本指南介绍如何使用MX作为网关(gateway),为Tungsten Fabric(编者按:原文为Contrail,其开源版已更名为Tungsten Fabric,本文出现Contrail之处均以Tungsten Fabric替换)管理的overlay层提供external或underlay连接。
根据性能要求,网关可以连接到主干(spine)或叶子(leaf)。
在典型的IP结构中,所有叶子(leaves)、主干(spines)和网关(gateways)都使用eBGP来建立underlay连接。
对于iBGP,建议使用RR(路由反射器)以避免所有BGP节点之间的完全网状对等连接。
在每个MX上都会分配并派发环回地址(loopback address)。它用于控制节点的BGP对等,以及vRouter的隧道(tunneling)。Tungsten Fabric和环回地址之间的连接由underlay提供。
如果将单独的接口用于控制平面和数据平面,则当MX通告路由时,控制接口的地址将用作下一跳。要解决此问题,应将环回接口同时用于控制平面和数据平面。
set interfaces lo0 unit 0 family inet address 10.6.0.31/32
通常,网关具有一个全局唯一ASN。
set routing-options autonomous-system 64031
当Tungsten Fabric和网关位于不同的AS中时,将使用eBGP。
set protocols bgp group -contrail type external
set protocols bgp group -contrail multihop
set protocols bgp group -contrail local-address 10.6.0.31
set protocols bgp group -contrail keep all
set protocols bgp group -contrail family inet- unicast
set protocols bgp group -contrail family e signaling
set protocols bgp group -contrail family route-target
set protocols bgp group -contrail neighbor 10.6.11.1 peer-as 64512
当Tungsten Fabric和网关位于同一AS中时,将使用iBGP。
set protocols bgp group -contrail type internal
set protocols bgp group -contrail local-address 10.6.0.31
set protocols bgp group -contrail keep all
set protocols bgp group -contrail family inet- unicast
set protocols bgp group -contrail family e signaling
set protocols bgp group -contrail family route-target
set protocols bgp group -contrail neighbor 10.6.11.1
当网关全局ASN与Tungsten Fabric ASN不同时,可以使用local-as来启用iBGP。
set protocols bgp group -contrail type internal
set protocols bgp group -contrail local-address 10.6.0.31
set protocols bgp group -contrail local-as 64512
set protocols bgp group -contrail keep all
set protocols bgp group -contrail family inet- unicast
set protocols bgp group -contrail family e signaling
set protocols bgp group -contrail family route-target
set protocols bgp group -contrail neighbor 10.6.11.1 peer-as 64512
set protocols bgp group -contrail family inet- unicast
set protocols bgp group -contrail family e signaling
set protocols bgp group -contrail family route-target
Family“route-target”是用于优化的。在MX上进行配置时,如果存在VRF导入策略,MX将会发布route-target路由。在将VPN-IPv4路由发布给邻居之前,MX还会检查route-target路由表。如果该路由中的route-target未被邻居通告,则MX不会通告该路由。
如果控制平面和数据平面上的接口是分开的,则MX从Tungsten Fabric控制节点接收route-target路由。RT路由的下一跳是控制节点地址(在控制平面上)。MX会尝试解决数据平面上MPLS表(inet.3)中的下一跳,但是会失败。这样,RT路由不会生效,而会被隐藏。结果是MX没有发布路由。为了解决这个问题,可以在inet.3中添加静态路由,以使下一跳的控制接口可以被解析。然后,MX应用RT路由并发布路由。Tungsten Fabric没有此类问题,因为它不会尝试解析下一跳。
Tunnel service是必须要启用的。这里有一个示例。
set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
对于L3VPN,在BGP收到INET-VPN路由并将其放在表bgp.l3.0中之后,它将为该路由寻找MPLS路径。BGP尝试解析表inet.3中的路由。如果成功,将创建GRE隧道并在inet.3中添加MPLS路由。否则,该路由将会被隐藏在bgp.l3.0中。
在启用隧道后,destination-networks的路由将被添加到inet.3中。这里是一个示例。
set routing-options dynamic-tunnels contrail source-address 10.6.0.31set routing-options dynamic-tunnels contrail greset routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24
source-address is the loopback address.
