ON THIS PAGE
Example: Using Policy Filters to Filter EVPN Routes
In Junos, routing policies can be used to control Border Gateway Protocol (BGP) route advertisements and to filter routes using different address families. But, although Ethernet VPN (EVPN) uses BGP to exchange MAC-IP addresses between different PE routers, differences such as the EVPN route prefix format and extended community information that is encoded in the BGP update message, mean that special match conditions are needed to be able to filter EVPN routes.
The examples in this topic show the various router configurations available in Junos for filtering EVPN routes.
Requirements
EVPN route filtering is supported on MX, VMX, EX, ACX, and QFX
devices running Junos Release 19.4R1 or later. It is available at
the routing-instance
level of the hierarchy (where it
is configured with vrf-export or vrf-import policy),
and at the protocols bgp
level (in which case you also
need to configure vpn-apply-export
for the policy to take
effect).
Overview
You can use policy filters to filter EVPN routes, for example to specify particular extended community attributes. Routes are filtered according to the match conditions you specify in the from qualifier of the policy. Supported match criteria for EVPN routes include EVPN NLRI type, BGP path attributes, route distinguishers, EVPN Ethernet Tag, Ethernet Segment Identifier (ESI), and MAC addresses in EVPN Type 2 routes.
The following route filters are also supported: local-preference, as-path, community, next-hop, metric, and origin.
Actions are taken according to the criteria you specify in the then qualifier specified in the policy.
See Routing policies for EVPN for a complete list and description of supported match conditions and actions.
Topology
The following network scenarios show the configuration used for setting up various EVPN match conditions.
Base Configuration
- CLI Quick Configuration
- Filtering BGP EVPN routes based on EVPN NLRI type
- Filtering BGP EVPN routes based on route distinguisher
- Filtering BGP EVPN routes based on EVPN Ethernet Tags
- Filtering BGP EVPN routes based on ESI
- Filtering BGP EVPN Type 2 and Type 5 routes based on IP address.
- Filtering BGP EVPN Type 2 routes using MAC address
- Filtering BGP EVPN Type 2 routes that contain (or do not contain) an IP address
- Filtering BGP EVPN routes according to an EVPN extended community
- Copying community information from EVPN Type 2 routes into EVPN Type 5 routes
CLI Quick Configuration
For EVPN routes, a policy can be applied at
the routing-instance
level of the hierarchy, or at the protocols bgp
level. The configuration for both is shown below.
At the routing-instance
level, the policy is applied as
an vrf-export
or vrf-import
policy. When an export policy is applied at the BGP group level, you must
configure vpn-apply-export
for the policy to work properly.
Case 1 shows the mandatory use of the statement vpn-apply-export
when a policy is applied at the BGP level of the hierarchy.
To use the example, you need to navigate to various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To quickly configure the examples, copy the list of commands,
paste them into a text file, remove any line breaks, change any details
necessary to match your network configuration, and then copy and paste
the commands into the CLI at the [edit]
hierarchy level.
Case 1: Applying the policy at the protocol BGP level of the hierarchy.
set protocols bgp group evpn-sessions type internal set protocols bgp group evpn-sessions local-address 10.255.255.4 set protocols bgp group evpn-sessions import bgp-evpn-exp set protocols bgp group evpn-sessions family evpn signaling set protocols bgp group evpn-sessions neighbor 10.255.255.1 set protocols bgp group evpn-sessions neighbor 10.255.255.6 set protocols bgp group evpn-sessions neighbor 10.255.255.8 set protocols bgp group evpn-sessions vpn-apply-export set policy-options policy-statement bgp-evpn-exp term 1 from family evpn set policy-options policy-statement bgp-evpn-exp term 1 from nlri-route-type 2 set policy-options policy-statement bgp-evpn-exp term 1 from nlri-route-type 3 set policy-options policy-statement bgp-evpn-exp term 1 then community add COM5 set policy-options policy-statement bgp-evpn-exp term 1 then as-path-prepend 999
Case 2 shows the mandatory use of the statements vrf-export
and vrf-import
when match conditions are being applied
at the routing instances level of the hierarchy.
EVPN uses 8 different route types to extend Layer 2 connectivity. The EVPN NLRI route type is defined in the first octet of the route prefix field in the BGP update message.
