Sunday, June 14, 2020

Segment Routing - Ti-LFA - Node Protection

In the previous post we have seen how does "Segment Routing - Ti-LFA - Adjacency Sid Protection - Link Protection" works when Segment Routing is enabled. The main advantage of using Ti-LFA link protection is that primary link is excluded during post convergence backup path calculations. Ti-LFA Link protection provides 50ms resilience during the time of failure of link. There might be possibility of link failure due to node failure but XR-11 will never come to know till IGP convergence is completed.

Now node xr-11 can calculate the backup path by using TI-LFA node protection which provides protection from neighbor node failures. The neighbor node (XR-1) is excluded during the post convergence backup path calculation.



As per previous post, Ti-LFA node protection is already configured and now we will be configuring Ti-LFA node protection.
       
router isis 1
  !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
   fast-reroute per-prefix
   fast-reroute per-prefix ti-lfa
   fast-reroute per-prefix tiebreaker node-protecting index 100 -> Ti-LFA Node Protection With Priority 100
   metric 500
  !
!
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
   fast-reroute per-prefix
   fast-reroute per-prefix ti-lfa
   fast-reroute per-prefix tiebreaker node-protecting index 100 -> Ti-LFA Node Protection With Priority 100
   metric 500
  !


Point To Remember
Both link-protecting and node-protecting TI-LFA backup paths will be computed. If the priority(index) associated with the node-protecting tiebreaker is higher than any other tiebreakers, then node-protecting post-convergence backup paths will be selected, if it is available.


Verify below configuration which shows that node protection post-convergence backup is selected. Now instead XR-1, XR-6 is selected. For more details on PQ Node, refer to post "Segment Routing - Topology Independent LFA"
       
RP/0/0/CPU0:xrvr-11#show isis fast-reroute 1.1.1.12/32 detail
L2 1.1.1.12/32 [1020/115] medium priority
     via 99.1.11.1, GigabitEthernet0/0/0/0, xrvr-1, SRGB Base: 16000, Weight: 0
         Backup path: TI-LFA (node), via 99.5.11.5, GigabitEthernet0/0/0/1 xrvr-5, SRGB Base: 16000, Weight: 0
           P node: xrvr-5.00 [1.1.1.5], Label: ImpNull
           Q node: xrvr-6.00 [1.1.1.6], Label: 24001
           Prefix label: 16012
       P: No, TM: 1050, LC: No, NP: Yes, D: Yes, SRLG: No
     src xrvr-12.00-00, 1.1.1.12, prefix-SID index 12, R:0 N:1 P:0 E:0 V:0 L:0
RP/0/0/CPU0:xrvr-11#


Check the routing table to verify that backpath is installed or not:
       
RP/0/0/CPU0:xrvr-11#show route 1.1.1.12/32 detail
Routing entry for 1.1.1.12/32
  Known via "isis 1", distance 115, metric 1020, labeled SR, type level-2
  Installed May 30 17:49:13.744 for 00:04:26
  Routing Descriptor Blocks
    99.1.11.1, from 1.1.1.12, via GigabitEthernet0/0/0/0, Protected
      Route metric is 1020
      Label: 0x3e8c (16012)
      Tunnel ID: None
      Binding Label: None
      Extended communities count: 0
      Path id:1       Path ref count:0
      NHID:0x6(Ref:24)
      Backup path id:65
    99.5.11.5, from 1.1.1.12, via GigabitEthernet0/0/0/1, Backup (TI-LFA)
      Repair Node(s): 1.1.1.5, 1.1.1.6
      Route metric is 1050
      Labels: 0x100004 0x5dc1 0x3e8c (1048580 24001 16012)  -> 1048580 label is used for impicit null
      Tunnel ID: None
      Binding Label: None
      Extended communities count: 0
      Path id:65              Path ref count:1
      NHID:0x5(Ref:24)
  Route version is 0x3d (61)
  Local Label: 0x3e8c (16012)
  IP Precedence: Not Set
  QoS Group ID: Not Set
  Flow-tag: Not Set
  Fwd-class: Not Set
  Route Priority: RIB_PRIORITY_NON_RECURSIVE_MEDIUM (7) SVD Type RIB_SVD_TYPE_LOCAL
  Download Priority 1, Download Version 838
  No advertising protos.
RP/0/0/CPU0:xrvr-11#


Veriy CEF table and match the labels imposed with the above mentioned labels.
       
