LFA Policies Using OSPF as IGP

This chapter provides information about LFA policies using OSPF as IGP.

Topics in this chapter include:

Applicability

This chapter was initially written for SR OS Release 12.0.R4, but the MD-CLI in the current edition corresponds to SR OS Release 23.3.R3.

Overview

Loopfree alternate (LFA) is a local control plane feature. When multiple LFAs exist, RFC 5286 chooses the LFA providing the best coverage of the failure cases. In general, this means that node LFA has preference above link LFA. In some deployments, however, this can lead to suboptimal LFA. For example, an aggregation router (typically using lower bandwidth links) protecting a core node or link (typically using high bandwidth links) is potentially undesirable.

For this reason, the operator wants to have more control in the LFA next hop selection algorithm. This is achieved by the introduction of LFA shortest path first (SPF) policies.

LFA policies can work in combination with IP fast reroute (FRR) and LDP FRR.

Implementation

The SR OS LFA policy implementation is built around the concept of route-next-hop-policy templates which are applied to IP interfaces. A route next hop policy template specifies criteria that influence the selection of an LFA backup next hop for either:

  • a set of prefixes in a prefix list or

  • a set of prefixes which resolve to a specific primary next hop

See RFC 7916 for further information. Two powerful methods which can be used as criteria inside a route next hop policy template are IP admin groups and IP shared risk link groups (SRLGs). IP admin group and IP SRLG criteria are applied before running the LFA next hop algorithm. IP admin groups and SRLGs work in a similar way as the MPLS admin groups and SRLGs.

For example, when one or more IP admin groups or SRLGs are applied to an IP interface, the same MPLS admin group and SRLG rules apply:

  • IP interfaces which do not include one or more of the admin groups defined in the include statements are pruned before computing the LFA next hop.

  • IP interfaces which belong to admin groups which have been explicitly excluded using the exclude statement are pruned before computing the LFA next hop.

  • IP interfaces which belong to the SRLGs used by the primary next hop of a prefix are pruned before computing the LFA next hop.

For more information about MPLS admin groups, see chapter "RSVP Point-to-Point LSPs" in the 7450 ESS, 7750 SR, and 7950 XRS MPLS Advanced Configuration Guide for MD CLI; for SRLGs, see chapter "Shared Risk Link Groups for RSVP-Based LSPs"" in the 7450 ESS, 7750 SR, and 7950 XRS MPLS Advanced Configuration Guide for MD CLI.

In the SR OS implementation, IP admin groups and SRLGs are locally significant, meaning they are not advertised by the IGP. Only the admin groups and SRLGs bound to an MPLS interface are advertised in TE link TLVs and sub-TLVs when the traffic engineering option is enabled in the IGP protocol. IES and VPRN interfaces do not have their attributes advertised in TE TLVs.

Other selection criteria which can be configured inside a route next hop template are protection type preference and next hop type preference. More details on these parameters are provided later in this chapter.

Configuration

Example topology shows the topology with six SR OS nodes. PE-2 will act as the point of local repair (PLR).

Figure 1. Example topology
  1. Configure an IP/MPLS network with LDP FRR enabled on PE-2.

    Because the focus is not on how to set up an IP/MPLS network, only summary bullets are provided.

    • The system and IP interface addresses are configured according to Example topology.

    • OSPF area 0.0.0.0 is selected as the interior gateway protocol (IGP) to distribute routing information between all PEs. All OSPF interfaces are set up as type point-to-point to avoid running the designated router/backup designated router (DR/BDR) election process. All links have an OSPF metric cost of 10, except for interface "int-PE-2-PE-5" on PE-2, which is configured with a metric of 20.

    • Link LDP is enabled on all interfaces, which establishes a full mesh of LDP LSPs between all PE system interfaces. As an example, the tunnel table on PE-2 contains LDP tunnels to all the other PEs, as follows. The LDP LSP metric follows the IGP cost.

      [/]
      A:admin@PE-2# show router tunnel-table
      
      ===============================================================================
      IPv4 Tunnel Table (Router: Base)
      ===============================================================================
      Destination           Owner     Encap TunnelId  Pref   Nexthop        Metric
         Color
      -------------------------------------------------------------------------------
      192.0.2.1/32          ldp       MPLS  65537     9      192.168.12.1   1
      192.0.2.3/32          ldp       MPLS  65538     9      192.168.23.2   1
      192.0.2.4/32          ldp       MPLS  65539     9      192.168.24.2   1
      192.0.2.5/32          ldp       MPLS  65540     9      192.168.12.1   2
      192.0.2.6/32          ldp       MPLS  65541     9      192.168.26.2   1
      -------------------------------------------------------------------------------
      Flags: B = BGP or MPLS backup hop available
             L = Loop-Free Alternate (LFA) hop available
             E = Inactive best-external BGP route
             k = RIB-API or Forwarding Policy backup hop
      ===============================================================================
      
    • Enable LDP FRR on PE-2. This is a two-fold configuration command: the IGP needs to be triggered to do LFA next hop computation, and FRR needs to be enabled within the ldp context. First, LFA is enabled in OSPF on PE-2:

      # on PE-2:
      configure {
          router "Base" {
              ospf 0 {
                  loopfree-alternate {
                  }
       
      [/]
      A:admin@PE-2# show router ospf status | match LFA
      LFA                          : Enabled
      Remote-LFA                   : Disabled
      Max PQ Cost (Remote-LFA)     : 65535
      Remote-LFA (node-protect)    : Disabled
      TI-LFA                       : Disabled
      TI-LFA (node-protect)        : Disabled
      Mhp-LFA (IP-FRR)             : Disabled
      Mhp-LFA (SR)                 : Disabled 
      

      Remote LFA and topology-independent LFA (TI-LFA) can be enabled for segment routing, but this is beyond the scope of this chapter.

