Example: Using Policy Filters to Filter EVPN Routes

In Junos, routing policies can control Border Gateway Protocol (BGP) route advertisements and filter routes across different address families. Although Ethernet VPN (EVPN) uses BGP to exchange MAC-IP addresses between PE routers, the EVPN route prefix format and the extended community information encoded in the BGP update message differ from other address families, so filtering EVPN routes requires special match conditions.

The examples in this topic show the various router configurations available in Junos for filtering EVPN routes.

Requirements

EVPN route filtering is supported on MX, VMX, EX, ACX, and QFX devices running Junos Release 19.4R1 or later. It is available at the routing-instance level of the hierarchy (where it is configured with vrf-export or vrf-import policy), and at the protocols bgp level (in which case you also need to configure vpn-apply-export for the policy to take effect).

Overview

You can use policy filters to filter EVPN routes, for example to specify particular extended community attributes. Routes are filtered according to the match conditions you specify in the from qualifier of the policy. Supported match criteria for EVPN routes include EVPN NLRI type, BGP path attributes, route distinguishers, EVPN Ethernet Tag, Ethernet Segment Identifier (ESI), and MAC addresses in EVPN Type 2 routes.

The following route filters are also supported: local-preference, as-path, community, next-hop, metric, and origin.

Actions are taken according to the criteria you specify in the then qualifier specified in the policy.

See Routing policies for EVPN for a complete list and description of supported match conditions and actions.

Topology

The following network scenarios show the configuration used for setting up various EVPN match conditions.

Base Configuration

CLI Quick Configuration

For EVPN routes, a policy can be applied at the routing-instance level of the hierarchy, or at the protocols bgp level. The configuration for both is shown below. At the routing-instance level, the policy is applied as a vrf-export or vrf-import policy. When an export policy is applied at the BGP group level, you must configure vpn-apply-export for the policy to work properly.

Case 1 shows the mandatory use of the statement vpn-apply-export when a policy is applied at the BGP level of the hierarchy.

To use the example, you need to navigate to various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To quickly configure the examples, copy the list of commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Case 1: Applying the policy at the protocol BGP level of the hierarchy.

Case 2 shows the mandatory use of the statements vrf-export and vrf-import when match conditions are being applied at the routing instances level of the hierarchy.

EVPN uses 8 different route types to extend Layer 2 connectivity. The EVPN NLRI route type is defined in the first octet of the route prefix field in the BGP update message.

Note:

In Junos, the following EVPN route types are not specific to a given routing instance: Type 1 AD per ESI, Type 4 ES, Type 7 IGMP join, and Type 8 IGMP leave. Instead, they are automatically added to the default routing-instance table when exported. As a result, no routing-instance vrf-export or vrf-import policies are applied to these route types. If you want to apply an export policy to these routes, you need to do it at the BGP export level of the hierarchy. The same is true for importing Type 1 per ESI, Type 4, Type 7, and Type 8 routes (they are automatically imported into the default routing-instance table). So, to apply an import policy to these route types, you need to do so at the BGP import level of the hierarchy rather than at the routing-instance level.
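The note above determines where a policy must be attached for a given route. The following added example (not from the Juniper documentation) reads the route-type octet of an EVPN NLRI and reports the required level. It assumes the RFC 7432 Type 1 layout, in which a per-ESI route carries Ethernet Tag 0xFFFFFFFF, and it treats every type the note does not exempt as routing-instance level; the function names and sample bytes are constructed for illustration.

```python
import struct

MAX_ET = 0xFFFFFFFF              # Ethernet Tag marking a Type 1 A-D per-ESI route (RFC 7432)
DEFAULT_TABLE_TYPES = {4, 7, 8}  # per the note: always in the default routing-instance table
AD_BODY_LEN = 8 + 10 + 4 + 3     # RD + ESI + Ethernet Tag + MPLS label (RFC 7432)


def policy_level(nlri: bytes) -> str:
    """Return 'bgp' or 'routing-instance': the level whose policy sees this NLRI."""
    if len(nlri) < 2:
        raise ValueError("EVPN NLRI needs a route-type octet and a length octet")
    route_type, length = nlri[0], nlri[1]
    body = nlri[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated EVPN NLRI")
    if not 1 <= route_type <= 8:
        raise ValueError(f"route type {route_type} is outside the 8 types covered here")
    if route_type in DEFAULT_TABLE_TYPES:
        return "bgp"
    if route_type == 1:
        if length != AD_BODY_LEN:
            raise ValueError("malformed Type 1 route")
        (tag,) = struct.unpack_from("!I", body, 18)  # tag follows RD (8) + ESI (10)
        return "bgp" if tag == MAX_ET else "routing-instance"
    # Assumption: types the note does not exempt follow vrf-import/vrf-export.
    return "routing-instance"


def build_type1(tag: int) -> bytes:
    """Constructed Type 1 NLRI with all-zero placeholder RD, ESI and label."""
    rd, esi, label = bytes(8), bytes(10), bytes(3)
    return bytes([1, AD_BODY_LEN]) + rd + esi + struct.pack("!I", tag) + label


if __name__ == "__main__":
    samples = {
        "Type 1 per ESI": build_type1(MAX_ET),
        "Type 1 per EVI": build_type1(100),
        "Type 2": bytes([2, 33]) + bytes(33),
        "Type 4": bytes([4, 23]) + bytes(23),
    }
    for name, nlri in samples.items():
        print(f"{name}: apply policy at {policy_level(nlri)} level")
```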

Case 2: Applying the policy at the routing-instance level of the hierarchy.

Filtering BGP EVPN routes based on EVPN NLRI type

CLI Quick Configuration

A complete list of set commands used in the example is presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.

Filtering BGP EVPN routes based on EVPN NLRI type

Step-by-Step Procedure

To set up the filtering of BGP EVPN routes based on BGP path attributes:

  1. Configure the BGP path attributes you want to filter on (enclose multiple types in brackets and separate with a space) and the action to take on the matching routes.

  2. Configure the BGP group protocol session.

Results

To see your configuration results, from configuration mode at the top of the CLI hierarchy, confirm your configuration by entering the show policy-options policy-statement bgp-evpn-exp and show protocols bgp group evpn-sessions commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Filtering BGP EVPN routes based on route distinguisher

CLI Quick Configuration

Route distinguisher (RD) information is encoded in the EVPN route prefix. This example shows how to filter EVPN routes on the basis of the route distinguisher.

A complete list of set commands used in the example is presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.

Filtering BGP EVPN routes based on route distinguisher

Step-by-Step Procedure

To set up the filtering of BGP EVPN routes based on route distinguisher:

  1. Configure the route distinguisher you want to filter on and the action to take on the matching routes.

  2. Configure the BGP group protocol session.

Results

To see your configuration results, from configuration mode at the top of the CLI hierarchy, confirm your configuration by entering the show policy-options policy-statement bgp-evpn-exp, show policy-options route-distinguisher RD1, and show protocols bgp group evpn-sessions commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Filtering BGP EVPN routes based on EVPN Ethernet Tags

CLI Quick Configuration

EVPN Ethernet Tag information (or vlan-id information) is carried in the prefix of the EVPN route. This example shows how to filter EVPN routes based on the Ethernet Tag carried in the prefix of the route. Note that you must include the family evpn qualifier when configuring this filtering option.

A complete list of set commands used in the example is presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.

Filtering BGP EVPN routes based on EVPN Ethernet Tags

Step-by-Step Procedure

To set up the filtering of BGP EVPN routes based on the EVPN Ethernet Tag:

  1. Configure the EVPN Ethernet Tag you want to filter on and the action to take on the matching routes.

  2. Configure the BGP group protocol session.

Results

To see your configuration results, from configuration mode at the top of the CLI hierarchy, confirm your configuration by entering the show policy-options policy-statement bgp-evpn-exp, and show protocols bgp group evpn-sessions commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Filtering BGP EVPN routes based on ESI

CLI Quick Configuration

You can use Ethernet Segment Identifier (ESI) based policy filters for Type 1, Type 2, Type 4, Type 7, and Type 8 routes, which are the only types to contain ESI information in the prefix.

A complete list of set commands used in the example is presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.

Filtering BGP EVPN routes based on ESI

Step-by-Step Procedure

To set up the filtering of BGP EVPN routes based on the ESI:

  1. Configure the EVPN ESI you want to filter on and the action to take on the matching routes.

  2. Configure the BGP group protocol session.

Results

To see your configuration results, from configuration mode at the top of the CLI hierarchy, confirm your configuration by entering the show policy-options policy-statement bgp-evpn-exp, and show protocols bgp group evpn-sessions commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Filtering BGP EVPN Type 2 and Type 5 routes based on IP address

CLI Quick Configuration

You can use IPv4 or IPv6 addresses embedded in the EVPN prefix field to filter EVPN Type 2 and Type 5 routes. The following prefix-list and route-filter qualifiers are also supported:

  • from prefix-list

  • from prefix-list-filter [ exact | longer | orlonger ]

  • from route-filter [ address-mask | exact | longer | orlonger | prefix-length-range | through | upto ]

  • from route-filter-list

A complete list of set commands used in the example is presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.

Filtering BGP EVPN Type 2 and Type 5 routes based on the IP address

Step-by-Step Procedure

To set up the filtering of BGP EVPN Type 2 and Type 5 routes based on the IP address:

  1. Create a prefix list to be used in the policy statement.

  2. Configure the Type 2 and Type 5 IP address you want to filter on and the action to take on the matching routes.

  3. Configure the BGP group protocol session.

Results

To see your configuration results, from configuration mode at the top of the CLI hierarchy, confirm your configuration by entering the show policy-options policy-statement bgp-evpn-exp, and show protocols bgp group evpn-sessions commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Filtering BGP EVPN Type 2 routes using MAC address

CLI Quick Configuration

You can use the MAC address in the EVPN prefix to filter EVPN Type 2 routes.

A complete list of set commands used in the example is presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.

Filtering BGP EVPN Type 2 routes using MAC address

Step-by-Step Procedure

To set up the filtering of BGP EVPN Type 2 routes using MAC address:

  1. Create the list of the MAC addresses you want to filter on (mfl1 in this example).

  2. Apply a list of the MAC addresses you want to filter on, and the action you want to take (Accept, in this example).

  3. Configure the BGP group protocol session.

Results

To see your configuration results, from configuration mode at the top of the CLI hierarchy, confirm your configuration by entering the show policy-options mac-list mfl1, show policy-options policy-statement bgp-evpn-exp, and show protocols bgp group evpn-sessions commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Filtering BGP EVPN Type 2 routes that contain (or do not contain) an IP address

CLI Quick Configuration

EVPN Type 2 routes have a MAC address and can additionally have an IP address (IPv4 or IPv6) in the prefix. With BGP EVPN Type 2 filters, you can filter Type 2 routes according to whether the route has only a MAC address, a MAC address and IPv4 address, or a MAC address and IPv6 address (not a specific IP address, but any IP address in the prefix). These options are mutually exclusive.

A complete list of set commands used in the example is presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.

Filtering BGP EVPN Type 2 routes with MAC address only

Step-by-Step Procedure

To set up the filtering of BGP EVPN Type 2 routes with MAC address only:

  1. Create a policy and the action you want to take.

  2. Configure the BGP group protocol session (we use export bgp-evpn-exp here to apply the policy).

Results

To see your configuration results, from configuration mode at the top of the CLI hierarchy, confirm your configuration by entering the show policy-options policy-statement bgp-evpn-exp and show protocols bgp group evpn-sessions commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Filtering BGP EVPN routes according to an EVPN extended community

CLI Quick Configuration

BGP EVPN routes can have a set of extended communities carried in the BGP update message path attribute, and as such, you can use these extended communities for filtering BGP EVPN routes. The EVPN-specific information included in the extended communities includes encapsulation type, MAC-mobility information, EVPN split-horizon label, ESI mode, E-Tree leaf label, and more.

See Border Gateway Protocol (BGP) Extended Communities for the full list of extended communities.

An extended community is an eight-octet value divided into two main sections, and typically uses a notation of type:administrator:assigned-number. However, to specify EVPN extended communities in the Junos configuration for BGP EVPN, all values (including type) are given in decimal instead of using a word for the type. The type is 2 octets, with the high-order octet defining the actual type of extended community and the low-order octet defining the community sub-type. val1 and val2 can be specified as [2 + 4] octets, or as [4 + 2] octets.

Typical configuration for extended communities in Junos:

  • set policy-options community name members type:val1:val2

Specifying an extended community numerically for BGP EVPN configurations in Junos. See BGP MPLS-Based Ethernet VPN for more information on numerical representations of extended communities.

In the example below, the decimal 780 is used to match the encapsulation extended community (for example, VXLAN). For 780, the value of the high-order octet of the extended type field is 0x03, which indicates that it is transitive. The value of the low-order octet of the extended type field is 0x0c; thus, the first 2 octet value is 0x030c, which is where the decimal 780 comes from. The remaining value fields, where val1 is 0 and val2 is 8, are used to identify VXLAN tunnel type.

The full list of tunnel types related to EVPN is defined in RFC 8365, Section 11 (link below), but some pertinent ones are listed here:

  • Value 8 = VXLAN Encapsulation

  • Value 9 = NVGRE Encapsulation

  • Value 10 = MPLS Encapsulation

  • Value 11 = MPLS in GRE Encapsulation

  • Value 12 = VXLAN GPE Encapsulation

See RFC 5512, Section 4.5, Reserved field and RFC 8365, Section 11 for details.

  • set policy-options community name members 780:0:8
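The numeric notation described above can be checked mechanically. This added example (not from the Juniper documentation) converts between the 8-octet wire value and the decimal type:val1:val2 form, then uses the tunnel-type values listed above to flag routes whose encapsulation community is not the expected one. It assumes the [4 + 2] split for the encapsulation community (4 reserved octets, 2-octet tunnel type, per RFC 5512); the function names and sample routes are constructed for illustration.

```python
# Tunnel types listed on this page (RFC 8365, Section 11).
TUNNEL_TYPES = {8: "VXLAN", 9: "NVGRE", 10: "MPLS", 11: "MPLS in GRE", 12: "VXLAN GPE"}
ENCAP_TYPE = 0x030C        # high octet 0x03, low octet 0x0c -> decimal 780
LAYOUTS = ((2, 4), (4, 2))  # octet widths allowed for val1 + val2


def from_junos(member: str, layout=(4, 2)) -> bytes:
    """'type:val1:val2' (all decimal) -> the 8 octets carried in the BGP update."""
    if layout not in LAYOUTS:
        raise ValueError("val1/val2 must be [2 + 4] or [4 + 2] octets")
    fields = member.split(":")
    if len(fields) != 3:
        raise ValueError("expected type:val1:val2")
    raw = b""
    for text, width in zip(fields, (2,) + tuple(layout)):
        value = int(text, 10)
        if not 0 <= value < 1 << (8 * width):
            raise ValueError(f"{value} does not fit in {width} octets")
        raw += value.to_bytes(width, "big")
    return raw


def to_junos(raw: bytes, layout=(4, 2)) -> str:
    """8 wire octets -> decimal 'type:val1:val2'."""
    if len(raw) != 8 or layout not in LAYOUTS:
        raise ValueError("need 8 octets and a [2 + 4] or [4 + 2] layout")
    split = 2 + layout[0]
    parts = (raw[:2], raw[2:split], raw[split:])
    return ":".join(str(int.from_bytes(p, "big")) for p in parts)


def encapsulation(member: str):
    """Tunnel name for an encapsulation community, None for any other type."""
    raw = from_junos(member, (4, 2))
    if int.from_bytes(raw[:2], "big") != ENCAP_TYPE:
        return None
    tunnel = int.from_bytes(raw[6:], "big")
    return TUNNEL_TYPES.get(tunnel, f"tunnel type {tunnel} (not listed here)")


def unexpected_encap(routes, allowed=("VXLAN",)):
    """Names of routes carrying an encapsulation community outside `allowed`."""
    flagged = []
    for name, members in routes:
        encaps = [e for e in map(encapsulation, members) if e is not None]
        if any(e not in allowed for e in encaps):
            flagged.append(name)
    return flagged


# Constructed sample: route labels and their community members.
SAMPLE_ROUTES = [("route-A", ["780:0:8"]), ("route-B", ["780:0:10"])]

if __name__ == "__main__":
    print(from_junos("780:0:8").hex(), unexpected_encap(SAMPLE_ROUTES))
```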

A complete list of set commands used in the example is presented first, followed by the same commands in step-by-step format, as well as instructions for confirming your configuration. Verification commands that you can use to see relevant output from a properly configured system are shown at the end of this topic.

Filtering BGP EVPN routes according to the EVPN extended communities

Step-by-Step Procedure

To set up the filtering of BGP EVPN routes according to an EVPN extended community:

  1. Create a list of the community members you want to filter on, and the action you want to take.

  2. Create a list of the community members you want to filter on, and the action you want to take.

  3. Configure the BGP group protocol session (we use export bgp-evpn-exp here to apply the policy).

Results

To see your configuration results, from configuration mode at the top of the CLI hierarchy, confirm your configuration by entering the show policy-options policy-statement bgp-evpn-exp and show protocols bgp group evpn-sessions commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Copying community information from EVPN Type 2 routes into EVPN Type 5 routes

You can use BGP EVPN filtering to include the MAC address (if any) and IPv4 or IPv6 addresses from EVPN Type 2 route advertisements received from remote PEs as EVPN Type 5 routes. Likewise, you can copy the community information from EVPN Type 2 routes into EVPN Type 5 routes that have been generated from routes in the vrf.inet table (specifically, VPN-IPv4 (AFI/SAFI 1/128), VPN-IPv6 (AFI/SAFI 2/128), IPv4 (AFI/SAFI 1/1), and IPv6 (AFI/SAFI 2/1)).

To include any contained MAC address and IPv4 or IPv6 addresses from EVPN Type 2 route advertisements into EVPN Type 5, enable the following command:

  • set routing-instances evpna protocols evpn remote-ip-host-routes no-advertise-community

You can also control which routing attributes are carried between the IP and EVPN routes. In other words, for the import direction you can choose which route attributes to include when generating IP routes from EVPN Type 5 routes, and for the export direction you can choose which route attributes to include when generating EVPN Type 5 routes from IP routes. These route attributes are as-path, community, and preference. Note that if you do not explicitly include the community route attribute during import, color community information will not be included because of how Junos handles route attributes in the vrf.inet.0 table (and thus this information is not available for the next-hop resolution of the affected routes).

To include a given route attribute, use the following commands, and set an import or export action, which can be either allow or skip (here, the import-action is allow):

Results

To see your configuration results, from configuration mode at the top of the CLI hierarchy, confirm your configuration by entering the show policy-options policy-statement bgp-evpn-exp and show protocols bgp group evpn-sessions commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Verification

Confirm that the configuration is working properly. For each of the examples given above, run a version of these commands that uses the configuration you want to confirm. The verification example below is based on the example given for filtering BGP EVPN routes based on the EVPN NLRI type.

Verifying the various BGP EVPN filtering

Purpose

Display information about the BGP EVPN routes filtered according to the specified criteria.

Action

From operational mode on the target device, enter the following commands:

From operational mode on PE1, enter the following commands:

From operational mode on PE2, enter the following commands: