BGP Fast Reroute Policy Control

This chapter provides information about BGP Fast Reroute Policy Control.

Topics in this chapter include:

Applicability

This chapter was initially based on SR OS Release 15.0.R4, but the CLI in the current edition is based on SR OS Release 22.10.R2.

Overview

BGP Fast Reroute (FRR) allows for precomputing multiple redundant BGP paths in the control plane and installing backup routes in the forwarding plane via indirection techniques. See the BGP Fast Reroute chapter for more information.

The BGP FRR Policy Control feature allows for selectively applying FRR for designated BGP prefixes. This allows an operator to develop separate service and redundancy models for different customers or services. It also allows for using data path resources required for BGP FRR in a more efficient way.

The BGP FRR policy control feature includes the install-backup-path policy action command. This command is supported in the following configuration contexts:

[/]
A:admin@PE-3# tree flat detail | match install-backup-path
configure groups group <string> policy-options policy-statement <string> default-action install-backup-path <boolean>
configure groups group <string> policy-options policy-statement <string> entry <string | number> action install-backup-path <boolean>
configure groups group <string> policy-options policy-statement <string> named-entry <string> action install-backup-path <boolean>
configure policy-options policy-statement <string> default-action install-backup-path <boolean>
configure policy-options policy-statement <string> entry <number> action install-backup-path <boolean>
configure policy-options policy-statement <string> named-entry <string> action install-backup-path <boolean>

The install-backup-path command is effective when configured in BGP-import or VRF-import policies. In cases where this command is configured in an import policy applied in the global bgp context, the command applies to the following types of routes:

  • IPv4

  • IPv6

  • Label-IPv4

  • 6PE

  • VPN-IPv4 (only if vpn-apply-import is configured in BGP)

  • VPN-IPv6 (only if vpn-apply-import is configured in BGP)

Community addition on PE-1 and PE-2 shows an example of community addition. Two prefixes, 10.1.0.0/16 and 10.2.0.0/16, are advertised by CE-4 to both of its peers, PE-1 and PE-2. The administrator of AS 64496 wants to apply FRR only for the 10.2.0.0/16 prefix that will eventually be advertised to and used on PE-3, and not for 10.1.0.0/16. To facilitate this procedure, an import policy is applied on both PE-1 and PE-2 for routes advertised by CE-4 in AS 64500. The import policy selects and adds a community value of "1:1" to the 10.2.0.0/16 prefix. No community is applied to 10.1.0.0/16.

Figure 1. Community addition on PE-1 and PE-2

FRR policy on PE-3 shows the FRR import policy applied on PE-3 for the routes received from PE-1 and PE-2. The policy matches routes with a community value of "1:1" and instructs the router to calculate and install a backup path for those matching routes.

Figure 2. FRR policy on PE-3

Configuration

The following configuration examples are in this section:

  • BGP FRR for address family IPv4 without FRR policy

  • BGP FRR for address family IPv4 with FRR policy

  • BGP with FRR policy for address family VPN-IPv4 using global BGP policy and vpn-apply-import

  • BGP with FRR policy for address family VPN-IPv4 using VRF-import policy

BGP FRR policy control feature for address family IPv4

Figure 3 shows the example topology used for the BGP FRR Policy Control feature for the IPv4 address family. The topology is similar to the one in the BGP Add-Path chapter, with the following characteristics:

  • CE-4 in AS 64500 advertises both prefixes 10.1.0.0/16 and 10.2.0.0/16 to its eBGP peers PE-1 and PE-2 in AS 64496.

  • RR-5 is route reflector for all PEs in AS 64496.

  • Add-path is configured on all PE routers and RR-5 with a sending limit of 2.

  • CE-6 in AS 64501 peers with PE-3 in AS 64496 and can send traffic to CE-4 in 64500.

