Goal:
Keep the global route redistribution options enabled while selectively filtering the routes advertised from NSX-T to the physical network.
Setup Details
Two NSX-T Edge Nodes (ENs, 5.5.5.2 and 5.5.5.3) in Active/Standby with eBGP configured to a Cumulus Border Leaf (5.5.5.1). The following are the routes currently advertised by NSX-T to the physical network:
en1(tier0_sr)> get bgp neighbor 5.5.5.1 advertised-routes
Status flags: * - best, I - internal
Origin flags: I - IGP, E - EGP, ! - incomplete
Network Next Hop LocPrf MED AS Path
2.2.2.0/29 5.5.5.2 0 0 65300 !
2.2.2.8/29 5.5.5.2 0 0 65300 !
2.2.2.64/27 5.5.5.2 0 0 65300 !
2.3.0.0/24 5.5.5.2 0 0 65300 !
2.4.0.0/24 5.5.5.2 0 0 65300 !
23.23.23.10/32 5.5.5.2 0 0 65300 !
23.23.23.201/32 5.5.5.2 0 0 65300 !
23.23.23.202/32 5.5.5.2 0 0 65300 !
23.23.23.203/32 5.5.5.2 0 0 65300 !
23.23.23.204/32 5.5.5.2 0 0 65300 !
23.23.23.205/32 5.5.5.2 0 0 65300 !
23.23.23.206/32 5.5.5.2 0 0 65300 !
23.23.23.207/32 5.5.5.2 0 0 65300 !
23.23.23.208/32 5.5.5.2 0 0 65300 !
172.16.0.0/24 5.5.5.2 0 0 65300 !
172.16.1.0/24 5.5.5.2 0 0 65300 !
172.16.2.0/24 5.5.5.2 0 0 65300 !
172.16.3.0/24 5.5.5.2 0 0 65300 !
172.16.4.0/24 5.5.5.2 0 0 65300 !
2.2.2.x, 2.3.x.x and 2.4.x.x are networks on a T1 router that were created manually. I want these to be advertised out.
23.23.23.x are the LB, SNAT and DNAT IPs that I also want to be advertised.
172.16.x.x are my Kubernetes POD networks that I DO NOT want to be advertised.
In NSX IPAM, I have provided a block of 172.16.0.0/16 from which a /24 subnet is automatically provisioned for each Kubernetes Namespace.
I do not want to deny each subnet manually; I want the whole /16 covered so that none of it is advertised out.
Solution
a. Enable the global route redistribution option on the T0.
b. Create IP Prefix lists.
You need one IP Prefix list for the 172.16.0.0/16 network and one for ANY network.
c. Create a Route Map with a deny entry matching the 172.16.0.0/16 Prefix list first, followed by a permit entry matching ANY.
d. The last step is to go to the BGP Neighbor → Edit → Address Families and apply the Route Map as the Out Route Map.
Let's look at the routes being advertised again:
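The following Python model is added here and is not part of the original post. It replays the route map described in steps b to d over the advertised-routes listing above using FRR-style prefix-list semantics (an assumption about how the NSX-T edge evaluates them; the names POD_NETS, ANY, OUT_ROUTE_MAP and leaked_pod_routes are hypothetical). It shows why the 172.16.0.0/16 entry needs a mask-length bound such as "le 32" to catch the /24s carved from it, and why the trailing permit-ANY sequence is required.

```python
import ipaddress

# Constructed from the page's first "advertised-routes" listing (pre-filter).
ADVERTISED = [
    "2.2.2.0/29", "2.2.2.8/29", "2.2.2.64/27", "2.3.0.0/24", "2.4.0.0/24",
    "23.23.23.10/32", "23.23.23.201/32", "23.23.23.202/32", "23.23.23.203/32",
    "23.23.23.204/32", "23.23.23.205/32", "23.23.23.206/32", "23.23.23.207/32",
    "23.23.23.208/32", "172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24",
    "172.16.3.0/24", "172.16.4.0/24",
]

def prefix_list_eval(route, prefix_list):
    """Assumed FRR-style lookup. Entries are (action, network, ge, le): the first
    entry whose network contains the route and whose mask-length window fits
    decides; without ge/le only an exact-length match counts. None if no match."""
    r = ipaddress.ip_network(route)
    for action, network, ge, le in prefix_list:
        n = ipaddress.ip_network(network)
        if not r.subnet_of(n):
            continue
        if ge is None and le is None:
            fits = r.prefixlen == n.prefixlen
        else:
            fits = (ge or n.prefixlen) <= r.prefixlen <= (le or 32)
        if fits:
            return action
    return None

def route_map_out(routes, route_map):
    """First sequence whose prefix list permits the route decides; a route that
    matches no sequence is dropped, hence the page's trailing permit-ANY."""
    sent = []
    for route in routes:
        for action, plist in route_map:
            if prefix_list_eval(route, plist) == "permit":
                if action == "permit":
                    sent.append(route)
                break
    return sent

# Page's setup (hypothetical names). "le 32" matches every /24 under the /16.
POD_NETS = [("permit", "172.16.0.0/16", None, 32)]
ANY = [("permit", "0.0.0.0/0", None, 32)]
OUT_ROUTE_MAP = [("deny", POD_NETS), ("permit", ANY)]

def leaked_pod_routes(routes, pod_block="172.16.0.0/16"):
    """Defender check over an advertised-routes list: pod prefixes still sent."""
    b = ipaddress.ip_network(pod_block)
    return [r for r in routes if ipaddress.ip_network(r).subnet_of(b)]
```

Feeding the output of "get bgp neighbor 5.5.5.1 advertised-routes" into leaked_pod_routes after a change is a quick way to confirm no pod subnet has slipped past the filter.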
en1(tier0_sr)> get bgp neighbor 5.5.5.1 advertised-routes
Status flags: * - best, I - internal
Origin flags: I - IGP, E - EGP, ! - incomplete
Network Next Hop LocPrf MED AS Path
2.2.2.0/29 5.5.5.2 0 0 65300 !
2.2.2.8/29 5.5.5.2 0 0 65300 !
2.2.2.64/27 5.5.5.2 0 0 65300 !
2.3.0.0/24 5.5.5.2 0 0 65300 !
2.4.0.0/24 5.5.5.2 0 0 65300 !
23.23.23.10/32 5.5.5.2 0 0 65300 !
23.23.23.201/32 5.5.5.2 0 0 65300 !
23.23.23.202/32 5.5.5.2 0 0 65300 !
23.23.23.203/32 5.5.5.2 0 0 65300 !
23.23.23.204/32 5.5.5.2 0 0 65300 !
23.23.23.205/32 5.5.5.2 0 0 65300 !
23.23.23.206/32 5.5.5.2 0 0 65300 !
23.23.23.207/32 5.5.5.2 0 0 65300 !
23.23.23.208/32 5.5.5.2 0 0 65300 !
Added Step with Route Aggregation
As you can see above, the 23.23.23.x addresses are advertised as individual /32s. The routing table on the physical side can be further optimized by advertising a single summary route for this range instead.
Navigate to the BGP configuration and click the global Edit button.
Add the prefix that you want to advertise (here 23.23.23.0/24) with Summary Only set to Yes.
en1> vrf 11
en1(tier0_sr)> get bgp neighbor 5.5.5.1 advertised-routes
Status flags: * - best, I - internal
Origin flags: I - IGP, E - EGP, ! - incomplete
Network Next Hop LocPrf MED AS Path
2.2.2.0/29 5.5.5.2 0 0 65300 !
2.2.2.8/29 5.5.5.2 0 0 65300 !
2.2.2.64/27 5.5.5.2 0 0 65300 !
2.3.0.0/24 5.5.5.2 0 0 65300 !
2.4.0.0/24 5.5.5.2 0 0 65300 !
23.23.23.0/24 5.5.5.2 0 0 65300 !
As you can see, only 23.23.23.0/24 is now advertised out for that range, and the individual /32s are suppressed.
VMware Blogs: https://blogs.vmware.com/customer-experience-and-success/feeds/hammad-alam