这是表inet.3中GRE隧道路由的示例。
10.6.11.4/32 (1 entry, 1 announced)
*Tunnel Preference: 300
Next hop type: Router, Next hop index: 0
Address: 0xd7a9210
Next-hop reference count: 3
Next hop: via gr-0/0/0.32769, selected
Session Id: 0x0
State:
Local AS: 64031
Age: 10
Validation State: unverified
Task: DYN_TUNNEL
Announcement bits (2): 0-Resolve tree 1 1-Resolve_IGP_FRR task
AS path: I
这是动态隧道数据库。
> show dynamic-tunnels database
*- Signal Tunnels #- PFE-down
Table: inet.3
Destination-network: 10.6.11.0/24
Tunnel to: 10.6.11.1/32 State: Up (expires in 00:06:58 seconds)
Reference count: 0
Next-hop type: gre
Source address: 10.6.0.31
Next hop: gr-0/0/10.32769
State: Up
Tunnel to: 10.6.11.7/32 State: Up
Reference count: 2
Next-hop type: gre
Source address: 10.6.0.31
Next hop: gr-0/0/10.32770
State: Up
UDP隧道更适合于负载均衡。
set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail udp
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24
这是表inet.3中UDP隧道路由的示例。
10.6.11.4/32 (1 entry, 1 announced)
*Tunnel Preference: 300
Next hop type: Tunnel Composite, Next hop index: 0
Address: 0xd7a87f0
Next-hop reference count: 2
Tunnel type: UDP, Reference count: 5, nhid: 0
Destination address: 10.6.11.4, Source address: 10.6.0.31
State:
Local AS: 64031
Age: 24:46
Validation State: unverified
Task: DYN_TUNNEL
Announcement bits (2): 0-Resolve tree 1 1-Resolve_IGP_FRR task
AS path: I
当路由从VRF导出到Tungsten Fabric时,需要添加策略(policy)来附加到封装属性(community)。
set policy-options policy-statement vrf-export-provider-1 term t1 then community add provider-1
set policy-options policy-statement vrf-export-provider-1 term t1 then community add encap-udp
set policy-options policy-statement vrf-export-provider-1 term t1 then accept
set policy-options community provider-1 members target:64512:101
set policy-options community encap-udp members encapsulation:64512:13
RI的vrf类型用于保留L3路由。
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lo0.11
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-target target:64512:101;
set routing-instances provider-1 vrf-table-label
(略)
-unicast target:64512:101, Address: 0xd7a8e40
Address Family: l3, Flags: 0x4, References: 0
Export RIB: l3.0
Import RIB: bgp.l3.0
Secondary Import RIB: provider-1.inet.0
这是表bgp.l3.0中的INET-VPN路由示例。它是由BGP从Tungsten Fabric上通告的;路由标识符10.6.11.4:2由vRouter的IP地址和vRouter分配的ID组成;从Tungsten Fabric控制节点10.6.11.1发布;下一跳是通过动态GRE隧道接口gr-0/0/0.32769;MPLS标签为25。
10.6.11.4:2:172.16.11.3/32
*[BGP/170] 00:03:11, MED 100, localpref 100, from 10.6.11.1
AS path: 64512 ?, validation-state: unverified
> via gr-0/0/0.32769, Push 25
该路由将转换为INET路由并放置在VRF中。
172.16.11.3/32 *[BGP/170] 02:35:37, MED 100, localpref 100, from 10.6.11.1
AS path: 64512 ?, validation-state: unverified
> via gr-0/0/0.32769, Push 25
要从VRF导出路由,根据导出策略,该路由将从INET转换为INET-VPN,放入表bgp.l3.0中,然后由BGP导出。MPLS标签将分配给在表mpls.0中的INET-VPN路由。
这是VRF中的环回接口,如表bgp.l3.0所示。
64512:101:172.16.11.250/32
*[Direct/0] 00:43:14
> via lo0.11
The route is advertised with MPLS label 300624 showing by "show route advertising-protocol bgp 10.6.11.1 detail".