      Second, LDP FRR is enabled on PE-2:

      # on PE-2:
      configure {
          router "Base" {
              ldp {
                  fast-reroute {
                  } 
      
      [/]
      A:admin@PE-2# show router ldp status | match FRR 
      FRR                : Enabled              Mcast Upstream FRR   : Disabled
      Mcast Upst ASBR FRR: Disabled
      

      Multicast upstream FRR is for multicast LDP and is beyond the scope of this chapter.

    After issuing these two CLI commands, the software precomputes both a primary and a backup next hop label forwarding entry (NHLFE) for each LDP forwarding equivalence class (FEC) in the network and downloads them into the IOM/IMM. The primary NHLFE corresponds to the label of the FEC received from the primary next hop as per standard LDP resolution of the FEC prefix in the routing table manager (RTM). The backup NHLFE corresponds to the label received for the same FEC from an LFA next hop. The show router route-table alternative command adds an LFA flag to the associated alternative next hop for a specific destination prefix. Other useful IGP related show commands are show router ospf lfa-coverage and show router ospf routes alternative detail.

    [/]
    A:admin@PE-2# show router route-table alternative
    
    ===============================================================================
    Route Table (Router: Base)
    ===============================================================================
    Dest Prefix[Flags]                            Type    Proto     Age        Pref
          Next Hop[Interface Name]                                   Metric
          Alt-NextHop                                                Alt-
                                                                     Metric
    -------------------------------------------------------------------------------
    192.0.2.1/32                                  Remote  OSPF      00h02m41s  10
           192.168.12.1                                                 1
           192.168.26.2 (LFA)                                           2
    192.0.2.2/32                                  Local   Local     00h02m42s  0
           system                                                       0
    192.0.2.3/32                                  Remote  OSPF      00h02m32s  10
           192.168.23.2                                                 1
           192.168.24.2 (LFA)                                           2
    192.0.2.4/32                                  Remote  OSPF      00h02m27s  10
           192.168.24.2                                                 1
           192.168.23.2 (LFA)                                           2
    192.0.2.5/32                                  Remote  OSPF      00h02m15s  10
           192.168.12.1                                                 2
           192.168.24.2 (LFA)                                           2
    192.0.2.6/32                                  Remote  OSPF      00h02m06s  10
           192.168.26.2                                                 1
           192.168.12.1 (LFA)                                           2
    192.168.12.0/30                               Local   Local     00h02m42s  0
           int-PE-2-PE-1                                                0
    192.168.15.0/30                               Remote  OSPF      00h02m41s  10
           192.168.12.1                                                 2
           192.168.26.2 (LFA)                                           3
    192.168.16.0/30                               Remote  OSPF      00h02m41s  10
           192.168.12.1                                                 2
           192.168.26.2 (LFA)                                           3
    192.168.23.0/30                               Local   Local     00h02m42s  0
           int-PE-2-PE-3                                                0
    192.168.24.0/30                               Local   Local     00h02m42s  0
           int-PE-2-PE-4                                                0
    192.168.25.0/30                               Local   Local     00h02m42s  0
           int-PE-2-PE-5                                                0
    192.168.26.0/30                               Local   Local     00h02m42s  0
           int-PE-2-PE-6                                                0
    192.168.34.0/30                               Remote  OSPF      00h02m32s  10
           192.168.23.2                                                 2
           192.168.24.2 (LFA)                                           3
    192.168.45.0/30                               Remote  OSPF      00h02m27s  10
           192.168.24.2                                                 2
           192.168.23.2 (LFA)                                           3
    192.168.56.0/30                               Remote  OSPF      00h02m06s  10
           192.168.26.2                                                 2
           192.168.12.1 (LFA)                                           3
    -------------------------------------------------------------------------------
    No. of Routes: 16
    Flags: n = Number of times nexthop is repeated
           Backup = BGP backup route
           LFA = Loop-Free Alternate nexthop
           S = Sticky ECMP requested
    ===============================================================================
    

    Displaying the label forwarding information base (LFIB) on PE-2 shows the available alternate next hops that are displayed with the BU flag.

    [/]
    A:admin@PE-2# show router ldp bindings active prefixes ipv4
    
    ===============================================================================
    LDP Bindings (IPv4 LSR ID 192.0.2.2)
                 (IPv6 LSR ID ::)
    ===============================================================================
    Label Status:
            U - Label In Use, N - Label Not In Use, W - Label Withdrawn
            WP - Label Withdraw Pending, BU - Alternate For Fast Re-Route
            e - Label ELC
    FEC Flags:
            LF - Lower FEC, UF - Upper FEC, M - Community Mismatch,
            BA - ASBR Backup FEC
            (S) - Static           (M) - Multi-homed Secondary Support
            (B) - BGP Next Hop     (BU) - Alternate Next-hop for Fast Re-Route
            (I) - SR-ISIS Next Hop (O) - SR-OSPF Next Hop
            (C) - FEC resolved with class-based-forwarding
    ===============================================================================
    LDP IPv4 Prefix Bindings (Active)
    ===============================================================================
    Prefix                                      Op
    IngLbl                                      EgrLbl
    EgrNextHop                                  EgrIf/LspId
    -------------------------------------------------------------------------------
    192.0.2.1/32                                Push
      --                                        524287
    192.168.12.1                                1/1/c2/1:1000
    
