
BGP Outbound Route Filtering – ORF

When a customer connects a CE router to a provider PE router for BGP peering, there are limited options for what routes the CE can receive from the PE via BGP. Usually the service provider gives the customer the choice of receiving the full BGP table, just a default route, or a small set of specific prefixes such as the default route plus the service provider's locally originated prefixes. Normally the service provider does not want to implement a complex outbound route filter policy per customer, so the customer implements an inbound route filter policy to accept whichever prefixes it requires.

From an administrative point of view the service provider is happy, as it does not have to handle change requests from the customer to add or remove prefixes in the provider-to-customer advertisements.

Similarly, the customer does not have to submit a change request to the service provider and can modify its inbound filter policy as its requirements change.

But from a resource usage point of view this is not an optimal design. The provider router still sends the full BGP table (around 500k prefixes), and the customer router still processes every one of those BGP updates only to accept a few prefixes (sometimes 1-2% of the table) and deny all the others.

Here the BGP Outbound Route Filtering capability plays a significant role: it optimizes this design without adding administrative overhead for the service provider, which would otherwise have to make frequent changes to the prefix filter applied to its advertisements to the customer.

With the BGP ORF capability, the CE router dynamically tells the PE router which outbound filter the PE should apply when advertising prefixes to the CE.

Let's configure this feature and see how it works. We will use the following network topology for this discussion.

[Figure: orf-topology, CE R1 (AS 100, 1.1.1.1) peering with PE R2 (AS 200, 1.1.1.2)]

Here is the initial BGP configuration and status on both routers:

PE Router

- BGP peering is up between the PE and CE routers
- The PE is advertising the full BGP table to the CE

R2#sh run | s bgp
router bgp 200
 bgp log-neighbor-changes
 network 0.0.0.0
 network 2.2.1.0 mask 255.255.255.0
 network 2.2.2.0 mask 255.255.255.0
 network 2.2.3.0 mask 255.255.255.0
 network 2.2.4.0 mask 255.255.255.0
 network 2.2.5.0 mask 255.255.255.0
 neighbor 1.1.1.1 remote-as 100

R2#sh ip bgp sum | b Nei
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4          100       5       6        7    0    0 00:01:39        0

R2#sh ip bgp
BGP table version is 7, local router ID is 2.2.5.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 i
 *>  2.2.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i
 *>  2.2.3.0/24       0.0.0.0                  0         32768 i
 *>  2.2.4.0/24       0.0.0.0                  0         32768 i
 *>  2.2.5.0/24       0.0.0.0                  0         32768 i

R2#sh ip bgp neighbors 1.1.1.1 advertised-routes
BGP table version is 7, local router ID is 2.2.5.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 i
 *>  2.2.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i
 *>  2.2.3.0/24       0.0.0.0                  0         32768 i
 *>  2.2.4.0/24       0.0.0.0                  0         32768 i
 *>  2.2.5.0/24       0.0.0.0                  0         32768 i

Total number of prefixes 6

 

CE Router

- BGP peering is up between the CE and PE routers
- The CE is receiving the full BGP table from the PE

R1#sh run | s bgp
router bgp 100
 bgp log-neighbor-changes
 neighbor 1.1.1.2 remote-as 200

R1#sh ip bgp sum | b Nei
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.2         4          200      12      12       19    0    0 00:07:35        6

R1#sh ip bgp
BGP table version is 19, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          1.1.1.2                  0             0 200 i
 *>  2.2.1.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.2.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.3.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.4.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.5.0/24       1.1.1.2                  0             0 200 i

Let's first apply an inbound filter on the CE router. The CE wants to accept only the prefixes below:

Default route + 2 specific prefixes
0.0.0.0/0
2.2.1.0/24
2.2.2.0/24

R1#
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip prefix-list FILTER permit 0.0.0.0/0
R1(config)#ip prefix-list FILTER permit 2.2.1.0/24
R1(config)#ip prefix-list FILTER permit 2.2.2.0/24
R1(config)#
R1(config)#router bgp 100
R1(config-router)# neighbor 1.1.1.2 prefix-list FILTER in
R1(config-router)#
R1(config-router)#end
R1#
*Apr  8 12:09:58.667: %SYS-5-CONFIG_I: Configured from console by console
R1#clear ip bgp * soft
R1#sh ip bgp
BGP table version is 22, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          1.1.1.2                  0             0 200 i
 *>  2.2.1.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.2.0/24       1.1.1.2                  0             0 200 i

 

It appears our requirement is fulfilled, but something is not optimal behind the scenes. Let's debug the BGP advertisements.

The PE is still advertising the full BGP table to the CE:

R2#sh ip bgp neighbors 1.1.1.1 advertised-routes
BGP table version is 7, local router ID is 2.2.5.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 i
 *>  2.2.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i
 *>  2.2.3.0/24       0.0.0.0                  0         32768 i
 *>  2.2.4.0/24       0.0.0.0                  0         32768 i
 *>  2.2.5.0/24       0.0.0.0                  0         32768 i

Total number of prefixes 6

The debug output below shows that, before accepting the required 3 prefixes into its BGP table, the CE router processed every prefix received from the PE and denied those not permitted by the inbound prefix-list applied to neighbor 1.1.1.2. Just imagine the resource usage if this were an actual full BGP table of 500K prefixes.

R1#debug ip bgp updates
BGP updates debugging is on for address family: IPv4 Unicast
R1#
R1#clear ip bgp 1.1.1.2
R1#
*Apr  8 12:15:10.551: BGP(0): no valid path for 0.0.0.0/0
*Apr  8 12:15:10.555: BGP(0): no valid path for 2.2.1.0/24
*Apr  8 12:15:10.559: BGP(0): no valid path for 2.2.2.0/24
*Apr  8 12:15:10.567: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Down User reset
*Apr  8 12:15:10.571: %BGP_SESSION-5-ADJCHANGE: neighbor 1.1.1.2 IPv4 Unicast topology base removed from session  User reset
*Apr  8 12:15:10.575: BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 0.0.0.0/0
*Apr  8 12:15:10.583: BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 2.2.1.0/24
*Apr  8 12:15:10.591: BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 2.2.2.0/24
*Apr  8 12:15:10.883: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Up
*Apr  8 12:15:10.979: BGP(0): 1.1.1.2 rcvd UPDATE w/ attr: nexthop 1.1.1.2, origin i, metric 0, merged path 200, AS_PATH
*Apr  8 12:15:10.991: BGP(0): 1.1.1.2 rcvd 0.0.0.0/0
*Apr  8 12:15:10.995: BGP(0): 1.1.1.2 rcvd 2.2.1.0/24
*Apr  8 12:15:10.999: BGP(0): 1.1.1.2 rcvd 2.2.2.0/24
*Apr  8 12:15:11.003: BGP(0): 1.1.1.2 rcvd 2.2.3.0/24 -- DENIED due to: distribute/prefix-list;
*Apr  8 12:15:11.007: BGP(0): 1.1.1.2 rcvd 2.2.4.0/24 -- DENIED due to: distribute/prefix-list;
*Apr  8 12:15:11.011: BGP(0): 1.1.1.2 rcvd 2.2.5.0/24 -- DENIED due to: distribute/prefix-list;
*Apr  8 12:15:11.015: BGP(0): Revise route installing 1 of 1 routes for 0.0.0.0/0 -> 1.1.1.2(global) to main IP table
*Apr  8 12:15:11.015: BGP(0): Revise route installing 1 of 1 routes for 2.2.1.0/24 -> 1.1.1.2(global) to main IP table
*Apr  8 12:15:11.019: BGP(0): Revise route installing 1 of 1 routes for 2.2.2.0/24 -> 1.1.1.2(global) to main IP table

R1#sh ip bgp
BGP table version is 34, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          1.1.1.2                  0             0 200 i
 *>  2.2.1.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.2.0/24       1.1.1.2                  0             0 200 i

Let's try the BGP ORF feature now.

CE Router - R1

R1#
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip prefix-list FILTER permit 0.0.0.0/0
R1(config)#ip prefix-list FILTER permit 2.2.1.0/24
R1(config)#ip prefix-list FILTER permit 2.2.2.0/24
R1(config)#
R1(config)#router bgp 100
R1(config-router)#neighbor 1.1.1.2 capability orf prefix-list send
R1(config-router)# neighbor 1.1.1.2 prefix-list FILTER in
R1(config-router)#end
*Apr  8 12:22:38.879: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Down Capability changed
*Apr  8 12:22:38.883: %BGP_SESSION-5-ADJCHANGE: neighbor 1.1.1.2 IPv4 Unicast topology base removed from session  Capability changed
*Apr  8 12:22:39.391: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Up


PE Router - R2

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router bgp 200
R2(config-router)#neighbor 1.1.1.1 capability orf prefix-list receive
R2(config-router)#
*Apr  8 12:26:25.267: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Capability changed
*Apr  8 12:26:25.271: %BGP_SESSION-5-ADJCHANGE: neighbor 1.1.1.1 IPv4 Unicast topology base removed from session  Capability changed
*Apr  8 12:26:25.955: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
R2(config-router)#
R2(config-router)#end
R2#

Verification:

The CE router (R1) has negotiated the ORF capability with its neighbor (PE R2) and sent the prefix-list ORF to the PE.

R1#sh ip bgp neighbors 1.1.1.2

<snip>

 For address family: IPv4 Unicast
  Session: 1.1.1.2
  BGP table version 46, neighbor version 46/0
  Output queue size : 0
  Index 7, Advertise bit 0
  7 update-group member
  AF-dependant capabilities:
    Outbound Route Filter (ORF) type (128) Prefix-list:
      Send-mode: advertised
      Receive-mode: received
  Outbound Route Filter (ORF): sent;
  Incoming update prefix filter list is FILTER

<snip>

The PE router (R2) has negotiated the ORF capability with its neighbor (CE R1) and received the prefix-list ORF from the CE.

R2#sh ip bgp neighbors 1.1.1.1

<snip>

 For address family: IPv4 Unicast
  Session: 1.1.1.1
  BGP table version 7, neighbor version 7/0
  Output queue size : 0
  Index 7, Advertise bit 0
  7 update-group member
  AF-dependant capabilities:
    Outbound Route Filter (ORF) type (128) Prefix-list:
      Send-mode: received
      Receive-mode: advertised
  Outbound Route Filter (ORF): received (3 entries)

<snip> 


R2#sh ip bgp neighbors 1.1.1.1 received prefix-filter
Address family: IPv4 Unicast
ip prefix-list 1.1.1.1: 3 entries
   seq 5 permit 0.0.0.0/0
   seq 10 permit 2.2.1.0/24
   seq 15 permit 2.2.2.0/24
R2#

!! -- You can see there is no local prefix-list in the running configuration of R2 --!!

R2#sh ip prefix-list
R2#

!! -- Now R2 advertises to the neighbor only those prefixes permitted by the ORF prefix-list --!!

R2#sh ip bgp neighbors 1.1.1.1 advertised-routes
BGP table version is 7, local router ID is 2.2.5.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 i
 *>  2.2.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i

Total number of prefixes 3

Let's debug BGP updates on R1 to see what it is receiving. It now receives only the required prefixes from its neighbor; no CPU time is spent processing updates that would only be denied.

R1#debug ip bgp updates
BGP updates debugging is on for address family: IPv4 Unicast

R1#clear ip bgp 1.1.1.2
R1#
*Apr  8 13:10:36.119: BGP(0): no valid path for 0.0.0.0/0
*Apr  8 13:10:36.123: BGP(0): no valid path for 2.2.1.0/24
*Apr  8 13:10:36.123: BGP(0): no valid path for 2.2.2.0/24
*Apr  8 13:10:36.135: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Down User reset
*Apr  8 13:10:36.139: %BGP_SESSION-5-ADJCHANGE: neighbor 1.1.1.2 IPv4 Unicast topology base removed from session  User reset
*Apr  8 13:10:36.143: BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 0.0.0.0/0
*Apr  8 13:10:36.147: BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 2.2.1.0/24
*Apr  8 13:10:36.155: BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 2.2.2.0/24
R1#
*Apr  8 13:10:37.291: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Up
*Apr  8 13:10:38.219: BGP(0): 1.1.1.2 rcvd UPDATE w/ attr: nexthop 1.1.1.2, origin i, metric 0, merged path 200, AS_PATH
*Apr  8 13:10:38.227: BGP(0): 1.1.1.2 rcvd 0.0.0.0/0
*Apr  8 13:10:38.231: BGP(0): 1.1.1.2 rcvd 2.2.1.0/24
*Apr  8 13:10:38.235: BGP(0): 1.1.1.2 rcvd 2.2.2.0/24
*Apr  8 13:10:38.239: BGP(0): Revise route installing 1 of 1 routes for 0.0.0.0/0 -> 1.1.1.2(global) to main IP table
*Apr  8 13:10:38.247: BGP(0): Revise route installing 1 of 1 routes for 2.2.1.0/24 -> 1.1.1.2(global) to main IP table
*Apr  8 13:10:38.247: BGP(0): Revise route installing 1 of 1 routes for 2.2.2.0/24 -> 1.1.1.2(global) to main IP table
R1#

In future, if the CE wants to receive one more prefix (2.2.3.0/24) from the PE, the CE only has to modify its own prefix-list.

!!-- Existing prefix-list --!!
R1#sh ip prefix-list
ip prefix-list FILTER: 3 entries
   seq 5 permit 0.0.0.0/0
   seq 10 permit 2.2.1.0/24
   seq 15 permit 2.2.2.0/24
R1#
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip prefix-list FILTER seq 20 permit 2.2.3.0/24
R1(config)#
R1(config)#end
R1#
*Apr  8 13:15:03.579: %SYS-5-CONFIG_I: Configured from console by console

!!-- New prefix-list --!!
R1#sh ip prefix-list
ip prefix-list FILTER: 4 entries
   seq 5 permit 0.0.0.0/0
   seq 10 permit 2.2.1.0/24
   seq 15 permit 2.2.2.0/24
   seq 20 permit 2.2.3.0/24
R1#

R1#clear ip bgp 1.1.1.2 in ?
  prefix-filter  Push out prefix-list ORF and do inbound soft reconfig
  <cr>
R1#clear ip bgp 1.1.1.2 in prefix-filter


R2 now has the updated prefix-filter:

R2#sh ip bgp neighbors 1.1.1.1 received prefix-filter
Address family: IPv4 Unicast
ip prefix-list 1.1.1.1: 4 entries
   seq 5 permit 0.0.0.0/0
   seq 10 permit 2.2.1.0/24
   seq 15 permit 2.2.2.0/24
   seq 20 permit 2.2.3.0/24

R2 advertises prefixes based on the updated prefix-filter:

R2#sh ip bgp neighbors 1.1.1.1 advertised-routes
BGP table version is 7, local router ID is 2.2.5.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 i
 *>  2.2.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i
 *>  2.2.3.0/24       0.0.0.0                  0         32768 i

Total number of prefixes 4

R1 has the required prefixes in its BGP table:

R1#sh ip bgp
BGP table version is 59, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          1.1.1.2                  0             0 200 i
 *>  2.2.1.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.2.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.3.0/24       1.1.1.2                  0             0 200 i
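
To make the exchange concrete, here is an added Python model of what the two routers are doing; it is not IOS code and not part of the original post. It covers the prefix-list semantics R1 applies, the Address-Prefix ORF entries R1 pushes to R2, R2 storing that list per neighbor and applying it outbound, and the seq 20 change being re-pushed, so it serves both the inbound-filter comparison earlier (six updates processed to keep three) and the ORF sections. Assumptions: the wire layout follows RFC 5291's Address-Prefix ORF (type 64, the standardised form of the type-128 prefix-list ORF that the IOS output above reports); a refresh is modelled as one REMOVE-ALL entry followed by ADD entries, since the page does not show which actions IOS emits; Minlen/Maxlen are filled with the effective length range. The names Entry, encode_orf, apply_orf, advertised and demo are mine.

```python
"""IOS-style ip prefix-list and the RFC 5291 Address-Prefix ORF exchange between CE R1
and PE R2: a constructed model of the lab above, not IOS code."""
import ipaddress
import struct
from dataclasses import dataclass

ADD, REMOVE, REMOVE_ALL = 0, 1, 2   # ORF entry "Action" values (RFC 5291 section 3)
PERMIT, DENY = 0, 1                 # ORF entry "Match" values
N = ipaddress.IPv4Network


@dataclass(frozen=True)
class Entry:
    seq: int
    permit: bool
    prefix: ipaddress.IPv4Network
    ge: int = 0   # 0 = keyword omitted, as on the IOS command line
    le: int = 0


def length_range(e):
    """IOS semantics: exact length when ge/le are omitted, ge..32 with ge alone,
    len..le with le alone, otherwise ge..le."""
    lo = e.ge or e.prefix.prefixlen
    hi = e.le or (32 if e.ge else e.prefix.prefixlen)
    return lo, hi

def matches(e, net):
    lo, hi = length_range(e)
    return net.subnet_of(e.prefix) and lo <= net.prefixlen <= hi

def evaluate(entries, net):
    """First matching entry in sequence order decides; no match is an implicit deny."""
    for e in sorted(entries, key=lambda x: x.seq):
        if matches(e, net):
            return e.permit
    return False

def encode_orf(entries):
    """CE side: a full refresh as one REMOVE-ALL entry followed by one ADD entry per
    line (modelling choice; the page does not show which actions IOS emits).  Entry
    layout per RFC 5291: Action/Match octet, Sequence(4), Minlen(1), Maxlen(1),
    Length(1, bits), Prefix (minimum whole octets).  Minlen/Maxlen always carry the
    effective range so both ends apply identical semantics."""
    out = bytearray([REMOVE_ALL << 6])
    for e in sorted(entries, key=lambda x: x.seq):
        lo, hi = length_range(e)
        plen = e.prefix.prefixlen
        out.append((ADD << 6) | ((PERMIT if e.permit else DENY) << 5))
        out += struct.pack("!IBBB", e.seq, lo, hi, plen)
        out += e.prefix.network_address.packed[:(plen + 7) // 8]
    return bytes(out)

def apply_orf(stored, payload):
    """PE side: parse ORF entries into the per-neighbour filter (seq -> Entry)."""
    stored = dict(stored)
    pos = 0
    while pos < len(payload):
        action, match = payload[pos] >> 6, (payload[pos] >> 5) & 1
        pos += 1
        if action == REMOVE_ALL:
            stored.clear()
            continue
        seq, lo, hi, plen = struct.unpack_from("!IBBB", payload, pos)
        pos += 7
        nbytes = (plen + 7) // 8
        raw = payload[pos:pos + nbytes] + bytes(4 - nbytes)   # pad to four octets
        pos += nbytes
        if action == REMOVE:
            stored.pop(seq, None)
            continue
        net = N((int.from_bytes(raw, "big"), plen))
        stored[seq] = Entry(seq, match == PERMIT, net, lo, hi)
    return stored

def advertised(pe_table, pe_filter):
    """What the PE sends to this neighbour once the received ORF is applied outbound."""
    return [n for n in pe_table if evaluate(pe_filter.values(), n)]

# Constructed data mirroring the lab: R2's six prefixes and R1's prefix-list FILTER.
PE_TABLE = [N("0.0.0.0/0")] + [N(f"2.2.{i}.0/24") for i in range(1, 6)]
FILTER = [Entry(5, True, N("0.0.0.0/0")), Entry(10, True, N("2.2.1.0/24")),
          Entry(15, True, N("2.2.2.0/24"))]

def demo():
    """Inbound-only design versus ORF, then the 'seq 20 permit 2.2.3.0/24' change
    re-pushed with 'clear ip bgp 1.1.1.2 in prefix-filter'."""
    inbound_only = (len(PE_TABLE), sum(evaluate(FILTER, n) for n in PE_TABLE))
    pe_filter = apply_orf({}, encode_orf(FILTER))           # R1 pushes the ORF, R2 stores it
    first = advertised(PE_TABLE, pe_filter)
    updated = FILTER + [Entry(20, True, N("2.2.3.0/24"))]
    second = advertised(PE_TABLE, apply_orf(pe_filter, encode_orf(updated)))
    return {"inbound_only_sent_accepted": inbound_only,
            "orf_first": [str(n) for n in first], "orf_updated": [str(n) for n in second]}

if __name__ == "__main__":
    print(demo())
```

Running the module prints the inbound-only count (6 updates sent, 3 accepted) beside the ORF results (3 prefixes, then 4 after the seq 20 change). Two points worth keeping in mind: the ORF a CE sends can only narrow what the PE advertises on that one session and never affects the PE's other neighbors, and the PE honours it only where `capability orf prefix-list receive` is configured. The model also keeps the CE's own inbound prefix-list in force, exactly as the lab does, so any mismatch between what the CE asked for and what the PE actually sends is still caught locally.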