ON THIS PAGE
Example: Configuring Proxy BGP Route Target Filtering for VPNs
This example shows how to configure proxy BGP route target filtering (also known as proxy route target constrain, or proxy RTC).
Requirements
This example uses the following hardware and software components:
Four Juniper Networks devices that can be a combination of M Series, MX Series, or T Series routers.
Junos OS Release 12.2 or later on one or more devices configured for proxy BGP route filtering. In this example, you explicitly configure proxy BGP route filtering on the route reflectors.
Before configuring proxy BGP route target filtering, make sure that you are familiar with and understand the following concepts:
Overview
Route target filtering decreases the number of devices in a network that receive VPN routes that are not needed. Proxy BGP route target filtering allows networks to take advantage of route target filtering in locations where the feature is not currently supported. By configuring this feature, you can realize many of the same network resource savings that are available to you if your network fully supported BGP route target filtering.
To configure proxy BGP route target filtering, you include the family route-target proxy-generate
statement on the devices
that will distribute proxy route target membership (RT membership)
advertisements for the devices that do not support BGP route target
filtering. The proxy BGP route target filtering routes are then stored
in the bgp.rtarget.0 routing table.
Proxy BGP route target filtering is intended to create RT membership
advertisements for devices that do not support the BGP route target
filtering feature. If the proxy-generate
statement is
present, but the route target family is negotiated with the BGP peer,
the proxy-generate functionality is disabled. This allows simplified
configuration of BGP peer groups where a portion of the peers in the
group support route target filtering but others do not. In such an
example case, the family route-target proxy-generate
statement
might be part of the BGP peer group configuration.
When deploying proxy BGP route target filtering in your
network, the advertise-default
statement for BGP route
target filtering causes the device to advertise the default route
target route (0:0:0/0) and suppress all routes that are more specific.
If you have proxy BGP route target filtering configured on one device
and one or more peers have the advertise-default
statement
configured as part of their BGP route target filtering configuration,
the advertise-default configuration is ignored.
Topology Diagram
Figure 1 shows the topology used in this example.
In this example, BGP route target filtering is configured on the route reflectors (Device RR1 and Device RR2) and the provider edge (PE) Device PE2, but the other PE, Device PE1, does not support the BGP route target filtering functionality. Device PE2 has four VPNs configured (vpn1, vpn2, vpn3, and vpn4). Device PE1 has two VPNs configured (vpn1 and vpn2), so this device is only interested in receiving route updates for vpn1 and vpn2. Currently, this is impossible because both route reflectors (Device RR1 and Device RR2) learn and share information about all of the incoming VPN routes (vpn1 through vpn4) with Device PE1. In the sample topology, all devices participate in autonomous system (AS) 203, OSPF is the configured interior gateway protocol (IGP), and LDP is the signaling protocol used by the VPNs. In this example, we use static routes in the VPN routing and forwarding (VRF) instances to generate VPN routes. This is done in place of using a PE to customer edge (CE) protocol such as OSPF or BGP.
To minimize the number of VPN route updates being processed
by Device PE1, you include the family route-target proxy-generate
statement to configure proxy BGP route target filtering on each
route reflector. Each route reflector has a peering session with Device
PE1 and supports route target filtering to the core. However, Device
PE1 does not support route target filtering, so the network resource
savings are unrealized by Device PE1 since it receives all of the
VPN updates. By configuring proxy BGP route target filtering on the
peering sessions facing Device PE1, you limit the number of VPN updates
processed by Device PE1, and the route reflectors generate the proxy
BGP route target routes for Device PE1 throughout the network.
Configuration
- CLI Quick Configuration
- Configuring Device PE1
- Configuring Device RR1
- Configuring Device RR2
- Configuring Device PE2
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit]
hierarchy level.
