I'm working in my lab to test some config for an L3out where I need to restrict the importing of routes received to only routes that are tagged with certain communities. I'd like to have my config double checked to make sure I'm applying my config in the correct locations. Unfortunately, I don't have anything connected to the fabric that I can setup peering with so that I can test the actual operation of these configs. So far I've done the following:
- Created a Match Rule under Policies > Protocol > Match Rules and specified my Match Community Terms
- Created a Route Map for Route Control and referenced the Match Rule created above under Policies > Protocol > Route Maps for Route Control
- Applied the Route map for route control under the BGP Peer as Route Import Policy
Hi @MPT3
We have tested your configuration in the lab and it is working as intended, you will be only allowing prefixes to be installed on the ACI that matches the community number added in the match rule.
Please find below a snapshots from our lab for verifications.
N3K switch:
----------
BGP configuration
router bgp 65001
address-family ipv4 unicast
vrf salhmoud-L3
address-family ipv4 unicast
network 13.0.0.0/24
network 14.0.0.0/24 route-map salhmoud <--------- Here we are setting the community for this specific route
neighbor 10.0.0.2 remote-as 65000
update-source Ethernet1/14
address-family ipv4 unicast
send-community
send-community extended
N3k-2# show route-map salhmoud
route-map salhmoud, permit, sequence 10
Match clauses:
ip address (access-lists): salhmoud
Set clauses:
community 65001:300 <--------------- This is the community number we used
Also we can see the effect under the advertised route on the N3K.
N3k-2# show bgp ipv4 unicast 13.0.0.0/24 detail vrf salhmoud-L3
BGP routing table information for VRF salhmoud-L3, address family IPv4 Unicast
BGP routing table entry for 13.0.0.0/24, version 11
Paths: (1 available, best #1)
Flags: (0x8000002) (high32 00000000) on xmit-list, is not in urib
Advertised path-id 1
Path type: local, path is valid, is best path
AS-Path: NONE, path locally originated
0.0.0.0 (metric 0) from 0.0.0.0 (10.0.0.1)
Origin IGP, MED not set, localpref 100, weight 32768
Path-id 1 advertised to peers:
10.0.0.2
N3k-2# show bgp ipv4 unicast 14.0.0.0/24 detail vrf salhmoud-L3
BGP routing table information for VRF salhmoud-L3, address family IPv4 Unicast
BGP routing table entry for 14.0.0.0/24, version 45
Paths: (1 available, best #1)
Flags: (0x8000002) (high32 00000000) on xmit-list, is not in urib
Advertised path-id 1
Path type: local, path is valid, is best path
AS-Path: NONE, path locally originated
0.0.0.0 (metric 0) from 0.0.0.0 (10.0.0.1)
Origin IGP, MED not set, localpref 100, weight 32768
Community: 65001:300 <------------ BGP is setting the community when advertised
Path-id 1 advertised to peers:
10.0.0.2
======================================================================================================
ACI:
----
We added the community number under the Match Community Term for the Match Rules
Then we applied this rule under Route Maps for Route Control
Lastly we applied this route map under BGP neighbor inside our L3out
You can see the below routes being installed under the Leaf that we used to build the BGP neighborship with.
Leaf3# show ip route vrf Salhmoud-BGP:Salhmoud-BGP-VRF
IP Route Table for VRF "Salhmoud-BGP:Salhmoud-BGP-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
1.1.1.1/32, ubest/mbest: 2/0, attached, direct
*via 1.1.1.1, lo7, [0/0], 02:40:08, local, local
*via 1.1.1.1, lo7, [0/0], 02:40:08, direct
10.0.0.0/30, ubest/mbest: 1/0, attached, direct
*via 10.0.0.2, eth1/6, [0/0], 00:02:08, direct
10.0.0.2/32, ubest/mbest: 1/0, attached
*via 10.0.0.2, eth1/6, [0/0], 00:02:08, local, local
11.0.0.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 10.0.104.65%overlay-1, [1/0], 01:59:31, static
11.0.0.1/32, ubest/mbest: 1/0, attached, pervasive
*via 11.0.0.1, vlan2, [0/0], 01:59:31, local, local
12.0.0.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 10.0.104.65%overlay-1, [1/0], 02:24:16, static
12.0.0.1/32, ubest/mbest: 1/0, attached, pervasive
*via 12.0.0.1, vlan2, [0/0], 02:26:29, local, local
14.0.0.0/24, ubest/mbest: 1/0 <-------------- The only route installed via BGP (Matches our community number)
*via 10.0.0.1%Salhmoud-BGP:Salhmoud-BGP-VRF, [20/0], 00:01:54, bgp-65000, external, tag 65001
I hope you find this helpful for your configuration in the live environment, please feel free to reach out for any further questions.
