Description | This article describes controlling the received IPv6 routes from BGP on the local device. |
Scope | FortiGate. |
Solution |
BGP Outbound Route Filtering (ORF) is utilized to minimize system resource consumption on firewalls that do not require the full routing table from their BGP neighbors.
Instead of accepting all routes and applying an inbound filter locally - which consumes memory and CPU resources - the ORF capability allows the firewall to dynamically request only the necessary routes from the neighbor.
This significantly reduces the processing overhead and improves efficiency by preventing unwanted routes from reaching the local device.
FGT1 (root) # show router bgp
config router bgp
    set as 65001
    set router-id 10.5.201.84
    config neighbor
        edit "2001:db8:0:12::2"
            set capability-orf6 receive <------
            set soft-reconfiguration enable
            set soft-reconfiguration6 enable
            set remote-as 65002
        next
    end
    config network6
        edit 1
            set prefix6 2001:db8:0:121::/64
        next
        edit 2
            set prefix6 2001:db8:0:122::/64
        next
        edit 3
            set prefix6 2001:db8:0:123::/64
        next
    end
end
FGT2 (root) # show router bgp
config router bgp
    set as 65002
    set router-id 10.5.201.23
    config neighbor
        edit "2001:db8:0:12::1"
            set capability-orf6 send <-----
            set soft-reconfiguration enable
            set soft-reconfiguration6 enable
            set prefix-list-in6 "Net_2001:db8:0:121::/64" <-----
            set remote-as 65001
        next
    end
end
FGT2 (root) # show router prefix-list6
config router prefix-list6
    edit "Net_2001:db8:0:121::/64"
        config rule
            edit 1
                set prefix6 2001:db8:0:121::/64
                unset ge
                unset le
            next
        end
    next
end
Routing table information prior to enabling ORF:
Before ORF is enabled, FGT1 advertises all available networks to FGT2, and FGT2 receives the complete set of advertised networks.
FGT1 (root) # get router info6 bgp neighbors 2001:db8:0:12::2 advertised-routes
VRF 0 BGP table version is 3, local router ID is 10.5.201.84
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 2001:db8:0:121::/64
2001:db8:0:12::1(fe80::262:6fff:fe73:5401)
100 32768 0 i <-/->
*> 2001:db8:0:122::/64
2001:db8:0:12::1(fe80::262:6fff:fe73:5401)
100 32768 0 i <-/->
*> 2001:db8:0:123::/64
2001:db8:0:12::1(fe80::262:6fff:fe73:5401)
100 32768 0 i <-/->
Total number of prefixes 3
FGT2 (root) # get router info6 bgp neighbors 2001:db8:0:12::1 received-routes
VRF 0 BGP table version is 4, local router ID is 10.5.201.23
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 2001:db8:0:121::/64
2001:db8:0:12::1(fe80::262:6fff:fe73:5401)
0 0 65001 i <-/->
*> 2001:db8:0:122::/64
2001:db8:0:12::1(fe80::262:6fff:fe73:5401)
0 0 65001 i <-/->
*> 2001:db8:0:123::/64
2001:db8:0:12::1(fe80::262:6fff:fe73:5401)
0 0 65001 i <-/->
Total number of prefixes 3
Routing table information after enabling ORF:
After enabling ORF, FGT1 advertises only the networks that are explicitly permitted by the ORF policy, ensuring that only the allowed routes are shared with FGT2.
FGT1 (root) # get router info6 bgp neighbors 2001:db8:0:12::2 advertised-routes
VRF 0 BGP table version is 3, local router ID is 10.5.201.84
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 2001:db8:0:121::/64
2001:db8:0:12::1(fe80::262:6fff:fe73:5401)
100 32768 0 i <-/->
Total number of prefixes 1
FGT2 (root) # get router info6 bgp neighbors 2001:db8:0:12::1 received-routes
VRF 0 BGP table version is 2, local router ID is 10.5.201.23
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 2001:db8:0:121::/64
2001:db8:0:12::1(fe80::262:6fff:fe73:5401)
0 0 65001 i <-/->
Total number of prefixes 1
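The before/after comparison above can be checked automatically. The following Python sketch is an added example, not Fortinet code: it parses received-routes output in the layout shown above and reports any prefix that the ORF prefix list does not permit. The sample output is constructed from the listings above, and the ge/le handling assumes conventional prefix-list semantics (exact length when both are unset, implicit deny).

```python
import ipaddress
import re

# Constructed sample: received-routes output in the layout shown above,
# as FGT2 prints it before ORF takes effect.
SAMPLE_RECEIVED = """\
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 2001:db8:0:121::/64
2001:db8:0:12::1(fe80::262:6fff:fe73:5401)
0 0 65001 i <-/->
*> 2001:db8:0:122::/64
2001:db8:0:12::1(fe80::262:6fff:fe73:5401)
0 0 65001 i <-/->
*> 2001:db8:0:123::/64
2001:db8:0:12::1(fe80::262:6fff:fe73:5401)
0 0 65001 i <-/->
Total number of prefixes 3
"""

# Mirror of the prefix-list6 rule on FGT2 as (prefix, ge, le); None means unset.
ORF_RULES = [("2001:db8:0:121::/64", None, None)]

# A route line is one or more status codes followed by an IPv6 prefix.
ROUTE_RE = re.compile(r"^[*>sdhi]+\s+([0-9A-Fa-f:]+/\d{1,3})$")

def parse_prefixes(output):
    """Return the IPv6 networks listed in advertised-/received-routes output."""
    hits = (ROUTE_RE.match(line.strip()) for line in output.splitlines())
    return [ipaddress.IPv6Network(m.group(1)) for m in hits if m]

def permitted(net, rules):
    """True if net is inside a rule prefix and its length falls within [ge, le]."""
    for prefix, ge, le in rules:
        base = ipaddress.IPv6Network(prefix)
        # Assumed semantics: both unset = exact length; ge only = up to /128.
        lo = base.prefixlen if ge is None else ge
        hi = (base.prefixlen if ge is None else 128) if le is None else le
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return True
    return False  # assumed implicit deny when no rule matches

def audit(output, rules):
    """Return received prefixes that the ORF prefix list does not permit."""
    return [str(n) for n in parse_prefixes(output) if not permitted(n, rules)]

if __name__ == "__main__":
    print("unexpected prefixes:", audit(SAMPLE_RECEIVED, ORF_RULES) or "none")
```

An empty result from `audit` on FGT2's received-routes output indicates the neighbor is honoring the ORF request; any listed prefix is still being sent despite the filter.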
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.