Device PE1
set interfaces ge-1/0/0 unit 0 description PE1-to-RR1 set interfaces ge-1/0/0 unit 0 family inet address 10.49.0.1/30 set interfaces ge-1/0/0 unit 0 family mpls set interfaces ge-1/0/1 unit 0 description PE1-to-RR2 set interfaces ge-1/0/1 unit 0 family inet address 10.49.10.1/30 set interfaces ge-1/0/1 unit 0 family mpls set protocols ldp interface ge-1/0/0 set protocols ldp interface ge-1/0/1 set protocols bgp group internal type internal set protocols bgp group internal local-address 10.255.163.58 set protocols bgp group internal neighbor 10.255.165.220 family inet-vpn unicast set protocols bgp group internal neighbor 10.255.165.28 family inet-vpn unicast set protocols ospf area 0.0.0.0 interface ge-1/0/0 set protocols ospf area 0.0.0.0 interface ge-1/0/1 set protocols ospf area 0.0.0.0 interface lo0.0 passive set routing-options route-distinguisher-id 10.255.163.58 set routing-options autonomous-system 203 set routing-instances vpn1 instance-type vrf set routing-instances vpn1 vrf-target target:203:100 set routing-instances vpn1 routing-options static route 203.0.113.1/24 discard set routing-instances vpn2 instance-type vrf set routing-instances vpn2 vrf-target target:203:101 set routing-instances vpn2 routing-options static route 203.0.113.2/24 discard
Device RR1
set interfaces ge-1/0/0 unit 0 description RR1-to-PE1 set interfaces ge-1/0/0 unit 0 family inet address 10.49.0.2/30 set interfaces ge-1/0/0 unit 0 family mpls set interfaces ge-1/0/1 unit 0 description RR1-to-PE2 set interfaces ge-1/0/1 unit 0 family inet address 10.50.0.2/30 set interfaces ge-1/0/1 unit 0 family mpls set protocols ldp interface ge-1/0/0 set protocols ldp interface ge-1/0/1 set protocols bgp group internal type internal set protocols bgp group internal local-address 198.51.100.1 set protocols bgp group internal cluster 198.51.100.1 set protocols bgp group internal neighbor 10.255.163.58 description vpn1-to-pe1 family inet-vpn unicast set protocols bgp group internal neighbor 10.255.163.58 family route-target proxy-generate set protocols bgp group internal neighbor 10.255.168.42 description vpn1-to-pe2 family inet-vpn unicast set protocols bgp group internal neighbor 10.255.168.42 family route-target set protocols ospf area 0.0.0.0 interface ge-1/0/0 set protocols ospf area 0.0.0.0 interface ge-1/0/1 set protocols ospf area 0.0.0.0 interface lo0.0 passive set routing-options route-distinguisher-id 10.255.165.220 set routing-options autonomous-system 203
Device RR2
set interfaces ge-1/0/0 unit 0 description RR2-to-PE1 set interfaces ge-1/0/0 unit 0 family inet address 10.49.10.2/30 set interfaces ge-1/0/0 unit 0 family mpls set interfaces ge-1/0/1 unit 0 description RR2-to-PE2 set interfaces ge-1/0/1 unit 0 family inet address 10.50.10.2/30 set interfaces ge-1/0/1 unit 0 family mpls set protocols ldp interface ge-1/0/0 set protocols ldp interface ge-1/0/1 set protocols bgp group internal type internal set protocols bgp group internal local-address 10.255.165.28 set protocols bgp group internal cluster 198.51.100.1 set protocols bgp group internal neighbor 10.255.163.58 description vpn2-to-pe1 family inet-vpn unicast set protocols bgp group internal neighbor 10.255.163.58 family route-target proxy-generate set protocols bgp group internal neighbor 10.255.168.42 description vpn2-to-pe2 family inet-vpn unicast set protocols bgp group internal neighbor 10.255.168.42 family route-target set protocols ospf area 0.0.0.0 interface ge-1/0/0 set protocols ospf area 0.0.0.0 interface ge-1/0/1 set protocols ospf area 0.0.0.0 interface lo0.0 passive set routing-options route-distinguisher-id 10.255.165.28 set routing-options autonomous-system 203
