Hi,
I had similiar problems a while ago when we tried to leak routes from inet.0 into a VPN Instance. This works fine on a router which is not a RR (so no bgp.l3vpn.0). As soon as you add RR to that scenario it will no longer announce the leaked routes via L3VPN and/or leak/export them to bgp.l3vpn.0

The reason for it not working is that routes are only allowed to be "leaked" once in Junos architecture. In Scenario b they would need to be exported/leaked twice before being send out to L3VPN peers.

Our workaround back in the day was a BGP Session between inet.0 and vpn.inet.0 via lt- interface + BGP Policy to rewrite next-hop directly to inet.0. This way the routes are exchanged via the lt- but forwarding is done directly. Not sure if that is feasible/applicable for your scenario.

can't find
Theirs is this split horizon rule in VPNs,
If VPN-A leaks prefix X to VPN-B then VPN-B should not advertise this prefix
X to other PEs.
-because if you'd allow this to happen then VPN-A and VPN-B could
potentially both advertise prefix X -what would the receiving PEs think then
-did prefix X come from VPN-A or VPN-B? should I overwrite the RTs/label for
the prefix? As you can see it would create a mayhem at the receiving end.

Now, this Downstream HUB VRF feature with "no-vrf-advertise" allows you to
break this split-horizon rule if you pinky swear that VPN-A will never
advertise prefix X to any other PE.
This way then VPN-B would become the solely advertiser of prefix X to the
rest of the PEs, hence no loops are possible.
-although the feature description seems to suggest that one can leak VPN-A's
prefix into multiple local PE VPNs -which potentially leads to the same
problem outlined above.
-so hopefully there are controls in Junos allowing you to import routes from
VPN-A only to one downstream hub VRF.

Introducing Cisco style VPNs into the mix,
My understanding is that the Junos feature "advertise-from-main-vpn-tables"
-is how VPN routing works in all Cisco platforms.
I haven't yet played with this feature so don't know if it allows VPNs to
exchange prefixes with one another cisco-style i.e. via the MP-BGP table on
a common PE, or whether the junos-style direct inter-VRF route leaking is
maintained and used instead.
However if the former is the case and VPNs are allowed to exchange routes
between each other (a free trade) via the MP-BGP table, then I can see how
the controls of Downstream HUB feature might get circumvented -as the MP-BGP
table would not enforce any such rules as to which VRF can or can not leak a
given prefix to other VRFs -other than based on matching RTs.

And I think that's the reason why the "Downstream HUB VRF" feature is
disabled in presence of "advertise-from-main-vpn-tables" feature.
Just thinking out loud.

adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::

_______________________________________________
juniper-nsp mailing list juniper-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

I guess you have an explicit match for those routes in your VRF export policy for the downstream VRF instance ?
_______________________________________________
juniper-nsp mailing list juniper-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp