
Route-policy in vpn-instance and BGP vpn-instance address family

Latest reply: Feb 21, 2020 14:33:19


A few days ago, a customer reported that a route-policy configured in a vpn-instance didn't take effect. I checked the configuration, and it all seemed normal. Unlike in most scenarios, the route-policy was configured on the vpnv4 address family. So I tested it in eNSP and would like to share the conclusion with you.


Topology is as below:

161307wu8ycddc8cmad61v.png


Corresponding configuration:

R1:

#
bgp 100
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.2 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.2 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 100:1 export-extcommunity
  vpn-target 100:1 import-extcommunity
#

 

R2:

#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.1 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.1 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 100:1 export-extcommunity
  vpn-target 100:1 import-extcommunity
#

After the configuration, check the BGP vpnv4 routing table on both R1 and R2:

R1:

161307reumvyegymvdgeyt.png

 

R2:

161307e6yzwb6e46gn97yk.png

As the results show, all the routes could be learned normally.

 

1.1 Enable route-policy on R1, and apply it as below

161307pyxsyerzf84relfe.png

161308ezh6h1j6jc3q367v.png

 

Check the BGP vpnv4 routing table on R1 and R2:

R1:

161308avg6vttvg0w54788.png

 

R2:

161308hyq88qdlqdh9n1iq.png

 

As the results show, 20.1.1.0/24 is no longer loaded into the vpn-instance routing table.

 

1.2 Change the R1 configuration as below:

161308igkr5thjd5lzytgl.png

 

Check the BGP vpnv4 routing table on R1 and R2:

R1:

161308qb1qly8ib8gie22e.png

 

R2:

161308pgarfvsh5h2saqvf.png

 

Unlike in the previous situation, the export route-policy configured in the vpn-instance blocked the vpn-instance routes from being advertised to the remote peer.

 

1.3 Change the R1 configuration as below

R1:

161308x25q50qksnqkzzn3.png

 

Check the BGP vpnv4 routing table on R1 and R2:

R1:

161309y827suu65sciduum.png

 

R2:

161309umadd15mua6pm2da.png

 

As the results show, it's quite similar to the export route-policy in the vpn-instance. But actually, it's not like that: a route-policy in the BGP vpn-instance address family blocks the imported routes even in the vpn-instance routing table.

 

1.4 Change the R1 configuration as below:

161309mx6rogxorjoxzh6r.png

 

Check the BGP vpnv4 routing table on R1 and R2:

R1:

161309fs10n0t2561xbz1q.png

 

R2:

161309v1xl9z1l9egk941m.png

 

As the results show, the route-policy configured in the vpnv4 address family blocked vpnv4 routes.

 

From these tests, we can draw the conclusion below:

| route-policy applied in | affect the vpn-instance routing table | affect the vpnv4 routing table |
| --- | --- | --- |
| BGP vpn-instance address family | yes | yes |
| BGP vpnv4 address family | yes | yes |
| vpn-instance(import) | yes | no |
| vpn-instance(export) | no | yes |

 

Hope you enjoy this article. If you have any further questions, please comment below, and I'll try to explain.
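An added example, not part of the original post: a small config audit that finds each route-policy application point in a VRP-style configuration and reports, using the post's conclusion table, which routing tables it affects. This is useful when reviewing whether a filter meant to keep a prefix out of a VPN covers both tables. The policy names (RP_*) are hypothetical and the command forms that attach them are assumptions, since the post's own configurations were screenshots.

```python
import re
# The post's conclusion table: point -> (affects vpn-instance table, affects vpnv4 table)
EFFECT = {
    "BGP vpn-instance address family": (True, True),
    "BGP vpnv4 address family": (True, True),
    "vpn-instance(import)": (True, False),
    "vpn-instance(export)": (False, True),
}

def audit(config):
    """Return [(policy, application point, hits vpn-instance table, hits vpnv4 table)]."""
    rows, top, family = [], "", ""
    for raw in (ln for ln in config.splitlines() if ln.strip()):
        line = raw.strip()
        if not raw.startswith(" "):          # unindented: '#' or a new top-level view
            top, family = ("" if line == "#" else line), ""
        elif line == "#":                    # indented '#': end of one address family
            family = ""
        elif line.startswith("ipv4-family"):
            family = line
        else:
            m, point = re.search(r"\broute-policy (\S+)", line), None
            kw = line.split()[0]
            if top.startswith("bgp ") and family.startswith("ipv4-family vpn-instance "):
                point = "BGP vpn-instance address family"
            elif top.startswith("bgp ") and family == "ipv4-family vpnv4":
                point = "BGP vpnv4 address family"
            elif top.startswith("ip vpn-instance ") and kw in ("import", "export"):
                point = f"vpn-instance({kw})"
            if m and point:
                rows.append((m.group(1), point) + EFFECT[point])
    return rows

# Constructed sample based on R1 from the post; policy names and attach commands are assumed.
SAMPLE = """\
bgp 100
 ipv4-family vpnv4
  peer 2.2.2.2 route-policy RP_VPNV4 export
 #
 ipv4-family vpn-instance vpn1
  import-route direct route-policy RP_BGP_VRF
#
ip vpn-instance vpn1
 ipv4-family
  import route-policy RP_IMPORT
  export route-policy RP_EXPORT
"""

for row in audit(SAMPLE):
    print(*row)
```

Rows whose last two fields are not both `True` mark policies that filter only one of the two tables.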

 



Mina1
Created Feb 21, 2020 14:33:19

good job