BGP Add-Path Policy Control
This chapter provides information about BGP add-path policy control.
Topics in this chapter include:
Applicability
This chapter was initially based on SR OS Release 15.0.R4, but the CLI in the current edition corresponds to SR OS Release 22.10.R2.
Overview
BGP add-path allows for advertising multiple paths per prefix for faster convergence, load sharing, and reduction of routing churn. See the BGP Add-Path chapter for more information.
The BGP add-path policy control feature extends the functionality of BGP add-path, which was able to control the number of advertised paths per prefix per address family. This meant that all prefixes that belonged to an address family (such as IPv4, IPv6, and so on) were subject to the same sending limit imposed by the send <send-limit> command configured at the BGP instance, group, or neighbor level.
BGP add-path policy control adds the capability to configure the number of advertised paths on a per-prefix basis. The add-paths-send-limit route policy action allows overriding the sending limit in the bgp context for selected prefixes. This adds finer granularity to BGP add-path, where a global path limit is defined at the relevant BGP level and specific limits can be defined for exceptional prefixes at an import policy level.
A value between 1 and 16 is configurable for add-paths-send-limit.
BGP add-paths before policy control shows a topology for BGP add-paths before policy control.
In BGP add-paths before policy control, PE-2 receives two prefixes with three diverse paths from PE-1. PE-2 has a sending limit with a value of 3 configured at a BGP level that is applicable to PE-3. Therefore, PE-2 sends both prefixes with three different path IDs to PE-3.
BGP add-paths after policy control shows a topology for BGP add-paths after policy control.
In BGP add-paths after policy control, a BGP-import policy is applied on PE-2. The policy selectively applies a sending limit of 1 on the paths received for Prefix-2. Therefore, PE-2 sends only one path for Prefix-2 to PE-3, while the BGP level sending limit of 3 still applies for Prefix-1.
The policy action is only applicable for BGP-import policy and has no effect on BGP-export policy, VRF-import policy, or VRF-export policy. The reason for this is that the policy needs to be applied on the routes accepted into the RIB-IN, otherwise two or more paths may not be present.
The BGP-import policy does not match VPN-IP routes unless the vpn-apply-import command is configured in the BGP global base, group, or neighbor level.
The route policy only controls the number of advertised paths, not the set of paths.
Configuration
The following configuration examples are in this section:
BGP add-path for address family IPv4 without policy control
BGP add-path for address family IPv4 with policy control
BGP add-path for address family VPN-IPv4 with policy control
Example topology
Example topology - IPv4 shows the example topology used for the BGP add-path policy control feature for the IPv4 address family. The topology used is similar to the one in the BGP Add-Path chapter, with the following characteristics:
CE-4 in AS 64500 advertises both prefixes 10.1.0.0/16 and 10.2.0.0/16 to its eBGP peers PE-1 and PE-2 in AS 64496.
RR-5 is route reflector for all PEs in AS 64496.
add-path is configured on all PE routers and RR-5 with a sending limit of 2.
CE-6 in AS 64501 peers with PE-3 in AS 64496 and can send traffic to CE-4 in 64500.
Initial configuration
The initial configuration on all nodes includes:
Cards, MDAs, ports
Router interfaces
IS-IS as IGP on all interfaces within AS 64496 (alternatively, OSPF can be used)
LDP on all interfaces between the PEs in AS 64496, but not toward RR-5. LDP is used to create the transport tunnels that bind to the VPRN services in the VPN-IPv4 address family section.
BGP is configured on all the nodes. CE-4 peers with PE-1 and PE-2 and exports prefixes 10.1.0.0/16 and 10.2.0.0/16 to both eBGP peers, as follows:
# on CE-4:
configure
router
autonomous-system 64500
bgp
rapid-withdrawal
split-horizon
group "eBGP"
export "export-bgp"
peer-as 64496
neighbor 172.16.14.1
exit
neighbor 172.16.24.1
exit
exit
no shutdown
exit
policy-options
begin
prefix-list "10.1.0.0/16"
prefix 10.1.0.0/16 longer
exit
prefix-list "10.2.0.0/16"
prefix 10.2.0.0/16 longer
exit
policy-statement "export-bgp"
entry 10
from
prefix-list "10.1.0.0/16"
exit
action accept
exit
exit
entry 20
from
prefix-list "10.2.0.0/16"
exit
action accept
exit
exit
exit
commit
exit
interface "int-loopback-1"
address 10.1.1.1/16
loopback
no shutdown
exit
interface "int-loopback-2"
address 10.2.1.1/16
loopback
no shutdown
exit
The BGP configuration on CE-6 is similar, except for the export policy.
