[Contents] [Prev] [Next] [Index] [Report an Error]

Constraining Route Distribution with Route-Target Filtering

In typical BGP configurations, you can use cooperative route filtering to reduce the amount of processing required for inbound BGP updates and the amount of BGP control traffic generated by BGP updates. Cooperative route filtering works by having the remote peer install a BGP speaker’s inbound route filter as its own outbound route filter. This filtering causes the remote peer to advertise only those routes that the local peer can accept.

For BGP/MPLS VPNs, route-target filtering is a better approach. Route-target filtering controls the distribution of BGP routes based on the VPNS (indicated by the route-target extended communities) to which peer routers belong. PE routers use the MP_REACH_NLRI and MP_UNREACH_NLRI attributes in BGP updates to exchange information about each router’s route-target membership.

The PE router subsequently advertises VPN NLRI—the routing information carried in MP-BGP update messages—only to peers that are members of a route target that is associated with the VPN route. The VPN routes flow in the opposite direction to the route-target membership information.

Route-target filtering works across multiple ASs and with asymmetric VPN topologies, such as a hub-and-spoke. Route-target filtering can reduce the size of the BGP routing table in PE routers, as well as the amount of VPN NLRI exchange traffic between routes in the VPN. Route-target filtering also reduces router memory requirements by reducing the amount of routing information stored and propagated. For example, route reflectors scale according to the total number of VPN routes present in their network. With route-target filtering, you can reduce the scaling requirements of the reflectors by restricting the number of VPN routes they must process to only those VPN routes actually used by the route reflector clients.

Applications such as BGP/MPLS VPNs, VPLS L2VPNs, and VPWS L2VPNs all use route targets as part of their route reachability information, and can therefore employ route-target filtering and potentially accrue the benefits of reduced traffic and smaller routing tables.

Exchanging Route-Target Membership Information

BGP peers exchange route-target membership information in the following sequence:

When the BGP peers negotiate the BGP multiprotocol extensions capability during the establishment of a BGP session, they indicate support for the route-target address family by including the (AFI, SAFI) value pair for the route-target membership NLRI (RT-MEM-NLRI) attribute. This pair has an AFI value of 1 and a SAFI value of 132.
If the capability is successfully negotiated, BGP speaker Router A expresses its interest in a VPN route target by advertising to its peers the RT-MEM-NLRI attribute that contains the particular route target. This attribute is represented as a prefix in the following format:
AS number:route-target extended community/prefix length
- AS number—Number of the originating AS
- route-target extended community—Two-part number identifying the route target extended community. Consists of number1:number2, where:
  - number1—Autonomous system (AS) number or an IP address
  - number2—Unique integer; 32 bits if number1 is an AS number; 16 bits if number1 is an IP address
- prefix length—Length of the prefix. A prefix less than 32 or greater than 96 is invalid. However, the prefix for the Default-RT-MEM-NLRI attribute is an exception to this rule. For the Default-RT-MEM-NLRI attribute, 0 is a valid prefix length.
For example, 100:100:53/36 is a valid RT--MEM-NLRI.
Remote peers of Router A use the route-target membership advertised by Router A to filter their VPN routes that are outbound to Router A. A peer advertises a VPN route to Router A only when one of the following conditions is true
- Router A advertised a default route-target membership.
- Router A advertised membership in any of the route targets associated with the VPN route.
Router A then receives and processes the RT-MEM-NLRI attributes sent by its peers to determine which VPN routes it advertises to the peers.

BGP speakers advertise and withdraw the RT-MEM-NLRI attribute in MP-BGP update messages. BGP speakers ignore RT-MEM-NLRI attributes received from peers that have not successfully negotiated this capability with the speaker.

If dynamic negotiation for the route-refresh capability is enabled, BGP negotiates the route-refresh capability for the RT-MEM-AFI-SAFI address family when a peer is activated in that family. As a consequence, you can use the clear ip bgp soft command to refresh the RT-MEM-NLRI routes in the BGP speaker’s Adj-RIBs-Out table.

