
Configuring Overlapping VPNs

Policy-based instance export automatically exports routes between VRF instances that refer to the same route target community. If this feature is enabled, a VRF-target tree is constructed by examining the vrf-import and vrf-export policies configured on the system. When an instance refers to a given target in its vrf-import policy, this instance is added to the import list of the target. Similarly, if the instance refers to a specific route target in its vrf-export policy, the instance is added to the export list for that target. Route targets that contain a single importer that matches a single exporter, or that lack importers and exporters altogether, are ignored by the router when policies are evaluated.

The “rt-export” module tracks changes in routing tables that export a specified route target. When routing changes occur, the vpn-export policy of an instance is applied to the route. Also, if allowed, the route will be imported to all the import tables (subject to vrf-import policy) of the route targets set by the export policy.
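The target tree described above, sketched in Python as an added example (not Juniper's implementation) that lists which instances would exchange routes locally and flags pairs outside an intended design. The route target values, the function names, the assumption that auto-export is enabled on every listed instance, and the reading of the "ignored target" rule as "no importer, no exporter, or one instance that is both" are all assumptions of this example.

```python
from collections import defaultdict

# Constructed sample: route targets referenced by each instance's vrf-import
# and vrf-export policies. Instance names follow the page; target values are
# placeholders. auto-export is assumed enabled on every instance listed.
POLICIES = {
    "VPN-A":  {"import": {"target:64500:1", "target:64500:12"}, "export": {"target:64500:1"}},
    "VPN-AB": {"import": {"target:64500:1", "target:64500:2", "target:64500:12"},
               "export": {"target:64500:12"}},
    "VPN-B":  {"import": {"target:64500:2", "target:64500:12"}, "export": {"target:64500:2"}},
    "VPN-C":  {"import": {"target:64500:3"}, "export": {"target:64500:3"}},
}

def build_target_tree(policies):
    """Map each route target to the instances that import and export it."""
    tree = defaultdict(lambda: {"importers": set(), "exporters": set()})
    for instance, refs in policies.items():
        for target in refs["import"]:
            tree[target]["importers"].add(instance)
        for target in refs["export"]:
            tree[target]["exporters"].add(instance)
    return dict(tree)

def is_ignored(node):
    """Targets with no importer or exporter, or whose single importer is
    also its single exporter, cannot move routes between instances."""
    imp, exp = node["importers"], node["exporters"]
    return not imp or not exp or (len(imp) == 1 and imp == exp)

def local_leaks(policies):
    """Return (exporter, importer, target) triples for local route exchange."""
    leaks = set()
    for target, node in build_target_tree(policies).items():
        if is_ignored(node):
            continue
        for src in node["exporters"]:
            # Only primary routes are exported, so there is no transitive step.
            for dst in node["importers"] - {src}:
                leaks.add((src, dst, target))
    return leaks

def unexpected_leaks(policies, allowed_pairs):
    """Flag instance pairs that exchange routes but are not in the design."""
    return sorted({(s, d) for s, d, _ in local_leaks(policies)} - set(allowed_pairs))

if __name__ == "__main__":
    for src, dst, target in sorted(local_leaks(POLICIES)):
        print(f"{src} -> {dst} via {target}")
```

Comparing the computed pairs against the intended overlap before committing a policy change shows whether a new target reference would join two VPNs that were meant to stay separate.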

The auto-export statement is particularly useful for configuring overlapping VPNs. The auto-export statement determines which routing tables to export routes from and import routes to by examining the existing policy configuration, which can include vrf-target configuration. (For more information on the vrf-target statement, see the JUNOS VPNs Configuration Guide.)

When you use the auto-export statement, the behavior varies significantly from the behavior of the rib-groups statement. With the auto-export statement, only the primary route from the originating routing table is exported. In addition, routes exported from the originating VRF to another on the same PE router honor the export policy changes to route attributes. As a result, you must add each originating route target to the exported routes when you use the auto-export statement.

The next sample configuration uses a Border Gateway Protocol (BGP) session between a PE and a CE router. It shows the configuration changes required when you use the auto-export feature. Lines commented out and tagged # Old method are the rib-group statements from JUNOS Release 5.4 and earlier that can be omitted, whereas lines tagged # New method show the new, simplified style of configuration.

[edit]
# routing-options {  # Old method
#     rib-groups {  # Old method
#         vpna-vpnab {  # Old method
#             import-rib [VPN-A.inet.0 VPN-AB.inet.0];  # Old method
#         }
#         vpnab-vpna_and_vpnb {  # Old method
#             import-rib [VPN-AB.inet.0 VPN-A.inet.0 VPN-B.inet.0];  # Old method
#         }
#     }
# }
routing-instances {
    VPN-A {
        instance-type vrf;
        interface fe-1/0/0.0;
        route-distinguisher 10.255.255.175:3;
        vrf-import vpna-import;
        vrf-export vpna-export;
        routing-options {  # New method
            auto-export;  # New method
        }
        protocols {
            bgp {
                group vpna-site1 {
#                   family inet {  # Old method
#                       unicast {  # Old method
#                           rib-group vpna-vpnab;  # Old method
#                       }
#                   }
                    peer-as 1;
                    neighbor 192.255.197.141;
                }
            }
        }
    }
    VPN-AB {
        instance-type vrf;
        interface fe-1/1/0.0;
        route-distinguisher 10.255.255.175:9;
        vrf-import vpnab-import;
        vrf-export vpnab-export;
        routing-options {  # New method
            auto-export;  # New method
        }
        protocols {
            bgp {
                group vpnab-site1 {
#                   family inet {  # Old method
#                       unicast {  # Old method
#                           rib-group vpnab-vpna_and_vpnb;  # Old method
#                       }
#                   }
                    peer-as 9;
                    neighbor 192.255.197.178;
                }
            }
        }
    }
}

In some overlapping VPN cases, additional configuration information is required:

  • When vrf-import and vrf-export policies are configured on a per-instance basis, you must enable or disable the policies individually for unicast or multicast, especially when multicast network layer reachability information (NLRI) is configured.
  • When you use auto-export between overlapping VPNs and require a subset of the routes learned from an instance to be installed into the inet.0 or instance.inet.2 routing tables, you must install the routes with additional configuration statements.

To support scenarios in which not all the required information is present in the vrf-import and vrf-export policies, you can configure additional routing tables with a routing table group. For example, if you wish to add routes from VPN A and VPN AB to the inet.0 routing table, the following additional configuration parameters are required:

[edit]
routing-options {
    rib-groups {
        inet-access {
            import-rib inet.0;
        }
    }
}
routing-instances {
    VPN-A {
        routing-options {
            auto-export {
                family inet {
                    unicast {
                        rib-group inet-access;
                    }
                }
            }
        }
    }
    VPN-AB {
        routing-options {
            auto-export {
                family inet {
                    unicast {
                        rib-group inet-access;
                    }
                }
            }
        }
    }
}

There is a significant difference in how routing table groups are used in this case and how they are used more generally. Typically, routing table groups require that the exporting routing table be referenced as the primary import routing table in the rib-group configuration. In this case, the restriction is lifted and the routing table group functions as an additional list of tables that export routes.

 

Note: When upgrading to JUNOS Release 5.4 or later, be aware that route export behavior differs when using the auto-export command instead of rib-group export:

  • When you use the rib-group statement to export between routing tables, both primary routes (routes in the originating routing table) and secondary routes (routes imported from other routing tables) are exported to the remote PE routers. When you use the auto-export statement, only the primary routes from the originating routing table are exported.
  • Routes exported from an originating VRF instance to another on the same PE now honor export policy changes to route attributes. When you use the auto-export statement, you must add the originating route target to the exported routes. With rib-group statements, no additional configuration is necessary.

Published: 2010-04-15
