VMware Networking Community
MrVmware9423
Expert

In route and out route filter

Dear Team,

I've seen In route and out route filters configured in a customer environment. I just wanted to know what exactly this option does, and also need to know when to select which option. Could someone throw some light on this?


Thank you in advance

Accepted Solutions
engyak
Enthusiast

This should be used in all production deployments involving NSX - at a minimum, it prevents NSX from distributing routes that it shouldn't. NSX is a participating member of a larger network and should abide by the "do no harm" standards that other networking gear does.

For example, if a user creates a new segment with an IPv4 address of 10.0.0.1/24 and that prefix is used elsewhere, NSX should either intercept the request (this takes a lot of coding) or "contain the damage" by preventing a bogus prefix from propagating to the wider network.

The same can be done inbound if there's a complex routing configuration, but most aren't. At a minimum, I'd recommend having some kind of "sanity check" implemented here to make NSX more reliable.

What I describe above is basically a minimum. This feature is incredibly powerful when trying to manipulate traffic flow, and is worth learning overall.

A fun fact about NSX Edges - they use FRRouting, which requires a prefix-list or route-map to function - so NSX creates an "allow all" entry for you.
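
The outbound "contain the damage" filter described in the answer above, modelled as an added example that is not part of the original post and is not NSX or FRRouting code. It evaluates FRR-style prefix-list entries (lowest sequence first, first match wins, implicit deny at the end); the 172.16.0.0/16 allocation, the segment list and all names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str
    ge: Optional[int] = None    # minimum prefix length
    le: Optional[int] = None    # maximum prefix length

    def matches(self, route) -> bool:
        net = ipaddress.ip_network(self.prefix)
        if route.version != net.version or not route.subnet_of(net):
            return False
        if self.ge is None and self.le is None:
            return route.prefixlen == net.prefixlen   # exact match only
        lo = self.ge if self.ge is not None else net.prefixlen
        hi = self.le if self.le is not None else net.max_prefixlen
        return lo <= route.prefixlen <= hi

def evaluate(prefix_list, route: str) -> str:
    # strict=False turns a gateway address such as 10.0.0.1/24 into 10.0.0.0/24
    net = ipaddress.ip_network(route, strict=False)
    for entry in sorted(prefix_list, key=lambda e: e.seq):
        if entry.matches(net):
            return entry.action
    return "deny"               # implicit deny when nothing matches

def advertised(prefix_list, routes):
    return [r for r in routes if evaluate(prefix_list, r) == "permit"]

# The "allow all" behaviour: every IPv4 prefix of any length is permitted.
ALLOW_ALL = [Entry(10, "permit", "0.0.0.0/0", le=32)]

# Constructed out filter: only /24 segments inside the block assigned to
# this NSX environment (assumed to be 172.16.0.0/16) leave the edge.
OUT_FILTER = [
    Entry(10, "deny", "0.0.0.0/0"),                      # never send a default route
    Entry(20, "permit", "172.16.0.0/16", ge=24, le=24),
]

# Constructed segments; the last one reuses a prefix owned elsewhere.
SEGMENTS = ["172.16.10.1/24", "172.16.20.1/24", "10.0.0.1/24"]

if __name__ == "__main__":
    print("allow all :", advertised(ALLOW_ALL, SEGMENTS))
    print("out filter:", advertised(OUT_FILTER, SEGMENTS))
```

With the allow-all list the overlapping 10.0.0.1/24 segment is advertised; with the out filter it falls through to the implicit deny and never reaches the BGP peer.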


4 Replies
ShahabKhan
VMware Employee

Hi,

Well, it depends on what you are trying to achieve. I have used the out filter to configure AS-Path prepend for advertised routes and the in filter for Local-Preference for learned routes.

MrVmware9423
Expert

Thank you Shahab, could you please explain the same in simple English? Thank you.

ShahabKhan
VMware Employee

We use these filters for route manipulation. In my case, I wanted to influence incoming and outgoing traffic so that one datacenter would be active and the other standby; therefore, I used AS-Path prepend and local preference. There are other use cases as well; for example, you may want to block certain subnets from being advertised to your BGP peer.
