
Route Origin for VPNs

You can use route origin to prevent routes learned from one customer edge (CE) router and marked with an origin community from being advertised back to it from another CE router in the same AS.

In the example, the route origin is used to prevent routes learned from CE Router A that are marked with an origin community from being advertised back to CE Router E by AS 200. The example topology is shown in Figure 1.

Figure 1: Network Topology of Site of Origin Example


In this topology, CE Router A and CE Router E are in the same AS (AS200). They use EBGP to exchange routes with their respective provider edge (PE) routers, PE Router B and PE Router D. The two CE routers have a back connection.

The following sections describe how to configure the route origin for a group of VPNs:

Configuring the Site of Origin Community on CE Router A

The following section describes how to configure CE Router A to advertise routes with a site of origin community to PE Router B for this example.

Note: In this example, direct routes are configured to be advertised, but any route can be configured.

Configure a policy to advertise routes with the my-soo community on CE Router A as follows:

[edit]
policy-options {
    policy-statement export-to-my-isp {
        term a {
            from {
                protocol direct;
            }
            then {
                community add my-soo;
                accept;
            }
        }
    }
}

Configuring the Community on CE Router A

Configure the my-soo community on CE Router A as follows:

[edit]
policy-options {
    community my-soo {
        members origin:100:1;
    }
}

Applying the Policy Statement on CE Router A

Apply the export-to-my-isp policy statement as an export policy to the EBGP peering on CE Router A as follows:

[edit]
protocols {
    bgp {
        group my_isp {
            export export-to-my-isp;
        }
    }
}

When you issue the show route receive-protocol bgp detail command, you should see the following routes originated from PE Router B with the my-soo community:


user@host> show route receive-protocol bgp 10.12.99.2 detail
inet.0: 16 destinations, 16 routes (15 active, 0 holddown, 1 hidden)
inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
vpn_blue.inet.0: 8 destinations, 10 routes (8 active, 0 holddown, 0 hidden)
* 10.12.33.0/30 (2 entries, 1 announced)
     Nexthop: 10.12.99.2
     AS path: 100 I
     Communities: origin:100:1
  10.12.99.0/30 (2 entries, 1 announced)
     Nexthop: 10.12.99.2
     AS path: 100 I
     Communities: origin:100:1
* 10.255.71.177/32 (1 entry, 1 announced)
     Nexthop: 10.12.99.2
     AS path: 100 I
     Communities: origin:100:1
* 192.168.64.0/21 (1 entry, 1 announced)
     Nexthop: 10.12.99.2
     AS path: 100 I
     Communities: origin:100:1
iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
mpls.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
bgp.l3vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
__juniper_private1__.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

Configuring the Policy on PE Router D

Configure a policy on PE Router D that prevents routes with the my-soo community tagged by CE Router A from being advertised to CE Router E as follows:

[edit]
policy-options {
    policy-statement soo-ce1-policy {
        term a {
            from {
                community my-soo;
            }
            then {
                reject;
            }
        }
    }
}

Configuring the Community on PE Router D

Configure the community on PE Router D as follows:

[edit]
policy-options {
    community my-soo {
        members origin:100:1;
    }
}

Applying the Policy on PE Router D

To prevent routes learned from CE Router A from being advertised to CE Router E (the two routers can communicate these routes directly), apply the soo-ce1-policy policy statement as an export policy to the PE Router D and CE Router E EBGP session vpn_blue.

View the EBGP session on PE Router D using the show routing-instances command.


user@host# show routing-instances
vpn_blue {
    instance-type vrf;
    interface fe-2/0/0.0;
    vrf-target target:100:200;
    protocols {
        bgp {
            group ce2 {
                advertise-peer-as;
                peer-as 100;
                neighbor 10.12.99.6;
            }
        }
    }
}

Apply the soo-ce1-policy policy statement as an export policy to the PE Router D and CE Router E EBGP session vpn_blue as follows:

[edit routing-instances]
vpn_blue {
    protocols {
        bgp {
            group ce2 {
                export soo-ce1-policy;
            }
        }
    }
}
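
The following check is an added example, not part of the original documentation. It parses output in the format of show route receive-protocol bgp detail and applies the same match as soo-ce1-policy, so you can see which prefixes would be rejected toward CE Router E and which carry no site of origin tag and would therefore not be filtered. The sample output is constructed, the prefix 192.0.2.0/24 is a placeholder, and the default policy after term a is assumed to accept.

```python
import re

# Constructed sample in the format of "show route receive-protocol bgp <peer> detail";
# the last prefix is deliberately left untagged to show the failure case.
SAMPLE = """\
vpn_blue.inet.0: 8 destinations, 10 routes (8 active, 0 holddown, 0 hidden)
* 10.12.33.0/30 (2 entries, 1 announced)
     Nexthop: 10.12.99.2
     AS path: 100 I
     Communities: origin:100:1
  10.12.99.0/30 (2 entries, 1 announced)
     Nexthop: 10.12.99.2
     AS path: 100 I
     Communities: origin:100:1 target:100:200
* 192.0.2.0/24 (1 entry, 1 announced)
     Nexthop: 10.12.99.2
     AS path: 100 I
"""

TABLE_RE = re.compile(r"^(\S+): \d+ destinations")
ROUTE_RE = re.compile(r"^[*+\- ]?\s*(\d+\.\d+\.\d+\.\d+/\d+) \(")
COMM_RE = re.compile(r"^\s+Communities:\s+(.*)$")

def parse_routes(text):
    """Return {table: {prefix: set(communities)}} from detail output."""
    tables, table, prefix = {}, None, None
    for line in text.splitlines():
        if m := TABLE_RE.match(line):
            table, prefix = m.group(1), None
            tables[table] = {}
        elif (m := ROUTE_RE.match(line)) and table:
            prefix = m.group(1)
            tables[table].setdefault(prefix, set())
        elif (m := COMM_RE.match(line)) and prefix:
            tables[table][prefix].update(m.group(1).split())
    return tables

def soo_export(routes, soo="origin:100:1"):
    """Mimic soo-ce1-policy: reject tagged routes; the rest fall through
    to the default policy (assumed here to accept)."""
    rejected = sorted(p for p, c in routes.items() if soo in c)
    passed = sorted(p for p, c in routes.items() if soo not in c)
    return rejected, passed

if __name__ == "__main__":
    rejected, passed = soo_export(parse_routes(SAMPLE)["vpn_blue.inet.0"])
    print("rejected toward CE Router E:", rejected)
    print("NOT filtered (missing SoO tag):", passed)
```

Any prefix in the second list was received without the my-soo community, which means the export policy on CE Router A did not tag it and the reject term on PE Router D will not match it.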

Published: 2010-04-27
