Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Raphael Mazelier



On 21/03/2016 18:12, Raphael Mazelier wrote:

> Wow, looks nice. I will give it a try. Can I specify a policy in the
> rib-groups?

So tested and nope. I will stick with my strange (but working)
configuration.


--
Raphael Mazelier
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Raphael Mazelier



On 21/03/2016 17:21, chip wrote:

> Hi Raphael,
>
>    If I'm understanding what you want correctly you can use rib-groups
> to do this.
>
> routing-options {
>     rib-groups {
>         FROM-VRF-TO-GLOBAL {
>             import-rib [ SOURCE-VRF inet.0 ];
>             import-policy WHATEVER-POLICY-YOU-WANT;
>         }
>     }
> }



Nope, this didn't work in this case (mp-bgp learned route to inet.0).

--
Raphael Mazelier

Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Daniel Dobrijałowski
On Mon, Mar 21, 2016 at 06:12:57PM +0100, Raphael Mazelier wrote:
> 
> 
> On 21/03/2016 18:06, Daniel Dobrijałowski wrote:
>
> >Use auto-export and rib-groups together:
> >http://www.juniper.net/documentation/en_US/junos15.1/topics/example/vpn-overlapping-vpns-using-automatic-route-export-configuring.html
> >See "Configuring Overlapping VPNs and Additional Tables" section.
> >
> >Remember to read the last paragraph in that section, because usage of import-rib
> >is not standard (primary table is not listed).
> >
> >It's a very nice feature - you don't have to think about how you've received
> >routes (interface, static, BGP, MP-BGP, IGP) and leak them all using a single
> >policy in rib-group declaration.
> >
>
> Wow, looks nice. I will give it a try. Can I specify a policy in the rib-groups?

Yes, you can. I've tested it in 11.4R7.5 - works fine in a few l3vpns since 2013.

-- 
Regards
Daniel "orcus" Dobrijałowski
Wrocławskie Centrum Sieciowo-Superkomputerowe

Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Raphael Mazelier



On 21/03/2016 18:06, Daniel Dobrijałowski wrote:

> Use auto-export and rib-groups together:
> http://www.juniper.net/documentation/en_US/junos15.1/topics/example/vpn-overlapping-vpns-using-automatic-route-export-configuring.html
> See "Configuring Overlapping VPNs and Additional Tables" section.
>
> Remember to read the last paragraph in that section, because usage of import-rib
> is not standard (primary table is not listed).
>
> It's a very nice feature - you don't have to think about how you've received
> routes (interface, static, BGP, MP-BGP, IGP) and leak them all using a single
> policy in rib-group declaration.

Wow, looks nice. I will give it a try. Can I specify a policy in the
rib-groups?


--
Raphael Mazelier

Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Raphael Mazelier




> set routing-instances INTERNET protocols bgp family inet unicast rib-group INTERNET-to-MAIN-UCAST
> set routing-instances INTERNET protocols bgp family inet6 unicast rib-group INTERNET-to-MAIN-UCAST6
> set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib INTERNET.inet.0
> set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib inet.0
> set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib INTERNET.inet6.0
> set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib inet6.0


Mhm, I have just tested and it does not work this way for me.
Here is a snippet of my conf:

rib-groups {
    internet-to-inet0 {
        import-rib [ internet.inet.0 inet.0 ];
        import-policy ipv4-internet-out;
    }
}

and in the vrf 'internet':

protocols {
    bgp {
        group ibgp-internal {
            type internal;
            family inet {
                unicast {
                    rib-group internet-to-inet0;
                }
            }
            neighbor x.x.x.x;
        }
    }
}

Without the neighbor knob activated, the pfx are not leaked.

--
Raphael Mazelier



Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Daniel Dobrijałowski
Hi,

On Mon, Mar 21, 2016 at 05:04:35PM +0100, Raphael Mazelier wrote:
> - advertise twice the route in family inet in addition to inet-vpn, in order
> to leak it with rib-group (since rib-group only works when pfx is in a
> primary table)

> This last solution seems to be the least manual (I don't want to make config
> for each pfx) but seems tricky/ugly.
> I got a working setup with these but it definitely looks weird.

Use auto-export and rib-groups together:
http://www.juniper.net/documentation/en_US/junos15.1/topics/example/vpn-overlapping-vpns-using-automatic-route-export-configuring.html
See "Configuring Overlapping VPNs and Additional Tables" section.

Remember to read the last paragraph in that section, because usage of import-rib
is not standard (primary table is not listed).

It's a very nice feature - you don't have to think about how you've received
routes (interface, static, BGP, MP-BGP, IGP) and leak them all using a single
policy in rib-group declaration.

-- 
Best Regards
Daniel "orcus" Dobrijalowski
WCSS
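
Added example, not part of the thread and not any poster's configuration: a sketch of the auto-export plus rib-group arrangement described in the message above, with the leak into inet.0 constrained by an import-policy so that only intended prefixes cross from the VRF into the global table. The instance name INTERNET is borrowed from elsewhere in the thread; the rib-group, policy and prefix-list names and the documentation prefixes are constructed, and import-rib lists only inet.0 because the message says the primary table is not listed in this usage.

```junos
policy-options {
    /* constructed sample: customer public prefixes allowed into inet.0 */
    prefix-list CUSTOMER-PUBLIC {
        192.0.2.0/24;
        198.51.100.0/24;
    }
    policy-statement LEAK-TO-INET0 {
        term customer-public {
            from {
                prefix-list-filter CUSTOMER-PUBLIC orlonger;
            }
            then accept;
        }
        /* explicit reject so nothing else from the VRF reaches the global table */
        term deny-rest {
            then reject;
        }
    }
}
routing-options {
    rib-groups {
        INTERNET-TO-INET0 {
            /* non-standard usage: only the additional table is listed */
            import-rib inet.0;
            import-policy LEAK-TO-INET0;
        }
    }
}
routing-instances {
    INTERNET {
        routing-options {
            auto-export {
                family inet {
                    unicast {
                        /* auto-export copies the instance's routes into the rib-group's tables */
                        rib-group INTERNET-TO-INET0;
                    }
                }
            }
        }
    }
}
```

After commit, `show route table inet.0` should contain only the prefixes matched by the policy; any other VRF route appearing there means the policy is not being applied to the leak.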


Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Chuck Anderson

On Mon, Mar 21, 2016 at 05:04:35PM +0100, Raphael Mazelier wrote:
> I am currently evaluating how to migrate the internet dmz, and the
> public pfx of my customers into VRF.
> During the migration phase I have to leak pfx from vrf to the global table.
> Don't ask why, but I cannot do the leaking on the PE-CE side as it
> should normally occur.
> So I want to do leaking on the remote PE from pfx learned via mp-bgp
> on the vrf to the global, and afaik it is not possible directly.
> 
> I know that this topic has been discussed before, but if someone
> has some hints on how to do this the cleanest way possible.

You can use rib-groups to do this.

> - advertise twice the route in family inet in addition to inet-vpn,
> in order to leak it with rib-group (since rib-group only works when
> pfx is in a primary table)

I don't think this is true.  I'm doing this and it works.

set routing-instances INTERNET protocols bgp family inet unicast rib-group INTERNET-to-MAIN-UCAST
set routing-instances INTERNET protocols bgp family inet6 unicast rib-group INTERNET-to-MAIN-UCAST6
set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib INTERNET.inet.0
set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib inet.0
set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib INTERNET.inet6.0
set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib inet6.0


Re: [j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread chip
Hi Raphael,

  If I'm understanding what you want correctly you can use rib-groups to do
this.

routing-options {
    rib-groups {
        FROM-VRF-TO-GLOBAL {
            import-rib [ SOURCE-VRF inet.0 ];
            import-policy WHATEVER-POLICY-YOU-WANT;
        }
    }
}

see:
http://forums.juniper.net/t5/TheRoutingChurn/Using-rib-groups-or-auto-export-for-route-leaking/ba-p/202349

http://kb.juniper.net/InfoCenter/index?page=content=kb16133=search

--chip

On Mon, Mar 21, 2016 at 12:04 PM, Raphael Mazelier wrote:

> Hello,
>
> I am currently evaluating how to migrate the internet dmz, and the public
> pfx of my customers into VRF.
> During the migration phase I have to leak pfx from vrf to the global table.
> Don't ask why, but I cannot do the leaking on the PE-CE side as it should
> normally occur.
> So I want to do leaking on the remote PE from pfx learned via mp-bgp on
> the vrf to the global, and afaik it is not possible directly.
>
> I know that this topic has been discussed before, but if someone has
> some hints on how to do this the cleanest way possible.
>
> Options I found in old threads are:
> - use static routes with next-table (tested and works but completely manual)
> - use a lt interface between global and vrf (and use some routing protocol?)
> - advertise twice the route in family inet in addition to inet-vpn, in
> order to leak it with rib-group (since rib-group only works when pfx is in a
> primary table)
>
> This last solution seems to be the least manual (I don't want to make
> config for each pfx) but seems tricky/ugly.
> I got a working setup with these but it definitely looks weird.
>
> What are your opinions/hints?
>
> --
> Raphael Mazelier
>



-- 
Just my $.02, your mileage may vary,  batteries not included, etc


[j-nsp] Leaking from a vrf to inet0

2016-03-21 Thread Raphael Mazelier

Hello,

I am currently evaluating how to migrate the internet dmz, and the
public pfx of my customers into VRF.

During the migration phase I have to leak pfx from vrf to the global table.
Don't ask why, but I cannot do the leaking on the PE-CE side as it
should normally occur.
So I want to do leaking on the remote PE from pfx learned via mp-bgp on
the vrf to the global, and afaik it is not possible directly.

I know that this topic has been discussed before, but if someone has
some hints on how to do this the cleanest way possible.

Options I found in old threads are:
- use static routes with next-table (tested and works but completely manual)
- use a lt interface between global and vrf (and use some routing
protocol?)
- advertise twice the route in family inet in addition to inet-vpn, in
order to leak it with rib-group (since rib-group only works when pfx is
in a primary table)

This last solution seems to be the least manual (I don't want to make
config for each pfx) but seems tricky/ugly.

I got a working setup with these but it definitely looks weird.

What are your opinions/hints?

--
Raphael Mazelier