The usefulness of BGP VPN route-target filtering depends on the sparseness of route target membership among the VPN sites. In configurations where VPNs are members of many route target communities—that is, route target membership is dense—the amount of VPN NLRI exchange traffic is about the same regardless of whether route-target filtering is configured.

Receiving and Sending RT-MEM-NLRI Routing Updates

RT-MEM-NLRI routing updates are processed in the following sequence:

During the initial RT-MEM-NLRI route exchange that takes place when a session with a peer is being brought up, BGP sends an End-of-RIB marker for RT-MEM-AFI-SAFI that signals it has finished advertising route-target membership information.
Remote peers interpret the End-of-RIB marker for RT-MEM-AFI-SAFI to mean that the BGP speaker has advertised all of its route target-memberships. If the BGP speaker does not receive an End-of-RIB marker for RT-MEM-AFI-SAFI from a remote BGP peer in the context of the route-target address family, by default the local BGP speaker waits for 60 seconds before timing out.
The BGP speaker then starts advertising its VPN routes. The routes are passed through the outbound route-target membership filters for that peer.
When a BGP speaker receives a RT-MEM-NLRI update message, it re-evaluates the advertisement status of VPN routes that match the corresponding route target in the peer's Adj-RIBS-Out table. This can result in an incremental update that advertises or withdraws some routes for the VPN.

You can use the bgp wait-on-end-of-rib command to specify how long BGP waits for the End-ofRIB marker from route-target peers.

When the route-refresh capability has been negotiated for the route-target address family. BGP handles route-refresh messages for the RT-MEM-AFI-SAFI by resending all RT-MEM-NLRI routes to the remote peer

You can use the neighbor maximum-prefix command to specify the maximum number of prefixes that the speaker can receive from a BGP peer.

Route-target filtering generally follows the standard BGP rules for route advertisement to determine when to advertise RT-MEM-NLRI prefixes that have been received from BGP peers. Table 61 lists the destinations that the prefixes are advertised to based on their source. In this table, client-to-client reflection is enabled and the source and destination peers are not the same.

Table 61: Route-Target Filtering Advertisement Rules for Routes Received from Peers

Routes Received From	Advertise to IBGP Route Reflector Client?	Advertise to IBGP Route Reflector Nonclient?	Advertise to EBGP Peer?	Advertise to EBGP Confederation Peer?
IBGP route reflector client	Yes	Yes	Yes	Yes
IBGP route reflector nonclient	Yes	No	Yes	Yes
EBGP peer	Yes	Yes	Yes	Yes
EBGP confederation peer	Yes	Yes	Yes	Yes

Advertising to IBGP clients varies from the standard advertisement rules in terms of path attribute modifications. When locally originated RT-MEM-NLRI routes are advertised to IBGP route reflector clients, BGP does the following:

Sets the originator ID as the router ID of the advertising router.
Sets the next hop as the local address of the session.

This behavior is useful when the route reflector does not advertise the Default-RT-MEM-NLRI route.

When locally originated RT-MEM-NLRI routes are advertised to IBGP route reflector nonclients, the route from the client is advertised to the nonclient peer when the best path route is advertised by a nonclient but an alternative route from a client exists. This behavior signals the client’s interest in the route target routes that were not selected as the best path.

You cannot filter RT-MEM-NLRI routes with inbound policies or outbound policies, because policy items cannot currently match a RT-MEM-NLRI prefix (origin AS number:route target). However, you can filter route-target filtering routes with policies that include items that match on other BGP attributes, such as the extended community attached to the route-target filtering route.

bgp wait-on-end-of-rib

Use to configure how long BGP waits to receive End-of-RIB markers from route-target address family peers.
The wait interval applies to all route-target address family peers.
This command takes effect immediately.
Examplehost1(config-router)#address-family route-target signaling host1(config-router-af)#bgp wait-on-end-of-rib 360
Use the no version to restore the default wait interval, 60 seconds.
See bgp wait-on-end-of-rib.

