Understanding and configuring Rib Groups

Summary

RIB groups (or Routing Table Groups) are similar to the Auto Export feature, allowing a PE to share local routes across multiple VRFs (or RIBs).

The end goal of Auto Export and a Rib Group is the same; however, the latter allows more specific configuration, whereby individual routes can be leaked between different VRFs based on configuration options and policy. This is more flexible and powerful than the more basic VRF import/export statements that Auto Export offers.

Rib Groups are also bound to specific routing protocols, static routes or directly connected routes, so by nature the policies for leaking routes are more structured and defined.

How to configure a Rib Group

The first configuration step should be applied at the global routing-options level to define a Rib Group name. Within that hierarchy, statements specify which RIB (or VRF) routes are taken from and where they are placed. The “import-rib” statement does this by taking copies of routes from the first rib listed in the square brackets and placing those routes into the second rib listed in the square brackets.

Furthermore, the optional import-policy statement links the Rib Group to a policy that specifies which routes are leaked. This is where a Rib Group becomes more flexible: Auto Export relies specifically on the policies applied within the VRF import/export statements, and those statements are considered more fundamental to the structure of the wider VPN topology, so they should be kept as simple as possible.

In the following configuration green-vpn-a.inet.0 will place a route into green-vpn-b.inet.0:

routing-options {
    rib-groups {
        green-a-to-b {
            import-rib [ green-vpn-a.inet.0 green-vpn-b.inet.0 ];
            import-policy rib-group-green-vpn-policy;
        }
    }
    router-id 172.25.1.1;
    autonomous-system 45501;
}

The import into green-vpn-a.inet.0 is also passed through a policy called rib-group-green-vpn-policy, which has been explicitly configured to leak only a direct 1.1.1.1/32 route:

policy-options {
    policy-statement rib-group-green-vpn-policy {
        term a {
            from {
                protocol direct;
                route-filter 1.1.1.1/32 exact accept;
            }
        }
        term z {
            then reject;
        }
    }
}

The Rib Group is then applied within the routing-options hierarchy in the source VRF, which in this case is green-vpn-a. In addition to applying the rib group within the VRF, the “interface-routes” statement is added to instruct the PE to also copy directly connected routes within the source VRF that are associated as next hops to the routes being leaked. This is an important aspect of the configuration: without this statement the leaked routes would become hidden, because the protocol next-hop would not be available in the destination RIB.

Because rib groups operate at a protocol level, the rib group must also be applied to the respective routing protocols that exist within the source VRF; this allows the routes to be ‘picked up’ from the source protocol and delivered into the rib group. In this configuration the rib group a-to-b is placed at the BGP inet unicast level and thus will match on all routes being received across this BGP neighbourship.

One important aspect of rib groups that differs from auto export is that the BGP split horizon rule is not considered when leaking routes. When configuring rib groups, it is considered best practice to change the vrf export policy on the destination table to stop the announcement of the leaked routes. This protects against potential routing loops and sub-optimal routing. It may not always be required; it depends on the VPN topology and the requirements for applying route leaking.
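
The VRF-side steps described above, written out as an added example in Junos configuration syntax; it is not configuration from the original post. It assumes both VRFs already exist with their other statements, and the BGP group name ce-peers, the export policy green-vpn-b-export, the community green-vpn-b-target and its target:45501:2 value are constructed for illustration.

```junos
/* Added example; ce-peers, green-vpn-b-export, green-vpn-b-target and the
   target:45501:2 value are constructed, not taken from the post. */
routing-instances {
    green-vpn-a {
        routing-options {
            /* Copy connected routes so next hops of leaked routes resolve
               in green-vpn-b.inet.0 instead of leaving the routes hidden. */
            interface-routes {
                rib-group inet green-a-to-b;
            }
        }
        protocols {
            bgp {
                group ce-peers {
                    family inet {
                        unicast {
                            /* Hand routes learned on this session to the rib group. */
                            rib-group green-a-to-b;
                        }
                    }
                }
            }
        }
    }
    green-vpn-b {
        /* Destination VRF: export policy that withholds the leaked route. */
        vrf-export green-vpn-b-export;
    }
}
policy-options {
    policy-statement green-vpn-b-export {
        term block-leaked {
            from {
                route-filter 1.1.1.1/32 exact;
            }
            then reject;
        }
        term export-own {
            then {
                community add green-vpn-b-target;
                accept;
            }
        }
    }
    community green-vpn-b-target members target:45501:2;
}
```

The block-leaked term must stay ahead of the term that attaches the route target, so the leaked 1.1.1.1/32 is rejected before it can be tagged and announced from green-vpn-b.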

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16133&smlogin=true
