In a multitenant deployment, if DIA (Direct Internet Access) is implemented in the respective tenant LAN VRs, the default behavior allows inter-VRF routing. This is because the LAN routes are also exported over the BGP session between the transport VR and the tenant LAN VR: the default peer/group policy ends with the term Allow_All, whose action is accept. As a result the transport VR also advertises the LAN routes of one tenant's LAN to another tenant.


Bug ID #81516 was opened to override this default behavior. The fix was first made available in release versa-flexvnf-20220730-150211-67ff6c7-21.2.3 and was included in the 21.2.3 GA from June 2022 until Nov 2022.


However, the fix was subsequently revoked because of collateral impact: it is no longer present starting with the 21.2.3 hot-fix image versa-director-20221202-140822-ed54a78-21.2.3.bin and in the later GA releases.


https://support.versa-networks.com/support/solutions/articles/23000024323



admin@Branch-01> show interfaces brief
NAME         MAC                OPER  ADMIN  TENANT  VRF                    IP
-----------------------------------------------------------------------------------------------
eth-0/0      0c:e0:b6:bd:00:00  up    up     0       global                 10.192.216.207/16
ptvi1537     n/a                up    up     2       Versa-Control-VR       12.0.0.8/32
tvi-0/2      n/a                up    up     -       -
tvi-0/2.0    n/a                up    up     2       Versa-Control-VR       12.0.0.21/32
tvi-0/3      n/a                up    up     -       -
tvi-0/3.0    n/a                up    up     2       Versa-Control-VR       12.0.0.20/32
tvi-0/602    n/a                up    up     -       -
tvi-0/602.0  n/a                up    up     2       Internet-Transport-VR  169.254.0.2/31
tvi-0/603    n/a                up    up     -       -
tvi-0/603.0  n/a                up    up     2       Versa-LAN-VR           169.254.0.3/31
vni-0/0      0c:e0:b6:bd:00:01  up    up     -       -
vni-0/0.0    0c:e0:b6:bd:00:01  up    up     2       Internet-Transport-VR  172.16.10.207/24
vni-0/1      0c:e0:b6:bd:00:02  up    up     -       -
vni-0/1.0    0c:e0:b6:bd:00:02  up    up     2       mpls-Transport-VR      172.16.20.207/24
vni-0/2      0c:e0:b6:bd:00:03  up    up     -       -
vni-0/2.0    0c:e0:b6:bd:00:03  up    up     2       Versa-LAN-VR           30.30.30.1/24  <<<




admin@Branch-01> show bgp neighbor brief
routing-instance: Versa-Control-VR

Neighbor        V  MsgRcvd   MsgSent    Uptime     State/PfxRcd  PfxSent AS
12.0.0.8        4  840       259        01:46:40   29            6       64512

routing-instance: Internet-Transport-VR

Neighbor        V  MsgRcvd   MsgSent    Uptime     State/PfxRcd  PfxSent AS
169.254.0.3     4  249       252        01:46:55   1             1       64514

routing-instance: Versa-LAN-VR

Neighbor        V  MsgRcvd   MsgSent    Uptime     State/PfxRcd  PfxSent AS
169.254.0.2     4  251       251        01:46:55   1             1       64513

>> In the output below we can clearly see that the LAN route (30.30.30.0/24) is advertised from Versa-LAN-VR to the transport VR peer 169.254.0.2:

admin@Branch-01> show route table ipv4.unicast advertising-protocol bgp neighbor-address 169.254.0.2

Routes for Routing instance : Internet-Transport-VR  AFI: ipv4  SAFI: unicast
% No entries found.

Routes for Routing instance : Versa-Control-VR  AFI: ipv4  SAFI: unicast
% No entries found.

Routes for Routing instance : Versa-LAN-VR  AFI: ipv4  SAFI: unicast

Prefix/Mask         Next-hop          MED  Lclpref  AS path
-----------         --------          ---  -------  -------
30.30.30.0/24       169.254.0.3       0    0        64514


admin@Branch-01> show route routing-instance Versa-LAN-VR


Prot   Type  Dest Address/Mask   Next-hop        Age      Interface name     Nexthop name
----   ----  -----------------   --------        ---      --------------    ---------------
BGP    N/A   0.0.0.0/0           12.0.0.16       00:04:26 Indirect           Ind-Hub
BGP    N/A  +0.0.0.0/0           169.254.0.2     01:47:30 tvi-0/603.0
BGP    N/A  +20.20.20.0/24       12.0.0.16       01:43:59 Indirect           Ind-Hub
conn   N/A  +30.30.30.0/24       0.0.0.0         01:47:29 vni-0/2.0
local  N/A  +30.30.30.1/32       0.0.0.0         01:47:29 directly connected
conn   N/A  +169.254.0.2/31      0.0.0.0         01:47:52 tvi-0/603.0
local  N/A  +169.254.0.3/32      0.0.0.0         01:47:52 directly connected


admin@Branch-01> show route routing-instance Internet-Transport-VR


Prot   Type  Dest Address/Mask   Next-hop        Age      Interface name     Nexthop name
----   ----  -----------------   --------        ---      --------------    ---------------
static N/A  +0.0.0.0/0           172.16.10.254   01:47:36 vni-0/0.0
BGP    N/A  +30.30.30.0/24       169.254.0.3     01:47:35 tvi-0/602.0
conn   N/A  +169.254.0.2/31      0.0.0.0         01:47:58 tvi-0/602.0
local  N/A  +169.254.0.2/32      0.0.0.0         01:47:58 directly connected
conn   N/A  +172.16.10.0/24      0.0.0.0         01:47:36 vni-0/0.0
local  N/A  +172.16.10.207/32    0.0.0.0         01:47:36 directly connected


admin@Branch-01> show configuration routing-instances Versa-LAN-VR protocols bgp

    routing-peer-policy To_ST_DIA {
        term Allow_Local_LAN {
            match {
                community "(^|,)8009:8009($|,)";
            }
            action {
                reject;
            }
        }
        term Reject_Cloud_Routes {
            match {
                community .*8013:8013.*;
            }
            action {
                reject;
            }
        }
        term Allow_All {
            action {
                accept;   <<<<
            }
        }
    }



Solution:  To prevent the inter-VRF communication, change the action of the Allow_All term from accept to reject in the respective VRFs:

 virtual-routers --> BGP --> peer/group policy --> To_ST_DIA --> (term) Allow_All --> change action from accept to reject.
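As an added example (not part of this KB article and not a Versa tool), the following Python script audits a copied routing-peer-policy block for an unconditional catch-all accept term, and parses the "show route table ... advertising-protocol bgp" output to list which prefixes each routing instance is actually advertising, so the leak can be confirmed before and after the change. The parser is a minimal hand-written one for the brace-delimited text shown above; the function names and the embedded sample strings are constructed for this example.

```python
"""Audit a Versa routing-peer-policy for an unconditional catch-all accept
and confirm what a routing instance advertises to its BGP peer.

Added example for the KB above; the sample strings below are copied from
the article's output and the parser is hand-written, not a Versa API."""
import re

# Constructed sample: the Versa-LAN-VR peer policy from the KB, before the fix.
POLICY_BEFORE = """
    routing-peer-policy To_ST_DIA {
        term Allow_Local_LAN {
            match {
                community "(^|,)8009:8009($|,)";
            }
            action {
                reject;
            }
        }
        term Reject_Cloud_Routes {
            match {
                community .*8013:8013.*;
            }
            action {
                reject;
            }
        }
        term Allow_All {
            action {
                accept;
            }
        }
    }
"""
# The same policy after applying the KB's solution (Allow_All -> reject).
POLICY_AFTER = POLICY_BEFORE.replace("accept;", "reject;")

# Constructed sample: advertised-routes output before the fix (leak visible).
ADVERTISED_BEFORE = """\
Routes for Routing instance : Internet-Transport-VR  AFI: ipv4  SAFI: unicast
% No entries found.

Routes for Routing instance : Versa-LAN-VR  AFI: ipv4  SAFI: unicast

Prefix/Mask         Next-hop          MED  Lclpref  AS path
-----------         --------          ---  -------  -------
30.30.30.0/24       169.254.0.3       0    0        64514
"""

TERM_RE = re.compile(r"term\s+(\S+)\s*\{")
INSTANCE_RE = re.compile(r"Routes for Routing instance : (\S+)")
PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+(\S+)")


def parse_terms(text):
    """Return an ordered list of (name, has_match, action) for every term.

    Brace depth is tracked line by line so the nested 'match {' and 'action {'
    blocks are attributed to the enclosing term. Community regexes on the page
    contain no braces; a pattern like '{2}' would need a smarter tokenizer."""
    terms, current, depth, term_depth = [], None, 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TERM_RE.match(line)
        if m and current is None:
            current = {"name": m.group(1), "has_match": False, "action": None}
            term_depth = depth
        if current is not None:
            if line.startswith("match"):
                current["has_match"] = True
            elif line.split(";")[0] in ("accept", "reject"):
                current["action"] = line.split(";")[0]
        depth += line.count("{") - line.count("}")
        if current is not None and depth <= term_depth:  # term block closed
            terms.append((current["name"], current["has_match"], current["action"]))
            current, term_depth = None, None
    return terms


def find_leaky_catch_all(text):
    """Name of a term that accepts with no match condition, else None."""
    for name, has_match, action in parse_terms(text):
        if not has_match and action == "accept":
            return name
    return None


def advertised_prefixes(output):
    """Map routing-instance name -> list of prefixes it advertises to the peer."""
    result, instance = {}, None
    for line in output.splitlines():
        m = INSTANCE_RE.search(line)
        if m:
            instance = m.group(1)
            result.setdefault(instance, [])
            continue
        m = PREFIX_RE.match(line)
        if m and instance is not None:
            result[instance].append(m.group(1))
    return result


if __name__ == "__main__":
    for label, pol in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, "catch-all accept term:", find_leaky_catch_all(pol))
    print("advertised before:", advertised_prefixes(ADVERTISED_BEFORE))
```

Run it against the output of "show configuration routing-instances <LAN-VR> protocols bgp" for each tenant LAN VR; a non-None result from find_leaky_catch_all means that VR still exports everything not caught by an earlier reject term, and advertised_prefixes on the "advertising-protocol bgp" output shows exactly which LAN prefixes reach the transport VR.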




admin@Branch-01>

System message at 2023-07-10 02:35:05...

Commit performed by admin via ssh using netconf.


After the commit, the LAN route is no longer advertised from the LAN VR to the transport VR, and we don't see the route in the transport VR route table.



   
admin@Branch-01> show configuration routing-instances Versa-LAN-VR protocols bgp

    routing-peer-policy To_ST_DIA {
        term Allow_Local_LAN {
            match {
                community "(^|,)8009:8009($|,)";
            }
            action {
                reject;
                rib-bgp-ecmp false;
            }
        }
        term Reject_Cloud_Routes {
            match {
                community .*8013:8013.*;
            }
            action {
                reject;
                rib-bgp-ecmp false;
            }
        }
        term Allow_All {
            action {
                reject;
            }
        }
    }



admin@Branch-01> show route table ipv4.unicast advertising-protocol bgp neighbor-address 169.254.0.2
Routes for Routing instance : Internet-Transport-VR  AFI: ipv4  SAFI: unicast
% No entries found.

Routes for Routing instance : Versa-Control-VR  AFI: ipv4  SAFI: unicast
% No entries found.

Routes for Routing instance : Versa-LAN-VR  AFI: ipv4  SAFI: unicast
% No entries found.

Routes for Routing instance : global  AFI: ipv4  SAFI: unicast
% No entries found.

Routes for Routing instance : mpls-Transport-VR  AFI: ipv4  SAFI: unicast
% No entries found.
[ok][2023-07-10 02:35:09]
admin@Branch-01> show route routing-instance Internet-Transport-VR


Routes for Routing instance : Internet-Transport-VR  AFI: ipv4  SAFI: unicast


Prot   Type  Dest Address/Mask   Next-hop        Age      Interface name     Nexthop name
----   ----  -----------------   --------        ---      --------------    ---------------
static N/A  +0.0.0.0/0           172.16.10.254   01:53:33 vni-0/0.0
conn   N/A  +169.254.0.2/31      0.0.0.0         01:53:55 tvi-0/602.0
local  N/A  +169.254.0.2/32      0.0.0.0         01:53:55 directly connected
conn   N/A  +172.16.10.0/24      0.0.0.0         01:53:34 vni-0/0.0
local  N/A  +172.16.10.207/32    0.0.0.0         01:53:34 directly connected