Figure 3. Example topology - IPv4

Initial configuration

The initial configuration on all nodes includes:

  • Cards, MDAs, ports

  • Router interfaces

  • IS-IS as IGP on all interfaces within AS 64496 (alternatively, OSPF can be used)

  • LDP on all interfaces between the PEs in AS 64496, but not toward RR-5. LDP is used to create the transport tunnels that are bound to the VPRN services in the VPN-IPv4 address family section.

BGP is configured on all the nodes. CE-4 peers with PE-1 and PE-2 and exports prefixes 10.1.0.0/16 and 10.2.0.0/16 to both eBGP peers, as follows:

# on CE-4:
configure {
    policy-options {
        prefix-list "10.1.0.0/16" {
            prefix 10.1.0.0/16 type longer {
            }
        }
        prefix-list "10.2.0.0/16" {
            prefix 10.2.0.0/16 type longer {
            }
        }
        policy-statement "export-bgp" {
            entry 10 {
                from {
                    prefix-list ["10.1.0.0/16"]
                }
                action {
                    action-type accept
                }
            }
            entry 20 {
                from {
                    prefix-list ["10.2.0.0/16"]
                }
                action {
                    action-type accept
                }
            }
        }
    }
    router "Base" {
        autonomous-system 64500
        bgp {
            rapid-withdrawal true
            split-horizon true
            ebgp-default-reject-policy {
                import false
                export false
            }
            group "eBGP" {
                export {
                    policy ["export-bgp"]
                }
                peer-as 64496
            }
            neighbor "172.16.14.1" {
                group "eBGP"
            }
            neighbor "172.16.24.1" {
                group "eBGP"
            }
        }
    }

CE-4 also has configured the following loopback interfaces:

# on CE-4:
configure {
    router "Base" {
        interface "int-loopback-1" {
            ipv4 {
                primary {
                    address 10.1.1.1
                    prefix-length 16
                }
            }
            loopback
        }
        interface "int-loopback-2" {
            ipv4 {
                primary {
                    address 10.2.1.1
                    prefix-length 16
                }
            }
            loopback
        }

The BGP configuration on CE-6 is similar, except for the export policy.

PE-1 peers with CE-4 in AS 65400 and RR-5 in AS 64496. The BGP configuration on PE-1 is as follows:

# on PE-1:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            rapid-withdrawal true
            split-horizon true
            ebgp-default-reject-policy {
                import false
                export false
            }
            group "eBGP" {
                peer-as 64500
            }
            neighbor "172.16.14.2" {
                group "eBGP"
            }
            group "iBGP" {
                next-hop-self true
                peer-as 64496
                add-paths {
                    ipv4 {
                        send 2
                        receive true
                    }
                }
            }
            neighbor "192.0.2.5" {
                group "iBGP"
            }

The BGP configuration on PE-2 and PE-3 is similar to PE-1.

RR-5 acts as a route reflector to all the PEs in AS 64500 with a cluster ID of 5.5.5.5. The BGP configuration on RR-5 is as follows:

# on RR-5:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            rapid-withdrawal true
            split-horizon true
            ebgp-default-reject-policy {
                import false
                export false
            }
            group "iBGP" {
                cluster {
                    cluster-id 5.5.5.5
                }
                peer-as 64496
                add-paths {
                    ipv4 {
                        send 2
                        receive true
                    }
                }
            }
            neighbor "192.0.2.1" {
                group "iBGP"
            }
            neighbor "192.0.2.2" {
                group "iBGP"
            }
            neighbor "192.0.2.3" {
                group "iBGP"
            }

BGP FRR for address family IPv4 without FRR policy

PE-3 receives both prefixes from PE-1 and PE-2 via RR-5, but only uses the one from PE-1 (Nexthop: 192.0.2.1).

