Connectivity
This chapter introduces a brownfield network (contains legacy systems) that uses LDP at the edge, and that tunnels over an RSVP-TE-only core. The chapter’s first task is to introduce SR intelligently and deliberately; then it will look at the extent to which SR can subsume all label distribution responsibility.
Some of the functionality detailed here may not yet have become generally available by the time this book is published. Please contact your Juniper account manager for timelines.
Reachability
Essential connectivity in SR is achieved by advertising prefix and adjacency segments. These are denoted by segment identifiers (SID). Many other types of SIDs exist, each serving a different purpose, but these two suffice to establish basic reachability. The prefix, and its specialized node SID form, uniquely identifies a router in a given topology, reachable through a particular path-finding algorithm; the adjacency SID identifies a routed link to an IGP neighbor.
There are more segment types than there is room to discuss them. Anycast segments represent a shared prefix across nodes that could be used for simple, stateless load-sharing and redundancy. A Level 2 adjacency SID represents individual member links of a LAG bundle and is expected to be used to verify per-member-link OAM; its corollary is the adjacency set that bundles adjacencies into a single segment. Binding SIDs represent tunnels. Some of these SIDs are explored in detail in Observability chapter:Optimizability.
Some segments are directly advertised as labels, as in the case of adjacency SIDs; prefix and node SIDs are indirectly advertised as indexes into an SR Global Block (SRGB). The SRGB represents the label space that nodes use to refer to global segments. It is one reason SR does not need to advertise a label for each IGP-learned prefix. The SRGB is configurable, and ideally consistent across the SR domain.
There is at least one segment associated with an IPv4 prefix and possibly another for IPv6. Node segments are associated with the router’s loopback address. Indeed, the IPv4 and IPv6 node indexes are expected to be treated just as loopback address are – managed by the operator and unique per-node in an SR domain.
Adjacency segments default to being dynamically assigned labels with a pop, and forwarded via the corresponding IGP adjacency action. These are used for strict steering, including traffic protection. Unlike node SIDs, adjacency SIDs have the option to be locally or globally significant (albeit, globally significant adjacency SIDs are uncommon).
Strictly speaking, node SIDs are only globally consistent when all routers share a common SRGB. This is the recommended deployment mode. A globally consistent node SID greatly simplifies operations, including troubleshooting, as a given router is represented by an identical entry in the label forwarding information base (LFIB) of all other routers in the same SR domain.
Brownfields
Our example network is depicted in Figure 1. This is a common design for many carriers. Both Internet and VPN overlay service are delivered by the combination of LDP/RSVP-TE as label distribution protocols, and multi-area IS-IS as the IGP of choice.
Since our focus is the underlay, let Internet and L3VPN connectivity suffice as proof of our work. Of course, any MPLS service – 6PE, 6VPE, L2VPN, EVPN, et. al., – could be delivered over this same network.
To orient ourselves, let’s run a traceroute from the CE in New York (ce1.nyc) to Washington (ce1.iad).
For the sake of brevity, Washington, DC will be called Washington from now on.
Connectivity verification
user@ce1.nyc> traceroute 198.51.100.54 routing-instance svc-inet traceroute to 198.51.100.54 (198.51.100.54), 30 hops max, 40 byte packets 1 pe1.nyc-ge-0-0-10.1 (198.51.100.1) 2.427 ms 1.646 ms 3.676 ms 2 p2.nyc-ge-0-0-2.0 (192.0.2.7) 70.034 ms p1.nyc-ge-0-0-2.0 (192.0.2.5) 7.387 ms p2.nyc-ge-0-0-2.0 (192.0.2.7) 52.897 ms MPLS Label=119 CoS=0 TTL=1 S=1 3 p1.phl-ge-0-0-2.0 (192.0.2.21) 55.576 ms p2.ewr-ge-0-0-2.0 (192.0.2.17) 6.849 ms p1.phl-ge-0-0-2.0 (192.0.2.21) 80.628 ms MPLS Label=313824 CoS=0 TTL=1 S=0 MPLS Label=352896 CoS=0 TTL=1 S=1 4 p2.iad-ge-0-0-6.0 (192.0.2.28) 7.129 ms p1.iad-ge-0-0-5.0 (192.0.2.30) 80.143 ms 73.898 ms MPLS Label=352896 CoS=0 TTL=1 S=1 5 pe1.iad-ge-0-0-1.0 (192.0.2.36) 6.994 ms 8.681 ms 5.971 ms 6 ce1.iad-ge-0-0-4.0 (198.51.100.54) 8.125 ms 7.631 ms 10.807 ms
Note that the labels in use will change once SR starts to be used.
For now, let’s enable SR on pe1.nyc and carefully trace the changes to the control and forwarding planes.
Enabling SR on pe1.nyc
The SRGB is configured to range from 1000 to 1127, inclusive. Within that range, this router represents its IPv4 loopback address as 1001 (1000 + 1, its IPv4-index). Let’s confirm this to be the case.