RP/0/0/CPU0:xrvr-11#show cef 1.1.1.12/32
Sat May 30 17:54:39.252 UTC
1.1.1.12/32, version 838, labeled SR, internal 0x1000001 0x81 (ptr 0xa12fcb8c) [2], 0x0 (0xa12e1cd4), 0xa28 (0xa18b61dc)
 Updated May 30 17:49:13.764
 local adjacency 99.1.11.1
 Prefix Len 32, traffic index 0, precedence n/a, priority 1
 Extensions: context-label:16012
   via 99.1.11.1/32, GigabitEthernet0/0/0/0, 11 dependencies, weight 0, class 0, protected [flags 0x400]
    path-idx 0 bkup-idx 1 NHID 0x0 [0xa18d05d0 0xa18d00e4]
    next hop 99.1.11.1/32
     local label 16012      labels imposed {16012}
   via 99.5.11.5/32, GigabitEthernet0/0/0/1, 11 dependencies, weight 0, class 0, backup (TI-LFA) [flags 0xb00]
    path-idx 1 NHID 0x0 [0xa15fd560 0xa15fd4a8]
    next hop 99.5.11.5/32, Repair Node(s): 1.1.1.5, 1.1.1.6        -> Verify Repair Nodes. Node 1 is not coming in the path
    local adjacency
     local label 16012      labels imposed {ImplNull 24001 16012}
RP/0/0/CPU0:xrvr-11#
With maximum of 3 transport labels, we can reach to the destination. Here is the beginning of my post. And here is the rest of it.
Click Here To Read Rest Of The Post...

Saturday, June 6, 2020

Segment Routing - Ti-LFA - Adjacency Sid Protection

Brief overview was shared in earlier post of "Segment Routing - Topology Independent LFA". In this post, I am showing some simulated results of per prefix Ti-LFA where in case of primary link failure, SR-MPLS with Ti-LFA enabled seamlessly re-route the destined traffic by excluding the direct link. If direct adjacent node need to be exclude from Ti-LFA calculation, it is called Ti-LFA node protection.

Below is SR-MPLS enabled topology used for simulation. XR-11 is sending traffic to loopback 1.1.1.12 (XR-12). There is no Ti-LFA configured on XR-11.



Verify that Ti-LFA is not configured
       
RP/0/0/CPU0:xrvr-11#show isis fast-reroute 1.1.1.12/32 detail
L2 1.1.1.12/32 [1020/115] medium priority
     via 99.1.11.1, GigabitEthernet0/0/0/0, xrvr-1, SRGB Base: 16000, Weight: 0
       No FRR backup        (Check here)
     src xrvr-12.00-00, 1.1.1.12, prefix-SID index 12, R:0 N:1 P:0 E:0 V:0 L:0
RP/0/0/CPU0:xrvr-11#


ISIS adjacency is configured for IPv4 and IPv6 address family.
       
