Seamless BFD Application — Auto-bind tunnel
This chapter provides information about seamless BFD application — auto-bind tunnel.
Topics in this chapter include:
Applicability
This chapter was initially written based on SR OS Release 19.10.R3, but the MD-CLI in the current edition corresponds to SR OS Release 23.3.R3.
A prerequisite is to read the "Seamless BFD for SR-TE LSPs" chapter in the Segment Routing and PCE volume in the 7450 ESS, 7750 SR, and 7950 XRS MD-CLI Advanced Configuration Guide - Part I.
Overview
Bidirectional forwarding detection (BFD) is widely deployed in IP/MPLS networks to rapidly detect failures in the forwarding path between network elements.
Seamless BFD (S-BFD) is described in RFC 7880. S-BFD minimizes the time required to establish BFD sessions by removing the discovery of discriminators during the initial handshaking procedure, which contributes to its seamless operation. S-BFD relies on the fact that the discriminators needed to establish the BFD session are already known by the endpoints for each session, either through configuration or advertisement using unicast protocols.
S-BFD session establishment – continuity check shows the S-BFD session establishment between PE-1 and PE-4. The BFD discriminator used by the initiator is chosen by the system. On PE-1, the BFD (initiator) discriminator equals 123; on PE-4, the S-BFD (reflector) discriminator equals 524288. Through IGP advertisement or configuration, head-end router PE-1 is aware of the S-BFD discriminator of PE-4 (system ID 192.0.2.4; S-BFD discriminator 524288).
The state of the SR-TE LSP is linked to the state of the S-BFD session when failure action failover-or-down is configured. In the "Seamless BFD for SR-TE LSPs" chapter in the Segment Routing and PCE volume in the 7450 ESS, 7750 SR, and 7950 XRS MD-CLI Advanced Configuration Guide - Part I, one of the examples illustrates the use of S-BFD with failure action failover-or-down in an SR-TE LSP with a primary path and a standby secondary path. When a link or node fails on the primary path, the S-BFD session goes down and the head-end node switches to a standby path that is operationally up.
In this chapter, S-BFD is configured in an SR-TE LSP with primary path only. Services such as VPRNs or EVPNs may have auto-bind tunnel configured with multiple tunnel resolution protocols, such as SR-TE and SR-ISIS. SR-TE tunnels are preferred to SR-ISIS tunnels. When a link or node fails on the primary path, the S-BFD session goes operationally down and the SR-TE LSP goes operationally down, and is removed from the tunnel table. The head-end node reverts to the best preference tunnel that is up; in this case, an SR-ISIS tunnel.
Configuration
Example topology shows the example topology. The VPRN and EVPN services will be configured on PE-2 and PE-5.
Initial configuration
The initial configuration on the PEs includes:
Cards, MDAs, ports
Router interfaces
IS-IS as IGP (alternatively, OSPF can be used)
SR-ISIS enabled
Traffic engineering enabled on PE-2 and PE-5
The initial configuration on PE-2 is as follows:
# on PE-2:
configure {
router "Base" {
interface "int-PE-2-PE-3" {
port 1/1/c2/1:1000
ipv4 {
primary {
address 192.168.23.1
prefix-length 30
}
}
}
interface "int-PE-2-PE-4" {
port 1/1/c1/1:1000
ipv4 {
primary {
address 192.168.24.1
prefix-length 30
}
}
}
interface "system" {
ipv4 {
primary {
address 192.0.2.2
prefix-length 32
}
}
}
mpls-labels {
sr-labels {
start 32000
end 32999
}
}
isis 0 {
admin-state enable
advertise-router-capability area
traffic-engineering true
area-address [49.0001]
segment-routing {
admin-state enable
prefix-sid-range {
global
}
}
interface "int-PE-2-PE-3" {
interface-type point-to-point
}
interface "int-PE-2-PE-4" {
interface-type point-to-point
}
interface "system" {
ipv4-node-sid {
index 2
}
}
}
S-BFD configuration
For S-BFD, the reflector BFD discriminator values must be configured in the range from 524288 to 526335. On far-end node PE-5, the global S-BFD configuration is as follows. This S-BFD discriminator will be advertised by IGP.