Control plane: node SID verification
user@pe1.nyc> show isis overview Instance: master Router ID: 128.49.106.1 Hostname: pe1.nyc Sysid: 0128.0049.1061 Areaid: 49.0001 Adjacency holddown: enabled Maximum Areas: 3 LSP life time: 1200 Attached bit evaluation: enabled SPF delay: 200 msec, SPF holddown: 5000 msec, SPF rapid runs: 3 Overload bit at startup is set Overload high metrics: disabled Allow route leaking: disabled Allow internal prefix overloading: disabled Allow external prefix overloading: disabled IPv4 is enabled, IPv6 is enabled, SPRING based MPLS is enabled Traffic engineering: enabled Restart: Disabled Helper mode: Enabled Layer2-map: Disabled Source Packet Routing (SPRING): Enabled SRGB Config Range: SRGB Start-Label : 1000, SRGB Index-Range : 128 SRGB Block Allocation: Success SRGB Start Index : 1000, SRGB Size : 128, Label-Range: [ 1000, 1127 ] Node Segments: Enabled Ipv4 Index : 1, Ipv6 Index : 61 Post Convergence Backup: Disabled Level 1 Internal route preference: 15 External route preference: 160 Prefix export count: 0 Wide metrics are enabled Source Packet Routing is enabled Level 2 Internal route preference: 18 External route preference: 165 Prefix export count: 0 Wide metrics are enabled, Narrow metrics are enabled Source Packet Routing is enabled
Apart from the manually-configured node SID, let’s verify that adjacency SIDs have also been dynamically allocated.
Control plane: adjacency SID verification
user@pe1.nyc> show isis database pe1.nyc level 1 extensive IS-IS level 1 link-state database: pe1.nyc.00-00 Sequence: 0x496, Checksum: 0x981e, Lifetime: 771 secs IPV4 Index: 1 Node Segment Blocks Advertised: Start Index : 0, Size : 128, Label-Range: [ 1000, 1127 ] IS neighbor: p2.nyc.00 Metric: 10 Two-way fragment: p2.nyc.00-00, Two-way first fragment: p2.nyc.00-00 P2P IPv4 Adj-SID: 26, Weight: 0, Flags: --VL-- IS neighbor: p1.nyc.00 Metric: 10 Two-way fragment: p1.nyc.00-00, Two-way first fragment: p1.nyc.00-00 P2P IPv4 Adj-SID: 27, Weight: 0, Flags: --VL-- IP prefix: 128.49.106.1/32 Metric: 0 Internal Up Header: LSP ID: pe1.nyc.00-00, Length: 191 bytes Allocated length: 1492 bytes, Router ID: 128.49.106.1 Remaining lifetime: 771 secs, Level: 1, Interface: 0 Estimated free bytes: 1257, Actual free bytes: 1301 Aging timer expires in: 771 secs Protocols: IP, IPv6 Packet: LSP ID: pe1.nyc.00-00, Length: 191 bytes, Lifetime : 1198 secs Checksum: 0x981e, Sequence: 0x496, Attributes: 0x5 <L1 Overload=> NLPID: 0x83, Fixed length: 27 bytes, Version: 1, Sysid length: 0 bytes Packet type: 18, Packet version: 1, Max area: 0 TLVs: Area address: 49.0001 (3) LSP Buffer Size: 1492 Speaks: IP Speaks: IPV6 IP router id: 128.49.106.1 IP address: 128.49.106.1 Hostname: pe1.nyc Router Capability: Router ID 128.49.106.1, Flags: 0x00 SPRING Capability - Flags: 0xc0(I:1,V:1), Range: 128, SID-Label: 1000 SPRING Algorithm - Algo: 0 Extended IS Reachability TLV, Type: 22, Length: 80 IS extended neighbor: p2.nyc.00, Metric: default 10 SubTLV len: 29 IP address: 192.0.2.6 Neighbor’s IP address: 192.0.2.7 Local interface index: 336, Remote interface index: 334 P2P IPV4 Adj-SID - Flags:0x30(F:0,B:0,V:1,L:1,S:0,P:0), Weight:0, Label: 26 P2P IPv4 Adj-SID: 26, Weight: 0, Flags: --VL-- IS extended neighbor: p1.nyc.00, Metric: default 10 SubTLV len: 29 IP address: 192.0.2.4 Neighbor’s IP address: 192.0.2.5 Local interface index: 335, Remote interface index: 334 P2P IPV4 Adj-SID - Flags:0x30(F:0,B:0,V:1,L:1,S:0,P:0), Weight:0, Label: 27 P2P IPv4 Adj-SID: 27, Weight: 0, Flags: --VL-- IP extended prefix: 128.49.106.1/32 metric 0 up 14 bytes of subtlvs Administrative tag 1: 1111 Node SID, Flags: 0x40(R:0,N:1,P:0,E:0,V:0,L:0), Algo: SPF(0), Value: 1 No queued transmissions </L1
There is one adjacency SID to each of pe1.nyc’s IS-IS neighbors. Additionally, the node SID is highlighted as a sub-TLV of the IP-extended prefix TLV. The flags also clarify and contrast between the two SID types. ‘V’ indicates whether the subTLV carries a value (as in the case of an adjacency SID) or an index (as with a node SID). ‘L’ represents local vs. global significance. Finally, the ‘N’ flag states that a given prefix SID is more specifically a node SID as it is attached to the router’s loopback address.
Forwarding plane: PE1’s FIB
user@pe1.nyc> show route table mpls.0 protocol isis mpls.0: 21 destinations, 21 routes (21 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 26 *[L-ISIS/14] 00:44:02, metric 0 > to 192.0.2.7 via ge-0/0/2.0, Pop 26(S=0) *[L-ISIS/14] 00:02:40, metric 0 > to 192.0.2.7 via ge-0/0/2.0, Pop 27 *[L-ISIS/14] 00:44:02, metric 0 > to 192.0.2.5 via ge-0/0/1.0, Pop 27(S=0) *[L-ISIS/14] 00:02:40, metric 0 > to 192.0.2.5 via ge-0/0/1.0, Pop
L-ISIS stands for labeled IS-IS. The adjacency SIDs are installed in the FIB but the node SID seems to be missing. This is normal. Since the ‘P’ flag (PHP-off) was not set, this router does not expect to receive packets with the top label 1001. Instead, 1001 would be popped by its neighbors (once they are enabled for SR). This is analogous to implicit-null behavior used by traditional label distribution protocols.