RP/0/0/CPU0:xrvr-11#show isis adjacency systemid xrvr-1  detail
IS-IS 1 Level-2 adjacencies:
System Id      Interface        SNPA           State Hold Changed  NSF IPv4 IPv6
                                                                       BFD  BFD
xrvr-1         Gi0/0/0/0        *PtoP*         Up    21   00:08:59 Yes None None
  Area Address:           49.0001
  Neighbor IPv4 Address:  99.1.11.1*
  Adjacency SID:          24000           -> Adjacency SID for IPv4 address family. This is not protected, so no backup interface
  Non-FRR Adjacency SID:  24001
  Neighbor IPv6 Address:  fe80::f816:3eff:fe8b:9b27*
  Adjacency SID:          24002    -> Adjacency SID for IPv6 address family. This is not protected, so no backup interface
  Non-FRR Adjacency SID:  24003
  Topology:               IPv4 Unicast
  Topology:               IPv6 Unicast
RP/0/0/CPU0:xrvr-11#


Verify MPLS forwarding. Most of the output is deleted for brevity
       
RP/0/0/CPU0:xrvr-11#show mpls forwarding
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
Label  Label       or ID              Interface                    Switched
------ ----------- ------------------ ------------ --------------- ------------
16001  Pop         SR Pfx (idx 1)     Gi0/0/0/0    99.1.11.1       0
16002  16002       SR Pfx (idx 2)     Gi0/0/0/0    99.1.11.1       0
16003  16003       SR Pfx (idx 3)     Gi0/0/0/0    99.1.11.1       0
16004  16004       SR Pfx (idx 4)     Gi0/0/0/0    99.1.11.1       2553
16005  Pop         SR Pfx (idx 5)     Gi0/0/0/1    99.5.11.5       0
16006  16006       SR Pfx (idx 6)     Gi0/0/0/0    99.1.11.1       0
16007  16007       SR Pfx (idx 7)     Gi0/0/0/0    99.1.11.1       0
16012  16012       SR Pfx (idx 12)    Gi0/0/0/0    99.1.11.1       18048
16013  16013       SR Pfx (idx 13)    Gi0/0/0/0    99.1.11.1       0
24000  Pop         SR Adj (idx 1)     Gi0/0/0/0    99.1.11.1       0
24001  Pop         SR Adj (idx 3)     Gi0/0/0/0    99.1.11.1       0
24002  Pop         SR Adj (idx 1)     Gi0/0/0/0    fe80::f816:3eff:fe8b:9b27   \
                                                                   0
24003  Pop         SR Adj (idx 3)     Gi0/0/0/0    fe80::f816:3eff:fe8b:9b27   \
                                                                   0
RP/0/0/CPU0:xrvr-11#


Verify end to end path for XR-12
       
RP/0/0/CPU0:xrvr-11#traceroute 1.1.1.12
Tracing the route to 1.1.1.12
 1  99.1.11.1 [MPLS: Label 16012 Exp 0] 9 msec  9 msec  9 msec
 2  99.1.2.2 [MPLS: Label 16012 Exp 0] 9 msec  9 msec  9 msec
 3  99.2.3.3 [MPLS: Label 16012 Exp 0] 9 msec  9 msec  9 msec
 4  99.3.12.12 9 msec  9 msec  9 msec


Configure Ti-LFA for IPv4 address family only on XR-11:
       
router isis 1
  !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
   fast-reroute per-prefix
   fast-reroute per-prefix ti-lfa
   metric 500
  !
!
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
   fast-reroute per-prefix
   fast-reroute per-prefix ti-lfa
   metric 500
  !


Once configured Ti-LFA, XR-11 will consider path via XR-5 in case failure between XR-11 and XR-1 as shown in the below topology.


Verify ISIS adjacency towards XR-1
       
RP/0/0/CPU0:xrvr-11#show isis adjacency systemid xrvr-1  detail
IS-IS 1 Level-2 adjacencies:
System Id      Interface        SNPA           State Hold Changed  NSF IPv4 IPv6
                                                                       BFD  BFD
xrvr-1         Gi0/0/0/0        *PtoP*         Up    26   00:16:29 Yes None None
  Area Address:           49.0001
  Neighbor IPv4 Address:  99.1.11.1*
  Adjacency SID:          24000 (protected)      -> Adjacency SID is protected
   Backup label stack:    [16001]   -> Adjacency SID 24000 is protected with 16001 backup
   Backup stack size:     1
   Backup interface:      Gi0/0/0/1              -> Now backup interface is showing
   Backup nexthop:        99.5.11.5   -> Next hop address is XR-5
   Backup node address:   1.1.1.1          -> Backup node is XR-1
  Non-FRR Adjacency SID:  24001         
  Neighbor IPv6 Address:  fe80::f816:3eff:fe8b:9b27*
  Adjacency SID:          24002                  -> We have configured Ti-LFA for IPv4. Still IPv6 traffic is not protected
  Non-FRR Adjacency SID:  24003
  Topology:               IPv4 Unicast
  Topology:               IPv6 Unicast
RP/0/0/CPU0:xrvr-11#


