
Route filtering to limit routes injected into forwarding routing instance

08-22-2016 03:04 PM

I have a forwarding-type routing instance set up for traffic going to our Internet-based web filtering service. A policy statement controls the routes that go into that routing instance, which are the routes associated with the two GRE tunnels connected to the web filtering service. I set up an IP monitoring policy that checks to see when the Internet is down; if so, I want it to inject a priority default route into the web filtering routing instance that sends all traffic over our private network to HQ. I got that to work by adding the interface associated with the private network to the policy statement. Doing that also adds all our OSPF routes to the virtual router. I'd like to add the static route and nothing else; however, whenever I limit the policy statement to static routes, not only do all the OSPF routes go away, but the static route injected by the IP monitoring also disappears from the routing table and becomes a hidden route marked unusable. Is there a way to have only the default route injected and nothing else?

Thanks!

mdhtbm

2 REPLIES

Re: Route filtering to limit routes injected into forwarding routing instance

08-22-2016 05:02 PM

Hi,

Are you using rib-groups for the route exchange?

Can you share your configuration for better understanding?

Cheers,

Ashvin


Re: Route filtering to limit routes injected into forwarding routing instance

08-23-2016 02:22 PM

No rib groups, just a policy import statement.

Here is the policy import statement with the static route rule. This results in neither the static route from ip monitoring nor the OSPF routes ending up in the routing table.

policy-statement zScaler-import {
    term allow {
        from {
            instance master;
            interface [ gr-0/0/0.0 gr-0/0/0.1 ];
        }
        then accept;
    }
    term allow-trust {
        from {
            instance master;
            protocol static;
            interface vlan.0;
            inactive: route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
    term reject {
        then reject;
    }
}

If I take out the "protocol static" option I get the ip monitoring route but also all the OSPF routes which I'm trying to avoid.

Here is the IP monitoring policy that should be applying but isn't:

policy internet-failover {
    match {
        rpm-probe internet;
    }
    then {
        preferred-route {
            routing-instances zScaler-vr {
                route 0.0.0.0/0 {
                    next-hop 10.18.255.9;
                    metric 3;
                }
            }
        }
    }
}

Here is what the routing table looks like with the above policy statement:

zScaler-vr.inet.0: 3 destinations, 6 routes (3 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/4] 1d 00:08:22, metric2 0
                    > to 172.17.194.134 via gr-0/0/0.1
                    [Static/5] 1d 00:35:15
                    > to 172.17.194.130 via gr-0/0/0.0
                    [Static/200] 1d 00:35:15
                    > to 172.17.194.134 via gr-0/0/0.1
172.17.194.128/30  *[Direct/0] 1d 00:35:15
                    > via gr-0/0/0.0
172.17.194.132/30  *[Direct/0] 1d 00:35:15
                    > via gr-0/0/0.1

e130326@BMD_AlbuquerqueFW> show route hidden

inet.0: 322 destinations, 323 routes (322 active, 0 holddown, 0 hidden)

public-vr.inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)

zScaler-vr.inet.0: 3 destinations, 6 routes (3 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0           [Static/3] 1d 00:15:18
                      Unusable