Application Assurance — Asymmetry Removal
This chapter describes Application Assurance asymmetry removal configurations.
Topics in this chapter include:
Applicability
This chapter was originally written for and configured on SR OS Release 11.0.R1. The MD-CLI in the current edition corresponds to SR OS Release 25.7.R2.
This chapter is intended for Application Assurance (AA) network architects and engineers. The prerequisites for this chapter are a base understanding of AA configuration and operation for single homed deployments. This chapter applies to dual-homed SAPs and spoke SDPs configurations, in a business or residential AA context. AARP is not used for ESM AA subscribers.
Overview
This chapter provides best practices recommendations to configure AA asymmetry removal.
Asymmetry means that the two directions of a traffic flow (to-sub and from-sub) take different paths through the network. Asymmetry removal is a means of eliminating traffic asymmetry between a set of dual-homed SAP or spoke SDP endpoints. This can be across endpoints within a single node or across a pair of inter-chassis link connected routers, which is the topology described in this chapter. Asymmetry removal ensures all packets of a dual-homed AA subscriber are diverted to an AA ISA to achieve accurate per subscriber traffic identification and policy enforcement.
Traffic asymmetry is created when there are dual-homed links for a service, and the links are simultaneously carrying traffic. Asymmetry removal for transit subscribers must be implemented in the first routed hop on the network side of the subscriber management point, so there is a deterministic and fixed SAP or spoke SDP representing the downstream subscriber management node. This ensures there are no more than two paths that the flows can take, both covered by the asymmetry removal solution.
Configuration
Application Assurance Redundancy Protocol (AARP) provides the data plane connectivity for dynamically keeping a dual-homed AA subscriber’s traffic on the same ISA-AA for AA processing. An AARP instance is configured between the dual-homed routers to establish connectivity with the same AARP instance number on each node.
When asymmetry exists between dual-chassis redundant systems, Ipipe spoke SDPs are used to interconnect these services between peer nodes over an Inter-Chassis Link (ICL). The following sections describe the configuration and operation of the services for use with the Application Assurance Redundancy Protocol.
AARP service configuration
AA asymmetry removal topology shows the following services configured to establish communications between the AARP instances in each of the paired nodes. The network topology is a VPRN (or IES) service configured in each node, with a dual-homed SAP from each node to a downstream access element such as a BNG.
The initial configuration on PE-1 and PE-2 includes an ISA AA group and partition with an identical AA policy "app-prof-1" and divert enabled. Also, the system needs basic routing and LDP configuration for the SDP and the spoke SDPs to be established.
AA asymmetry removal topology shows the system IP addresses, VPRN service, SAPs, and app-profile on PE-1 and PE-2.
|
On PE-1 |
On PE-2 |
|---|---|
|
system IP address: 192.0.2.1 |
system IP address: 192.0.2.2 |
|
dual-homed service: VPRN 200 |
dual-homed service: VPRN 200 |
|
dual-homed SAP: 1/1/4:200 |
dual-homed SAP: 1/1/4:200 |
|
app-profile diverting: yes |
app-profile diverting: yes |
Configuration commands for AARP
To enable AARP, AARP instances and AARP interfaces on both nodes must be configured. The AARP operation has the following dependencies between the nodes:
Shunt links configured and operationally up, both subscriber side shunt and network side shunt.
Peer communications established between nodes, AARP instance operational status is up when peers are communicating.
Dual-homed SAPs and spoke SDPs configured with a unique AARP instance (matched by dual-homed interface).
App-profile "app-prof-1" configured against SAP or spoke SDP with divert enabled (making the sub an aa-sub). The app-profile is the trigger to divert the traffic in the node with the active AARP instance to one of the ISAs in that node, per normal AA divert behavior.
The following AARP configuration on PE-1 and PE-2 is similar. PE-1 is the primary node because it gets the higher priority.
