Route Policy Action to Suppress BGP Route Installation

This chapter describes Route Policy Action to Suppress BGP Route Installation.

Applicability

The information and MD-CLI configuration in this chapter are based on SR OS Release 20.5.R1. The route policy action to suppress BGP and BGP Labeled Unicast (BGP-LU) route installation in the route table and tunnel table associated with the BGP instance is supported in SR OS Release 19.10.R1 and later.

Overview

In some deployments, a Route Reflector (RR) or PE router receives many BGP routes that must be re-advertised to other peers but that do not need to be installed in the route table and Forwarding Information Base (FIB) of the RR or PE router itself. Network operators can suppress BGP route installation in the route table when they know that the router can forward the associated traffic anyway; for example, using a default or summary route. Suppressing BGP route installation saves CPM memory as well as FIB table space in the line cards.

The route-table-install false policy action only takes effect in BGP import policies and only for the IPv4, IPv6, label-IPv4, and label-IPv6 address families.

With this policy action in place, the following applies:

  • when a BGP unlabeled IPv4 or IPv6 route is received from a base router or VPRN BGP peer, the route is:

    • not installed in the Route Table Manager (RTM)

    • not downloaded to the IOMs for installation in the FIB tables

    • not available for CPM routing (for example, for control plane traffic)

    • not available to resolve other routes

  • when a BGP-LU IPv4 route is received from a base router or VPRN BGP peer, the route is:

    • not installed in the RTM and Tunnel Table Manager (TTM)

    • not downloaded to the IOMs for installation in the FIB tables

    • not available for CPM routing (for example, for control plane traffic)

    • not available as a tunnel to resolve other routes

    Note:

    If the BGP-LU IPv4 route is re-advertised with a new next-hop, the route-table-install false policy action does not prevent a new Incoming Label Map (ILM) label from being allocated for the route and programmed into the ILM tables of the line cards.

  • when a BGP-LU IPv6 route is received from a base router BGP peer, the route is:

    • not installed in the RTM

    • not downloaded to the IOMs for installation in the FIB tables

    • not available for CPM routing (for example, for control plane traffic)

    • not available to resolve other routes

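Usual BGP rules do not allow the advertising of inactive routes when advertise-inactive is not configured. However, routes marked by the route-table-install false policy action can be re-advertised, even if advertise-inactive is not configured toward the RIB-OUT peer and even if next-hop-self true is configured toward the RIB-OUT peer. Because of the latter, incorrect use of this feature can blackhole traffic: with next-hop-self, the router advertises itself as the next hop for a prefix that it has not installed, so peers send it traffic that it can only forward if another route (for example, a default or summary route) covers that prefix.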

Note:

The route-table-install false command at the BGP instance level does not allow a route to be advertised under next-hop-self conditions.

The route-table-install false policy action overrides the effect of the selective-label-ipv4-install true command. Even if a /32 BGP-LU route should be installed in the route table and tunnel table because it has a dependent service, the route-table-install false policy action suppresses the installation.

Configuration

Figure 1 shows the example topology for this feature.

Figure 1. Example topology

The initial configuration on the nodes includes:

  • Cards, MDAs, ports

  • Router interfaces

  • SR-ISIS (on RR-2 and PE-3 in AS 64500)

An eBGP session is established between PE-1 in AS 64501 and RR-2 in AS 64500, and an iBGP session between RR-2 and PE-3 in AS 64500 with next-hop-self true. The BGP configuration on RR-2 is as follows:

# on RR-2:
configure {
    router "Base" {
        bgp {
            split-horizon true
            ebgp-default-reject-policy {
                import true                # default
                export true                # default
            }
            next-hop-resolution {
                labeled-routes {
                    transport-tunnel {
                        family label-ipv4 {
                            resolution-filter {
                                ldp false
                                sr-isis true
                            }
                        }
                    }
                }
            }
            group "eBGP" {
                peer-as 64501
                local-as {
                    as-number 64500
                }
            }
            group "iBGP-IPv4" {
                peer-as 64500
                family {
                    ipv4 true
                    label-ipv4 true
                }
                cluster {
                    cluster-id 192.0.2.2
                }
            }
            neighbor "192.0.2.3" {
                group "iBGP-IPv4"
                next-hop-self true
            }
            neighbor "192.168.12.1" {
                group "eBGP"
                next-hop-self true
                family {
                    ipv4 true
                    label-ipv4 true
                }
            }
        }

Figure 2 shows that PE-1 advertises two BGP IPv4 routes and two BGP-LU IPv4 routes to RR-2:

  • BGP route 10.1.0.1/32 with community 1:1

  • BGP-LU route 10.2.0.1/32 with community 2:2

  • BGP route 10.131.0.1/32 without community

  • BGP-LU route 10.132.0.1/32 without community

Figure 2. PE-1 exports BGP IPv4 and BGP-LU IPv4 routes to RR-2

On PE-1, the following export policies are applied for BGP neighbor 192.168.12.2:

# on PE-1:
configure {
    policy-options {
        community "1:1" {
            member "1:1" { }
        }
        community "2:2" {
            member "2:2" { }
        }
        prefix-list "10.1.0.0/16" {
            prefix 10.1.0.0/16 type longer {
            }
        }
        prefix-list "10.131.0.0/16" {
            prefix 10.131.0.0/16 type longer {
            }
        }
        prefix-list "10.132.0.0/16" {
            prefix 10.132.0.0/16 type longer {
            }
        }
        prefix-list "10.2.0.0/16" {
            prefix 10.2.0.0/16 type longer {
            }
        }
        policy-statement "export-10.1" {
            entry 10 {
                from {
                    prefix-list ["10.1.0.0/16"]
                }
                to {
                    protocol {
                        name [bgp]
                    }
                }
                action {
                    action-type accept
                    community {
                        add ["1:1"]
                    }
                }
            }
        }
        policy-statement "export-10.131" {
            entry 10 {
                from {
                    prefix-list ["10.131.0.0/16"]
                }
                to {
                    protocol {
                        name [bgp]
                    }
                }
                action {
                    action-type accept
                }
            }
        }
        policy-statement "export-10.132" {
            entry 10 {
                from {
                    prefix-list ["10.132.0.0/16"]
                }
                to {
                    protocol {
                        name [bgp-label]
                    }
                }
                action {
                    action-type accept
                }
            }
        }
        policy-statement "export-10.2" {
            entry 10 {
                from {
                    prefix-list ["10.2.0.0/16"]
                }
                to {
                    protocol {
                        name [bgp-label]
                    }
                }
                action {
                    action-type accept
                    community {
                        add ["2:2"]
                    }
                }
            }
        }
    }
    router "Base" {
        autonomous-system 64501
        bgp {
            split-horizon true
            group "eBGP" {
                peer-as 64500
                local-as {
                    as-number 64501
                }
            }
            neighbor "192.168.12.2" {
                group "eBGP"
                next-hop-self true
                family {
                    ipv4 true
                    label-ipv4 true
                }
                export {
                    policy ["export-10.1" "export-10.2" "export-10.131" "export-10.132"]
                }
            }
        }

Initially, RR-2 has no import policy matching any of these four routes. The following BGP routes are received on RR-2:

[]
A:admin@RR-2# show router bgp routes
===============================================================================
 BGP Router ID:192.0.2.2        AS:64500       Local AS:64500
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
i     10.1.0.1/32                                        None        None
      192.168.12.1                                       None        0
      64501                                                          -
i     10.131.0.1/32                                      None        None
      192.168.12.1                                       None        0
      64501                                                          -
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

By default, all eBGP routes are rejected because no import policy is configured (ebgp-default-reject-policy import true), so the routes get the flags "Invalid IGP Rejected":

[]
A:admin@RR-2# show router bgp routes hunt | match "Flags"
Flags          : Invalid IGP Rejected
Flags          : Invalid IGP Rejected

The following BGP-LU routes are received on RR-2:

[]
A:admin@RR-2# show router bgp routes label-ipv4
===============================================================================
 BGP Router ID:192.0.2.2        AS:64500       Local AS:64500
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
i     10.2.0.1/32                                        None        None
      192.168.12.1                                       None        0
      64501                                                          524287
i     10.132.0.1/32                                      None        None
      192.168.12.1                                       None        0
      64501                                                          524287
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

These BGP-LU routes are also rejected, as follows:

[]
A:admin@RR-2# show router bgp routes label-ipv4 hunt | match "Flags"
Flags          : Invalid IGP Rejected
Flags          : Invalid IGP Rejected

None of these invalid routes is installed in the Route Table Manager (RTM), and RR-2 does not re-advertise any of them to PE-3.

route-table-install false policy action

On RR-2, an import policy is configured that only accepts and installs BGP routes with community "1:1" or "2:2"; all other routes match the policy default-action accept route-table-install false.

BGP IPv4 route 10.1.0.1/32 will be installed in the route table and BGP-LU IPv4 route 10.2.0.1/32 will be installed in the route table and tunnel table. However, BGP IPv4 route 10.131.0.1/32 will not be installed in the route table and BGP-LU IPv4 route 10.132.0.1/32 will not be installed in the route table and tunnel table. Suppression of BGP route installation in the RTM and in the Tunnel Table Manager (TTM) can be done when the router has other ways of forwarding the associated traffic; in this example, via a static route 10.128.0.0/9.

# on RR-2:
configure {
    policy-options {
        community "1:1" {
            member "1:1" { }
        }
        community "2:2" {
            member "2:2" { }
        }
        policy-statement "bgp-install-1:1-2:2" {
            entry 10 {
                from {
                    community {
                        name "1:1"
                    }
                }
                action {
                    action-type accept
                }
            }
            entry 20 {
                from {
                    community {
                        name "2:2"
                    }
                }
                action {
                    action-type accept
                }
            }
            default-action {
                action-type accept
                route-table-install false
            }
        }
    }
    router "Base" {
        bgp {
            group "eBGP" {
                peer-as 64501
                local-as {
                    as-number 64500
                }
            }
            neighbor "192.168.12.1" {
                group "eBGP"
                next-hop-self true
                family {
                    ipv4 true
                    label-ipv4 true
                }
                import {
                    policy ["bgp-install-1:1-2:2"]
                }
            }
        }
        static-routes {
            route 10.128.0.0/9 route-type unicast {
                next-hop "192.168.12.1" {
                    admin-state enable
                }
            }
        }

With this import policy, BGP route 10.1.0.1/32 is active, but route 10.131.0.1/32 is inactive, as follows:

[]
A:admin@RR-2# show router bgp routes
===============================================================================
 BGP Router ID:192.0.2.2        AS:64500       Local AS:64500
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
u*>i  10.1.0.1/32                                        None        None
      192.168.12.1                                       None        0
      64501                                                          -
*>i   10.131.0.1/32                                      None        None
      192.168.12.1                                       None        0
      64501                                                          -
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

In a similar way, BGP-LU IPv4 route 10.2.0.1/32 is active, but route 10.132.0.1/32 is inactive:

[]
A:admin@RR-2# show router bgp routes label-ipv4
===============================================================================
 BGP Router ID:192.0.2.2        AS:64500       Local AS:64500
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
u*>i  10.2.0.1/32                                        None        None
      192.168.12.1                                       None        0
      64501                                                          524287
*>i   10.132.0.1/32                                      None        None
      192.168.12.1                                       None        0
      64501                                                          524287
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

BGP route 10.131.0.1/32 and BGP-LU route 10.132.0.1/32 have the flag "Disable-RTM-Install" set, but both routes are advertised to the RIB-OUT peer PE-3, as follows:

[]
A:admin@RR-2# show router bgp routes hunt
===============================================================================
 BGP Router ID:192.0.2.2        AS:64500       Local AS:64500
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP IPv4 Routes
===============================================================================
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network        : 10.1.0.1/32
Nexthop        : 192.168.12.1
---snip---
Community      : 1:1
---snip---
Flags          : Used Valid Best IGP
---snip---

Network        : 10.131.0.1/32
Nexthop        : 192.168.12.1
---snip---
Community      : No Community Members
---snip---
Flags          : Valid Best IGP Disable-RTM-Install
---snip---
-------------------------------------------------------------------------------
RIB Out Entries
-------------------------------------------------------------------------------
Network        : 10.1.0.1/32
Nexthop        : 192.0.2.2
---snip---
Community      : 1:1
---snip---

Network        : 10.131.0.1/32
Nexthop        : 192.0.2.2
---snip---
Community      : No Community Members
---snip---
[]
A:admin@RR-2# show router bgp routes label-ipv4 hunt
===============================================================================
 BGP Router ID:192.0.2.2        AS:64500       Local AS:64500
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP Routes
===============================================================================
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network        : 10.2.0.1/32
Nexthop        : 192.168.12.1
---snip---
Community      : 2:2
---snip---
Flags          : Used Valid Best IGP
---snip---

Network        : 10.132.0.1/32
Nexthop        : 192.168.12.1
---snip---
Community      : No Community Members
---snip---
Flags          : Valid Best IGP Disable-RTM-Install
---snip---


-------------------------------------------------------------------------------
RIB Out Entries
-------------------------------------------------------------------------------
Network        : 10.2.0.1/32
Nexthop        : 192.0.2.2
---snip---
Community      : 2:2
---snip---
Network        : 10.132.0.1/32
Nexthop        : 192.0.2.2
---snip---
Community      : No Community Members
---snip---

On RR-2, the route table only has one BGP route and one BGP-LU route, as follows:

[]
A:admin@RR-2# show router route-table protocol bgp

===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
10.1.0.1/32                                   Remote  BGP       00h13m48s  170
       192.168.12.1                                                 0
-------------------------------------------------------------------------------
No. of Routes: 1
[]
A:admin@RR-2# show router route-table protocol bgp-label

===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
10.2.0.1/32                                   Remote  BGP_LABEL 00h13m48s  170
       192.168.12.1                                                 0
-------------------------------------------------------------------------------
No. of Routes: 1

On RR-2, the FIB contains BGP route 10.1.0.1/32, BGP-LU route 10.2.0.1/32, and static route 10.128.0.0/9:

[]
A:admin@RR-2# show router fib 1 ip-prefix-prefix-length 10.0.0.0/8 longer

===============================================================================
FIB Display
===============================================================================
Prefix [Flags]                                              Protocol
  NextHop
-------------------------------------------------------------------------------
10.1.0.1/32                                                 BGP
  192.168.12.1 (int-RR-2-PE-1)
10.2.0.1/32                                                 BGP_LABEL
  192.168.12.1 (int-RR-2-PE-1)
10.128.0.0/9                                                STATIC
  192.168.12.1 (int-RR-2-PE-1)
-------------------------------------------------------------------------------
Total Entries : 3
-------------------------------------------------------------------------------
===============================================================================

On RR-2, the tunnel table contains a BGP tunnel toward destination 10.2.0.1/32, but no tunnel toward destination 10.132.0.1/32, as follows:

[]
A:admin@RR-2# show router tunnel-table protocol bgp 

===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination           Owner     Encap TunnelId  Pref   Nexthop        Metric
   Color                                                              
-------------------------------------------------------------------------------
10.2.0.1/32           bgp       MPLS  262145    12     192.168.12.1   1000
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
       L = Loop-Free Alternate (LFA) hop available
       E = Inactive best-external BGP route
       k = RIB-API or Forwarding Policy backup hop
===============================================================================

RR-2 advertises both the active and the inactive/suppressed routes to RIB-OUT peer PE-3. The result is that, on PE-3, the route table contains both BGP routes and both BGP-LU routes:

[]
A:admin@PE-3# show router route-table protocol bgp

===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
10.1.0.1/32                                   Remote  BGP       00h11m38s  170
       192.168.23.1                                                 10
10.131.0.1/32                                 Remote  BGP       00h11m38s  170
       192.168.23.1                                                 10
-------------------------------------------------------------------------------
No. of Routes: 2
[]
A:admin@PE-3# show router route-table protocol bgp-label

===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
10.2.0.1/32                                   Remote  BGP_LABEL 00h11m38s  170
       192.0.2.2 (tunneled:SR-ISIS:0)                               10
10.132.0.1/32                                 Remote  BGP_LABEL 00h11m38s  170
       192.0.2.2 (tunneled:SR-ISIS:0)                               10
-------------------------------------------------------------------------------
No. of Routes: 2
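
The blackhole risk described in the overview can be checked mechanically from the two RR-2 outputs shown in this section. The following is an added example, not part of the original chapter or of any Nokia tooling: it collects every RIB-In prefix flagged "Disable-RTM-Install" from `show router bgp routes hunt` text and looks up the longest-match FIB entry that covers it. The function names and the `FIB_WITHOUT_STATIC` sample are assumptions made for the illustration; the other samples are abridged from the outputs above.

```python
import ipaddress
import re

FLAG = "Disable-RTM-Install"

# Abridged from the RR-2 "show router bgp routes hunt" outputs on this page
# (ipv4 and label-ipv4 outputs concatenated, ---snip--- lines dropped).
HUNT_SAMPLE = """\
RIB In Entries
Network        : 10.1.0.1/32
Nexthop        : 192.168.12.1
Flags          : Used Valid Best IGP
Network        : 10.131.0.1/32
Nexthop        : 192.168.12.1
Flags          : Valid Best IGP Disable-RTM-Install
RIB Out Entries
Network        : 10.131.0.1/32
Nexthop        : 192.0.2.2
RIB In Entries
Network        : 10.2.0.1/32
Flags          : Used Valid Best IGP
Network        : 10.132.0.1/32
Flags          : Valid Best IGP Disable-RTM-Install
RIB Out Entries
Network        : 10.132.0.1/32
Nexthop        : 192.0.2.2
"""

# Abridged from the RR-2 "show router fib 1" output on this page.
FIB_WITH_STATIC = """\
10.1.0.1/32                                                 BGP
  192.168.12.1 (int-RR-2-PE-1)
10.2.0.1/32                                                 BGP_LABEL
  192.168.12.1 (int-RR-2-PE-1)
10.128.0.0/9                                                STATIC
  192.168.12.1 (int-RR-2-PE-1)
"""

# Constructed for this example: the same FIB with the static route removed.
FIB_WITHOUT_STATIC = """\
10.1.0.1/32                                                 BGP
  192.168.12.1 (int-RR-2-PE-1)
10.2.0.1/32                                                 BGP_LABEL
  192.168.12.1 (int-RR-2-PE-1)
"""


def suppressed_prefixes(hunt_output):
    """Return RIB-In prefixes whose Flags line carries Disable-RTM-Install."""
    found, current, in_rib_in = [], None, False
    for raw in hunt_output.splitlines():
        line = raw.strip()
        if line.startswith("RIB In Entries"):
            in_rib_in, current = True, None
        elif line.startswith("RIB Out Entries"):
            in_rib_in, current = False, None  # RIB-Out entries carry no Flags
        elif in_rib_in:
            m = re.match(r"(Network|Flags)\s*:\s*(.+)", line)
            if not m:
                continue
            if m.group(1) == "Network":
                current = ipaddress.ip_network(m.group(2).strip(), strict=False)
            elif current is not None and FLAG in m.group(2).split():
                found.append(current)
    return found


def fib_entries(fib_output):
    """Return (network, protocol) pairs from the unindented prefix lines."""
    entries = []
    for line in fib_output.splitlines():
        m = re.match(r"^(\S+/\d+)\s+(\S+)\s*$", line)
        if not m:
            continue  # next-hop lines are indented, rulers have no prefix
        try:
            entries.append((ipaddress.ip_network(m.group(1)), m.group(2)))
        except ValueError:
            continue
    return entries


def covering_route(prefix, fib):
    """Longest-prefix match: most specific FIB entry containing prefix."""
    best = None
    for net, proto in fib:
        if net.version == prefix.version and prefix.subnet_of(net):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, proto)
    return best


def audit(hunt_output, fib_output):
    """Map each suppressed prefix to its covering FIB route, or None."""
    fib = fib_entries(fib_output)
    report = {}
    for prefix in suppressed_prefixes(hunt_output):
        cover = covering_route(prefix, fib)
        report[str(prefix)] = f"{cover[0]} ({cover[1]})" if cover else None
    return report


if __name__ == "__main__":
    for name, fib in (("with static", FIB_WITH_STATIC),
                      ("without static", FIB_WITHOUT_STATIC)):
        for prefix, cover in audit(HUNT_SAMPLE, fib).items():
            status = f"covered by {cover}" if cover else "NO FIB MATCH"
            print(f"[{name}] {prefix}: {status}")
```

A covering entry only shows that the FIB has some match for the prefix; whether its next hop actually leads toward the originator of the suppressed route still has to be verified, and a default route matches everything.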

route-table-install false command

The route-table-install false command in the BGP global context is mainly used for off-path route reflectors that do not participate in traffic forwarding.

This section describes the route-table-install false command in the general bgp context, in combination with the route-table-install false parameter, which is part of the policy framework (action or default-action).

The route-table-install false command in the general BGP context is configured as follows:

# on RR-2:
configure {
    router "Base" {
        bgp {
            route-table-install false
        }

The rest of the BGP configuration (including import policy) remains unchanged.

This route-table-install false command applies to all received BGP routes, so none of the BGP and BGP-LU routes received from PE-1 will be installed in the RTM and TTM. Therefore, all BGP and BGP-LU routes are inactive (in this example, the second route was already inactive because of the import policy).

[]
A:admin@RR-2# show router bgp routes
===============================================================================
 BGP Router ID:192.0.2.2        AS:64500       Local AS:64500
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
*>i   10.1.0.1/32                                        None        None
      192.168.12.1                                       None        0
      64501                                                          -
*>i   10.131.0.1/32                                      None        None
      192.168.12.1                                       None        0
      64501                                                          -
-------------------------------------------------------------------------------
Routes : 2
===============================================================================
[]
A:admin@RR-2# show router bgp routes label-ipv4
===============================================================================
 BGP Router ID:192.0.2.2        AS:64500       Local AS:64500
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
*>i   10.2.0.1/32                                        None        None
      192.168.12.1                                       None        0
      64501                                                          524287
*>i   10.132.0.1/32                                      None        None
      192.168.12.1                                       None        0
      64501                                                          524287
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

When a BGP route is suppressed by the route-table-install false command in the general BGP context, no flag is added. The "Disable-RTM-Install" flag is only present for the route when the route-table-install false policy action is matched. The following output shows that the first route did not get an additional flag:

[]
A:admin@RR-2# show router bgp routes hunt | match Flags
Flags          : Valid Best IGP                        #for BGP route 10.1.0.1/32
Flags          : Valid Best IGP Disable-RTM-Install    #for BGP route 10.131.0.1/32
[]
A:admin@RR-2# show router bgp routes label-ipv4 hunt | match Flags
Flags          : Valid Best IGP                        #for BGP-LU route 10.2.0.1/32
Flags          : Valid Best IGP Disable-RTM-Install    #for BGP-LU route 10.132.0.1/32

When the route-table-install false command is configured and next-hop-self true is configured toward the RIB-OUT peer, no BGP routes can be advertised for routes that are not installed in the RTM. In this example, the RIB-OUT toward PE-3 remains empty, as follows (the total number of routes equals the number of routes in the RIB-IN):

[]
A:admin@RR-2# show router bgp routes hunt | match "RIB Out Entries" pre-lines 2 post-lines 50
-------------------------------------------------------------------------------
RIB Out Entries
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Routes : 2
===============================================================================
[]
A:admin@RR-2# show router bgp routes label-ipv4 hunt | match "RIB Out Entries" pre-lines 2 post-lines 50
-------------------------------------------------------------------------------
RIB Out Entries
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

Conclusion

The route-table-install false policy action in a BGP import policy marks a route with the "Disable-RTM-Install" flag and still allows the route to be re-advertised to RIB-OUT peers, even when next-hop-self true is configured. Other routers in the network can install these routes in the route table and FIB.