In Junos, the following EVPN route types, Type 1 AD per ESI, Type 4 ES, Type 7 IGMP join, and Type 8 IGMP leave, routes are not specific to a given routing-instance. Instead, they are automatically added to the default routing-instance table when exported. As a result no routing-instance vrf-export or vrf-import policies are applied to these route types. If you want to apply an export policy to these routes, you need to do it at the BGP export level of the hierarchy. The same is true for importing Type 1 per ESI, Type 4, Type 7, and Type 8 routes (they are automatically imported into the default-routing instance table). So, to apply an import policy to these route types, you need to do so at the BGP import level of the hierarchy rather than at the routing-instance level.
Case 2: Applying the policy at the routing-instance level of the hierarchy.
set routing-instances evpa protocols evpn set routing-instances evpa instance-type evpn set routing-instances evpa vlan-id none set routing-instances evpa routing-interface irb.600 set routing-instances evpa interface ge-0/0/1.600 set routing-instances evpa route-distinguisher 2:3 set routing-instances evpa vrf-export vrf-exp-pol set routing-instances evpa vrf-target target:1:1 set policy-options policy-statement vrf-exp-pol term 1 from family evpn set policy-options policy-statement vrf-exp-pol term 1 from nlri-route-type 1 set policy-options policy-statement vrf-exp-pol term 1 then community add COM11 set policy-options policy-statement vrf-exp-pol term 1 then accept
Filtering BGP EVPN routes based on EVPN NLRI type
CLI Quick Configuration
A complete list of set commands used in the example are presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.
Filtering BGP EVPN routes based on EVPN NLRI type
set policy-options policy-statement bgp-evpn-exp term 1 from family evpn set policy-options policy-statement bgp-evpn-exp term 1 from nlri-route-type 2 set policy-options policy-statement bgp-evpn-exp term 1 from nlri-route-type 3 set policy-options policy-statement bgp-evpn-exp term 1 then community add COM5 set policy-options policy-statement bgp-evpn-exp term 1 then as-path-prepend 999 set protocols bgp group evpn-session type internal set protocols bgp group evpn-session local-address 10.255.255.4 set protocols bgp group evpn-session family evpn signaling set protocols bgp group evpn-session export bgp-evpn-exp set protocols bgp group evpn-session neighbor 10.255.255.1 set protocols bgp group evpn-session neighbor 10.255.255.6 set protocols bgp group evpn-session neighbor 10.255.255.8 set protocols bgp group evpn-session vpn-apply-export
Step-by-Step Procedure
To set up the filtering of BGP EVPN routes based on BGP path attributes:
Configure the BGP path attributes you want to filter on (enclose multiple types in brackets and separate with a space) and the action to take on the matching routes.
[edit policy-options policy-statement bgp-evpn-exp] user@PE1# set term 1 from family evpn user@PE1# set term 1 from nlri-route-type [2 3] user@PE1# set term 1 then community add COM5 user@PE1# set term 1 then as-path-prepend 999
Configure the BGP group protocol session.
[edit protocols bgp group evpn-session ] user@PE1# set type internal user@PE1# set local-address 10.255.255.4 user@PE1# set family evpn signaling user@PE1# set import bgp-evpn-exp user@PE1# set neighbor 10.255.255.1 user@PE1# set neighbor 10.255.255.6 user@PE1# set neighbor 10.255.255.8 user@PE1# set vpn-apply-export
Results
To see your configuration results, from configuration
mode at the top of the CLI hierarchy, confirm your configuration by
entering the show policy-options policy-statement bgp-evpn-exp
, , and show protocols bgp group evpn-sessions
commands.
If the output does not display the intended configuration, repeat
the instructions in this example to correct the configuration.
user@PE1# show policy-options policy-statement bgp-evpn-exp term 1 { from { family evpn; nlri-route-type [ 2 3 ]; } then { community add COM5; as-path-prepend 999; } }
user@PE1# show protocols bgp group evpn-sessions group evpn-sessions { type internal; local-address 10.255.255.4; export bgp-evpn-exp; family evpn { signaling; neighbor 10.255.255.1; neighbor 10.255.255.6; neighbor 10.255.255.8; vpn-apply-export; }
Filtering BGP EVPN routes based on route distinguisher
CLI Quick Configuration
Route distinguisher (RD) information is encoded in the EVPN route prefix. This example shows how to filter EVPN routes on the basis of the route distinguisher.
A complete list of set commands used in the example are presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.