[/]
A:admin@PE-3# show router bgp routes
===============================================================================
 BGP Router ID:192.0.2.3        AS:64496       Local AS:64496      
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
u*>i  10.1.0.0/16                                        100         None
      192.0.2.1                                          10          10
      64500                                                          -
*i    10.1.0.0/16                                        100         None
      192.0.2.2                                          3           10
      64500                                                          -
u*>i  10.2.0.0/16                                        100         None
      192.0.2.1                                          11          10
      64500                                                          -
*i    10.2.0.0/16                                        100         None
      192.0.2.2                                          4           10
      64500                                                          -
-------------------------------------------------------------------------------
Routes : 4
===============================================================================

The following configuration is applied on PE-3 to enable BGP FRR:

# on PE-3:
configure {
    router "Base" {
        bgp {
            backup-path ipv4

PE-3 calculates and marks BGP routes from PE-2 as backup routes in the BGP routing table:

[/]
A:admin@PE-3# show router bgp routes
===============================================================================
 BGP Router ID:192.0.2.3        AS:64496       Local AS:64496      
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
u*>i  10.1.0.0/16                                        100         None
      192.0.2.1                                          10          10
      64500                                                          -
ub*i  10.1.0.0/16                                        100         None
      192.0.2.2                                          3           10
      64500                                                          -
u*>i  10.2.0.0/16                                        100         None
      192.0.2.1                                          11          10
      64500                                                          -
ub*i  10.2.0.0/16                                        100         None
      192.0.2.2                                          4           10
      64500                                                          -
-------------------------------------------------------------------------------
Routes : 4
===============================================================================

PE-3 installs BGP routes from PE-2 as backup routes in its route table:

[/]
A:admin@PE-3# show router route-table 10.0.0.0/8 longer alternative

===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                   Metric    
      Alt-NextHop                                                Alt-      
                                                                 Metric    
-------------------------------------------------------------------------------
10.1.0.0/16                                   Remote  BGP       00h02m47s  170
       192.168.13.1                                                 10
10.1.0.0/16 (Backup)                          Remote  BGP       00h02m47s  170
       192.168.23.1                                                 10
10.2.0.0/16                                   Remote  BGP       00h02m47s  170
       192.168.13.1                                                 10
10.2.0.0/16 (Backup)                          Remote  BGP       00h02m47s  170
       192.168.23.1                                                 10
-------------------------------------------------------------------------------
No. of Routes: 4
Flags: n = Number of times nexthop is repeated
       Backup = BGP backup route
       LFA = Loop-Free Alternate nexthop
       S = Sticky ECMP requested
===============================================================================

BGP FRR for address family IPv4 with FRR policy

The global BGP FRR activation command enabled on PE-3 in the previous step is removed from the configuration:

# on PE-3:
configure {
    router "Base" {
        bgp {
            backup-path delete ipv4

The following command output on PE-3 shows no community values attached to the prefix 10.2.0.0/16 advertised by PE-1 and PE-2:

[/]
A:admin@PE-3# show router bgp routes 10.2.0.0/16 detail | match '^Nexthop|Community'
Nexthop        : 192.0.2.1
Community      : No Community Members
Nexthop        : 192.0.2.1
Community      : No Community Members
Nexthop        : 192.0.2.2
Community      : No Community Members
Nexthop        : 192.0.2.2
Community      : No Community Members

The following policy is configured on PE-1 and PE-2 to add the BGP community "1:1" to the prefix 10.2.0.0/16 advertised by CE-4:

# on PE-1 and PE-2:
configure {
    policy-options {
        community "1:1" {
            member "1:1" { }
        }
        prefix-list "10.2.0.0/16" {
            prefix 10.2.0.0/16 type longer {
            }
        }
        policy-statement "add-bgp-community" {
            entry 10 {
                from {
                    prefix-list ["10.2.0.0/16"]
                }
                action {
                    action-type accept
                    community {
                        add ["1:1"]
                    }
                }
            }
        }

The policy is applied as a BGP-import policy on PE-1 and PE-2 for the eBGP group:

# on PE-1, PE-2:
configure {
    router "Base" {
        bgp {
            group "eBGP" {
                import {
                    policy ["add-bgp-community"]

PE-3 now shows the community value associated with prefix 10.2.0.0/16 as applied and advertised by PE-1 and PE-2:

