Friday, April 20, 2018

multi-tenancy vpn support with amazon using juniper vrf/vr

Hi everyone - this is a continuation of my post on /r/juniper, but some things have changed, so I am starting a new one here.

I am trying to achieve multi-tenancy with Amazon VPNs. This usually means overlapping subnets between accounts (ex: two accounts can both have VPCs configured with 10.0.0.0/16, and I use 10.0.0.0/16 internally). It has been my understanding so far that ultimately I am going to have to NAT them to something that I can control, but my main issue right now is that I am trying to advertise routes on the VRF tunnels back to Amazon that I have received from my upstream SRX650.

Hopefully this graphic can shed some light: https://i.imgur.com/6UebBYo.png

My SRX650 is my main router. My SRX650 advertises routes to "APPNET" via BGP to my vSRX. I then use export policies for controlling which routes are advertised to which VRF and subsequently to which Amazon accounts; however, no matter what my export policy is, the routes are never re-advertised, even if I set an open accept. RIB groups and VRF export/import are new to me, and I have tried hard at understanding and doing it, but the docs assume a higher level of knowledge than I currently have. I also realize I could use OSPF for local advertisement as well, but I know BGP more, so I took the route I knew. I have tried routing-options instance-import MYNET-SVC-VR1, which didn't work; the error stated cannot set instance-import on VPN VRF.

Can anyone tldr some config for what I am trying to achieve? tldr: I need an easy way to re-advertise received routes on inet.0 back through a VRF. I know I need rib groups or vrf-import/export but can't seem to figure out the logistics of the configuration. Config below:

    routing-options {
        static {
            route 0.0.0.0/0 next-hop 172.31.255.243;
            route 192.168.1.0/24 {
                discard;
                install;
            }
        }
        auto-export;
    }
    policy-options {
        prefix-list mynet-amazon-test {
            0.0.0.0/0;
            192.168.1.0/24;
        }
        prefix-list CLIENT-AMZ-ACCT1-BGP-MYNETPREFIX {
            10.98.39.96/28;
            10.98.39.112/28;
        }
        policy-statement CLIENT-AMZ-ACCT1-BGP-EXPORT-POLICY {
            term 1 {
                from {
                    instance MYNET-SVC-VR1;
                    prefix-list CLIENT-AMZ-ACCT1-BGP-MYNETPREFIX;
                }
                then accept;
            }
        }
        policy-statement MYNET-SRX650-BGP-POLICY {
            term 1 {
                then accept;
            }
            term 2 {
                then reject;
            }
        }
        policy-statement mynet-amazon-bgp-policy {
            term 1 {
                inactive: from {
                    protocol static;
                    prefix-list mynet-amazon-test;
                }
                then accept;
            }
            inactive: term 2 {
                then reject;
            }
        }
    }
    routing-instances {
        CLIENT-AMZ-ACCT1-VR1 {
            instance-type vrf;
            interface st0.3;
            interface st0.4;
            route-distinguisher 1103:9999;
            vrf-target target:1103:9999;
            vrf-table-label;
            protocols {
                bgp {
                    group CLIENT-AMZ-ACCT1-EBG {
                        type external;
                        advertise-inactive;
                        neighbor 169.254.47.121 {
                            hold-time 30;
                            export CLIENT-AMZ-ACCT1-BGP-EXPORT-POLICY;
                            peer-as 7224;
                            local-as 65000;
                        }
                        neighbor 169.254.45.45 {
                            hold-time 30;
                            export CLIENT-AMZ-ACCT1-BGP-EXPORT-POLICY;
                            peer-as 7224;
                            local-as 65000;
                        }
                    }
                }
            }
        }
        MYNET-SVC-VR1 {
            instance-type virtual-router;
            interface reth1.0;
            routing-options {
                auto-export;
            }
            protocols {
                bgp {
                    group MYNET-SRX650-BGP {
                        neighbor 172.28.255.243 {
                            hold-time 30;
                            export MYNET-SRX650-BGP-POLICY;
                            peer-as 65001;
                            local-as 65000;
                        }
                    }
                }
            }
        }
        VR1 {
            instance-type vrf;
            inactive: interface reth0.0;
            interface st0.1;
            interface st0.2;
            route-distinguisher 7224:1000;
            vrf-target target:7224:1000;
            vrf-table-label;
            routing-options {
                static {
                    route 192.168.1.0/24 discard;
                    route 0.0.0.0/0 next-table inet.0;
                }
            }
            protocols {
                bgp {
                    group ebgp {
                        type external;
                        advertise-inactive;
                        neighbor 169.254.46.225 {
                            hold-time 30;
                            export mynet-amazon-bgp-policy;
                            peer-as 7224;
                            local-as 65000;
                        }
                        neighbor 169.254.44.153 {
                            hold-time 30;
                            export mynet-amazon-bgp-policy;
                            peer-as 7224;
                            local-as 65000;
                        }
                    }
                }
            }
        }
    }
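One way to get the SRX650-learned routes from the MYNET-SVC-VR1 virtual-router into the tenant VRF is a rib-group applied to the BGP session that learns them, with an import policy so only that tenant's approved prefixes are copied. This is an added example written against the instance, prefix-list and policy names in the config above; it is not the poster's config, and the rib-group name LEAK-SVC-TO-ACCT1 and policy name LEAK-SVC-TO-ACCT1-POLICY are assumptions introduced here.

```junos
/* Added example, not the poster's config; rib-group and LEAK-* policy names are assumed. */
routing-options {
    rib-groups {
        LEAK-SVC-TO-ACCT1 {
            /* First table is the primary where BGP learns the route; later ones get copies. */
            import-rib [ MYNET-SVC-VR1.inet.0 CLIENT-AMZ-ACCT1-VR1.inet.0 ];
            import-policy LEAK-SVC-TO-ACCT1-POLICY;
        }
    }
}
policy-options {
    policy-statement LEAK-SVC-TO-ACCT1-POLICY {
        /* Copy only the tenant's approved prefixes; "to rib" limits the reject to the VRF copy. */
        term allow-tenant {
            from prefix-list CLIENT-AMZ-ACCT1-BGP-MYNETPREFIX;
            to rib CLIENT-AMZ-ACCT1-VR1.inet.0;
            then accept;
        }
        term deny-rest {
            to rib CLIENT-AMZ-ACCT1-VR1.inet.0;
            then reject;
        }
    }
    /* Leaked copies keep protocol bgp, so match on that rather than "from instance". */
    policy-statement CLIENT-AMZ-ACCT1-BGP-EXPORT-POLICY {
        term 1 {
            from {
                protocol bgp;
                prefix-list CLIENT-AMZ-ACCT1-BGP-MYNETPREFIX;
            }
            then accept;
        }
        /* Explicit final reject so nothing else in the VRF table reaches the AWS side. */
        term 2 { then reject; }
    }
}
routing-instances {
    MYNET-SVC-VR1 {
        protocols {
            bgp {
                group MYNET-SRX650-BGP {
                    /* Apply the rib-group where the SRX650 routes are learned. */
                    family inet { unicast { rib-group LEAK-SVC-TO-ACCT1; } }
                }
            }
        }
    }
}
```

After committing, check with "show route table CLIENT-AMZ-ACCT1-VR1.inet.0 protocol bgp" that the leaked prefixes appear, and "show route advertising-protocol bgp 169.254.47.121" that they are sent. Return traffic from the SRX650 side still needs the Amazon-learned routes leaked the other way with a second rib-group, and overlapping tenant subnets still need the NAT the post already mentions.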

