Saturday, March 8, 2014

BGP Outbound Route Filtering (ORF)

BGP is a very flexible routing protocol; some people prefer to call it a policy protocol, since its power is derived from its ability to accept, deny, alter and customize prefixes. The number of prefixes that BGP can handle is tremendous: the IPv4 Internet routing table is now close to 400,000 routes, and BGP is handling it just fine so far.
In normal operation, once a BGP neighborship is established, each neighbor sends all the best prefixes in its RIB to the other peer, and it is up to the receiving peer to accept or deny them. This can consume a lot of resources, since the receiving peer has to go through those prefixes one by one and pick the ones to accept.
To overcome this, BGP ORF (Outbound Route Filtering) is a capability negotiated between two BGP peers while the peering is being established. It allows the receiving peer to tell the sender exactly which prefixes it wants, which saves a lot of resources during the prefix exchange.

Consider the following topology



R6 is in AS500 and advertising six prefixes to R7 in AS600.
By default, the routers exchange all prefixes, and then the receiving router filters out the unwanted ones.

Let’s check what R6 is sending

R6#show ip bgp neighbors 7.7.7.7 advertised-routes
BGP table version is 23, local router ID is 192.168.6.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Originating default network 0.0.0.0

   Network          Next Hop            Metric LocPrf Weight Path
*> 6.6.6.6/32       0.0.0.0                  0         32768 ?
*> 10.6.7.0/24      0.0.0.0                  0         32768 ?
*> 192.168.1.0      0.0.0.0                  0         32768 ?
*> 192.168.2.0      0.0.0.0                  0         32768 ?
*> 192.168.3.0      0.0.0.0                  0         32768 ?
*> 192.168.4.0      0.0.0.0                  0         32768 ?
*> 192.168.5.0      0.0.0.0                  0         32768 ?
*> 192.168.6.0      0.0.0.0                  0         32768 ?

Total number of prefixes 8

Looking at how R7 is handling those prefixes

R7# : TX IPv4 Unicast Mem global 10 1 6.6.6.6 Changing state from WAIT to ACTIVE (ready).
*Mar  8 11:45:10.171: BGP: TX IPv4 Unicast Mem global 10 1 6.6.6.6 No refresh required.
*Mar  8 11:45:10.171: BGP: TX IPv4 Unicast Top global Collection done on marker 1 after 0 net(s).
*Mar  8 11:45:10.195: BGP(0): 6.6.6.6 rcvd UPDATE w/ attr: nexthop 6.6.6.6, origin ?, metric 0, merged path 500, AS_PATH
*Mar  8 11:45:10.199: BGP(0): 6.6.6.6 rcvd 6.6.6.6/32
*Mar  8 11:45:10.203: BGP(0): 6.6.6.6 rcvd 192.168.1.0/24
*Mar  8 11:45:10.203: BGP(0): 6.6.6.6 rcvd 192.168.2.0/24
*Mar  8 11:45:10.207: BGP(0): 6.6.6.6 rcvd 192.168.3.0/24
*Mar  8 11:45:10.207: BGP(0): 6.6.6.6 rcvd 192.168.4.0/24
*Mar  8 11:45:10.211: BGP(0): 6.6.6.6 rcvd 192.168.5.0/24
*Mar  8 11:45:10.215: BGP(0): 6.6.6.6 rcvd 192.168.6.0/24
*Mar  8 11:45:10.215: BGP(0): 6.6.6.6 rcvd 10.6.7.0/24
*Mar  8 11:45:11.043: BGP(0): Revise route installing 1 of 1 routes for 6.6.6.6/32 -> 6.6.6.6(global) to main IP table
*Mar  8 11:45:11.047: BGP: TX IPv4 Unicast Net global 6.6.6.6/32 Changed.
*Mar  8 11:45:11.051: BGP: TX IPv4 Unicast Net global 6.6.6.6/32 RIB done.
*Mar  8 11:45:11.051: BGP(0): Revise route installing 1 of 1 routes for 10.6.7.0/24 -> 6.6.6.6(global) to main IP table
*Mar  8 11:45:11.051: BGP: TX IPv4 Unicast Net global 10.6.7.0/24 Changed.
*Mar  8 11:45:11.055: BGP: TX IPv4 Unicast Net global 10.6.7.0/24 RIB done.
*Mar  8 11:45:11.055: BGP(0): Revise route installing 1 of 1 routes for 192.168.1.0/24 -> 6.6.6.6(global) to main IP table
*Mar  8 11:45:11.055: BGP: TX IPv4 Unicast Net global 192.168.1.0/24 RIB done.
*Mar  8 11:45:11.055: BGP(0): Revise route installing 1 of 1 routes for 192.168.2.0/24 -> 6.6.6.6(global) to main IP table
*Mar  8 11:45:11.055: BGP: TX IPv4 Unicast Net global 192.168.2.0/24 RIB done.
*Mar  8 11:45:11.055: BGP(0): Revise route installing 1 of 1 routes for 192.168.3.0/24 -> 6.6.6.6(global) to main IP table
*Mar  8 11:45:11.055: BGP: TX IPv4 Unicast Net global 192.168.3.0/24 RIB done.
*Mar  8 11:45:11.055: BGP(0): Revise route installing 1 of 1 routes for 192.168.4.0/24 -> 6.6.6.6(global) to main IP table
*Mar  8 11:45:11.055: BGP: TX IPv4 Unicast Net global 192.168.4.0/24 RIB done.
*Mar  8 11:45:11.055: BGP(0): Revise route installing 1 of 1 routes for 192.168.5.0/24 -> 6.6.6.6(global) to main IP table
*Mar  8 11:45:11.055: BGP: TX IPv4 Unicast Net global 192.168.5.0/24 RIB done.
*Mar  8 11:45:11.055: BGP(0): Revise route installing 1 of 1 routes for 192.168.6.0/24 -> 6.6.6.6(global) to main IP table
*Mar  8 11:45:11.055: BGP: TX IPv4 Unicast Net global 192.168.6.0/24 RIB done.
*Mar  8 11:45:11.055: BGP: TX IPv4 Unicast Tab RIB walk done version 9, added 1 topologies.
*Mar  8 11:45:11.055: BGP: TX IPv4 Unicast Tab Ready in READ-WRITE.
*Mar  8 11:45:11.055: BGP(0): Revise route installing 1 of 1 routes for 6.6.6.6/32 -> 6.6.6.6(global) to main IP table
*Mar  8 11:45:11.055: BGP: TX IPv4 Unicast Net global 6.6.6.6/32 RIB done.
*Mar  8 11:45:11.059: BGP(0): Revise route installing 1 of 1 routes for 10.6.7.0/24 -> 6.6.6.6(global) to main IP table
*Mar  8 11:45:11.059: BGP: TX IPv4 Unicast Net global 10.6.7.0/24 RIB done.
*Mar  8 11:45:11.087: BGP: TX IPv4 Unicast Mem global 10 1 6.6.6.6 Send EOR.

Let’s set an inbound prefix-list filter on R7 to deny all prefixes except 192.168.1.0/24 through 192.168.3.0/24, and clear the session:

R7#show run | i prefix-list
ip prefix-list ORF seq 5 permit 192.168.1.0/24
ip prefix-list ORF seq 10 permit 192.168.2.0/24
ip prefix-list ORF seq 15 permit 192.168.3.0/24
R7(config)#router bgp 600
R7(config-router)#neighbor 6.6.6.6 prefix-list ORF in

*Mar  8 12:37:09.239: BGP(0): 6.6.6.6 rcvd 6.6.6.6/32 -- DENIED due to: distribute/prefix-list;
*Mar  8 12:37:09.243: BGP(0): 6.6.6.6 rcvd 192.168.1.0/24
*Mar  8 12:37:09.247: BGP(0): 6.6.6.6 rcvd 192.168.2.0/24
*Mar  8 12:37:09.247: BGP(0): 6.6.6.6 rcvd 192.168.3.0/24
*Mar  8 12:37:09.251: BGP(0): 6.6.6.6 rcvd 192.168.4.0/24 -- DENIED due to: distribute/prefix-list;
*Mar  8 12:37:09.255: BGP(0): 6.6.6.6 rcvd 192.168.5.0/24 -- DENIED due to: distribute/prefix-list;
*Mar  8 12:37:09.255: BGP(0): 6.6.6.6 rcvd 192.168.6.0/24 -- DENIED due to: distribute/prefix-list;
*Mar  8 12:37:09.255: BGP(0): 6.6.6.6 rcvd 10.6.7.0/24 -- DENIED due to: distribute/prefix-list;
*Mar  8 12:37:10.047: BGP: TX IPv4 Unicast Net global 192.168.1.0/24 Changed.
*Mar  8 12:37:10.047: BGP: TX IPv4 Unicast Net global 192.168.2.0/24 Changed.
*Mar  8 12:37:10.047: BGP: TX IPv4 Unicast Net global 192.168.3.0/24 Changed.
*Mar  8 12:37:10.047: BGP(0): Revise route installing 1 of 1 routes for 192.168.1.0/24 -> 6.6.6.6(global) to main IP table
*Mar  8 12:37:10.051: BGP: TX IPv4 Unicast Net global 192.168.1.0/24 RIB done.
*Mar  8 12:37:10.055: BGP(0): Revise route installing 1 of 1 routes for 192.168.2.0/24 -> 6.6.6.6(global) to main IP table
*Mar  8 12:37:10.055: BGP: TX IPv4 Unicast Net global 192.168.2.0/24 RIB done.
*Mar  8 12:37:10.055: BGP(0): Revise route installing 1 of 1 routes for 192.168.3.0/24 -> 6.6.6.6(global) to main IP table
*Mar  8 12:37:10.055: BGP: TX IPv4 Unicast Net global 192.168.3.0/24 RIB done.

You can see that R7 filters the prefixes one by one. Now imagine that with the full Internet routing table of 400,000 prefixes. Not cool.

Now, let’s enable ORF on R6 and R7

R7(config)#router bgp 600
R7(config-router)#neighbor 6.6.6.6 capability orf prefix-list both

*Mar  8 12:08:18.983: BGP: TX IPv4 Unicast Mem global 12 1 6.6.6.6 Defered policy change (ORF use) while member is ACTIVE.
*Mar  8 12:08:18.987: BGP: TX IPv4 Unicast Mem global 12 1 6.6.6.6 Changing state from ACTIVE to BLOCKED (delayed config change).
*Mar  8 12:08:18.991: BGP: TX IPv4 Unicast Mem global 12 1 6.6.6.6 Progress position with version 44 (needs full).
*Mar  8 12:08:18.991: BGP: TX IPv4 Unicast Mem global 12 1 6.6.6.6 Removing from group (0 members left).
*Mar  8 12:08:18.995: BGP: TX IPv4 Unicast Rpl global 12 1 Deleted.
*Mar  8 12:08:18.995: BGP: TX IPv4 Unicast Rpl global 12 1 Releasing net bitfield index 0 (1 nets marked).
*Mar  8 12:08:18.995: BGP: TX IPv4 Unicast Wkr global 12 Cur Stop.
*Mar  8 12:08:18.995: BGP: TX IPv4 Unicast Wkr global 12 Cur Blocked (not in list).
*Mar  8 12:08:18.995: BGP: TX IPv4 Unicast Grp global 12 Deleted.
*Mar  8 12:08:18.999: BGP: TX IPv4 Unicast Tab Start reclaiming advertised bits.
*Mar  8 12:08:19.003: BGP: TX IPv4 Unicast Net global 6.6.6.6/32 Clearing bits.
*Mar  8 12:08:19.003: BGP: TX IPv4 Unicast Net global 10.6.7.0/24 Clearing bits.
*Mar  8 12:08:19.003: BGP: TX IPv4 Unicast Net global 192.168.1.0/24 Clearing bits.
*Mar  8 12:08:19.003: BGP: TX IPv4 Unicast Net global 192.168.2.0/24 Clearing bits.
*Mar  8 12:08:19.003: BGP: TX IPv4 Unicast Net global 192.168.3.0/24 Clearing bits.
*Mar  8 12:08:19.003: BGP: TX IPv4 Unicast Net global 192.168.4.0/24 Clearing bits.
*Mar  8 12:08:19.003: BGP: TX IPv4 Unicast Net global 192.168.5.0/24 Clearing bits.
*Mar  8 12:08:19.003: BGP: TX IPv4 Unicast Net global 192.168.6.0/24 Clearing bits.
*Mar  8 12:08:19.003: BGP: TX IPv4 Unicast Tab Done reclaiming advertised bits.

And let’s do the same on R6

R6(config)#router bgp 500
R6(config-router)#neighbor 7.7.7.7 capability orf prefix-list both

Clearing the session helps at this stage

Since the debug output will be too big, I’ve omitted some stuff

R7#clear ip bgp 6.6.6.6
*Mar  8 12:17:30.339: BGP: 6.6.6.6 active OPEN has CAPABILITY code: 130, length 7
*Mar  8 12:17:30.339: BGP: 6.6.6.6 active OPEN has ORF CAP for afi/safi: 1/1
*Mar  8 12:17:30.339: BGP: 6.6.6.6 active OPEN has Prefixlist ORF capability as BOTH for afi/safi: 1/1
*Mar  8 12:17:30.339: BGP: 6.6.6.6 active rcvd OPEN w/ optional parameter type 2 (Capability) len 6
*Mar  8 12:17:30.339: BGP: 6.6.6.6 active OPEN has CAPABILITY code: 65, length 4
*Mar  8 12:17:30.339: BGP: 6.6.6.6 active OPEN has 4-byte ASN CAP for: 500
*Mar  8 12:17:30.339: BGP: nbr global 6.6.6.6 neighbor does not have IPv4 MDT topology activated
*Mar  8 12:17:30.339: BGP: 6.6.6.6 active rcvd OPEN w/ remote AS 500, 4-byte remote AS 500
*Mar  8 12:17:31.307: BGP(0): 6.6.6.6 rcvd UPDATE w/ attr: nexthop 6.6.6.6, origin ?, metric 0, merged path 500, AS_PATH
*Mar  8 12:17:31.311: BGP(0): 6.6.6.6 rcvd 192.168.1.0/24
*Mar  8 12:17:31.315: BGP: TX IPv4 Unicast Net global 192.168.1.0/24 Changed.
*Mar  8 12:17:31.315: BGP(0): 6.6.6.6 rcvd 192.168.2.0/24
*Mar  8 12:17:31.319: BGP: TX IPv4 Unicast Net global 192.168.2.0/24 Changed.
*Mar  8 12:17:31.319: BGP(0): 6.6.6.6 rcvd 192.168.3.0/24
*Mar  8 12:17:31.323: BGP: TX IPv4 Unicast Net global 192.168.3.0/24 Changed.
*Mar  8 12:17:31.327: BGP(0): Revise route installing 1 of 1 routes for 192.168.1.0/24 -> 6.6.6.6(global) to main IP table
*Mar  8 12:17:31.331: BGP: TX IPv4 Unicast Net global 192.168.1.0/24 RIB done.
*Mar  8 12:17:31.331: BGP(0): Revise route installing 1 of 1 routes for 192.168.2.0/24 -> 6.6.6.6(global) to main IP table
*Mar  8 12:17:31.331: BGP: TX IPv4 Unicast Net global 192.168.2.0/24 RIB done.
*Mar  8 12:17:31.331: BGP(0): Revise route installing 1 of 1 routes for 192.168.3.0/24 -> 6.6.6.6(global) to main IP table
*Mar  8 12:17:31.331: BGP: TX IPv4 Unicast Net global 192.168.3.0/24 RIB done.
*Mar  8 12:17:31.331: BGP: TX IPv4 Unicast Tab RIB walk done version 69, added 1 topologies.
*Mar  8 12:17:31.331: BGP_Router: unhandled major event code 128, minor 0
*Mar  8 12:17:31.355: BGP: TX IPv4 Unicast Tab Executing.
*Mar  8 12:17:31.355: BGP: TX IPv4 Unicast Tab Generation completed.
*Mar  8 12:17:37.367: BGP: TX IPv4 Unicast Tab RIB walk done version 69, added 1 topologies.
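
The ORF capability reported in the OPEN debug lines above (code 130, length 7, afi/safi 1/1, BOTH) can be decoded with a short parser. This is an added example, not code from the original post: the byte layout follows RFC 5291, the sample bytes are constructed to match the debug lines, and the ORF type byte (128) is an assumed value the page does not show.

```python
import struct

# Send/Receive field values from RFC 5291; they also work as a bitmask.
RECEIVE, SEND = 1, 2
MODE_NAMES = {1: "receive", 2: "send", 3: "both"}

def parse_orf_capability(tlv: bytes) -> list:
    """Decode one BGP capability TLV carrying ORF entries (layout per RFC 5291)."""
    if len(tlv) < 2:
        raise ValueError("capability header truncated")
    code, length = tlv[0], tlv[1]
    value = tlv[2:]
    if length != len(value):
        raise ValueError(f"declared length {length}, got {len(value)} bytes")
    entries, off = [], 0
    while off < len(value):
        if len(value) - off < 5:
            raise ValueError("AFI/SAFI block truncated")
        # AFI (2 bytes), reserved (1), SAFI (1), number of ORF types (1)
        afi, _reserved, safi, count = struct.unpack_from("!HBBB", value, off)
        off += 5
        if len(value) - off < 2 * count:
            raise ValueError("ORF type list shorter than its count field")
        for _ in range(count):
            orf_type, mode = value[off], value[off + 1]
            off += 2
            if mode not in MODE_NAMES:
                raise ValueError(f"invalid Send/Receive value {mode}")
            entries.append({"code": code, "afi": afi, "safi": safi,
                            "orf_type": orf_type, "mode": mode})
    return entries

def can_push_filter(local_mode: int, peer_mode: int) -> bool:
    """True when the local router may send ORF entries and the peer accepts them."""
    return bool(local_mode & SEND) and bool(peer_mode & RECEIVE)

# Constructed sample matching the debug lines: code 130, length 7, AFI/SAFI 1/1,
# one ORF type with mode BOTH. The ORF type byte (128) is an assumed value.
SAMPLE_OPEN_CAP = bytes([130, 7, 0x00, 0x01, 0x00, 0x01, 0x01, 128, 3])

if __name__ == "__main__":
    for e in parse_orf_capability(SAMPLE_OPEN_CAP):
        print(e, MODE_NAMES[e["mode"]], can_push_filter(3, e["mode"]))
```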

During the OPEN message exchange, the ORF capability was negotiated between R6 and R7. After that, you can see that R7 received only three routes and didn’t have to deny anything. Let’s look at R6’s logs:

*Mar  8 13:52:03.571: BGP: TX IPv4 Unicast Wkr global 13 Cur Attr change from 0x0 to 0x68911F60.
*Mar  8 13:52:03.571: BGP: TX IPv4 Unicast Wkr global 13 Cur Net 6.6.6.6/32 Skipped.
*Mar  8 13:52:03.575: BGP: TX IPv4 Unicast Rpl global 13 1 Net 192.168.1.0/24 Set advertised bit (total 1).
*Mar  8 13:52:03.575: BGP: TX IPv4 Unicast Wkr global 13 Cur Net 192.168.1.0/24 Formatted.
*Mar  8 13:52:03.579: BGP: TX IPv4 Unicast Rpl global 13 1 Net 192.168.2.0/24 Set advertised bit (total 2).
*Mar  8 13:52:03.583: BGP: TX IPv4 Unicast Wkr global 13 Cur Net 192.168.2.0/24 Formatted.
*Mar  8 13:52:03.583: BGP: TX IPv4 Unicast Rpl global 13 1 Net 192.168.3.0/24 Set advertised bit (total 3).
*Mar  8 13:52:03.583: BGP: TX IPv4 Unicast Wkr global 13 Cur Net 192.168.3.0/24 Formatted.
*Mar  8 13:52:03.583: BGP: TX IPv4 Unicast Wkr global 13 Cur Net 192.168.4.0/24 Skipped.
*Mar  8 13:52:03.583: BGP: TX IPv4 Unicast Wkr global 13 Cur Net 192.168.5.0/24 Skipped.
*Mar  8 13:52:03.583: BGP: TX IPv4 Unicast Wkr global 13 Cur Net 192.168.6.0/24 Skipped.
*Mar  8 13:52:03.583: BGP: TX IPv4 Unicast Wkr global 13 Cur Net 10.6.7.0/24 Skipped.
*Mar  8 13:52:03.583: BGP: TX IPv4 Unicast Wkr global 13 Cur Reached marker with version 29.
*Mar  8 13:52:03.583: BGP: TX IPv4 Unicast Top global No attributes with modified nets.
*Mar  8 13:52:03.583: BGP: TX IPv4 Unicast Wkr global 13 Cur Replicating.
*Mar  8 13:52:03.583: BGP: TX IPv4 Unicast Wkr global 13 Cur Done (end of list), processed 1 attr(s), 3/8 net(s).
*Mar  8 13:52:03.583: BGP: TX IPv4 Unicast Grp global 13 Checking EORs (0/1).

From the output above, you can see that R6 didn’t set the advertised bit for any prefix except those requested by R7’s ORF prefix-list. This can drastically decrease the amount of time, memory and processing required on BGP routers.
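
A small model of the exchange traced above, as an added example (not from the original post, and not Cisco's implementation): it evaluates R7's prefix-list against R6's eight routes, with and without the sender applying it as an ORF. The `ge`/`le` handling goes beyond the exact-match entries on the page, and the receiver's own list is still evaluated on receipt, so a sender that does not apply the ORF shows up as routes denied on receipt.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

net = ipaddress.ip_network

@dataclass(frozen=True)
class Entry:
    seq: int
    permit: bool
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None   # minimum prefix length, if set
    le: Optional[int] = None   # maximum prefix length, if set

    def matches(self, route) -> bool:
        base = self.prefix.prefixlen
        lo = self.ge if self.ge is not None else base
        hi = self.le if self.le is not None else (32 if self.ge is not None else base)
        return route.subnet_of(self.prefix) and lo <= route.prefixlen <= hi

def permitted(entries, route) -> bool:
    """First match in sequence order wins; no match is an implicit deny."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.permit
    return False

def exchange(rib, receiver_list, sender_applies_orf: bool):
    """Model one table exchange; return (sent, accepted, denied_on_receipt)."""
    sent = [r for r in rib if not sender_applies_orf or permitted(receiver_list, r)]
    accepted = [r for r in sent if permitted(receiver_list, r)]
    denied = [r for r in sent if r not in accepted]
    return sent, accepted, denied

# R6's advertised routes and R7's prefix-list, both taken from the outputs above.
R6_RIB = [net(p) for p in ("6.6.6.6/32", "10.6.7.0/24", "192.168.1.0/24",
                           "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24",
                           "192.168.5.0/24", "192.168.6.0/24")]
R7_LIST = [Entry(5, True, net("192.168.1.0/24")),
           Entry(10, True, net("192.168.2.0/24")),
           Entry(15, True, net("192.168.3.0/24"))]

if __name__ == "__main__":
    for orf in (False, True):
        sent, accepted, denied = exchange(R6_RIB, R7_LIST, orf)
        print(f"ORF={orf}: sent {len(sent)}, accepted {len(accepted)}, "
              f"denied on receipt {len(denied)}")
```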