Route Advertisement rules containing overlapping subnets are not working as expected

Article ID: 409260

Updated On:

Products

VMware NSX

Issue/Introduction

  • Route Advertisement rules are being used at either a T0 or T1 logical router

  • For example, a DENY Route Advertisement rule for 10.0.0.0/8 is in place on a T1

    • An ALLOW Route Advertisement rule is created above the DENY rule for 10.x.x.30/32

  • Checking the T0 routing table, there is no 10.x.x.30/32 route advertised from the T1

Environment

VMware NSX

Cause

This is a known behavior in NSX where the processing order of route advertisement rules is not guaranteed.

The NSX worker component processes these rules on a "first match wins" basis.

Resolution

Workaround:

  • The subnets in the route advertisement rules should not overlap

  • Carve up the larger overlapping DENY rule into smaller, non-overlapping DENY rules in order to control which routes are filtered and which are allowed

  • Alternatively, delete the larger overlapping DENY rule and filter at the T0 or at the physical top-of-rack switch
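
The first two workaround items can be checked and computed offline before the rules are changed. The following is an added example, not VMware code, and it does not call the NSX API: the rule tuples, rule names and the host address 10.20.30.30/32 are constructed for illustration. It lists overlapping rule pairs and carves a DENY prefix into the smaller DENY prefixes that cover everything except the allowed subnets.

```python
import ipaddress

# Constructed sample rules as (name, action, cidr); this is not an NSX data format.
SAMPLE_RULES = [
    ("allow-host", "ALLOW", "10.20.30.30/32"),
    ("deny-10", "DENY", "10.0.0.0/8"),
]

def find_overlaps(rules):
    """Return (name, name) pairs of rules whose subnets overlap."""
    nets = [(name, ipaddress.ip_network(cidr)) for name, _, cidr in rules]
    pairs = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                pairs.append((name_a, name_b))
    return pairs

def carve_deny(deny_cidr, allow_cidrs):
    """Split deny_cidr into prefixes covering it minus every allowed subnet."""
    remaining = [ipaddress.ip_network(deny_cidr)]
    for allow in map(ipaddress.ip_network, allow_cidrs):
        kept = []
        for net in remaining:
            if net.version != allow.version or not net.overlaps(allow):
                kept.append(net)                        # untouched by this ALLOW
            elif allow != net and allow.subnet_of(net):
                kept.extend(net.address_exclude(allow))  # split around the ALLOW
            # otherwise net lies inside the allowed subnet and is dropped
        remaining = kept
    return sorted(remaining)

if __name__ == "__main__":
    print("overlapping rules:", find_overlaps(SAMPLE_RULES))
    allows = [cidr for _, action, cidr in SAMPLE_RULES if action == "ALLOW"]
    carved = carve_deny("10.0.0.0/8", allows)
    print(len(carved), "replacement DENY prefixes:")
    for net in carved:
        print("  DENY", net)
    new_rules = SAMPLE_RULES[:1] + [(f"deny-{n}", "DENY", str(n)) for n in carved]
    print("overlaps after carving:", find_overlaps(new_rules))
```

Excluding a single /32 from a /8 produces one DENY prefix per prefix length from /9 to /32, so the rule count grows with the gap between the two prefix lengths.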