Inter-area
Since none of the other routers are currently enabled for SR, pe1.nyc’s SIDs aren’t yet learned by area-external routers. Intra-area routers, such as pe2.nyc, learn but ignore them.
user@ce1.nyc> traceroute 198.51.100.54 routing-instance svc-inet traceroute to 198.51.100.54 (198.51.100.54), 30 hops max, 40 byte packets 1 pe1.nyc-ge-0-0-10.1 (198.51.100.1) 6.659 ms 2.265 ms 2.116 ms 2 p2.nyc-ge-0-0-2.0 (192.0.2.7) 8.626 ms 8.556 ms 13.895 ms MPLS Label=119 CoS=0 TTL=1 S=1 3 p2.ewr-ge-0-0-2.0 (192.0.2.17) 20.193 ms p1.phl-ge-0-0-2.0 (192.0.2.21) 18.045 ms 11.514 ms MPLS Label=313824 CoS=0 TTL=1 S=0 MPLS Label=352896 CoS=0 TTL=1 S=1 4 p1.iad-ge-0-0-5.0 (192.0.2.30) 10.881 ms 9.305 ms 8.683 ms MPLS Label=352896 CoS=0 TTL=1 S=1 5 pe1.iad-ge-0-0-1.0 (192.0.2.36) 8.032 ms pe1.iad-ge-0-0-2.0 (192.0.2.38) 8.232 ms pe1.iad-ge-0-0-1.0 (192.0.2.36) 7.529 ms 6 ce1.iad-ge-0-0-4.0 (198.51.100.54) 15.007 ms 10.747 ms 12.320 ms
Nothing has changed, as one would expect. Labeled IS-IS has a lower protocol preference than LDP or RSVP-TE, and requires operator intervention to start being used. No SR forwarding is taking place as our SR domain is an island of one, as shown in Figure 2. In the next section, we’ll configure node SIDs on all routers in New York (which also share a common IS-IS area), starting with the L1-L2 attached p1.nyc.
Enabling SR on p1.nyc
Control plane
Let’s verify what has changed more quickly and briefly this time. Abridged output will be shown to highlight points of interest indicated by ellipses (…).
user@p1.nyc> show isis database extensive p1.nyc IS-IS level 1 link-state database: p1.nyc.00-00 Sequence: 0x4b8, Checksum: 0x6c1a, Lifetime: 546 secs IPV4 Index: 3 Node Segment Blocks Advertised: Start Index : 0, Size : 128, Label-Range: [ 1000, 1127 ] IS neighbor: pe2.nyc.00 Metric: 10 Two-way fragment: pe2.nyc.00-00, Two-way first fragment: pe2.nyc.00-00 P2P IPv4 Adj-SID: 30, Weight: 0, Flags: --VL-- IS neighbor: pe1.nyc.00 Metric: 10 Two-way fragment: pe1.nyc.00-00, Two-way first fragment: pe1.nyc.00-00 P2P IPv4 Adj-SID: 31, Weight: 0, Flags: --VL-- IS neighbor: p2.nyc.00 Metric: 10 Two-way fragment: p2.nyc.00-00, Two-way first fragment: p2.nyc.00-00 P2P IPv4 Adj-SID: 32, Weight: 0, Flags: --VL-- ... TLVs: ... IP extended prefix: 128.49.106.3/32 metric 0 up 14 bytes of subtlvs Administrative tag 1: 1111 Node SID, Flags: 0x40(R:0,N:1,P:0,E:0,V:0,L:0), Algo: SPF(0), Value: 3 IS-IS level 2 link-state database: p1.nyc.00-00 Sequence: 0x758, Checksum: 0xc13, Lifetime: 967 secs IPV4 Index: 3 Node Segment Blocks Advertised: Start Index : 0, Size : 128, Label-Range: [ 1000, 1127 ] IS neighbor: p2.nyc.00 Metric: 999999 Two-way fragment: p2.nyc.00-00, Two-way first fragment: p2.nyc.00-00 P2P IPv4 Adj-SID: 33, Weight: 0, Flags: --VL-- IS neighbor: p1.ewr.00 Metric: 10 Two-way fragment: p1.ewr.00-00, Two-way first fragment: p1.ewr.00-00 P2P IPv4 Adj-SID: 29, Weight: 0, Flags: --VL-- IS neighbor: p1.phl.00 Metric: 10 Two-way fragment: p1.phl.00-00, Two-way first fragment: p1.phl.00-00 P2P IPv4 Adj-SID: 28, Weight: 0, Flags: --VL-- ... TLVs: ... IP extended prefix: 128.49.106.3/32 metric 0 up 14 bytes of subtlvs Administrative tag 1: 1111 Node SID, Flags: 0x40(R:0,N:1,P:0,E:0,V:0,L:0), Algo: SPF(0), Value: 3 IP extended prefix: 128.49.106.1/32 metric 10 up 14 bytes of subtlvs Administrative tag 1: 1111 Node SID, Flags: 0xe0(R:1,N:1,P:1,E:0,V:0,L:0), Algo: SPF(0), Value: 1
Two differences are apparent compared to pe1.nyc. As an area border router (ABR), p1.nyc not only advertises its own node SID into both the L1 and L2 areas, it also re-originates pe1.nyc’s node SID advertisement across areas. This allows global segments to be learned across IGP areas. The ‘R’ flag indicates this node SID is being re-advertised across areas/levels.
