I am going to create a Topology Policy separately to achieve a route filtering requirement.
This post is another example of Topology Policies, just like the one I did for Traffic Manipulation using TLOCs. Following is the topology for the lab. Following is the requirement of this lab.
Filter all 10.x.x.x routes from OMP routes. Site LAN switches should not know the inter-link subnets.
First let's see the routing table of one site.
Yes, it seems there are unwanted inter-link routes (10.x.x.x) which are learned via OSPF from the vEdges, which originally came from OMP.
Now navigate to Policy Configuration page to create a new policy.
Click on Add Policy.
For this one I am creating new Groups of Interest: a Site List which contains all the site IDs from 1 to 3, and a Prefix List. This can be done directly via the Custom Options button on the right side of the Policy Configuration page and selecting Lists under Centralized Policy.
Add Topology and select Custom Control (Route & TLOC).
Hit + Sequence Type and select Route.
Hit + Sequence Rule.
The Match condition should be the created Site List "ALL-SITES", and another Match statement should be there under the same sequence for the Prefix List "InterLinks".
The Set condition should set the Action to Reject and Enabled.
Also don't forget to set the Default Action under the Sequence to Accept and Enabled; otherwise all other routes will be dropped.
Now hit Next. No need to create Traffic rules as this is only a Topology Policy.
Now go to the Policy Application, there you will do the following configuration under CONTROL2 which is the Topology Policy name added to this Policy.
Only the Outbound Site List should be selected, and it should be "ALL-SITES".
Now all done. Save the Policy and Activate it, and let's check the routing tables.
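For reference, here is the vSmart CLI equivalent of what the GUI steps above build (an added example, not taken from the original post or from vManage's generated output). The prefix-list entry 10.0.0.0/8 le 32 is an assumption for "all 10.x.x.x routes"; the list and policy names follow the post.

```cisco
policy
 lists
  site-list ALL-SITES
   site-id 1-3
  !
  prefix-list InterLinks
   ! assumed: matches every 10.x.x.x prefix of any length
   ip-prefix 10.0.0.0/8 le 32
  !
 !
 control-policy CONTROL2
  sequence 1
   match route
    site-list ALL-SITES
    prefix-list InterLinks
   !
   ! inter-link subnets are dropped from OMP advertisements
   action reject
   !
  !
  ! without this line every non-matching route is rejected too
  default-action accept
 !
!
apply-policy
 site-list ALL-SITES
  ! outbound only, as selected in Policy Application
  control-policy CONTROL2 out
 !
!
```

A quick check after activation is `show omp routes` on a vEdge: the 10.x.x.x inter-link prefixes should be gone while the site LAN prefixes remain.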
Now, will it be able to ping the Site-2 LAN?
Important Note:
I created this as a separate new Centralized Policy because I could not attach it to the previous one. The reason is that, while applying this Topology Policy, it conflicts with the previous Topology Policy because of the Sites of Application. You cannot apply 2 Topologies in one Centralized Policy if the Applied Sites overlap. My previous Policy's applied Site was Site-3, which is included in my new All-Sites Site List.