该路由用MPLS标签300624发布,通过 “show route advertising-protocol bgp 10.6.11.1 detail”可以显示细节。
* 64512:101:172.16.11.250/32 (1 entry, 1 announced)
BGP group -contrail type External
Route Distinguisher: 64512:101
VPN Label: 300624
Nexthop: Self
Flags: Nexthop Change
AS path: [64031] I
MPLS标签在表mpls.0中分配。
300624 *[VPN/170] 00:55:34
receive table provider-1.inet.0, Pop
使用vrf-target,可以创建隐式导入和导出策略。
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 vrf-target target:64512:101;
隐式导入策略将导入带有community“target:64540:100”的路由。其结果是,从Tungsten Fabric虚拟网络中发布的带有“target:64540:100”的路由,被导入到此RI中。
> show policy __vrf-import-5b4s37-166-internal__
Policy __vrf-import-5b4s37-166-internal__:
Term unnamed:
from community __vrf-community-5b4s37-166-common-internal__ [target:64540:100 ]
then accept
Term unnamed:
then reject
隐式导出策略将导出带有community“target:64540:100”的路由。其结果是,路由被发布到Tungsten Fabric,并导入到带有“target:64540:100”的虚拟网络中。
> show policy __vrf-export-5b4s37-166-internal__
Policy __vrf-export-5b4s37-166-internal__:
Term unnamed:
then community + __vrf-community-5b4s37-166-common-internal__ [target:64540:100 ] accept
策略可被显式定义为导入和导出路由。在此示例中,从Tungsten Fabric虚拟网络中发布的带有“target:64540:91”和“target:64540:92”的路由被导入RI。RI中的路由使用“target:64540:91”和“target:64540:92”进行通告,并导入到两个虚拟网络中。
set policy-options policy-statement provider-1-export term t1 then community add provider-1
set policy-options policy-statement provider-1-export term t1 then accept
set policy-options policy-statement provider-1-import term t1 from community provider-1
set policy-options policy-statement provider-1-import term t1 from community ext-host
set policy-options policy-statement provider-1-import term t1 then accept
set policy-options community ext-host members target:64510:101
set policy-options community provider-1 members target:64512:101
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lo0.11
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export
这里想说的是——
有两个工作选项:
详细信息请见以下各小节内容。
逻辑隧道用于连接master路由实例和VRF路由实例。根据使用情况,这是可选的。由于带宽限制,必须检查需求和特定硬件上的隧道带宽,以此来做出决定。
这是在逻辑隧道上使用静态路由的示例。
set chassis fpc 0 pic 0 tunnel-services
set interfaces lt-0/0/0 unit 100 encapsulation frame-relay
set interfaces lt-0/0/0 unit 100 dlci 10
set interfaces lt-0/0/0 unit 100 peer-unit 200
set interfaces lt-0/0/0 unit 100 family inet
set interfaces lt-0/0/0 unit 200 encapsulation frame-relay
set interfaces lt-0/0/0 unit 200 dlci 10
set interfaces lt-0/0/0 unit 200 peer-unit 100
set interfaces lt-0/0/0 unit 200 family inet
set routing-options static route 172.16.11.0/24 next-hop lt-0/0/0.100
set routing-instances provider-1 interface lt-0/0/0.200
set routing-instances provider-1 routing-options static route 0.0.0.0/0 next-hop lt-0/0/0.200
这里是一个示例,使用聚合路由在VRF和master之间配置BGP对等。
set chassis fpc 0 pic 0 tunnel-services
set interfaces lt-0/0/0 unit 100 encapsulation frame-relay
set interfaces lt-0/0/0 unit 100 dlci 10
set interfaces lt-0/0/0 unit 100 peer-unit 200
set interfaces lt-0/0/0 unit 100 family inet address 192.168.200.0/31
set interfaces lt-0/0/0 unit 200 encapsulation frame-relay
set interfaces lt-0/0/0 unit 200 dlci 10
set interfaces lt-0/0/0 unit 200 peer-unit 100
set interfaces lt-0/0/0 unit 200 family inet address 192.168.200.1/31
set protocols bgp group vrf type internal
set protocols bgp group vrf local-address 192.168.200.0
set protocols bgp group vrf keep all
set protocols bgp group vrf family inet unicast
set protocols bgp group vrf export provider-1-export
set protocols bgp group vrf neighbor 192.168.200.1
set policy-options policy-statement provider-1-export term t1 then community add provider-1
set policy-options policy-statement provider-1-export term t1 then accept
set policy-options policy-statement provider-1-aggregate-export term 1 from protocol aggregate
set policy-options policy-statement provider-1-aggregate-export term 1 from route-filter 172.16.11.0/24 exact
set policy-options policy-statement provider-1-aggregate-export term 1 then next-hop self
set policy-options policy-statement provider-1-aggregate-export term 1 then accept
set policy-options community provider-1 members target:64512:101
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lt-0/0/0.200
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export
