[Junos] When using L3VPN VRF instance-import will not allow to commit

Article ID: KB36976
KB Last Updated: 20 May 2021
Version: 1.0

Summary:

A configuration that contains the instance-import statement fails to commit when the instance-type is virtual routing and forwarding (VRF). This article clarifies that instance-import is not supported for VRF instances on Junos OS and describes the correct way to leak routes from a VRF instance to the main instance.

Symptoms:

When customers try to leak routes from a VRF into the global routing table by using instance-import, the configuration does not commit.

Example

root@MX-re0# show routing-instances
L3VPN-TEST {
    routing-options {
        instance-import ABC;
    }
    instance-type vrf;  >>>>> Not working on VRF instance type
    route-distinguisher 123:123;
}

[edit routing-instances L3VPN-TEST]
root@MX-re0# top show policy-options policy-statement ABC
term 1 {
    from {
        instance L3VPN-TEST;
        protocol direct;
    }
    then accept;
}
term 2 {
    then reject;
} 
[edit routing-instances L3VPN-TEST]
root@MX-re0# top show routing-options
static {
    route 192.168.1.0/24 reject;
}
route-distinguisher-id 200.0.0.1;
autonomous-system 64512;
instance-import ABC;  <<<<<<<<<<<<<<<

[edit routing-instances L3VPN-TEST]
root@MX-re0# commit confirmed
error: [edit routing-options instance-import]
policy references a vpn instance
error: configuration check-out failed

Cause:

The instance-import configuration stanza is not allowed when the instance-type is VRF. Similarly, instance-import into the primary routing table is not allowed if the instance being imported is a VRF. A VRF accepts only the rib-group or auto-export features; instance-import applies only to Virtual Router instances.
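A pre-commit lint for the two rules stated above, as an added example (not Juniper's code and not the Junos commit check itself). It assumes a curly-brace configuration dump without logical systems; the function names and the sample configuration, including VR-1, VR-2 and policy XYZ, are constructed for illustration.

```python
import re

# Constructed sample mirroring the article's failing configuration. VR-1, VR-2
# and policy XYZ are made-up names showing the virtual-router case.
SAMPLE = """
routing-instances {
    L3VPN-TEST { instance-type vrf; routing-options { instance-import ABC; } }
    VR-1 { instance-type virtual-router; routing-options { instance-import XYZ; } }
}
policy-options {
    policy-statement ABC { term 1 { from { instance L3VPN-TEST; protocol direct; } then accept; } }
    policy-statement XYZ { term 1 { from instance VR-2; then accept; } }
}
routing-options { instance-import ABC; }
"""

def statements(config):
    """Yield (hierarchy path, statement) for every ';'-terminated leaf."""
    path, words = [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", config):
        if tok == "{":
            path.append(" ".join(words))
        elif tok == "}" and path:
            path.pop()
        elif tok == ";":
            yield tuple(path), " ".join(words)
        words = [] if tok in ("{", "}", ";") else words + [tok]

def check_instance_import(config):
    """Return (instance, policy, reason) for each instance-import the article says fails."""
    stmts = list(statements(config))
    vrfs = {p[1] for p, s in stmts if len(p) == 2
            and p[0] == "routing-instances" and s == "instance-type vrf"}
    refs = {}  # policy name -> instances matched by "from instance"
    for p, s in stmts:
        m = re.fullmatch(r"(from )?instance (\S+)", s)
        in_policy = len(p) > 1 and p[1].startswith("policy-statement ")
        if m and in_policy and (m.group(1) or p[-1] == "from"):
            refs.setdefault(p[1].split()[1], set()).add(m.group(2))
    findings = []
    for p, s in stmts:
        if p[-1:] == ("routing-options",) and s.startswith("instance-import "):
            where = p[1] if p[0] == "routing-instances" else "master"
            for policy in re.findall(r"[\w.-]+", s.split(None, 1)[1]):
                if where in vrfs:
                    findings.append((where, policy, "instance-import under a VRF instance"))
                for inst in sorted(refs.get(policy, set()) & vrfs):
                    findings.append((where, policy, f"policy matches VRF instance {inst}"))
    return findings
```

Calling `check_instance_import(SAMPLE)` reports the VRF instance and the main instance from the failing example and leaves the virtual-router import alone.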

Solution:

For L3VPN, you must use RIB groups or auto-export as shown below. instance-import is allowed only for VR instances.

routing-options {
    rib-groups {
        inet-access {
            import-rib inet.0;
        }
    }
}

routing-instances {
    VPN-A {
        routing-options {
            auto-export {
                family inet {
                    unicast {
                        rib-group inet-access;
                    }
                }
            }
        }
    }
}

To leak L3VPN routes from VRF to the main instance, perform the following steps:

  1. Configure rib-group in the global routing-options.

  2. Define a policy statement to match only on the desired network segment.

  3. In the routing-instance, apply the rib-group and policy to protocol BGP.

One such example is given below:

Note: If your design requires that routes are learned only from a PE-CE BGP session, you will need to extend the BGP route installation to copy routes not only into vpna.inet.0, but also to inet.0.

[edit]
routing-options {
   rib-groups {
      test {
         import-rib [ vpna.inet.0 inet.0 ];
      }
   }
}

[edit]
routing-instances {
   vpna {
      instance-type vrf;
      interface xe-1/0/0.0;
      route-distinguisher 10.255.14.175:3;
      vrf-import vpna-import;
      vrf-export vpna-export;
      protocols {
         bgp {
            group vpna-site1 {
               family inet {
                  unicast {
                     rib-group test;
                  }
               }
               peer-as 1;
               neighbor 192.168.197.141;
            }
         }
      }
   }
}

If you applied the rib-group to [edit routing-instances vpna routing-options interface-routes], this would take any directly-connected interface routes in the vpna instance and send them into the rib-group.

interface-routes {
    rib-group inet test;
}

Remember that there are multiple ways to use rib-groups and what is given here is only one example.

For more information about the rib-groups functionality, see KB16133 - [Junos] What is the use of RIB groups and how are they used?
