Technical Tip: BGP ORF6 (Outbound Route Filtering) for IPv6 Networks
| Description | This article describes controlling the received IPv6 routes from BGP on the local device. |
| Scope | FortiGate. |
| Solution | BGP Outbound Route Filtering (ORF) is used to minimize system resource consumption on firewalls that do not require the full routing table from their BGP neighbors. Instead of accepting all routes and applying an inbound filter locally, which consumes memory and CPU resources, the ORF capability lets the firewall dynamically request only the necessary routes from the neighbor. This significantly reduces processing overhead and improves efficiency by preventing unwanted routes from reaching the local device. In the configuration below, FGT2 sends its inbound IPv6 prefix list to FGT1 (`set capability-orf6 send` together with `set prefix-list-in6`), and FGT1 receives that list (`set capability-orf6 receive`) and applies it as an outbound filter toward FGT2, so the filtered prefixes are never sent across the BGP session. |

Configuration on FGT1 (the neighbor that receives the ORF entry and filters its own advertisements):

```
FGT1 (root) # show router bgp
config router bgp
    set as 65001
    set router-id 10.5.201.84
    config neighbor
        edit "2001:db8:0:12::2"
            set capability-orf6 receive    <------
            set soft-reconfiguration enable
            set soft-reconfiguration6 enable
            set remote-as 65002
        next
    end
    config network6
        edit 1
            set prefix6 2001:db8:0:121::/64
        next
        edit 2
            set prefix6 2001:db8:0:122::/64
        next
        edit 3
            set prefix6 2001:db8:0:123::/64
        next
    end
end
```

Configuration on FGT2 (the neighbor that sends its inbound prefix list as the ORF entry):

```
FGT2 (root) # show router bgp
config router bgp
    set as 65002
    set router-id 10.5.201.23
    config neighbor
        edit "2001:db8:0:12::1"
            set capability-orf6 send    <-----
            set soft-reconfiguration enable
            set soft-reconfiguration6 enable
            set prefix-list-in6 "Net_2001:db8:0:121::/64"    <-----
            set remote-as 65001
        next
    end
end
```

The IPv6 prefix list referenced by `prefix-list-in6` on FGT2 (with `ge` and `le` unset, the rule matches the /64 exactly):

```
FGT2 (root) # show router prefix-list6
config router prefix-list6
    edit "Net_2001:db8:0:121::/64"
        config rule
            edit 1
                set prefix6 2001:db8:0:121::/64
                unset ge
                unset le
            next
        end
    next
end
```

Routing table information prior to enabling ORF:

Before ORF is enabled, FGT1 advertises all available networks to FGT2, and FGT2 receives the complete set of advertised networks.

```
FGT1 (root) # get router info6 bgp neighbors 2001:db8:0:12::2 advertised-routes
VRF 0
BGP table version is 3, local router ID is 10.5.201.84
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network               Next Hop                                     Metric LocPrf Weight RouteTag Path
*> 2001:db8:0:121::/64   2001:db8:0:12::1(fe80::262:6fff:fe73:5401)          100   32768 0        i <-/->
*> 2001:db8:0:122::/64   2001:db8:0:12::1(fe80::262:6fff:fe73:5401)          100   32768 0        i <-/->
*> 2001:db8:0:123::/64   2001:db8:0:12::1(fe80::262:6fff:fe73:5401)          100   32768 0        i <-/->

Total number of prefixes 3
```

```
FGT2 (root) # get router info6 bgp neighbors 2001:db8:0:12::1 received-routes
VRF 0
BGP table version is 4, local router ID is 10.5.201.23
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network               Next Hop                                     Metric LocPrf Weight RouteTag Path
*> 2001:db8:0:121::/64   2001:db8:0:12::1(fe80::262:6fff:fe73:5401)      0              0 65001    i <-/->
*> 2001:db8:0:122::/64   2001:db8:0:12::1(fe80::262:6fff:fe73:5401)      0              0 65001    i <-/->
*> 2001:db8:0:123::/64   2001:db8:0:12::1(fe80::262:6fff:fe73:5401)      0              0 65001    i <-/->

Total number of prefixes 3
```

Routing table information after enabling ORF:

After enabling ORF, FGT1 advertises only the networks that are explicitly permitted by the ORF policy, ensuring that only the allowed routes are shared with FGT2.

```
FGT1 (root) # get router info6 bgp neighbors 2001:db8:0:12::2 advertised-routes
VRF 0
BGP table version is 3, local router ID is 10.5.201.84
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network               Next Hop                                     Metric LocPrf Weight RouteTag Path
*> 2001:db8:0:121::/64   2001:db8:0:12::1(fe80::262:6fff:fe73:5401)          100   32768 0        i <-/->

Total number of prefixes 1
```

```
FGT2 (root) # get router info6 bgp neighbors 2001:db8:0:12::1 received-routes
VRF 0
BGP table version is 2, local router ID is 10.5.201.23
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network               Next Hop                                     Metric LocPrf Weight RouteTag Path
*> 2001:db8:0:121::/64   2001:db8:0:12::1(fe80::262:6fff:fe73:5401)      0              0 65001    i <-/->

Total number of prefixes 1
```
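The following Python script is an added example, not part of the Fortinet article and not FortiGate code. It models the decision FGT1 makes once FGT2's prefix list arrives as an ORF entry: which of FGT1's three networks survive the filter, and whether a captured `received-routes` listing on FGT2 still contains prefixes the policy should have blocked. The `PrefixRule` class, the function names, and the sample listing are constructed for this example; the prefix-length semantics (unset `ge`/`le` means an exact length match, `ge` alone extends to /128, `le` alone starts at the rule's own length) are standard prefix-list behaviour and are assumed to apply here.

```python
"""Model a FortiGate prefix-list6 carried to the neighbor via BGP ORF6.

FGT2 sends its inbound prefix list (prefix-list-in6) to FGT1 as an ORF
entry; FGT1 then advertises only the routes that list permits. This script
reproduces that outbound decision on the page's three prefixes and checks a
captured 'received-routes' listing against the same policy. All names and
sample data below are constructed for the example (assumption).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_network
from typing import Optional


@dataclass(frozen=True)
class PrefixRule:
    """One 'config rule' entry of a prefix-list6 (constructed model)."""
    prefix: IPv6Network
    action: str = "permit"
    ge: Optional[int] = None   # 'unset ge' on the page -> None
    le: Optional[int] = None   # 'unset le' on the page -> None

    def matches(self, net: IPv6Network) -> bool:
        if not net.subnet_of(self.prefix):
            return False
        # Standard prefix-list length semantics (assumption):
        #   ge and le unset -> exact prefix length only
        #   ge set, le unset -> lengths from ge up to /128
        #   le set, ge unset -> lengths from the rule's own length up to le
        if self.ge is None and self.le is None:
            return net.prefixlen == self.prefix.prefixlen
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        high = self.le if self.le is not None else 128
        return low <= net.prefixlen <= high


def orf_permits(rules: list[PrefixRule], net: IPv6Network) -> bool:
    """First matching rule decides; no match is an implicit deny."""
    for rule in rules:
        if rule.matches(net):
            return rule.action == "permit"
    return False


def advertised_after_orf(rules: list[PrefixRule],
                         candidates: list[IPv6Network]) -> list[str]:
    """Routes FGT1 would still send once FGT2's ORF entry is installed."""
    return [str(n) for n in candidates if orf_permits(rules, n)]


# Matches the '*> <prefix> <next hop> ...' rows of the FortiGate BGP listing
ROUTE_LINE = re.compile(r"^\*>\s+(\S+/\d+)\s")


def parse_received_routes(text: str) -> list[str]:
    """Extract prefixes from 'get router info6 bgp neighbors ... received-routes'."""
    found = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if m:
            found.append(m.group(1))
    return found


def unexpected_routes(rules: list[PrefixRule], received_text: str) -> list[str]:
    """Prefixes present on the receiver that the ORF policy should have blocked."""
    return [p for p in parse_received_routes(received_text)
            if not orf_permits(rules, ip_network(p))]


# --- Constructed sample data mirroring the page's lab (not a live capture) ---
FGT2_PREFIX_LIST = [PrefixRule(ip_network("2001:db8:0:121::/64"))]  # unset ge / unset le

FGT1_NETWORKS = [ip_network(p) for p in ("2001:db8:0:121::/64",
                                          "2001:db8:0:122::/64",
                                          "2001:db8:0:123::/64")]

# Constructed excerpt in the format of the page's 'received-routes' output before ORF
RECEIVED_BEFORE_ORF = """\
   Network               Next Hop                                     Metric LocPrf Weight RouteTag Path
*> 2001:db8:0:121::/64   2001:db8:0:12::1(fe80::262:6fff:fe73:5401)      0              0 65001    i <-/->
*> 2001:db8:0:122::/64   2001:db8:0:12::1(fe80::262:6fff:fe73:5401)      0              0 65001    i <-/->
*> 2001:db8:0:123::/64   2001:db8:0:12::1(fe80::262:6fff:fe73:5401)      0              0 65001    i <-/->
"""

if __name__ == "__main__":
    print("advertised after ORF:", advertised_after_orf(FGT2_PREFIX_LIST, FGT1_NETWORKS))
    print("still received but not permitted:",
          unexpected_routes(FGT2_PREFIX_LIST, RECEIVED_BEFORE_ORF))
```

Running the script against the pre-ORF listing reports the two /64s that FGT2 would still be holding if the ORF entry had not taken effect; against the post-ORF listing the list is empty. The same check can be pointed at any saved `received-routes` output to confirm that the neighbor honoured the ORF entry rather than relying on the local inbound filter alone.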
