Seamless BFD Application — Auto-bind tunnel

This chapter provides information about seamless BFD application — auto-bind tunnel.

Applicability

This chapter was initially written based on SR OS Release 19.10.R3, but the MD-CLI in the current edition corresponds to SR OS Release 23.3.R3.

A prerequisite is to read the "Seamless BFD for SR-TE LSPs" chapter in the Segment Routing and PCE volume in the 7450 ESS, 7750 SR, and 7950 XRS MD-CLI Advanced Configuration Guide - Part I.

Overview

Bidirectional forwarding detection (BFD) is widely deployed in IP/MPLS networks to rapidly detect failures in the forwarding path between network elements.

Seamless BFD (S-BFD) is described in RFC 7880. S-BFD minimizes the time required to establish BFD sessions by removing the discovery of discriminators during the initial handshaking procedure, which contributes to its seamless operation. S-BFD relies on the fact that the discriminators needed to establish the BFD session are already known by the endpoints for each session, either through configuration or advertisement using unicast protocols.

Figure 1 shows the S-BFD session establishment between PE-1 and PE-4. The BFD discriminator used by the initiator is chosen by the system. On PE-1, the BFD (initiator) discriminator equals 123; on PE-4, the S-BFD (reflector) discriminator equals 524288. Through IGP advertisement or configuration, head-end router PE-1 is aware of the S-BFD discriminator of PE-4 (system ID 192.0.2.4; S-BFD discriminator 524288).

Figure 1. S-BFD session establishment – continuity check

The state of the SR-TE LSP is linked to the state of the S-BFD session when failure action failover-or-down is configured. In the "Seamless BFD for SR-TE LSPs" chapter in the Segment Routing and PCE volume in the 7450 ESS, 7750 SR, and 7950 XRS MD-CLI Advanced Configuration Guide - Part I, one of the examples illustrates the use of S-BFD with failure action failover-or-down in an SR-TE LSP with a primary path and a standby secondary path. When a link or node fails on the primary path, the S-BFD session goes down and the head-end node switches to a standby path that is operationally up.

In this chapter, S-BFD is configured in an SR-TE LSP with primary path only. Services such as VPRNs or EVPNs may have auto-bind tunnel configured with multiple tunnel resolution protocols, such as SR-TE and SR-ISIS. SR-TE tunnels are preferred to SR-ISIS tunnels. When a link or node fails on the primary path, the S-BFD session goes operationally down and the SR-TE LSP goes operationally down, and is removed from the tunnel table. The head-end node reverts to the best preference tunnel that is up; in this case, an SR-ISIS tunnel.

Configuration

Figure 2 shows the example topology. The VPRN and EVPN services will be configured on PE-2 and PE-5.

Figure 2. Example topology

Initial configuration

The initial configuration on the PEs includes:

  • Cards, MDAs, ports

  • Router interfaces

  • IS-IS as IGP (alternatively, OSPF can be used)

  • SR-ISIS enabled

  • Traffic engineering enabled on PE-2 and PE-5

The initial configuration on PE-2 is as follows:

# on PE-2:
configure {
    router "Base" {
        interface "int-PE-2-PE-3" {
            port 1/1/c2/1:1000
            ipv4 {
                primary {
                    address 192.168.23.1
                    prefix-length 30
                }
            }
        }
        interface "int-PE-2-PE-4" {
            port 1/1/c1/1:1000
            ipv4 {
                primary {
                    address 192.168.24.1
                    prefix-length 30
                }
            }
        }
        interface "system" {
            ipv4 {
                primary {
                    address 192.0.2.2
                    prefix-length 32
                }
            }
        }
        mpls-labels {
            sr-labels {
                start 32000
                end 32999
            }
        }
        isis 0 {
            admin-state enable
            advertise-router-capability area
            traffic-engineering true
            area-address [49.0001]
            segment-routing {
                admin-state enable
                prefix-sid-range {
                    global
                }
            }
            interface "int-PE-2-PE-3" {
                interface-type point-to-point
            }
            interface "int-PE-2-PE-4" {
                interface-type point-to-point
            }
            interface "system" {
                ipv4-node-sid {
                    index 2
                }
            }
        }

S-BFD configuration

For S-BFD, the reflector BFD discriminator values must be configured in the range from 524288 to 526335. On far-end node PE-5, the global S-BFD configuration is as follows. This S-BFD discriminator will be advertised by IGP.

# on PE-5:
configure {
    bfd {
        seamless-bfd {
            reflector "PE-5" {
                admin-state enable
                discriminator 524291
            }
        }

For S-BFD, a BFD template of type CPM-NP must be configured. On PE-2, the following BFD template is configured:

# on PE-2:
configure {
    bfd {
        bfd-template "bfd-cpm-np-1s" {
            receive-interval 1000      # minimum value is 10 ms
            transmit-interval 1000     # minimum value is 10 ms
            type cpm-np
        }

Note:

Although CPM-NP BFD supports intervals as low as 10 ms, the example setup has a limitation. The nodes in the example setup are sims, and on sims, CPM-NP or central BFD sessions that are configured with intervals smaller than 1000 ms always negotiate intervals of 1000 ms. To avoid confusion when the configured intervals differ from the negotiated intervals on sims, this chapter uses a BFD template with intervals of 1000 ms.

On PE-2, the preceding BFD template is applied in the following SR-TE LSP to PE-5. For SR-TE LSPs, the only allowed failure action is failover-or-down.

# on PE-2:
configure {
    router "Base" {
        mpls {
            admin-state enable
            path "empty" {
                admin-state enable
            }
            lsp "LSP-PE-2-PE-5_empty_localCSPF" {
                admin-state enable
                type p2p-sr-te
                to 192.0.2.5
                path-computation-method local-cspf
                bfd {
                    bfd-liveness true
                    bfd-template "bfd-cpm-np-1s"
                    failure-action failover-or-down
                }
                primary "empty" {
                }
            }
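
The three S-BFD rules stated so far (reflector discriminator within 524288 to 526335, BFD template of type cpm-np, failure action failover-or-down on the SR-TE LSP) can be checked offline before a change is committed. The following Python check is an added example, not Nokia code; `parse_mdcli`, `containers`, and `check_sbfd` are hypothetical helpers, and the sample is constructed by merging this chapter's PE-5 and PE-2 snippets into one tree with the closing braces added.

```python
REFLECTOR_MIN, REFLECTOR_MAX = 524288, 526335   # range stated in this chapter

# Constructed sample: the chapter's PE-5 and PE-2 snippets merged, braces closed.
SAMPLE = '''
configure {
    bfd {
        seamless-bfd {
            reflector "PE-5" {
                discriminator 524291
            }
        }
        bfd-template "bfd-cpm-np-1s" {
            type cpm-np
        }
    }
    router "Base" {
        mpls {
            lsp "LSP-PE-2-PE-5_empty_localCSPF" {
                bfd {
                    bfd-template "bfd-cpm-np-1s"
                    failure-action failover-or-down
                }
            }
        }
    }
}
'''

def parse_mdcli(text):
    """Parse brace-structured MD-CLI text into nested dicts (leaves are strings)."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop '# on PE-2:' style comments
        if not line:
            continue
        if line == "}":
            if len(stack) > 1:                   # tolerate stray closing braces
                stack.pop()
        elif line.endswith("{"):                 # 'name args {' opens a container
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:                                    # leaf: 'key value'
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    return stack[0]

def containers(tree, path=()):
    """Yield (path, node) for every container in the parsed tree."""
    for key, node in tree.items():
        if isinstance(node, dict):
            yield path + (key,), node
            yield from containers(node, path + (key,))

def check_sbfd(text):
    """Return findings; an empty list means the chapter's S-BFD rules are met."""
    nodes = list(containers(parse_mdcli(text)))
    templates = {p[-1].split(" ", 1)[1]: n for p, n in nodes
                 if p[-1].startswith("bfd-template ")}
    findings = []
    for path, node in nodes:
        name = path[-1]
        if name.startswith("reflector "):
            discr = int(node.get("discriminator", "0"))
            if not REFLECTOR_MIN <= discr <= REFLECTOR_MAX:
                findings.append(f"{name}: discriminator {discr} out of range")
        elif name == "bfd" and len(path) > 1 and path[-2].startswith("lsp "):
            lsp = path[-2]
            if node.get("failure-action") != "failover-or-down":
                findings.append(f"{lsp}: failure-action is not failover-or-down")
            tmpl = templates.get(node.get("bfd-template", ""), {})
            if tmpl.get("type") != "cpm-np":
                findings.append(f"{lsp}: bfd-template missing or not type cpm-np")
    return findings
```

Because unclosed containers are tolerated, a single truncated snippet in the style used in this chapter can also be passed to `check_sbfd` on its own.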

The following tunnel table on PE-2 shows that two tunnels are available toward PE-5: an SR-TE tunnel with tunnel ID 655362 and default preference 8, and an SR-ISIS tunnel with tunnel ID 524293 and default preference 11. The SR-TE tunnel with preference 8 is preferred to the SR-ISIS tunnel with preference 11.

[/]
A:admin@PE-2# show router tunnel-table 192.0.2.5/32

===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination           Owner     Encap TunnelId  Pref   Nexthop        Metric
   Color
-------------------------------------------------------------------------------
192.0.2.5/32          sr-te     MPLS  655362    8      192.168.24.2   20
192.0.2.5/32          isis (0)  MPLS  524293    11     192.168.23.2   20
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
       L = Loop-Free Alternate (LFA) hop available
       E = Inactive best-external BGP route
       k = RIB-API or Forwarding Policy backup hop
===============================================================================

The SR-TE LSP with tunnel ID 655362 is "LSP-PE-2-PE-5_empty_localCSPF":

[/]
A:admin@PE-2# show router mpls sr-te-lsp detail

===============================================================================
MPLS SR-TE LSPs (Originating) (Detail)
===============================================================================
Legend :
    + - Inherited
===============================================================================
-------------------------------------------------------------------------------
Type : Originating
-------------------------------------------------------------------------------
LSP Name   : LSP-PE-2-PE-5_empty_localCSPF
LSP Type        : SrTeLsp                   LSP Tunnel ID        : 1
LSP Index       : 65536                     TTM Tunnel Id        : 655362
From            : 192.0.2.2
To              : 192.0.2.5
Adm State       : Up                        Oper State           : Up
---snip---

The S-BFD session for the SR-TE LSP is up, as follows:

[/]
A:admin@PE-2# show router bfd seamless-bfd session
                                       lsp-name "LSP-PE-2-PE-5_empty_localCSPF"

===============================================================================
Legend:
  Session Id = Interface Name | LSP Name | Prefix | RSVP Sess Name | Service Id
  wp = Working path   pp = Protecting path
===============================================================================
BFD Session
===============================================================================
Session Id                                        State      Tx Pkts    Rx Pkts
  Rem Addr/Info/SdpId:VcId                      Multipl     Tx Intvl   Rx Intvl
  Protocols                                        Type     LAG Port     LAG ID
  Loc Addr
-------------------------------------------------------------------------------
192.0.2.5/32                                         Up          N/A        N/A
  192.0.2.5                                           3         1000       1000
  mplsLsp                                        cpm-np          N/A        N/A
  192.0.2.2
-------------------------------------------------------------------------------
No. of BFD sessions: 1
===============================================================================

VPRN and EVPN services with auto-bind tunnel

Both VPRN "VPRN-1" and an EVPN VPLS "VPLS-2" will be configured on PE-2 and PE-5. For advertising VPN-IPv4 and EVPN routes, BGP is configured on PE-2 and PE-5 for the VPN-IPv4 and EVPN address families. Both VPRN "VPRN-1" and EVPN VPLS "VPLS-2" have auto-bind tunnel enabled with resolution filter allowing SR-ISIS and SR-TE.

# on PE-2:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            vpn-apply-export true
            vpn-apply-import true
            rapid-withdrawal true
            split-horizon true
            rapid-update {
                vpn-ipv4 true
                evpn true
            }
            group "internal" {
                peer-as 64496
                family {
                    vpn-ipv4 true
                    evpn true
                }
            }
            neighbor "192.0.2.5" {
                group "internal"
            }
        }
    }
    service {
        vpls "VPLS-2" {
            admin-state enable
            service-id 2
            customer "1"
            bgp 1 {
            }
            bgp-evpn {
                evi 2
                mpls 1 {
                    admin-state enable
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            sr-isis true
                            sr-te true
                        }
                    }
                }
            }
            sap 1/1/c3/1:2 {
            }
        }
        vprn "VPRN-1" {
            admin-state enable
            service-id 1
            customer "1"
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    route-distinguisher "64496:1"
                    vrf-target {
                        community "target:64496:1"
                    }
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            sr-isis true
                            sr-te true
                        }
                    }
                }
            }
            interface "int-VPRN-1_PE-2_CE-11" {
                mac 00:00:5e:00:53:11
                ipv4 {
                    primary {
                        address 172.31.2.2
                        prefix-length 30
                    }
                }
                sap 1/1/c4/1:1 {
                }
            }
        }

The following route table for VPRN "VPRN-1" on PE-2 shows that the SR-TE tunnel with tunnel ID 655362 is used toward next-hop 192.0.2.5:

[/]
A:admin@PE-2# show router 1 route-table

===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
172.31.2.0/30                                 Local   Local     00h01m53s  0
       int-VPRN-1_PE-2_CE-11                                        0
172.31.5.4/30                                 Remote  BGP VPN   00h01m39s  170
       192.0.2.5 (tunneled:SR-TE:655362)                            20
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

Likewise, for the EVPN service, the SR-TE tunnel with tunnel ID 655362 is used toward 192.0.2.5, as follows:

[/]
A:admin@PE-2# show service id 2 fdb detail

===============================================================================
Forwarding Database, Service 2
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
            Transport:Tnl-Id                         Age
-------------------------------------------------------------------------------
2          00:00:5e:00:53:12 sap:1/1/c3/1:2          L/0      07/05/23 15:17:23
2          00:00:5e:00:53:62 mpls-1:                 Evpn     07/05/23 15:17:23
                             192.0.2.5:524285
           sr-te:655362
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend:  L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================
[/]
A:admin@PE-2# show router bgp next-hop evpn service-id 2
===============================================================================
 BGP Router ID:192.0.2.2        AS:64496       Local AS:64496
===============================================================================

===============================================================================
BGP VPN Next Hop
===============================================================================
VPN Next Hop                                                Owner
   Autobind                                        FibProg  Reason
   Labels (User-labels)                            FlexAlgo Metric
   Admin-tag-policy (strict-tunnel-tagging)                 Last Mod.
-------------------------------------------------------------------------------
192.0.2.5                                                   SR_TE
   sr-isis sr-te                                   Y
   -- (3)                                          --       20
   -- (N)                                                   00h02m02s
-------------------------------------------------------------------------------
Next Hops : 1
===============================================================================

Failure of the SR-TE LSP

The following command shows that—without any failures—the primary path of the SR-TE LSP goes via PE-4:

[/]
A:admin@PE-2# show router mpls sr-te-lsp "LSP-PE-2-PE-5_empty_localCSPF" path detail
                                                 | match "Actual Hops" post-lines 3
Actual Hops      :                         
    192.168.24.2(192.0.2.4)(A-SID)               Record Label        : 524286
 -> 192.168.45.2(192.0.2.5)(A-SID)               Record Label        : 524286

Figure 3 shows the primary path of the SR-TE LSP via PE-4.

Figure 3. Primary path of SR-TE LSP via PE-4

S-BFD is configured in the SR-TE LSP with failure action failover-or-down. If the SR-TE LSP fails, the S-BFD session will go down and it will bring the SR-TE tunnel down. The next-hop 192.0.2.5 cannot be resolved using the SR-TE tunnel, so an SR-ISIS tunnel will be used instead.

On PE-4, port 1/1/c1/1 to PE-5 is disabled to emulate a failure in the primary path of the SR-TE LSP, as follows:

# on PE-4:
configure {
    port 1/1/c1/1 {     # port to PE-5
        admin-state disable

Figure 4 shows that a remote failure occurs in the primary path of the SR-TE LSP.

Figure 4. Remote failure in the primary path of the SR-TE LSP

The S-BFD session goes operationally down, as follows:

[/]
A:admin@PE-2# show router bfd seamless-bfd session lsp-path detail prefix 192.0.2.5/32

===============================================================================
BFD Session
===============================================================================
Prefix         : 192.0.2.5/32
Local Address  : 192.0.2.2
LSP Name       : LSP-PE-2-PE-5_empty_localCSPF
LSP Index      : 65536                    Path LSP ID      : 4096
Fec Type       : srTe
Oper State     : Down                     Protocols        : mplsLsp
Last Up Time   : 0d 00:04:14              Up Transitions   : 1
Down Time      : 0d 00:00:01              Down Transitions : 1
                                          Version Mismatch : 0

Forwarding Information

Local Discr    : 1                        Local State      : Down
Local Diag     : 1 (Detect time expired)
Local Mode     : Demand
Local Min Tx   : 1000                     Local Mult       : 3
Last Sent (ms) : 0                        Local Min Rx     : 0
Type           : cpm-np
Remote         : Unheard                  Remote Discr     : 524291
===============================================================================
===============================================================================

When the S-BFD session goes down, the SR-TE LSP goes operationally down, as follows:

[/]
A:admin@PE-2# show router mpls sr-te-lsp

===============================================================================
MPLS SR-TE LSPs (Originating)
===============================================================================
LSP Name                                            Tun     Protect   Adm  Opr
  To                                                Id      Path
-------------------------------------------------------------------------------
LSP-PE-2-PE-5_empty_localCSPF                       1       N/A       Up   Dwn
  192.0.2.5
-------------------------------------------------------------------------------
LSPs : 1
===============================================================================

Because the SR-TE tunnel is operationally down, the only available tunnel to 192.0.2.5 is the SR-ISIS tunnel, as follows:

[/]
A:admin@PE-2# show router tunnel-table 192.0.2.5/32

===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination           Owner     Encap TunnelId  Pref   Nexthop        Metric
   Color
-------------------------------------------------------------------------------
192.0.2.5/32          isis (0)  MPLS  524293    11     192.168.23.2   20
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
       L = Loop-Free Alternate (LFA) hop available
       E = Inactive best-external BGP route
       k = RIB-API or Forwarding Policy backup hop
===============================================================================

The route table for VPRN "VPRN-1" shows that an SR-ISIS tunnel is used toward next-hop 192.0.2.5:

[/]
A:admin@PE-2# show router 1 route-table

===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
172.31.2.0/30                                 Local   Local     00h03m17s  0
       int-VPRN-1_PE-2_CE-11                                        0
172.31.5.4/30                                 Remote  BGP VPN   00h00m12s  170
       192.0.2.5 (tunneled:SR-ISIS:524293)                          20
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

Likewise, the FDB for the EVPN VPLS "VPLS-2" shows that an SR-ISIS tunnel with tunnel ID 524293 is used toward next-hop 192.0.2.5:

[/]
A:admin@PE-2# show service id 2 fdb detail

===============================================================================
Forwarding Database, Service 2
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
            Transport:Tnl-Id                         Age
-------------------------------------------------------------------------------
2          00:00:5e:00:53:12 sap:1/1/c3/1:2          L/60     07/05/23 15:17:23
2          00:00:5e:00:53:62 mpls-1:                 Evpn     07/05/23 15:17:23
                             192.0.2.5:524285
           isis:524293
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend:  L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================

SR-TE LSP reconnects after retry timer expires

When the SR-TE LSP retry timer expires, the primary path is recalculated and it will go via PE-3 (192.0.2.3), as follows:

[/]
A:admin@PE-2# show router mpls sr-te-lsp "LSP-PE-2-PE-5_empty_localCSPF" path detail 
                                                | match "Actual Hops" post-lines 3
Actual Hops      :
    192.168.23.2(192.0.2.3)(A-SID)               Record Label        : 524287
 -> 192.168.35.2(192.0.2.5)(A-SID)               Record Label        : 524286

Figure 5 shows that the primary path of the SR-TE tunnel goes via PE-3.

Figure 5. SR-TE LSP reconnects after retry timer expires

The tunnel table shows two tunnels to 192.0.2.5: one SR-TE tunnel with tunnel ID 655362 and one SR-ISIS tunnel with tunnel ID 524293:

[/]
A:admin@PE-2# show router tunnel-table 192.0.2.5/32

===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination           Owner     Encap TunnelId  Pref   Nexthop        Metric
   Color
-------------------------------------------------------------------------------
192.0.2.5/32          sr-te     MPLS  655362    8      192.168.23.2   20
192.0.2.5/32          isis (0)  MPLS  524293    11     192.168.23.2   20
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
       L = Loop-Free Alternate (LFA) hop available
       E = Inactive best-external BGP route
       k = RIB-API or Forwarding Policy backup hop
===============================================================================

Again, the SR-TE LSP will be preferred to the SR-ISIS LSP and both VPRN "VPRN-1" and EVPN VPLS "VPLS-2" will use the SR-TE tunnel to 192.0.2.5.
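
The tunnel selection seen in the tunnel tables above can be turned into an operational check that reports whether a service next hop resolves over the preferred SR-TE tunnel or has fallen back to SR-ISIS. The following Python code is an added example, not Nokia code; the helper names are hypothetical, the tunnel rows are copied from this chapter's outputs, and the mapping of tunnel-table owner `isis` to the resolution-filter entry `sr-isis` is an assumption based on this setup.

```python
import re

# Rows copied from this chapter's 'show router tunnel-table 192.0.2.5/32' outputs.
BEFORE_FAILURE = """\
192.0.2.5/32          sr-te     MPLS  655362    8      192.168.24.2   20
192.0.2.5/32          isis (0)  MPLS  524293    11     192.168.23.2   20
"""
AFTER_FAILURE = """\
192.0.2.5/32          isis (0)  MPLS  524293    11     192.168.23.2   20
"""

# Assumption: tunnel-table owner 'isis' is the tunnel that the resolution
# filter calls 'sr-isis', as in this chapter's setup.
OWNER_TO_FILTER = {"sr-te": "sr-te", "isis": "sr-isis"}

ROW = re.compile(
    r"^(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<owner>\S+)(?: \(\d+\))?\s+"
    r"(?P<encap>\S+)\s+(?P<id>\d+)\s+(?P<pref>\d+)\s+(?P<nexthop>\S+)\s+"
    r"(?P<metric>\d+)\s*$"
)


def parse_tunnel_table(output):
    """Return one dict per tunnel row; headers, rulers and flag lines are skipped."""
    tunnels = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            tunnels.append({"dest": m["dest"], "owner": m["owner"],
                            "id": int(m["id"]), "pref": int(m["pref"]),
                            "nexthop": m["nexthop"]})
    return tunnels


def resolve(tunnels, dest, resolution_filter):
    """Pick the tunnel with the lowest preference value among allowed types."""
    allowed = [t for t in tunnels if t["dest"] == dest
               and OWNER_TO_FILTER.get(t["owner"]) in resolution_filter]
    return min(allowed, key=lambda t: t["pref"], default=None)


def tunnel_status(output, dest, resolution_filter, preferred="sr-te"):
    """Classify resolution as 'preferred', 'fallback' or 'unresolved'."""
    chosen = resolve(parse_tunnel_table(output), dest, resolution_filter)
    if chosen is None:
        return "unresolved", None
    kind = OWNER_TO_FILTER[chosen["owner"]]
    return ("preferred" if kind == preferred else "fallback"), chosen["id"]


if __name__ == "__main__":
    services_filter = {"sr-isis", "sr-te"}   # as on VPRN-1 and VPLS-2
    for label, out in (("before", BEFORE_FAILURE), ("after", AFTER_FAILURE)):
        print(label, tunnel_status(out, "192.0.2.5/32", services_filter))
```

With a resolution filter that allows only `sr-te`, the same failure leaves the next hop unresolved instead of falling back, which is the case the `unresolved` status reports.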

Conclusion

S-BFD can be used to determine the state of SR-TE LSPs that only have a primary path. The resiliency is at the service level for VPRN and EVPN services with auto-bind tunnel where several resolution protocols are configured and SR-TE has the lowest preference value and is therefore preferred. When the S-BFD session for the SR-TE tunnel goes operationally down, the SR-TE tunnel goes operationally down. The VPRN and EVPN services will then use the best tunnel that is available; in this example, an SR-ISIS tunnel.