Crucially, the ‘P’ flag is set on this re-advertised node SID, in stark contrast to p1.nyc’s own node SID. This signals to SR-capable neighbors that p1.nyc expects them to use the continue (swap) action and retain the top label which it interprets as a forwarding instruction to pe1.nyc.
Forwarding plane: P1’s FIB
We can confirm that p1.nyc has installed an entry for label 1001, which represents pe1.nyc’s node SID:
user@p1.nyc> show route table mpls.0 protocol isis mpls.0: 31 destinations, 31 routes (31 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 28 *[L-ISIS/14] 00:34:55, metric 0 > to 192.0.2.21 via ge-0/0/5.0, Pop 28(S=0) *[L-ISIS/14] 00:09:21, metric 0 > to 192.0.2.21 via ge-0/0/5.0, Pop 29 *[L-ISIS/14] 00:34:55, metric 0 > to 192.0.2.15 via ge-0/0/4.0, Pop 29(S=0) *[L-ISIS/14] 00:09:21, metric 0 > to 192.0.2.15 via ge-0/0/4.0, Pop 30 *[L-ISIS/14] 00:34:55, metric 0 > to 192.0.2.8 via ge-0/0/3.0, Pop 30(S=0) *[L-ISIS/14] 00:07:10, metric 0 > to 192.0.2.8 via ge-0/0/3.0, Pop 31 *[L-ISIS/14] 00:34:55, metric 0 > to 192.0.2.4 via ge-0/0/2.0, Pop 31(S=0) *[L-ISIS/14] 00:07:10, metric 0 > to 192.0.2.4 via ge-0/0/2.0, Pop 32 *[L-ISIS/14] 00:34:55, metric 0 > to 192.0.2.13 via ge-0/0/1.0, Pop 32(S=0) *[L-ISIS/14] 00:07:10, metric 0 > to 192.0.2.13 via ge-0/0/1.0, Pop 33 *[L-ISIS/14] 00:34:55, metric 0 > to 192.0.2.13 via ge-0/0/1.0, Pop 33(S=0) *[L-ISIS/14] 00:09:21, metric 0 > to 192.0.2.13 via ge-0/0/1.0, Pop 1001 *[L-ISIS/14] 00:34:55, metric 10 > to 192.0.2.4 via ge-0/0/2.0, Pop 1001(S=0) *[L-ISIS/14] 00:07:10, metric 10 > to 192.0.2.4 via ge-0/0/2.0, Pop
Not only can you see a pop (the MPLS forwarding plane’s version of continue) action for incoming label 1001, you can see pop actions for adjacency SID labels 28-33.
Forwarding plane: PE1’s FIB
user@pe1.nyc> show route protocol isis table mpls.0 mpls.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 26 *[L-ISIS/14] 02:06:55, metric 0 > to 192.0.2.7 via ge-0/0/2.0, Pop 26(S=0) *[L-ISIS/14] 00:10:50, metric 0 > to 192.0.2.7 via ge-0/0/2.0, Pop 27 *[L-ISIS/14] 00:48:12, metric 0 > to 192.0.2.5 via ge-0/0/1.0, Pop 27(S=0) *[L-ISIS/14] 00:10:50, metric 0 > to 192.0.2.5 via ge-0/0/1.0, Pop 1003 *[L-ISIS/14] 00:35:14, metric 10 > to 192.0.2.5 via ge-0/0/1.0, Pop 1003(S=0) *[L-ISIS/14] 00:10:50, metric 10 > to 192.0.2.5 via ge-0/0/1.0, Pop
On pe1.nyc there is now a forwarding entry for label 1003, representing p1.nyc’s node SID.
Inter-area
Other than pe1.nyc, none of p1.nyc’s other neighbors are SR-enabled. All L2 neighbors learn about, but ignore, the segments.
Connectivity verification
user@ce1.nyc> traceroute 198.51.100.54 routing-instance svc-inet traceroute to 198.51.100.54 (198.51.100.54), 30 hops max, 40 byte packets 1 pe1.nyc-ge-0-0-10.1 (198.51.100.1) 3.118 ms 2.042 ms 1.803 ms 2 p2.nyc-ge-0-0-2.0 (192.0.2.7) 7.747 ms p1.nyc-ge-0-0-2.0 (192.0.2.5) 101.823 ms p2.nyc-ge-0-0-2.0 (192.0.2.7) 23.312 ms MPLS Label=119 CoS=0 TTL=1 S=1 3 p1.phl-ge-0-0-2.0 (192.0.2.21) 7.152 ms p2.ewr-ge-0-0-2.0 (192.0.2.17) 69.566 ms 67.497 ms MPLS Label=314 CoS=0 TTL=1 S=0 MPLS Label=355776 CoS=0 TTL=1 S=1 4 p1.iad-ge-0-0-5.0 (192.0.2.30) 11.528 ms 9.755 ms p2.iad-ge-0-0-6.0 (192.0.2.28) 6.276 ms MPLS Label=355776 CoS=0 TTL=1 S=1 5 pe1.iad-ge-0-0-1.0 (192.0.2.36) 5.667 ms 8.056 ms pe1.iad-ge-0-0-2.0 (192.0.2.38) 10.915 ms 6 ce1.iad-ge-0-0-4.0 (198.51.100.54) 169.285 ms 11.048 ms 9.896 ms
As unexciting as the lack of change in forwarding behavior may be, this is reassuring. Enabling SR has not inadvertently changed, let alone harmed, existing services. After all, a controlled deployment is preferred.