Filtering BGP EVPN routes based on route distinguisher
set policy-options policy-statement bgp-evpn-exp term 1 from family evpn set policy-options policy-statement bgp-evpn-exp term 1 from route-distinguisher 100:200 set policy-options policy-statement bgp-evpn-exp term 1 then community add COM5 set policy-options policy-statement bgp-evpn-exp term 1 then as-path-prepend 999 set protocols bgp group evpn-session type internal set protocols bgp group evpn-session local-address 10.255.255.4 set protocols bgp group evpn-session family evpn signaling set protocols bgp group evpn-session export bgp-evpn-exp set protocols bgp group evpn-session neighbor 10.255.255.1 set protocols bgp group evpn-session neighbor 10.255.255.6 set protocols bgp group evpn-session neighbor 10.255.255.8 set protocols bgp group evpn-session vpn-apply-export
Step-by-Step Procedure
To set up the filtering of BGP EVPN routes based on route distinguisher:
Configure the route distinguisher you want to filter on and the action to take on the matching routes.
[edit policy-options policy-statement bgp-evpn-exp] user@PE1# set term 1 from family evpn user@PE1# set term 1 from route-distinguisher 100:200 user@PE1# set term 1 then community add COM5 user@PE1# set term 1 then as-path-prepend 999
Configure the BGP group protocol session.
[edit protocols bgp group evpn-session ] user@PE1# set type internal user@PE1# set local-address 10.255.255.4 user@PE1# set family evpn signaling user@PE1# set export bgp-evpn-exp user@PE1# set neighbor 10.255.255.1 user@PE1# set neighbor 10.255.255.6 user@PE1# set neighbor 10.255.255.8 user@PE1# set vpn-apply-export
Results
To see your configuration results, from configuration
mode at the top of the CLI hierarchy, confirm your configuration by
entering the show policy-options policy-statement bgp-evpn-exp
, show policy-options route-distinguisher RD1
, and show protocols bgp group evpn-sessions
commands. If the output
does not display the intended configuration, repeat the instructions
in this example to correct the configuration.
user@PE1# show policy-options policy-statement bgp-evpn-exp term 1 { from { family evpn; route-distinguisher 100:200; } then { community add COM5; as-path-prepend 999; } }
user@PE1# show protocols bgp group evpn-sessions group evpn-sessions { type internal; local-address 10.255.255.4; import bgp-evpn-exp; family evpn { signaling; neighbor 10.255.255.1; neighbor 10.255.255.6; neighbor 10.255.255.8; vpn-apply-export; }
Filtering BGP EVPN routes based on EVPN Ethernet Tags
CLI Quick Configuration
EVPN Ethernet Tag information (or vlan-id
information) is carried in the prefix of the EVPN route. This example
shows how to filter EVPN routes based on the Ethernet Tag carried
in the prefix of the route. Note that you must include the family
evpn
qualifier when configuring this filtering option.
A complete list of set commands used in the example are presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.
Filtering BGP EVPN routes based on EVPN Ethernet Tags
set policy-options policy-statement bgp-evpn-exp term 1 from family evpn set policy-options policy-statement bgp-evpn-exp term 1 from evpn-tag [ 10 12 13 ] set policy-options policy-statement bgp-evpn-exp term 1 then community add COM5 set policy-options policy-statement bgp-evpn-exp term 1 then as-path-prepend 999 set protocols bgp group evpn-session type internal set protocols bgp group evpn-session local-address 10.255.255.4 set protocols bgp group evpn-session family evpn signaling set protocols bgp group evpn-session export bgp-evpn-exp set protocols bgp group evpn-session neighbor 10.255.255.1 set protocols bgp group evpn-session neighbor 10.255.255.6 set protocols bgp group evpn-session neighbor 10.255.255.8 set protocols bgp group evpn-session vpn-apply-export
Step-by-Step Procedure
To set up the filtering of BGP EVPN routes based on the EVPN Ethernet Tag:
Configure the EVPN Ethernet Tag you want to filter on and the action to take on the matching routes.
[edit policy-options policy-statement bgp-evpn-exp] user@PE1# set term 1 from family evpn user@PE1# set term 1 from evpn-tag [ 10 12 13 ] user@PE1# set term 1 then community add COM5 user@PE1# set term 1 then as-path-prepend 999
Configure the BGP group protocol session.