# on PE-5:
configure {
bfd {
seamless-bfd {
reflector "PE-5" {
admin-state enable
discriminator 524291
}
}
For S-BFD, a BFD template of type CPM-NP must be configured. On PE-2, the following BFD template is configured:
# on PE-2:
configure {
bfd {
bfd-template "bfd-cpm-np-1s" {
receive-interval 1000 # minimum value is 10 ms
transmit-interval 1000 # minimum value is 10 ms
type cpm-np
}
Even though CPM-NP BFD can use intervals of minimum 10 ms, the used example setup has its limitations. The nodes in the used example setup are sims and the simulation for CPM-NP or central BFD sessions has the limitation that intervals that are configured with a value smaller than 1000 ms are always negotiated to intervals of 1000 ms. To avoid confusion when the configured intervals differ from the negotiated intervals on sims, a BFD template with intervals of 1000 ms is configured and used in this chapter.
On PE-2, the preceding BFD template is applied in the following SR-TE LSP to PE-5. For SR-TE LSPs, the only allowed failure action is failover-or-down.
# on PE-2:
configure {
router "Base" {
mpls {
admin-state enable
path "empty" {
admin-state enable
}
lsp "LSP-PE-2-PE-5_empty_localCSPF" {
admin-state enable
type p2p-sr-te
to 192.0.2.5
path-computation-method local-cspf
bfd {
bfd-liveness true
bfd-template "bfd-cpm-np-1s"
failure-action failover-or-down
}
primary "empty" {
}
}
The following tunnel table on PE-2 shows that two tunnels are available toward PE-5: an SR-TE tunnel with tunnel ID 655362 and default preference 8, and an SR-ISIS tunnel with tunnel ID 524293 and default preference 11. The SR-TE tunnel with preference 8 is preferred to the SR-ISIS tunnel with preference 11.
[/]
A:admin@PE-2# show router tunnel-table 192.0.2.5/32
===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination Owner Encap TunnelId Pref Nexthop Metric
Color
-------------------------------------------------------------------------------
192.0.2.5/32 sr-te MPLS 655362 8 192.168.24.2 20
192.0.2.5/32 isis (0) MPLS 524293 11 192.168.23.2 20
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
L = Loop-Free Alternate (LFA) hop available
E = Inactive best-external BGP route
k = RIB-API or Forwarding Policy backup hop
===============================================================================
The SR-TE LSP with tunnel ID 655362 is "LSP-PE-2-PE-5_empty_localCSPF":
[/]
A:admin@PE-2# show router mpls sr-te-lsp detail
===============================================================================
MPLS SR-TE LSPs (Originating) (Detail)
===============================================================================
Legend :
+ - Inherited
===============================================================================
-------------------------------------------------------------------------------
Type : Originating
-------------------------------------------------------------------------------
LSP Name : LSP-PE-2-PE-5_empty_localCSPF
LSP Type : SrTeLsp LSP Tunnel ID : 1
LSP Index : 65536 TTM Tunnel Id : 655362
From : 192.0.2.2
To : 192.0.2.5
Adm State : Up Oper State : Up
---snip---
The S-BFD session for the SR-TE LSP is up, as follows:
[/]
A:admin@PE-2# show router bfd seamless-bfd session
lsp-name "LSP-PE-2-PE-5_empty_localCSPF"
===============================================================================
Legend:
Session Id = Interface Name | LSP Name | Prefix | RSVP Sess Name | Service Id
wp = Working path pp = Protecting path
===============================================================================
BFD Session
===============================================================================
Session Id State Tx Pkts Rx Pkts
Rem Addr/Info/SdpId:VcId Multipl Tx Intvl Rx Intvl
Protocols Type LAG Port LAG ID
Loc Addr
-------------------------------------------------------------------------------
192.0.2.5/32 Up N/A N/A
192.0.2.5 3 1000 1000
mplsLsp cpm-np N/A N/A
192.0.2.2
-------------------------------------------------------------------------------
No. of BFD sessions: 1
===============================================================================
VPRN and EVPN services with auto-bind tunnel
Both VPRN "VPRN-1" and an EVPN VPLS "VPLS-2" will be configured on PE-2 and PE-5. For advertising VPN-IPv4 and EVPN routes, BGP is configured on PE-2 and PE-5 for the VPN-IPv4 and EVPN address families. Both VPRN "VPRN-1" and EVPN VPLS "VPLS-2" have auto-bind tunnel enabled with resolution filter allowing SR-ISIS and SR-TE.
