Thursday, August 29, 2013

Reduce BGP router utilization using ORF

Implementing outbound route filtering in BGP


The BGP Prefix Based Outbound Route Filtering feature uses Border Gateway Protocol (BGP) outbound route filter (ORF) send and receive capabilities to minimize the number of BGP updates that are sent between BGP peers. Configuring this feature can help reduce the amount of system resources required for generating and processing routing updates by filtering out unwanted routing updates at the source.

This feature is very useful when a customer router is receiving and filtering the full Internet routing table, which can be as heavy as 200 MB with over 300,000 prefixes. With ORF the router no longer has to process the filtered routes, which frees up a lot of system resources. In our example we have a couple of routers in a simple ISP-customer PE-CE network topology.



I will configure a simple BGP peering topology between the PE and the CE router. The CE router will receive the default route from the ISP router. The customer router does not need the full BGP routing table; maybe it is a stub router, or the default route is enough for all the Internet information the customer wants. To fulfill that scenario, a prefix list should be created to filter out the unnecessary routes. Before I apply a prefix list, let us look at the BGP table of the CE router. The routes installed are simulated from loopback addresses. This could also be a full Internet routing table in a production environment.


Now let us finish the peering and create a filter to choose only a couple of networks and a default route.

CE
router bgp 65535
 no synchronization
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 neighbor 192.168.1.2 remote-as 999
 neighbor 192.168.1.2 prefix-list ISP_IN in
 no auto-summary

ip prefix-list ISP_IN seq 10 permit 0.0.0.0/0
ip prefix-list ISP_IN seq 20 permit 10.10.10.0/24
ip prefix-list ISP_IN seq 30 permit 20.20.20.0/24

PE
router bgp 999
 no synchronization
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 redistribute connected
 neighbor 192.168.1.1 remote-as 65535
 neighbor 192.168.1.1 default-originate
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Null0

The filters are now working fine on the CE router. The BGP RIB is now much smaller and the CE router has only the desired routes we have assigned to it.

CE#sh ip bgp
BGP table version is 25, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          192.168.1.2                   0             0 999 i
*> 10.10.10.0/24    192.168.1.2              0             0 999 ?
*> 20.20.20.0/24    192.168.1.2              0             0 999 ?

But what happens under the hood can be seen in the debug BGP updates output. The router is denying all other routes from the PE router. In our case this is not a big problem because of the small RIB, but with the full Internet routing table this list could be very long and CPU intensive.


The CE router generates a DENIED message for every prefix that is not destined for the routing table. Generating these messages is a very CPU-intensive task for the router, and this is why we should try outbound route filtering.

Outbound route filtering is a dynamic mechanism, which means it has to be configured on both routers. As we have seen, the CE router is filtering the routes it receives from the PE router. With ORF in place, the CE router can send dynamic ORF messages to the PE router, informing it which updates should be sent over the peer connection. In other words, the CE router tells the PE router how to perform outbound filtering of the PE's routing table.

To implement it we can use two simple commands under the BGP process of the PE and CE routers.

CE(config-router)#neighbor 192.168.1.2 capability orf prefix-list send
PE(config-router)#neighbor 192.168.1.1 capability orf prefix-list receive

To verify the BGP neighbor capabilities on the CE router:

 AF-dependant capabilities:
    Outbound Route Filter (ORF) type (128) Prefix-list:
      Send-mode: advertised
      Receive-mode: received
  Outbound Route Filter (ORF): sent;
  Incoming update prefix filter list is ISP_IN
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               0          3 (Consumes 156 bytes)
    Prefixes Total:                 0          4
    Implicit Withdraw:              0          1
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          3
    Used as multipath:            n/a          0

We did not create a prefix filter on the PE router for the 3 routes the CE is interested in, but if we show the prefix filter received from the CE router we can verify that the PE has the current prefix list.

PE#sh ip bgp neighbors 192.168.1.1 received prefix-filter
Address family: IPv4 Unicast
ip prefix-list 192.168.1.1: 3 entries
   seq 10 permit 0.0.0.0/0
   seq 20 permit 10.10.10.0/24
   seq 30 permit 20.20.20.0/24
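
The effect of handing the CE's prefix list to the PE can be modelled offline. The following is an added example, not part of the original post or of Cisco's code: it parses the `ISP_IN` list shown above, applies IOS prefix-list matching (exact length unless `ge`/`le` is given, implicit deny at the end), and counts how many updates the PE sends and the CE denies with and without ORF. The `PE_TABLE` routes beyond the three from the post and the function names are constructed for illustration.

```python
import ipaddress
import re

ENTRY = re.compile(r"ip prefix-list \S+ seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?")

# The CE's inbound filter from the post.
ISP_IN = """
ip prefix-list ISP_IN seq 10 permit 0.0.0.0/0
ip prefix-list ISP_IN seq 20 permit 10.10.10.0/24
ip prefix-list ISP_IN seq 30 permit 20.20.20.0/24
"""

# Constructed PE table: the three wanted routes plus routes the CE does not want.
PE_TABLE = ["0.0.0.0/0", "10.10.10.0/24", "20.20.20.0/24", "30.30.30.0/24",
            "40.40.40.0/24", "50.50.50.0/24", "10.10.10.128/25"]

def parse_prefix_list(text):
    """Parse IOS 'ip prefix-list' lines into entries ordered by sequence number."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY.fullmatch(line.strip())
        if not m:
            continue
        seq, action, prefix, ge, le = m.groups()
        net = ipaddress.ip_network(prefix)
        # Without ge/le the route's prefix length must equal the entry's length.
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (32 if ge else net.prefixlen)
        entries.append((int(seq), action == "permit", net, lo, hi))
    return sorted(entries, key=lambda e: e[0])

def permitted(entries, route):
    """First matching entry decides; no match falls through to the implicit deny."""
    r = ipaddress.ip_network(route)
    for _, permit, net, lo, hi in entries:
        if lo <= r.prefixlen <= hi and r.network_address in net:
            return permit
    return False

def session(pe_table, ce_filter, orf):
    """Return (updates sent by PE, updates denied on CE, prefixes installed on CE)."""
    # With ORF the PE applies the CE's advertised prefix list as an outbound filter.
    sent = [p for p in pe_table if not orf or permitted(ce_filter, p)]
    installed = [p for p in sent if permitted(ce_filter, p)]
    return len(sent), len(sent) - len(installed), installed

if __name__ == "__main__":
    flt = parse_prefix_list(ISP_IN)
    print("without ORF:", session(PE_TABLE, flt, orf=False))
    print("with ORF:   ", session(PE_TABLE, flt, orf=True))
```

The installed routes are identical in both runs; only the number of updates crossing the link and being denied on the CE changes.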

The final verification is to look at the debug on the CE router once more. We should verify that ORF is reducing the DENIED messages on the CE router for the denied prefixes.


Looking at this debug, we can see that the CE router is now only receiving the prefixes that it requested. No extra BGP update overhead is getting into the RIB of the CE router. This greatly reduces the convergence time and offloads the CPU.
If we need to add more routes to the BGP routing table of the CE router, we can use a route refresh with the inbound prefix filter.

CE#clear ip bgp 999 in prefix-filter

For further, more granular use of ORF, see the Cisco guide on the web.

Feel free to comment.