[edit protocols bgp group evpn-session ] user@PE1# set type internal user@PE1# set local-address 10.255.255.4 user@PE1# set family evpn signaling user@PE1# set import bgp-evpn-exp user@PE1# set neighbor 10.255.255.1 user@PE1# set neighbor 10.255.255.6 user@PE1# set neighbor 10.255.255.8 user@PE1# set vpn-apply-export
Results
To see your configuration results, from configuration
mode at the top of the CLI hierarchy, confirm your configuration by
entering the show policy-options policy-statement bgp-evpn-exp
, and show protocols bgp group evpn-sessions
commands.
If the output does not display the intended configuration, repeat
the instructions in this example to correct the configuration.
user@PE1# show policy-options policy-statement bgp-evpn-exp term 1 { from { family evpn; evpn-tag [ 10 12 13 ]; } then { community add COM5; as-path-prepend 999; } }
user@PE1# show protocols bgp group evpn-sessions group evpn-sessions { type internal; local-address 10.255.255.4; import bgp-evpn-exp; family evpn { signaling; neighbor 10.255.255.1; neighbor 10.255.255.6; neighbor 10.255.255.8; vpn-apply-export; }
Filtering BGP EVPN routes based on ESI
CLI Quick Configuration
You can use Ethernet Segment Identifier (ESI) based policy filters for Type 1, Type 2, Type 4, Type 7, and Type 8 routes, which are the only types to contain ESI information in the prefix.
A complete list of set commands used in the example are presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.
Filtering BGP EVPN routes based on ESI
set policy-options policy-statement bgp-evpn-exp term 1 from family evpn set policy-options policy-statement bgp-evpn-exp term 1 from evpn-esi 00:11:22:33:44:55:66:77:88:99 set policy-options policy-statement bgp-evpn-exp term 1 then community add COM1 set protocols bgp group evpn-session type internal set protocols bgp group evpn-session local-address 10.255.255.8 set protocols bgp group evpn-session family evpn signaling set protocols bgp group evpn-session export bgp-evpn-exp set protocols bgp group evpn-session vpn-apply-export set protocols bgp group evpn-session neighbor 10.255.255.1 set protocols bgp group evpn-session neighbor 10.255.255.4 set protocols bgp group evpn-session neighbor 10.255.255.6
Step-by-Step Procedure
To set up the filtering of BGP EVPN routes based on the ESI:
Configure the EVPN ESI you want to filter on and the action to take on the matching routes.
[edit policy-options policy-statement bgp-evpn-exp] user@PE1# set term 1 from family evpn user@PE1# set term 1 from evpn-esi 00:11:22:33:44:55:66:77:88:99 user@PE1# set term 1 then community add COM1
Configure the BGP group protocol session.
[edit protocols bgp group evpn-session ] user@PE1# set type internal user@PE1# set local-address 10.255.255.8 user@PE1# set family evpn signaling user@PE1# set export bgp-evpn-exp user@PE1# set vpn-apply-export user@PE1# set neighbor 10.255.255.1 user@PE1# set neighbor 10.255.255.4 user@PE1# set neighbor 10.255.255.6
Results
To see your configuration results, from configuration
mode at the top of the CLI hierarchy, confirm your configuration by
entering the show policy-options policy-statement bgp-evpn-exp
, and show protocols bgp group evpn-sessions
commands.
If the output does not display the intended configuration, repeat
the instructions in this example to correct the configuration.
user@PE1# show policy-options policy-statement bgp-evpn-exp term 1 { from { family evpn; evpn-esi 00:11:22:33:44:55:66:77:88:99; } then { community add COM1; } }
user@PE1# show protocols bgp group evpn-sessions group evpn-sessions { type internal; local-address 10.255.255.8; family evpn { signaling; export bgp-evpn-exp; vpn-apply-export; neighbor 10.255.255.1; neighbor 10.255.255.4; neighbor 10.255.255.6; }
Filtering BGP EVPN Type 2 and Type 5 routes based on IP address.
CLI Quick Configuration
You can use IPv4 or IPv6 addresses embedded
in the EVPN prefix field to filter EVPN Type 2 and Type 5 routes.
The following prefix-list
and route-filter
qualifiers
are also supported:
from prefix-list
from prefix-list-filter [ exact | longer | orlonger ]
from route-filter [ address-mask | exact | longer | orlonger | prefix-length-range | through | upto ]
from route-filter-list
A complete list of set commands used in the example are presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.
