Related Documentation
- ACX, M, MX, T Series
- Example: Configuring Proxy BGP Route Target Filtering
- ACX, M, MX, PTX, T Series
- Configuring BGP Route Target Filtering for VPNs
Example: Configuring an Export Policy for BGP Route Target Filtering
This example shows how to configure an export routing policy for BGP route target filtering (also known as route target constrain, or RTC).
Requirements
This example uses the following hardware and software components:
- Four Juniper Networks devices that support BGP route target filtering.
- Junos OS Release 12.2 or later on one or more devices configured for proxy BGP route filtering. In this example, you explicitly configure proxy BGP route filtering on the route reflectors.
Before configuring an export policy for BGP route target filtering, make sure that you are familiar with and understand the following concepts:
- Layer 2 VPNs
- Layer 3 VPNs
- Route distinguishers
- Route targets
- BGP route target filtering
- BGP extended communities
Overview
BGP route target filtering allows you to reduce network resource consumption by distributing route target membership (RT membership) advertisements throughout the network. BGP uses the RT membership information to send VPN routes only to the devices that need them in the network. Similar to other types of BGP reachability, you can apply a routing policy to route target filtering routes to influence the network. When route target filtering is configured, restricting the flow of route target filtering routes also restricts the VPN routes that might be attracted by this RT membership. Configuring this policy involves:
- Creating a filter that defines the list of route target prefixes.
- Creating a policy to select a subset of the route target filters to use for BGP route target filtering.
To define the list of route target prefixes:
- You configure the rtf-prefix-list statement at the [edit policy-options] hierarchy level to specify the name of the route target prefix list and one or more route target prefixes to use. This configuration allows you to specify the incoming route target filtering routes that the device will use and then distribute them throughout the network.
To configure the routing policy and apply the route target prefix list to that policy, you can specify the following policy options:
- family route-target—(Optional) The route-target family match condition specifies matching BGP route target filtering routes. You define this criteria in the from statement. This example shows how to create an export policy using the family route-target match condition.
- protocol route-target—(Optional) The route-target
protocol match condition defines the criteria that an incoming route
must match. You define this criteria in the from statement.
This statement is primarily useful for restricting the policy to locally
generated route target filtering routes.
Note: When you use the show route table bgp.rtarget.0 command to view proxy BGP route target filtering routes, you will see the BGP protocol for received routes and the route target protocol routes for local route target filtering routes.
- rtf-prefix-list name—The rtf-prefix-list statement applies the list of route target prefixes that you already configured to the policy. You define this criteria in the from statement.
Topology Diagram
Figure 1 shows the topology used in this example.
Figure 1: BGP Route Target Filtering Export Policy Topology

In this example, BGP route target filtering is configured on the route reflectors (Device RR1 and Device RR2) and provider edge (PE) Device PE2. The other PE, Device PE1, does not support BGP route target filtering. Proxy BGP route target filtering is also configured on the peering sessions between the route reflectors and Device PE1 to minimize the number of VPN route updates processed by Device PE1. Device PE2 has four VPNs configured (vpn1, vpn2, vpn3, and vpn4), and Device PE1 has two VPNs configured (vpn1 and vpn2). In the sample topology, all devices participate in autonomous system (AS) 200, OSPF is the configured interior gateway protocol (IGP), and LDP is the signaling protocol used by the VPNs. In this example, we use static routes in the VPN routing and forwarding (VRF) instances to generate VPN routes. This is done in place of using a PE to customer edge (CE) protocol such as OSPF or BGP.
In this example, you further control the routes being advertised from Device PE2 to Device PE1 by configuring an export policy on Device PE2 to prevent vpn3 routes from being advertised to Device RR1. You create a policy that specifies the family route-target match condition, defines the list of route target prefixes, and applies the list of route target prefixes by defining the rtf-prefix-list criteria.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Device PE1
Device RR1
Device RR2
Device PE2
Configuring Device PE1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure Device PE1:
