Route-Reflector-Allow-Outbound-Policy

Scenario to verify BGP route-reflector allow-outbound-policy parameter.

By default, a Route Reflector does not apply outbound route-maps to routes it reflects to its iBGP clients. This is because reflected routes should maintain their original attributes to ensure consistent routing decisions across the network. The route-reflector allow-outbound-policy parameter changes this behavior, allowing the RR to apply export route-maps to reflected routes.

This is useful in scenarios where the RR needs to modify attributes like MED, community, or AS-path prepend for routes being reflected to specific clients. In this test, DUT0 acts as a Route Reflector for DUT1 and DUT2. DUT1 announces a route, and DUT0 has an export route-map configured toward DUT2 that sets MED to 500. Without the allow-outbound-policy parameter, the route-map is ignored. With it enabled, the MED modification takes effect on the reflected route.

Test BGP Route Reflector Allow Outbound Policy

Description

This test demonstrates the effect of route-reflector allow-outbound-policy on Route Reflector behavior. DUT0 (RR) has an export route-map configured toward DUT2 that sets MED to 500. Without allow-outbound-policy, the route-map is ignored and the reflected route from DUT1 reaches DUT2 with its original MED (0). After enabling allow-outbound-policy, the route-map is applied and DUT2 receives the route with MED 500.

Scenario

Note

First we configure the Route Reflector with an export route-map but without allow-outbound-policy. The route-map sets MED to 500, but it should NOT be applied to reflected routes by default.

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.10.0.1/24
set interfaces ethernet eth1 address 20.20.0.1/24
set protocols bgp 100 neighbor client1 remote-address 10.10.0.2
set protocols bgp 100 neighbor client1 remote-as 100
set protocols bgp 100 neighbor client1 route-reflector-client
set protocols bgp 100 neighbor client2 nexthop-self force
set protocols bgp 100 neighbor client2 remote-address 20.20.0.2
set protocols bgp 100 neighbor client2 remote-as 100
set protocols bgp 100 neighbor client2 route-map export SET-MED
set protocols bgp 100 neighbor client2 route-reflector-client
set protocols route-map SET-MED rule 1 action permit
set protocols route-map SET-MED rule 1 set metric 500
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 1.1.1.1/24
set interfaces ethernet eth0 address 10.10.0.2/24
set protocols bgp 100 neighbor rr remote-address 10.10.0.1
set protocols bgp 100 neighbor rr remote-as 100
set protocols bgp 100 redistribute connected
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth1 address 20.20.0.2/24
set protocols bgp 100 neighbor rr remote-address 20.20.0.1
set protocols bgp 100 neighbor rr remote-as 100
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Attention

Verify iBGP sessions establish between DUT0 (RR) and both clients.

Step 4: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:

10.10.0.2.*Established[\s\S]+20.20.0.2.*Established

Show output

IPv4 Unicast Summary:
BGP router identifier 20.20.0.1, local AS number 100 VRF default vrf-id 0
BGP table version 2
RIB entries 3, using 384 bytes of memory
Peers 2, using 47 KiB of memory

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
10.10.0.2       10.10.0.1       4        100         5         5        2    0    0 00:00:02  Established        2        2 FRRouting/10.4.1
20.20.0.2       20.20.0.1       4        100         3         4        2    0    0 00:00:01  Established        0        2 FRRouting/10.4.1

Total number of neighbors 2

Attention

Verify DUT2 receives the reflected route 1.1.1.0/24.

Step 5: Run command protocols bgp show ip at DUT2 and check if output matches the following regular expressions:

1.1.1.0/24

Show output

BGP table version is 2, local router ID is 20.20.0.2, vrf id 0
Default local pref 100, local AS 100
local address -
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 1.1.1.0/24       20.20.0.1                0    100      0 ?
 *>i 10.10.0.0/24     20.20.0.1                0    100      0 ?

Displayed 2 routes and 2 total paths

Note

Without allow-outbound-policy, the export route-map is NOT applied to reflected routes. The route should have MED 0 (default) instead of 500.

Step 6: Run command protocols bgp show ip 1.1.1.0/24 at DUT2 and check if output matches the following regular expressions:

metric 0

Show output

BGP routing table entry for 1.1.1.0/24, version 1
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Local
    20.20.0.1 from 20.20.0.1 (10.10.0.2)
      Origin incomplete, metric 0, localpref 100, valid, internal, best (First path received)
      Originator: 10.10.0.2, Cluster list: 20.20.0.1
      Last update: Thu Mar  5 14:58:52 2026

Note

Now we enable allow-outbound-policy so the export route-map applies to reflected routes.

Step 7: Modify the following configuration lines in DUT0 :

set protocols bgp 100 parameters route-reflector allow-outbound-policy

Attention

Verify iBGP sessions remain established after configuration change.

Step 8: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:

10.10.0.2.*Established[\s\S]+20.20.0.2.*Established

Show output

IPv4 Unicast Summary:
BGP router identifier 20.20.0.1, local AS number 100 VRF default vrf-id 0
BGP table version 2
RIB entries 3, using 384 bytes of memory
Peers 2, using 47 KiB of memory

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
10.10.0.2       10.10.0.1       4        100         5         8        2    0    0 00:00:03  Established        2        2 FRRouting/10.4.1
20.20.0.2       20.20.0.1       4        100         3         8        2    0    0 00:00:02  Established        0        2 FRRouting/10.4.1

Total number of neighbors 2

Attention

Verify DUT2 now receives the reflected route with MED 500 applied by the export route-map.

Step 9: Run command protocols bgp show ip 1.1.1.0/24 at DUT2 and check if output matches the following regular expressions:

metric 500

Show output

BGP routing table entry for 1.1.1.0/24, version 3
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Local
    20.20.0.1 from 20.20.0.1 (10.10.0.2)
      Origin incomplete, metric 500, localpref 100, valid, internal, best (First path received)
      Originator: 10.10.0.2, Cluster list: 20.20.0.1
      Last update: Thu Mar  5 14:58:53 2026

---