Device PE2
set interfaces ge-1/0/0 unit 0 description PE2-to-RR1 set interfaces ge-1/0/0 unit 0 family inet address 10.50.0.1/30 set interfaces ge-1/0/0 unit 0 family mpls set interfaces ge-1/0/1 unit 0 description PE2-to-RR2 set interfaces ge-1/0/1 unit 0 family inet address 10.50.10.1/30 set interfaces ge-1/0/1 unit 0 family mpls set protocols ldp interface ge-1/0/0 set protocols ldp interface ge-1/0/1 set protocols bgp group internal type internal set protocols bgp group internal local-address 10.255.168.42 set protocols bgp group internal family inet-vpn unicast set protocols bgp group internal family route-target set protocols bgp group internal neighbor 10.255.165.220 set protocols bgp group internal neighbor 10.255.165.28 set protocols ospf area 0.0.0.0 interface ge-1/0/0 set protocols ospf area 0.0.0.0 interface ge-1/0/1 set protocols ospf area 0.0.0.0 interface lo0.0 passive set routing-options route-distinguisher-id 10.255.168.42 set routing-options autonomous-system 203 set routing-instances vpn1 instance-type vrf set routing-instances vpn1 vrf-target target:203:100 set routing-instances vpn1 routing-options static route 203.0.113.1/24 discard set routing-instances vpn2 instance-type vrf set routing-instances vpn2 vrf-target target:203:101 set routing-instances vpn2 routing-options static route 203.0.113.2/24 discard set routing-instances vpn3 instance-type vrf set routing-instances vpn3 vrf-target target:203:103 set routing-instances vpn3 routing-options static route 203.0.113.3/24 discard set routing-instances vpn4 instance-type vrf set routing-instances vpn4 vrf-target target:203:104 set routing-instances vpn4 routing-options static route 203.0.113.4/24 discard
Configuring Device PE1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure Device PE1:
Configure the interfaces.
[edit interfaces] user@PE1# set ge-1/0/0 unit 0 description PE1-to-RR1 user@PE1# set ge-1/0/0 unit 0 family inet address 10.49.0.1/30 user@PE1# set ge-1/0/0 unit 0 family mpls user@PE1# set ge-1/0/1 unit 0 description PE1-to-RR2 user@PE1# set ge-1/0/1 unit 0 family inet address 10.49.10.1/30 user@PE1# set ge-1/0/1 unit 0 family mpls
Configure the route distinguisher and the AS number.
[edit routing-options] user@PE1# set route-distinguisher-id 10.255.163.58 user@PE1# set autonomous-system 203
Configure LDP as the signaling protocol used by the VPN.
[edit protocols ldp] user@PE1# set interface ge-1/0/0 user@PE1# set interface ge-1/0/1
Configure BGP.
[edit protocols bgp group internal] user@PE1# set type internal user@PE1# set local-address 10.255.163.58 user@PE1# set neighbor 10.255.165.220 family inet-vpn unicast user@PE1# set neighbor 10.255.165.28 family inet-vpn unicast
Configure OSPF.
[edit protocols ospf area 0.0.0.0] user@PE1# set interface ge-1/0/0 user@PE1# set interface ge-1/0/1 user@PE1# set interface lo0.0 passive
Configure the VPN routing instances.
[edit routing-instances vpn1] user@PE1# set instance-type vrf user@PE1# set vrf-target target:203:100 user@PE1# set routing-options static route 203.0.113.1/24 discard
[edit routing-instances vpn2] user@PE1# set instance-type vrf user@PE1# set vrf-target target:203:101 user@PE1# set routing-options static route 203.0.113.2/24 discard
If you are done configuring the device, commit the configuration.
[edit] user@PE1# commit
Results
From configuration mode, confirm your configuration by entering
the show interfaces
, show protocols
, show
routing-options
, and show routing-instances
commands.