    192.0.2.1/32                                Push
      --                                        524286BU
    192.168.26.2                                1/1/c3/1:1000
    
    192.0.2.1/32                                Swap
    524286                                      524287
    192.168.12.1                                1/1/c2/1:1000
    
    192.0.2.1/32                                Swap
    524286                                      524286BU
    192.168.26.2                                1/1/c3/1:1000
    
    192.0.2.2/32                                Pop
    524287                                        --
      --                                          --
    
    192.0.2.3/32                                Push
      --                                        524287
    192.168.23.2                                1/1/c1/1:1000
    
    192.0.2.3/32                                Push
      --                                        524286BU
    192.168.24.2                                1/1/c5/1:1000
    
    192.0.2.3/32                                Swap
    524285                                      524287
    192.168.23.2                                1/1/c1/1:1000
    
    192.0.2.3/32                                Swap
    524285                                      524286BU
    192.168.24.2                                1/1/c5/1:1000
    
    192.0.2.4/32                                Push
      --                                        524287
    192.168.24.2                                1/1/c5/1:1000
    
    192.0.2.4/32                                Push
      --                                        524284BU
    192.168.23.2                                1/1/c1/1:1000
    
    192.0.2.4/32                                Swap
    524284                                      524287
    192.168.24.2                                1/1/c5/1:1000
    
    192.0.2.4/32                                Swap
    524284                                      524284BU
    192.168.23.2                                1/1/c1/1:1000
    
    192.0.2.5/32                                Push
      --                                        524283
    192.168.12.1                                1/1/c2/1:1000
    
    192.0.2.5/32                                Push
      --                                        524283BU
    192.168.24.2                                1/1/c5/1:1000
    
    192.0.2.5/32                                Swap
    524283                                      524283
    192.168.12.1                                1/1/c2/1:1000
    
    192.0.2.5/32                                Swap
    524283                                      524283BU
    192.168.24.2                                1/1/c5/1:1000
    
    192.0.2.6/32                                Push
      --                                        524287
    192.168.26.2                                1/1/c3/1:1000
    
    192.0.2.6/32                                Push
      --                                        524282BU
    192.168.12.1                                1/1/c2/1:1000
    
    192.0.2.6/32                                Swap
    524282                                      524287
    192.168.26.2                                1/1/c3/1:1000
    
    192.0.2.6/32                                Swap
    524282                                      524282BU
    192.168.12.1                                1/1/c2/1:1000
    
    -------------------------------------------------------------------------------
    No. of IPv4 Prefix Active Bindings: 21
    ===============================================================================
    

    Finally, a synchronization timer is enabled between the IGP and LDP protocol when LDP FRR is enabled. From the moment that the interface for the previous primary next hop is restored, the IGP may reconverge back to that interface before LDP has completed the FEC exchange with its neighbor over that interface. This may cause LDP to de-program the LFA next hop from the FEC and blackhole the traffic. In this example, a synchronization timer of 10 seconds is configured, as follows:

    # on all PEs:
    configure {
        router "Base" {
            interface <itf-name> {
                ldp-sync-timer {
                    seconds 10
                } 
    

    When this timer is set, on restoring a failed interface, the IGP advertises this link into the network with an infinite metric for the duration of this timer. When the failed link is restored, the LDP synchronization timer is started, and LDP adjacencies are brought up over the restored link and a label exchange is completed between the peers. After the LDP synchronization timer expires, the normal metric is advertised into the network again.

    At this point, everything is in place to start creating LFA policies to influence the calculated LFA next hops.

  2. Create a route next hop policy template.

    This is a mandatory step in the context of LFA policies. The route next hop template name is 32 characters at maximum. Creating a route next hop policy is done in the following way:

    configure {
        routing-options {
            route-next-hop-policy {
                template <template name>
    

    After a commit of a route next hop policy template, the IGP re-evaluates the template and schedules a new LFA SPF to recompute the LFA next hop for the prefixes associated with this template.

  3. Configure admin group constraints in route next hop policy.

    Admin groups are optional in the context of LFA policies. First, configure a group name and a group value for each admin group locally on the router. Admin groups are configured as follows:

    configure {
        routing-options {
            if-attribute {
                admin-group <group-name> {
                    value <number>
                } 
    

    Second, configure the admin group membership of the IP interfaces (network, IES, or VPRN), as follows. Maximum 32 admin groups can be assigned to an IP interface in one command. The configured IP admin group membership applies to all levels or areas the interface is participating in.

    configure {
        router "Base" {
            interface <itf-name> {
                if-attribute {
                    admin-group ["group-name-1" "group-name-2" ... (up to 32 max)]
    
    configure {
        service {
            vprn <svc-name> {
                interface <itf-name> {
                    if-attribute {
                        admin-group ["group-name-1" "group-name-2" ... (up to 32 max)]
    
    configure {
        service {
            ies <svc-name> {
                interface <itf-name> {
                    if-attribute {
                        admin-group ["group-name-1" "group-name-2" ... (up to 32 max)]
    

    Third, add the IP admin group constraints to the route next hop policy template one by one. The include-group statement instructs the LFA SPF selection algorithm to select a subset of LFA next hops among the links which belong to one or more of the specified admin groups. A link which does not belong to any of the admin groups is excluded. The preference option is used to provide a relative preference for the admin group selection. A lower preference value means that LFA SPF will first attempt to select an LFA backup next hop which is a member of the corresponding admin group. If none is found, then the admin group with the next higher preference value is evaluated. If no preference value is configured, then it is the least preferred with a default preference value of 255.

