This document describes how to exclude unwanted routes from being redistributed into Overlay Management Protocol (OMP).
Cisco recommends knowledge of these topics:
Cisco Software-Defined Wide Area Network (SD-WAN)
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
By default, Connected, Static, OSPF Inter Area as well as OSPF Intra Area routes are redistributed into OMP.
In this use case, you do not want to redistribute one of the connected routes in vrf 1. By default, all connected routes are redistributed into OMP; this use case helps filter a particular connected prefix.
1. Localized policy
Create a new Prefix list under custom options of Localized policy: The prefix list is required to know which route needs to be redistributed.
Create a route policy and apply it towards the localized policy: Match the prefix list created earlier and set the action as Accept. The route policy is translated into a route-map once it is pushed to the WAN Edge device.
Default action must be Reject, since only the prefix that was created earlier needs to be redistributed.
Preview: This is how the configuration looks once the localized policy is created.
2. Use CLI Add-On Template.
Create a CLI Add-On template to map the route-map created earlier under OMP, since there is no option to map it under the OMP feature template.
Attach the created localized policy and CLI Add-On Template to Device Template.
1. In this use case, you want to redistribute an OSPF Internal route and not an OSPF External route. By default, OSPF Internal routes are redistributed into OMP; this use case helps filter a particular OSPF prefix.
To redistribute only OSPF Internal routes on vrf 1 into OMP, subject the redistribution to a route-map, and define a route-map which matches on type OSPF internal. Route-map configuration is done via the CLI Add-On template.
Attach the CLI Add-On Template to the Device Template.
2. In this use case, you want to redistribute an OSPF External route and not an OSPF Internal route. By default, OSPF External routes are not redistributed into OMP; this use case helps filter a particular OSPF prefix.
To redistribute only OSPF External routes on vrf 1 into OMP, subject the redistribution to a route-map, and define a route-map which matches on type OSPF external. Route-map configuration is done via the CLI Add-On template.
Attach the CLI Add-On Template to the Device Template.
1. In this use case, you want a specific route 192.168.50.2/32 not to be received on two destination sites with Site ID 10 and 100.
Create a site list under custom options of Centralized Policy: The site list is needed to know on which sites the route must not be received.
Create a new Prefix list under custom options of Centralized policy: The prefix list is required to know which route does not need to be received.
Create a topology under custom options of centralized policy with custom control (Route & TLOC).
Create a route policy and apply it towards the centralized policy: Match the prefix list created earlier and set the action as Reject.
Default action must be Accept since only one route is not supposed to be received.
This policy must be applied outbound for the given destination sites, since the direction is from the vSmart perspective.
Preview: This is how the configuration looks once centralized policy is created.
2. The same use case can also be achieved if the control policy is applied inbound towards vSmart from source site 40.
Create a site list under custom options of Centralized Policy: The site list is needed to know which site must not advertise the route.
You just need to change the direction and update the site list while you apply the policy.
Preview: This is how the configuration looks once centralized policy is created.
Localized policy + CLI Add on Template:
Per default behavior, all connected routes are redistributed to OMP (Focus on 192.168.40.2).
cEdge_Site40#show sdwan omp routes
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 10.10.10.2 123 1004 C,I,R installed 10.10.10.60 biz-internet ipsec -
1 172.20.0.0/24 10.10.10.2 124 1003 C,I,R installed 10.10.10.65 biz-internet ipsec -
1 192.168.40.2/32 0.0.0.0 68 1004 C,Red,R installed 10.10.10.40 biz-internet ipsec -
1 192.168.50.2/32 0.0.0.0 68 1004 C,Red,R installed 10.10.10.40 biz-internet ipsec -
cEdge_Site40#
Connected routes are in RIB.
cEdge_Site40#show ip route vrf 1
Routing Table: 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.10.10.60 to network 0.0.0.0
m* 0.0.0.0/0 [251/0] via 10.10.10.60, 20:25:46, Sdwan-system-intf
172.20.0.0/24 is subnetted, 1 subnets
m 172.20.0.0 [251/0] via 10.10.10.65, 20:25:46, Sdwan-system-intf
192.168.40.0/32 is subnetted, 1 subnets
C 192.168.40.2 is directly connected, Loopback1
192.168.50.0/32 is subnetted, 1 subnets
C 192.168.50.2 is directly connected, Loopback2
cEdge_Site40#
With the show ip protocols vrf 1 command, you can check which routes are redistributed into OMP by default.
cEdge_Site40#show ip protocols vrf 1
*** IP Routing is NSF aware ***
Routing Protocol is "omp"
Sending updates every 0 seconds
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: connected, static, nat-route
ospf 1 (internal)
Maximum path: 32
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 251)
cEdge_Site40#
Here, 192.168.40.2 is not redistributed to OMP after the device template is pushed successfully, since only 192.168.50.2 is allowed as part of the localized policy.
cEdge_Site40#show sdwan omp routes
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 10.10.10.2 123 1004 C,I,R installed 10.10.10.60 biz-internet ipsec -
1 172.20.0.0/24 10.10.10.2 124 1003 C,I,R installed 10.10.10.65 biz-internet ipsec -
1 192.168.50.2/32 0.0.0.0 68 1004 C,Red,R installed 10.10.10.40 biz-internet ipsec -
cEdge_Site40#
The next output captures the vrf 1 routing table, and 192.168.40.2 is in the RIB.
cEdge_Site40#show ip route vrf 1
Routing Table: 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.10.10.60 to network 0.0.0.0
m* 0.0.0.0/0 [251/0] via 10.10.10.60, 00:09:43, Sdwan-system-intf
172.20.0.0/24 is subnetted, 1 subnets
m 172.20.0.0 [251/0] via 10.10.10.65, 00:09:43, Sdwan-system-intf
192.168.40.0/32 is subnetted, 1 subnets
C 192.168.40.2 is directly connected, Loopback1
192.168.50.0/32 is subnetted, 1 subnets
C 192.168.50.2 is directly connected, Loopback2
cEdge_Site40#
Per current configuration, both OSPF External and Internal routes are redistributed into OMP.
cEdge_ospf#show sdwan omp routes 192.168.60.0/24
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 192.168.60.0/24 0.0.0.0 75 1003 C,Red,R installed 10.10.10.100 gold ipsec -
cEdge_ospf#show sdwan omp routes 172.16.16.0/24
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 172.16.16.0/24 0.0.0.0 75 1003 C,Red,R installed 10.10.10.100 gold ipsec -
cEdge_ospf#
The next output captures the vrf 1 OSPF routing table, and both the OSPF External and Internal routes are in the RIB.
cEdge_ospf#show ip route vrf 1 ospf
Routing Table: 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.10.10.60 to network 0.0.0.0
172.16.0.0/24 is subnetted, 1 subnets
O E2 172.16.16.0 [110/20] via 192.168.70.3, 00:14:04, GigabitEthernet0/0/1
O IA 192.168.60.0/24 [110/2] via 192.168.70.3, 01:07:51, GigabitEthernet0/0/1
cEdge_ospf#
1. After filtering with route-map to redistribute just internal routes, OSPF external route is no longer redistributed into OMP.
cEdge_ospf#show sdwan omp routes 172.16.16.0/24
% No such element exists.
cEdge_ospf#show sdwan omp routes 192.168.60.0/24
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 192.168.60.0/24 0.0.0.0 75 1003 C,Red,R installed 10.10.10.100 gold ipsec -
cEdge_ospf#
The next output captures the vrf 1 OSPF routing table, and both the OSPF External and Internal routes are in the RIB.
cEdge_ospf#show ip route vrf 1 ospf
Routing Table: 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.10.10.60 to network 0.0.0.0
172.16.0.0/24 is subnetted, 1 subnets
O E2 172.16.16.0 [110/20] via 192.168.70.3, 00:09:12, GigabitEthernet0/0/1
O IA 192.168.60.0/24 [110/2] via 192.168.70.3, 01:02:59, GigabitEthernet0/0/1
cEdge_ospf#
2. After filtering with route-map to redistribute just external routes, OSPF internal route is no longer redistributed into OMP.
cEdge_ospf#show sdwan omp routes 192.168.60.0/24
% No such element exists.
cEdge_ospf#show sdwan omp routes 172.16.16.0/24
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 172.16.16.0/24 0.0.0.0 75 1003 C,Red,R installed 10.10.10.100 gold ipsec -
cEdge_ospf#
The next output captures the vrf 1 OSPF routing table, and both the OSPF External and Internal routes are in the RIB.
cEdge_ospf#show ip route vrf 1 ospf
Routing Table: 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.10.10.60 to network 0.0.0.0
172.16.0.0/24 is subnetted, 1 subnets
O E2 172.16.16.0 [110/20] via 192.168.70.3, 00:02:16, GigabitEthernet0/0/1
O IA 192.168.60.0/24 [110/2] via 192.168.70.3, 00:56:03, GigabitEthernet0/0/1
cEdge_ospf#
By default, all connected routes are redistributed in OMP from Site 40 (Focus on 192.168.50.2/32).
cEdge_Site40#show sdwan running-config | i site
site-id 40
cEdge_Site40#show sdwan omp routes 192.168.50.2/32
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 192.168.50.2/32 0.0.0.0 68 1004 C,Red,R installed 10.10.10.40 biz-internet ipsec -
cEdge_Site40#
Site 10 and Site 100 receive the route from OMP.
cEdge_Site10#show sdwan running-config | i site
site-id 10
cEdge_Site10#show sdwan omp routes 192.168.50.2/32
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 192.168.50.2/32 10.10.10.2 32 1004 C,I,R installed 10.10.10.40 biz-internet ipsec -
cEdge_Site10#
cEdge_ospf#show sdwan running-config | i site
site-id 100
cEdge_ospf#show sdwan omp routes 192.168.50.2/32
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 192.168.50.2/32 10.10.10.2 73 1004 C,I,R installed 10.10.10.40 biz-internet ipsec -
cEdge_ospf#
1. After centralized policy is pushed to vSmart, Site 40 is still redistributing 192.168.50.2 into OMP and vSmart is receiving it.
cEdge_Site40#show sdwan running-config | i site
site-id 40
cEdge_Site40#show sdwan omp routes 192.168.50.2/32
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 192.168.50.2/32 0.0.0.0 68 1004 C,Red,R installed 10.10.10.40 biz-internet ipsec -
cEdge_Site40#
rcdn_lab_vSmart# show omp routes 192.168.50.2/32
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 192.168.50.2/32 10.10.10.40 68 1004 C,R installed 10.10.10.40 biz-internet ipsec -
rcdn_lab_vSmart#
However, Site 10 and 100 do not receive that particular route.
cEdge_Site10#show sdwan running-config | i site
site-id 10
cEdge_Site10#show sdwan omp routes 192.168.50.2/32
% No such element exists.
cEdge_Site10#
cEdge_ospf#show sdwan running-config | i site
site-id 100
cEdge_ospf#show sdwan omp routes 192.168.50.2/32
% No such element exists.
cEdge_ospf#
2. After centralized policy is pushed to vSmart, Site 40 is still redistributing 192.168.50.2 into OMP, but vSmart is rejecting it, making it invalid.
rcdn_lab_vSmart# show omp routes 192.168.50.2/32
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 192.168.50.2/32 10.10.10.40 68 1004 Rej,R,Inv installed 10.10.10.40 biz-internet ipsec -
rcdn_lab_vSmart#
Site 10 and 100 do not receive that particular route.
cEdge_Site10#show sdwan running-config | i site
site-id 10
cEdge_Site10#show sdwan omp routes 192.168.50.2/32
% No such element exists.
cEdge_Site10#
cEdge_ospf#show sdwan running-config | i site
site-id 100
cEdge_ospf#show sdwan omp routes 192.168.50.2/32
% No such element exists.
cEdge_ospf#
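The verification steps above can be scripted. This is an added example, not part of the original Cisco document: it parses the data rows of show sdwan omp routes (or show omp routes on vSmart) and reports any filtered prefix that is still usable in OMP. The function names and the subnet-containment match are assumptions of this example; the sample rows are copied from the outputs on this page.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class OmpRoute:
    vpn: int
    prefix: object      # ipaddress network object
    from_peer: str      # 0.0.0.0 means locally originated
    status: frozenset   # e.g. {"C", "Red", "R"}

def parse_omp_routes(text):
    """Parse data rows from 'show sdwan omp routes' / 'show omp routes' output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        # Data rows carry 11 columns (VPN PREFIX FROM-PEER PATH-ID LABEL STATUS ...).
        # Legend, header, prompts and "% No such element exists." are skipped.
        if len(f) != 11 or not f[0].isdigit() or "/" not in f[1]:
            continue
        routes.append(OmpRoute(int(f[0]), ipaddress.ip_network(f[1], strict=False),
                               f[2], frozenset(f[5].split(","))))
    return routes

def leaked(routes, vpn, filtered_prefixes):
    """Return usable routes in `vpn` that fall inside a prefix the policy should filter."""
    nets = [ipaddress.ip_network(p, strict=False) for p in filtered_prefixes]
    found = []
    for r in routes:
        inside = any(r.prefix.version == n.version and r.prefix.subnet_of(n) for n in nets)
        # Rej/Inv rows stay visible on vSmart under an inbound control policy,
        # but are not usable, so they are not counted as leaks.
        if r.vpn == vpn and inside and not ({"Rej", "Inv"} & r.status):
            found.append(r)
    return found

# Rows copied from the outputs on this page: cEdge_Site40 before and after the
# localized policy, vSmart with the inbound centralized policy, and Site 10.
SITE40_BEFORE = """\
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
1 0.0.0.0/0 10.10.10.2 123 1004 C,I,R installed 10.10.10.60 biz-internet ipsec -
1 192.168.40.2/32 0.0.0.0 68 1004 C,Red,R installed 10.10.10.40 biz-internet ipsec -
1 192.168.50.2/32 0.0.0.0 68 1004 C,Red,R installed 10.10.10.40 biz-internet ipsec -
"""
SITE40_AFTER = """\
1 0.0.0.0/0 10.10.10.2 123 1004 C,I,R installed 10.10.10.60 biz-internet ipsec -
1 192.168.50.2/32 0.0.0.0 68 1004 C,Red,R installed 10.10.10.40 biz-internet ipsec -
"""
VSMART_INBOUND = """\
1 192.168.50.2/32 10.10.10.40 68 1004 Rej,R,Inv installed 10.10.10.40 biz-internet ipsec -
"""
SITE10_AFTER = "% No such element exists.\n"

if __name__ == "__main__":
    checks = [("Site40 before", SITE40_BEFORE, "192.168.40.2/32"),
              ("Site40 after", SITE40_AFTER, "192.168.40.2/32"),
              ("vSmart inbound", VSMART_INBOUND, "192.168.50.2/32"),
              ("Site10 after", SITE10_AFTER, "192.168.50.2/32")]
    for name, out, prefix in checks:
        hits = leaked(parse_omp_routes(out), 1, [prefix])
        print(name, "->", [str(h.prefix) for h in hits] or "no leak")
```

With the outbound centralized policy, vSmart itself still holds the route as C,R, so run the check against output collected on the destination sites rather than on vSmart.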
Revision | Publish Date | Comments |
---|---|---|
1.0 | 20-Jul-2023 | Initial Release |