[/]
A:admin@PE-3# show router bgp routes 10.2.0.0/16 detail | match '^Nexthop|Community'
Nexthop        : 192.0.2.1
Community      : 1:1
Nexthop        : 192.0.2.1
Community      : 1:1
Nexthop        : 192.0.2.2
Community      : 1:1
Nexthop        : 192.0.2.2
Community      : 1:1

The following policy is configured on PE-3 to selectively install a backup path only for prefixes with a community value equal to "1:1":

# on PE-3:
configure {
    policy-options {
        community "1:1" {
            member "1:1" { }
        }
        policy-statement "policy-bgp-frr-import" {
            entry 10 {
                from {
                    community {
                        name "1:1"
                    }
                }
                action {
                    action-type accept
                    install-backup-path true
                }
            }
        }

The policy is applied on PE-3 to selectively install a backup path only for prefixes with a community value equal to "1:1":

# on PE-3:
configure {
    router "Base" {
        bgp {
            group "iBGP" {
                import {
                    policy ["policy-bgp-frr-import"]

The following command output shows PE-3 has calculated a BGP FRR path only for prefix 10.2.0.0/16 indicated by the "b" (backup) flag:

[/]
A:admin@PE-3# show router bgp routes
===============================================================================
 BGP Router ID:192.0.2.3        AS:64496       Local AS:64496      
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
u*>i  10.1.0.0/16                                        100         None
      192.0.2.1                                          10          10
      64500                                                          -
*i    10.1.0.0/16                                        100         None
      192.0.2.2                                          3           10
      64500                                                          -
u*>i  10.2.0.0/16                                        100         None
      192.0.2.1                                          11          10
      64500                                                          -
ub*i  10.2.0.0/16                                        100         None
      192.0.2.2                                          4           10
      64500                                                          -
-------------------------------------------------------------------------------
Routes : 4
===============================================================================

The following command output shows PE-3 has installed a backup route only for prefix 10.2.0.0/16 in its route table:

[/]
A:admin@PE-3# show router route-table 10.0.0.0/8 longer alternative

===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                   Metric    
      Alt-NextHop                                                Alt-      
                                                                 Metric    
-------------------------------------------------------------------------------
10.1.0.0/16                                   Remote  BGP       00h09m48s  170
       192.168.13.1                                                 10
10.2.0.0/16                                   Remote  BGP       00h01m12s  170
       192.168.13.1                                                 10
10.2.0.0/16 (Backup)                          Remote  BGP       00h01m12s  170
       192.168.23.1                                                 10
-------------------------------------------------------------------------------
No. of Routes: 3
Flags: n = Number of times nexthop is repeated
       Backup = BGP backup route
       LFA = Loop-Free Alternate nexthop
       S = Sticky ECMP requested
===============================================================================

BGP with FRR policy for address family VPN-IPv4 using global BGP policy

Example topology - VPN-IPv4 shows the example topology used to illustrate the BGP FRR policy control feature for the VPN-IPv4 route family. CE-4 exports both prefixes 172.31.1.0/24 and 172.31.2.0/24 to VPRN 1 on PE-1 and PE-2.

Figure 4. Example topology - VPN-IPv4

VPRN 1 is configured on all PEs in AS 64496. The configuration of VPRN 1 is similar on all PEs; for example, for PE-1, the VPRN configuration is as follows:

# on PE-1:
configure {
    service {
        vprn "VPRN 1" {
            customer "1"
            service-id 1
            autonomous-system 64496
            interface "int-PE-1-CE-4-VPRN1" {
                ipv4 {
                    primary {
                        address 172.16.114.1
                        prefix-length 30
                    }
                }
                sap 1/1/c1/2:1 {
                }
            }
            bgp {
                split-horizon true
                ebgp-default-reject-policy {
                    import false
                    export false
                }
                group "eBGP-1" {
                    peer-as 64500
                }
                neighbor "172.16.114.2" {
                    group "eBGP-1"
                }
            }
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    route-distinguisher "64496:1"
                    vrf-target {
                        community "target:64496:1"
                    }
                    auto-bind-tunnel {
                        resolution any
                    }
                }
            }
            admin-state enable