    When evaluating multiple include-group statements having the same preference, any link which belongs to one or more of the included admin groups can be selected as an LFA next hop. There is no relative preference based on how many of those included admin groups the link is a member of.

    The exclude-group command simply prunes all links belonging to the specified admin group before making the LFA backup next hop selection for a prefix. If the same group name is part of both include and exclude statements, the exclude statement takes precedence. In other words, the exclude statement can be viewed as having an implicit preference value of 0.

    Configure the admin group constraints in the route next hop policy template with the following command:

    configure {
        routing-options {
            route-next-hop-policy {
                template <template-name> {
                    exclude-group <ip-admin-group-name>    
                    include-group <ip-admin-group-name> {
                        preference <preference>
                    }
    
  4. Configure SRLG constraints in route next hop policy.

    SRLG constraints are optional in the context of LFA policies. First, configure a group name and group value of each SRLG group locally on the router. The penalty weight controls the likelihood of paths with links sharing SRLG values with a primary path being used by a bypass or detour LSP. The higher the penalty weight, the less desirable it is to use the link with an SRLG. SRLG constraints are configured as follows:

    configure {
        routing-options {
            if-attribute {
                 srlg-group <group-name> {
                     value <group-value> 
                     penalty-weight <penalty-weight>        # default: 0
                 }
    

    Second, configure the SRLG group membership of the IP interfaces (network, IES, or VPRN), as follows. One SRLG group can be applied to an IP interface in the srlg-group command but the command can be applied multiple times. The configured IP SRLG group membership is applied in all levels or areas the interface is participating in.

    configure {
        router "Base" {
            interface <itf-name> {
                if-attribute {
                    srlg-group <group-name>
    
    configure {
        service {
            vprn <svc-name> {
                interface <itf-name> {
                    if-attribute {
                        srlg-group <group-name> 
    
    configure {
        service {
            ies <svc-name> {
                interface <itf-name> {
                    if-attribute {
                        srlg-group <group-name> 
    

    Third, add IP SRLG group constraints to the route next hop policy template, as follows. When this command is applied to a prefix, the LFA SPF attempts to select an LFA next hop which uses an outgoing interface that does not participate in any of the SRLGs of the outgoing interface used by the primary next hop.

    configure {
        routing-options {
            route-next-hop-policy {
                template <template-name> {
                    srlg true
                }
    
  5. Configure the protection type in route next hop policy.

    This is an optional step in the context of LFA policies. With the following command, the user can also select if link protection or node protection is preferred for IP prefixes and LDP FEC prefixes protected by a backup LFA next hop. By default, node protection is chosen. The implementation falls back to link protection if no LFA next hop is found for node protection.

    configure {
        routing-options {
            route-next-hop-policy { 
                template <template-name> {
                    protection-type {link|node}
                }
    
  6. Configure the next hop preference type in route next hop policy.

    This is an optional step in the context of LFA policies. With the following command, the user can also select if tunnel backup next hop or IP backup next hop is preferred for IP prefixes and LDP FEC prefixes protected by a backup LFA next hop. By default, IP backup next hop is chosen. The implementation falls back to the other type (tunnel) if no LFA next hop of the preferred type is found.

    configure {
        routing-options {
            route-next-hop-policy {
                template <template-name> {
                    nh-type {ip|tunnel}
                }
    
  7. Apply the route next hop policy template to an IP interface.

    When the route next hop policy is applied to an IP interface with one of the following commands, all prefixes using this interface as primary next hop take the selection criteria specified in Step 3, Step 4, Step 5, and Step 6 into account.

    configure {
        router "Base" {
            ospf <ospf-instance> {
                area <area-id> {
                    interface <itf-name> {
                        loopfree-alternate {
                            policy-map {
                                route-nh-template <template-name>
    
    configure {
        router "Base" {
            ospf3 <ospf-instance> {
                area <area-id> {
                    interface <itf-name> {
                        loopfree-alternate {
                            policy-map {
                                route-nh-template <template-name>
    
    configure {
        service {
            vprn <svc-name> {
                ospf <ospf-instance> {
                    area <area-id> {
                        interface <itf-name> {
                            loopfree-alternate {
                                policy-map {
                                    route-nh-template <template-name>
    
    configure {
        service {
            vprn <svc-name> {
                ospf3 <ospf-instance> {
                    area <area-id> {
                        interface <itf-name> {
                            loopfree-alternate {
                                policy-map {
                                    route-nh-template <template-name>
    

LFA policy examples

All the following examples focus on providing another LFA next hop for LDP FEC prefix 192.0.2.1/32 and 192.0.2.6/32 (the system IP addresses of PE-1 and PE-6), with PE-2 being the PLR.

See Example topology for the example topology.

The default LFA next hop (without policy) for LDP FEC prefix 192.0.2.1/32 is 192.168.26.2 on PE-6, as follows:

[/]
A:admin@PE-2# show router ldp bindings active prefixes prefix 192.0.2.1/32 

===============================================================================
LDP Bindings (IPv4 LSR ID 192.0.2.2)
             (IPv6 LSR ID ::)
===============================================================================
Label Status:
        U - Label In Use, N - Label Not In Use, W - Label Withdrawn
        WP - Label Withdraw Pending, BU - Alternate For Fast Re-Route
        e - Label ELC
FEC Flags:
        LF - Lower FEC, UF - Upper FEC, M - Community Mismatch,
        BA - ASBR Backup FEC
        (S) - Static           (M) - Multi-homed Secondary Support
        (B) - BGP Next Hop     (BU) - Alternate Next-hop for Fast Re-Route
        (I) - SR-ISIS Next Hop (O) - SR-OSPF Next Hop
        (C) - FEC resolved with class-based-forwarding
===============================================================================
LDP IPv4 Prefix Bindings (Active)
===============================================================================
Prefix                                      Op
IngLbl                                      EgrLbl
EgrNextHop                                  EgrIf/LspId
-------------------------------------------------------------------------------
192.0.2.1/32                                Push
  --                                        524287
192.168.12.1                                1/1/c2/1:1000
                                             