Filtering BGP EVPN Type 2 and Type 5 routes based on the IP address
set policy-options prefix-list pp1 10.1.1.10/32 set policy-options prefix-list pp1 10.1.1.11/32 set policy-options policy-statement bgp-evpn-exp term 1 from family evpn set policy-options policy-statement bgp-evpn-exp term 1 from prefix-list pp1 set policy-options policy-statement bgp-evpn-exp term 1 then community add COM1 set protocols bgp group evpn-session type internal set protocols bgp group evpn-session local-address 10.255.255.8 set protocols bgp group evpn-session family evpn signaling set protocols bgp group evpn-session export bgp-evpn-exp set protocols bgp group evpn-session vpn-apply-export set protocols bgp group evpn-session neighbor 10.255.255.1 set protocols bgp group evpn-session neighbor 10.255.255.4 set protocols bgp group evpn-session neighbor 10.255.255.6
Step-by-Step Procedure
To set up the filtering of BGP EVPN Type 2 and Type 5 routes based on the IP address:
Create a prefix list to be used in the policy statement.
[ edit policy-options prefix-list pp1] user@PE1# set 10.1.1.10/32 user@PE1# set 10.1.1.11/32
Configure the Type 2 and Type 5 IP address you want to filter on and the action to take on the matching routes.
[edit policy-options policy-statement bgp-evpn-exp] user@PE1# set term 1 from family evpn user@PE1# set term 1 from prefix-list pp1 user@PE1# set term 1 then community add COM1
Configure the BGP group protocol session.
[edit protocols bgp group evpn-session ] user@PE1# set type internal user@PE1# set local-address 10.255.255.8 user@PE1# set family evpn signaling user@PE1# set export bgp-evpn-exp user@PE1# set vpn-apply-export user@PE1# set neighbor 10.255.255.1 user@PE1# set neighbor 10.255.255.4 user@PE1# set neighbor 10.255.255.6
Results
To see your configuration results, from configuration
mode at the top of the CLI hierarchy, confirm your configuration by
entering the show policy-options policy-statement bgp-evpn-exp
, and show protocols bgp group evpn-sessions
commands.
If the output does not display the intended configuration, repeat
the instructions in this example to correct the configuration.
user@PE1# show policy-options prefix-list pp1 10.1.1.10/32; 10.1.1.11/32;
user@PE1# show policy-options policy-statement bgp-evpn-exp term 1 { from { family evpn; prefix-list pp1; } then { community add COM1; } }
user@PE1# show protocols bgp group evpn-sessions group evpn-sessions { type internal; local-address 10.255.255.8; family evpn { signaling; export bgp-evpn-exp; vpn-apply-export; neighbor 10.255.255.1; neighbor 10.255.255.4; neighbor 10.255.255.6; }
Filtering BGP EVPN Type 2 routes using MAC address
CLI Quick Configuration
You can use the MAC address in EVPN prefix to filter EVPN Type 2 routes.
A complete list of set commands used in the example are presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.
Filtering BGP EVPN Type 2 routes using MAC address
set policy-options mac-list mfl1 01:87:88:04:50:00 set policy-options mac-list mfl1 02:87:88:04:50:00 set policy-options mac-list mfl1 03:87:88:04:50:00 set policy-options mac-list mfl1 04:87:88:04:50:00 set policy-options mac-list mfl1 05:87:88:04:50:00 set policy-options mac-list mfl1 06:87:88:04:50:00 set policy-options mac-list mfl1 07:87:88:04:50:00 set policy-options mac-list mfl1 08:87:88:04:50:00 set policy-options mac-list mfl1 64:87:88:04:50:00 set policy-options policy-statement bgp-evpn-exp term 1 from family evpn set policy-options policy-statement bgp-evpn-exp term 1 from mac-filter-list mfl1 set policy-options policy-statement bgp-evpn-exp term 1 then accept set protocols bgp group evpn-session type internal set protocols bgp group evpn-session local-address 10.255.255.8 set protocols bgp group evpn-session family evpn signaling set protocols bgp group evpn-session export bgp-evpn-exp set protocols bgp group evpn-session vpn-apply-export set protocols bgp group evpn-session neighbor 10.255.255.1 set protocols bgp group evpn-session neighbor 10.255.255.4 set protocols bgp group evpn-session neighbor 10.255.255.6
Step-by-Step Procedure
To set up the filtering of BGP EVPN Type 2 routes using MAC address:
Create the list of the MAC addresses you want to filter on (mfl1 in this example).