PE-1 peers with CE-4 in AS 64500 and RR-5 in AS 64496. The BGP configuration on PE-1 is as follows:
# on PE-1:
configure
router
autonomous-system 64496
bgp
rapid-withdrawal
split-horizon
group "eBGP"
peer-as 64500
neighbor 172.16.14.2
exit
exit
group "iBGP"
next-hop-self
peer-as 64496
add-paths
ipv4 send 2 receive
exit
neighbor 192.0.2.5
exit
exit
no shutdown
exit
The BGP configuration on PE-2 and PE-3 is similar to that of PE-1.
RR-5 acts as a route reflector to all the PEs in AS 64500 with a cluster ID of 5.5.5.5. The configuration on RR-5 is as follows:
# on RR-5:
configure
router
autonomous-system 64500
bgp
rapid-withdrawal
split-horizon
group "iBGP"
cluster 5.5.5.5
peer-as 64496
add-paths
ipv4 send 2 receive
exit
neighbor 192.0.2.1
exit
neighbor 192.0.2.2
exit
neighbor 192.0.2.3
exit
exit
no shutdown
exit
BGP add-path for address family IPv4 without policy control
RR-5 receives both the 10.1.0.0/16 and 10.2.0.0/16 prefixes with two paths from PE-1 and PE-2:
*A:RR-5# show router bgp routes
===============================================================================
BGP Router ID:192.0.2.5 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 10.1.0.0/16 100 None
192.0.2.1 2 10
64500 -
*i 10.1.0.0/16 100 None
192.0.2.2 2 10
64500 -
u*>i 10.2.0.0/16 100 None
192.0.2.1 1 10
64500 -
*i 10.2.0.0/16 100 None
192.0.2.2 1 10
64500 -
-------------------------------------------------------------------------------
Routes : 4
===============================================================================
RR-5 propagates these updates to its clients, for example to PE-3, as follows:
12 2023/01/25 17:04:01.502 CET MINOR: DEBUG #2001 Base Peer 1: 192.0.2.3
"Peer 1: 192.0.2.3: UPDATE
Peer 1: 192.0.2.3 - Send BGP UPDATE:
Withdrawn Length = 0
Total Path Attr Length = 41
Flag: 0x40 Type: 1 Len: 1 Origin: 0
Flag: 0x40 Type: 2 Len: 6 AS Path:
Type: 2 Len: 1 < 64500 >
Flag: 0x40 Type: 3 Len: 4 Nexthop: 192.0.2.1
Flag: 0x40 Type: 5 Len: 4 Local Preference: 100
Flag: 0x80 Type: 9 Len: 4 Originator ID: 192.0.2.1
Flag: 0x80 Type: 10 Len: 4 Cluster ID:
5.5.5.5
NLRI: Length = 14
10.1.0.0/16 Path-ID 9
10.2.0.0/16 Path-ID 12
"6 2023/01/25 17:03:34.502 CET MINOR: DEBUG #2001 Base Peer 1: 192.0.2.3
"Peer 1: 192.0.2.3: UPDATE
Peer 1: 192.0.2.3 - Send BGP UPDATE:
Withdrawn Length = 0
Total Path Attr Length = 41
Flag: 0x40 Type: 1 Len: 1 Origin: 0
Flag: 0x40 Type: 2 Len: 6 AS Path:
Type: 2 Len: 1 < 64500 >
Flag: 0x40 Type: 3 Len: 4 Nexthop: 192.0.2.2
Flag: 0x40 Type: 5 Len: 4 Local Preference: 100
Flag: 0x80 Type: 9 Len: 4 Originator ID: 192.0.2.2
Flag: 0x80 Type: 10 Len: 4 Cluster ID:
5.5.5.5
NLRI: Length = 14
10.1.0.0/16 Path-ID 3
10.2.0.0/16 Path-ID 4
"PE-3 receives both prefixes in its BGP routing table with two different paths (also, optionally, has ECMP and BGP multipath enabled as described in the BGP Add-Path chapter):
# on PE-3:
configure
router
ecmp 2
bgp
multi-path
maximum-paths 2
exit
*A:PE-3# show router bgp routes
===============================================================================
BGP Router ID:192.0.2.3 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 10.1.0.0/16 100 None
192.0.2.1 9 10
64500 -
u*>i 10.1.0.0/16 100 None
192.0.2.2 3 10
64500 -
u*>i 10.2.0.0/16 100 None
192.0.2.1 12 10
64500 -
u*>i 10.2.0.0/16 100 None
192.0.2.2 4 10
64500 -
-------------------------------------------------------------------------------
Routes : 4
===============================================================================
BGP add-path for address family IPv4 with policy control
The following policy is enabled on RR-5, which limits the number of advertised paths for prefix 10.2.0.0/16 to one:
# on RR-5
configure
router
policy-options
begin
prefix-list "10.2.0.0/16"
prefix 10.2.0.0/16 longer
exit
policy-statement "import-add-path"
entry 10
from
prefix-list "10.2.0.0/16"
exit
action accept
add-paths-send-limit 1
exit
exit
exit
commit
exit
bgp
group "iBGP"
import "import-add-path"
exit
RR-5 sends the following withdrawal message to PE-3:
1 2023/01/25 17:07:53.502 CET MINOR: DEBUG #2001 Base Peer 1: 192.0.2.3
"Peer 1: 192.0.2.3: UPDATE
Peer 1: 192.0.2.3 - Send BGP UPDATE:
Withdrawn Length = 7
10.2.0.0/16 Path-ID 4
Total Path Attr Length = 0
"PE-3 deletes the route with Path-ID 12 for prefix 10.2.0.0/16:
*A:PE-3# show router bgp routes
===============================================================================
BGP Router ID:192.0.2.3 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 10.1.0.0/16 100 None
