BGP Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

VPN route limit on route reflectors

Overview

This section explains how to configure route reflectors to limit the number of routes accepted per VPN, to optimize resource usage and maintain performance.

The VPN route limit is a feature that

  • allows you to configure Route Reflectors (RRs) to retain only a certain number of unique network entries for each VPN

  • defines this limit by a set of Route Targets (RTs) associated with the VPN, and

  • ensures the resources of the RR are used efficiently.

Per-VPN configuration

You can set the maximum number of routes an RR accepts from a particular VPN, which ensures the resources of the RR are used efficiently. The limit is configured per VPN, so each VPN can have a unique limit based on its individual requirements.

Selective route dropping

When the number of routes configured for a VPN reaches the limit, the RR drops all later routes learned from that VPN. This drop action is specific to the VPN that has exceeded its limit, and it does not affect other VPNs or active BGP sessions.


How the route count mechanism works

Summary

The key components involved in the process are:

  • BGP: Maintains a route count for each unique set of RTs.

  • Route Reflector (RR): Accepts or drops paths based on the route count and limit.

  • Route Target (RT)-set: A unique set of RTs associated with a VPN.

  • Prefixes: Network entries with at least one path tagged with a corresponding RT-set.

  • Inbound Route Policy Language (RPL) policy: Evaluates incoming paths and sets the RT-set limit.

BGP maintains a route count for each unique set of Route Targets (RTs) to determine route acceptance or dropping based on a configured VPN route limit.

Workflow

These stages describe how the route count mechanism works.

  1. BGP maintains a route count for each unique set of RTs. This count reflects the number of prefixes that have at least one path tagged with the corresponding RT-set.
  2. The count increments by one for each prefix. This occurs regardless of the number of paths sharing the same RT-set.
  3. When BGP receives a path from a neighbor, it evaluates the path against the inbound RPL policy.
  4. The inbound RPL sets an RT-set limit for the path.
  5. BGP checks the current count for the RT-set.
  6. If the count is below the limit, or if the prefix already has a path with the same RT-set, BGP accepts the path.
  7. Otherwise, BGP drops the path.
  8. If the number of routes configured for a VPN reaches the limit, the RR drops all subsequent routes learned from that VPN. This drop action is specific to the VPN that exceeded its limit. It does not affect other VPNs or active BGP sessions.
  9. In scenarios with multiple RRs, a path accepted by one RR results in identical paths from other RRs also being accepted. This promotes network consistency.

Result

BGP consistently manages VPN routes on RRs, ensuring efficient resource use and adherence to configured limits.
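The workflow above, replayed as a small model. This is an added example, not Cisco code: the `RouteReflector` class, the `policy` stand-in for the inbound RPL, the limits (2 and 3), the neighbor addresses and the updates are all constructed, and withdrawals are not modeled. It shows that a second path for a counted prefix is accepted at the limit, that one VPN hitting its limit leaves another untouched, and that the surviving routes depend on arrival order.

```python
# Toy model of the RR route-count workflow; withdrawals and best-path
# selection are deliberately left out.

def policy(rts):
    """Stand-in for the inbound RPL: picks the RT-set limit for a path."""
    return 2 if "111:1" in rts else 3   # constructed limits


class RouteReflector:
    def __init__(self):
        self.held = {}        # frozenset(RTs) -> prefixes counted for that RT-set
        self.dropped = []     # (neighbor, prefix) pairs that were refused

    def count(self, rts):
        return len(self.held.get(frozenset(rts), ()))

    def receive(self, neighbor, prefix, rts):
        limit = policy(rts)                       # steps 3-4
        held = self.held.setdefault(frozenset(rts), set())
        if prefix in held:                        # step 6, second clause
            return True                           # extra path, count unchanged
        if len(held) < limit:                     # steps 5-6
            held.add(prefix)                      # step 2: +1 per prefix
            return True
        self.dropped.append((neighbor, prefix))   # step 7
        return False


def replay(updates):
    """Feed (neighbor, prefix, RTs) updates through a fresh RR in order."""
    rr = RouteReflector()
    for neighbor, prefix, rts in updates:
        rr.receive(neighbor, prefix, rts)
    return rr


# Constructed updates: (neighbor, RD:prefix, RTs on the path)
VPN_A = [("10.1.1.1", f"100:1:51.0.{n}.0/24", ("111:1",)) for n in (90, 91, 92)]
VPN_B = [("10.1.1.2", "100:2:52.0.0.0/24", ("222:1",))]
SECOND_PATH = [("10.1.1.3", "100:1:51.0.90.0/24", ("111:1",))]

rr = replay(VPN_A + VPN_B + SECOND_PATH)
flapped = replay(list(reversed(VPN_A)) + VPN_B)   # same routes, other arrival order

if __name__ == "__main__":
    print("in order :", sorted(rr.held[frozenset({"111:1"})]), rr.dropped)
    print("reversed :", sorted(flapped.held[frozenset({"111:1"})]), flapped.dropped)
```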


Guidelines and limitations of VPN route limit

Guidelines for VPN route limit configuration

Recommendation: Configure the VPN route limit to be twenty percent higher than the expected scale, for example, 1000 routes instead of 833. This protects the Route Reflector (RR) and Provider Edge (PE) devices.

Note

When the VPN route limit is reached, the routes from a neighbor may vary if the neighbor experiences a flap. This happens because route dropping depends entirely on the order in which routes are received.

Limitations of VPN route limit

  • When the VPN route limit feature is enabled, active and standby RRs may have different prefixes and paths. This happens because active and standby RRs receive updates independently. The RRs do not guarantee the sequence of prefixes. Therefore, Non-Stop Routing (NSR) is not supported with the VPN Route Limit feature.

  • If you modify the policy to reduce the VPN route limit, for example, from 200 to 50 routes, the system enforces the updated limit exclusively on single path networks. Networks with multiple paths are not subject to this new route limit. All existing paths are maintained regardless of the reduced threshold.

  • For the same RT-set, if the route limit is not the same due to differing route policies for different neighbors, the routing behavior is nondeterministic.


Configure VPN route limit

Configure a VPN route limit on RRs to control the number of unique network entries for each VPN.

This task helps manage RR resources efficiently by preventing an excessive number of routes from a particular VPN.

Procedure

1. Enable BGP routing.

Example:

Router(config)# router bgp 100

2. Configure a route policy.

Example:

Router(config-bgp)# neighbor 10.1.1.1
Router(config-bgp-nbr)# use neighbor-group RRC
Router(config-bgp-nbr)# address-family vpnv4 unicast
Router(config-bgp-nbr-af)# route-policy vpn-route-limit-policy in
Router(config-bgp-nbr-af)# exit
Router(config-bgp-nbr)# address-family vpnv6 unicast
Router(config-bgp-nbr-af)# route-policy vpn-route-limit-policy in

3. Run the set rt-set route-limit limit-value command in route-policy configuration mode to configure the VPN route limit.

Example:

Router# config  
Router(config)# route-policy vpn-route-limit-policy  
Router(config-rpl)# if extcommunity rt matches-any (111:1) then  
Router(config-rpl-if)# set rt-set route-limit 5  
Router(config-rpl-if)# else  
Router(config-rpl-else)# set rt-set route-limit 6  
Router(config-rpl-else)# endif  
Router(config-rpl)# end-policy

4. Run the show bgp vpnv4 unicast rt-set or show bgp vpnv4 unicast path rt-set command to verify the configuration.

  • Router# show bgp vpnv4 unicast rt-set 
    BGP router identifier 10.3.3.3, local AS number 100
    BGP generic scan interval 300 secs
    Non-stop routing is enabled
    BGP table state: Active
    Table ID: 0xe0000000   RD version: 4
    BGP main routing table version 4
    BGP NSR Initial initsync version 3 (Reached)
    BGP scan interval 60 secs
    
    Identifier   Route Count   RT-Set
     1           10            111:1 
    
  • Router# show bgp vpnv4 unicast path-rt-set 
    BGP router identifier 10.3.3.3, local AS number 100
    BGP generic scan interval 300 secs
    Non-stop routing is enabled
    BGP table state: Active
    Table ID: 0x0   RD version: 1269777764
    BGP main routing table version 124757
    BGP NSR Initial initsync version 3 (Reached)
    BGP scan interval 60 secs
    
    Status codes: s suppressed, d damped, h history, * valid, > best
                  i - internal, r RIB-failure, S stale, N Nexthop-discard
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network            Next Hop        RT-set ID       Route Count
    Route Distinguisher: 100:1
    *>i51.0.90.0/24       1.1.1.1         1               10              
    *>i51.0.91.0/24       1.1.1.1         1               10
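
A monitoring check built on the `show bgp vpnv4 unicast rt-set` table above, as an added example that is not part of the Cisco guide. It parses the Identifier / Route Count / RT-Set rows and flags any RT-set whose count has passed the expected scale implied by the twenty percent guideline (limit / 1.2) or has reached the limit. The sample rows, the `LIMITS` mapping and the function names are constructed; treating the rest of each row as the RT-set string is an assumption, because the page shows only a single-RT row.

```python
import re

# Constructed sample in the layout of `show bgp vpnv4 unicast rt-set`.
SAMPLE = """\
BGP router identifier 10.3.3.3, local AS number 100
BGP table state: Active

Identifier   Route Count   RT-Set
 1           10            111:1
 2           990           222:1
 3           1000          333:1
"""

# Constructed values: the limit each RT-set gets from the inbound route policy.
LIMITS = {"111:1": 1000, "222:1": 1000, "333:1": 1000}

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_rt_sets(text):
    """Return {rt_set: route_count} from the rows under the table header."""
    counts, in_table = {}, False
    for line in text.splitlines():
        if line.split()[:1] == ["Identifier"]:
            in_table = True
            continue
        m = ROW.match(line) if in_table else None
        if m:
            counts[m.group(3)] = int(m.group(2))
    return counts


def headroom_report(text, limits):
    """Classify each RT-set against its limit and the 20 percent headroom."""
    report = {}
    for rt_set, count in parse_rt_sets(text).items():
        limit = limits.get(rt_set)
        if limit is None:
            report[rt_set] = "no-limit-known"
        elif count >= limit:
            report[rt_set] = "at-limit"             # RR drops new prefixes
        elif count * 6 > limit * 5:                 # count > limit / 1.2
            report[rt_set] = "over-expected-scale"
        else:
            report[rt_set] = "ok"
    return report


if __name__ == "__main__":
    for rt_set, state in headroom_report(SAMPLE, LIMITS).items():
        print(f"{rt_set:10} {state}")
```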