Enabling SR on the remaining New York routers
Control plane
At this point you should know what to expect. Two new node SIDs would be advertised into the L1 area; pe2.nyc’s node SID would be re-advertised by both p1.nyc and p2.nyc into the L2 subdomain. Like pe1. nyc’s before it, it would be ignored by the non-SR enabled L2 routers for now. Let’s see:
user@p2.nyc> show isis database p2.nyc extensive IS-IS level 1 link-state database: p2.nyc.00-00 Sequence: 0x4a3, Checksum: 0x28ab, Lifetime: 851 secs IPV4 Index: 2 Node Segment Blocks Advertised: Start Index : 0, Size : 128, Label-Range: [ 1000, 1127 ] IS neighbor: pe2.nyc.00 Metric: 10 Two-way fragment: pe2.nyc.00-00, Two-way first fragment: pe2.nyc.00-00 P2P IPv4 Adj-SID: 265, Weight: 0, Flags: --VL-- IS neighbor: pe1.nyc.00 Metric: 10 Two-way fragment: pe1.nyc.00-00, Two-way first fragment: pe1.nyc.00-00 P2P IPv4 Adj-SID: 266, Weight: 0, Flags: --VL-- IS neighbor: p1.nyc.00 Metric: 10 Two-way fragment: p1.nyc.00-00, Two-way first fragment: p1.nyc.00-00 P2P IPv4 Adj-SID: 267, Weight: 0, Flags: --VL-- ... TLVs: ... IP extended prefix: 128.49.106.2/32 metric 0 up 14 bytes of subtlvs Administrative tag 1: 1111 Node SID, Flags: 0x40(R:0,N:1,P:0,E:0,V:0,L:0), Algo: SPF(0), Value: 2 IS-IS level 2 link-state database: p2.nyc.00-00 Sequence: 0x4a0, Checksum: 0x8f75, Lifetime: 851 secs IPV4 Index: 2 Node Segment Blocks Advertised: Start Index : 0, Size : 128, Label-Range: [ 1000, 1127 ] IS neighbor: p1.nyc.00 Metric: 999999 Two-way fragment: p1.nyc.00-00, Two-way first fragment: p1.nyc.00-00 P2P IPv4 Adj-SID: 268, Weight: 0, Flags: --VL-- IS neighbor: p2.ewr.00 Metric: 10 Two-way fragment: p2.ewr.00-00, Two-way first fragment: p2.ewr.00-00 P2P IPv4 Adj-SID: 264, Weight: 0, Flags: --VL-- IS neighbor: p2.phl.00 Metric: 10 Two-way fragment: p2.phl.00-00, Two-way first fragment: p2.phl.00-00 P2P IPv4 Adj-SID: 263, Weight: 0, Flags: --VL-- ... TLVs: ... IP extended prefix: 128.49.106.2/32 metric 0 up 14 bytes of subtlvs Administrative tag 1: 1111 Node SID, Flags: 0x40(R:0,N:1,P:0,E:0,V:0,L:0), Algo: SPF(0), Value: 2 IP extended prefix: 128.49.106.0/32 metric 10 up 14 bytes of subtlvs Administrative tag 1: 1111 Node SID, Flags: 0xe0(R:1,N:1,P:1,E:0,V:0,L:0), Algo: SPF(0), Value: 0 IP extended prefix: 128.49.106.1/32 metric 10 up 14 bytes of subtlvs Administrative tag 1: 1111 Node SID, Flags: 0xe0(R:1,N:1,P:1,E:0,V:0,L:0), Algo: SPF(0), Value: 1 IP extended prefix: 128.49.106.3/32 metric 10 up 14 bytes of subtlvs Administrative tag 1: 1111 Node SID, Flags: 0xe0(R:1,N:1,P:1,E:0,V:0,L:0), Algo: SPF(0), Value: 3
This should now be familiar, there are adjacency SIDs for each IS-IS neighbor (SR-capable or not), as well as node SIDs (re-advertised in all cases but one) for all SR-capable routers.
Connectivity verification
user@ce1.nyc> traceroute 198.51.100.54 routing-instance svc-inet traceroute to 198.51.100.54 (198.51.100.54), 30 hops max, 40 byte packets 1 pe1.nyc-ge-0-0-10.1 (198.51.100.1) 27.852 ms 38.214 ms 2.399 ms 2 p2.nyc-ge-0-0-2.0 (192.0.2.7) 8.883 ms p1.nyc-ge-0-0-2.0 (192.0.2.5) 7.776 ms p2.nyc-ge-0-0-2.0 (192.0.2.7) 6.584 ms MPLS Label=119 CoS=0 TTL=1 S=1 3 p1.phl-ge-0-0-2.0 (192.0.2.21) 6.929 ms p2.ewr-ge-0-0-2.0 (192.0.2.17) 7.092 ms 8.230 ms MPLS Label=314 CoS=0 TTL=1 S=0 MPLS Label=355776 CoS=0 TTL=1 S=1 4 p1.iad-ge-0-0-5.0 (192.0.2.30) 7.097 ms 6.988 ms p2.iad-ge-0-0-6.0 (192.0.2.28) 7.142 ms MPLS Label=355776 CoS=0 TTL=1 S=1 5 pe1.iad-ge-0-0-1.0 (192.0.2.36) 6.132 ms pe1.iad-ge-0-0-2.0 (192.0.2.38) 8.677 ms 5.444 ms 6 ce1.iad-ge-0-0-4.0 (198.51.100.54) 11.672 ms 9.005 ms 7.873 ms
Finally you can confirm no change to traffic forwarding.