set routing-instances provider-1 routing-options aggregate route 172.16.11.0/24
set routing-instances provider-1 protocols bgp group master type internal
set routing-instances provider-1 protocols bgp group master local-address 192.168.200.1
set routing-instances provider-1 protocols bgp group master keep all
set routing-instances provider-1 protocols bgp group master family inet unicast
set routing-instances provider-1 protocols bgp group master export provider-1-aggregate-export
set routing-instances provider-1 protocols bgp group master neighbor 192.168.200.0
可以将路由表指定为路由下一跳。从概念上讲,可以像下面的示例一样,在inet.0和vrf.inet.0之间控制流量。
90aa13ec-7906-4de8-9333-d9f504574c44-image.png
该解决方案的问题在于它将导致路由循环。例如,172.16.11.9的流量被导向vrf.inet.0。如果没有任何特定的路由解析,它将通过默认路由返回到inet.0。为了避免这种路由循环,Junos不允许进行这种配置。
Junos也不允许配置第三张表(the third table)。
RIB组通常用于泄漏路由表之间的路由。从概念上讲,可以创建一个RIB组以将INET路由从vrf.inet.0导入到inet.0,同时可以创建另一个RIB组以将INET路由从inet.0导入到vrf.inet.0。
set routing-options rib-groups provider-1-master import-rib provider-1.inet.0
set routing-options rib-groups provider-1-master import-rib inet.0
set routing-options rib-groups master-provider-1 import-rib inet.0
set routing-options rib-groups master-provider-1 import-rib provider-1.inet.0
set protocols bgp group corp type external
set protocols bgp group corp family inet unicast rib-group master-provider-1
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 routing-options auto-export family inet unicast rib-group provider-1-master
此配置将路由从inet.0泄漏到.inet.0。但是从另一种角度来看,自Tungsten Fabric接收而来的路由,不会从.inet.0泄漏到inet.0,原因是Junos的设计。这些路由已经从bgp.13.0中泄漏,因此.inet.0是这些路由的辅助RIB。辅助RIB中的路由不会再次泄漏。
对于ingress流量,由于Junos不会泄漏从VRF到master的overlay/32路由,因此有两个选择。
在VRF中添加生成(聚合)路由,并使用RIB组泄漏从vrf.inet.0到inet.0的聚合路由。
set routing-options rib-groups provider-1-master import-rib provider-1.inet.0
set routing-options rib-groups provider-1-master import-rib inet.0
set routing-options rib-groups provider-1-master import-policy provider-1-master-import
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-target target:64512:101
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 routing-options static route 0.0.0.0/0 next-table inet.0
set routing-instances provider-1 routing-options generate route 172.16.11.0/24 next-table provider-1.inet.0
set routing-instances provider-1 routing-options auto-export family inet unicast rib-group provider-1-master
将带有下一表(next-table)的静态路由添加到master中的vrf.inet.0。
set routing-options static route 172.16.11.0/24 next-table provider-1.inet.0
建议使用选项2。
请注意,需要为路由协议更新导出策略,以通告此类静态路由。
对于egress流量,这里有两个选择。
将带有下一表(next-table)的静态路由添加到VRF中的inet.0。
set routing-instances provider-1 routing-options static route 0.0.0.0/0 next-table inet.0
这里的问题是,如果它是如上所述的默认路由,则会导致路由循环。例如,到172.16.11.5/32的ingress流量在vrf.int.0中并不存在,但它将在master和VRF之间循环。使用特定的路由可以避免路由循环,但这不是动态的并且不能扩展。
master中路由协议接收到的路由泄漏到VRF。
set protocols bgp group corp type external
set protocols bgp group corp family inet unicast rib-group bgp-corp-provider-1
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set routing-options rib-groups bgp-corp-provider-1 import-rib inet.0
set routing-options rib-groups bgp-corp-provider-1 import-rib provider-1.inet.0
同样,由于Junos的限制,泄漏到VRF(辅助RIB)中的路由无法发布给Tungsten Fabric。解决方案是添加默认拒绝路由。
set routing-instances provider-1 routing-options static route 0.0.0.0/0 reject
作为结论,这里是解决方案。
附录A.1是完整的配置。
请注意,这不适用于MPLSoUDP。
此解决方案是,使用转发过滤器(forwarding filter)将ingress流量引导到VRF RI,并使用带有下一表(next-table)的静态路由将egress流量引导到master RI。
该解决方案有两个问题。
由于Junos中的某些问题,它不适用于MPLSoUDP。
要向外部发布路由,必须添加指向网关本身的路由。Ingress流量将首先到达过滤器,因此静态路由仅用于通告目的,对流量没有影响。
附录A.2是一个示例配置。
请注意,由于Family route-target,在Tungsten Fabric中,对于暴露的VN,必须将远程VRF RT配置为导入RT。否则,网关将不会从远程VRF发布INET-VPN路由。
Tungsten Fabric中的路由有以下的community。
根据使用情况(例如去往外部集群或另一个Tungsten Fabric集群的路由),这些community可能需要清理,也可能不需要。
附录A.2中的配置是清理community的一个示例。
单个网关可以支持多个集群,它们本应该具有不同的ASN。
set version 18.3R1.9
set chassis fpc 0 pic 0 tunnel-services
set interfaces ge-0/0/0 mac 52:54:00:8c:f9:2b
set interfaces ge-0/0/0 unit 0 family inet address 10.6.30.2/30
set interfaces ge-0/0/1 mac 52:54:00:c4:ee:41
set interfaces ge-0/0/1 unit 0 family inet address 10.6.20.1/30
set interfaces fxp0 unit 0 family inet address 10.6.8.31/24
set interfaces lo0 unit 0 family inet address 10.6.0.31/32
set interfaces lo0 unit 11 family inet address 172.16.11.250/32
