In NSX BGP filters work like access lists for route advertisements (prefixes). The NSX BGP filters are prefix lists which work very similarly to firewall access lists. A prefix list contains one or more ordered entries which are processed sequentially. For each prefix entry you can specify inbound or outbound filters to allow certain routes to be advertised to or from the Edge Services Gateway/Distributed Logical Router.
For example you to want to prevent a route for 10.0.0.0/24 from being advertised in BGP from the NSX Edge Services Gateway.
- Select the BGP neighbor you want to filter traffic for.
- Select the direction to indicate whether you are filtering traffic to or from the neighbor.
- Select the action to indicate whether you are allowing or denying traffic.
- Type the network in CIDR format that you want to filter to or from the neighbor.
- Type the IP prefixes that are to be filtered and click OK.
- Click Publish Changes.
The above configuration prevents the 10.0.0.0/24 from being advertised in BGP to that specific neighbor.
In most NSX configurations we want the default route (0.0.0.0/0) to be advertised to the NSX Edge Services Gateway for a Tenant to create access to the Internet. Below is an example how the filter is configured to permit that prefix.
Note that we can also use the IP Prefix GE (greater than or equal to) and IP Prefix LE (less than or equal to) in BGP filters. The previous example allows the exact prefix 0.0.0.0/0. To allow a range of prefixes to be advertised we can use the IP Prefix GE and LE fields.
Without these, an entry will match an exact prefix. For example 192.168.0.0/24. The LE parameter can be included to match all more-specific prefixes within a parent prefix up to a certain length. For example, 10.0.0.0/24 LE 30 will match 10.0.0.0/24 and all prefixes in that prefix with a length of 30 or less.
The IP Prefix GE parameter works similarly to LE but in the opposite direction; it specifies a minimum prefix length whereas LE specifies a maximum length. For example, 10.0.0.0/8 GE 16 will match all prefixes within the 10.0.0.0/8 network that are at least 16 bits in length. The length specified by GE should naturally be longer than the length of the initial prefix as it is impossible to match anything larger than the initial prefix.
A more specif example is that we use the IP Prefix LE and GE in for example: 10.0.0.0/8 GE 16 LE 24 will match all prefixes within the 10.0.0.0/8 network having a mask both greater than or equal to 16 bits, and less than or equal to 24 bits in length. For instance, 10.1.0.0/18 would be matched, because its length is between 16 and 24 (inclusive), but 10.16.0.0/12 or 10.32.1.128/25 would not be matched.
Prefix lists take some getting used to, but are very useful for creating routing policies within NSX configuration once you’ve gotten the hang of them.