neighbor maximum-prefix

Use to control how many prefixes can be received from a neighbor.
If you specify a BGP peer group by using the peerGroupName argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer.
By default, BGP checks the maximum prefix limit only against accepted routes. You can specify the strict keyword to force BGP to check the maximum prefix against all received routes. The accepted and received routes will likely differ when you have configured inbound soft reconfiguration and route filters for incoming traffic.
This command takes effect immediately. To prevent a peer from continually flapping, when it goes to state idle because the maximum number of prefixes has been reached, the peer stays in state idle until you use the clear ip bgp command to issue a hard clear.
Examplehost1(config-router)#address-family route-target signaling host1(config-router-af)#neighbor maximum-prefix 10.1.2.3 100
Use the no version to remove the maximum number of prefixes.
See neighbor maximum-prefix.

Conditions for Advertising RT-MEM-NLRI Routes

The following conditions must be met for routes in the route-target address family to be advertised to a BGP peer:

The BGP peers have successfully negotiated the route-target address family.
The import route-target list for the IPv4 VRF is not empty or is transitioning to empty.

In a VRF, a RT-MEM-NLRI attribute represented by (origin AS number:route target) is advertised for every route target added to the VRF's route target import list when the preceding conditions have been met.

A withdrawal for the RT-MEM-NLRI attribute is generated when the route target is removed from this VRF's import list.

Advertising a Default Route

You can configure BGP to send a default route to indicate that the speaker accepts routes for any VPNs associated with any route target. For example, this might be desirable for a route reflector advertising to one of its PE router clients, or when a VPN provider is migrating the network to route-target filtering but one or more PEs in the provider's network do not support this feature.

When you configure the default route, the RT-MEM-NLRI attribute contains 0:0:0/0 as the Default-RT-MEM-NLRI. This 4-byte prefix contains only the local (origin) AS number field, set to zero.

By default, BGP does not generate or advertise the Default-RT-MEM-NLRI route. You can use the default-information originate command to generate the Default-RT-MEM-NLRI route and send it to all peers. You can use the neighbor default-originate command generate the route and send it to a particular peer group. The configuration must be the same for all members of the peer group.

A BGP speaker sends the Default-RT-MEM-NLRI route only to the peers with which it has negotiated the route-target filtering capability. Any other peers are considered to be unaware of this capability and have no use for that route.

default-information originate

Use in the route-target address family to cause a BGP speaker (the local router) to send the Default-RT-MEM-NLRI route (0:0:0/0) to all peers for use as a default route.
Use the route-map keyword to specify outbound route maps to apply to the default route. The route map can modify the attributes of the default route.
This command takes effect immediately. However, if the contents of the route map specified with this command change, the new route map may or may not take effect immediately. If the disable-dynamic-redistribute command has been configured, you must issue the clear ip bgp redistribution command to apply the changed route map.
Outbound policy configured for the neighbor (using the neighbor route-map out command) is applied to default routes that are advertised because of the default-information originate command.
Policy specified by a route map with the default-information originate command is applied at the same time as the policy for redistributed routes, before any outbound policy for peers.
Examplehost1(config-router)#router address-family route-target host1(config-router-af)#default-information originate
Use the no version to restore the default, preventing the redistribution of default routes.
See default-information originate.

neighbor default-originate

Use in the route-target address family to cause a BGP speaker (the local router) to send the Default-RT-MEM-NLRI route (0:0:0/0) to a peer group for use as a default route.
Use the route-map keyword to specify outbound route maps to apply to the default route. The route map can modify the attributes of the default route.
If you specify a BGP peer group by using the peerGroupName argument, all the members of the peer group inherit the characteristic configured with this command. You cannot override the characteristic for a specific member of the peer group.
Outbound policy configured for the neighbor (using the neighbor route-map out command) is not applied to default routes that are advertised because of the neighbor default-originate command.
This command takes effect immediately.
Examplehost1(config)#router bgp 100 host1(config-router)#router address-family route-target host1(config-router-af)#neighbor default-originate
Use the no version to prevent the default route from being advertised by BGP. Use the default version to remove the explicit configuration from the peer or peer group and reestablish inheritance of the feature configuration.
See neighbor default-originate.

