Re: [j-nsp] move routes from VRF to inet.0
Hello,

I may have a workable solution.

As pointed out by Adam, you cannot copy via rib-groups routes in VRF learned from mpBGP since they are already a copy of routes inside bgp.l3vpn table.

I guess you cannot copy either routes from bgp.l3vpn table into inet.0 via rib-groups since that would copy inet-vpn family routes into an inet family table. Actually I didn't try, that may do the trick if JunOS is super-smart :) That would require putting some rib-group configuration on your main mpBGP session on family inet-vpn that I wouldn't dare put on live routers :)

The dirty trick I used is to have loopback interfaces inside the VRF on both PEs, and make an iBGP session inside the VRF between both PEs, and exchanging routes from PE2 to PE1 on this session.

This way, routes learned from PE2 on PE1 VRF are of family inet and considered CE routes (i.e. their primary table is VRF.inet.0), on top of it JunOS puts the correct labels (VRF-label@PE-label) on the push list of the routes.

You can then use your C1-internet rib-group applied on protocol BGP inside the VRF on PE1, this will copy BGP routes as-is into inet.0, with the correct label push list, so packets will end inside VRF on PE2.

You may have to prevent PE2 from advertising its routes in the normal way (i.e. in mpBGP) to prevent duplicates and only have the iBGP ipv4 routes on PE1.

I had this setup lab tested, seemed to work, we're gonna have it in production in the coming days.

This dirty BGP session from PE to PE may not be suitable for everyone, ofc, not the cleanest of setups :)

AFAIK, both Juniper and Redback allow these PE-to-PE BGP sessions, Cisco prohibits it (IOS considers CE routes must have CE-PE interfaces as next-hop interface)

Regards,
Bastien

On 04/02/2014 09:47, Tobias Heister wrote:
> Hi,
>
> On 04.02.2014 04:25, Bikram Singh wrote:
>>> There might be a couple of alternate solutions coming to mind:
>>> 1. move all internet Routes to the CE1 table and use static routes to point back at the VRF with next-table from inet.0 which will not really scale beyond a single l3vpn.
>>> 2. use a separate VRF for the internet routes and use auto-export, rib-groups, vrf-import/export policy to move routes around. This would need a rework of our network and is not really feasible right now.
>>
>> If point 2. is not feasible then you can do below
>>
>> Since you have already put a static route from VRF pointing to inet.0 for the traffic going to internet now you need to work for reverse traffic from internet to CE1 or CE2. As you have mentioned that they use Public IP in that case you can put all VPN routes (from CE1 and CE2) or aggregate routes into inet.0 using rib-groups to attract reverse traffic from internet.
>
> That is actually what I am trying right now. But I am not able to put all the VPN Routes into inet.0
> I have trouble to move the ones learned from the remote PE, as I have no clue how and where to match them with a rib-group as they are from protocol BGP and are placed there by the l3vpn itself.
>
> If you happen to have an example how to move the BGP routes received from the remote PE to inet.0 I would be happy if you would share it.
>
> I already have a manual aggregate route covering CE1 and CE2 prefixes in inet.0 which I am exporting into the iBGP to get the internet incoming Traffic to the PE1. What I am missing are routes for the remote CE/PE on PE1 inet.0 in order to direct the traffic to the remote PE (PE2/CE2).
>
> regards
> Tobias

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
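
The PE1 side of the workaround described in the message above (loopback inside the VRF, iBGP session inside the VRF, rib-group on that session), as an added configuration sketch that is not part of the original post or any poster's own config. The names C1 and C1-internet come from the thread; the addresses, route distinguisher and target, BGP group name and the C1-public-only import policy are constructed for illustration, and the import policy limiting what lands in inet.0 goes beyond what the post describes.

```junos
/* PE1 side only. Constructed values: 192.0.2.x loopbacks, 198.51.100.0/24, 64500:1 */
interfaces {
    lo0 {
        unit 1 {
            family inet {
                address 192.0.2.1/32;
            }
        }
    }
}
policy-options {
    /* hypothetical policy: only the customer's public prefixes reach inet.0 */
    policy-statement C1-public-only {
        term customer {
            from {
                route-filter 198.51.100.0/24 orlonger;
            }
            then accept;
        }
        term no-other-leaks {
            to rib inet.0;
            then reject;
        }
    }
}
routing-options {
    rib-groups {
        C1-internet {
            /* primary table is listed first */
            import-rib [ C1.inet.0 inet.0 ];
            import-policy C1-public-only;
        }
    }
}
routing-instances {
    C1 {
        instance-type vrf;
        interface lo0.1;
        route-distinguisher 64500:1;
        vrf-target target:64500:1;
        protocols {
            bgp {
                group vrf-pe-to-pe {
                    type internal;
                    local-address 192.0.2.1;
                    family inet {
                        unicast {
                            /* copies routes learned on this session into inet.0 */
                            rib-group C1-internet;
                        }
                    }
                    /* PE2's loopback inside the same VRF */
                    neighbor 192.0.2.2;
                }
            }
        }
    }
}
```

Because C1-internet is also applied to OSPF and interface routes in the thread, the import policy filters those copies into inet.0 as well.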
Re: [j-nsp] move routes from VRF to inet.0
Tobias,

You can use a Logical Tunnel (LT) interface on the PE to interconnect your VRF with inet.0 and exchange routes between each of them using BGP.

Config example to set up LT interface with VR routing-instance but this will work with VRF as well:
https://www.juniper.net/techpubs/en_US/junos12.3/topics/example/logical-systems-connecting-ls-interface.html

Hope this helps!
Steve

On Mon, Feb 3, 2014 at 12:43 PM, Tobias Heister li...@tobias-heister.de wrote:
> Hi,
>
> I am trying to wrap my head around a (seemingly) simple l3VPN Setup with internet access. I am labbing this up right now and got stuck.
>
> The setup is very simple:
>
>     CE1 -- PE1 -- PE2 -- CE2
>
> We have a l3VPN between CE1 and CE2, routes are exchanged and all routes from CE1 are seen by CE2 and vice versa. In this example CE-PE protocol is OSPF, but it could be any protocol I guess. We do have a sham-link setup between the PEs, so we do not need to redistribute the routes from BGP to OSPF on the PEs.
>
> Up to here everything works fine.
>
> We now want to give the customer/VRF access to the internet at PE1. PE1 has a full table in inet.0 so we configure a static default route on CE1 pointing to table inet.0
>
>     static {
>         route 0.0.0.0/0 next-table inet.0;
>     }
>
> On CE1 we redistribute that default route to ospf so that CE2 knows how to reach the internet. CE2 can see the default route and will route all traffic to CE1.
>
> Now we need to let the Internet know how to reach the IPs of CE1 and CE2. Let's assume they use public addresses and we do not need to use nat.
>
> We can use rib-groups to move the interface routes for CE1 to inet.0. We can also use a rib-group under protocols ospf in the routing instance on PE1 to get the ospf routes into inet.0
>
>     ## routing instance ##
>     routing-options {
>         interface-routes {
>             rib-group inet C1-internet;
>         }
>     }
>     protocols {
>         ospf {
>             rib-group C1-internet;
>             export C1-export-default;
>         }
>     }
>     ##
>     rib-group C1-internet {
>         import-rib [ C1.inet.0 inet.0 ];
>     }
>
> Afterwards we do have all the routes known via OSPF and all the direct routes visible in inet.0.
>
> But what about the routes from CE2? They are only known as BGP routes imported via the vrf-target configuration. Is there any way to move these BGP routes to the inet.0 table in PE1?
>
> I have tried a couple of things e.g. auto-export but it seems only to work on the OSPF and direct routes, and I already have them covered with the rib-groups from above.
>
> Simply putting a route with next-table VRF into inet.0 will not work because we already have a route pointing back to inet.0 in this table and the junos parser will not let that happen.
>
>     error: [rib inet.0 routing-options static] next-table may loop
>
> I also tried to find help in the documentation, but it seems that this scenario is not covered. I also found a couple of older threads around the internet, but none of them really has a solution.
>
> There might be a couple of alternate solutions coming to mind:
> 1. move all internet Routes to the CE1 table and use static routes to point back at the VRF with next-table from inet.0 which will not really scale beyond a single l3vpn.
> 2. use a separate VRF for the internet routes and use auto-export, rib-groups, vrf-import/export policy to move routes around. This would need a rework of our network and is not really feasible right now.
>
> Do I miss something, like an easy knob? Or am I asking the wrong questions?
>
> --
> Kind Regards
> Tobias
Re: [j-nsp] move routes from VRF to inet.0
Hi Mike,

also what we do here.

However, that was not that easy, we observed that a discard route imported to another vrf via auto-export on the same box was imported with its next-hop, that is... discard, instead of triggering an additional lookup in the internet table (what we use on some Ericsson/Redback routers in the same MPLS network).

We ended up finding a way with some stupidly overcomplicated tricks (next-table route imported from a third vrf only used to contain such next-table routes with vrf-no-advertise, preventing its readvertisement once imported, while taking advantage of the fact that next-table routes are more preferred than discard routes in a Junos RIB, etc...) leaving us with a nicely working but outrageously complicated config (but sometimes I suspect that it's the Junos Signature...).

So, I'm rather curious to know the way you implemented that, in fact :) But maybe the routes you import are not discard?

regards,
Olivier

On 3 Feb 2014 at 23:44, Michael Gehrmann mgehrm...@macquarietelecom.com wrote:
> Hi Tobias,
>
> To put it simply your alternative option 2 would work. We use an Internet table/vrf to collect CE routes and then import a default from the Internet table into the CE vrf. To make it easy we add communities to the routes for easy identification.
>
> Regards
> Mike
Re: [j-nsp] move routes from VRF to inet.0
Tobias,

When you receive inet-vpn routes from remote PE, they are put into bgp.l3vpn.0 first. This is their primary RIB from the perspective of this PE. Entries in VRF are considered secondary and are already leaked based on vrf-target/vrf-import policy (think of it as automatic leaking between these two tables that happens in the background w/o additional config).

When you try to leak routes from VRF into inet.0 via rib-groups, you are only touching the VRF routes local to this instance (import-rib definition has to contain the primary table first - vpn-x.inet.0 in this case) copying them into inet.0. You cannot copy prefixes coming from remote PEs in this way.

Thanks,
Adam

On Tue, Feb 4, 2014 at 9:47 AM, Tobias Heister li...@tobias-heister.de wrote:
> Hi,
>
> On 04.02.2014 04:25, Bikram Singh wrote:
>>> There might be a couple of alternate solutions coming to mind:
>>> 1. move all internet Routes to the CE1 table and use static routes to point back at the VRF with next-table from inet.0 which will not really scale beyond a single l3vpn.
>>> 2. use a separate VRF for the internet routes and use auto-export, rib-groups, vrf-import/export policy to move routes around. This would need a rework of our network and is not really feasible right now.
>>
>> If point 2. is not feasible then you can do below
>>
>> Since you have already put a static route from VRF pointing to inet.0 for the traffic going to internet now you need to work for reverse traffic from internet to CE1 or CE2. As you have mentioned that they use Public IP in that case you can put all VPN routes (from CE1 and CE2) or aggregate routes into inet.0 using rib-groups to attract reverse traffic from internet.
>
> That is actually what I am trying right now. But I am not able to put all the VPN Routes into inet.0
> I have trouble to move the ones learned from the remote PE, as I have no clue how and where to match them with a rib-group as they are from protocol BGP and are placed there by the l3vpn itself.
>
> If you happen to have an example how to move the BGP routes received from the remote PE to inet.0 I would be happy if you would share it.
>
> I already have a manual aggregate route covering CE1 and CE2 prefixes in inet.0 which I am exporting into the iBGP to get the internet incoming Traffic to the PE1. What I am missing are routes for the remote CE/PE on PE1 inet.0 in order to direct the traffic to the remote PE (PE2/CE2).
>
> regards
> Tobias
[j-nsp] move routes from VRF to inet.0
Hi,

I am trying to wrap my head around a (seemingly) simple l3VPN Setup with internet access. I am labbing this up right now and got stuck.

The setup is very simple:

    CE1 -- PE1 -- PE2 -- CE2

We have a l3VPN between CE1 and CE2, routes are exchanged and all routes from CE1 are seen by CE2 and vice versa. In this example CE-PE protocol is OSPF, but it could be any protocol I guess. We do have a sham-link setup between the PEs, so we do not need to redistribute the routes from BGP to OSPF on the PEs.

Up to here everything works fine.

We now want to give the customer/VRF access to the internet at PE1. PE1 has a full table in inet.0 so we configure a static default route on CE1 pointing to table inet.0

    static {
        route 0.0.0.0/0 next-table inet.0;
    }

On CE1 we redistribute that default route to ospf so that CE2 knows how to reach the internet. CE2 can see the default route and will route all traffic to CE1.

Now we need to let the Internet know how to reach the IPs of CE1 and CE2. Let's assume they use public addresses and we do not need to use nat.

We can use rib-groups to move the interface routes for CE1 to inet.0. We can also use a rib-group under protocols ospf in the routing instance on PE1 to get the ospf routes into inet.0

    ## routing instance ##
    routing-options {
        interface-routes {
            rib-group inet C1-internet;
        }
    }
    protocols {
        ospf {
            rib-group C1-internet;
            export C1-export-default;
        }
    }
    ##
    rib-group C1-internet {
        import-rib [ C1.inet.0 inet.0 ];
    }

Afterwards we do have all the routes known via OSPF and all the direct routes visible in inet.0.

But what about the routes from CE2? They are only known as BGP routes imported via the vrf-target configuration. Is there any way to move these BGP routes to the inet.0 table in PE1?

I have tried a couple of things e.g. auto-export but it seems only to work on the OSPF and direct routes, and I already have them covered with the rib-groups from above.

Simply putting a route with next-table VRF into inet.0 will not work because we already have a route pointing back to inet.0 in this table and the junos parser will not let that happen.

    error: [rib inet.0 routing-options static] next-table may loop

I also tried to find help in the documentation, but it seems that this scenario is not covered. I also found a couple of older threads around the internet, but none of them really has a solution.

There might be a couple of alternate solutions coming to mind:
1. move all internet Routes to the CE1 table and use static routes to point back at the VRF with next-table from inet.0 which will not really scale beyond a single l3vpn.
2. use a separate VRF for the internet routes and use auto-export, rib-groups, vrf-import/export policy to move routes around. This would need a rework of our network and is not really feasible right now.

Do I miss something, like an easy knob? Or am I asking the wrong questions?

--
Kind Regards
Tobias
Re: [j-nsp] move routes from VRF to inet.0
Hi Tobias,

To put it simply your alternative option 2 would work. We use an Internet table/vrf to collect CE routes and then import a default from the Internet table into the CE vrf. To make it easy we add communities to the routes for easy identification.

Regards
Mike

-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Tobias Heister
Sent: Tuesday, 4 February 2014 4:43 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] move routes from VRF to inet.0

Hi,

I am trying to wrap my head around a (seemingly) simple l3VPN Setup with internet access. I am labbing this up right now and got stuck.

The setup is very simple:

    CE1 -- PE1 -- PE2 -- CE2

We have a l3VPN between CE1 and CE2, routes are exchanged and all routes from CE1 are seen by CE2 and vice versa. In this example CE-PE protocol is OSPF, but it could be any protocol I guess. We do have a sham-link setup between the PEs, so we do not need to redistribute the routes from BGP to OSPF on the PEs.

Up to here everything works fine.

We now want to give the customer/VRF access to the internet at PE1. PE1 has a full table in inet.0 so we configure a static default route on CE1 pointing to table inet.0

    static {
        route 0.0.0.0/0 next-table inet.0;
    }

On CE1 we redistribute that default route to ospf so that CE2 knows how to reach the internet. CE2 can see the default route and will route all traffic to CE1.

Now we need to let the Internet know how to reach the IPs of CE1 and CE2. Let's assume they use public addresses and we do not need to use nat.

We can use rib-groups to move the interface routes for CE1 to inet.0. We can also use a rib-group under protocols ospf in the routing instance on PE1 to get the ospf routes into inet.0

    ## routing instance ##
    routing-options {
        interface-routes {
            rib-group inet C1-internet;
        }
    }
    protocols {
        ospf {
            rib-group C1-internet;
            export C1-export-default;
        }
    }
    ##
    rib-group C1-internet {
        import-rib [ C1.inet.0 inet.0 ];
    }

Afterwards we do have all the routes known via OSPF and all the direct routes visible in inet.0.

But what about the routes from CE2? They are only known as BGP routes imported via the vrf-target configuration. Is there any way to move these BGP routes to the inet.0 table in PE1?

I have tried a couple of things e.g. auto-export but it seems only to work on the OSPF and direct routes, and I already have them covered with the rib-groups from above.

Simply putting a route with next-table VRF into inet.0 will not work because we already have a route pointing back to inet.0 in this table and the junos parser will not let that happen.

    error: [rib inet.0 routing-options static] next-table may loop

I also tried to find help in the documentation, but it seems that this scenario is not covered. I also found a couple of older threads around the internet, but none of them really has a solution.

There might be a couple of alternate solutions coming to mind:
1. move all internet Routes to the CE1 table and use static routes to point back at the VRF with next-table from inet.0 which will not really scale beyond a single l3vpn.
2. use a separate VRF for the internet routes and use auto-export, rib-groups, vrf-import/export policy to move routes around. This would need a rework of our network and is not really feasible right now.

Do I miss something, like an easy knob? Or am I asking the wrong questions?

--
Kind Regards
Tobias
Re: [j-nsp] move routes from VRF to inet.0
> There might be a couple of alternate solutions coming to mind:
> 1. move all internet Routes to the CE1 table and use static routes to point back at the VRF with next-table from inet.0 which will not really scale beyond a single l3vpn.
> 2. use a separate VRF for the internet routes and use auto-export, rib-groups, vrf-import/export policy to move routes around. This would need a rework of our network and is not really feasible right now.

If point 2. is not feasible then you can do below

Since you have already put a static route from VRF pointing to inet.0 for the traffic going to internet now you need to work for reverse traffic from internet to CE1 or CE2. As you have mentioned that they use Public IP in that case you can put all VPN routes (from CE1 and CE2) or aggregate routes into inet.0 using rib-groups to attract reverse traffic from internet.

Bikram