Seamless BFD Application — Auto-bind tunnel
This chapter provides information about seamless BFD application — auto-bind tunnel.
Applicability
This chapter was initially written based on SR OS Release 19.10.R3, but the CLI in the current edition corresponds to SR OS Release 23.3.R3.
A prerequisite is to read the "Seamless BFD for SR-TE LSPs" chapter in the Segment Routing and PCE volume in the 7450 ESS, 7750 SR, and 7950 XRS Advanced Configuration Guide - Part I.
Overview
Bidirectional forwarding detection (BFD) is widely deployed in IP/MPLS networks to rapidly detect failures in the forwarding path between network elements.
Seamless BFD (S-BFD) is described in RFC 7880. S-BFD minimizes the time required to establish BFD sessions by removing the discovery of discriminators during the initial handshaking procedure, which contributes to its seamless operation. S-BFD relies on the fact that the discriminators needed to establish the BFD session are already known by the endpoints for each session, either through configuration or advertisement using unicast protocols.
The figure "S-BFD session establishment – continuity check" shows the S-BFD session establishment between PE-1 and PE-4. The BFD discriminator used by the initiator is chosen by the system. On PE-1, the BFD (initiator) discriminator equals 123; on PE-4, the S-BFD (reflector) discriminator equals 524288. Through IGP advertisement or configuration, head-end router PE-1 is aware of the S-BFD discriminator of PE-4 (system ID 192.0.2.4; S-BFD discriminator 524288).
The state of the SR-TE LSP is linked to the state of the S-BFD session when failure action failover-or-down is configured. In the "Seamless BFD for SR-TE LSPs" chapter in the Segment Routing and PCE volume in the 7450 ESS, 7750 SR, and 7950 XRS Advanced Configuration Guide - Part I, one of the examples illustrates the use of S-BFD with failure action failover-or-down in an SR-TE LSP with a primary path and a standby secondary path. When a link or node fails on the primary path, the S-BFD session goes down and the head-end node switches to a standby path that is operationally up.
In this chapter, S-BFD is configured in an SR-TE LSP with primary path only. Services such as VPRNs or EVPNs may have auto-bind tunnel configured with multiple tunnel resolution protocols, such as SR-TE and SR-ISIS. SR-TE tunnels are preferred to SR-ISIS tunnels. When a link or node fails on the primary path, the S-BFD session goes operationally down and the SR-TE LSP goes operationally down, and is removed from the tunnel table. The head-end node reverts to the best preference tunnel that is up; in this case, an SR-ISIS tunnel.
Configuration
The figure "Example topology" shows the example topology. The VPRN and EVPN services will be configured on PE-2 and PE-5.
Initial configuration
The initial configuration on the PEs includes:
Cards, MDAs, ports
Router interfaces
IS-IS as IGP (alternatively, OSPF can be used)
SR-ISIS enabled
Traffic engineering enabled on PE-2 and PE-5
The initial configuration on PE-2 is as follows:
# on PE-2:
configure
    router Base
        interface "int-PE-2-PE-3"
            address 192.168.23.1/30
            port 1/1/c2/1:1000
        exit
        interface "int-PE-2-PE-4"
            address 192.168.24.1/30
            port 1/1/c1/1:1000
        exit
        interface "system"
            address 192.0.2.2/32
        exit
        mpls-labels
            sr-labels start 32000 end 32999
        exit
        isis 0
            area-id 49.0001
            traffic-engineering
            advertise-router-capability area
            segment-routing
                prefix-sid-range global
                no shutdown
            exit
            interface "system"
                ipv4-node-sid index 2
            exit
            interface "int-PE-2-PE-3"
                interface-type point-to-point
            exit
            interface "int-PE-2-PE-4"
                interface-type point-to-point
            exit
            no shutdown
        exit
S-BFD configuration
For S-BFD, the reflector BFD discriminator values must be configured in the range from 524288 to 526335. On far-end node PE-5, the global S-BFD configuration is as follows. This S-BFD discriminator will be advertised by IGP.
# on PE-5:
configure
    bfd
        seamless-bfd
            reflector "PE-5"
                discriminator 524291
                local-state up
                no shutdown
            exit
        exit
For S-BFD, a BFD template of type CPM-NP must be configured. On PE-2, the following BFD template is configured:
# on PE-2:
configure
    router Base
        bfd
            begin
            bfd-template "bfd-cpm-np-1s"
                type "cpm-np"
                transmit-interval 1000    # minimum value is 10 ms
                receive-interval 1000     # minimum value is 10 ms
            exit
            commit
Even though CPM-NP BFD supports intervals as low as 10 ms, the example setup has a limitation. The nodes in the example setup are sims, and in the simulation of CPM-NP or central BFD sessions, intervals configured with a value smaller than 1000 ms are always negotiated to 1000 ms. To avoid confusion when the configured intervals differ from the negotiated intervals on sims, a BFD template with intervals of 1000 ms is configured and used in this chapter.
On PE-2, the preceding BFD template is applied in the following SR-TE LSP to PE-5. For SR-TE LSPs, the only allowed failure action is failover-or-down.
# on PE-2:
configure
    router Base
        mpls
            path "empty"
                no shutdown
            exit
            lsp "LSP-PE-2-PE-5_empty_localCSPF" sr-te
                to 192.0.2.5
                path-computation-method local-cspf
                bfd
                    bfd-template "bfd-cpm-np-1s"
                    bfd-enable
                    failure-action failover-or-down
                exit
                primary "empty"
                exit
                no shutdown
            exit
            no shutdown
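The S-BFD rules stated in this section (reflector discriminator range, a CPM-NP template, and failure action failover-or-down on the SR-TE LSP) can be checked against a configuration file before it is loaded. The following Python linter is an added example, not part of the Nokia guide; the function name `lint_sbfd`, the regular expressions, and the faulty sample are assumptions made for illustration.

```python
import re

REFLECTOR_MIN, REFLECTOR_MAX = 524288, 526335  # range stated in this chapter

# The chapter's own S-BFD settings, condensed (PE-5 reflector, PE-2 template and LSP).
GOOD = '''
reflector "PE-5"
    discriminator 524291
bfd-template "bfd-cpm-np-1s"
    type "cpm-np"
lsp "LSP-PE-2-PE-5_empty_localCSPF" sr-te
    bfd
        bfd-template "bfd-cpm-np-1s"
        bfd-enable
        failure-action failover-or-down
    exit
'''

# Constructed faulty variant: discriminator out of range, undefined template
# name, and no failure-action on the LSP.
BAD = '''
reflector "PE-5"
    discriminator 1000
bfd-template "bfd-cpm-np-1s"
    type "cpm-np"
lsp "LSP-constructed" sr-te
    bfd
        bfd-template "bfd-typo"
        bfd-enable
    exit
'''

def lint_sbfd(config):
    """Return a list of findings for the S-BFD rules described in this chapter."""
    findings = []
    for name, disc in re.findall(r'reflector\s+"([^"]+)"\s+discriminator\s+(\d+)', config):
        if not REFLECTOR_MIN <= int(disc) <= REFLECTOR_MAX:
            findings.append(f'reflector {name}: discriminator {disc} out of range')
    # A template definition is a name directly followed by its "type" line.
    defined = dict(re.findall(r'bfd-template\s+"([^"]+)"\s+type\s+"?([\w-]+)"?', config))
    lsp_re = re.compile(r'lsp\s+"([^"]+)"\s+sr-te\b(.*?)(?=\n\s*lsp\s+"|\Z)', re.S)
    for lsp, body in lsp_re.findall(config):
        if not re.search(r'^\s*bfd-enable\s*$', body, re.M):
            continue  # S-BFD not enabled on this LSP, nothing to check
        ref = re.search(r'bfd-template\s+"([^"]+)"', body)
        if ref is None or defined.get(ref.group(1)) != "cpm-np":
            findings.append(f'lsp {lsp}: bfd-template missing or not of type cpm-np')
        action = re.search(r'failure-action\s+(\S+)', body)
        if action is None or action.group(1) != "failover-or-down":
            findings.append(f'lsp {lsp}: no failure-action failover-or-down, '
                            'LSP state is not tied to the S-BFD session')
    return findings

if __name__ == "__main__":
    for label, cfg in (("chapter config", GOOD), ("constructed faulty config", BAD)):
        print(label, "->", lint_sbfd(cfg) or "no findings")
```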
The following tunnel table on PE-2 shows that two tunnels are available toward PE-5: an SR-TE tunnel with tunnel ID 655362 and default preference 8, and an SR-ISIS tunnel with tunnel ID 524293 and default preference 11. The SR-TE tunnel with preference 8 is preferred to the SR-ISIS tunnel with preference 11.
*A:PE-2# show router tunnel-table 192.0.2.5/32
===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination Owner Encap TunnelId Pref Nexthop Metric
Color
-------------------------------------------------------------------------------
192.0.2.5/32 sr-te MPLS 655362 8 192.168.24.2 20
192.0.2.5/32 isis (0) MPLS 524293 11 192.168.23.2 20
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
L = Loop-Free Alternate (LFA) hop available
E = Inactive best-external BGP route
k = RIB-API or Forwarding Policy backup hop
===============================================================================
The SR-TE LSP with tunnel ID 655362 is "LSP-PE-2-PE-5_empty_localCSPF":
*A:PE-2# show router mpls sr-te-lsp detail
===============================================================================
MPLS SR-TE LSPs (Originating) (Detail)
===============================================================================
Legend :
+ - Inherited
===============================================================================
-------------------------------------------------------------------------------
Type : Originating
-------------------------------------------------------------------------------
LSP Name : LSP-PE-2-PE-5_empty_localCSPF
LSP Type : SrTeLsp LSP Tunnel ID : 1
LSP Index : 65536 TTM Tunnel Id : 655362
From : 192.0.2.2
To : 192.0.2.5
Adm State : Up Oper State : Up
---snip---
The S-BFD session for the SR-TE LSP is up, as follows:
*A:PE-2# show router bfd seamless-bfd session
lsp-name "LSP-PE-2-PE-5_empty_localCSPF"
===============================================================================
Legend:
Session Id = Interface Name | LSP Name | Prefix | RSVP Sess Name | Service Id
wp = Working path pp = Protecting path
===============================================================================
BFD Session
===============================================================================
Session Id State Tx Pkts Rx Pkts
Rem Addr/Info/SdpId:VcId Multipl Tx Intvl Rx Intvl
Protocols Type LAG Port LAG ID
Loc Addr
-------------------------------------------------------------------------------
192.0.2.5/32 Up N/A N/A
192.0.2.5 3 1000 1000
mplsLsp cpm-np N/A N/A
192.0.2.2
-------------------------------------------------------------------------------
No. of BFD sessions: 1
===============================================================================
VPRN and EVPN services with auto-bind tunnel
Both VPRN "VPRN-1" and EVPN VPLS "VPLS-2" will be configured on PE-2 and PE-5. For advertising VPN-IPv4 and EVPN routes, BGP is configured on PE-2 and PE-5 for the VPN-IPv4 and EVPN address families. Both VPRN "VPRN-1" and EVPN VPLS "VPLS-2" have auto-bind tunnel enabled with a resolution filter allowing SR-ISIS and SR-TE.
# on PE-2:
configure
    router Base
        autonomous-system 64496
        bgp
            vpn-apply-import
            vpn-apply-export
            rapid-withdrawal
            split-horizon
            rapid-update vpn-ipv4 evpn
            group "internal"
                family vpn-ipv4 evpn
                peer-as 64496
                neighbor 192.0.2.5
                exit
            exit
        exit
    exit
    service
        vprn 1 name "VPRN-1" customer 1 create
            interface "int-VPRN-1_PE-2_CE-11" create
                address 172.31.2.2/30
                mac 00:00:5e:00:53:11
                sap 1/1/c4/1:1 create
                exit
            exit
            bgp-ipvpn
                mpls
                    auto-bind-tunnel
                        resolution-filter
                            sr-isis
                            sr-te
                        exit
                        resolution filter
                    exit
                    route-distinguisher 64496:1
                    vrf-target target:64496:1
                    no shutdown
                exit
            exit
            no shutdown
        exit
        vpls 2 name "VPLS-2" customer 1 create
            bgp
            exit
            bgp-evpn
                evi 2
                mpls bgp 1
                    auto-bind-tunnel
                        resolution-filter
                            sr-isis
                            sr-te
                        exit
                        resolution filter
                    exit
                    no shutdown
                exit
            exit
            stp
                shutdown
            exit
            sap 1/1/c3/1:2 create
                no shutdown
            exit
            no shutdown
        exit
The following route table for VPRN "VPRN-1" on PE-2 shows that the SR-TE tunnel with tunnel ID 655362 is used toward next-hop 192.0.2.5:
*A:PE-2# show router 1 route-table
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
172.31.2.0/30 Local Local 00h00m15s 0
int-VPRN-1_PE-2_CE-11 0
172.31.5.4/30 Remote BGP VPN 00h00m09s 170
192.0.2.5 (tunneled:SR-TE:655362) 20
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
Likewise, for the EVPN service, the SR-TE tunnel with tunnel ID 655362 is used toward 192.0.2.5, as follows:
*A:PE-2# show service id 2 fdb detail
===============================================================================
Forwarding Database, Service 2
===============================================================================
ServId MAC Source-Identifier Type Last Change
Transport:Tnl-Id Age
-------------------------------------------------------------------------------
2 00:00:5e:00:53:12 sap:1/1/c3/1:2 L/0 07/05/23 07:41:50
2 00:00:5e:00:53:62 mpls-1: Evpn 07/05/23 07:41:50
192.0.2.5:524284
sr-te:655362
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================
*A:PE-2# show router bgp next-hop evpn service-id 2
===============================================================================
BGP Router ID:192.0.2.2 AS:64496 Local AS:64496
===============================================================================
===============================================================================
BGP VPN Next Hop
===============================================================================
VPN Next Hop Owner
Autobind FibProg Reason
Labels (User-labels) FlexAlgo Metric
Admin-tag-policy (strict-tunnel-tagging) Last Mod.
-------------------------------------------------------------------------------
192.0.2.5 SR_TE
sr-isis sr-te Y
-- (3) -- 20
-- (N) 00h00m33s
-------------------------------------------------------------------------------
Next Hops : 1
===============================================================================
Failure of the SR-TE LSP
The following command shows that—without any failures—the primary path of the SR-TE LSP goes via PE-4:
*A:PE-2# show router mpls sr-te-lsp "LSP-PE-2-PE-5_empty_localCSPF" path detail
| match "Actual Hops" post-lines 3
Actual Hops :
192.168.24.2(192.0.2.4)(A-SID) Record Label : 524286
-> 192.168.45.2(192.0.2.5)(A-SID) Record Label : 524286
The figure "Primary path of SR-TE LSP via PE-4" shows the primary path of the SR-TE LSP.
S-BFD is configured in the SR-TE LSP with failure action failover-or-down. If the SR-TE LSP fails, the S-BFD session will go down and it will bring the SR-TE tunnel down. The next-hop 192.0.2.5 cannot be resolved using the SR-TE tunnel, so an SR-ISIS tunnel will be used instead.
On PE-4, port 1/1/c1/1 to PE-5 is disabled to emulate a failure in the primary path of the SR-TE LSP, as follows:
# on PE-4:
configure
    port 1/1/c1/1    # port to PE-5
        shutdown
    exit
The figure "Remote failure in the primary path of the SR-TE LSP" shows that a remote failure occurs in the primary path of the SR-TE LSP.
The S-BFD session goes operationally down, as follows:
*A:PE-2# show router bfd seamless-bfd session lsp-path detail prefix 192.0.2.5/32
===============================================================================
BFD Session
===============================================================================
Prefix : 192.0.2.5/32
Local Address : 192.0.2.2
LSP Name : LSP-PE-2-PE-5_empty_localCSPF
LSP Index : 65536 Path LSP ID : 51200
Fec Type : srTe
Oper State : Down Protocols : mplsLsp
Last Up Time : 0d 00:04:45 Up Transitions : 1
Down Time : 0d 00:00:01 Down Transitions : 1
Version Mismatch : 0
Forwarding Information
Local Discr : 1 Local State : Down
Local Diag : 1 (Detect time expired)
Local Mode : Demand
Local Min Tx : 1000 Local Mult : 3
Last Sent (ms) : 0 Local Min Rx : 0
Type : cpm-np
Remote : Unheard Remote Discr : 524291
===============================================================================
===============================================================================
When the S-BFD session goes down, the SR-TE LSP goes operationally down, as follows:
*A:PE-2# show router mpls sr-te-lsp
===============================================================================
MPLS SR-TE LSPs (Originating)
===============================================================================
LSP Name Tun Protect Adm Opr
To Id Path
-------------------------------------------------------------------------------
LSP-PE-2-PE-5_empty_localCSPF 1 N/A Up Dwn
192.0.2.5
-------------------------------------------------------------------------------
LSPs : 1
===============================================================================
Because the SR-TE tunnel is operationally down, the only available tunnel to 192.0.2.5 is the SR-ISIS tunnel, as follows:
*A:PE-2# show router tunnel-table 192.0.2.5/32
===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination Owner Encap TunnelId Pref Nexthop Metric
Color
-------------------------------------------------------------------------------
192.0.2.5/32 isis (0) MPLS 524293 11 192.168.23.2 20
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
L = Loop-Free Alternate (LFA) hop available
E = Inactive best-external BGP route
k = RIB-API or Forwarding Policy backup hop
===============================================================================
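Because the services stay up when they fall back to SR-ISIS, the fallback is only visible in the tunnel table. The following Python check is an added example, not part of the Nokia guide: it parses the tunnel-table rows printed in this chapter and reports when the next hop is no longer resolved over SR-TE. The selection logic is a simplified model (allowed owner, then lowest preference value), the function names are hypothetical, and the case of a filter that allows only SR-TE goes beyond what the chapter demonstrates.

```python
import re

# "show router tunnel-table 192.0.2.5/32" rows as printed in this chapter,
# before and after the failure on the primary path (header kept to show skipping).
BEFORE = """\
Destination Owner Encap TunnelId Pref Nexthop Metric
192.0.2.5/32 sr-te MPLS 655362 8 192.168.24.2 20
192.0.2.5/32 isis (0) MPLS 524293 11 192.168.23.2 20
"""
AFTER = """\
Destination Owner Encap TunnelId Pref Nexthop Metric
192.0.2.5/32 isis (0) MPLS 524293 11 192.168.23.2 20
"""

ROW = re.compile(
    r"^(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<owner>[a-z-]+)(?:\s+\(\d+\))?\s+"
    r"(?P<encap>\S+)\s+(?P<tid>\d+)\s+(?P<pref>\d+)\s+(?P<nexthop>\S+)\s+(?P<metric>\d+)$"
)

# Tunnel-table owner -> resolution-filter keyword, as the two appear in this chapter.
OWNER_TO_FILTER = {"sr-te": "sr-te", "isis": "sr-isis"}

def parse_tunnel_table(text):
    """Return one dict per tunnel row; headers, separators and flags are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["tid"], row["pref"] = int(row["tid"]), int(row["pref"])
            rows.append(row)
    return rows

def resolve(rows, dest, resolution_filter):
    """Simplified model of auto-bind: allowed owner, lowest preference value."""
    allowed = [r for r in rows
               if r["dest"] == dest and OWNER_TO_FILTER.get(r["owner"]) in resolution_filter]
    return min(allowed, key=lambda r: r["pref"], default=None)

def audit(text, dest, resolution_filter, expected="sr-te"):
    """Return None when the expected tunnel type is in use, else a finding string."""
    best = resolve(parse_tunnel_table(text), dest, resolution_filter)
    if best is None:
        return f"{dest}: unresolved, no tunnel matches the resolution filter"
    if best["owner"] != expected:
        return f"{dest}: fell back to {best['owner']} tunnel {best['tid']} (pref {best['pref']})"
    return None

if __name__ == "__main__":
    for label, out in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", audit(out, "192.0.2.5/32", {"sr-isis", "sr-te"}) or "sr-te in use")
```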
The route table for VPRN "VPRN-1" shows that an SR-ISIS tunnel is used toward next-hop 192.0.2.5:
*A:PE-2# show router 1 route-table
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
172.31.2.0/30 Local Local 00h01m43s 0
int-VPRN-1_PE-2_CE-11 0
172.31.5.4/30 Remote BGP VPN 00h00m13s 170
192.0.2.5 (tunneled:SR-ISIS:524293) 20
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
Likewise, the FDB for the EVPN VPLS "VPLS-2" shows that an SR-ISIS tunnel with tunnel ID 524293 is used toward next-hop 192.0.2.5:
*A:PE-2# show service id 2 fdb detail
===============================================================================
Forwarding Database, Service 2
===============================================================================
ServId MAC Source-Identifier Type Last Change
Transport:Tnl-Id Age
-------------------------------------------------------------------------------
2 00:00:5e:00:53:12 sap:1/1/c3/1:2 L/0 07/05/23 07:41:50
2 00:00:5e:00:53:62 mpls-1: Evpn 07/05/23 07:41:50
192.0.2.5:524284
isis:524293
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================
SR-TE LSP reconnects after retry timer expires
When the SR-TE LSP retry timer expires, the primary path is recalculated and it will go via PE-3 (192.0.2.3), as follows:
*A:PE-2# show router mpls sr-te-lsp "LSP-PE-2-PE-5_empty_localCSPF" path detail
| match "Actual Hops" post-lines 3
Actual Hops :
192.168.23.2(192.0.2.3)(A-SID) Record Label : 524287
-> 192.168.35.2(192.0.2.5)(A-SID) Record Label : 524286
The figure "SR-TE LSP reconnects after retry timer expires" shows that the primary path of the SR-TE tunnel goes via PE-3.
The tunnel table shows two tunnels to 192.0.2.5: one SR-TE tunnel with tunnel ID 655362 and one SR-ISIS tunnel with tunnel ID 524293:
*A:PE-2# show router tunnel-table 192.0.2.5/32
===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination Owner Encap TunnelId Pref Nexthop Metric
Color
-------------------------------------------------------------------------------
192.0.2.5/32 sr-te MPLS 655362 8 192.168.23.2 20
192.0.2.5/32 isis (0) MPLS 524293 11 192.168.23.2 20
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
L = Loop-Free Alternate (LFA) hop available
E = Inactive best-external BGP route
k = RIB-API or Forwarding Policy backup hop
===============================================================================
Again, the SR-TE LSP will be preferred to the SR-ISIS LSP and both VPRN "VPRN-1" and EVPN VPLS "VPLS-2" will use the SR-TE tunnel to 192.0.2.5.
Conclusion
S-BFD can be used to determine the state of SR-TE LSPs that only have a primary path. The resiliency is at the service level for VPRN and EVPN services with auto-bind tunnel where several resolution protocols are configured and SR-TE has the lowest preference value, so it is preferred. When the S-BFD session for the SR-TE tunnel goes operationally down, the SR-TE tunnel goes operationally down. The VPRN and EVPN services will then use the best tunnel that is available; in this example, an SR-ISIS tunnel.