On the CEs, the configuration is either in the base routing instance, with additional router interfaces and BGP neighbors, or in a VPRN. In this example, the following VPRN is configured on CE-4:

# on CE-4:
    service {
        vprn "VPRN 1" {
            customer "1"
            service-id 1
            autonomous-system 64500
            interface "int-CE-4-PE-1-VPRN1" {
                ipv4 {
                    primary {
                        address 172.16.114.2
                        prefix-length 30
                    }
                }
                sap 1/1/c1/1:1 {
                }
            }
            interface "int-CE-4-PE-2-VPRN1" {
                ipv4 {
                    primary {
                        address 172.16.124.2
                        prefix-length 30
                    }
                }
                sap 1/1/c1/2:1 {
                }
            }
            interface "loopback1-VPRN1" {
                ipv4 {
                    primary {
                        address 172.31.1.1
                        prefix-length 24
                    }
                }
                loopback true
            }
            interface "loopback2-VPRN1" {
                ipv4 {
                    primary {
                        address 172.31.2.1
                        prefix-length 24
                    }
                }
                loopback true
            }
            bgp {
                split-horizon true
                ebgp-default-reject-policy {
                    import false
                    export false
                }
                group "eBGP-1" {
                    export {
                        policy ["export-VPRN1"]
                    }
                    peer-as 64496
                }
                neighbor "172.16.114.1" {
                    group "eBGP-1"
                }
                neighbor "172.16.124.1" {
                    group "eBGP-1"
                }
            }
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    route-distinguisher "64500:1"
                }
            }
            admin-state enable

The export policy to export prefixes 172.31.1.0/24 and 172.31.2.0/24 is defined as follows:

# on CE-4:
configure {
    policy-options {
        prefix-list "172.31.0.0/16" {
            prefix 172.31.0.0/16 type longer {
            }
        }
        policy-statement "export-VPRN1" {
            entry 10 {
                from {
                    prefix-list ["172.31.0.0/16"]
                }
                action {
                    action-type accept
                }
            }
        }

The VPRN configuration on CE-6 is similar, but no prefix is exported from CE-6.

For all BGP speakers in AS 64496, BGP must be configured for address family VPN-IPv4 as well as for IPv4, as follows:

# on PE-1, PE-2, PE-3, RR-5:
configure {
    router "Base" {
        bgp {
            group "iBGP" {
                family {
                    ipv4 true
                    vpn-ipv4 true
                }

BGP add-path cannot be enabled in the bgp context within a VPRN. However, it can be enabled in the base routing instance for address family VPN-IPv4. This is done on all PEs and RR-5 at group level with the following command:

# on PE-1, PE-2, PE-3, RR-5:
configure {
    router "Base" {
        bgp {
            group "iBGP" {
                add-paths {
                    vpn-ipv4 {
                        send 2
                        receive true
                    }

The BGP configuration on PE-1 is as follows:

# on PE-1:
configure {
    router "Base" {
        bgp {
            rapid-withdrawal true
            split-horizon true
            ebgp-default-reject-policy {
                import false
                export false
            }
            group "eBGP" {
                peer-as 64500
                import {
                    policy ["add-bgp-community"]
                }
            }
            group "iBGP" {
                next-hop-self true
                peer-as 64496
                family {
                    ipv4 true
                    vpn-ipv4 true
                }
                add-paths {
                    ipv4 {
                        send 2
                        receive true
                    }
                    vpn-ipv4 {
                        send 2
                        receive true
                    }
                }
            }
            neighbor "172.16.14.2" {
                group "eBGP"
            }
            neighbor "192.0.2.5" {
                group "iBGP"
            }