# on primary node PE-1:
configure {
application-assurance {
aarp 200 {
admin-state enable
description "aarp protecting a dual-homed sap"
peer 192.0.2.2
priority 200 # higher priority (PE-1 is primary; PE-2 is backup)
}
# on backup node PE-2:
configure {
application-assurance {
aarp 200 {
admin-state enable
description "aarp protecting a dual-homed sap"
peer 192.0.2.1
# priority 100 ## default
}
The following SDPs are configured:
# on PE-1:
configure {
service {
sdp 12 {
admin-state enable
delivery-type mpls
ldp true
far-end {
ip-address 192.0.2.2
}
}
# on PE-2:
configure {
service {
sdp 21 {
admin-state enable
delivery-type mpls
ldp true
far-end {
ip-address 192.0.2.1
}
}
The Ipipe shunt configuration is as follows:
# on PE-1:
configure {
service {
ipipe "Ipipe-210" {
admin-state enable
service-id 210
customer "1"
vc-switching true
service-mtu 1552
spoke-sdp 12:212 {
aarp {
id 200
type subscriber-side-shunt
}
}
spoke-sdp 12:213 {
aarp {
id 200
type network-side-shunt
}
}
}
# on PE-2:
configure {
service {
ipipe "Ipipe-210" {
admin-state enable
service-id 210
customer "1"
vc-switching true
service-mtu 1552
spoke-sdp 21:200 {
aarp {
id 200
type subscriber-side-shunt
}
}
spoke-sdp 21:201 {
aarp {
id 200
type network-side-shunt
}
}
}
The dual-homed and interface shunt configuration in VPRN 200 is as follows:
# on PE-1:
configure {
service {
vprn "VPRN-200" {
admin-state enable
service-id 200
customer "1"
bgp-ipvpn {
mpls {
admin-state enable
route-distinguisher "64496:200"
}
}
interface "int-BNG-1" {
sap 1/1/4:200 {
description "AA enabled SAP"
app-profile "app-prof-1"
aarp {
id 200
type dual-homed
}
}
}
aarp-interface "netside_1" {
spoke-sdp 12:201 {
aarp {
id 200
type network-side-shunt
}
}
}
aarp-interface "subside_1" {
spoke-sdp 12:200 {
aarp {
id 200
type subscriber-side-shunt
}
}
}
}
# on PE-2:
configure {
service {
vprn "VPRN-200" {
admin-state enable
description "VPRN 200 Dual Homed Routed Service"
service-id 200
customer "1"
bgp-ipvpn {
mpls {
admin-state enable
route-distinguisher "64496:200"
}
}
interface "int-BNG-1" {
sap 1/1/4:200 {
app-profile "app-prof-1"
aarp {
id 200
type dual-homed
}
}
}
aarp-interface "netside_1" {
spoke-sdp 21:213 {
aarp {
id 200
type network-side-shunt
}
}
}
aarp-interface "subside_1" {
spoke-sdp 21:212 {
aarp {
id 200
type subscriber-side-shunt
}
}
}
}
Show commands for AARP
The configuration can be verified on each node. The following output displays the example configuration for PE-1.
Starting with the AARP instance in each node, the following command verifies that the AARP instance operational state is up:
[/]
A:admin@PE-1# show application-assurance aarp 200
===============================================================================
AARP Instance 200
===============================================================================
Description : aarp protecting a dual-homed sap
Admin State : Up Oper State : Up
Local IP : 192.0.2.1 Peer IP : 192.0.2.2
Local State : master Peer State : backup
Local Priority : 200 Peer Priority : 100
Local Flags : none
Peer Flags : none
Peer End-Point : none
Master Selection Mode : minimizeSwitchovers
-------------------------------------------------------------------------------
Service References
-------------------------------------------------------------------------------
Service Reference Reference Type
-------------------------------------------------------------------------------
VPRN 200 1/1/4:200 Dual-Homed
Ipipe 210 12:212 Subscriber-Side Pipe Shunt
Ipipe 210 12:213 Network-Side Pipe Shunt
VPRN 200 12:200 Subscriber-Side AARP-Interface Shunt
VPRN 200 12:201 Network-Side AARP-Interface Shunt
-------------------------------------------------------------------------------
No. of service references: 5
-------------------------------------------------------------------------------
===============================================================================
Verifying that the AARP instance is up is an indication that the dual-node communications for AARP is working (instance, shunts, and so on). In addition, in the preceding output, verify on both PE nodes that the intended SAPs are dual-homed for that instance.