[edit policy-options mac-list mfl1] user@PE1# set 01:87:88:04:50:00; user@PE1# set 02:87:88:04:50:00; user@PE1# set 03:87:88:04:50:00; user@PE1# set 04:87:88:04:50:00; user@PE1# set 05:87:88:04:50:00; user@PE1# set 06:87:88:04:50:00; user@PE1# set 07:87:88:04:50:00; user@PE1# set 08:87:88:04:50:00;
Apply a list of the MAC addresses you want to filter on, and the action you want to take (Accept, in this example).
[edit policy-options policy-statement bgp-evpn-exp] user@PE1# set term 1 from family evpn user@PE1# set term 1 from mac-filter-list mfl1 user@PE1# set term 1 then accept
Configure the BGP group protocol session.
[edit protocols bgp group evpn-session ] user@PE1# set type internal user@PE1# set local-address 10.255.255.8 user@PE1# set family evpn signaling user@PE1# set export bgp-evpn-exp user@PE1# set neighbor 10.255.255.1 user@PE1# set neighbor 10.255.255.4 user@PE1# set neighbor 10.255.255.6 user@PE1# set vpn-apply-export
Results
To see your configuration results, from configuration
mode at the top of the CLI hierarchy, confirm your configuration by
entering the show policy-options mac-list mfl1
, show
policy-options policy-statement bgp-evpn-exp
, and show
protocols bgp group evpn-sessions
commands. If the output does
not display the intended configuration, repeat the instructions in
this example to correct the configuration.
user@PE1# show policy-options mac-list mfl1 01:87:88:04:50:00; 02:87:88:04:50:00; 03:87:88:04:50:00; 04:87:88:04:50:00; 05:87:88:04:50:00; 06:87:88:04:50:00; 07:87:88:04:50:00; 08:87:88:04:50:00;
user@PE1# show policy-options policy-statement bgp-evpn-exp term 1 { from { family evpn; mac-filter-list mfl1; } then { accept; } }
user@PE1# show protocols bgp group evpn-sessions group evpn-sessions { type internal; local-address 10.255.255.8; family evpn { signaling; export bgp-evpn-exp; vpn-apply-export; neighbor 10.255.255.1; neighbor 10.255.255.4; neighbor 10.255.255.6; }
Filtering BGP EVPN Type 2 routes that contain (or do not contain) an IP address
CLI Quick Configuration
EVPN Type 2 routes have a MAC address and can additionally have an IP address (IPv4 or IPv6) in the prefix. With BGP EVPN Type 2 filters, you can filter Type 2 routes based according to whether it has only a MAC address, a MAC address and IPv4 address, or a MAC address and IPv6 address (not a specific IP address, but any IP address in the prefix). These options are mutually exclusive.
A complete list of set commands used in the example are presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.
Filtering BGP EVPN Type 2 routes with MAC address only
set policy-options policy-statement bgp-evpn-exp term 1 from family evpn set policy-options policy-statement bgp-evpn-exp term 1 from evpn-mac-route mac-only set policy-options policy-statement bgp-evpn-exp term 1 then community add COM1 set protocols bgp group evpn-session type internal set protocols bgp group evpn-session local-address 10.255.255.8 set protocols bgp group evpn-session family evpn signaling set protocols bgp group evpn-session export bgp-evpn-exp set protocols bgp group evpn-session vpn-apply-export set protocols bgp group evpn-session neighbor 10.255.255.1 set protocols bgp group evpn-session neighbor 10.255.255.4 set protocols bgp group evpn-session neighbor 10.255.255.6
Step-by-Step Procedure
To set up the filtering of BGP EVPN Type 2 routes with MAC address only:
Create a policy and the action you want to take.
[edit policy-options policy-statement bgp-evpn-exp] user@PE1# set term 1 from family evpn user@PE1# set term 1 from evpn-mac-route mac-only user@PE1# set term 1 then community add COM1
Configure the BGP group protocol session (we use
export bgp-evpn-exp
here to apply the policy).[edit protocols bgp group evpn-session ] user@PE1# set type internal user@PE1# set local-address 10.255.255.8 user@PE1# set family evpn signaling user@PE1# set export bgp-evpn-exp user@PE1# set neighbor 10.255.255.1 user@PE1# set neighbor 10.255.255.4 user@PE1# set neighbor 10.255.255.6
Results
To see your configuration results, from configuration
mode at the top of the CLI hierarchy, confirm your configuration by
entering the, show policy-options policy-statement bgp-evpn-exp
, and show protocols bgp group evpn-sessions
commands.