Route Selection When Route-Target Filtering Is Enabled

When route-target filtering is enabled for a peer, BGP applies outbound filters to initially prevent the speaker from advertising any VPN routes to the peer.

If the BGP speaker subsequently receives a Default-MEM-NLRI route from a peer, BGP applies outbound filters for the peer to prevent route-target filtering from suppressing any VPN routes sent to the peer.

BGP follows the standard route selection process to find the route-target filtering best path for RT-MEM-NLRI routes received from other autonomous systems. The selection is based on the AS path and other MP-NLRI path-attributes attached to the route.

The route-target membership information, which includes the route target and the originator AS number, enables BGP speakers to use the standard path selection rules to remove duplicate, less-preferred paths from the total set of paths to route-target membership peers.

For RT-MEM-NLRI routes that originated within the local AS and are received from an IBGP peer, BGP considers the route-target filtering best path to be the set of all available IBGP paths for the RT-MEM-NLRI prefix. BGP then sets outbound route filters so that VPN routes that match the route target are sent to all IBGP peers that advertised the RT-MEM-NLRI route. This behavior does not affect how the BGP speaker in turn advertises the RT-MEM-NLRI routes.

When BGP selects a RT-MEM-NLRI route from a peer as the best path for the RT-MEM-NLRI prefix, BGP modifies the outbound filters to enable the speaker to advertise to that peer all VPN routes that correspond to that route target. These filters affect the subsequent calculation of the peer's Adj-RIBs-Out entries.

EBGP confederation peers are treated as IBGP peers when the BGP speaker is selecting the route-target filtering best path. When the BGP speaker advertises routes, then the EBGP confederation peers are treated normally, as EBGP peers.

You can control the maximum number of received EBGP best paths that are considered for path selection. The external-paths command limits external route target membership, thus controlling the number of EBGP peers that receive the route target VPN routes referenced by the RT-MEM-NLRI route. BGP ignores routes received from the peer after the limit specified with the external paths command is reached.

Configuring Route-Target Filtering

To configure route-target filtering:

Enable the BGP routing process in the specified AS.
The AS number identifies the PE router to other BGP routers.
host1(config)#router bgp 738
Configure the peers for the BGP speaker. Use neighbor commands to specify the PE router peers to which BGP advertises routes and to configure any additional BGP attributes.host1(config-router)#neighbor 10.2.2.2 remote-as 45 host1(config-router)#neighbor 10.2.2.2 update-source loopback 0 host1(config-router)#neighbor 10.2.2.2 next-hop-self
Create the route-target address family to configure the router to use BGP signaling to exchange the RT-MEM-NLRI attribute with peer routers.
Optionally, you can use the signaling keyword with the address-family command when you configure the route-target address family to specify BGP signaling of reachability information. Currently, you can omit the signaling keyword with no adverse effects.
host1(config-router)#address-family route-target signaling
Activate the neighbors that routes of the route-target address family are exchanged with for this BGP session. The neighbors must first be created in the default IPv4 unicast address family.host1(config-router-af)#neighbor 10.2.2.2 activate host1(config-router-af)#neighbor 10.2.2.2 next-hop-self
(Optional) Configure BGP to send a Default-MEM-NLRI route for all peers in the address family or for a specific peer or peer group in the address family.host1(config-router-af)#default-information originate or host1(config-router-af)#neighbor 10.2.2.2 default-originate
Set the maximum number of received external BGP paths that can be accepted for route-target signaling. host1(config-router-af)#external-paths 2
Configure any additional address family parameters desired for the session.

external-paths

Use to set the maximum number of received external BGP best paths allowed for route-target signaling.
Specify a value in the range 1–255; the default value is 1.
This command takes effect immediately; it does not bounce the session.
This command applies to only the route-target address family.
Example 1host1(config-router)#external-paths 45
Example 2host1:vr1(config-router-af)#external-paths 45
Use the no version to restore the default value, 1.
See external-paths.

[Contents] [Prev] [Next] [Index] [Report an Error]