OSPF Route Filtering NX-OS

We have a typical design with Nexus 7K Border-Leaf switches, a pair of NSX Edge Gateways enabled for Equal-Cost Multi-Path (ECMP), and finally the Logical Router, which is also enabled for ECMP.

The issue I needed to resolve recently at a customer was to remove 0.0.0.0/0 from the OSPF routing table of the Border Leaf Cisco Nexus 7706s. This was being redistributed improperly by the NSX Edge Services Gateway (ESG).

You see, even if we do not enable default originate, we still get 0.0.0.0/0 because we told the ESGs to redistribute static and connected. In the NSX Edge, when we select redistribute static, the default route is advertised to the N7Ks and the DLR.

Note: Redistribute Static is required to properly enable ECMP, as we need all Edge devices to provide a default route to the Distributed Logical Router (DLR).

We attempted several methods before we found the golden ticket: table-map.

Table Map

A table map is a unique feature of NX-OS that allows the network administrator to filter routes, or selectively modify the distance of routes, before they are sent to the routing information base (RIB). The table map uses a route map to select routes based on a wide variety of parameters: metrics, level, type, next hop, outgoing interface, etc.

We used the following set of commands to set up filtering:

!
! Prefixes allowed into the RIB (each entry matches that exact prefix only)
ip prefix-list nsx-routes seq 10 permit 10.0.100.0/24
ip prefix-list nsx-routes seq 20 permit 10.0.101.0/24
ip prefix-list nsx-routes seq 30 permit 10.0.102.0/24
ip prefix-list nsx-routes seq 40 permit 10.0.99.240/28
!
! Anything not matched, including 0.0.0.0/0, hits the route map's implicit deny
route-map ospf-in permit 10
  match ip address prefix-list nsx-routes
!
router ospf 1
  table-map ospf-in filter

Now we check on the Nexus and voilà, we have it!
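
As an added example (not part of the original post), this Python sketch evaluates the nsx-routes prefix list the way the table map applies it, showing why 0.0.0.0/0 and any prefix that is not an exact match stay out of the RIB. The candidate routes are constructed for illustration, and the ge/le handling goes beyond the exact-match entries used on this page.

```python
import ipaddress
import re

# Prefix-list lines copied from the configuration above.
CONFIG = """\
ip prefix-list nsx-routes seq 10 permit 10.0.100.0/24
ip prefix-list nsx-routes seq 20 permit 10.0.101.0/24
ip prefix-list nsx-routes seq 30 permit 10.0.102.0/24
ip prefix-list nsx-routes seq 40 permit 10.0.99.240/28
"""

ENTRY = re.compile(r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)"
                   r"(?: ge (\d+))?(?: le (\d+))?")

def parse_prefix_list(config, name):
    """Return the named list's entries as (seq, action, net, lo, hi), ordered by seq."""
    entries = []
    for m in ENTRY.finditer(config):
        if m.group(1) != name:
            continue
        net = ipaddress.ip_network(m.group(4))
        ge, le = m.group(5), m.group(6)
        # Without ge/le an entry matches that exact prefix length only.
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (net.max_prefixlen if ge else net.prefixlen)
        entries.append((int(m.group(2)), m.group(3), net, lo, hi))
    return sorted(entries, key=lambda e: e[0])

def installed_in_rib(route, entries):
    """True if the single 'permit 10' route map would let this route into the RIB."""
    r = ipaddress.ip_network(route)
    for _seq, action, net, lo, hi in entries:
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action == "permit"   # first matching entry decides
    return False                        # implicit deny: no match, not installed

def audit(routes, config=CONFIG, name="nsx-routes"):
    """Map each candidate route to whether the table map installs it."""
    entries = parse_prefix_list(config, name)
    return {r: installed_in_rib(r, entries) for r in routes}

if __name__ == "__main__":
    # Constructed sample of routes OSPF might compute; not taken from the page.
    sample = ["0.0.0.0/0", "10.0.100.0/24", "10.0.100.128/25",
              "10.0.99.240/28", "10.0.103.0/24"]
    for route, ok in audit(sample).items():
        print(f"{route:18} {'installed' if ok else 'filtered'}")
```

The table map filters only what OSPF hands to the RIB; the LSA carrying the default route is still present in the OSPF link-state database.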

1 Comment

  • Hi,
    Were you by any chance able to deny routing of 0.0.0.0/0 on the NSX edge and not the Nexus device? We have the same setup, but instead of Nexus switches on the other end, we have another NSX Edge that is receiving the default route via OSPF.
    Shouldn’t it be possible by denying the prefix of 0.0.0.0/0 in the OSPF Redistribution menu?