Verify Ti-LFA for XR-12 (show the below config - prefix-SID index 12)
       
RP/0/0/CPU0:xrvr-11#show isis fast-reroute 1.1.1.12/32 detail
L2 1.1.1.12/32 [1020/115] medium priority
     via 99.1.11.1, GigabitEthernet0/0/0/0, xrvr-1, SRGB Base: 16000, Weight: 0
       FRR backup via 99.5.11.5, GigabitEthernet0/0/0/1, xrvr-5, SRGB Base: 16000, Weight: 0, Metric: 1030
       P: No, TM: 1030, LC: No, NP: No, D: Yes, SRLG: Yes
     src xrvr-12.00-00, 1.1.1.12, prefix-SID index 12, R:0 N:1 P:0 E:0 V:0 L:0
RP/0/0/CPU0:xrvr-11#


Below output is showing that Gi0/0/0/0 is protected with Gi0/0/0/1. In case of failure of Gi0/0/0/0 link, XR-11 will add 16001 as outgoing label which is prefix sid of XR-1.
       
RP/0/0/CPU0:xrvr-11#show mpls forwarding labels 24000
Tue May 26 17:42:12.824 UTC
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
Label  Label       or ID              Interface                    Switched
------ ----------- ------------------ ------------ --------------- ------------
24000  Pop         SR Adj (idx 1)     Gi0/0/0/0    99.1.11.1       0
       16001       SR Adj (idx 1)     Gi0/0/0/1    99.5.11.5       0            (!)
RP/0/0/CPU0:xrvr-11#


The above output can be cross verify by running below command.
       
RP/0/0/CPU0:xrvr-11#show mpls forwarding labels 24000 detail
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
Label  Label       or ID              Interface                    Switched
------ ----------- ------------------ ------------ --------------- ------------
24000  Pop         SR Adj (idx 1)     Gi0/0/0/0    99.1.11.1       0
     Path Flags: 0x400 [  BKUP-IDX:1 (0xa18d01fc) ]
     Version: 120, Priority: 1
     Label Stack (Top -> Bottom): { Imp-Null }
     NHID: 0x0, Encap-ID: N/A, Path idx: 0, Backup path idx: 1, Weight: 500
     MAC/Encaps: 14/14, MTU: 1500
     Packets Switched: 0

     16001          SR Adj (idx 1)     Gi0/0/0/1    99.5.11.5       0            (!)
     Path Flags: 0x100 [  BKUP, NoFwd ]
     Version: 120, Priority: 1
     Label Stack (Top -> Bottom): { 16001 }   -> Backup label
     NHID: 0x0, Encap-ID: N/A, Path idx: 1, Backup path idx: 0, Weight: 500
     MAC/Encaps: 14/18, MTU: 1500
     Packets Switched: 0
     (!): FRR pure backup
RP/0/0/CPU0:xrvr-11#


Now finally verify the forwarding plane:
       
