How to individually limit IPv4 and IPv6 routes in a VPN scenario

Article ID: KB24203 KB Last Updated: 24 Feb 2020 Version: 2.0
Summary:
This article provides information on how to individually limit IPv4 and IPv6 routes in a VPN scenario.
Symptoms:
You can limit the number of routes in a VPN scenario by defining a maximum-prefixes limit and threshold. The limit can be set individually for IPv4 and IPv6.
Solution:
You can set the limit separately for IPv4 and IPv6, instead of a common limit, by defining the following configurations under the VPN routing-instance:
[edit]
User1@router1# show routing-instances 
VPNA {
    instance-type vrf;
    interface ge-3/1/7.0;
    route-distinguisher 100:1;
    vrf-target target:100:100;
    routing-options {
        rib VPNA.inet.0 {
            maximum-prefixes 15 threshold 100;   # syntax: maximum-prefixes prefix-limit <log-only | threshold value log-interval seconds>
        }
        rib VPNA.inet6.0 {
            maximum-prefixes 20 threshold 100;   # syntax: maximum-prefixes prefix-limit <log-only | threshold value log-interval seconds>
        }
    }
    protocols {
        bgp {
            group CE1 {
                neighbor 172.168.1.2 {
                    family inet {
                        unicast;
                    }
                    peer-as 65001;
                }
                neighbor cafe:1890:5000:30d4::2 {
                    family inet6 {
                        unicast;
                    }
                    peer-as 65001;
                }
            }
        }
    }
}
With CE advertising 10 prefixes each for IPv4 and IPv6, you will have:
[edit]
user@router# run show bgp summary 
Groups: 2 Peers: 3 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 0          0          0          0          0          0
bgp.l3vpn.0            0          0          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
4.4.4.4                 100         46         45       0       0       11:40 Establ
  bgp.l3vpn.0: 0/0/0/0
  bgp.l3vpn-inet6.0: 0/0/0/0
172.168.1.2           65001         27         37      0       2           2 Establ
  VPNA.inet.0: 10/10/10/0
cafe:1890:5000:30d4::2 65001        23         37       0       2         23 Establ
  VPNA.inet6.0: 10/10/10/0
Now, when the other side's PE starts to advertise 15 IPv6 routes and 20 IPv4 routes, you will see the limit being hit:
May 17 16:12:22  router1 rpd[69633]: RPD_RT_PREFIX_LIMIT_REACHED: Number of prefixes (15) in table VPNA.inet.0 still exceeds or equals configured maximum (15)
May 17 16:12:24  router1 rpd[69633]: RPD_RT_PREFIX_LIMIT_REACHED: Number of prefixes (20) in table VPNA.inet6.0 reached configured maximum (20)

[edit]
User1@router1# run show bgp summary    
Groups: 2 Peers: 3 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 0          0          0          0          0          0
bgp.l3vpn.0           21         21          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
4.4.4.4                 100         55         49       0       0       13:47 Establ
  VPNA.inet.0: 3/3/3/0
  VPNA.inet6.0: 6/6/6/0
  bgp.l3vpn.0: 21/21/21/0
  bgp.l3vpn-inet6.0: 16/16/16/0
172.168.1.2           65001         31         42       0       2        2:09 Establ
  VPNA.inet.0: 10/10/10/0
cafe:1890:5000:30d4::2       65001         27         43       0       2        2:30 Establ
  VPNA.inet6.0: 10/10/10/0
Out of the 16 IPv6 routes (bgp.l3vpn-inet6.0) received from the other PE, only 6 are installed in VPNA.inet6.0. Out of the 21 IPv4 routes (bgp.l3vpn.0), only 3 are installed in the VPNA.inet.0 table.

Note: The remaining 2 IPv4 routes (after considering 10 from CE and 3 from remote PE) are Local and Direct routes for the VRF interface. The same applies to IPv6 as well, in which 4 routes are Local and Direct routes for the VRF interface.
[edit]
User1@router1# run show route table VPNA.inet.0 terse 

VPNA.inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* 20.0.14.0/24       B 170        100            >so-5/0/2.0      65002 ?
* 20.0.15.0/24       B 170        100            >so-5/0/2.0      65002 ?
* 20.0.16.0/24       B 170        100            >so-5/0/2.0      65002 ?
* 100.0.0.0/24       B 170        100            >172.168.1.2     65001 ?
* 100.0.1.0/24       B 170        100            >172.168.1.2     65001 ?
* 100.0.2.0/24       B 170        100            >172.168.1.2     65001 ?
* 100.0.3.0/24       B 170        100            >172.168.1.2     65001 ?
* 100.0.4.0/24       B 170        100            >172.168.1.2     65001 ?
* 100.0.5.0/24       B 170        100            >172.168.1.2     65001 ?
* 100.0.6.0/24       B 170        100            >172.168.1.2     65001 ?
* 100.0.7.0/24       B 170        100            >172.168.1.2     65001 ?
* 100.0.8.0/24       B 170        100            >172.168.1.2     65001 ?
* 100.0.9.0/24       B 170        100            >172.168.1.2     65001 ?
* 172.168.1.0/30     D   0                       >ge-3/1/7.0   
* 172.168.1.1/32     L   0                        Local

[edit]
User1@router1# run show route table VPNA.inet6.0 terse   

VPNA.inet6.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* 5555::c000:1/128   B 170        100            >cafe:1890:5000:30d4::2 64612 ?
* 5555::c000:2/128   B 170        100            >cafe:1890:5000:30d4::2 64612 ?
* 5555::c000:3/128   B 170        100            >cafe:1890:5000:30d4::2 64612 ?
* 5555::c000:4/128   B 170        100            >cafe:1890:5000:30d4::2 64612 ?
* 5555::c000:5/128   B 170        100            >cafe:1890:5000:30d4::2 64612 ?
* 5555::c000:6/128   B 170        100            >cafe:1890:5000:30d4::2 64612 ?
* 5555::c000:7/128   B 170        100            >cafe:1890:5000:30d4::2 64612 ?
* 5555::c000:8/128   B 170        100            >cafe:1890:5000:30d4::2 64612 ?
* 5555::c000:9/128   B 170        100            >cafe:1890:5000:30d4::2 64612 ?
* 5555::c000:a/128   B 170        100            >cafe:1890:5000:30d4::2 64612 ?
* 6666::c000:1/128   B 170        100            >so-5/0/2.0      65002 ?
* 6666::c000:2/128   B 170        100            >so-5/0/2.0      65002 ?
* 6666::c000:3/128   B 170        100            >so-5/0/2.0      65002 ?
* 6666::c000:4/128   B 170        100            >so-5/0/2.0      65002 ?
* 6666::c000:5/128   B 170        100            >so-5/0/2.0      65002 ?
* 6666::c000:6/128   B 170        100            >so-5/0/2.0      65002 ?
  cafe:1890:5000:30d4::/64
*                    D   0                       >ge-3/1/7.0   
  cafe:1890:5000:30d4::1/128
*                    L   0                        Local
* fe80::/64          D   0                       >ge-3/1/7.0   
  fe80::290:69ff:fe71:7da0/128
*                    L   0                        Local
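A per-family prefix limit only protects the VRF if someone notices when it trips, because routes beyond the limit are silently not installed. The following added example (not part of the original article) parses the RPD_RT_PREFIX_LIMIT_REACHED messages shown above and reports, per routing instance and address family, whether the limit was just reached or is still being exceeded. The function names, the third sample log line and the "master" label for tables without an instance prefix are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two messages from the article plus one unrelated line.
SAMPLE_SYSLOG = """\
May 17 16:12:22  router1 rpd[69633]: RPD_RT_PREFIX_LIMIT_REACHED: Number of prefixes (15) in table VPNA.inet.0 still exceeds or equals configured maximum (15)
May 17 16:12:24  router1 rpd[69633]: RPD_RT_PREFIX_LIMIT_REACHED: Number of prefixes (20) in table VPNA.inet6.0 reached configured maximum (20)
May 17 16:12:30  router1 mgd[70001]: UI_COMMIT: User 'User1' requested 'commit' operation
"""

LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+rpd\[\d+\]:\s*"
    r"RPD_RT_PREFIX_LIMIT_REACHED:\s+Number of prefixes \((?P<count>\d+)\)\s+"
    r"in table (?P<table>\S+)\s+(?P<state>still exceeds or equals|reached)\s+"
    r"configured maximum \((?P<limit>\d+)\)"
)
# Splits "VPNA.inet6.0" into instance "VPNA" and family "inet6"; "inet.0" has no instance.
TABLE_RE = re.compile(r"^(?:(?P<inst>.+)\.)?(?P<fam>inet6?)\.\d+$")

def parse_limit_events(text):
    """Return one dict per prefix-limit message; all other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LIMIT_RE.match(line.strip())
        if not m:
            continue
        t = TABLE_RE.match(m["table"])
        events.append({
            "time": m["ts"], "host": m["host"], "table": m["table"],
            "instance": (t["inst"] or "master") if t else m["table"],
            "family": {"inet": "ipv4", "inet6": "ipv6"}[t["fam"]] if t else "other",
            "count": int(m["count"]), "limit": int(m["limit"]),
            # "still exceeds or equals" means the table was already at the limit
            "persistent": m["state"] != "reached",
        })
    return events

def summarize(events):
    """Keep the latest event per (host, instance) and address family."""
    summary = defaultdict(dict)
    for e in events:
        summary[(e["host"], e["instance"])][e["family"]] = e
    return dict(summary)

if __name__ == "__main__":
    for (host, inst), fams in summarize(parse_limit_events(SAMPLE_SYSLOG)).items():
        for fam, e in sorted(fams.items()):
            kind = "still at/over limit" if e["persistent"] else "limit reached"
            print(f"{host} {inst} {fam}: {e['count']}/{e['limit']} ({kind})")
```

A persistent event for one family with none for the other is the case the separate limits are meant to expose: one address family is saturating its table while the other still has headroom.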
For more information about routing-options and RIB maximum prefixes in routing instances, refer to the Protocol-Independent Routing Properties Feature Guide.