SD-WAN

Thank you so much Joe Sofia ! This makes a lot of sense.

Hi Justin. Below is an example of filtering routes advertised to our aggregation layer switch. I am only allowing the test subnet of 10.13.13.0/24 to be advertised from 128T inbound by the policy ""allow-test-prefix-only-to-agg"":

config authority routing policy allow-test-prefix-only-to-agg name    allow-test-prefix-only-to-agg

config authority routing policy allow-test-prefix-only-to-agg statement allow-10-13-13-0-24 name    allow-10-13-13-0-24

config authority routing policy allow-test-prefix-only-to-agg statement allow-10-13-13-0-24 condition address-prefix-filter-condition type      address-prefix-filter-condition

config authority routing policy allow-test-prefix-only-to-agg statement allow-10-13-13-0-24 condition address-prefix-filter-condition prefix-filter inet-lab-headend-to-agg

config authority routing policy allow-test-prefix-only-to-agg statement deny-all-else name  deny-all-else

config authority routing policy allow-test-prefix-only-to-agg statement deny-all-else policy reject

config authority router inet-lab-headend routing default-instance routing-protocol bgp description       ""Enable BGP on this Router""

config authority router inet-lab-headend routing default-instance routing-protocol bgp type           bgp

config authority router inet-lab-headend routing default-instance routing-protocol bgp local-as         65242

config authority router inet-lab-headend routing default-instance routing-protocol bgp route-selection-options external-compare-router-id false

config authority router inet-lab-headend routing default-instance routing-protocol bgp neighbor 10.254.245.89 neighbor-address      10.254.245.89

config authority router inet-lab-headend routing default-instance routing-protocol bgp neighbor 10.254.245.89 neighbor-as        65007

config authority router inet-lab-headend routing default-instance routing-protocol bgp neighbor 10.254.245.89 description        ""Paychex Aggregation Switch 1""

config authority router inet-lab-headend routing default-instance routing-protocol bgp neighbor 10.254.245.89 outbound-policy-advertise true

config authority router inet-lab-headend routing default-instance routing-protocol bgp neighbor 10.254.245.89 neighbor-policy outbound-policy-advertise true

config authority router inet-lab-headend routing default-instance routing-protocol bgp neighbor 10.254.245.89 neighbor-policy outbound-policy-transit  true

config authority router inet-lab-headend routing default-instance routing-protocol bgp neighbor 10.254.245.89 neighbor-policy outbound-policy      allow-test-prefix-only-to-agg

config authority router inet-lab-headend routing default-instance routing-protocol bgp neighbor 10.254.245.89 address-family ipv4-unicast afi-safi ipv4-unicast

config authority router inet-lab-headend routing default-instance routing-protocol bgp redistribute service protocol service

Hope this helps!!

I am currently testing this functionality. We are a dual carrier MPLS shop and we are testing 128T for our headend and branch router use. I need to filter out certain IP's so peering only forms on the respective carrier's node within the router. Each node within the router is handling a carrier link. This ensures paths are formed only over the WAN links each node is responsible for. I have a test lab set up that mimics dual carriers and a set of HA routers; 1 HA Pair emulating the branch and 1 emulating the headend. I'm using the new route map functionality that is in 3.2.2 to test the filtering of certain routes.

##Here's my filter and policy config:

config authority routing filter test-bgp-filter1 type prefix-filter

config authority routing filter test-bgp-filter1 name test-bgp-filter1

config authority routing filter test-bgp-filter1 rule deny-10-13-250-0-in name  deny-10-13-250-0-in

config authority routing filter test-bgp-filter1 rule deny-10-13-250-0-in filter accept

config authority routing filter test-bgp-filter1 rule deny-10-13-250-0-in prefix 10.13.250.0/30

config authority routing policy test-policy name    test-policy

config authority routing policy test-policy statement block-carrier-ip name    block-carrier-ip

config authority routing policy test-policy statement block-carrier-ip policy   reject

config authority routing policy test-policy statement block-carrier-ip condition address-prefix-filter-condition type      address-prefix-filter-condition

config authority routing policy test-policy statement block-carrier-ip condition address-prefix-filter-condition prefix-filter test-bgp-filter1

config authority routing policy test-policy statement accept-rest name accept-rest

#[#]? this is my BGP config

config authority router us6645ny_lab_headendrtr routing default-instance type       default-instance

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp type      bgp

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp local-as    65501

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp address-family ipv4-unicast afi-safi ipv4-unicast

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp neighbor 10.13.250.13 neighbor-address 10.13.250.13

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp neighbor 10.13.250.13 neighbor-as    65400

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp neighbor 10.13.250.13 local-as     65501

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp neighbor 10.13.250.13 description    ""carrier 1""

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp neighbor 10.13.250.13 address-family ipv4-unicast afi-safi   ipv4-unicast

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp neighbor 10.13.250.13 address-family ipv4-unicast prefix-limit max-prefixes 3000

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp neighbor 10.13.250.9 neighbor-address 10.13.250.9

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp neighbor 10.13.250.9 neighbor-as    65300

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp neighbor 10.13.250.9 local-as     65501

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp neighbor 10.13.250.9 neighbor-policy inbound-policy test-policy

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp neighbor 10.13.250.9 address-family ipv4-unicast afi-safi   ipv4-unicast

config authority router us6645ny_lab_headendrtr routing default-instance routing-protocol bgp neighbor 10.13.250.9 address-family ipv4-unicast prefix-limit max-prefixes 3000

So far things are working as expected.

Joe Sofia Thank you so much for the example using route-maps. It is really helpful as I am testing out using route-maps as well.

Would you happen to have any other examples you can show off?