Now a detailed review of the configured AARP shunt infrastructure services can be shown to make sure they are all properly configured with the intended AARP parameters (such as AARP ID and Type on the network and subscriber side shunts) as displayed in the following output:
[/]
A:admin@PE-1# show service id "Ipipe-210" all
===============================================================================
Service Detailed Information
===============================================================================
Service Id : 210 Vpn Id : 0
Service Type : Ipipe
MACSec enabled : no
Name : Ipipe-210
Description : (Not Specified)
Customer Id : 1 Creation Origin : manual
Last Status Change: 09/16/2025 12:47:16
Last Mgmt Change : 09/16/2025 12:47:03
Admin State : Up Oper State : Up
MTU : 1552
Vc Switching : True
SAP Count : 0 SDP Bind Count : 2
CE IPv4 Discovery : n/a
CE IPv6 Discovery : n/a Stack Cap Sig : n/a
-------------------------------------------------------------------------------
ETH-CFM service specifics
-------------------------------------------------------------------------------
Tunnel Faults : ignore
-------------------------------------------------------------------------------
Service Destination Points(SDPs)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Sdp Id 12:212 -(192.0.2.2)
-------------------------------------------------------------------------------
Description : (Not Specified)
SDP Id : 12:212 Type : Spoke
Spoke Descr : (Not Specified)
Split Horiz Grp : (Not Specified)
VC Type : Ipipe VC Tag : 0
Admin Path MTU : 0 Oper Path MTU : 1552
Delivery : MPLS
Far End : 192.0.2.2 Tunnel Far End :
Oper Tunnel Far End: 192.0.2.2
LSP Types : LDP
Hash Label : Disabled Hash Lbl Sig Cap : Disabled
Oper Hash Label : Disabled
Entropy Label : Disabled
Admin State : Up Oper State : Up
MinReqd SdpOperMTU : 1552
Acct. Pol : None Collect Stats : Disabled
Ingress Label : 524281 Egress Label : 524281
---snip---
Application Profile: None
Transit Policy : None
AARP Id : 200
AARP Type : subscriber-side-shunt
---snip---
-------------------------------------------------------------------------------
IPIPE Service Destination Point specifics
-------------------------------------------------------------------------------
Configured CE IPv4 Addr: n/a Peer CE IPv4 Addr : 0.0.0.0
-------------------------------------------------------------------------------
Sdp Id 12:213 -(192.0.2.2)
-------------------------------------------------------------------------------
Description : (Not Specified)
SDP Id : 12:213 Type : Spoke
Spoke Descr : (Not Specified)
Split Horiz Grp : (Not Specified)
VC Type : Ipipe VC Tag : 0
Admin Path MTU : 0 Oper Path MTU : 1552
Delivery : MPLS
Far End : 192.0.2.2 Tunnel Far End :
Oper Tunnel Far End: 192.0.2.2
LSP Types : LDP
Hash Label : Disabled Hash Lbl Sig Cap : Disabled
Oper Hash Label : Disabled
Entropy Label : Disabled
Admin State : Up Oper State : Up
MinReqd SdpOperMTU : 1552
Acct. Pol : None Collect Stats : Disabled
Ingress Label : 524280 Egress Label : 524280
---snip---
Application Profile: None
Transit Policy : None
AARP Id : 200
AARP Type : network-side-shunt
---snip---
Next, the configuration of the VPRN service of the dual-homed SAP can be reviewed to ensure it reflects the attached endpoints for the shunt Ipipe spoke SDPs:
[/]
A:admin@PE-1# show service id "VPRN-200" all
===============================================================================
Service Detailed Information
===============================================================================