192.0.2.1 9 10
64500 -
u*>i 10.1.0.0/16 100 None
192.0.2.2 3 10
64500 -
u*>i 10.2.0.0/16 100 None
192.0.2.1 12 10
64500 -
-------------------------------------------------------------------------------
Routes : 3
===============================================================================
BGP add-path for address family VPN-IPv4 with policy control
Example topology - VPN-IPv4 shows the example topology used for the BGP add-path policy control feature for VPN-IPv4 route family. The topology used is similar to the one used in the BGP Add-Path chapter. CE-4 exports both prefixes 172.31.1.0/24 and 172.31.2.0/24 to VPRN 1 on PE-1 and PE-2.
VPRN 1 is configured on all PEs in AS 64496. The configuration of VPRN 1 is similar on all PEs; for example, for PE-1, the VPRN configuration is as follows:
# on PE-1:
configure
service
vprn 1 name "VPRN 1" customer 1 create
autonomous-system 64496
route-distinguisher 64496:1
auto-bind-tunnel
resolution any
exit
vrf-target target:64496:1
interface "int-PE-1-CE-4-VPRN1" create
address 172.16.114.1/30
sap 1/1/c1/2:1 create
exit
exit
bgp
split-horizon
group "eBGP-1"
peer-as 64500
neighbor 172.16.114.2
exit
exit
no shutdown
exit
no shutdown
On the CEs, the configuration is either in the base routing instance, with additional router interfaces and BGP neighbors, or in a VPRN. In this example, the following VPRN is configured on CE-4:
# on CE-4:
configure
service
vprn 1 name "VPRN 1" customer 1 create
autonomous-system 64500
route-distinguisher 64500:1
interface "int-CE-4-PE-1-VPRN1" create
address 172.16.114.2/30
sap 1/1/c1/1:1 create
exit
exit
interface "int-CE-4-PE-2-VPRN1" create
address 172.16.124.2/30
sap 1/1/c1/2:1 create
exit
exit
interface "loopback1-VPRN1" create
address 172.31.1.1/24
loopback
exit
interface "loopback2-VPRN1" create
address 172.31.2.1/24
loopback
exit
bgp
split-horizon
group "eBGP-1"
export "export-VPRN1"
peer-as 64496
neighbor 172.16.114.1
exit
neighbor 172.16.124.1
exit
exit
no shutdown
exit
no shutdown
The export policy to export prefixes 172.31.1.0/24 and 172.31.2.0/24 is defined as follows:
# on CE-4:
configure
router
policy-options
begin
prefix-list "172.31.0.0/16"
prefix 172.31.0.0/16 longer
exit
policy-statement "export-VPRN1"
entry 10
from
prefix-list "172.31.0.0/16"
exit
action accept
exit
exit
exit
commit
The configuration on CE-6 is similar, but no prefix is exported from CE-6.
For all BGP speakers in AS 64496, BGP must be configured for address family VPN-IPv4 as well as for IPv4, as follows:
# on PE-1, PE-2, PE-3, RR-5:
configure
router
bgp
group "iBGP"
family ipv4 vpn-ipv4BGP add-path cannot be enabled in the bgp context within a VPRN. However, it can be enabled in the base routing instance for address family VPN-IPv4. This is done on all PEs and RR-5 at group level with the following configuration:
# on PE-1, PE-2, PE-3, RR-5:
configure
router
bgp
group "iBGP"
add-paths
vpn-ipv4 send 2 receive
exit
The BGP configuration on PE-1 is as follows:
# on PE-1:
configure
router
bgp
rapid-withdrawal
split-horizon
group "eBGP"
peer-as 64500
neighbor 172.16.14.2
exit
exit
group "iBGP"
family ipv4 vpn-ipv4
next-hop-self
peer-as 64496
add-paths
ipv4 send 2 receive
vpn-ipv4 send 2 receive
exit
neighbor 192.0.2.5
exit
exit
no shutdown
exit
With add-path enabled for address family VPN-IPv4, PE-1 and PE-2 advertise their routes for prefixes 172.31.1.0/24 and 172.31.2.0/24 as VPN-IPv4 routes to RR-5. RR-5 advertises both routes to its other RR clients. PE-3 receives two VPN-IPv4 routes for each of the prefixes 172.31.1.0/24 and 172.31.2.0/24, as follows:
*A:PE-3# show router bgp routes 172.31.0.0/16 vpn-ipv4 longer
===============================================================================
BGP Router ID:192.0.2.3 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 64496:1:172.31.1.0/24 100 None
192.0.2.1 19 10
64500 524284
u*>i 64496:1:172.31.1.0/24 100 None
192.0.2.2 4 10
64500 524284
u*>i 64496:1:172.31.2.0/24 100 None
192.0.2.1 18 10
64500 524284
u*>i 64496:1:172.31.2.0/24 100 None
192.0.2.2 5 10
64500 524284
-------------------------------------------------------------------------------
Routes : 4
===============================================================================
All routes are used because of the ECMP setting in VPRN 1:
# on PE-3:
configure
service
vprn "VPRN 1"
ecmp 2Alternatively, BGP FRR can be enabled for VPRN 1, as described in the BGP Add-Path chapter.
