Contributor
Posts: 10
Registered: ‎12-20-2013
0 Kudos

Route filtering to limit routes injected into forwarding routing instance

I have a forwarding type routing instance set up for traffic going to our Internet based web filtering service. A policy statement controls the routes that go into that routing instance which are the routes associated with the two GRE tunnels connected to the web filtering service. I set up an ip monitoring policy that checks to see when the Internet is down, if so, I want it to inject a priority default route into the web filtering routing instance that sends all traffic over our private network to HQ. I got that to work by adding the interface associated with the private network to the policy statement. Doing that also adds all our OSPF routes to the virtual router. I'd like to add the static route and nothing else; however, whenever I limit the policy statement to static routes not only do all the OSPF routes go away but the static route injected by the IP monitoring also disappears from the routing table and becomes a hidden route marked unusable. Is there a way to have only the default route injected and nothing else?

 

Thanks!

mdhtbm

 

Distinguished Expert
Posts: 554
Registered: ‎08-15-2012
0 Kudos

Re: Route filtering to limit routes injected into forwarding routing instance

Hi,

Are you using rib-groups for the route exchange?

Can you share your configuration for better understanding?

 

Cheers,

Ashvin

Contributor
Posts: 10
Registered: ‎12-20-2013
0 Kudos

Re: Route filtering to limit routes injected into forwarding routing instance

No rib groups, just a policy import statement.

 

Here is the policy import statement with the static route rule. This results in neither the static route from ip monitoring nor the OSPF routes ending up in the routing table.

 

    policy-statement zScaler-import {
        term allow {
            from {
                instance master;
                interface [ gr-0/0/0.0 gr-0/0/0.1 ];
            }
            then accept;
        }
        term allow-trust {
            from {
                instance master;
                protocol static;
                interface vlan.0;
                inactive: route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term reject {
            then reject;
        }
    }

If I take out the "protocol static" option I get the ip monitoring route but also all the OSPF routes which I'm trying to avoid.

 

Here is the IP monitoring policy that should be applying but isn't:

    policy internet-failover {
        match {
            rpm-probe internet;
        }
        then {
            preferred-route {
                routing-instances zScaler-vr {
                    route 0.0.0.0/0 {
                        next-hop 10.18.255.9;
                        metric 3;
                    }
                }
            }
        }
    }

Here is what the routing table looks like with the above policy statement:

 

    zScaler-vr.inet.0: 3 destinations, 6 routes (3 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/4] 1d 00:08:22, metric2 0
                        > to 172.17.194.134 via gr-0/0/0.1
                        [Static/5] 1d 00:35:15
                        > to 172.17.194.130 via gr-0/0/0.0
                        [Static/200] 1d 00:35:15
                        > to 172.17.194.134 via gr-0/0/0.1
    172.17.194.128/30  *[Direct/0] 1d 00:35:15
                        > via gr-0/0/0.0
    172.17.194.132/30  *[Direct/0] 1d 00:35:15
                        > via gr-0/0/0.1

 

    e130326@BMD_AlbuquerqueFW> show route hidden

    inet.0: 322 destinations, 323 routes (322 active, 0 holddown, 0 hidden)

    public-vr.inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)

    zScaler-vr.inet.0: 3 destinations, 6 routes (3 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0           [Static/3] 1d 00:15:18
                        Unusable
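
A monitoring check for the condition shown in the output above, as an added example that is not part of the original thread: it parses `show route hidden` text and reports, per routing table, the hidden count and any entries marked Unusable, so a failover default that is present but not forwarding can be alerted on. The function names `parse_hidden` and `has_unusable` are hypothetical, the sample text is constructed from the output format in the post, and only IPv4 prefixes are handled.

```python
import re

# Constructed sample, following the `show route hidden` format shown in the thread.
SAMPLE = """\
inet.0: 322 destinations, 323 routes (322 active, 0 holddown, 0 hidden)

public-vr.inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)

zScaler-vr.inet.0: 3 destinations, 6 routes (3 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 [Static/3] 1d 00:15:18
Unusable
"""

TABLE_RE = re.compile(r"^(\S+): (\d+) destinations, (\d+) routes "
                      r"\((\d+) active, (\d+) holddown, (\d+) hidden\)$")
# The prefix is optional: further entries for the same prefix omit it.
ROUTE_RE = re.compile(r"^(?:(\d+\.\d+\.\d+\.\d+/\d+)\s+)?\*?\[(\w+)/(\d+)\]")

def parse_hidden(text):
    """Return {table: {"hidden": n, "unusable": [(prefix, proto, pref), ...]}}."""
    tables, current, prefix, entry = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = TABLE_RE.match(line)
        if m:
            current = tables.setdefault(
                m.group(1), {"hidden": int(m.group(6)), "unusable": []})
            prefix = entry = None
            continue
        m = ROUTE_RE.match(line)
        if m and current is not None:
            prefix = m.group(1) or prefix        # carry prefix onto continuation lines
            entry = (prefix, m.group(2), int(m.group(3)))
        elif line == "Unusable" and entry and current is not None:
            current["unusable"].append(entry)    # flag belongs to the entry just above
    return tables

def has_unusable(text, table, prefix="0.0.0.0/0"):
    """True when `prefix` has a hidden entry marked Unusable in `table`."""
    info = parse_hidden(text).get(table, {"unusable": []})
    return any(p == prefix for p, _, _ in info["unusable"])

if __name__ == "__main__":
    for name, info in parse_hidden(SAMPLE).items():
        print(name, info)
    print("default unusable in zScaler-vr:", has_unusable(SAMPLE, "zScaler-vr.inet.0"))
```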