html
> >See "Configuring Overlapping VPNs and Additional Tables" section.
> >
> >Remember to read the last paragraph in that section, because usage of
> >import-rib is not standard (primary table is not listed).
> >
> >It's a very nice feature - you don't have to think about how you've received
> >routes (interface, static, BGP, MP-BGP, IGP) and leak them all using a single
> >policy in rib-group declaration.
> >
>
> Wow, looks nice. I will give it a try. Can I specify a policy in the rib-groups

Yes, you can. I've tested it in 11.4R7.5 - works fine in a few l3vpns since 2013.

--
Regards
Daniel "orcus" Dobrijałowski
Wrocławskie Centrum Sieciowo-Superkomputerowe
Re: [j-nsp] Leaking from a vrf to inet0
On 21/03/2016 18:06, Daniel Dobrijałowski wrote:

> Use auto-export and rib-groups together:
> http://www.juniper.net/documentation/en_US/junos15.1/topics/example/vpn-overlapping-vpns-using-automatic-route-export-configuring.html
> See "Configuring Overlapping VPNs and Additional Tables" section.
>
> Remember to read the last paragraph in that section, because usage of
> import-rib is not standard (primary table is not listed).
>
> It's a very nice feature - you don't have to think about how you've received
> routes (interface, static, BGP, MP-BGP, IGP) and leak them all using a single
> policy in rib-group declaration.

Wow, looks nice. I will give it a try. Can I specify a policy in the rib-groups?

--
Raphael Mazelier
Re: [j-nsp] Leaking from a vrf to inet0
> set routing-instances INTERNET protocols bgp family inet unicast rib-group INTERNET-to-MAIN-UCAST
> set routing-instances INTERNET protocols bgp family inet6 unicast rib-group INTERNET-to-MAIN-UCAST6
> set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib INTERNET.inet.0
> set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib inet.0
> set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib INTERNET.inet6.0
> set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib inet6.0

Mhm, I have just tested and it does not work this way for me.

Here is a snippet of my conf:

    rib-groups {
        internet-to-inet0 {
            import-rib [ internet.inet.0 inet.0 ];
            import-policy ipv4-internet-out;
        }
    }

and in the vrf 'internet':

    protocols {
        bgp {
            group ibgp-internal {
                type internal;
                family inet {
                    unicast {
                        rib-group internet-to-inet0;
                    }
                }
                neighbor x.x.x.x;
            }
        }
    }

without the neighbor knob activated, the pfx are not leaked.

--
Raphael Mazelier
Re: [j-nsp] Leaking from a vrf to inet0
Hi,

On Mon, Mar 21, 2016 at 05:04:35PM +0100, Raphael Mazelier wrote:
> - advertise twice the route in family inet in addition to inet-vpn, in order
>   to leak it with rib-group (since rib-group only works when pfx is in a
>   primary table)
> This last solution seems to be the least manual (I don't want to make config
> for each pfx) but seems tricky/ugly.
> I got a working setup with these but definitively looks weird.

Use auto-export and rib-groups together:
http://www.juniper.net/documentation/en_US/junos15.1/topics/example/vpn-overlapping-vpns-using-automatic-route-export-configuring.html
See "Configuring Overlapping VPNs and Additional Tables" section.

Remember to read the last paragraph in that section, because usage of
import-rib is not standard (primary table is not listed).

It's a very nice feature - you don't have to think about how you've received
routes (interface, static, BGP, MP-BGP, IGP) and leak them all using a single
policy in rib-group declaration.

--
Best Regards
Daniel "orcus" Dobrijalowski
WCSS
Re: [j-nsp] Leaking from a vrf to inet0
On Mon, Mar 21, 2016 at 05:04:35PM +0100, Raphael Mazelier wrote:
> I am currently evaluating how to migrate the internet dmz, and the
> public pfx of my customers into VRF.
> During the migration phase I have to leak pfx from vrf to the global table.
> Don't ask why, but I cannot do the leaking on the PE-CE side as it
> should normally occur.
> So I want to do leaking on the remote PE from pfx learned via mp-bgp
> on the vrf to the global, and afaik it is not possible directly.
>
> I know that this topic has been discussed before, but if someone
> has some hints on how to do this the cleanest way possible.

You can use rib-groups to do this.

> - advertise twice the route in family inet in addition to inet-vpn,
>   in order to leak it with rib-group (since rib-group only works when
>   pfx is in a primary table)

I don't think this is true. I'm doing this and it works.

    set routing-instances INTERNET protocols bgp family inet unicast rib-group INTERNET-to-MAIN-UCAST
    set routing-instances INTERNET protocols bgp family inet6 unicast rib-group INTERNET-to-MAIN-UCAST6
    set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib INTERNET.inet.0
    set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib inet.0
    set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib INTERNET.inet6.0
    set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib inet6.0
Re: [j-nsp] Leaking from a vrf to inet0
Hi Raphael,

If I'm understanding what you want correctly you can use rib-groups to do this.

    routing-options {
        rib-groups {
            FROM-VRF-TO-GLOBAL {
                import-rib [ SOURCE-VRF inet.0 ];
                import-policy WHATEVER-POLICY-YOU-WANT;
            }
        }
    }

see:
http://forums.juniper.net/t5/TheRoutingChurn/Using-rib-groups-or-auto-export-for-route-leaking/ba-p/202349
http://kb.juniper.net/InfoCenter/index?page=content=kb16133=search

--chip

On Mon, Mar 21, 2016 at 12:04 PM, Raphael Mazelier wrote:

> Hello,
>
> I am currently evaluating how to migrate the internet dmz, and the public
> pfx of my customers into VRF.
> During the migration phase I have to leak pfx from vrf to the global table.
> Don't ask why, but I cannot do the leaking on the PE-CE side as it should
> normally occur.
> So I want to do leaking on the remote PE from pfx learned via mp-bgp on
> the vrf to the global, and afaik it is not possible directly.
>
> I know that this topic has been discussed before, but if someone has
> some hints on how to do this the cleanest way possible.
>
> Options I found in old threads are:
> - use static routes with next-table (tested and works but completely manual)
> - use a lt interface between global and vrf (and use some routing protocol?)
> - advertise twice the route in family inet in addition to inet-vpn, in
>   order to leak it with rib-group (since rib-group only works when pfx is in a
>   primary table)
>
> This last solution seems to be the least manual (I don't want to make
> config for each pfx) but seems tricky/ugly.
> I got a working setup with these but definitively looks weird.
>
> What are your opinions/hints?
>
> --
> Raphael Mazelier

--
Just my $.02, your mileage may vary, batteries not included, etc
[j-nsp] Leaking from a vrf to inet0
Hello,

I am currently evaluating how to migrate the internet dmz, and the public pfx of my customers into VRF.
During the migration phase I have to leak pfx from vrf to the global table.
Don't ask why, but I cannot do the leaking on the PE-CE side as it should normally occur.
So I want to do leaking on the remote PE from pfx learned via mp-bgp on the vrf to the global, and afaik it is not possible directly.

I know that this topic has been discussed before, but if someone has some hints on how to do this the cleanest way possible.

Options I found in old threads are:
- use static routes with next-table (tested and works but completely manual)
- use a lt interface between global and vrf (and use some routing protocol?)
- advertise twice the route in family inet in addition to inet-vpn, in order to leak it with rib-group (since rib-group only works when pfx is in a primary table)

This last solution seems to be the least manual (I don't want to make config for each pfx) but seems tricky/ugly.
I got a working setup with these but definitively looks weird.

What are your opinions/hints?

--
Raphael Mazelier