Example: Configuring Layer 3 VPN Protocol Family Qualifiers for Route Filters
This example shows how to control the scope of BGP import policies by configuring a family qualifier for the BGP import policy. The family qualifier specifies routes of type inet, inet6, inet-vpn, or inet6-vpn.
Requirements
This example uses Junos OS Release 10.0 or later.
Before you begin:
Configure the device interfaces.
Configure an interior gateway protocol. See the Junos OS Routing Protocols Library.
Configure a BGP session for multiple route types. For example, configure the session for both family inet routes and family inet-vpn routes. See Configuring IBGP Sessions Between PE Routers in VPNs and Configuring Layer 3 VPNs to Carry IPv6 Traffic.
Overview
Family qualifiers cause a route filter to match only one specific family. When you configure an IPv4 route filter without a family qualifier, as shown here, the route filter matches inet and inet-vpn routes.
route-filter ipv4-address/mask;
Likewise, when you configure an IPv6 route filter without a family qualifier, as shown here, the route filter matches inet6 and inet6-vpn routes.
route-filter ipv6-address/mask;
Consider the case in which a BGP session has been configured for both family inet routes and family inet-vpn routes, and an import policy has been configured for this BGP session. This means that both family inet and family inet-vpn routes, when received, share the same import policy. The policy term might look as follows:
from {
    route-filter 0.0.0.0/0 exact;
}
then {
    next-hop self;
    accept;
}
This route-filter logic matches an inet route of 0.0.0.0 and an inet-vpn route whose IPv4 address portion is 0.0.0.0. The 8-byte route distinguisher portion of the inet-vpn route is not considered in the route-filter matching. This is a change in Junos OS behavior that was introduced in Junos OS Release 10.0.
If you do not want your policy to match both types of routes, add a family qualifier to your policy. To have the route-filter match only inet routes, add the family inet policy qualifier. To have the route-filter match only inet-vpn routes, add the family inet-vpn policy qualifier.
The family qualifier is evaluated before the route-filter is evaluated. Thus, the route-filter is not evaluated if the family match fails. The same logic applies to family inet6 and family inet6-vpn. The route-filter used in the inet6 example must use an IPv6 address. There is a potential efficiency gain in using a family qualifier because the family qualifier is tested before most other qualifiers, quickly eliminating routes from undesired families.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
inet Example
set policy-options policy-statement specific-family from family inet
set policy-options policy-statement specific-family from route-filter 0.0.0.0/0 exact
set policy-options policy-statement specific-family then next-hop self
set policy-options policy-statement specific-family then accept
set protocols bgp import specific-family
inet-vpn Example
set policy-options policy-statement specific-family from family inet-vpn
set policy-options policy-statement specific-family from route-filter 0.0.0.0/0 exact
set policy-options policy-statement specific-family then next-hop self
set policy-options policy-statement specific-family then accept
set protocols bgp import specific-family
inet6 Example
set policy-options policy-statement specific-family from family inet6
set policy-options policy-statement specific-family from route-filter 0::0/0 exact
set policy-options policy-statement specific-family then next-hop self
set policy-options policy-statement specific-family then accept
set protocols bgp import specific-family
inet6-vpn Example
set policy-options policy-statement specific-family from family inet6-vpn
set policy-options policy-statement specific-family from route-filter 0::0/0 exact
set policy-options policy-statement specific-family then next-hop self
set policy-options policy-statement specific-family then accept
set protocols bgp import specific-family
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a BGP import policy with a family qualifier:
Configure the family qualifier.
[edit policy-options]
user@host# set policy-statement specific-family from family inet
Configure the route filter.
[edit policy-options]
user@host# set policy-statement specific-family from route-filter 0.0.0.0/0 exact
Configure the policy actions.
[edit policy-options]
user@host# set policy-statement specific-family then next-hop self
user@host# set policy-statement specific-family then accept
Apply the policy.
[edit protocols bgp]
user@host# set import specific-family
Results
From configuration mode, confirm your configuration by issuing the show protocols and show policy-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
user@host# show protocols
bgp {
    import specific-family;
}
user@host# show policy-options
policy-statement specific-family {
    from {
        family inet;
        route-filter 0.0.0.0/0 exact;
    }
    then {
        next-hop self;
        accept;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Repeat the procedure for every protocol family for which you need a specific route-filter policy.
Verification
To verify the configuration, run the following commands:
show route advertising-protocol bgp neighbor detail
show route instance instance-name detail
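
An added example, not part of the original documentation: because a route-filter without a family qualifier matches both the plain and the VPN family, this Python check scans set-format configuration (the form used in the CLI Quick Configuration above) for such terms and reports which families each one matches. The sample configuration is constructed; the policy names shared-import and v6-import and the term name default are hypothetical.

```python
import re
import ipaddress

# Constructed sample in set format; policy names other than
# specific-family, and the term name "default", are hypothetical.
SAMPLE = """\
set policy-options policy-statement specific-family from family inet
set policy-options policy-statement specific-family from route-filter 0.0.0.0/0 exact
set policy-options policy-statement specific-family then next-hop self
set policy-options policy-statement specific-family then accept
set policy-options policy-statement shared-import term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement shared-import term default then accept
set policy-options policy-statement v6-import term default from route-filter 0::0/0 exact
set policy-options policy-statement v6-import term default then accept
set protocols bgp import specific-family
"""

LINE = re.compile(
    r"^set policy-options policy-statement (?P<policy>\S+) "
    r"(?:term (?P<term>\S+) )?from (?P<kind>family|route-filter) (?P<value>\S+)"
)

def unqualified_route_filters(config_text):
    """Return (policy, term, prefix, families_matched) for each route-filter
    whose term has no 'from family' qualifier."""
    families = {}   # (policy, term) -> family name
    filters = []    # ((policy, term), prefix)
    for line in config_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        key = (m["policy"], m["term"])  # term is None for an unnamed term
        if m["kind"] == "family":
            families[key] = m["value"]
        else:
            filters.append((key, m["value"]))
    findings = []
    for key, prefix in filters:
        if key in families:
            continue  # family is tested first, so the scope is already narrowed
        version = ipaddress.ip_network(prefix, strict=False).version
        matched = ("inet", "inet-vpn") if version == 4 else ("inet6", "inet6-vpn")
        findings.append((key[0], key[1], prefix, matched))
    return findings

if __name__ == "__main__":
    for policy, term, prefix, matched in unqualified_route_filters(SAMPLE):
        print(f"{policy} term {term or '<unnamed>'}: route-filter {prefix} "
              f"matches {' and '.join(matched)} routes")
```

Each reported term is a candidate for a family qualifier if the policy is applied to a BGP session that carries more than one route type.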