If the output does not display the intended configuration, repeat
the instructions in this example to correct the configuration.
user@PE1# show interfaces ge-1/0/0 { unit 0 { description PE1-to-RR1; family inet { address 10.49.0.1/30; } family mpls; } } ge-1/0/1 { unit 0 { description PE1-to-RR2; family inet { address 10.49.10.1/30; } family mpls; } }
user@PE1# show protocols bgp { group internal { type internal; local-address 10.255.163.58; neighbor 10.255.165.220 { family inet-vpn { unicast; } } neighbor 10.255.165.28 { family inet-vpn { unicast; } } } } ospf { area 0.0.0.0 { interface ge-1/0/0.0; interface ge-1/0/1.0; interface lo0.0 { passive; } } } ldp { interface ge-1/0/0.0; interface ge-1/0/1.0; }
user@PE1# show routing-options route-distinguisher-id 10.255.14.182; autonomous-system 203;
user@PE1# show routing-instances vpn1 { instance-type vrf; vrf-target target:203:100; routing-options { static { route 203.0.113.1/24 discard; } } } vpn2 { instance-type vrf; vrf-target target:203:101; routing-options { static { route 203.0.113.2/24 discard; } } }
Configuring Device RR1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure Device RR1:
Configure the interfaces.
[edit interfaces] user@RR1# set ge-1/0/0 unit 0 description RR1-to-PE1 user@RR1# set ge-1/0/0 unit 0 family inet address 10.49.0.2/30 user@RR1# set ge-1/0/0 unit 0 family mpls user@RR1# set ge-1/0/1 unit 0 description RR1-to-PE2 user@RR1# set ge-1/0/1 unit 0 family inet address 10.50.0.2/30 user@RR1# set ge-1/0/1 unit 0 family mpls
Configure the route distinguisher and the AS number.
[edit routing-options] user@RR1# set route-distinguisher-id 10.255.165.220 user@RR1# set autonomous-system 203
Configure LDP as the signaling protocol used by the VPN.
[edit protocols ldp] user@RR1# set interface ge-1/0/0 user@RR1# set interface ge-1/0/1
Configure BGP.
[edit protocols bgp group internal] user@RR1# set type internal user@RR1# set local-address 10.255.165.220 user@RR1# set cluster 198.51.100.1 user@RR1# set neighbor 10.255.163.58 description vpn1-to-pe1 family inet-vpn unicast user@RR1# set neighbor 10.255.168.42 description vpn1-to-pe2 family inet-vpn unicast
Configure BGP route target filtering on the peering session with Device PE2.
[edit protocols bgp group internal] user@RR1# set neighbor 10.255.168.42 family route-target
Configure proxy BGP route target filtering on the peering session with Device PE1.
[edit protocols bgp group internal] user@RR1# set neighbor 10.255.163.58 family route-target proxy-generate
Configure OSPF.
[edit protocols ospf area 0.0.0.0] user@RR1# set interface ge-1/0/0 user@RR1# set interface ge-1/0/1 user@RR1# set interface lo0.0 passive
If you are done configuring the device, commit the configuration.
[edit] user@RR1# commit
Results
From configuration mode, confirm your configuration by entering
the show interfaces
, show protocols
and show routing-options
commands. If the output does not display
the intended configuration, repeat the instructions in this example
to correct the configuration.
user@RR1# show interfaces ge-1/0/0 { unit 0 { description RR1-to-PE1; family inet { address 10.49.0.2/30; } family mpls; } } ge-1/0/1 { unit 0 { description RR1-to-PE2; family inet { address 10.50.0.2/30; } family mpls; } }
user@RR1# show protocols bgp { group internal { type internal; local-address 198.51.100.1; cluster 198.51.100.1; neighbor 10.255.163.58 { description vpn1-to-pe1; family inet-vpn { unicast; } family route-target { proxy-generate; } } neighbor 10.255.168.42 { description vpn1-to-pe2; family inet-vpn { unicast; } family route-target; } } } ospf { area 0.0.0.0 { interface ge-1/0/0.0; interface ge-1/0/1.0; interface lo0.0 { passive; } } } ldp { interface ge-1/0/0.0; interface ge-1/0/1.0; }
user@RR1# show routing-options route-distinguisher-id 10.255.165.220; autonomous-system 203;
Configuring Device RR2
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure Device RR2:
Configure the interfaces.
