So I eventually figured this out... for the router to apply the extended
community on inbound routes, one has to configure the export RT in the
VRF itself.
Originally, I had used only import and export maps, without defining the
RT explicitly in the VRF.
Turns out that even if you use import and export maps for fine-grained
community management, you still need to define the RT in the VRF. That
sort of acts like a "first step" in telling the router what communities
to allow, and then the import/export maps are the "second step" in
further being granular about what communities are allowed into and out
of the VRF.
This documentation is nowhere in the wild that I could find, but hope it
helps someone else that runs into the issue.
This is different from how Junos does it, where import/export maps can
be used without having to explicitly define the RT in the VRF.
Mark.
On 9/21/23 14:27, Mark Tinka wrote:
Hi all.
I have a simple inbound route-map on a VPNv4 PE-CE BGP session that
does the below:
route-map TEST deny 10
 match rpki invalid
!
route-map TEST permit 20
 match ip address prefix-list test-in
 set metric 0
 set local-preference 120
 set extcommunity rt 65200:5
!
route-map TEST deny 65535
The outcome of that policy works correctly for setting MED to 0 and
LOCAL_PREF to 120.
However, I can't get it to set the extended RT community value to
65200:5. Nothing happens.
If I update that sequence with the below...
route-map TEST permit 20
 match ip address prefix-list test-in
 set metric 0
 set local-preference 120
 set community 65200:5
 set extcommunity rt 65200:5
... the regular community value is applied to the route. Of course,
this does not work for me since I need the extended RT community
applied to the route for it to work further down the core.
Am I doing something wrong, or is this a bug?
System is an ASR1002-X running IOS XE 17.03.04a.
For completeness, doing this on Junos works flawlessly.
All help appreciated. Thanks.
Mark.
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
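
The VRF change described in the reply at the top of this thread, sketched as an added example that is not part of the original posts. The VRF name, RD and map names are hypothetical; only the RT value 65200:5 comes from the thread.

```cisco
! Before (as the reply describes it): the VRF relies only on
! import/export maps, with no RT defined in the VRF itself.
! EXAMPLE-VRF, 65200:100, EXAMPLE-IMPORT and EXAMPLE-EXPORT are
! hypothetical placeholders.
vrf definition EXAMPLE-VRF
 rd 65200:100
 !
 address-family ipv4
  import map EXAMPLE-IMPORT
  export map EXAMPLE-EXPORT
 exit-address-family
!
! After: the export RT is defined explicitly in the VRF, and the
! import/export maps stay in place for the finer-grained control.
vrf definition EXAMPLE-VRF
 rd 65200:100
 !
 address-family ipv4
  route-target export 65200:5
  import map EXAMPLE-IMPORT
  export map EXAMPLE-EXPORT
 exit-address-family
```

Whether the RT is then attached to a route learned from the CE can be checked in the Extended Community line of `show bgp vpnv4 unicast vrf EXAMPLE-VRF` for that prefix.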