If the output does not display the intended configuration, repeat
the instructions in this example to correct the configuration.
user@PE1# show policy-options policy-statement bgp-evpn-exp term 1 { from { family evpn; evpn-mac-route mac-only; } then { community add COM1; } }
user@PE1# show protocols bgp group evpn-sessions group evpn-sessions { type internal; local-address 10.255.255.8; family evpn { signaling; export bgp-evpn-exp; vpn-apply-export; neighbor 10.255.255.1; neighbor 10.255.255.4; neighbor 10.255.255.6; }
Filtering BGP EVPN routes according to an EVPN extended community
CLI Quick Configuration
BGP EVPN routes can have a set of extended communities carried in the BGP update message path attribute, and as such, you can use these extended communities for filtering BGP EVPN routes. . The EVPN specific information included in the extended communities includes encapsulation type, MAC-mobility information, EVPN split-horizon label,, ESI mode, E-Tree leaf label, and more.
See Border Gateway Protocol (BGP) Extended Communities for the full list of extended communities.
An extended community is an eight-octet value divided into two main sections, and typically uses a notation of type:administrator:assigned-number. However, to specify EVPN extended communities in the Junos configuration for BGP EVPN, instead of using a word to specify the type, all values (including type) are in decimal. Type is 2 octet, with the higher-order octet defining the actual type of extended community, and the low-order octet defining the community. The sub-type; val1 and val2 can be specified as [2 + 4] octets, or as [4 + 2] octets.
Typical configuration for extended communities in Junos:
set policy-options community name members type:val1:val2
Specifying an extended community numerically for BGP EVPN configurations in Junos. See BGP MPLS-Based Ethernet VPN for more information on numerical representations of extended communities.
In the example below, the decimal 780 is used to match the encapsulation extended community (for example, VXLAN). For 780, the value of the high-order octet of the extended type field is 0x03, which indicates that it is transitive. The value of the low-order octet of the extended type field is 0x0c; thus, the first 2 octet value is 0x030c, which is where the decimal 780 comes from. The remaining value fields, where val1 is 0 and val2 is 8, are used to identify VXLAN tunnel type.
The full list of tunnel types related to EVPN is defined in RFC 8365, Section 11 (link below), but some pertinent ones are listed here:
Value 8 = VXLAN Encapsulation
Value 9 = NVGRE Encapsulation
Value 10 = MPLS Encapsulation
Value 11 = MPLS in GRE Encapsulation
Value 12 = VXLAN GPE Encapsulation
See RFC 5512, Section 4.5, Reserved field and RFC 8365, Section 11 for details.
set policy-options community name members 780:0:8
A complete list of set commands used in the example are presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.
Filtering BGP EVPN routes according to the EVPN extended communities
set policy-options community COM5 members 780:0:8 set policy-options policy-statement bgp-evpn-exp term 1 from community COM5 set policy-options policy-statement bgp-evpn-exp term 1 then reject set protocols bgp group evpn-session type internal set protocols bgp group evpn-session local-address 10.255.255.4 set protocols bgp group evpn-session family evpn signaling set protocols bgp group evpn-session export bgp-evpn-exp set protocols bgp group evpn-session neighbor 10.255.255.1 set protocols bgp group evpn-session neighbor 10.255.255.6 set protocols bgp group evpn-session neighbor 10.255.255.8
Step-by-Step Procedure
To set up the filtering of BGP EVPN routes according to an EVPN extended community:
Create a list of the community members you want to filter on, and the action you want to take.
[edit policy-options] user@PE1# set community COM5 members 780:0:8
Create a list of the community members you want to filter on, and the action you want to take.
[edit policy-options policy-statement bgp-evpn-exp] user@PE1# set term 1 from community COM5 user@PE1# set term 1 then reject
Configure the BGP group protocol session (we use
export bgp-evpn-exp
here to apply the policy).[edit protocols bgp group evpn-session ] user@PE1# set type internal user@PE1# set local-address 10.255.255.4 user@PE1# set family evpn signaling user@PE1# set export bgp-evpn-exp user@PE1# set neighbor 10.255.255.1 user@PE1# set neighbor 10.255.255.6 user@PE1# set neighbor 10.255.255.8
Results
To see your configuration results, from configuration
mode at the top of the CLI hierarchy, confirm your configuration by
entering the, show policy-options policy-statement bgp-evpn-exp
, and show protocols bgp group evpn-sessions
commands.
