BGP Route Filtering in NSX-T

In last post of my NSX-T 3.0 series, I briefly talked about Route Re-Distribution feature. In this post I will try to explain it in more detail. We will learn when this feature should be used and when not.

If you have missed my NSX-T 3.0 series, here are the links to the same:

1: NSX-T Management & Control Plane Setup

2: Uplink Profiles in NSX-T

3: Transport Zones & Transport Node Profiles

4: NSX-T Data Plane Setup

5: Configure Logical Routing in NSX-T

Let’s get started.

When a Tier-1 GW is attached to a Tier-0 GW, a router link between the 2 gateways is created automatically. You can consider this link as transit segment which connects T1 GW with T0.

Default address space that get assigned on this transit subnet is 100.64.0.0/16. Router ports on T0 & T1 get IP address 100.64.0.0/31 & 100.64.0.1/31 respectively.

 

A tier-0 gateway in active-active mode supports inter-SR (service router) iBGP. In active-active mode, the SR components form an internal connection between each other over a pre-defined NSX managed subnet 169.254.0.128/25. Since these subnets are directly connected to Tier-0, these will be redistributed to upstream router if we have Route Re-distribution configured and connected subnets selected.

Advertising such subnets doesn’t makes sense in a multi-tenant environment where multiple T1 GW are connected to T0. To filter such subnets, we can make use of IP Prefix lists. Prefix list can be used when defining BGP filters (In & Out).

Lets dive into lab and create a prefix list and deny propagating system generated subnets to upstream router. 

Edit settings of T0 gateway and expand routing section

Click on number beside IP Prefix Lists to launch Set Prefix List wizard.

Click on Add IP Prefix List button.

Provide a name for the prefix list and click on Set to add the subnets/action.

In Set Prefixes wizard, click on Add Prefix to specify the subnet and action associated with that subnet. 

Important: Once you have added all those subnets which you don’t want to advertise to upstream router, add a permit any rule to allow rest of the subnets, otherwise none of the segments will be advertised as default action is deny.

Click on Apply button to finish set prefix wizard.

Click on Save & Close button to complete the process.

Now we will add this prefix list in BGP configuration to stop T0 from advertising the defined subnets to upstream router.

Expand BGP section and click on number beside BGP Neighbors. 

Edit settings of the BGP neighbor.

Under neighbor configuration, click on Route Filter.

Click on Configure Out Filter.

Select the Prefix list which you created earlier and click on save.

Now if you check routing table on upstream router, you will not see filtered transit subnets.

BGP route filtering can be really helpful if you have mix workloads running in NSX-T environment. For e.g you can restrict dev/test subnets from advertising to upstream routers as you might need to reach to outside world from test/dev machines.

And that’s it for this post. 

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing 🙂

Leave a ReplyCancel reply