Configuring Policy for the PE Router's VRF Table

On each PE router, you must define policies that define how routes are imported into and exported from the router's VRF table. In these policies, you must define the route target, and you can optionally define the route origin.

In the import and export policies for the PE router's VRF table, you must define the route target, which defines which VPN the route is part of. To do this, include the target option in the community statement:

 [edit policy-options]
 community name members target:community-id;

In the import and export policies for the PE router's VRF table, you can optionally define the route origin (otherwise known as the site of origin), which identifies the set of routes learned from a particular CE site. To do this, include the origin option in the community statement:

 [edit policy-options]
 community name members origin:community-id;

name is the name of the community. community-id is the identifier of the community. You specify it in one of the following formats:

  • as-number:number, where as-number is an AS number (a 2-byte value), and number is a 4-byte community identifier. The AS number can be in the range 1 through 65,535. We recommend that you use an IANA-assigned, nonprivate AS number, preferably the ISP's own or the customer's own AS number. The community identifier can be a number in the range 0 through 2^32 - 1.

  • ip-address:number, where ip-address is an IPv4 address (a 4-byte value), and number is a 2-byte community identifier. The IP address can be any globally unique unicast address. We recommend that you use the address that you configure in the router-id statement, which is a nonprivate address in your assigned prefix range. The community identifier can be a number in the range 1 through 65,535.
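The two community-id formats and their ranges can be checked before a commit. The following Python sketch is an added example, not part of the original reference: the function names and sample statements are constructed, and the private AS range (64512 through 65534, RFC 6996) is an assumption brought in to implement the "nonprivate" recommendation.

```python
import ipaddress
import re

# Statement shape shown on the page:
#   community name members (target|origin):community-id;
STATEMENT = re.compile(
    r"^\s*community\s+(\S+)\s+members\s+(target|origin):(\S+?)\s*;\s*$")

def parse_community_id(community_id):
    """Return (form, administrator, number); raise ValueError if out of range."""
    admin, sep, number = community_id.rpartition(":")
    if not sep or not number.isdigit():
        raise ValueError(f"expected administrator:number, got {community_id!r}")
    number = int(number)
    if admin.isdigit():                      # as-number:number form
        asn = int(admin)
        if not 1 <= asn <= 65535:
            raise ValueError("AS number must be 1 through 65,535")
        if number > 2**32 - 1:
            raise ValueError("identifier must be 0 through 2^32 - 1")
        return "as", asn, number
    ip = ipaddress.IPv4Address(admin)        # raises ValueError if malformed
    if not 1 <= number <= 65535:             # ip-address:number form
        raise ValueError("identifier must be 1 through 65,535")
    return "ip", ip, number

def audit_statement(line):
    """Parse one community statement; return (name, option, warnings)."""
    m = STATEMENT.match(line)
    if not m:
        raise ValueError("not a 'community name members target:/origin:' statement")
    name, option, community_id = m.groups()
    form, admin, _ = parse_community_id(community_id)
    warnings = []
    # Assumption: private AS range taken from RFC 6996, not from the page.
    if form == "as" and 64512 <= admin <= 65534:
        warnings.append("private AS number; a nonprivate one is recommended")
    if form == "ip" and (admin.is_multicast or not admin.is_global):
        warnings.append("address is not a globally unique unicast address")
    return name, option, warnings

# Constructed sample statements (64496 is a documentation AS number).
SAMPLES = [
    "community vpn-a-rt members target:64496:100;",
    "community vpn-b-rt members target:65000:1;",
    "community site1-soo members origin:10.0.0.1:7;",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", audit_statement(line))
```
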

Each VPN must have a policy that defines how routes are imported into the PE router's VRF table. The import policy is applied to routes received from other PE routers in the VPN. The policy must evaluate all routes received over the IBGP session with the other PE router. If the routes match the conditions, the route is installed in the PE router's routing-instance-name.inet.0 VRF table. The import policy must contain a second term that rejects all other routes. Unless the import policy contains only a then reject statement, it must include a reference to a community. Otherwise, when you try to commit the configuration, the commit fails. You can configure multiple import policies.

To configure an import policy for the PE router's VRF table, follow these steps:

  1. To define the import policy, include the policy-statement statement. For all PE routers, the import policy must always include the following, at a minimum. This policy evaluates all routes received over the IBGP session with the other PE router. If the routes match the conditions in the from statement, the route is installed in the PE router's routing-instance-name.inet.0 VRF table. The second term in the policy rejects all other routes.

     [edit]
     policy-options {
         policy-statement import-policy-name {
             term import-term-name {
                 from {
                     protocol bgp;
                     community community-id;
                 }
                 then accept;
             }
             term term-name {
                 then reject;
             }
         }
     }

  2. To apply the import policy, include the vrf-import statement:

     [edit routing-instances routing-instance-name]
     vrf-import [ import-policy-names ];

Each VPN must have a policy that defines how routes are exported from the PE router's VRF table. The export policy is applied to routes sent to other PE routers in the VPN. The export policy must evaluate all routes received over the routing protocol session with the CE router. (This session can use either the BGP, OSPF, or RIP routing protocol or static routes.) If the routes match the conditions, the specified community target (which is the route target) is added to them, and they are exported to the remote PE routers. The export policy must contain a second term that rejects all other routes. Export policies defined within the VPN routing instance are the only export policies that apply to the VRF table. Any export policy that you define on the IBGP session between the PE routers has no effect on the VRF table. You can configure multiple export policies.

To configure an export policy for the PE router's VRF table, follow these steps:

  1. To define the export policy, include the policy-statement statement. For all PE routers, the export policy must distribute VPN routes to and from the connected CE routers in accordance with the type of routing protocol that you configure between the CE and PE routers within the routing instance. The export policy must always include the following, at a minimum. The first term evaluates all routes received over the routing protocol session with the CE router. (This session can use either the BGP, OSPF, or RIP routing protocol or static routes.) If the routes match the conditions in the from statement, the community target specified in the then community add statement is added to them, and they are exported to the remote PE routers. The second term in the policy rejects all other routes.

     [edit]
     policy-options {
         policy-statement export-policy-name {
             term export-term-name {
                 from protocol (bgp | ospf | rip | static);
                 then {
                     community add community-id;
                     accept;
                 }
             }
             term term-name {
                 then reject;
             }
         }
     }

  2. To apply the policy, include the vrf-export statement:

     [edit routing-instances routing-instance-name]
     vrf-export [ export-policy-names ];


Juniper Networks Field Guide and Reference
ISBN: 0321122445
Year: 2002
Pages: 185