- Configure the interfaces.[edit interfaces]user@PE1# set ge-1/0/0 unit 0 description PE1-to-RR1user@PE1# set ge-1/0/0 unit 0 family inet address 10.49.0.1/30user@PE1# set ge-1/0/0 unit 0 family mplsuser@PE1#set ge-1/0/1 unit 0 description PE1-to-RR2user@PE1#set ge-1/0/1 unit 0 family inet address 10.49.10.1/30user@PE1# set ge-1/0/1 unit 0 family mpls
- Configure the route distinguisher and the AS number.[edit routing-options]user@PE1# set route-distinguisher-id 10.255.163.58user@PE1# set autonomous-system 200
- Configure LDP as the signaling protocol used by the VPN. [edit protocols ldp]user@PE1# set interface ge-1/0/0user@PE1# set interface ge-1/0/1
- Configure BGP.[edit protocols bgp group internal]user@PE1# set type internaluser@PE1# set local-address 10.255.163.58user@PE1# set neighbor 10.255.165.220 family inet-vpn unicastuser@PE1# set neighbor 10.255.165.28 family inet-vpn unicast
- Configure OSPF.[edit protocols ospf area 0.0.0.0]user@PE1# set interface ge-1/0/0user@PE1# set interface ge-1/0/1user@PE1# set interface lo0.0 passive
- Configure the VPN routing instances. [edit routing-instances vpn1]user@PE1# set instance-type vrfuser@PE1# set vrf-target target:200:100user@PE1# set routing-options static route 223.1.1.2/32 discard[edit routing-instances vpn2]user@PE1# set instance-type vrfuser@PE1# set vrf-target target:200:101user@PE1# set routing-options static route 223.2.2.2/32 discard
- If you are done configuring the device, commit the configuration.[edit]user@PE1# commit
Results
From configuration mode, confirm your configuration by entering the show interfaces, show protocols, show routing-options, and show routing-instances commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
Configuring Device RR1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure Device RR1:
- Configure the interfaces.[edit interfaces]user@RR1# set ge-1/0/0 unit 0 description RR1-to-PE1user@RR1# set ge-1/0/0 unit 0 family inet address 10.49.0.2/30user@RR1# set ge-1/0/0 unit 0 family mplsuser@RR1# set ge-1/0/1 unit 0 description RR1-to-PE2user@RR1# set ge-1/0/1 unit 0 family inet address 10.50.0.2/30user@RR1# set ge-1/0/1 unit 0 family mpls
- Configure the route distinguisher and the AS number.[edit routing-options]user@RR1# set route-distinguisher-id 10.255.165.220user@RR1# set autonomous-system 200
- Configure LDP as the signaling protocol used by the VPN. [edit protocols ldp]user@RR1# set interface ge-1/0/0user@RR1# set interface ge-1/0/1
- Configure BGP.[edit protocols bgp group internal]user@RR1# set type internaluser@RR1# set local-address 10.255.165.220user@RR1# set cluster 1.1.1.1user@RR1# set neighbor 10.255.163.58 description vpn1-to-pe1 family inet-vpn unicastuser@RR1# set neighbor 10.255.168.42 description vpn1-to-pe2 family inet-vpn unicast
- Configure BGP route target filtering on the peering session
with Device PE2.[edit protocols bgp group internal]user@RR1# set neighbor 10.255.168.42 family route-target
- Configure proxy BGP route target filtering on the peering
session with Device PE1.[edit protocols bgp group internal]user@RR1# set neighbor 10.255.163.58 family route-target proxy-generate
- Configure OSPF.[edit protocols ospf area 0.0.0.0]user@RR1# set interface ge-1/0/0user@RR1# set interface ge-1/0/1user@RR1# set interface lo0.0 passive
- If you are done configuring the device, commit the configuration.[edit]user@RR1# commit
Results
From configuration mode, confirm your configuration by entering the show interfaces, show protocols, and show routing-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
Configuring Device RR2
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure Device RR2:
- Configure the interfaces.[edit interfaces]user@RR2# set ge-1/0/0 unit 0 description RR2-to-PE1user@RR2# set ge-1/0/0 unit 0 family inet address 10.49.10.2/30user@RR2# set ge-1/0/0 unit 0 family mplsuser@RR2# set ge-1/0/1 unit 0 description RR2-to-PE2user@RR2# set ge-1/0/1 unit 0 family inet address 10.50.10.2/30user@RR2# set ge-1/0/1 unit 0 family mpls
- Configure the route distinguisher and the AS number.[edit routing-options]user@RR2# set route-distinguisher-id 10.255.165.28user@RR2# set autonomous-system 200
- Configure LDP as the signaling protocol used by the VPN. [edit protocols ldp]user@RR2# set interface ge-1/0/0user@RR2# set interface ge-1/0/1
- Configure BGP.[edit protocols bgp group internal]user@RR2# set type internaluser@RR2# set local-address 10.255.165.28user@RR2# set cluster 1.1.1.1user@RR2# set neighbor 10.255.163.58 description vpn2-to-pe1 family inet-vpn unicastuser@RR2# set neighbor 10.255.168.42 description vpn2-to-pe2 family inet-vpn unicast
- Configure BGP route target filtering on the peering session
with Device PE2.[edit protocols bgp group internal]user@RR2# set neighbor 10.255.168.42 family route-target
- Configure proxy BGP route target filtering on the peering
session with Device PE1.[edit protocols bgp group internal]user@RR2# set neighbor 10.255.163.58 family route-target proxy-generate
- Configure OSPF.[edit protocols ospf area 0.0.0.0]user@RR2# set interface ge-1/0/0user@RR2# set interface ge-1/0/1user@RR2# set interface lo0.0 passive
- If you are done configuring the device, commit the configuration.[edit]user@RR2# commit
Results