If the output does not display the intended configuration, repeat
the instructions in this example to correct the configuration.
user@PE1# show policy-options community COM5 members members 780:0:8;
user@PE1# show policy-options policy-statement bgp-evpn-exp term 1 { from { community COM5; } then { reject; } }
user@PE1# show protocols bgp group evpn-sessions group evpn-sessions { type internal; local-address 10.255.255.4; family evpn { signaling; export bgp-evpn-exp; vpn-apply-export; neighbor 10.255.255.1; neighbor 10.255.255.6; neighbor 10.255.255.8; }
Copying community information from EVPN Type 2 routes into EVPN Type 5 routes
You can use BGP EVPN filtering to include the MAC address (if any) and IPv4 or IPv6 addresses from EVPN type 2 route advertisements received from remote PEs as EVPN Type 5 routes. Likewise, you can copy the community information from EVPN Type 2 routes into EVPN Type 5 route that have been generated from routes in the vrf.inet table(specifically, VPN-IPv4 (AFI/SAFI 1/128), VPN-IPv6 (AFI/SAFI 2/128), IPv4 (AFI/SAFI 1/1) and IPv6 (AFI/SAFI 2/1).
To include any contained MAC address and IPv4 or IPv6 addresses from EVPN Type 2 route advertisements into EVPN Type 5, enable the following command:
set routing-instances evpna protocols evpn remote-ip-host-routes no-advertise-community
You can also control which routing attributes are carried between the IP and EVPN routes. In other words, you can choose which route attributes to include from the import direction when generating IP routes from EVPN Type 5 routes, and for the export direction, also choose which route attributes to include when generating EVPN Type 5 routes from IP routes. These route attributes are, as-path
, community
, and preference
. Note that if you do not explicitly include the community
route attribute during import, due to how Junos handles route attributes in the vrf.inet.0 table, color community information will not be included (and thus this information not available for the nexthop resolution of the affected routes).
To include a given route attribute, use the following commands, and set an import or export action, which can be either allow or skip (here, the import-action is allow):
set routing-instances evpna protocols evpn ip-prefix-routes route-attributes as-path import-action allow set routing-instances evpna protocols evpn ip-prefix-routes route-attributes preference import-action allow set routing-instances evpna protocols evpn ip-prefix-routes route-attributes community import-action allow
Results
To see your configuration results, from configuration
mode at the top of the CLI hierarchy, confirm your configuration by
entering the, show policy-options policy-statement bgp-evpn-exp
, and show protocols bgp group evpn-sessions
commands.
If the output does not display the intended configuration, repeat
the instructions in this example to correct the configuration.
user@PE1# show policy-options policy-statement bgp-evpn-exp term 1 { from { family evpn; evpn-mac-route mac-only; } then { community add COM1; } }
user@PE1# show protocols bgp group evpn-sessions group evpn-sessions { type internal; local-address 10.255.255.8; family evpn { signaling; export bgp-evpn-exp; vpn-apply-export; neighbor 10.255.255.1; neighbor 10.255.255.4; neighbor 10.255.255.6; }
Verification
Confirm that the configuration is working properly. For each of the examples given above, run a version of these commands that uses the configuration you want to confirm. The verification example below is based on the example given for filtering BGP EVPN routes based on the EVPN NLRI type.
Verifying the various BGP EVPN filtering
Purpose
Display information about the BGP EVPN routes filtered according to the specified criteria.
Action
From operational mode on the target device, enter following commands:
user@device> show evpn instance user@device> show evpn instance extensive user@device> show evpn database user@device> show evpn mac-ip-table
From operational mode on PE1, enter following commands:
user@PE1> show route table bgp.evpn.0 user@PE1> show route table EVPN-1.evpn.0 user@PE1> show route table default_evpn__.evpn.0 user@PE1> show route advertising-protocol bgp 100.100.100.2 table bgp.evpn.0 user@PE1> show route advertising-protocol bgp 100.100.100.2 table EVPN-1.evpn.0 user@PE1> show route advertising-protocol bgp 100.100.100.2 table default_evpn__.evpn.0
From operational mode on PE2, enter following commands:
user@PE2> show route receive-protocol bgp 100.100.100.1 table bgp.evpn.0 user@PE2> show route receive-protocol bgp 100.100.100.1 table EVPN-1.evpn.0 user@PE2> show route receive-protocol bgp 100.100.100.1 table default_evpn__.evpn.0 user@PE2> show route table bgp.evpn.0 user@PE2> show route table EVPN-1.evpn.0 user@PE2> show route table default_evpn__.evpn.0