[edit interfaces] user@RR2# set ge-1/0/0 unit 0 description RR2-to-PE1 user@RR2# set ge-1/0/0 unit 0 family inet address 10.49.10.2/30 user@RR2# set ge-1/0/0 unit 0 family mpls user@RR2# set ge-1/0/1 unit 0 description RR2-to-PE2 user@RR2# set ge-1/0/1 unit 0 family inet address 10.50.10.2/30 user@RR2# set ge-1/0/1 unit 0 family mpls
Configure the route distinguisher and the AS number.
[edit routing-options] user@RR2# set route-distinguisher-id 10.255.165.28 user@RR2# set autonomous-system 203
Configure LDP as the signaling protocol used by the VPN.
[edit protocols ldp] user@RR2# set interface ge-1/0/0 user@RR2# set interface ge-1/0/1
Configure BGP.
[edit protocols bgp group internal] user@RR2# set type internal user@RR2# set local-address 10.255.165.28 user@RR2# set cluster 198.51.100.1 user@RR2# set neighbor 10.255.163.58 description vpn2-to-pe1 family inet-vpn unicast user@RR2# set neighbor 10.255.168.42 description vpn2-to-pe2 family inet-vpn unicast
Configure BGP route target filtering on the peering session with Device PE2.
[edit protocols bgp group internal] user@RR2# set neighbor 10.255.168.42 family route-target
Configure proxy BGP route target filtering on the peering session with Device PE1.
[edit protocols bgp group internal] user@RR2# set neighbor 10.255.163.58 family route-target proxy-generate
Configure OSPF.
[edit protocols ospf area 0.0.0.0] user@RR2# set interface ge-1/0/0 user@RR2# set interface ge-1/0/1 user@RR2# set interface lo0.0 passive
If you are done configuring the device, commit the configuration.
[edit] user@RR2# commit
Results
From configuration mode, confirm your configuration by entering
the show interfaces
, show protocols
, and show routing-options
commands. If the output does not display
the intended configuration, repeat the instructions in this example
to correct the configuration.
user@RR2# show interfaces ge-1/0/0 { unit 0 { description RR2-to-PE1; family inet { address 10.49.10.2/30; } family mpls; } } ge-1/0/1 { unit 0 { description RR2-to-PE2; family inet { address 10.50.10.2/30; } family mpls; } }
user@RR2# show protocols bgp { group internal { local-address 10.255.165.28; cluster 198.51.100.1; neighbor 10.255.163.58 { description vpn2-to-pe1; family inet-vpn { unicast; } family route-target { proxy-generate; } } neighbor 10.255.168.42 { description vpn2-to-pe2; family inet-vpn { unicast; } family route-target; } } } ospf { area 0.0.0.0 { interface ge-1/0/0.0; interface ge-1/0/1.0; interface lo0.0 { passive; } } } ldp { interface ge-1/0/0.0; interface ge-1/0/1.0; }
user@RR2# show routing-options route-distinguisher-id 10.255.165.28; autonomous-system 203;
Configuring Device PE2
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure Device PE2:
Configure the interfaces.
[edit interfaces] user@PE2# set ge-1/0/0 unit 0 description PE2-to-RR1 user@PE2# set ge-1/0/0 unit 0 family inet address 10.50.0.1/30 user@PE2# set ge-1/0/0 unit 0 family mpls user@PE2# set ge-1/0/1 unit 0 description PE2-to-RR2 user@PE2# set ge-1/0/1 unit 0 family inet address 10.50.10.1/30 user@PE2# set ge-1/0/1 unit 0 family mpls
Configure the route distinguisher and the AS number.
[edit routing-options] user@PE2# set route-distinguisher-id 10.255.168.42 user@PE2# set autonomous-system 203
Configure LDP as the signaling protocol used by the VPN.
[edit protocols ldp] user@PE2# set interface ge-1/0/0 user@PE2# set interface ge-1/0/1
Configure BGP.
[edit protocols bgp group internal] user@PE2# set type internal user@PE2# set local-address 10.255.168.42 user@PE2# set family inet-vpn unicast user@PE2# set family route-target user@PE2# set neighbor 10.255.165.220 user@PE2# set neighbor 10.255.165.28
Configure OSPF.