192.0.2.1/32                                Push
  --                                        524285BU
192.168.26.2                                1/1/c3/1:1000
                                             
192.0.2.1/32                                Swap
524286                                      524287
192.168.12.1                                1/1/c2/1:1000
                                             
192.0.2.1/32                                Swap
524286                                      524285BU
192.168.26.2                                1/1/c3/1:1000
                                             
-------------------------------------------------------------------------------
No. of IPv4 Prefix Active Bindings: 4
===============================================================================

The default LFA next hop for LDP FEC prefix 192.0.2.6/32 is 192.168.12.1 on PE-1, as follows:

[/]
A:admin@PE-2# show router ldp bindings active prefixes prefix 192.0.2.6/32 

===============================================================================
LDP Bindings (IPv4 LSR ID 192.0.2.2)
             (IPv6 LSR ID ::)
===============================================================================
Label Status:
        U - Label In Use, N - Label Not In Use, W - Label Withdrawn
        WP - Label Withdraw Pending, BU - Alternate For Fast Re-Route
        e - Label ELC
FEC Flags:
        LF - Lower FEC, UF - Upper FEC, M - Community Mismatch,
        BA - ASBR Backup FEC
        (S) - Static           (M) - Multi-homed Secondary Support
        (B) - BGP Next Hop     (BU) - Alternate Next-hop for Fast Re-Route
        (I) - SR-ISIS Next Hop (O) - SR-OSPF Next Hop
        (C) - FEC resolved with class-based-forwarding
===============================================================================
LDP IPv4 Prefix Bindings (Active)
===============================================================================
Prefix                                      Op
IngLbl                                      EgrLbl
EgrNextHop                                  EgrIf/LspId
-------------------------------------------------------------------------------
192.0.2.6/32                                Push
  --                                        524287
192.168.26.2                                1/1/c3/1:1000
                                             
192.0.2.6/32                                Push
  --                                        524282BU
192.168.12.1                                1/1/c2/1:1000
                                             
192.0.2.6/32                                Swap
524282                                      524287
192.168.26.2                                1/1/c3/1:1000
                                             
192.0.2.6/32                                Swap
524282                                      524282BU
192.168.12.1                                1/1/c2/1:1000
                                             
-------------------------------------------------------------------------------
No. of IPv4 Prefix Active Bindings: 4
===============================================================================

This default LFA next hop can be changed by adding specific selection criteria inside a route next hop policy template.

Example 1: LFA policy with admin group constraint

The objective is to force the LFA next hop for both LDP FEC prefixes to use the path between PE-2 and PE-5.

Define admin group "red" with value 1 and apply it to the IP interfaces "int-PE-2-PE-1" and "int-PE-2-PE-6":

# on PE-2:
configure {
    routing-options {
        if-attribute {
            admin-group "red" {
                value 1
            }
        }
    }
    router "Base" {
        interface "int-PE-2-PE-1" {
            if-attribute {
                admin-group ["red"]
            }
        }
        interface "int-PE-2-PE-6" {
            if-attribute {
                admin-group ["red"]
            }
        } 

Define a route next hop policy template "LFA_NH_exclRed", which excludes IP admin group "red".

# on PE-2:
configure {
    routing-options {
        route-next-hop-policy {
            template "LFA_NH_exclRed" {
                exclude-group "red" { }
            }

Apply the policy to the OSPF interfaces toward PE-1 and PE-6:

# on PE-2:
configure {
    router "Base" {
        ospf 0 {
            area 0.0.0.0 {
                interface "int-PE-2-PE-1" {
                    loopfree-alternate {
                        policy-map {
                            route-nh-template "LFA_NH_exclRed"
                        }
                    }
                }
                interface "int-PE-2-PE-6" {
                    loopfree-alternate {
                        policy-map {
                            route-nh-template "LFA_NH_exclRed"
                        }
                    }
                }
            } 

From the moment that the route next hop policy template "LFA_NH_exclRed" is applied to the OSPF interfaces toward PE-1 and PE-6, the LFA next hops for both LDP FEC prefixes change. They now both point to the IP interface from PE-2 to PE-5 as LFA backup next hop:

[/]
A:admin@PE-2# show router ldp bindings active prefixes prefix 192.0.2.1/32 

===============================================================================
LDP Bindings (IPv4 LSR ID 192.0.2.2)
             (IPv6 LSR ID ::)
===============================================================================
Label Status:
        U - Label In Use, N - Label Not In Use, W - Label Withdrawn
        WP - Label Withdraw Pending, BU - Alternate For Fast Re-Route
        e - Label ELC
FEC Flags:
        LF - Lower FEC, UF - Upper FEC, M - Community Mismatch,
        BA - ASBR Backup FEC
        (S) - Static           (M) - Multi-homed Secondary Support
        (B) - BGP Next Hop     (BU) - Alternate Next-hop for Fast Re-Route
        (I) - SR-ISIS Next Hop (O) - SR-OSPF Next Hop
        (C) - FEC resolved with class-based-forwarding
===============================================================================
LDP IPv4 Prefix Bindings (Active)
===============================================================================
Prefix                                      Op
IngLbl                                      EgrLbl
EgrNextHop                                  EgrIf/LspId
-------------------------------------------------------------------------------
192.0.2.1/32                                Push
  --                                        524287
192.168.12.1                                1/1/c2/1:1000
                                             
