Hello Guys,
I have a question for you about a prefix-list-based vrf-export policy. There is the 10.147.0.0/16 prefix in the VPRN routing table, which is received from a locally connected CE router via eBGP. This exact prefix is the only one I do not want to advertise to remote PEs, so I have created a prefix-list with this prefix and a vrf-export policy to reject only this prefix and advertise all other prefixes via MP-BGP to remote PEs by using the "default-action accept" statement.
Unfortunately, after applying this policy as a vrf-export, the PE does not advertise any prefix to remote PEs.
Can you check my syntax, please?
Thank you so much for your help in advance!
Regards,
Bela
    prefix-list "man-vsrx-10-147"
        prefix 10.147.0.0/16 exact
    exit
    policy-statement "vrf-exp-man"
        entry 10
            from
                protocol bgp
                prefix-list "man-vsrx-10-147"
            exit
            to
                protocol bgp-vpn
            exit
            action reject
        exit
        default-action accept
    exit
exit
*A:DGY-CORE-ALU-001>config>service>vprn# info
----------------------------------------------
    description "MAN-VRF"
    vrf-export "vrf-exp-man"
    autonomous-system 65000
    route-distinguisher 10.159.0.25:6
    auto-bind-tunnel
        resolution-filter
            ldp
            rsvp
        exit
        resolution filter
    exit
    vrf-target target:65000:6
    interface "LB" create
        address 6.6.6.3/32
        loopback
    exit
.
.
.
.
VRF export policy with prefix-list
Re: VRF export policy with prefix-list
You could try adding a second entry that matches all but still has "to protocol bgp-vpn" so that what's matched gets redistributed i.e.
Code:
    policy-statement "vrf-exp-man"
        entry 10
            from
                protocol bgp
                prefix-list "man-vsrx-10-147"
            exit
            action reject
        exit
        entry 20
            from
                protocol bgp
            exit
            to
                protocol bgp-vpn
            exit
            action accept
        exit
    exit
Re: VRF export policy with prefix-list
You should be using MP-BGP to distribute VPNv4 prefixes for IPv4 prefixes contained within the VPRNs.
configure router bgp group "MP-BGP_PEERS" family vpn-ipv4
After you have a VPN-IPv4 neighborship between the PEs, you can apply your export policy to the group or neighbor. You can also filter that /16 on the CPE itself. If you wanted to deny it on the PE, a quick policy would be:
configure router policy-options
    prefix-list "BLOCKED_NETWORKS"
        prefix 10.147.0.0/16 exact
    exit
    policy-statement "FILTER_ROUTES"
        entry 1
            from
                prefix-list "BLOCKED_NETWORKS"
                protocol bgp
            exit
            action reject
        exit
        default-action accept
    exit