[edit protocols ospf area 0.0.0.0] user@PE2# set interface ge-1/0/0 user@PE2# set interface ge-1/0/1 user@PE2# set interface lo0.0 passive
Configure the VPN routing instances.
[edit routing-instances vpn1] user@PE2# set instance-type vrf user@PE2# set vrf-target target:203:100 user@PE2# set routing-options static route 203.0.113.1/24 discard
[edit routing-instances vpn2] user@PE2# set instance-type vrf user@PE2# set vrf-target target:203:101 user@PE2# set routing-options static route 203.0.113.2/24 discard
[edit routing-instances vpn3] user@PE2# set instance-type vrf user@PE2# set vrf-target target:203:103 user@PE2# set routing-options static route 203.0.113.3/24 discard
[edit routing-instances vpn4] user@PE2# set instance-type vrf user@PE2# set vrf-target target:203:104 user@PE2# set routing-options static route 203.0.113.4/24 discard
If you are done configuring the device, commit the configuration.
[edit] user@PE2# commit
Results
From configuration mode, confirm your configuration by entering
the show interfaces
, show protocols
, show
routing-options
, and show routing-instances
commands.
If the output does not display the intended configuration, repeat
the instructions in this example to correct the configuration.
user@PE2# show interfaces ge-1/0/0 { unit 0 { description PE2-to-RR1; family inet { address 10.50.0.1/30; } family mpls; } } ge-1/0/1 { unit 0 { description PE2-to-RR2; family inet { address 10.50.10.1/30; } family mpls; } }
user@PE2# show protocols bgp { group internal { type internal; local-address 10.255.168.42; family inet-vpn { unicast; } family route-target; neighbor 10.255.165.220; neighbor 10.255.165.28; } } ospf { area 0.0.0.0 { interface ge-1/0/0.0; interface ge-1/0/1.0; interface lo0.0 { passive; } } } ldp { interface ge-1/0/0.0; interface ge-1/0/1.0; }
user@PE2# show routing-options route-distinguisher-id 10.255.168.42; autonomous-system 203;
user@PE2# show routing-instances vpn1 { instance-type vrf; vrf-target target:203:100; routing-options { static { route 203.0.113.1/24 discard; } } } vpn2 { instance-type vrf; vrf-target target:203:101; routing-options { static { route 203.0.113.2/24 discard; } } } vpn3 { instance-type vrf; vrf-target target:203:103; routing-options { static { route 203.0.113.3/24 discard; } } } vpn4 { instance-type vrf; vrf-target target:203:104; routing-options { static { route 203.0.113.4/24 discard; } } }
Verification
Confirm that the configuration is working properly.
Verifying the Proxy BGP Route Target Routes
Purpose
Verify that the proxy BGP route target routes are displayed in the bgp.rtarget.0 table on Device RR1.
Action
From operational mode, enter the show route table
bgp.rtartget.0
command to display the proxy BGP route targets.
user@RR1# show route table bgp.rtarget.0 4 destinations, 6 routes (4 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 203:203:100/96 *[RTarget/5] 00:01:22 Type Proxy for 10.255.163.58 Local [BGP/170] 00:04:55, localpref 100, from 10.255.168.42 AS path: I, validation-state: unverified > to 10.50.0.1 via ge-1/0/1 203:203:101/96 *[RTarget/5] 00:01:22 Type Proxy for 10.255.163.58 Local [BGP/170] 00:04:55, localpref 100, from 10.255.168.42 AS path: I, validation-state: unverified > to 10.50.0.1 via ge-1/0/1 203:203:103/96 *[BGP/170] 00:04:55, localpref 100, from 10.255.168.42 AS path: I, validation-state: unverified > to 10.50.0.1 via ge-1/0/1 203:203:104/96 *[BGP/170] 00:04:55, localpref 100, from 10.255.168.42 AS path: I, validation-state: unverified > to 10.50.0.1 via ge-1/0/1
Meaning
Device RR1 is generating the proxy BGP route target
routes on behalf of its peer Device PE1. The proxy BGP route target
routes are identified with the protocol and preference [RTarget/5]
and the route target type of Proxy
.