Configuring BGP Route Target Filtering for VPNs
BGP route target filtering allows you to distribute VPN routes to only the routers that need them. In VPN networks without BGP route target filtering configured, BGP distributes all VPN routes to all VPN peer routers.
For more information about BGP route target filtering, see RFC 4684, Constrained Route Distribution for Border Gateway Protocol/MultiProtocol Label Switching (BGP/MPLS) Internet Protocol (IP) Virtual Private Networks (VPNs).
The following sections provide an overview of BGP route target filtering and how to configure it for VPNs:
BGP Route Target Filtering Overview
PE routers, unless they are configured as route reflectors or are running an EBGP session, discard any VPN routes that do not include a route target extended community as specified in the local VRF import policies. This is the default behavior of the Junos OS.
However, unless it is explicitly configured not to store VPN routes, any router configured either as a route reflector or border router for a VPN address family must store all of the VPN routes that exist in the service provider’s network. Also, though PE routers can automatically discard routes that do not include a route target extended community, route updates continue to be generated and received.
By reducing the number of routers receiving VPN routes and route updates, BGP route target filtering helps to limit the amount of overhead associated with running a VPN. BGP route target filtering is most effective at reducing VPN-related administrative traffic in networks where there are many route reflectors or AS border routers that do not participate in the VPNs directly (not acting as PE routers for the CE devices).
BGP route target filtering uses standard UPDATE messages to distribute route target extended communities between routers. The use of UPDATE messages allows BGP to use its standard loop detection mechanisms, path selection, policy support, and database exchange implementation.
Configuring BGP Route Target Filtering for VPNs
BGP route target filtering is enabled through the exchange of the route-target address family, stored in the bgp.rtarget.0 routing table. Based on the route-target address family, the route target NLRI (address family indicator [AFI]=1, subsequent AFI [SAFI]=132) is negotiated with its peers.
On a system that has locally configured VRF instances, BGP automatically generates local routes corresponding to targets referenced in the vrf-import policies.
To configure BGP route target filtering, include the family route-target statement:
family route-target {
    advertise-default;
    external-paths number;
    prefix-limit number;
}
For a list of hierarchy levels at which you can include this statement, see the statement summary section for this statement.
The advertise-default, external-paths, and prefix-limit statements affect the BGP route target filtering configuration as follows:
The advertise-default statement causes the router to advertise the default route target route (0:0:0/0) and suppress all routes that are more specific. This can be used by a route reflector on BGP groups consisting of neighbors that act as PE routers only. PE routers often need to advertise all routes to the route reflector. Suppressing all route target advertisements other than the default route reduces the amount of information exchanged between the route reflector and the PE routers. The Junos OS further helps to reduce route target advertisement overhead by not maintaining dependency information unless a nondefault route is received.
The external-paths statement (which has a default value of 1) causes the router to advertise the VPN routes that reference a given route target. The number you specify determines the number of external peer routers (currently advertising that route target) that receive the VPN routes.
The prefix-limit statement limits the number of prefixes that can be received from a peer router.
The route-target, advertise-default, and external-paths statements affect the RIB-OUT state and must be consistent between peer routers that share the same BGP group.
The prefix-limit statement affects the receive side only and can have different settings between different peer routers in a BGP group.
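The following Python sketch is an added example, not Juniper code: it decodes the RFC 4684 route target membership NLRI described above and shows how a peer's advertised memberships, including the default 0:0:0/0, decide which VPN routes it is sent. The function names, AS numbers, and VPN prefixes are constructed for illustration.

```python
import struct

def rt(asn: int, num: int) -> bytes:
    """8-byte route target extended community (type 0x00, subtype 0x02)."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, num)

def encode_membership(origin_as: int, target: bytes, plen: int = 96) -> bytes:
    """RFC 4684 NLRI: 1-byte prefix length, 4-byte origin AS, 8-byte route target."""
    body = struct.pack("!I", origin_as) + target
    return bytes([plen]) + body[:(plen + 7) // 8]

def parse_membership(nlri: bytes):
    """Return (origin_as, target_bytes, prefix_len); reject lengths RFC 4684 forbids."""
    plen = nlri[0]
    if plen != 0 and not 32 <= plen <= 96:
        raise ValueError(f"invalid route-target prefix length {plen}")
    body = nlri[1:]
    if len(body) != (plen + 7) // 8:
        raise ValueError("NLRI body does not match prefix length")
    body = body.ljust(12, b"\x00")
    return struct.unpack("!I", body[:4])[0], body[4:], plen

def show(nlri: bytes) -> str:
    """Render as origin-as:admin:assigned/len, the notation used for 0:0:0/0."""
    origin_as, target, plen = parse_membership(nlri)
    _, _, asn, num = struct.unpack("!BBHI", target)
    return f"{origin_as}:{asn}:{num}/{plen}"

def covers(nlri: bytes, target: bytes) -> bool:
    """True if the membership prefix covers this route target (default covers all)."""
    _, prefix, plen = parse_membership(nlri)
    shift = 64 - max(plen - 32, 0)
    return int.from_bytes(prefix, "big") >> shift == int.from_bytes(target, "big") >> shift

def routes_to_send(vpn_routes: dict, memberships: list) -> list:
    """VPN prefixes whose route targets the peer has asked for."""
    return [p for p, targets in vpn_routes.items()
            if any(covers(m, t) for m in memberships for t in targets)]

# Constructed sample data: VPN routes held by a route reflector.
VPN_ROUTES = {
    "10.1.0.0/16": [rt(65000, 100)],
    "10.2.0.0/16": [rt(65000, 200)],
    "10.3.0.0/16": [rt(65000, 100), rt(65000, 300)],
}
PE1 = [encode_membership(65000, rt(65000, 100))]   # imports target 65000:100 only
RR2 = [encode_membership(0, bytes(8), 0)]          # default route target

if __name__ == "__main__":
    print(show(PE1[0]), routes_to_send(VPN_ROUTES, PE1))
    print(show(RR2[0]), routes_to_send(VPN_ROUTES, RR2))
```

A peer that has advertised no membership at all receives no VPN routes in this model, which is the case the default route target exists to avoid for peers that must see everything.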