From configuration mode, confirm your configuration by entering the show interfaces, show protocols, and show routing-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
Configuring Device PE2
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure Device PE2:
- Configure the interfaces.[edit interfaces]user@PE2# set ge-1/0/0 unit 0 description PE2-to-RR1user@PE2# set ge-1/0/0 unit 0 family inet address 10.50.0.1/30user@PE2# set ge-1/0/0 unit 0 family mplsuser@PE2#set ge-1/0/1 unit 0 description PE2-to-RR2user@PE2#set ge-1/0/1 unit 0 family inet address 10.50.10.2/30user@PE2# set ge-1/0/1 unit 0 family mpls
- Configure the route distinguisher and the AS number.[edit routing-options]user@PE2# set route-distinguisher-id 10.255.168.42user@PE2# set autonomous-system 200
- Configure LDP as the signaling protocol used by the VPN. [edit protocols ldp]user@PE2# set interface ge-1/0/0user@PE2# set interface ge-1/0/1
- Configure BGP.[edit protocols bgp group internal]user@PE2# set type internaluser@PE2# set local-address 10.255.168.42user@PE2# set family inet-vpn unicastuser@PE2# set family route-targetuser@PE2# set neighbor 10.255.165.220user@PE2# set neighbor 10.255.165.28
- Configure OSPF.[edit protocols ospf area 0.0.0.0]user@PE2# set interface ge-1/0/0user@PE2# set interface ge-1/0/1user@PE2# set interface lo0.0 passive
- Configure the VPN routing instances. [edit routing-instances vpn1]user@PE2# set instance-type vrfuser@PE2# set vrf-target target:200:100user@PE2# set routing-options static route 223.1.1.2/32 discard[edit routing-instances vpn2]user@PE2# set instance-type vrfuser@PE2# set vrf-target target:200:101user@PE2# set routing-options static route 223.2.2.2/32 discard[edit routing-instances vpn3]user@PE2# set instance-type vrfuser@PE2# set vrf-target target:200:103user@PE2# set routing-options static route 223.3.3.3/32 discard[edit routing-instances vpn4]user@PE2# set instance-type vrfuser@PE2# set vrf-target target:200:104user@PE2# set routing-options static route 223.4.4.4/32 discard
- Configure and apply the export routing policy.[edit policy-options]user@PE2# set rtf-prefix-list exclude-103 200:200:103/96[edit policy-options policy-statement filter-rtc]user@PE2# set from family route-targetuser@PE2# set from rtf-prefix-list exclude-103user@PE2# set then reject[edit protocols bgp group internal]user@PE2# set neighbor 10.255.165.220 export filter-rtc
- If you are done configuring the device, commit the configuration.[edit]user@PE2# commit
Results
From configuration mode, confirm your configuration by entering the show interfaces, show protocols, show policy-options, show routing-options, and show routing-instances commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
Verification
Confirm that the configuration is working properly.
- Verifying the Route Target Filtering Routes in the bgp.rtarget.0 Routing Table for Device RR1
- Verifying the Route Target Filtering Routes in the bgp.rtarget.0 Routing Table for Device RR2
Verifying the Route Target Filtering Routes in the bgp.rtarget.0 Routing Table for Device RR1
Purpose
Verify that the route prefix for vpn3 is not in Device RR1’s bgp.rtarget.0 table. Since an export policy on Device PE2 was applied to prevent the advertisement of vpn3 routes to Device RR1, Device RR1 should not receive those advertisements.
Action
From operational mode, enter the show route advertising-protocol bgp 10.255.165.220 table bgp.rtarget.0 command.
user@PE2# show route advertising-protocol bgp 10.255.165.220 table bgp.rtarget.0
bgp.rtarget.0: 4 destinations, 11 routes (4 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path 200:200:100/96 * Self 100 I 200:200:101/96 * Self 100 I 200:200:104/96 * Self 100 I
Meaning
The bgp.rtartget.0 table does not display 200:200:103/96, which is the route prefix for vpn3. That means the export policy was applied correctly.
Verifying the Route Target Filtering Routes in the bgp.rtarget.0 Routing Table for Device RR2
Purpose
Verify that the route prefix for vpn3 is in Device RR2’s bgp.rtarget.0 table. Since an export policy was not applied on Device PE2 to prevent the advertisement of vpn3 routes to Device RR2, Device RR2 should receive advertisements from all of the VPNs.
Action
From operational mode, enter the show route advertising-protocol bgp 10.255.165.28 table bgp.rtarget.0 command.
user@PE2# show route advertising-protocol bgp 10.255.165.28 table bgp.rtarget.0
bgp.rtarget.0: 4 destinations, 11 routes (4 active, 0 holddown, 0 hidden) (4 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path 200:200:100/96 * Self 100 I 200:200:101/96 * Self 100 I 200:200:103/96 * Self 100 I 200:200:104/96 * Self 100 I
Meaning
The bgp.rtartget.0 table displays the route prefixes for all of the VPNs.
Related Documentation
- ACX, M, MX, T Series
- Example: Configuring Proxy BGP Route Target Filtering
- ACX, M, MX, PTX, T Series
- Configuring BGP Route Target Filtering for VPNs
Published: 2012-11-29
Related Documentation
- ACX, M, MX, T Series
- Example: Configuring Proxy BGP Route Target Filtering
- ACX, M, MX, PTX, T Series
- Configuring BGP Route Target Filtering for VPNs