Service Id : 200 Vpn Id : 0
Service Type : VPRN
MACSec enabled : no
Name : VPRN-200
Description : (Not Specified)
Customer Id : 1 Creation Origin : manual
Last Status Change: 09/16/2025 12:47:03
Last Mgmt Change : 09/16/2025 12:47:03
Admin State : Up Oper State : Up
Router Oper State : Up
Route Dist. : 64496:200 VPRN Type : regular
Oper Route Dist : 64496:200
Oper RD Type : configured
AS Number : None Router Id : 192.0.2.1
ECMP : Enabled ECMP Max Routes : 1
Max IPv4 Routes : No Limit
Local Rt Domain-Id: None D-Path Lng Ignore : Disabled
Auto Bind Tunnel
Allow Flex-Alg-Fb : Disabled
Resolution : disabled
Weighted ECMP : Disabled ECMP Max Routes : 1
Strict Tnl Tag : Disabled
Max IPv6 Routes : No Limit
Ignore NH Metric : Disabled
Hash Label : Disabled
Entropy Label : Disabled
Vrf Target : None
Vrf Import : None
Vrf Export : None
MVPN Vrf Target : None
MVPN Vrf Import : None
MVPN Vrf Export : None
Car. Sup C-VPN : Disabled
Label mode : vrf
BGP VPN Backup : Disabled
BGP Export Inactv : Disabled
LOG all events : Disabled
SAP Count : 1 SDP Bind Count : 2
-------------------------------------------------------------------------------
---snip---
-------------------------------------------------------------------------------
Service Destination Points(SDPs)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Sdp Id 12:200 -(192.0.2.2)
-------------------------------------------------------------------------------
Description : (Not Specified)
SDP Id : 12:200 Type : Spoke
Spoke Descr : (Not Specified)
VC Type : n/a VC Tag : n/a
Admin Path MTU : 0 Oper Path MTU : 1552
Delivery : MPLS
Far End : 192.0.2.2 Tunnel Far End :
Oper Tunnel Far End: 192.0.2.2
LSP Types : LDP
Hash Label : Disabled Hash Lbl Sig Cap : Disabled
Oper Hash Label : Disabled
Entropy Label : Disabled
Admin State : Up Oper State : Up
---snip---
Application Profile: None
Transit Policy : None
AARP Id : 200
AARP Type : subscriber-side-shunt
---snip---
-------------------------------------------------------------------------------
IPIPE Service Destination Point specifics
-------------------------------------------------------------------------------
Configured CE IPv4 Addr: n/a Peer CE IPv4 Addr : 0.0.0.0
-------------------------------------------------------------------------------
Sdp Id 12:201 -(192.0.2.2)
-------------------------------------------------------------------------------
Description : (Not Specified)
SDP Id : 12:201 Type : Spoke
Spoke Descr : (Not Specified)
VC Type : n/a VC Tag : n/a
Admin Path MTU : 0 Oper Path MTU : 1552
Delivery : MPLS
Far End : 192.0.2.2 Tunnel Far End :
Oper Tunnel Far End: 192.0.2.2
LSP Types : LDP
Hash Label : Disabled Hash Lbl Sig Cap : Disabled
Oper Hash Label : Disabled
Entropy Label : Disabled
Admin State : Up Oper State : Up
---snip---
Application Profile: None
Transit Policy : None
AARP Id : 200
AARP Type : network-side-shunt
---snip---
Continuing deeper into the same VPRN service show output, or using the following show command, it can be verified that the dual-homed SAP itself is properly configured and associated with that service and AARP instance:
[/]
A:admin@PE-1# show service id "VPRN-200" sap 1/1/4:200 detail
===============================================================================
Service Access Points(SAP)
===============================================================================
Service Id : 200
SAP : 1/1/4:200 Encap : q-tag
Description : AA enabled SAP
Admin State : Up Oper State : Up
Flags : None
Multi Svc Site : None