192.0.2.1/32                                Push
  --                                        524286BU
192.168.25.2                                1/1/c4/1:1000
                                             
192.0.2.1/32                                Swap
524286                                      524287
192.168.12.1                                1/1/c2/1:1000
                                             
192.0.2.1/32                                Swap
524286                                      524286BU
192.168.25.2                                1/1/c4/1:1000
                                             
-------------------------------------------------------------------------------
No. of IPv4 Prefix Active Bindings: 4
===============================================================================
[/]
A:admin@PE-2# show router ldp bindings active prefixes prefix 192.0.2.6/32 

===============================================================================
LDP Bindings (IPv4 LSR ID 192.0.2.2)
             (IPv6 LSR ID ::)
===============================================================================
Label Status:
        U - Label In Use, N - Label Not In Use, W - Label Withdrawn
        WP - Label Withdraw Pending, BU - Alternate For Fast Re-Route
        e - Label ELC
FEC Flags:
        LF - Lower FEC, UF - Upper FEC, M - Community Mismatch,
        BA - ASBR Backup FEC
        (S) - Static           (M) - Multi-homed Secondary Support
        (B) - BGP Next Hop     (BU) - Alternate Next-hop for Fast Re-Route
        (I) - SR-ISIS Next Hop (O) - SR-OSPF Next Hop
        (C) - FEC resolved with class-based-forwarding
===============================================================================
LDP IPv4 Prefix Bindings (Active)
===============================================================================
Prefix                                      Op
IngLbl                                      EgrLbl
EgrNextHop                                  EgrIf/LspId
-------------------------------------------------------------------------------
192.0.2.6/32                                Push
  --                                        524287
192.168.26.2                                1/1/c3/1:1000
                                             
192.0.2.6/32                                Push
  --                                        524282BU
192.168.25.2                                1/1/c4/1:1000
                                             
192.0.2.6/32                                Swap
524282                                      524287
192.168.26.2                                1/1/c3/1:1000
                                             
192.0.2.6/32                                Swap
524282                                      524282BU
192.168.25.2                                1/1/c4/1:1000
                                             
-------------------------------------------------------------------------------
No. of IPv4 Prefix Active Bindings: 4
===============================================================================

Example 2: LFA policy with SRLG constraint

The objective is to force the LFA next hop for both LDP FEC prefixes to use the path from PE-2 to PE-5.

Define SRLG group "blue" with value 2 and apply it to the IP interfaces "int-PE-2-PE-1" and "int-PE-2-PE-6".

# on PE-2:
configure {
    routing-options {
        if-attribute {
            srlg-group "blue" {
                value 2
            }
        }
    }
    router "Base" {
        interface "int-PE-2-PE-1" {
            if-attribute {
                srlg-group "blue" { }
            }
        }
        interface "int-PE-2-PE-6" {
            if-attribute {
                srlg-group "blue" { }
            }
        } 

Define a route next hop policy template "LFA_NH_SRLG", where SRLG is enabled, as follows:

# on PE-2:
configure {
    routing-options {
        route-next-hop-policy {
            template "LFA_NH_SRLG" {
                srlg true
            }

Apply the policy to the OSPF interface toward PE-1 and PE-6:

# on PE-2:
configure {
    router "Base" {
        ospf 0 {
            area 0.0.0.0 {
                interface "int-PE-2-PE-1" {
                    loopfree-alternate {
                        policy-map {
                            route-nh-template "LFA_NH_SRLG"
                        }
                    }
                }
                interface "int-PE-2-PE-6" {
                    loopfree-alternate {
                        policy-map {
                            route-nh-template "LFA_NH_SRLG"
                        }
                    }
                }
            } 

Only one LFA policy mapping is allowed on an OSPF interface at a time. The new LFA policy mapping replaces the previous one.

The LFA next hops for both LDP FEC prefixes will both point now to the interface from PE-2 to PE-5 as LFA backup next hop, as follows:

[/]
A:admin@PE-2# show router ldp bindings active prefixes prefix 192.0.2.1/32 

===============================================================================
LDP Bindings (IPv4 LSR ID 192.0.2.2)
             (IPv6 LSR ID ::)
===============================================================================
Label Status:
        U - Label In Use, N - Label Not In Use, W - Label Withdrawn
        WP - Label Withdraw Pending, BU - Alternate For Fast Re-Route
        e - Label ELC
FEC Flags:
        LF - Lower FEC, UF - Upper FEC, M - Community Mismatch,
        BA - ASBR Backup FEC
        (S) - Static           (M) - Multi-homed Secondary Support
        (B) - BGP Next Hop     (BU) - Alternate Next-hop for Fast Re-Route
        (I) - SR-ISIS Next Hop (O) - SR-OSPF Next Hop
        (C) - FEC resolved with class-based-forwarding
===============================================================================
LDP IPv4 Prefix Bindings (Active)
===============================================================================
Prefix                                      Op
IngLbl                                      EgrLbl
EgrNextHop                                  EgrIf/LspId
-------------------------------------------------------------------------------
192.0.2.1/32                                Push
  --                                        524287
192.168.12.1                                1/1/c2/1:1000
                                             
192.0.2.1/32                                Push
  --                                        524286BU
192.168.25.2                                1/1/c4/1:1000
                                             
192.0.2.1/32                                Swap
524286                                      524287
192.168.12.1                                1/1/c2/1:1000
                                             
