
Outbound Route Filters

When implementing large-scale MPLS VPN networks, sites belonging to different customers might not be connected to all the PE routers in the MPLS VPN domain. A PE router in the MPLS VPN network can, therefore, conserve resources by keeping only those VPNv4 routes that are to be imported into VRF instances configured on that PE router. To enable such filtering of VPNv4 route information, the PE router must be capable of filtering MP-iBGP updates so that information pertaining to these superfluous routes is not received. The procedure for filtering routes based on the VRF configuration on the PE routers is called automatic route filtering. Automatic route filtering is enabled by default on all Cisco routers that are configured as PE routers. The exception is a PE router that also performs the functions of a route-reflector. The route-reflector must be capable of receiving routes that might not be associated with any locally configured VRFs and reflecting them to its clients. Therefore, on a PE router functioning as a route-reflector, the automatic route filtering process is disabled to enable propagation of VPNv4 routes between route-reflector clients.

Automatic route filtering enables the PE router to reduce resource consumption by rejecting information not pertaining to the VRFs configured on the router. Automatic route filtering does not, however, prevent the superfluous routes from being received by the PE routers.

Outbound route filtering (ORF) enables a PE router to advertise to its peers outbound route filters that the peering PE routers can use when sending information to that PE router. The ORF feature on PE routers works in conjunction with the route-refresh BGP capability. The route-refresh BGP capability enables the PE router to request routing updates from its MP-iBGP peers after undergoing a configuration change. In the event of an addition, deletion, or modification of VRFs or their associated configurations on a PE router, the route-refresh capability enables the PE router to update its routing tables. The route-refresh feature is enabled by default on all Cisco routers configured for PE functionality. The ORF entries are exchanged during session establishment between two PE routers through the use of the BGP OPEN message as part of the route-refresh message. The format of a route-refresh message is shown in Figure 3-15.

Figure 3-15. Route-Refresh Message and Working of ORF


In large networks, the PE router might receive updates and then filter a list of unwanted routes based on its local inbound route filter. The ORF feature enables a PE router to push its inbound route filter to a remote peer and to apply a filter received from a remote peer as its outbound route filter. In VPNv4 route filtering, ORFs can be either prefix-based or extended-community based. The prefix-based ORF allows a PE to export and/or receive inbound route filter information with a peer based on the prefix associated with the route. In the extended-community based ORF, the PE can export and/or receive inbound route filter information based on the extended community attributes associated with a VPNv4 route. Because the RT values are coded as part of the extended-community attributes in VPNv4 routes, the ORF feature can be used to advertise a subset of RTs for which the PE router can receive VPNv4 routing information. This process essentially reduces the burden of superfluous routing information being propagated in the MP-iBGP backbone as the peering PE router does not send VPNv4 routes pertaining to the subset of RTs configured as part of the ORF.
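The following Python model is an added example, not taken from the book. It contrasts automatic route filtering (every update crosses the session and is then discarded) with an extended-community ORF (the sender filters on the RTs the receiver pushed), including a re-push after a VRF change. The route table, RT values, and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: frozenset          # route targets carried as extended communities

@dataclass
class PE:
    name: str
    import_rts: set         # union of the RTs imported by the locally configured VRFs
    is_route_reflector: bool = False
    received: list = field(default_factory=list)    # updates that crossed the session
    installed: list = field(default_factory=list)   # routes kept after inbound filtering

    def orf(self):
        """RT-based ORF this PE pushes to a peer (assumption: an RR pushes none)."""
        return None if self.is_route_reflector else frozenset(self.import_rts)

    def receive(self, updates):
        self.received = list(updates)
        # Automatic route filtering: drop routes matching no local VRF (disabled on an RR).
        self.installed = [r for r in updates
                          if self.is_route_reflector or r.rts & self.import_rts]

def send_updates(table, peer_orf=None):
    """Sender side: apply the peer's ORF as the outbound filter, if one was pushed."""
    if peer_orf is None:
        return list(table)
    return [r for r in table if r.rts & peer_orf]

def route_refresh(pe, sender_table, use_orf):
    """Model a refresh after a VRF change; returns (updates received, routes installed)."""
    pe.receive(send_updates(sender_table, pe.orf() if use_orf else None))
    return len(pe.received), len(pe.installed)

# Constructed VPNv4 table held by the remote PE.
TABLE = [
    Vpnv4Route("1:100", "172.16.10.0/24", frozenset({"1:100"})),
    Vpnv4Route("1:100", "172.16.20.0/24", frozenset({"1:100"})),
    Vpnv4Route("1:200", "192.168.10.0/24", frozenset({"1:200"})),
    Vpnv4Route("1:300", "192.168.20.0/24", frozenset({"1:300"})),
]

if __name__ == "__main__":
    pe1 = PE("PE1-AS1", {"1:100"})
    print("automatic filtering only:", route_refresh(pe1, TABLE, use_orf=False))
    print("with RT-based ORF:       ", route_refresh(pe1, TABLE, use_orf=True))
```

With only automatic route filtering the installed table is the same, but all four updates still cross the MP-iBGP session; with the ORF only the matching two are sent.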

Figure 3-16 shows the operation and sample configuration for implementation of a prefix-based ORF. PE1-AS1 is configured with an inbound prefix-list that is propagated using the ORF capability configuration to PE2-AS1. PE2-AS1 will not accept this filter if the command neighbor 10.10.10.1 capability orf prefix-list receive is configured under the VPNv4 address-family. The verification of the ORF application on PE2-AS1 is also illustrated in Figure 3-16 with the output of the show ip bgp neighbor command. The output of this command shows that the ORF has been received with two entries. Note that because this ORF applies only to VPNv4 routes learned from PE2-AS1, it does not affect regular IPv4 route exchanges between PE1-AS1 and PE2-AS1.

Figure 3-16. ORF Operation and Configuration

