VMware NSX

  • 1.  In route and out route filter

    Posted May 03, 2023 05:04 AM

     

     

    Dear Team,

     

    I've seen in route and out route filters configured in a customer environment. I just wanted to know what exactly this option does and when to select which option. Could someone throw some light on this? wh

     


     

    Thank you in advance

      



  • 2.  RE: In route and out route filter

    Posted May 03, 2023 07:23 AM

    Hi,

    Well, it depends on what you are trying to achieve. I have used out filter to configure AS-Path prepend for advertised routes & in filter for Local-Preference for learned routes.



  • 3.  RE: In route and out route filter

    Posted May 03, 2023 09:30 AM

    Thank you Shahab, could you please explain the same in simple English? Thank you.



  • 4.  RE: In route and out route filter

    Posted May 04, 2023 08:52 AM

    We use these filters for route manipulation. In my case, I wanted to influence incoming & outgoing traffic so that one datacenter would be active & another standby; therefore, I used AS-Path prepend & local preference. There are other use cases as well, for example, when you want to block certain subnets from being advertised to your BGP peer.



  • 5.  RE: In route and out route filter
    Best Answer

    Posted May 06, 2023 04:54 PM

    This should be used in all production deployments involving NSX - at a minimum, it prevents NSX from distributing routes that it shouldn't. NSX is a participating member of a larger network and should abide by the "do no harm" standards that other networking gear does.

    For example, if a user creates a new segment with an IPv4 address of 10.0.0.1/24 and that prefix is used elsewhere, NSX should either intercept the request (this takes a lot of coding) or "contain the damage" by preventing a bogus prefix from propagating to the wider network.

    The same can be done inbound if there's a complex routing configuration, but most aren't. At a minimum, I'd recommend having some kind of "sanity check" implemented here to make NSX more reliable.

    What I describe above is basically a minimum. This feature is incredibly powerful when trying to manipulate traffic flow, and is worth learning overall.

    A fun fact about NSX Edges - they use FRRouting, which requires a prefix-list or route-map to function - so NSX creates an "allow all" entry for you.
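
The outbound "sanity check" described in the thread, sketched as an added example that is not part of the original posts and is not NSX or FRRouting code. It assumes the usual prefix-list semantics (first match wins, ge/le length bounds, implicit deny at the end); the 10.50.0.0/16 allocation and the segment list are constructed sample values.

```python
import ipaddress

# Each entry: (action, network, ge, le); evaluated top-down, first match wins.
# Constructed policy: NSX is assumed to own 10.50.0.0/16 and may advertise
# /24 to /28 segments from it; everything else hits the implicit deny.
OUT_FILTER = [
    ("deny",   "10.50.255.0/24", None, 32),   # reserved block, never advertise
    ("permit", "10.50.0.0/16",   24,   28),
]
ALLOW_ALL = [("permit", "0.0.0.0/0", None, 32)]  # models an "allow all" entry


def entry_matches(route, network, ge, le):
    """Prefix-list match: route lies inside network and its length is in range."""
    net = ipaddress.ip_network(network)
    if route.version != net.version or not route.subnet_of(net):
        return False
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen      # exact match only
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else net.max_prefixlen
    return low <= route.prefixlen <= high


def evaluate(prefix_list, prefix):
    """Return 'permit' or 'deny' for one candidate advertisement."""
    # strict=False accepts a gateway address such as 10.0.0.1/24.
    route = ipaddress.ip_network(prefix, strict=False)
    for action, network, ge, le in prefix_list:
        if entry_matches(route, network, ge, le):
            return action
    return "deny"                                    # implicit deny at the end


def advertised(prefix_list, candidates):
    """Candidates that would pass the out filter and reach the BGP peer."""
    return [p for p in candidates if evaluate(prefix_list, p) == "permit"]


# Constructed segment gateways, including the colliding one from the thread.
SEGMENTS = ["10.50.10.1/24", "10.0.0.1/24", "10.50.255.1/24", "10.50.0.0/16"]

if __name__ == "__main__":
    for seg in SEGMENTS:
        print(f"{seg:16} filtered={evaluate(OUT_FILTER, seg):6} "
              f"allow-all={evaluate(ALLOW_ALL, seg)}")
```

With the allow-all list every segment is advertised, including the colliding 10.0.0.1/24; with the scoped list only the segment inside the assumed allocation leaves the Edge.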