set interfaces lo0 unit 12 family inet address 172.16.12.250/32
set routing-options interface-routes rib-group inet master-direct-vrf
set routing-options static route 172.16.11.0/24 next-table provider-1.inet.0
set routing-options static route 172.16.12.0/24 next-table provider-2.inet.0
set routing-options rib-groups bgp-corp-vrf import-rib inet.0
set routing-options rib-groups bgp-corp-vrf import-rib provider-1.inet.0
set routing-options rib-groups bgp-corp-vrf import-rib provider-2.inet.0
set routing-options rib-groups master-direct-vrf import-rib inet.0
set routing-options rib-groups master-direct-vrf import-rib provider-1.inet.0
set routing-options rib-groups master-direct-vrf import-rib provider-2.inet.0
set routing-options rib-groups master-direct-vrf import-policy rib-import-master-vrf
set routing-options route-distinguisher-id 10.6.0.31
set routing-options autonomous-system 64031
set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail gre
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24
set protocols bgp group corp type external
set protocols bgp group corp family inet unicast rib-group bgp-corp-vrf
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set protocols bgp group fabric type external
set protocols bgp group fabric family inet unicast
set protocols bgp group fabric export direct
set protocols bgp group fabric neighbor 10.6.20.2 peer-as 64011
set protocols bgp group -contrail type external
set protocols bgp group -contrail multihop
set protocols bgp group -contrail local-address 10.6.0.31
set protocols bgp group -contrail keep all
set protocols bgp group -contrail family inet- unicast
set protocols bgp group -contrail family route-target
set protocols bgp group -contrail neighbor 10.6.11.1 peer-as 64512
set policy-options policy-statement direct term t1 from protocol direct
set policy-options policy-statement direct term t1 from protocol aggregate
set policy-options policy-statement direct term t1 then accept
set policy-options policy-statement direct term t2 from protocol static
set policy-options policy-statement direct term t2 from route-filter 172.16.11.0/24 exact
set policy-options policy-statement direct term t2 then accept
set policy-options policy-statement direct term t3 from protocol static
set policy-options policy-statement direct term t3 from route-filter 172.16.12.0/24 exact
set policy-options policy-statement direct term t3 then accept
set policy-options policy-statement rib-import-master-vrf term t2 from protocol direct
set policy-options policy-statement rib-import-master-vrf term t2 then accept
set policy-options policy-statement rib-import-master-vrf term end then reject
set policy-options policy-statement vrf-export-provider-1 term t1 then community add provider-1
set policy-options policy-statement vrf-export-provider-1 term t1 then accept
set policy-options policy-statement vrf-export-provider-1 term end then reject
set policy-options policy-statement vrf-export-provider-2 term t1 then community add provider-2
set policy-options policy-statement vrf-export-provider-2 term t1 then accept
set policy-options policy-statement vrf-export-provider-2 term end then reject
set policy-options policy-statement vrf-import-provider-1 term t1 from community provider-1
set policy-options policy-statement vrf-import-provider-1 term t1 from community ext-host
set policy-options policy-statement vrf-import-provider-1 term t1 then accept
set policy-options policy-statement vrf-import-provider-1 term end then reject
set policy-options policy-statement vrf-import-provider-2 term t1 from community provider-2
set policy-options policy-statement vrf-import-provider-2 term t1 from community ext-host
set policy-options policy-statement vrf-import-provider-2 term t1 then accept
set policy-options policy-statement vrf-import-provider-2 term end then reject
set policy-options community all-encaps members encapsulation:*:*
set policy-options community all-origin-vns members 0x8071:*:*
set policy-options community all-security-groups members 0x8004:*:*
set policy-options community encap-udp members encapsulation:64512:13
set policy-options community ext-host members target:64510:101
set policy-options community provider-1 members target:64512:101