192.0.2.1/32                                Swap
524286                                      524286BU
192.168.25.2                                1/1/c4/1:1000
                                             
-------------------------------------------------------------------------------
No. of IPv4 Prefix Active Bindings: 4
===============================================================================
[/]
A:admin@PE-2# show router ldp bindings active prefixes prefix 192.0.2.6/32 

===============================================================================
LDP Bindings (IPv4 LSR ID 192.0.2.2)
             (IPv6 LSR ID ::)
===============================================================================
Label Status:
        U - Label In Use, N - Label Not In Use, W - Label Withdrawn
        WP - Label Withdraw Pending, BU - Alternate For Fast Re-Route
        e - Label ELC
FEC Flags:
        LF - Lower FEC, UF - Upper FEC, M - Community Mismatch,
        BA - ASBR Backup FEC
        (S) - Static           (M) - Multi-homed Secondary Support
        (B) - BGP Next Hop     (BU) - Alternate Next-hop for Fast Re-Route
        (I) - SR-ISIS Next Hop (O) - SR-OSPF Next Hop
        (C) - FEC resolved with class-based-forwarding
===============================================================================
LDP IPv4 Prefix Bindings (Active)
===============================================================================
Prefix                                      Op
IngLbl                                      EgrLbl
EgrNextHop                                  EgrIf/LspId
-------------------------------------------------------------------------------
192.0.2.6/32                                Push
  --                                        524287
192.168.26.2                                1/1/c3/1:1000
                                             
192.0.2.6/32                                Push
  --                                        524282BU
192.168.25.2                                1/1/c4/1:1000
                                             
192.0.2.6/32                                Swap
524282                                      524287
192.168.26.2                                1/1/c3/1:1000
                                             
192.0.2.6/32                                Swap
524282                                      524282BU
192.168.25.2                                1/1/c4/1:1000
                                             
-------------------------------------------------------------------------------
No. of IPv4 Prefix Active Bindings: 4
===============================================================================

The LFA policy mapping is removed from the OSPF interfaces as follows:

# on PE-2:
configure {
    router "Base" {
        ospf 0 {
            area 0.0.0.0 {
                interface "int-PE-2-PE-1" {
                    delete loopfree-alternate
                }
                interface "int-PE-2-PE-6" {
                    delete loopfree-alternate
                }
            }

Example 3: LFA policy with next hop type constraint

The objective is to force the LFA next hop for IP prefix 192.0.2.6/32 to use an RSVP tunnel.

Enable IP FRR as follows:

# on PE-2:
configure {
    routing-options {
        ip-fast-reroute true

Set up an RSVP LSP tunnel toward 192.0.2.6 with a strict MPLS path going over PE-2 to PE-4 to PE-5 to PE-6.

Note:

Because an RSVP LSP is set up between PE-2 and PE-6, MPLS and RSVP protocols need to be enabled on all the corresponding IP interfaces along the MPLS path.

# on PE-2:
configure {
    router "Base" {
        mpls {
            interface "int-PE-2-PE-4" {
            }
            path "path-PE-2-PE-4-PE-5-PE-6" {
                admin-state enable
                hop 10 {
                    ip-address 192.168.24.2
                    type strict
                }
                hop 20 {
                    ip-address 192.168.45.2
                    type strict
                }
                hop 30 {
                    ip-address 192.168.56.2
                    type strict
                }
            }
            lsp "LSP-PE-2-PE-6-strict" {
                admin-state enable
                type p2p-rsvp
                to 192.0.2.6
                primary "path-PE-2-PE-4-PE-5-PE-6" {
                }
            }

Enable IGP shortcut with resolution filter RSVP within the IGP on PE-2 and indicate that the newly created RSVP LSP is a possible shortcut candidate for LFA backup next hop only.

# on PE-2: 
configure {
    router "Base" {
        ospf 0 {
            igp-shortcut {
                admin-state enable
                tunnel-next-hop {
                    family ipv4 {
                        resolution filter
                        resolution-filter {
                            rsvp true
                        }
                    }
                }
            }
        }
        mpls {
            lsp "LSP-PE-2-PE-6-strict" {
                igp-shortcut {
                    lfa-type lfa-only
                }     
            }
        } 

The following tunnel table on PE-2 for prefix 192.0.2.6 shows that an LDP LSP and an RSVP LSP are available toward PE-6:

[/]
A:admin@PE-2# show router tunnel-table 192.0.2.6 

===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination           Owner     Encap TunnelId  Pref   Nexthop        Metric
   Color                                                              
-------------------------------------------------------------------------------
192.0.2.6/32          rsvp      MPLS  1         7      192.168.24.2   16777215
192.0.2.6/32 [L]      ldp       MPLS  65541     9      192.168.26.2   1
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
       L = Loop-Free Alternate (LFA) hop available
       E = Inactive best-external BGP route
       k = RIB-API or Forwarding Policy backup hop
===============================================================================

The RSVP tunnel with tunnel ID 1 corresponds to the RSVP LSP "LSP-PE-2-PE-6-strict", as follows:

[/]
A:admin@PE-2# show router mpls lsp 

===============================================================================
MPLS LSPs (Originating)
===============================================================================
LSP Name                                            Tun     Fastfail  Adm  Opr
  To                                                Id      Config         
-------------------------------------------------------------------------------
LSP-PE-2-PE-6-strict                                1       No        Up   Up
  192.0.2.6                                                                
-------------------------------------------------------------------------------
LSPs : 1
===============================================================================

By default, the preferred next hop type is IP, not tunnel. Therefore, the RSVP tunnel will not be used for the LFA backup, as follows:

[/]
A:admin@PE-2# show router route-table alternative 192.0.2.6/32 

===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                   Metric    
      Alt-NextHop                                                Alt-      
                                                                 Metric    
-------------------------------------------------------------------------------
192.0.2.6/32                                  Remote  OSPF      00h00m22s  10
       192.168.26.2                                                 1
       192.168.12.1 (LFA)                                           2
-------------------------------------------------------------------------------
No. of Routes: 1
Flags: n = Number of times nexthop is repeated
       Backup = BGP backup route
       LFA = Loop-Free Alternate nexthop
       S = Sticky ECMP requested
===============================================================================

Define a route next hop policy template "LFA_NH_Tunnel", where the next hop type is set to tunnel.