# on PE-2:
configure {
router "Base" {
autonomous-system 64496
bgp {
vpn-apply-export true
vpn-apply-import true
rapid-withdrawal true
split-horizon true
rapid-update {
vpn-ipv4 true
evpn true
}
group "internal" {
peer-as 64496
family {
vpn-ipv4 true
evpn true
}
}
neighbor "192.0.2.5" {
group "internal"
}
}
}
service {
vpls "VPLS-2" {
admin-state enable
service-id 2
customer "1"
bgp 1 {
}
bgp-evpn {
evi 2
mpls 1 {
admin-state enable
auto-bind-tunnel {
resolution filter
resolution-filter {
sr-isis true
sr-te true
}
}
}
}
sap 1/1/c3/1:2 {
}
}
vprn "VPRN-1" {
admin-state enable
service-id 1
customer "1"
bgp-ipvpn {
mpls {
admin-state enable
route-distinguisher "64496:1"
vrf-target {
community "target:64496:1"
}
auto-bind-tunnel {
resolution filter
resolution-filter {
sr-isis true
sr-te true
}
}
}
}
interface "int-VPRN-1_PE-2_CE-11" {
mac 00:00:5e:00:53:11
ipv4 {
primary {
address 172.31.2.2
prefix-length 30
}
}
sap 1/1/c4/1:1 {
}
}
}
The following route table for VPRN "VPRN-1" on PE-2 shows that the SR-TE tunnel with tunnel ID 655362 is used toward next-hop 192.0.2.5:
[/]
A:admin@PE-2# show router 1 route-table
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
172.31.2.0/30 Local Local 00h01m53s 0
int-VPRN-1_PE-2_CE-11 0
172.31.5.4/30 Remote BGP VPN 00h01m39s 170
192.0.2.5 (tunneled:SR-TE:655362) 20
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
Likewise, for the EVPN service, the SR-TE tunnel with tunnel ID 655362 is used toward 192.0.2.5, as follows:
[/]
A:admin@PE-2# show service id 2 fdb detail
===============================================================================
Forwarding Database, Service 2
===============================================================================
ServId MAC Source-Identifier Type Last Change
Transport:Tnl-Id Age
-------------------------------------------------------------------------------
2 00:00:5e:00:53:12 sap:1/1/c3/1:2 L/0 07/05/23 15:17:23
2 00:00:5e:00:53:62 mpls-1: Evpn 07/05/23 15:17:23
192.0.2.5:524285
sr-te:655362
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================
[/]
A:admin@PE-2# show router bgp next-hop evpn service-id 2
===============================================================================
BGP Router ID:192.0.2.2 AS:64496 Local AS:64496
===============================================================================
===============================================================================
BGP VPN Next Hop
===============================================================================
VPN Next Hop Owner
Autobind FibProg Reason
Labels (User-labels) FlexAlgo Metric
Admin-tag-policy (strict-tunnel-tagging) Last Mod.
-------------------------------------------------------------------------------
192.0.2.5 SR_TE
sr-isis sr-te Y
-- (3) -- 20
-- (N) 00h02m02s
-------------------------------------------------------------------------------
Next Hops : 1
===============================================================================
Failure of the SR-TE LSP
The following command shows that—without any failures—the primary path of the SR-TE LSP goes via PE-4:
[/]
A:admin@PE-2# show router mpls sr-te-lsp "LSP-PE-2-PE-5_empty_localCSPF" path detail
| match "Actual Hops" post-lines 3
Actual Hops :
192.168.24.2(192.0.2.4)(A-SID) Record Label : 524286
-> 192.168.45.2(192.0.2.5)(A-SID) Record Label : 524286
Primary path of SR-TE LSP via PE-4 shows the primary path of the SR-TE LSP.
S-BFD is configured in the SR-TE LSP with failure action failover-or-down. If the SR-TE LSP fails, the S-BFD session will go down and it will bring the SR-TE tunnel down. The next-hop 192.0.2.5 cannot be resolved using the SR-TE tunnel, so an SR-ISIS tunnel will be used instead.
On PE-4, port 1/1/c1/1 to PE-5 is disabled to emulate a failure in the primary path of the SR-TE LSP, as follows:
# on PE-4:
configure {
port 1/1/c1/1 { # port to PE-5
admin-state disable
Remote failure in the primary path of the SR-TE LSP shows that a remote failure occurs in the primary path of the SR-TE LSP.
