Filtering redistribution through route-maps

I recently ran into a case where a customer wanted to be able to monitor their primary and secondary WAN-links in order to determine if they are up. We owned the primary WAN-link, which served the primary router at the site. The secondary link was a DIA running DMVPN across the interwebz.

In order for them to have an IP address that they can ping to verify reachability from the CE router to our PE router, we needed to set up a loopback which was not redistributed into the customer's L3VPN. To allow the loopback to be reachable from the CE but not redistributed into the MPLS core, I specified a route-map on the BGP redistribution command.

In this specific instance the customer and I found a different solution to their problem but I still wanted to test this filtering, so I set it up in my homelab.

Above you can see the setup. Loopback1 is connected and should be redistributed to the route-reflector, while Loopback2 should not be allowed into the VPNv4 route-table. All the configuration will be done on the PE-router here, but this will of course propagate across the VPNv4 network and affect the routes on the RR.

We start by configuring a prefix-list, which will determine which prefixes will be allowed to be redistributed into the VPNv4 table:

ip prefix-list ALLOW_REDISTRIBUTE seq 10 deny 169.254.99.2/32
ip prefix-list ALLOW_REDISTRIBUTE seq 100000000 permit 0.0.0.0/0 le 32

Sequence 10 in this prefix-list will be used to deny the prefix of Loopback2, while sequence 100000000 will allow all prefixes within 0.0.0.0/0 with a prefix length of 32 or less – basically all prefixes. The reason for doing it this way, instead of explicitly allowing only the Loopback1 prefix in the route-map and denying everything else, is that this allows colleagues to create new interfaces and have them be redistributed into the VPNv4 table automatically – less headaches for colleagues = more better. I would also set the description on the loopback interface to indicate that this loopback is special and is not allowed into the customer L3VPN.

Next we need to create our route-map, which in our case, is very simple:

route-map ALLOW_REDISTRIBUTE_RM permit 10
 match ip address prefix-list ALLOW_REDISTRIBUTE

And finally we will need to apply the route-map to the VPNv4 instance:

router bgp 1
 !
 address-family ipv4 vrf 1337
  redistribute connected route-map ALLOW_REDISTRIBUTE_RM

It’s worth noting that if you make changes to the prefix-list, these changes are picked up on their own without re-applying the route-map, but they may take a few seconds to actually take effect.
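To check how the first-match logic of that prefix-list plays out before touching a router, here is an added Python evaluator (my own example, not IOS code and not from the original post): it parses the two configured lines, applies the IOS matching rules (exact length unless ge/le is given, implicit deny when nothing matches) and decides which connected prefixes the route-map's single permit clause would let into the VPNv4 table. Any Loopback1 address used with it is a constructed stand-in, since the post does not give one.

```python
# Added example, not vendor code: IOS style prefix-list evaluation (first match by sequence wins, else implicit deny).
from ipaddress import IPv4Network
from typing import List, NamedTuple, Optional


class PrefixEntry(NamedTuple):
    seq: int
    action: str           # "permit" or "deny"
    network: IPv4Network
    ge: Optional[int]     # minimum prefix length, if given
    le: Optional[int]     # maximum prefix length, if given


def parse_entry(line: str) -> PrefixEntry:
    """Parse 'ip prefix-list NAME seq N permit|deny A.B.C.D/M [ge X] [le Y]'."""
    tok = line.split()
    opts = dict(zip(tok[7::2], map(int, tok[8::2])))  # e.g. {'le': 32}
    return PrefixEntry(int(tok[4]), tok[5], IPv4Network(tok[6]), opts.get("ge"), opts.get("le"))


def entry_matches(entry: PrefixEntry, prefix: IPv4Network) -> bool:
    """Inside the entry's network and within the ge/le length range; with neither ge nor le, only an exact length counts."""
    if not prefix.subnet_of(entry.network):
        return False
    if entry.ge is None and entry.le is None:
        return prefix.prefixlen == entry.network.prefixlen
    lo = entry.ge if entry.ge is not None else entry.network.prefixlen
    hi = entry.le if entry.le is not None else 32
    return lo <= prefix.prefixlen <= hi


def evaluate(entries: List[PrefixEntry], prefix: str) -> str:
    """Return the action of the first matching entry, or 'deny' if none match."""
    net = IPv4Network(prefix)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry_matches(entry, net):
            return entry.action
    return "deny"


ALLOW_REDISTRIBUTE = [parse_entry(line) for line in (  # the post's two config lines
    "ip prefix-list ALLOW_REDISTRIBUTE seq 10 deny 169.254.99.2/32",
    "ip prefix-list ALLOW_REDISTRIBUTE seq 100000000 permit 0.0.0.0/0 le 32",
)]


def redistributed(entries: List[PrefixEntry], connected: List[str]) -> List[str]:
    """Connected prefixes that the route-map's single permit clause lets into BGP."""
    return [p for p in connected if evaluate(entries, p) == "permit"]
```

Dropping the permit-all entry from the list shows the implicit deny at work: every connected prefix, Loopback1 included, would then be kept out of the VPNv4 table.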