RP/0/0/CPU0:xrvr-11#show cef 1.1.1.12/32 detail
1.1.1.12/32, version 112, labeled SR, internal 0x1000001 0x81 (ptr 0xa12e5a7c) [2], 0x0 (0xa12ca878), 0xa28 (0xa18b607c)
 Updated May 26 15:27:01.779
 local adjacency 99.1.11.1
 Prefix Len 32, traffic index 0, precedence n/a, priority 1
 Extensions: context-label:16012           -> Check the special label
  gateway array (0xa122fdb4) reference count 21, flags 0xa00068, source rib (7), 0 backups
                [8 type 5 flags 0x8401 (0xa15618c0) ext 0x0 (0x0)]
  LW-LDI[type=5, refc=3, ptr=0xa12ca878, sh-ldi=0xa15618c0]
  gateway array update type-time 1 May 26 15:27:01.779
    via 99.1.11.1/32, GigabitEthernet0/0/0/0, 9 dependencies, weight 0, class 0, protected [flags 0x400]
    path-idx 0 bkup-idx 1 NHID 0x0 [0xa18d00e4 0x0]
    next hop 99.1.11.1/32
     local label 16012      labels imposed {16012}
   via 99.5.11.5/32, GigabitEthernet0/0/0/1, 9 dependencies, weight 0, class 0, backup (Local-LFA) [flags 0x300]
    path-idx 1 NHID 0x0 [0xa15fd4a8 0x0]
    next hop 99.5.11.5/32
    local adjacency
     local label 16012      labels imposed {16012}
    Hash  OK  Interface                 Address
    0     Y   GigabitEthernet0/0/0/0    99.1.11.1
RP/0/0/CPU0:xrvr-11#


Now shutdown the link between XR-11 and XR-1 and check the backup path
       
RP/0/0/CPU0:xrvr-11#traceroute 1.1.1.12
Tracing the route to 1.1.1.12
 1  99.5.11.5 [MPLS: Label 16012 Exp 0] 39 msec  9 msec  9 msec
 2  99.1.5.1 [MPLS: Label 16012 Exp 0] 9 msec  9 msec  9 msec
 3  99.1.2.2 [MPLS: Label 16012 Exp 0] 9 msec  9 msec  9 msec
 4  99.2.3.3 [MPLS: Label 16012 Exp 0] 9 msec  9 msec  9 msec
 5  99.3.12.12 9 msec  9 msec  9 msec
RP/0/0/CPU0:xrvr-11#

Click Here To Read Rest Of The Post...

Sunday, May 31, 2020

Segment Routing - Topology Independent LFA

Combination of segment routing and Loop Free Alternate is known as Topology Independent LFA or Ti-LFA. The main reason for configuring LFA is to provide the protection against the destination prefixes. In case of failure of primary link, source node calculates the backup the path as described in the "Loop Free Alternate: IP Fast Reroute (FRR)". The biggest disadvantage of the existing RSVP-TE-Fast reroute, Loop Free Alternate (LFA) and remote LFA, which has seen wide adoption can't guarantee 100% coverage for all failure scenarios. As per the RFC 6571, section 4.3, simulation results proves that LFA provides average 89% coverage across various topologies.

Below are the various types of issues which can be seen with Loop Free Alternate(LFA) and Remote Loop Free Alternate(rLFA)

1. LFA has issue with topology more than 3 nodes. With 3 nodes topology it perfectly works good. If the topology has more than 3 nodes, micro loop can occur as per shown in the image.
2. Micro-Loop avoidance can be taken care by finding PQ node as per RFC 7490. XR-1 will create T-LDP session with XR-3, XR-3 has the best path to XR-5 via XR-4.
3. Now increase the metric to 100 between XR-3 and XR-4. In this case, if XR-1 creates T-LDP session XR-3, XR-3 will again finds XR-1 as best and forward the traffic back to XR-3. This will be same as of micro loop.
Implementing Segment Routing with Topology Independent LFA (TI-LFA) provides 100% loop-free guaranteed coverage against any link, SRLG and node failure. Ti-LFA protects both labelled as well as unlabelled traffic. Stay tuned for the upcoming post (Segment Routing - Ti-LFA - Adjacency Sid Protection) how Ti-LFA solves the above issues by leveraging Segment Routing.

Click Here To Read Rest Of The Post...