Community List Import Vrf

Scenario to validate BGP route filtering using community-lists combined with VRF route leaking. Verifies that routes advertised with specific BGP communities can be selectively imported into different VRFs using community-list matching in route-maps. Also tests dynamic reconfiguration of route-maps and community stripping to control route propagation.

Test BGP with community-list and import VRF

Description

Test to check BGP with community-list and import routes from another VRF

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.200.100/24
set protocols bgp 20 neighbor peer1 remote-address 10.215.200.101
set protocols bgp 20 neighbor peer1 remote-as 20
set protocols bgp 20 neighbor peer2 remote-address 10.215.200.102
set protocols bgp 20 neighbor peer2 remote-as 20
set protocols community-list standard 1 rule 1 action permit
set protocols community-list standard 1 rule 1 value '10:11'
set protocols community-list standard 2 rule 1 action permit
set protocols community-list standard 2 rule 1 value '10:22'
set protocols route-map RM1 rule 1 action permit
set protocols route-map RM1 rule 1 match community list 1
set protocols route-map RM2 rule 1 action permit
set protocols route-map RM2 rule 1 match community list 2
set protocols vrf VRF1 bgp 20 import route-map RM1
set protocols vrf VRF1 bgp 20 import vrf main
set protocols vrf VRF2 bgp 20 import route-map RM2
set protocols vrf VRF2 bgp 20 import vrf main
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf VRF1
set system vrf VRF2
set system vrf main

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.200.101/24
set protocols bgp 20 neighbor peer remote-address 10.215.200.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute static route-map RM
set protocols route-map RM rule 1 action permit
set protocols route-map RM rule 1 set community value '10:11'
set protocols static route 1.1.1.0/24 next-hop 10.215.200.51
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth0 address 10.215.200.102/24
set protocols bgp 20 neighbor peer remote-address 10.215.200.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute static route-map RM
set protocols route-map RM rule 1 action permit
set protocols route-map RM rule 1 set community value '10:22'
set protocols static route 2.2.2.0/24 next-hop 10.215.200.52
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command protocols ip show route at DUT0 and check if output matches the following regular expressions:

B>.*1\.1\.1\.0\/24.*via 10.215.200\.51, eth0.*
B>.*2\.2\.2\.0\/24.*via 10.215.200\.52, eth0.*
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF default:
B>* 1.1.1.0/24 [200/0] via 10.215.200.51, eth0, weight 1, 00:00:03
B>* 2.2.2.0/24 [200/0] via 10.215.200.52, eth0, weight 1, 00:00:01
C>* 10.215.200.0/24 is directly connected, eth0, weight 1, 00:00:06
K * 10.215.200.0/24 [0/0] is directly connected, eth0, weight 1, 00:00:06
L>* 10.215.200.100/32 is directly connected, eth0, weight 1, 00:00:06

Step 5: Run command protocols vrf VRF1 ip show route at DUT0 and check if output matches the following regular expressions:

B>.*1\.1\.1\.0\/24.*via 10.215.200\.51, eth0.*
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF VRF1:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:06
B>* 1.1.1.0/24 [200/0] via 10.215.200.51, eth0 (vrf default), weight 1, 00:00:03
K>* 127.0.0.0/8 [0/0] is directly connected, VRF1, weight 1, 00:00:06

Step 6: Run command protocols vrf VRF2 ip show route at DUT0 and check if output matches the following regular expressions:

B>.*2\.2\.2\.0\/24.*via 10.215.200\.52, eth0.*
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF VRF2:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:06
B>* 2.2.2.0/24 [200/0] via 10.215.200.52, eth0 (vrf default), weight 1, 00:00:01
K>* 127.0.0.0/8 [0/0] is directly connected, VRF2, weight 1, 00:00:06

Step 7: Run command protocols vrf VRF1 ip show route at DUT0 and check if output does not match the following regular expressions:

B>.*2\.2\.2\.0\/24.*via 10.215.200\.52, eth0.*
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF VRF1:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:06
B>* 1.1.1.0/24 [200/0] via 10.215.200.51, eth0 (vrf default), weight 1, 00:00:03
K>* 127.0.0.0/8 [0/0] is directly connected, VRF1, weight 1, 00:00:06

Step 8: Run command protocols vrf VRF2 ip show route at DUT0 and check if output does not match the following regular expressions:

B>.*1\.1\.1\.0\/24.*via 10.215.200\.51, eth0.*
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF VRF2:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:06
B>* 2.2.2.0/24 [200/0] via 10.215.200.52, eth0 (vrf default), weight 1, 00:00:01
K>* 127.0.0.0/8 [0/0] is directly connected, VRF2, weight 1, 00:00:06
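
Steps 5 to 8 each test a single prefix with a regular expression, so a route leaked under any other prefix would go unnoticed. The following added example (not part of the original test suite; function names are hypothetical) parses the `show route` output of one VRF and compares the full set of selected BGP prefixes against an allowlist. The first sample is copied from Step 5; the second is constructed to show a failure.

```python
import re

# Patterns for the "show route" format shown in the steps above.
VRF_HEADER = re.compile(r"^IPv4 unicast VRF (?P<vrf>\S+):$")
BGP_LINE = re.compile(
    r"^B>\*?\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+\[\d+/\d+\]\s+"
    r"via\s+(?P<nexthop>[\d.]+),\s+(?P<ifname>\S+?)(?:\s+\(vrf (?P<src_vrf>\S+)\))?,"
)

def bgp_routes(show_route_output):
    """Return (vrf_name, {prefix: source_vrf}) for selected BGP routes."""
    vrf, routes = None, {}
    for line in show_route_output.splitlines():
        line = line.strip()
        header = VRF_HEADER.match(line)
        if header:
            vrf = header.group("vrf")
            continue
        m = BGP_LINE.match(line)
        if m:
            # Leaked routes carry "(vrf <source>)"; local ones belong to this VRF.
            routes[m.group("prefix")] = m.group("src_vrf") or vrf
    return vrf, routes

def leak_violations(show_route_output, allowed):
    """Return (unexpected, missing) BGP prefixes relative to the allowlist."""
    _, routes = bgp_routes(show_route_output)
    unexpected = sorted(set(routes) - set(allowed))
    missing = sorted(set(allowed) - set(routes))
    return unexpected, missing

# Output copied from Step 5 (legend omitted).
VRF1_OUTPUT = """\
IPv4 unicast VRF VRF1:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:06
B>* 1.1.1.0/24 [200/0] via 10.215.200.51, eth0 (vrf default), weight 1, 00:00:03
K>* 127.0.0.0/8 [0/0] is directly connected, VRF1, weight 1, 00:00:06
"""
# Constructed failure case: the 10:22 route wrongly imported into VRF1.
VRF1_LEAKY = VRF1_OUTPUT + (
    "B>* 2.2.2.0/24 [200/0] via 10.215.200.52, eth0 (vrf default), weight 1, 00:00:01\n"
)

if __name__ == "__main__":
    print(leak_violations(VRF1_OUTPUT, {"1.1.1.0/24"}))
    print(leak_violations(VRF1_LEAKY, {"1.1.1.0/24"}))
```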

Dynamic reconfiguration of route-maps with route leaking between VRFs

Description

Test to check that routes are leaked properly after reconfiguring a route-map. The community of routes received from one peer is removed, so routes won’t be imported to another VRF.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.200.100/24
set protocols bgp 20 neighbor peer1 remote-address 10.215.200.101
set protocols bgp 20 neighbor peer1 remote-as 20
set protocols bgp 20 neighbor peer2 remote-address 10.215.200.102
set protocols bgp 20 neighbor peer2 remote-as 20
set protocols community-list standard 1 rule 1 action permit
set protocols community-list standard 1 rule 1 value '10:11'
set protocols community-list standard 2 rule 1 action permit
set protocols community-list standard 2 rule 1 value '10:22'
set protocols route-map RM1 rule 1 action permit
set protocols route-map RM1 rule 1 match community list 1
set protocols route-map RM2 rule 1 action permit
set protocols route-map RM2 rule 1 match community list 2
set protocols vrf VRF1 bgp 20 import route-map RM1
set protocols vrf VRF1 bgp 20 import vrf main
set protocols vrf VRF2 bgp 20 import route-map RM2
set protocols vrf VRF2 bgp 20 import vrf main
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf VRF1
set system vrf VRF2
set system vrf main

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.200.101/24
set protocols bgp 20 neighbor peer remote-address 10.215.200.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute static route-map RM
set protocols route-map RM rule 1 action permit
set protocols route-map RM rule 1 set community value '10:11'
set protocols static route 1.1.1.0/24 next-hop 10.215.200.51
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth0 address 10.215.200.102/24
set protocols bgp 20 neighbor peer remote-address 10.215.200.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute static route-map RM
set protocols route-map RM rule 1 action permit
set protocols route-map RM rule 1 set community value '10:22'
set protocols static route 2.2.2.0/24 next-hop 10.215.200.52
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command protocols ip show route at DUT0 and check if output matches the following regular expressions:

B>.*1\.1\.1\.0\/24.*via 10.215.200\.51, eth0.*
B>.*2\.2\.2\.0\/24.*via 10.215.200\.52, eth0.*
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF default:
B>* 1.1.1.0/24 [200/0] via 10.215.200.51, eth0, weight 1, 00:00:02
B>* 2.2.2.0/24 [200/0] via 10.215.200.52, eth0, weight 1, 00:00:01
C>* 10.215.200.0/24 is directly connected, eth0, weight 1, 00:00:05
K * 10.215.200.0/24 [0/0] is directly connected, eth0, weight 1, 00:00:05
L>* 10.215.200.100/32 is directly connected, eth0, weight 1, 00:00:05

Step 5: Run command protocols vrf VRF1 ip show route at DUT0 and check if output matches the following regular expressions:

B>.*1\.1\.1\.0\/24.*via 10.215.200\.51, eth0.*
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF VRF1:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:06
B>* 1.1.1.0/24 [200/0] via 10.215.200.51, eth0 (vrf default), weight 1, 00:00:03
K>* 127.0.0.0/8 [0/0] is directly connected, VRF1, weight 1, 00:00:06

Step 6: Run command protocols vrf VRF2 ip show route at DUT0 and check if output matches the following regular expressions:

B>.*2\.2\.2\.0\/24.*via 10.215.200\.52, eth0.*
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF VRF2:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:06
B>* 2.2.2.0/24 [200/0] via 10.215.200.52, eth0 (vrf default), weight 1, 00:00:02
K>* 127.0.0.0/8 [0/0] is directly connected, VRF2, weight 1, 00:00:06

Step 7: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.200.100/24
set protocols bgp 20 neighbor peer1 remote-address 10.215.200.101
set protocols bgp 20 neighbor peer1 remote-as 20
set protocols bgp 20 neighbor peer1 route-map import IMPORT
set protocols bgp 20 neighbor peer2 remote-address 10.215.200.102
set protocols bgp 20 neighbor peer2 remote-as 20
set protocols community-list standard 1 rule 1 action permit
set protocols community-list standard 1 rule 1 value '10:11'
set protocols community-list standard 2 rule 1 action permit
set protocols community-list standard 2 rule 1 value '10:22'
set protocols route-map IMPORT rule 1 action permit
set protocols route-map IMPORT rule 1 set comm-list 1 delete
set protocols route-map RM1 rule 1 action permit
set protocols route-map RM1 rule 1 match community list 1
set protocols route-map RM2 rule 1 action permit
set protocols route-map RM2 rule 1 match community list 2
set protocols vrf VRF1 bgp 20 import route-map RM1
set protocols vrf VRF1 bgp 20 import vrf main
set protocols vrf VRF2 bgp 20 import route-map RM2
set protocols vrf VRF2 bgp 20 import vrf main
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf VRF1
set system vrf VRF2
set system vrf main

Step 8: Run command protocols ip show route at DUT0 and check if output matches the following regular expressions:

B>.*1\.1\.1\.0\/24.*via 10.215.200\.51, eth0.*
B>.*2\.2\.2\.0\/24.*via 10.215.200\.52, eth0.*
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF default:
B>* 1.1.1.0/24 [200/0] via 10.215.200.51, eth0, weight 1, 00:00:00
B>* 2.2.2.0/24 [200/0] via 10.215.200.52, eth0, weight 1, 00:00:03
C>* 10.215.200.0/24 is directly connected, eth0, weight 1, 00:00:07
K * 10.215.200.0/24 [0/0] is directly connected, eth0, weight 1, 00:00:07
L>* 10.215.200.100/32 is directly connected, eth0, weight 1, 00:00:07

Step 9: Run command protocols vrf VRF1 ip show route at DUT0 and check if output does not match the following regular expressions:

B>.*1\.1\.1\.0\/24.*via 10.215.200\.51, eth0.*
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF VRF1:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:07
K>* 127.0.0.0/8 [0/0] is directly connected, VRF1, weight 1, 00:00:07

Step 10: Run command protocols vrf VRF2 ip show route at DUT0 and check if output matches the following regular expressions:

B>.*2\.2\.2\.0\/24.*via 10.215.200\.52, eth0.*
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF VRF2:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:07
B>* 2.2.2.0/24 [200/0] via 10.215.200.52, eth0 (vrf default), weight 1, 00:00:01
K>* 127.0.0.0/8 [0/0] is directly connected, VRF2, weight 1, 00:00:07
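
Steps 8 to 10 show 1.1.1.0/24 still present in the main table but gone from VRF1. The added example below (a simplified model written for this page, not the router's implementation) reproduces that result by applying the neighbor inbound route-map before the VRF import route-maps. It assumes one permit rule per route-map followed by an implicit deny, and the dictionary and function names are hypothetical.

```python
# Simplified model of DUT0's policy as configured in Steps 1 and 7.
COMMUNITY_LISTS = {"1": {"10:11"}, "2": {"10:22"}}
VRF_IMPORT_MAPS = {"VRF1": "1", "VRF2": "2"}  # RM1 matches list 1, RM2 matches list 2

# Routes as advertised by DUT1 (peer1) and DUT2 (peer2).
ADVERTISED = [
    {"prefix": "1.1.1.0/24", "peer": "peer1", "communities": {"10:11"}},
    {"prefix": "2.2.2.0/24", "peer": "peer2", "communities": {"10:22"}},
]

def apply_inbound(route, neighbor_policy):
    """Neighbor inbound route-map: 'set comm-list N delete' strips matching communities."""
    strip_list = neighbor_policy.get(route["peer"])
    stripped = COMMUNITY_LISTS[strip_list] if strip_list else set()
    return {**route, "communities": route["communities"] - stripped}

def route_tables(neighbor_policy):
    """Return {table: sorted prefixes} for main and for each importing VRF."""
    # Inbound policy runs first, so main stores the already-stripped routes.
    main = [apply_inbound(r, neighbor_policy) for r in ADVERTISED]
    tables = {"main": sorted(r["prefix"] for r in main)}
    for vrf, clist in VRF_IMPORT_MAPS.items():
        wanted = COMMUNITY_LISTS[clist]
        # 'match community list N' permits a route that carries the listed
        # community; everything else falls through to the implicit deny.
        tables[vrf] = sorted(r["prefix"] for r in main if wanted <= r["communities"])
    return tables

BEFORE = route_tables({})              # Steps 1-6: no inbound route-map on peer1
AFTER = route_tables({"peer1": "1"})   # Step 7: IMPORT deletes comm-list 1 on peer1

if __name__ == "__main__":
    print("before:", BEFORE)
    print("after: ", AFTER)
```

Because the community is removed before the route is stored in main, the route stays reachable there while RM1 no longer has anything to match, which is the isolation property Step 9 verifies.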