All this work to no end? Hardly. It has been proven that enabling the SR control plane does not force an operator to immediately utilize its forwarding plane. Indeed, this is likely to be the first step in any migration to SR – control plane verification coupled with continued service assurance.
Switching to SR
SR is now enabled throughout New York. All it will take to make the adjustment is a protocol preference on an ingress router. So far we have been testing forwarding between CEs in New York and Washington. Since our SR domain is constrained to the former, let’s quickly verify connectivity between CEs within the region.
Connectivity verification
user@ce1.nyc> traceroute routing-instance svc-inet 198.51.100.0 traceroute to 198.51.100.0 (198.51.100.0), 30 hops max, 40 byte packets 1 pe2.nyc-ge-0-0-10.1 (198.51.100.3) 235.860 ms 226.521 ms 69.491 ms 2 p1.nyc-ge-0-0-3.0 (192.0.2.9) 11.960 ms 4.510 ms p2.nyc-ge-0-0-3.0 (192.0.2.11) 4.477 ms MPLS Label=257 CoS=0 TTL=1 S=1 3 pe1.nyc-ge-0-0-1.0 (192.0.2.4) 3.625 ms 4.503 ms pe1.nyc-ge-0-0-2.0 (192.0.2.6) 5.833 ms 4 ce1.nyc-ge-0-0-1.1 (198.51.100.0) 6.088 ms 6.480 ms 7.580 ms
None of the SR labels are in use. This makes sense since pe2.nyc, the ingress router, continues to prefer LDP-learned next hops when doing BGP service route resolution.
Control plane
Let’s verify the service route and its next hop on ingress PE:
user@pe2.nyc> show route 198.51.100.0 active-path extensive inet.0: 30 destinations, 37 routes (30 active, 0 holddown, 0 hidden) 198.51.100.0/31 (2 entries, 1 announced) ... Indirect next hops: 1 Protocol next hop: 128.49.106.1 Metric: 1 Indirect next hop: 0xba57f80 1048577 INH Session ID: 0x165 Indirect path forwarding next hops: 2 Next hop type: Router Next hop: 192.0.2.9 via ge-0/0/1.0 weight 0x1 Session Id: 0x0 Next hop: 192.0.2.11 via ge-0/0/2.0 weight 0x1 Session Id: 0x0 user@pe2.nyc> show route 128.49.106.1 table inet.3 inet.3: 8 destinations, 11 routes (8 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 128.49.106.1/32 *[LDP/9] 00:54:50, metric 1 to 192.0.2.9 via ge-0/0/1.0, Push 18 > to 192.0.2.11 via ge-0/0/2.0, Push 257 [L-ISIS/14] 00:54:29, metric 20 to 192.0.2.9 via ge-0/0/1.0, Push 1001 > to 192.0.2.11 via ge-0/0/2.0, Push 1001 user@pe2.nyc> show isis adjacency Interface System L State Hold (secs) SNPA ge-0/0/1.0 p1.nyc 1 Up 26 ge-0/0/2.0 p2.nyc 1 Up 26 user@pe2.nyc> show ldp database | match “put|128.49.106.1/32” Input label database, 128.49.106.0:0--128.49.106.2:0 257 128.49.106.1/32 ...
The BGP route we’re tracing is learned with a protocol next hop of 128.49.106.1 – this is pe1.nyc’s loop-back address. A label is associated with this forwarding equivalence class (FEC) from both LDP and SR (L-ISIS stands for labeled IS-IS) neighbors. The former has a superior protocol preference, leading to the pe2.nyc imposing the LDP-learned label 257 from its chosen neighbor (p2.nyc).
Since ECMP is in effect, pe2.nyc could equally as well have pushed label 18 which is advertised by p1.nyc for the same FEC. This is a forwarding plane decision. It is a result of hashing incoming packet headers and using the result to select a single outbound path on a per-flow basis.
To make the change, let’s improve the protocol preference for L-ISIS on pe2.nyc.
Prefer SR for intra-region traffic originating at pe2.nyc
Control plane: confirm pe2.nyc performs route resolution using SR instead of LDP
user@pe2.nyc> show route 128.49.106.1 table inet.3 inet.3: 8 destinations, 11 routes (8 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 128.49.106.1/32 *[L-ISIS/8] 00:00:41, metric 20 to 192.0.2.9 via ge-0/0/1.0, Push 1001 > to 192.0.2.11 via ge-0/0/2.0, Push 1001 [LDP/9] 01:10:36, metric 1 to 192.0.2.9 via ge-0/0/1.0, Push 18 > to 192.0.2.11 via ge-0/0/2.0, Push 257
The protocol next hop now prefers the SR divined label (1001, pe1.nyc’s node SID). This should have (finally!) affected the forwarding plane.