The S-BFD session goes operationally down, as follows:
[/]
A:admin@PE-2# show router bfd seamless-bfd session lsp-path detail prefix 192.0.2.5/32
===============================================================================
BFD Session
===============================================================================
Prefix : 192.0.2.5/32
Local Address : 192.0.2.2
LSP Name : LSP-PE-2-PE-5_empty_localCSPF
LSP Index : 65536 Path LSP ID : 4096
Fec Type : srTe
Oper State : Down Protocols : mplsLsp
Last Up Time : 0d 00:04:14 Up Transitions : 1
Down Time : 0d 00:00:01 Down Transitions : 1
Version Mismatch : 0
Forwarding Information
Local Discr : 1 Local State : Down
Local Diag : 1 (Detect time expired)
Local Mode : Demand
Local Min Tx : 1000 Local Mult : 3
Last Sent (ms) : 0 Local Min Rx : 0
Type : cpm-np
Remote : Unheard Remote Discr : 524291
===============================================================================
===============================================================================
When the S-BFD session goes down, the SR-TE LSP goes operationally down, as follows:
[/]
A:admin@PE-2# show router mpls sr-te-lsp
===============================================================================
MPLS SR-TE LSPs (Originating)
===============================================================================
LSP Name Tun Protect Adm Opr
To Id Path
-------------------------------------------------------------------------------
LSP-PE-2-PE-5_empty_localCSPF 1 N/A Up Dwn
192.0.2.5
-------------------------------------------------------------------------------
LSPs : 1
===============================================================================
Because the SR-TE tunnel is operationally down, the only available tunnel to 192.0.2.5 is the SR-ISIS tunnel, as follows:
[/]
A:admin@PE-2# show router tunnel-table 192.0.2.5/32
===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination Owner Encap TunnelId Pref Nexthop Metric
Color
-------------------------------------------------------------------------------
192.0.2.5/32 isis (0) MPLS 524293 11 192.168.23.2 20
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
L = Loop-Free Alternate (LFA) hop available
E = Inactive best-external BGP route
k = RIB-API or Forwarding Policy backup hop
===============================================================================
The route table for VPRN "VPRN-1" shows that an SR-ISIS tunnel is used toward next-hop 192.0.2.5:
[/]
A:admin@PE-2# show router 1 route-table
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
172.31.2.0/30 Local Local 00h03m17s 0
int-VPRN-1_PE-2_CE-11 0
172.31.5.4/30 Remote BGP VPN 00h00m12s 170
192.0.2.5 (tunneled:SR-ISIS:524293) 20
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
Likewise, the FDB for the EVPN VPLS "VPLS-2" shows that an SR-ISIS tunnel with tunnel ID 524293 is used toward next-hop 192.0.2.5:
[/]
A:admin@PE-2# show service id 2 fdb detail
===============================================================================
Forwarding Database, Service 2
===============================================================================
ServId MAC Source-Identifier Type Last Change
Transport:Tnl-Id Age
-------------------------------------------------------------------------------
2 00:00:5e:00:53:12 sap:1/1/c3/1:2 L/60 07/05/23 15:17:23
2 00:00:5e:00:53:62 mpls-1: Evpn 07/05/23 15:17:23
192.0.2.5:524285
isis:524293
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================
SR-TE LSP reconnects after retry timer expires
When the SR-TE LSP retry timer expires, the primary path is recalculated and it will go via PE-3 (192.0.2.3), as follows:
[/]
A:admin@PE-2# show router mpls sr-te-lsp "LSP-PE-2-PE-5_empty_localCSPF" path detail
| match "Actual Hops" post-lines 3
Actual Hops :
192.168.23.2(192.0.2.3)(A-SID) Record Label : 524287
-> 192.168.35.2(192.0.2.5)(A-SID) Record Label : 524286
SR-TE LSP reconnects after retry timer expires show that the primary path of the SR-TE tunnel goes via PE-3.
The tunnel table shows two tunnels to 192.0.2.5: one SR-TE tunnel with tunnel ID 655362 and one SR-ISIS tunnel with tunnel ID 524293:
[/]
A:admin@PE-2# show router tunnel-table 192.0.2.5/32
===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination Owner Encap TunnelId Pref Nexthop Metric
Color
-------------------------------------------------------------------------------
192.0.2.5/32 sr-te MPLS 655362 8 192.168.23.2 20
192.0.2.5/32 isis (0) MPLS 524293 11 192.168.23.2 20
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
L = Loop-Free Alternate (LFA) hop available
E = Inactive best-external BGP route
k = RIB-API or Forwarding Policy backup hop
===============================================================================
Again, the SR-TE LSP will be preferred to the SR-ISIS LSP and both VPRN "VPRN-1" and EVPN VPLS "VPLS-2" will use the SR-TE tunnel to 192.0.2.5.
Conclusion
S-BFD can be used to determine the state of SR-TE LSPs that only have a primary path. The resiliency is at the service level for VPRN and EVPN services with auto-bind tunnel where several resolution protocols are configured and SR-TE has the lowest preference. When the S-BFD session for the SR-TE tunnel goes operationally down, the SR-TE tunnel goes operationally down. The VPRN and EVPN services will then use the best tunnel that is available; in this example, an SR-ISIS tunnel.