# on PE-2:
configure {
    routing-options {
        route-next-hop-policy {
            template "LFA_NH_Tunnel" {
                nh-type tunnel
            }

Apply the route next hop policy template to the OSPF interface toward PE-6, as follows:

# on PE-2:
configure {
    router "Base" {
        ospf 0 {
            area 0.0.0.0 {
                interface "int-PE-2-PE-6" {
                    loopfree-alternate {
                        policy-map {
                            route-nh-template "LFA_NH_Tunnel"
                        }
                    }

The LFA next hop uses the RSVP tunnel. The reference to the RSVP tunnel ID 1 in the following show output corresponds with the tunnel ID shown in the preceding show router tunnel-table 192.0.2.6 output:

[/]
A:admin@PE-2# show router route-table alternative 192.0.2.6/32 

===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                   Metric    
      Alt-NextHop                                                Alt-      
                                                                 Metric    
-------------------------------------------------------------------------------
192.0.2.6/32                                  Remote  OSPF      00h00m38s  10
       192.168.26.2                                                 1
       192.0.2.6 (LFA) (tunneled:RSVP:1)                            65535
-------------------------------------------------------------------------------
No. of Routes: 1
Flags: n = Number of times nexthop is repeated
       Backup = BGP backup route
       LFA = Loop-Free Alternate nexthop
       S = Sticky ECMP requested
===============================================================================

The following command shows the FIB next hop summary:

[/]
A:admin@PE-2# show router fib 1 nh-table-usage 

===============================================================================
FIB Next-Hop Summary
===============================================================================
IPv4/IPv6                     Active                   Available
-------------------------------------------------------------------------------
IP Next-Hop                   9                        65535
Tunnel Next-Hop               1                        993279
ECMP Next-Hop                 0                        512000
ECMP Tunnel Next-Hop          0                        261120
===============================================================================

Example 4: Exclude prefix from LFA computation

The objective is to force no LFA next hop for LDP FEC prefix 192.0.2.1/32 where PE-2 is the PLR.

The IP FRR and LDP FRR implementation in SR OS allows to exclude an IGP interface, IGP area (OSPF), or IGP level (IS-IS) from the LFA SPF computation. The user can also exclude specific prefixes from the LFA SPF by using prefix lists and policy statements, which is configured as follows:

# on PE-2:
configure {
    policy-options {
        prefix-list "lo0-PE-1" {
            prefix 192.0.2.1/32 type exact {
            }
        }
        policy-statement "LFA_Exclude_PE-1" {
            entry 10 {
                from {
                    prefix-list ["lo0-PE-1"]
                }
                action {
                    action-type accept
                }
            }
        }

The configured policy statement is applied to the IGP protocol, as follows:

# on PE-2:
configure {
    router "Base" { 
        ospf 0 {
            loopfree-alternate {
                exclude {
                    prefix-policy ["LFA_Exclude_PE-1"]
                }
            }

From the moment that it is applied, the existing LFA next hop entries for LDP FEC prefix 192.0.2.5/32 disappear instantly (compare with the preceding example 1):

[/]
A:admin@PE-2# show router ldp bindings active prefixes prefix 192.0.2.1/32 

===============================================================================
LDP Bindings (IPv4 LSR ID 192.0.2.2)
             (IPv6 LSR ID ::)
===============================================================================
Label Status:
        U - Label In Use, N - Label Not In Use, W - Label Withdrawn
        WP - Label Withdraw Pending, BU - Alternate For Fast Re-Route
        e - Label ELC
FEC Flags:
        LF - Lower FEC, UF - Upper FEC, M - Community Mismatch,
        BA - ASBR Backup FEC
        (S) - Static           (M) - Multi-homed Secondary Support
        (B) - BGP Next Hop     (BU) - Alternate Next-hop for Fast Re-Route
        (I) - SR-ISIS Next Hop (O) - SR-OSPF Next Hop
        (C) - FEC resolved with class-based-forwarding
===============================================================================
LDP IPv4 Prefix Bindings (Active)
===============================================================================
Prefix                                      Op
IngLbl                                      EgrLbl
EgrNextHop                                  EgrIf/LspId
-------------------------------------------------------------------------------
192.0.2.1/32                                Push
  --                                        524287
192.168.12.1                                1/1/c2/1:1000
                                             
192.0.2.1/32                                Swap
524286                                      524287
192.168.12.1                                1/1/c2/1:1000
                                             
-------------------------------------------------------------------------------
No. of IPv4 Prefix Active Bindings: 2
===============================================================================

Conclusion

In production MPLS networks where IP FRR and/or LDP FRR are deployed, it is possible that the existing calculated LFA next hops are not always taking the most optimal or desirable paths.

With LFA policies, operators have better control on the way in which LFA backup next hops are computed.

Different selection criteria can be part of the route next hop policy: IP admin groups, IP SRLG groups, protection type preference, and next hop type preference.