Connectivity verification: intra-NY traffic is SR-switched
user@ce1.nyc> traceroute routing-instance svc-inet 198.51.100.0 traceroute to 198.51.100.0 (198.51.100.0), 30 hops max, 40 byte packets 1 pe2.nyc-ge-0-0-10.1 (198.51.100.3) 2.903 ms 3.001 ms 1.934 ms 2 p2.nyc-ge-0-0-3.0 (192.0.2.11) 5.263 ms p1.nyc-ge-0-0-3.0 (192.0.2.9) 35.811 ms 87.604 ms MPLS Label=1001 CoS=0 TTL=1 S=1 3 pe1.nyc-ge-0-0-1.0 (192.0.2.4) 188.617 ms 47.428 ms 8.965 ms 4 ce1.nyc-ge-0-0-1.1 (198.51.100.0) 10.858 ms 5.580 ms 5.275 ms
Note the change in the label pushed by pe2.nyc from 257 to 1001. This confirms traffic in the SR domain is now exercising the LSP woven by segments. Just to make sure all extra-regional traffic remains unaffected by the protocol preference change on pe2.nyc, a trace to the cross-country destination in Washington, remains traditionally label-switched.
Connectivity verification: extra-NY traffic still uses LDP
user@ce1.nyc> traceroute 198.51.100.54 routing-instance svc-inet traceroute to 198.51.100.54 (198.51.100.54), 30 hops max, 40 byte packets 1 pe2.nyc-ge-0-0-10.1 (198.51.100.3) 49.540 ms 78.154 ms 68.680 ms 2 p1.nyc-ge-0-0-3.0 (192.0.2.9) 62.733 ms 64.765 ms p2.nyc-ge-0-0-3.0 (192.0.2.11) 64.562 ms MPLS Label=119 CoS=0 TTL=1 S=1 3 p1.phl-ge-0-0-2.0 (192.0.2.21) 60.903 ms 6.794 ms p2.ewr-ge-0-0-2.0 (192.0.2.17) 33.531 ms MPLS Label=314 CoS=0 TTL=1 S=0 MPLS Label=355776 CoS=0 TTL=1 S=1 4 p2.iad-ge-0-0-6.0 (192.0.2.28) 6.553 ms p1.iad-ge-0-0-5.0 (192.0.2.30) 96.063 ms 67.346 ms MPLS Label=352896 CoS=0 TTL=1 S=1 5 pe1.iad-ge-0-0-2.0 (192.0.2.38) 8.891 ms pe1.iad-ge-0-0-1.0 (192.0.2.36) 6.837 ms 6.421 ms 6 ce1.iad-ge-0-0-4.0 (198.51.100.54) 30.158 ms 108.181 ms 84.979 ms
Now that we are convinced there is no discontinuity of service as a result of our actions, let’s mirror pe2. nyc’s SR preference on all New York routers. The configuration is identical:
At this point, the New York routers prefer SR to LDP for next-hop resolution to other New York routers. Routers outside the region remain without SR and traffic continues to be forwarded without disruption.
Class of Service Preservation
Now that our island is functional, let’s take a brief look at how SR supports networks that offer strict SLAs around uptime and class of service (CoS). A widely deployed technique is to disable penultimate hop popping (PHP) in favor of ultimate hop pop-like (UHP) behavior. Since SR does not directly advertise node SIDs as labels, it uses flags to request UHP behavior from upstream routers. Let’s enable UHP on pe1.nyc and review the change to its neighbors’ FIB.
Enable explicit-null UHP behavior on egress router pe1.nyc
Control plane: verify the change in pe1.nyc’s IS-IS LSP
user@pe1.nyc> show isis database pe1.nyc extensive IS-IS level 1 link-state database: pe1.nyc.00-00 Sequence: 0x4d4, Checksum: 0x4f97, Lifetime: 1195 secs IPV4 Index: 1 ... IP extended prefix: 128.49.106.1/32 metric 0 up \ 14 bytes of subtlvs Administrative tag 1: 1111 Node SID, Flags: 0x70(R:0,N:1,P:1,E:1,V:0,L:0), Algo: SPF(0), Value: 1
In contrast with earlier output, pe1.nyc now advertises its
node SID with both the ‘P’
(PHP-Off, or disable PHP) and ‘E’
(enable explicit-null, or use reserved label 0) flags set.
This leads its neighbors, p1.nyc and p2.nyc, to use the continue (swap) instead of the next (pop) action for label 1001 (pe1.nyc’s node index is 1, and the network uses a common SRGB of 1K as discussed earlier). There is no change to pe2.nyc’s FIB. It is not directly connected to pe1.nyc. PHP and UHP behaviors are only relevant for the immediately upstream routers.
Forwarding plane: verify pe1.nyc neighbors’ FIB
user@p1.nyc> show route label 1001 mpls.0: 35 destinations, 35 routes (35 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 1001 *[L-ISIS/8] 00:04:03, metric 10 > to 192.0.2.4 via ge-0/0/2.0, Swap 0 1001(S=0) *[L-ISIS/8] 00:04:03, metric 10 > to 192.0.2.4 via ge-0/0/2.0, Pop user@p2.nyc> show route label 1001 mpls.0: 40 destinations, 40 routes (40 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 1001 *[L-ISIS/8] 00:04:05, metric 10 > to 192.0.2.6 via ge-0/0/2.0, Swap 0 1001(S=0) *[L-ISIS/8] 00:04:05, metric 10 > to 192.0.2.6 via ge-0/0/2.0, Pop user@pe2.nyc> show route label 1001 mpls.0: 26 destinations, 26 routes (26 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 1001 *[L-ISIS/8] 09:14:56, metric 20 to 192.0.2.9 via ge-0/0/1.0, Swap 1001 > to 192.0.2.11 via ge-0/0/2.0, Swap 1001
Both p1 and p2 are now swapping label 1001 with label 0, which is the well-known IPv4 explicit null label. This label ensures the MPLS traffic class (previously also known as experimental bits) is consistently copied to the last hop router. At that last hop, label 0 is popped and an IPv4 lookup occurs. The existence of label 0 has enabled CoS transparency and preservation.