With add-path enabled for address family VPN-IPv4, PE-1 and PE-2 will advertise their routes for prefixes 172.31.1.0/24 and 172.31.2.0/24 as VPN-IPv4 routes to RR-5. RR-5 will advertise both routes to its other RR clients. PE-3 receives two VPN-IPv4 routes for each of the prefixes 172.31.1.0/24 and 172.31.2.0/24, as follows:

[/]
A:admin@PE-3# show router bgp routes 172.31.0.0/16 vpn-ipv4 longer
===============================================================================
 BGP Router ID:192.0.2.3        AS:64496       Local AS:64496      
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
u*>i  64496:1:172.31.1.0/24                              100         None
      192.0.2.1                                          21          10
      64500                                                          524283
*>i   64496:1:172.31.1.0/24                              100         None
      192.0.2.2                                          9           10
      64500                                                          524283
u*>i  64496:1:172.31.2.0/24                              100         None
      192.0.2.1                                          20          10
      64500                                                          524283
*>i   64496:1:172.31.2.0/24                              100         None
      192.0.2.2                                          10          10
      64500                                                          524283
-------------------------------------------------------------------------------
Routes : 4
===============================================================================

The following policy is configured on PE-1 and PE-2 to include the community value "1:1" to prefix 172.31.2.0/24, as well as to the VPRN route target 64496:1 within entry 10. All the other routes are tagged with only the VPRN route target 64496:1 in entry 20.

# on PE-1 and PE-2:
configure {
    policy-options {
        community "1:1" {
            member "1:1" { }
        }
        community "target:64496:1" {
            member "target:64496:1" { }
        }
        prefix-list "172.31.2.0/24" {
            prefix 172.31.2.0/24 type longer {
            }
        }
        policy-statement "policy-export-VPRN1" {
            entry 10 {
                from {
                    prefix-list ["172.31.2.0/24"]
                }
                action {
                    action-type accept
                    community {
                        add ["1:1" "target:64496:1"]
                    }
                }
            }
            entry 20 {
                from {
                }
                action {
                    action-type accept
                    community {
                        add ["target:64496:1"]
                    }
                }
            }
        }

The policy is applied as a VRF-export policy in VPRN 1 on PE-1 and PE-2:

# on PE-1, PE-2:
configure {
    service {
        vprn "VPRN 1" {
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    vrf-export {
                        policy ["policy-export-VPRN1"]

On PE-3, prefix 172.31.1.0/24 is received with the community value of the VPRN route target only:

[/]
A:admin@PE-3# show router bgp routes 172.31.1.0/24 vpn-ipv4 hunt | match "Community"
Community      : target:64496:1
Community      : target:64496:1

However, prefix 172.31.2.0/24 is received with both community values "1:1" and "target:64496:1" from PE-1 and PE-2:

[/]
A:admin@PE-3# show router bgp routes 172.31.2.0/24 vpn-ipv4 hunt | match "Community"
Community      : 1:1 target:64496:1
Community      : 1:1 target:64496:1

The following command is applied on PE-3 to make the policy named "policy-bgp-frr-import", configured in the previous section for IPv4 routes, effective also on VPN-IPv4 routes:

# on PE-3:
configure {
    router "Base" {
        bgp {
            vpn-apply-import true

PE-3 now has a BGP backup path only for prefix 172.31.2.0/24, as indicated by the "b" (backup) flag:

[/]
A:admin@PE-3# show router bgp routes 172.31.0.0/16 vpn-ipv4 longer
===============================================================================
 BGP Router ID:192.0.2.3        AS:64496       Local AS:64496      
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
u*>i  64496:1:172.31.1.0/24                              100         None
      192.0.2.1                                          21          10
      64500                                                          524283
*>i   64496:1:172.31.1.0/24                              100         None
      192.0.2.2                                          9           10
      64500                                                          524283
u*>i  64496:1:172.31.2.0/24                              100         None
      192.0.2.1                                          20          10
      64500                                                          524283
ub*>i 64496:1:172.31.2.0/24                              100         None
      192.0.2.2                                          10          10
      64500                                                          524283
-------------------------------------------------------------------------------
Routes : 4
===============================================================================