set policy-options community provider-2 members target:64512:102
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lo0.11
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import vrf-import-provider-1
set routing-instances provider-1 vrf-export vrf-export-provider-1
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 routing-options static route 0.0.0.0/0 reject
set routing-instances provider-2 instance-type vrf
set routing-instances provider-2 interface lo0.12
set routing-instances provider-2 route-distinguisher 64512:102
set routing-instances provider-2 vrf-import vrf-import-provider-2
set routing-instances provider-2 vrf-export vrf-export-provider-2
set routing-instances provider-2 vrf-table-label
set routing-instances provider-2 routing-options static route 0.0.0.0/0 reject
set version 18.3R1.9
set chassis fpc 0 pic 0 tunnel-services
set interfaces ge-0/0/0 mac 52:54:00:8c:f9:2b
set interfaces ge-0/0/0 unit 0 family inet address 10.6.30.2/30
set interfaces ge-0/0/1 mac 52:54:00:c4:ee:41
set interfaces ge-0/0/1 unit 0 family inet address 10.6.20.1/30
set interfaces fxp0 unit 0 family inet address 10.6.8.31/24
set interfaces lo0 unit 0 family inet address 10.6.0.31/32
set routing-options route-distinguisher-id 10.6.0.31
set routing-options autonomous-system 64031
set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail gre
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24
set routing-options dynamic-tunnels contrail destination-networks 10.6.0.0/16
set protocols bgp group corp type external
set protocols bgp group corp family inet unicast
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set protocols bgp group fabric type external
set protocols bgp group fabric family inet unicast
set protocols bgp group fabric export direct
set protocols bgp group fabric neighbor 10.6.20.2 peer-as 64011
set protocols bgp group -contrail type external
set protocols bgp group -contrail multihop
set protocols bgp group -contrail local-address 10.6.0.31
set protocols bgp group -contrail keep all
set protocols bgp group -contrail family inet- unicast
set protocols bgp group -contrail family route-target
set protocols bgp group -contrail neighbor 10.6.11.1 peer-as 64512
set protocols bgp group -external type external
set protocols bgp group -external multihop
set protocols bgp group -external local-address 10.6.0.31
set protocols bgp group -external keep all
set protocols bgp group -external family inet- unicast
set protocols bgp group -external family route-target
set protocols bgp group -external export -external-export
set protocols bgp group -external neighbor 10.6.0.41 peer-as 64041
set policy-options policy-statement direct term t1 from protocol direct
set policy-options policy-statement direct term t1 then accept
set policy-options policy-statement provider-1-export term t1 then accept
set policy-options policy-statement provider-1-import term t1 from community provider-1
set policy-options policy-statement provider-1-import term t1 from community ext-host
set policy-options policy-statement provider-1-import term t1 then accept
set policy-options policy-statement -external-export term t1 from community provider-1
set policy-options policy-statement -external-export term t1 then community add ext-host
set policy-options policy-statement -external-export term t1 then community delete all-encaps
set policy-options policy-statement -external-export term t1 then community delete all-security-groups
set policy-options policy-statement -external-export term t1 then community delete all-origin-vns
set policy-options policy-statement -external-export term t1 then accept
set policy-options community all-encaps members encapsulation:*:*
set policy-options community all-origin-vns members 0x8071:*:*
set policy-options community all-security-groups members 0x8004:*:*
set policy-options community ext-host members target:64510:101
set policy-options community provider-1 members target:64512:101
set firewall family inet filter to-vrf term 1 from destination-address 172.16.11.0/24
set firewall family inet filter to-vrf term 1 then routing-instance provider-1
set firewall family inet filter to-vrf term default then accept
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export