To limit the advertisement of prefix 172.31.2.0/24 to a single path, the following route policy is configured on RR-5:
# on RR-5:
configure
router
policy-options
begin
prefix-list "172.31.2.0/24"
prefix 172.31.2.0/24 longer
exit
policy-statement "import-add-path"
entry 20
from
prefix-list "172.31.2.0/24"
exit
action accept
add-paths-send-limit 1
exit
exit
exit
commit
The policy entry for prefix 172.31.2.0/24 can be configured in a new policy-statement or be added to an existing BGP policy (used for the previous IPv4 add-path policy section, for example).
If this is a new policy-statement, apply the policy in the group "iBGP" context on RR-5:
# on RR-5:
configure
router
bgp
group "iBGP"
import "import-add-path"At this point, PE-3 still has two paths for each of the prefixes:
*A:PE-3# show router bgp routes 172.31.0.0/16 vpn-ipv4 longer
===============================================================================
BGP Router ID:192.0.2.3 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 64496:1:172.31.1.0/24 100 None
192.0.2.1 19 10
64500 524284
u*>i 64496:1:172.31.1.0/24 100 None
192.0.2.2 4 10
64500 524284
u*>i 64496:1:172.31.2.0/24 100 None
192.0.2.1 18 10
64500 524284
u*>i 64496:1:172.31.2.0/24 100 None
192.0.2.2 5 10
64500 524284
-------------------------------------------------------------------------------
Routes : 4
===============================================================================
The following configuration is applied on RR-5 to make the BGP policy effective for VPN-IPV4 routes:
# on RR-5:
configure
router
bgp
vpn-apply-importUpon application of this configuration, RR-5 sends the following withdrawal to PE-3:
43 2023/01/25 17:12:57.502 CET MINOR: DEBUG #2001 Base Peer 1: 192.0.2.3
"Peer 1: 192.0.2.3: UPDATE
Peer 1: 192.0.2.3 - Send BGP UPDATE:
Withdrawn Length = 0
Total Path Attr Length = 26
Flag: 0x90 Type: 15 Len: 22 Multiprotocol Unreachable NLRI:
Address Family VPN_IPV4
172.31.2.0/24 RD 64496:1 Label 0 (Raw label 0x1) Path-ID 5
"PE-3 now has a single route for prefix 172.31.2.0/24 in its BGP routing table:
*A:PE-3# show router bgp routes 172.31.0.0/16 vpn-ipv4 longer
===============================================================================
BGP Router ID:192.0.2.3 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 64496:1:172.31.1.0/24 100 None
192.0.2.1 19 10
64500 524284
u*>i 64496:1:172.31.1.0/24 100 None
192.0.2.2 4 10
64500 524284
u*>i 64496:1:172.31.2.0/24 100 None
192.0.2.1 18 10
64500 524284
-------------------------------------------------------------------------------
Routes : 3
===============================================================================
PE-3 has installed a single route for prefix 172.31.2.0/24 in its VPRN route table:
*A:PE-3# show router 1 route-table 172.31.0.0/16 longer
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
172.31.1.0/24 Remote BGP VPN 00h02m43s 170
192.0.2.1 (tunneled) 10
172.31.1.0/24 Remote BGP VPN 00h02m43s 170
192.0.2.2 (tunneled) 10
172.31.2.0/24 Remote BGP VPN 00h01m14s 170
192.0.2.1 (tunneled) 10
-------------------------------------------------------------------------------
No. of Routes: 3
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
Conclusion
The BGP add-path policy control feature allows BGP speakers to advertise multiple distinct paths for the same prefix. The potential benefits of using BGP add-path policy control are increased granularity and flexibility in advertising multiple paths to BGP neighbors.