Before proceeding, note that UHP is also enabled on pe2.nyc.
Traffic Protection and Restoration
Packet networks have long been able to deliver protection within 50ms of failure, crossing the bar set by SONET/SDH networks. IP-based fast reroute (FRR) is available for LDP as loop-free alternate (LFA) and remote LFA (rLFA). In turn, RSVP-TE has rich mechanisms in place to protect against loss of link, node, or fate-sharing resources identified as shared-risk link groups (SRLG).
Neither approach is without its caveats. LFA is topology-dependent in its ability to provide protection; rLFA improves on this at the expense of added targeted LDP session state and complexity. RSVP-TE has the most thorough feature set, which depends on additional signaling and state maintenance of bypass and detour LSPs.
SR’s ability to source route, explicitly steering, and lack of transit control plane state lends itself well to establishing costless local protection paths. As long as there is physical redundancy in a topology, Topology-Independent Loop-free Alternate (TI-LFA) will find alternate routes. It can reroute around protected links, nodes, or locally-defined fate-sharing groups. Another improvement over erstwhile protection technologies is that TI-LFA protection paths are also ECMP-capable.
TI-LFA protection is local to the point of local repair (PLR). The backup paths are pre-computed but not pre-signaled. There is no singular merge point (MP) as each release point can be per-prefix optimized. The pre-computed paths prune or heavily cost out the protected resource from the topology in order to calculate post-IGP-convergence path(s). A failure of the protected resource results in a single update of the data plane, combining both local and global repair into one step.
Let’s enable link protection on p1.nyc and observe the resulting change on its SR neighbors.
Enable TI-LFA link protection for all level 1 links on p1.nyc
Control plane: verify p1.nyc is announcing its adjacency SIDs as protection-eligible
user@p1.nyc> show isis database extensive p1.nyc level 1 IS-IS level 1 link-state database: p1.nyc.00-00 Sequence: 0x510, Checksum: 0x192f, Lifetime: 1078 secs IPV4 Index: 3 Node Segment Blocks Advertised: Start Index : 0, Size : 128, Label-Range: [ 1000, 1127 ] IS neighbor: pe2.nyc.00 Metric: 10 Two-way fragment: pe2.nyc.00-00, Two-way first fragment: pe2.nyc.00-00 P2P IPv4 Adj-SID: 47, Weight: 0, Flags: -BVL-- IS neighbor: pe1.nyc.00 Metric: 10 Two-way fragment: pe1.nyc.00-00, Two-way first fragment: pe1.nyc.00-00 P2P IPv4 Adj-SID: 48, Weight: 0, Flags: -BVL-- IS neighbor: p2.nyc.00 Metric: 10 Two-way fragment: p2.nyc.00-00, Two-way first fragment: p2.nyc.00-00 P2P IPv4 Adj-SID: 35, Weight: 0, Flags: -BVL—
The ‘B’ flag signals that p1.nyc considers these adjacency SIDs candidates for protection. Let’s look at one of these in detail – SID 47, which represents the link to pe2.nyc.
Forwarding plane: verify p1.nyc has installed backup paths for protection-eligible SIDs
user@p1.nyc> show route label 47 extensive mpls.0: 35 destinations, 35 routes (35 active, 0 holddown, 0 hidden) … Next hop: 192.0.2.8 via ge-0/0/3.0 weight 0x1, selected Label operation: Pop … Next hop: 192.0.2.13 via ge-0/0/1.0 weight 0xf000 Label operation: Swap 1000 user@p1.nyc> show isis adjacency Interface System L State Hold (secs) SNPA ge-0/0/1.0 p2.nyc 3 Up 23 ... ge-0/0/3.0 pe2.nyc 1 Up 20
There are two unequal next hops, the latter newly added as a backup. Note that p1.nyc’s computed backup to reach pe2.nyc, avoiding the protected ge-0/0/3 link, is via p2.nyc. The primary action for incoming label 47 would be to pop and send directly to pe2.nyc. The backup action is to swap it for pe2.nyc’s node SID (label 1000) and send to p2.nyc, as shown in Figure 3. At that router, the label is swapped for 0, as a result of pe2.nyc advertising its reachability via explicit-null.
Forwarding plane: verify p2.nyc acts as a transit router on this stateless protection path
user@p2.nyc> show route label 1000 mpls.0: 37 destinations, 37 routes (37 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 1000 *[L-ISIS/8] 12:18:02, metric 10 > to 192.0.2.10 via ge-0/0/3.0, Swap 0 1000(S=0) *[L-ISIS/8] 00:03:43, metric 10 > to 192.0.2.10 via ge-0/0/3.0, Pop
This concludes the first leg: SR is enabled and in active use, albeit in a contained part of the network. There is reachability, and the ability to preserve CoS markings, as well as offer stateless traffic protection and restoration.
The next step is to broach SR into the rest of the network.