PE-3 has installed a backup route only for prefix 172.31.2.0/24 in its VPRN route table:

[/]
A:admin@PE-3# show router 1 route-table 172.31.0.0/16 longer alternative

===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                   Metric    
      Alt-NextHop                                                Alt-      
                                                                 Metric    
-------------------------------------------------------------------------------
172.31.1.0/24                                 Remote  BGP VPN   00h01m47s  170
       192.0.2.1 (tunneled)                                         10
172.31.2.0/24                                 Remote  BGP VPN   00h01m47s  170
       192.0.2.1 (tunneled)                                         10
172.31.2.0/24 (Backup)                        Remote  BGP VPN   00h01m47s  170
       192.0.2.2 (tunneled)                                         10
-------------------------------------------------------------------------------
No. of Routes: 3
Flags: n = Number of times nexthop is repeated
       Backup = BGP backup route
       LFA = Loop-Free Alternate nexthop
       S = Sticky ECMP requested
===============================================================================

BGP with FRR policy for address family VPN-IPv4 using VRF-import policy

The vpn-apply-import command enabled in the previous section is removed from the BGP configuration on PE-3:

# on PE-3:
configure {
    router "Base" {
        bgp {
            delete vpn-apply-import

PE-3 removes the backup path for prefix 172.31.2.0/24:

[/]
A:admin@PE-3# show router 1 route-table 172.31.0.0/16 longer alternative

===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                   Metric    
      Alt-NextHop                                                Alt-      
                                                                 Metric    
-------------------------------------------------------------------------------
172.31.1.0/24                                 Remote  BGP VPN   00h01m36s  170
       192.0.2.1 (tunneled)                                         10
172.31.2.0/24                                 Remote  BGP VPN   00h01m36s  170
       192.0.2.1 (tunneled)                                         10
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
       Backup = BGP backup route
       LFA = Loop-Free Alternate nexthop
       S = Sticky ECMP requested
===============================================================================

The following policy is configured to selectively apply FRR for prefixes with a matching community value equal to "1:1" and "target:64496:1" on PE-3:

# on PE-3:
configure {
    policy-options {
        community "1:1" {
            member "1:1" { }
        }
        community "target:64496:1" {
            member "target:64496:1" { }
        }
        policy-statement "policy-import-VPRN1" {
            entry 10 {
                from {
                    community {
                        expression "[target:64496:1] AND [1:1]"
                    }
                }
                action {
                    action-type accept
                    install-backup-path true
                }
            }
            default-action {
                action-type accept
            }
        }

The policy is applied as a VRF-import policy in VPRN 1 on PE-3:

# on PE-3:
configure {
    service {
        vprn "VPRN 1" {
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    vrf-import {
                        policy ["policy-import-VPRN1"]

PE-3 again installs a backup path only for prefix 172.31.2.0/24 and not for 172.31.1.0/24:

[/]
A:admin@PE-3# show router 1 route-table 172.31.0.0/16 longer alternative

===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                   Metric    
      Alt-NextHop                                                Alt-      
                                                                 Metric    
-------------------------------------------------------------------------------
172.31.1.0/24                                 Remote  BGP VPN   00h01m42s  170
       192.0.2.1 (tunneled)                                         10
172.31.2.0/24                                 Remote  BGP VPN   00h01m42s  170
       192.0.2.1 (tunneled)                                         10
172.31.2.0/24 (Backup)                        Remote  BGP VPN   00h01m42s  170
       192.0.2.2 (tunneled)                                         10
-------------------------------------------------------------------------------
No. of Routes: 3
Flags: n = Number of times nexthop is repeated
       Backup = BGP backup route
       LFA = Loop-Free Alternate nexthop
       S = Sticky ECMP requested
===============================================================================

Conclusion

The BGP FRR policy control feature allows for selectively applying FRR for designated prefixes. The feature brings more flexibility and granularity to the BGP FRR implementation.