
Import 2 route policies in 1 vpn-instance

Created: Jul 1, 2020 11:20:46. Latest reply: Jul 6, 2020 09:58:40. (Problem unresolved.)

Hello Team, 


My requirement is to import 10.129.0.0/16 from vpn-instance l2tp and 0.0.0.0/0 from vpn-instance fw to vpn-instance ipafemto_nat.

But the issue I have is that I can't configure vpn-instance ipafemto_nat to import 2 route policies to match my criteria.

I only want to import the "default route" from the vpn-instance fw to vpn-instance ipafemto_nat.
How can I do this?



ip vpn-instance ipafemto_nat
 ipv4-family
  route-distinguisher 10.113.3.253:140
  import route-policy l2tp_fw-to-ipanat    // The new vrf "ipafemto_nat" will only import 10.129.0.0/16 from vrf "l2tp"
  vpn-target 64589:140 export-extcommunity
  vpn-target 64589:140 import-extcommunity
#
ip vpn-instance l2tp
 ipv4-family
  route-distinguisher 10.113.3.253:81
  export route-policy l2tp_fw-to-ipanat    // This will only export 10.129.0.0/16 to vrf "ipafemto_nat"
  vpn-target 64589:81 export-extcommunity
  vpn-target 64589:81 64589:1 64589:2 64589:51 64589:54 64589:53 64589:10 64589:3 import-extcommunity
  vpn-target 64589:4 64589:101 64589:100 64589:72 64589:76 64589:9 64589:6 64589:97 import-extcommunity
  vpn-target 64589:56 64589:140 import-extcommunity    // Routes from vrf "ipafemto_nat" will be imported to vrf "l2tp"
  traffic-statistics enable
#
ip vpn-instance fw
 ipv4-family
  route-distinguisher 10.113.3.253:201
  export route-policy l2tp_fw-to-ipanat    // This will only export 0.0.0.0/0 to vrf "ipafemto_nat"
  vpn-target 64589:201 export-extcommunity
  vpn-target 64589:201 64589:1 64589:2 64589:3 64589:4 64589:6 64589:51 64589:52 import-extcommunity
  vpn-target 64589:53 64589:54 64589:55 64589:10 64589:9 64589:30 64589:56 64589:140 import-extcommunity    // Routes from vrf "ipafemto_nat" will be imported to vrf "fw"
#
route-policy l2tp_fw-to-ipanat permit node 10
 if-match ip-prefix l2tp_fw-to-ipanat
#
ip ip-prefix l2tp_fw-to-ipanat index 10 permit 10.129.0.0 16 greater-equal 28 less-equal 32
ip ip-prefix l2tp_fw-to-ipanat index 20 permit 0.0.0.0 0
#
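An added example, not part of the original post and not Huawei code: it evaluates the ip-prefix list posted above against a set of constructed candidate routes, so you can check which prefixes the filter would let leak into another vpn-instance before applying it. The function names and the candidate routes are assumptions; the matching rules are the standard VRP ip-prefix semantics (exact mask length when no range is given, implicit deny for unmatched routes).

```python
import ipaddress

# The two ip-prefix entries exactly as posted in the question:
# (index, action, prefix, mask_len, greater_equal, less_equal)
IP_PREFIX_L2TP_FW_TO_IPANAT = [
    (10, "permit", "10.129.0.0", 16, 28, 32),
    (20, "permit", "0.0.0.0", 0, None, None),
]

def length_range(mask_len, ge, le):
    """Mask-length window an entry accepts."""
    if ge is None and le is None:
        return mask_len, mask_len          # no range: exact length only
    low = ge if ge is not None else mask_len
    high = le if le is not None else 32    # greater-equal alone means ge..32
    return low, high

def ip_prefix_action(entries, route):
    """Return 'permit' or 'deny' for one route; first matching index wins."""
    net = ipaddress.ip_network(route, strict=True)
    for _index, action, prefix, mask_len, ge, le in sorted(entries, key=lambda e: e[0]):
        cover = ipaddress.ip_network(f"{prefix}/{mask_len}", strict=False)
        low, high = length_range(mask_len, ge, le)
        if net.subnet_of(cover) and low <= net.prefixlen <= high:
            return action
    return "deny"                          # implicit deny at the end of the list

def leaked_routes(entries, candidates):
    """Routes that a single permit node matching this list would pass."""
    return [r for r in candidates if ip_prefix_action(entries, r) == "permit"]

# Constructed candidate routes (not taken from the poster's router).
CANDIDATES = [
    "0.0.0.0/0",        # default route
    "10.129.0.0/16",    # the aggregate named in the poster's comments
    "10.129.4.16/28",   # /28 inside the aggregate
    "10.129.4.17/32",   # host route inside the aggregate
    "10.129.8.0/24",    # inside the aggregate but shorter than /28
    "10.130.0.0/16",    # unrelated prefix
    "192.168.1.0/24",   # unrelated prefix
]

if __name__ == "__main__":
    for r in CANDIDATES:
        print(f"{r:<18} {ip_prefix_action(IP_PREFIX_L2TP_FW_TO_IPANAT, r)}")
```

With the list as posted, index 10 permits only /28 to /32 routes inside 10.129.0.0/16 and not the /16 aggregate itself, while index 20 permits exactly 0.0.0.0/0 and nothing longer.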


All Answers
jason_hu
jason_hu Admin Created Jul 1, 2020 11:22:32 Helpful(1) Helpful(1)

Hello,
It's nice to meet you in the community.
We're working on your problem. Please be patient.

ster
ster Created Jul 1, 2020 11:54:53 Helpful(0) Helpful(0)

Hello,
You can create vpn-instance fw instance under vpn-instance ipafemto_nat instance.

KasunRajapakse Created Jul 1, 2020 13:08:17
This doesn't help me to ONLY import default route from vpn-instance fw  
chenhui
chenhui Admin Created Jul 2, 2020 09:55:27 Helpful(0) Helpful(0)

Hi,
Are these three vpn-instances on the same router? Or are the vpn-instances on different routers, with the routes transferred over the MPLS VPN?
For the first situation, I think what you want is route leaking, and the export route-policy, in my opinion, will not take effect, because it is used to control route spreading in the MPLS VPN scenario.
For the second scenario, I don't think the routes could be accepted correctly due to the vpn-target mismatch.
Please help to confirm.
Thanks.

KasunRajapakse
KasunRajapakse Created Jul 2, 2020 11:12:58 Helpful(0) Helpful(0)

Posted by chenhui at 2020-07-02 09:55 Hi,Are these three vpn-instances on the same router? Or the vpn-instance are in different routers an ...
Hi,
All vpn-instance are on the same router.
I just want "vpn-instance ipafemto_nat" to have only 2 routes in its routing table. That is the 10.129.0.0/16 exported from l2tp and 0.0.0.0/0 from fw

chenhui
chenhui Admin Created Jul 3, 2020 02:04:29 Helpful(1) Helpful(1)

Posted by KasunRajapakse at 2020-07-02 11:12 Hi, All vpn-instance are on the same router. I just want "vpn-instance ipafemto_nat" to have only  ...

Hi,

For your scenario, what you need is the route leaking between the vpn-instances. Kindly refer to the example below:

route-leaking


BTW, if you are using the VRP V8 platform, you can use the import-rib to do the route leaking. Kindly refer to the example below:

#
ip route-static vpn-instance 1 30.1.1.0 255.255.255.0 vpn-instance 3 30.1.1.2
ip route-static vpn-instance 2 30.1.1.0 255.255.255.0 vpn-instance 3 30.1.1.2
ip route-static vpn-instance 3 10.1.1.0 255.255.255.0 vpn-instance 1 10.1.1.2
#
ip vpn-instance 3
 ipv4-family
  import-rib vpn-instance 2 protocol direct      
  route-distinguisher 100:3
  import route-policy 1
  vpn-target 100:3 export-extcommunity
  vpn-target 100:3 import-extcommunity
  vpn-target 100:1 import-extcommunity
#

In this solution, the route from vpn-instance 3 to vpn-instance 2 is imported into vpn-instance 3 through the import-rib command rather than through a static route. Note that in solution 2 you can import not only direct routes from the RIB but also routes from other protocols, such as OSPF and ISIS. You can also configure a route-policy to control which routes are imported.

Based on solution 2, the routing table of vpn-instance 3 is as follows:

[~HUAWEI]dis ip rout vpn 3
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : 3
         Destinations : 11       Routes : 11        

Destination/Mask    Proto   Pre  Cost Flags NextHop     Interface
        2.2.2.2/32  Direct  0    0      D   127.0.0.1   LoopBack0
        3.3.3.3/32  Direct  0    0      D   127.0.0.1   LoopBack1
       10.1.1.0/24  Static  60   0      RD  10.1.1.2    Ethernet1/0/1
       20.1.1.0/24  Direct  0    0      D   20.1.1.1    Ethernet1/0/2
       20.1.1.1/32  Direct  0    0      D   127.0.0.1   Ethernet1/0/2
     20.1.1.255/32  Direct  0    0      D   127.0.0.1   Ethernet1/0/2
       30.1.1.0/24  Direct  0    0      D   30.1.1.1    Ethernet1/0/3
       30.1.1.1/32  Direct  0    0      D   127.0.0.1   Ethernet1/0/3
     30.1.1.255/32  Direct  0    0      D   127.0.0.1   Ethernet1/0/3
      127.0.0.0/8   Direct  0    0      D   127.0.0.1   InLoopBack0
255.255.255.255/32  Direct  0    0      D   127.0.0.1   InLoopBack0
[~HUAWEI]


As you can see, with this solution, all the directly connected routes are imported into vpn-instance 3.

The imported routes are listed below:

        2.2.2.2/32  Direct  0    0      D   127.0.0.1   LoopBack0
       20.1.1.0/24  Direct  0    0      D   20.1.1.1    Ethernet1/0/2
       20.1.1.1/32  Direct  0    0      D   127.0.0.1   Ethernet1/0/2
     20.1.1.255/32  Direct  0    0      D   127.0.0.1   Ethernet1/0/2


Any further questions, kindly let me know.


KasunRajapakse
KasunRajapakse Created Jul 6, 2020 09:01:37 Helpful(0) Helpful(0)

Hello Chenhui,

I need to export some routes which are learned by BGP in a particular VRF to another.
How can I do this?


Example.

VRF 1 will have its default route learned via BGP from somewhere.
I now need to export this default route (which is learned via BGP) to VRF 2.
How can I do this?



Thanks


chenhui
chenhui Admin Created Jul 6, 2020 09:58:40 Helpful(0) Helpful(0)

Posted by KasunRajapakse at 2020-07-06 09:01 Hello Chenhui,I need to export some routes which are learned by BGP in a particular VRF to another.H ...
Hi,
Does VRF 1 learn the default route through MPLS VPN or a normal BGP peer?
Actually, the convenient way is to configure the default route on VRF 2 as below:
#
ip route-static vpn-instance 1 0.0.0.0 0.0.0.0 Ethernet1/0/0 // Ethernet1/0/0 is the outward interface.
#

What's more, you can draw a sample topology and mark your requirement on the sample.