SD-WAN Static Route Filtering

andre.ortega
Hello there,

I'd like to filter a specific static route (service side). This route should be announced only for a site and not to all others.

How could I do that?

I am using cEdges in vManage mode.

Regards.


Hi,

As I understand, you have one branch router where the static route is written, but you want only one of the other sites (not all) to get this route, yes? If yes, then you can do a centralized control plane policy so that the vSmart(s) may only advertise that route to the specific remote branch, not all.

Since OMP is running only between routers and vSmart (not between routers), you can enforce filtering/change only on vSmart.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Hi Kanan,
Yes, you understood. And I know that we could (theoretically) use the centralized policy, however I don't know how to do that.
Could you tell me what option to use? The steps?

When we want to filter routes from a routing protocol we have to use a route template (OSPF/EIGRP) and point the policy filter (localized), but I don't see how to do that for a static route.

Hi,

Even if there were a localized policy for static routes, you still couldn't achieve that. By localized policy you may filter for all or allow for all from the router's point of view. Because the router has only one peer, which is vSmart, you should allow the route to be advertised if one of the remote routers should reach each.

Now, let's return to the answer. Yes, you can use a centralized control policy:

Configuration>Policies>Centralized Policy>(Look right top of section)

Custom Options(centralized policy)>Lists>Prefix>New Prefix List>(define prefix X for network you want filter)

Custom Options(centralized policy)>Lists>Prefix>Site List>(define site list Y which includes sites where you don't want to send prefix X)

Custom Options(centralized policy)>Topology>Custom Control(define name Z)>Sequence Type>Route>Sequence Rule>Match Prefix List(prefix X defined before)> Action reject> Default Action>Accept

Configuration>Policies>Centralized Policy>Add Policy> (skip section group of interest, we already defined them >list X,Y)>

Next>

Topology>Import Existing Topology>Custom Topology> (choose policy with above defined name Z)&Import>

Next>(skip section Configure Traffic Rules, this is for central data policy, not control policy)>

Next>

Give Policy Name>Policy Application>(under policy named Z) New Site List>(Choose site list Y with outbound direction)

Note that X, Y, Z are arbitrary names; I just tried to make the config more understandable and hierarchical.

PrefixList X and SiteList Y are, in general, named "lists", which are used in policy to define objects.

Policy (here topology policy) Z is like a route map in a legacy network.

Policy Application is the actually applied/active policy. Think of it like applying policy (Z) in OMP for sites (Y) in the outbound direction.

In two words, we defined prefix list X, which matches the route(s) to filter. We created policy Z that denies (action: reject) prefix list X (routes matched by it). We activated/applied the policy by policy application, choosing Z as the policy and applying it to the sites defined by site list Y in the outbound direction.

Regards,


HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
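
The policy built by the steps in the answer above, written out in the CLI form that the vSmart receives (an added example, not part of the original thread). X, Y and Z are the answer's names, the `out` direction follows the answer as written, and the prefix 10.10.10.0/24 and site-id 200 are constructed placeholders.

```text
! Constructed values: 10.10.10.0/24 and site-id 200 are placeholders.
! X = prefix list to filter, Y = sites that must NOT receive it, Z = control policy.
policy
 lists
  prefix-list X
   ip-prefix 10.10.10.0/24
  !
  site-list Y
   site-id 200
  !
 !
 control-policy Z
  sequence 1
   match route
    prefix-list X
   !
   action reject
   !
  !
  default-action accept
 !
!
! Policy application: Z is enforced on OMP updates for the sites in Y.
apply-policy
 site-list Y
  control-policy Z out
 !
!
```

After activation, `show sdwan omp routes` on a cEdge in site list Y is the place to confirm the prefix is no longer received, and the same command on a site outside Y confirms it is still advertised there.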

Thanks Kanan, I understood your explanation and it helped a lot.
Actually I have already created the policy, and it looks exactly how you described.
I am just waiting for the maintenance window to apply.
One more time, thanks.

Just one thing about localized policy: I was thinking about filtering the incoming update based on prefix.

I could apply this policy on specific sites and reject specific prefixes. Do you believe it is possible? Would you have an example?

PS: The problem is solved, now it is just curiosity.

You may do it by localized control policy on the service side. Actually, there is no OMP config/policy in localized policy; you still get all routes advertised by vSmart. However, you may do a route policy (exactly the route map we use in redistribute statements) and do filtering while redistributing routes from OMP to OSPF/BGP.

Just FYI regarding centralized policy: you may do only one inbound and one outbound central policy for site(s). So, your central policy must be designed so that you may easily change (add and/or delete) something when you want.

Example: you have two independent topologies, topology A (change prefix C) and B (change prefix D). You can't apply both topologies in the outbound (or inbound) direction for the same site (even if you have different site lists, but both cover the same site). vSmart rejects such a policy.

Regards,

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

This is a very good post. Thank you for that. I've got it working using your instruction. Only one small correction, the rule has to be inbound and not outbound.