Mailing List Archive

Filtering Extended Communities from VPN-CE's
Does anyone know of a way to do this? After hooking up a Juniper as a CE in an L3VPN, I was able to tag extended VPN communities on routes advertised to the PE, and since we are redistributing based on communities in the core side of the VPN, I was able to advertise these blocks into another completely different VRF... I want to allow people to use standard communities but deny any extended that would allow them to introduce their blocks to a neighbor VPN. Thanks.

--Scott
Filtering Extended Communities from VPN-CE's [ In reply to ]
hi scott,

on the PE router, you can create an import policy that strips out all target communities (target:*:*) before advertising to other PEs.

cliff

--------------------
ex.
cliff@vpn04# show routing-instances vpna
instance-type vrf;
interface es-5/1/0.0;
interface lo0.1;
vrf-target target:69:1;
protocols {
    bgp {
        group ebgp {
            type external;
            import delete-target; <<<<<<<<<<<<<
            peer-as 100;
            as-override;
            neighbor 10.49.100.2;
        }
    }
}

[edit]

POLICY:
cliff@vpn04# show policy-options
policy-statement delete-target {
    term 1 {
        then {
            community delete other-target;
            accept;
        }
    }
}
community other-target members target:*:*;

[edit]

---------------
cliff@vpn04# run show route receive-protocol bgp 10.49.100.2 detail

inet.0: 20 destinations, 27 routes (19 active, 0 holddown, 1 hidden)

inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

vpna.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
* 10.49.30.0/24 (1 entry, 1 announced)
     Nexthop: 10.49.100.2
     MED: 0
     AS path: 100 I
     Communities: target:69:2 <<<<<<<<CE sends route with target belonging to another VRF

Here we strip out 'target:69:2' and send the right community.

cliff@vpn04# run show route advertising-protocol bgp 10.255.14.178 detail

...
* 10.49.30.0/24 (1 entry, 1 announced)
     BGP group ibgp type Internal
     Route Distinguisher: 10.255.14.174:2
     VPN Label: 103328
     Nexthop: Self
     MED: 0
     Localpref: 100
     AS path: 100 I
     Communities: target:69:1 <<<<<<<<<<

...

-----Original Message-----
From: Scott Stoddard [mailto:scott@gblx.net]
Sent: Monday, February 10, 2003 2:32 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Filtering Extended Communities from VPN-CE's



Does anyone know of a way to do this? After hooking up a Juniper as a CE in an L3VPN, I was able to tag extended VPN communities on routes advertised to the PE, and since we are redistributing based on communities in the core side of the VPN, I was able to advertise these blocks into another completely different VRF... I want to allow people to use standard communities but deny any extended that would allow them to introduce their blocks to a neighbor VPN. Thanks.

--Scott
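
An added example, not part of the original thread: a Python check that parses `show route receive-protocol bgp <CE> detail` output in the format quoted above and reports every route that arrives from the CE already carrying a route-target extended community. The sample output is constructed (the second and third prefixes and their communities are invented) and the function name is hypothetical.

```python
import re

# Constructed sample in the format of the `show route receive-protocol bgp
# <CE> detail` output quoted in the thread. The second and third prefixes and
# their communities are invented for illustration.
SAMPLE = """\
inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

vpna.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
* 10.49.30.0/24 (1 entry, 1 announced)
     Nexthop: 10.49.100.2
     MED: 0
     AS path: 100 I
     Communities: target:69:2
* 10.49.31.0/24 (1 entry, 1 announced)
     Nexthop: 10.49.100.2
     AS path: 100 I
     Communities: 100:500
* 10.49.32.0/24 (1 entry, 1 announced)
     Nexthop: 10.49.100.2
     AS path: 100 I
     Communities: 100:500 target:69:3
"""

TABLE_RE = re.compile(r"^(\S+):\s+\d+ destinations")
PREFIX_RE = re.compile(r"^\*?\s*(\S+/\d+)\s+\(\d+ entr")
TARGET_RE = re.compile(r"\btarget:[\w.]+:\d+")  # route-target extended community


def ce_supplied_targets(output):
    """Return (table, prefix, [targets]) for each route received with a route target."""
    findings, table, prefix = [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        if m := TABLE_RE.match(line):
            table, prefix = m.group(1), None      # new routing table section
        elif m := PREFIX_RE.match(line):
            prefix = m.group(1)                   # new route entry
        elif line.startswith("Communities:") and prefix:
            targets = TARGET_RE.findall(line)     # standard communities are ignored
            if targets:
                findings.append((table, prefix, targets))
    return findings


if __name__ == "__main__":
    for table, prefix, targets in ce_supplied_targets(SAMPLE):
        print(f"{table} {prefix}: CE-supplied {', '.join(targets)}")
```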

