Example: Configuring MPLS Egress Protection for Layer 3 VPN Services

This example describes a local repair mechanism for protecting Layer 3 VPN services against egress provider edge (PE) router failure in a scenario where the customer edge (CE) routers are multihomed with more than one PE router.

The following terminology is used in this example:

  • Originator PE router—A PE router with protected routing instances or subnets that distributes the primary Layer 3 VPN route.
  • Backup PE router—A PE router that announces a backup Layer 3 VPN route.
  • Protector PE router—A router that cross-connects VPN labels distributed by the originator PE router to the labels originated by the backup PE router. The protector PE router can also be a backup PE router.
  • Transport LSP—An LDP-signaled label-switched path (LSP) for BGP next hops.
  • PLR—A router acting as the point of local repair (PLR) that can redirect Layer 3 VPN traffic to a protector PE router to enable fast restoration and reroute.
  • Loop-free alternate routes—A technology that essentially adds IP fast-reroute capability for the interior gateway protocol (IGP) by precomputing backup routes for all the primary routes of the IGP. In the context of this document, the IGP is IS-IS.
  • Multihoming—A technology that enables you to connect a CE device to multiple PE routers. In the event that a connection to the primary PE router fails, traffic can be automatically switched to the backup PE router.
  • Context identifier—An IPv4 address used to identify the VPN prefix that requires protection. The identifier is propagated to the PE and PLR core routers, making it possible for the protected egress PE router to signal the egress protection to the protector PE router.
  • Dual protection—A protection mechanism where two PE routers can simultaneously act as the primary PE router and the protector PE router for their respective context ID routes or next hops. For example, between the two PE routers PE1 and PE2, PE1 could be a primary PE router for context identifier 3.1.0.0 and protector for context identifier 4.1.0.0. Likewise, the PE2 router could be a protector for context identifier 3.1.0.0 and a primary PE router for context identifier 4.1.0.0.

Egress Protection for Layer 3 VPN Edge Protection Overview

Typically, Layer 3 VPN service restoration for multihomed customer edge (CE) routers depends on the ingress provider edge (PE) router to detect the egress PE link or node failure and switch traffic to the backup PE router. To achieve faster restoration, a protector mechanism for the PE router can be used to perform local restoration of the service immediately in case of an egress PE node failure. This mechanism requires the router at the point of local repair (PLR) to redirect VPN traffic to a protector PE router for fast reroute of traffic.

The following topology describes the concept of egress protection.

Figure 1: Sample Topology for Egress Protection

In this topology:

Router PE3 acts as the protector for the PE2 Layer 3 VPN routing instances or subnets.

The CE routers are part of a VPN where Router CE1 is multihomed with Router PE1 and Router PE2. Likewise, Router CE2 is multihomed with Routers PE2 and PE3.

Router PE1 can be the originator for the context identifier for Router CE1, while Router PE2 is the protector for that context identifier. Likewise, PE2 can be the originator for the context identifier for Router CE2, while Router PE3 is the protector for that context identifier.

The working path taken by Router PE4 might be through PLR>PE2 for both Router CE1 and Router CE2. The backup path for Router CE1 is through PLR>PE1. The backup path for Router CE2 is through PLR>PE3. Traffic flows through the working path under normal circumstances.

When Router PE4 detects a PE2 node or link failure, traffic is rerouted from the working path to the protected path. In the normal failover process, failure detection and recovery rely on the control plane and are therefore relatively slow.

Typically, if there is a link or node failure in the core network, the egress PE router would have to rely on the ingress PE router to detect the failure and switch over to the backup path, because a local repair option for egress failure is not available.

To provide a local repair solution for the egress PE link or node failure, a mechanism known as egress protection can be used to repair and restore the connection quickly. If egress protection is configured, the PLR router detects the PE2 link or node failure and reroutes traffic through the protector Router PE3 using the backup LDP-signaled label-switched path (LSP). The PLR router uses per-prefix loop-free alternate routes to program the backup next hop through Router PE3, and traffic is forwarded to Routers CE1 and CE2 using the alternate paths. This restoration is done quickly after the PLR router detects the Router PE2 egress node or link failure.

The dual protection mechanism can also be used for egress protection where the two PE routers can simultaneously act as the primary PE router and the protector PE router for their respective context ID routes or next hops.

Router Functions

In Figure 1, the following routers perform the following functions:

Protected PE Router

The protected PE, PE2, performs the following functions:

  • Updates a context identifier for the BGP next hop for the Layer 3 VPN prefix.
  • Advertises the context identifier to the IS-IS domain.

Protector PE Router

The protector PE router, PE3, performs the following functions:

  • Advertises the context identifier to the IS-IS domain with a high metric. The high IGP metric (configurable) along with the LDP label ensures that the PLR router uses the LDP-signaled backup LSP in the event of an egress PE router failure.
  • Builds a context-label table for route lookup and a backup forwarding table for the protected PE router (PE2).

    Note: The protector PE router should not be in the forwarding path to the primary PE router.

PLR Router

The router acting as the point of local repair (PLR) performs the following functions:

  • Computes per-prefix loop-free alternate routes. For this computation to work, the configuration of the node-link-protection statement and the backup-spf-options per-prefix-calculation statement is necessary at the [edit protocols isis] hierarchy level.
  • Installs backup next hops for the context identifier through the PE3 router (protector PE).
  • Detects PE router failure and redirects the transport LSP traffic to the protector.

Note: The PLR router must be directly connected to the protector router (in this case, PE3). If not, the loop-free alternate route cannot find the backup path to the protector.

Protector and Protection Models

Protector is a new role or function for the restoration of egress PE node failure. This role could be played by a backup egress PE router or any other node that participates in the VPN control plane for VPN prefixes that require egress node protection. There are two protection models based on the location and role of a protector:

  • Co-located protector—In this model, the protector PE router and the backup PE router configurations are done on the same router. The protector is co-located with the backup PE router for the protected prefix, and it has a direct connection to the multihomed site that originates the protected prefix. In the event of an egress PE failure, the protector receives traffic from the PLR router and routes the traffic to the multihomed site.
  • Centralized protector—In this model, the protector PE router and the backup PE router are different. The centralized protector might not have a direct connection to the multihomed site. In the event of an egress PE link or node failure, the centralized protector reroutes the traffic to the backup egress PE router with the VPN label advertised for the backup egress PE router that takes over the role of sending traffic to the multihomed site.

A network can use either of the protection models or a combination of both, depending on the requirement.

For more information about egress PE failure protection, see the Internet draft draft-minto-2547-egress-node-fast-protection-00, 2547 egress PE Fast Failure Protection.

Example: Configuring Egress Protection for Layer 3 VPN Services

This example shows how to configure egress protection for fast restoration of Layer 3 VPN services.

Requirements

This example uses the following hardware and software components:

  • MX Series 3D Universal Edge Routers
  • Tunnel PICs or the configuration of the Enhanced IP Network Services mode (using the network-services enhanced-ip statement at the [edit chassis] hierarchy level).
  • Junos OS Release 11.4R3 or later running on the devices

Before you begin:

  • Configure the device interfaces. See the Junos OS Network Interfaces Configuration Guide.
  • Configure the following routing protocols on all the PE and PLR routers.
    • MPLS, LSPs, and LDP. See the Junos OS MPLS Applications Configuration Guide.
    • BGP and IS-IS. See the Junos OS Routing Protocols Configuration Guide.
  • Configure Layer 3 VPNs. See the Junos OS VPNs Configuration Guide.

Overview

Typically, Layer 3 VPN service restoration, in case of egress PE router failure (for multihomed customer edge [CE] routers), depends on the ingress PE router to detect the egress PE node failure and switch traffic to the backup PE router for multihomed CE sites.

Junos OS Release 11.4R3 or later enables you to configure egress protection for Layer 3 VPN services that protects the services from egress PE node failure in a scenario where the CE site is multihomed with more than one PE router. The mechanism enables local repair to be performed immediately upon an egress node failure. The router acting as the point of local repair (PLR) redirects VPN traffic to a protector PE router for restoring service quickly, achieving fast protection that is comparable to MPLS fast reroute.

The statements used to configure egress protection are:

  • egress-protection—When configured at the [edit protocols mpls] hierarchy level, this statement specifies protector information and the context identifier for the Layer 3 VPN and edge protection virtual circuit:
    [edit protocols mpls]
    egress-protection {
        context-identifier context-id {
            (primary | protector);
            metric igp-metric-value;
        }
    }

    When configured at the [edit protocols bgp group group-name family inet-vpn unicast], [edit protocols bgp group group-name family inet6-vpn unicast], or [edit protocols bgp group group-name family iso-vpn unicast] hierarchy level, the egress-protection statement specifies the context identifier that enables egress protection for the configured BGP VPN network layer reachability information (NLRI).

    [edit protocols bgp]
    group internal {
        type internal;
        local-address ip-address;
        family <inet-vpn|inet6-vpn|iso-vpn> {
            unicast {
                egress-protection {
                    context-identifier {
                        context-id-ip-address;
                    }
                }
            }
        }
    }

    When configured at the [edit routing-instances] hierarchy level, the egress-protection statement holds the context identifier of the protected PE router.

    This configuration must be done only in the primary PE router and is used for outbound BGP updates for the next hops.

    [edit routing-instances]
    routing-instance-name {
        egress-protection {
            context-identifier {
                context-id-ip-address;
            }
        }
    }

    Configuring the context-identifier statement at the [edit routing-instances routing-instance-name] hierarchy level provides customer edge VRF-level context ID granularity for each VRF instance.

  • context-identifier—This statement specifies an IPv4 address used to define the pair of PE routers participating in the egress protection LSP. The context identifier is used to assign an identifier to the protector PE router. The identifier is propagated to the other PE routers participating in the network, making it possible for the protected egress PE router to signal the egress protection LSP to the protector PE router.

Configuration

CLI Quick Configuration

Note: This example only shows sample configuration that is relevant to configuring egress PE protection for Layer 3 VPN services on the protected router, PE2, the protector router, PE3, and the PLR router.

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

PE2 (Protected PE Router)

set protocols mpls interface all
set protocols mpls interface fxp0.0 disable
set protocols mpls egress-protection context-identifier 66.6.6.6 primary
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 10.255.245.194
set protocols bgp group ibgp family inet-vpn unicast egress-protection context-identifier 66.6.6.6

PE3 (Protector PE Router)

set protocols mpls interface all
set protocols mpls interface fxp0.0 disable
set protocols mpls egress-protection context-identifier 66.6.6.6 protector
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 10.255.245.196
set protocols bgp group ibgp family inet-vpn unicast egress-protection keep-import remote-vrf
set policy-options policy-statement remote-vrf from community rsite1
set policy-options policy-statement remote-vrf from community rsite24
set policy-options policy-statement remote-vrf then accept
set policy-options community rsite1 members target:1:1
set policy-options community rsite24 members target:100:1023

PLR Router

set protocols mpls interface all
set protocols mpls interface fxp0.0 disable
set protocols isis level 1 disable
set protocols isis interface all node-link-protection
set protocols isis backup-spf-options per-prefix-calculation
set protocols ldp track-igp-metric
set protocols ldp interface all
set protocols ldp interface fxp0.0 disable
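The three quick configurations above have to agree with each other in ways the CLI does not check for you: the BGP family context identifier on the protected PE must match the primary one under protocols mpls, the protector must carry the same identifier with the protector role, its keep-import policy must exist, and the PLR needs per-prefix LFA, node-link-protection and LDP IGP-metric tracking. The following checker is an added example, not Juniper tooling; it runs these checks over set-style configuration text, and the three embedded configs are constructed from the quick configuration (trimmed to the lines the checks use).

```python
import re

# Constructed sample input: 'set' commands from the quick configuration above,
# one device per string, trimmed to the statements the checks care about.
PE2_CONFIG = """
set protocols mpls egress-protection context-identifier 66.6.6.6 primary
set protocols bgp group ibgp family inet-vpn unicast egress-protection context-identifier 66.6.6.6
"""
PE3_CONFIG = """
set protocols mpls egress-protection context-identifier 66.6.6.6 protector
set protocols bgp group ibgp family inet-vpn unicast egress-protection keep-import remote-vrf
set policy-options policy-statement remote-vrf then accept
"""
PLR_CONFIG = """
set protocols isis interface all node-link-protection
set protocols isis backup-spf-options per-prefix-calculation
set protocols ldp track-igp-metric
"""

MPLS_CTX = re.compile(r"^set protocols mpls egress-protection context-identifier (\S+) (primary|protector)$")
BGP_CTX = re.compile(r"^set protocols bgp group \S+ family (?:inet-vpn|inet6-vpn|iso-vpn) unicast "
                     r"egress-protection context-identifier (\S+)$")
KEEP_IMPORT = re.compile(r"^set protocols bgp group \S+ family \S+ unicast egress-protection keep-import (\S+)$")


def set_lines(cfg):
    """Normalise a block of Junos 'set' commands into a list of stripped lines."""
    return [l.strip() for l in cfg.splitlines() if l.strip().startswith("set ")]


def mpls_context_ids(cfg, role):
    """Context identifiers declared under [edit protocols mpls] with the given role."""
    return {m.group(1) for l in set_lines(cfg) if (m := MPLS_CTX.match(l)) and m.group(2) == role}


def check_egress_protection(pe2_cfg, pe3_cfg, plr_cfg):
    """Return a list of problems; an empty list means the three configs are consistent."""
    problems = []
    primary = mpls_context_ids(pe2_cfg, "primary")
    if not primary:
        problems.append("PE2: no primary context-identifier under protocols mpls")
    # The BGP family context-identifier must match the one under protocols mpls.
    bgp_ids = {m.group(1) for l in set_lines(pe2_cfg) if (m := BGP_CTX.match(l))}
    for cid in sorted(bgp_ids - primary):
        problems.append(f"PE2: BGP context-identifier {cid} is not the MPLS primary context-identifier")
    # The protector must announce the same context identifier with the protector role.
    protector = mpls_context_ids(pe3_cfg, "protector")
    for cid in sorted(primary - protector):
        problems.append(f"PE3: context-identifier {cid} is not configured as protector")
    # Every keep-import policy named on the protector must exist under policy-options.
    pe3_lines = set_lines(pe3_cfg)
    for pol in sorted({m.group(1) for l in pe3_lines if (m := KEEP_IMPORT.match(l))}):
        if not any(l.startswith(f"set policy-options policy-statement {pol} ") for l in pe3_lines):
            problems.append(f"PE3: keep-import policy {pol} is not defined under policy-options")
    # PLR: per-prefix LFA, node-link-protection and LDP tracking the IGP metric.
    plr_lines = set_lines(plr_cfg)
    for needed in ("set protocols isis backup-spf-options per-prefix-calculation",
                   "set protocols ldp track-igp-metric"):
        if needed not in plr_lines:
            problems.append(f"PLR: missing '{needed}'")
    if not any(l.startswith("set protocols isis interface ") and l.endswith(" node-link-protection")
               for l in plr_lines):
        problems.append("PLR: no IS-IS interface has node-link-protection")
    return problems
```

Call check_egress_protection with the output of show configuration | display set from each router; an empty list means the page's consistency rules hold.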

Configuring the Protected PE Router (PE2)

Step-by-Step Procedure

To configure the protected PE router, PE2:

  1. Configure MPLS on the interfaces.
    [edit protocols mpls]
    user@PE2# set interface all
    user@PE2# set interface fxp0.0 disable
  2. Configure egress protection and the context identifier.

    Note: The context identifier type must be set to primary.

    [edit protocols mpls]
    user@PE2# set egress-protection context-identifier 66.6.6.6 primary
  3. Configure egress protection for the configured BGP NLRI.

    Note: The context identifier configured at the [edit protocols bgp group group-name family inet-vpn] hierarchy level should match the context identifier configured at the [edit protocols mpls] hierarchy level.

    [edit protocols bgp]
    user@PE2# set group ibgp type internal
    user@PE2# set group ibgp local-address 10.255.245.194
    user@PE2# set group ibgp family inet-vpn unicast egress-protection context-identifier 66.6.6.6

    Note: Configuring the context-identifier at the [edit routing-instances routing-instance-name] hierarchy level provides CE VRF-level context-id granularity for each virtual routing and forwarding (VRF) instance.

  4. After you are done configuring the device, commit the configuration.
    [edit]
    user@PE2# commit

Results

Confirm your configuration by issuing the show protocols command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@PE2# show protocols
mpls {
    interface all;
    interface fxp0.0 {
        disable;
    }
    egress-protection {
        context-identifier 66.6.6.6 {
            primary;
        }
    }
}
bgp {
    group ibgp {
        type internal;
        local-address 10.255.245.194;
        family inet-vpn {
            unicast {
                egress-protection {
                    context-identifier {
                        66.6.6.6;
                    }
                }
            }
        }
    }
}

Configuring the Protector PE Router (PE3)

Step-by-Step Procedure

To configure the protector PE router, PE3:

  1. Configure MPLS on the interfaces.
    [edit protocols mpls]
    user@PE3# set interface all
    user@PE3# set interface fxp0.0 disable
  2. Configure egress protection and the context identifier.
    [edit protocols mpls]
    user@PE3# set egress-protection context-identifier 66.6.6.6 protector
  3. Configure IPv4 Layer 3 VPN NLRI parameters.
    [edit protocols bgp]
    user@PE3# set group ibgp type internal
    user@PE3# set group ibgp local-address 10.255.245.196
    user@PE3# set group ibgp family inet-vpn unicast egress-protection keep-import remote-vrf
  4. Configure routing policy options.
    [edit policy-options]
    user@PE3# set policy-statement remote-vrf from community rsite1
    user@PE3# set policy-statement remote-vrf from community rsite24
    user@PE3# set policy-statement remote-vrf then accept
    user@PE3# set community rsite1 members target:1:1
    user@PE3# set community rsite24 members target:100:1023
  5. After you are done configuring the device, commit the configuration.
    [edit]
    user@PE3# commit

Results

Confirm your configuration by issuing the show protocols and the show policy-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@PE3# show protocols
mpls {
    interface all;
    interface fxp0.0 {
        disable;
    }
    egress-protection {
        context-identifier 66.6.6.6 {
            protector;
        }
    }
}
bgp {
    group ibgp {
        type internal;
        local-address 10.255.245.196;
        family inet-vpn {
            unicast {
                egress-protection {
                    keep-import remote-vrf;
                }
            }
        }
    }
}

user@PE3# show policy-options
policy-statement remote-vrf {
    from community [ rsite1 rsite24 ];
    then accept;
}
community rsite1 members target:1:1;
community rsite24 members target:100:1023;

Configuring the PLR Router

Step-by-Step Procedure

To configure the router acting as the point of local repair (PLR):

  1. Configure MPLS on the interfaces.
    [edit protocols mpls]
    user@PLR# set interface all
    user@PLR# set interface fxp0.0 disable
  2. Configure per-prefix-LFA calculation along with link protection.
    [edit protocols isis]
    user@PLR# set backup-spf-options per-prefix-calculation
    user@PLR# set level 1 disable
    user@PLR# set interface all node-link-protection
    user@PLR# set interface fxp0.0 disable
  3. Configure LDP to use the interior gateway protocol (IGP) route metric instead of the default LDP route metric (the default LDP route metric is 1).
    [edit protocols ldp]
    user@PLR# set track-igp-metric
    user@PLR# set interface all
    user@PLR# set interface fxp0.0 disable

Results

Confirm your configuration by issuing the show protocols command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@PLR# show protocols
mpls {
    interface all;
    interface fxp0.0 {
        disable;
    }
}
isis {
    backup-spf-options per-prefix-calculation;
    level 1 disable;
    interface all {
        node-link-protection;
    }
}
ldp {
    track-igp-metric;
    interface all;
    interface fxp0.0 {
        disable;
    }
}

Verification

Confirm that the configuration is working properly.

Verifying Egress Protection Details

Purpose

Check the egress protection configuration.

Action

user@PE3> show mpls egress-protection details
Instance                 Type      Protection-Type       
rsite1                  remote-vrf  Protector           
  RIB __66.6.6.6-rsite1__.inet.0, Context-Id 66.6.6.6, Enhanced-lookup 
  Route Target 1:1
rsite24                 remote-vrf  Protector           
  RIB __66.6.6.6-rsite24__.inet.0, Context-Id 66.6.6.6, Enhanced-lookup 
  Route Target 100:1023

Meaning

Instance indicates the routing-instance name. Type shows the type of the VRF; it can be either local-vrf or remote-vrf. RIB (routing information base) indicates the routing table created for edge protection. Context-Id shows the context ID associated with the RIB. Route Target shows the route target associated with the routing instance.
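When the protector serves many remote VRFs, the check that each one is bound to the context identifier the protected PE advertises is worth automating. The parser below is an added example, not part of the original page or of Junos; it turns the show mpls egress-protection details output format described above into records and flags instances whose Context-Id differs from the expected one. The sample output is constructed from the page's own example.

```python
# Constructed sample input: the 'show mpls egress-protection details' output
# shown above on the protector PE (PE3).
SAMPLE_OUTPUT = """\
Instance                 Type      Protection-Type
rsite1                  remote-vrf  Protector
  RIB __66.6.6.6-rsite1__.inet.0, Context-Id 66.6.6.6, Enhanced-lookup
  Route Target 1:1
rsite24                 remote-vrf  Protector
  RIB __66.6.6.6-rsite24__.inet.0, Context-Id 66.6.6.6, Enhanced-lookup
  Route Target 100:1023
"""


def parse_egress_protection(text):
    """Parse the details output into one dict per routing instance.

    Unindented lines start a new instance (Instance, Type, Protection-Type);
    indented lines carry the RIB name, Context-Id, extra flags and Route Target.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Instance"):
            continue  # blank line or column header
        if not raw.startswith(" "):
            name, vrf_type, protection = line.split()
            entries.append({"instance": name, "type": vrf_type,
                            "protection": protection, "flags": []})
            continue
        current = entries[-1]
        body = line.strip()
        if body.startswith("RIB "):
            # Comma-separated "key value" items; a bare key is a flag.
            for item in body.split(", "):
                key, _, value = item.partition(" ")
                if key == "RIB":
                    current["rib"] = value
                elif key == "Context-Id":
                    current["context_id"] = value
                else:
                    current["flags"].append(key)
        elif body.startswith("Route Target "):
            current["route_target"] = body[len("Route Target "):]
    return entries


def instances_with_wrong_context(entries, expected_id):
    """Names of instances whose Context-Id is missing or differs from expected_id."""
    return [e["instance"] for e in entries if e.get("context_id") != expected_id]
```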

Verifying Routing Instances

Purpose

Verify the routing instances.

Action

user@PE3> show route instance site1 detail
site1:
  Router ID: 1.5.0.1
  Type: vrf               State: Active        
  Interfaces:
    lt-1/3/0.8
  Route-distinguisher: 10.255.255.11:150
  Vrf-import: [ site1-import ]
  Vrf-export: [ __vrf-export-site1-internal__ ]
  Vrf-export-target: [ target:100:250 ]
  Fast-reroute-priority: low
  Vrf-edge-protection-id:  66.6.6.6 
  Tables:
    site1.inet.0           : 27 routes (26 active, 0 holddown, 0 hidden)
    site1.iso.0            : 0 routes (0 active, 0 holddown, 0 hidden)
    site1.inet6.0          : 0 routes (0 active, 0 holddown, 0 hidden)
    site1.mdt.0            : 0 routes (0 active, 0 holddown, 0 hidden)

Meaning

Vrf-edge-protection-id shows the egress protection configured in the protector PE router with the routing instance.

Verifying BGP NLRI

Purpose

Check the details of the BGP VPN network layer reachability information.

Action

user@PE3> show bgp neighbor
Peer: 10.255.55.1+179 AS 65535 Local: 10.255.22.1+59264 AS 65535
  Type: Internal    State: Established    Flags: <ImportEval Sync>
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None
  Options: <Preference LocalAddress KeepAll AddressFamily Rib-group Refresh>
  Address families configured: inet-vpn-unicast
  Local Address: 10.255.22.1 Holdtime: 90 Preference: 170
  NLRI configured with egress-protection: inet-vpn-unicast
  Egress-protection NLRI inet-vpn-unicast, keep-import: [ VPN-A-remote ]
  Number of flaps: 0

Meaning

NLRI configured with egress-protection shows the BGP family configured with egress protection. Egress-protection NLRI inet-vpn-unicast, keep-import: [remote-vrf] shows the egress protection routing policy for the BGP group.

Published: 2012-06-27