NSX-T BGP Filter

There are three steps to creating BGP filters in NSX-T:

  • Create an IP Prefix for “ANY” and each tenant subnet.
  • Create a IP Route Map
  • Apply the Route Map to the T0 Router Uplink

IP Prefix

An IP prefix list contains a single or multiple IP addresses that are assigned access permissions for route advertisement. If there are multiple IP addresses in this list are processed sequentially. IP prefix lists are referenced through route maps with in or out direction.

For example, you can add the IP address 172.16.10.0/24 to the IP prefix list and deny the route from being redistributed to the northbound router. This means that with the exception of the 172.16.10.0/24 IP address all other IP addresses are going to be shared the router.

You can also append an IP address with less-than-or-equal-to (le) and greater-than-or-equal-to (ge) modifiers to grant or limit route redistribution. For example, 192.168.100.3/27 ge 24 le 30 modifiers match subnet masks greater than or equal to 24-bits and less than or equal to 30-bits in length.

The default action for a route is Deny. When you create a prefix list to deny or permit specific routes, be sure to create an IP prefix with a blank network address and the Permit action if you want to permit all other routes.

Procedure

  • From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
  • Select Routing from the navigation panel.
  • Select the tier-0 logical router.
  • Click the Routing tab and select IP Prefix Lists from the drop-down menu.
  • Select Add.
  • Assign a name for the IP prefix list.
  • Click Insert Row to add a network address in the CIDR format. For example, 192.168.100.3/27.
  • Select Deny or Permit from the drop-down menu. You grant or deny each IP address from being advertised, depending on your requirement.
  • (Optional) Set a range of IP address numbers in the le or ge modifiers.
  • Click Save.
  • The newly created IP prefix list appears in the row.

Route Map

A route map consists of a sequence of IP prefix lists, BGP path attributes, and an associated action. The router scans the sequence for an IP address match. If there is a match, the router performs the action and scans no further.

Route maps can be referenced at the BGP neighbor level and route redistribution. When IP prefix lists are referenced in route maps and the route map action of permitting or denying is applied, the action specified in the route map sequence overrides the specification within the IP prefix list.

Procedure

  • From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
  • Select Routing from the navigation panel.
  • Select the tier-0 logical router.
  • Select Routing > Route Maps.
  • Click Add.
  • Enter a name and an optional description for the route map.
  • Click Add to add an entry in the route map.
  • Select one or more IP prefix lists.
  • (Optional) Set BGP attributes.
    • AS-path Prepend – Prepend a path with one or more AS (autonomous system) numbers to make the path longer and therefore less preferred.
    • MED – Multi-Exit Discriminator indicates to an external peer a preferred path to an AS.
    • Weight – Set a weight to influence path selection. The range is 0 – 65535.
    • Community – Specify a community using the aa:nn format, for example, 300:500. Or use the drop-down menu to select one of the following:
      • NO_EXPORT_SUBCONFED – Do not advertise to EBGP peers.
      • NO_ADVERTISE – Do not advertise to any peer.
      • NO_EXPORT – Do not advertise outside BGP confederation
  • In the Action column, select Permit or Deny. You can permit or deny IP addresses in the IP prefix lists from advertising their addresses.
  • Click Save.

Last step in the process is to apply the route map to the T0 router BGP Neighbour:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.