Last Status Change : 09/16/2025 12:35:38
Last Mgmt Change : 09/16/2025 12:47:03
Sub Type : regular
Dot1Q Ethertype : 0x8100 QinQ Ethertype : 0x8100
Split Horizon Group: (Not Specified)
Admin MTU : 1518 Oper MTU : 1518
Ingr IP Fltr-Id : n/a Egr IP Fltr-Id : n/a
Ingr Mac Fltr-Id : n/a Egr Mac Fltr-Id : n/a
Ingr IPv6 Fltr-Id : n/a Egr IPv6 Fltr-Id : n/a
qinq-pbit-marking : both
Egr Agg Rate Limit : max
Q Frame-Based Acct : Disabled Limit Unused BW : Disabled
Qinq-vlan- Qinq-vlan-
translation : None translation Ids : None
Acct. Pol : None Collect Stats : Disabled
Anti Spoofing : None Dynamic Hosts : Enabled
Avl Static Hosts : 0 Tot Static Hosts : 0
Calling-Station-Id : n/a
Application Profile: app-prof-1
Transit Policy : None
AARP Id : 200
AARP Type : dual-homed
Oper Group : (none) Monitor Oper Grp : (none)
Host Lockout Plcy : n/a
Lag Link Map Prof : (none)
Bandwidth : Not-Applicable
Oper DCpu Prot Pol : _default-access-policy
Virtual Port : (Not Specified)
-------------------------------------------------------------------------------
---snip---
Network to subscriber traffic flow
When the AARP is operationally up, AARP tracks which ISA is the primary ISA for each dual-homed AARP instance and uses the inter-chassis services (spoke SDP AARP shunts) to move all traffic for each instance traffic to the node with the primary ISA. Traffic from the backup AARP interface is sent the primary AARP node for AA divert. Afterward the traffic is sent back to the backup AARP interface.
Looking at traffic in the network to subscriber direction (Network to subscriber traffic flow):
Traffic arriving on PE-1 is diverted to the local primary ISA, processed, then proceeds to the egress SAP.
Traffic arriving on PE-2 with the backup AARP interface is sent to the primary node for AA processing. The ingress FP forwards packets to network-side-shunt AARP interface for remote AA divert.
Arriving on PE-1, the packets on the AARP Ipipe are diverted to the primary ISA where the packets are processed as if this traffic was traveling in the to-sub direction toward the dual-homed endpoint on PE-1, then returned to PE-2.
Entering PE-2, the traffic from the subscriber side shunt interface is not diverted to ISAs in that node and egresses on the AARP instance SAP.
With this behavior, traffic always returns to the original ingress node before egressing toward the subscriber (network path for the flows are not modified).
Subscriber to network traffic flow
Looking at traffic in the subscriber to network direction (Subscriber to network traffic flow):
Traffic arriving on PE-1 is diverted to the local primary ISA, processed, then proceeds to the egress SAP.
Traffic arriving on PE-2 with the backup AARP ISA is sent to the primary node for AA processing (not diverted to an ISA in PE-2). The ingress FP forwards packets to subscriber-side-shunt AARP interface for remote AA divert.
Arriving on PE-1, the packets on the AARP Ipipe are diverted to the primary ISA where the packets are processed as if the traffic was flowing in the from-sub direction on the dual-homed endpoint, then returned to PE-2 over the Ipipe AARP subscriber-side-shunt.
Entering PE-2, the traffic from the network side shunt interface is forwarded by the VPRN or IES service to its destination.
Figure 3. Subscriber to network traffic flow 
Typical configuration mistakes
Operators configuring AARP can make some typical mistakes listed below that keep the AARP instance in operational state down:
The spoke SDP AARP shunt instances’ IDs must be aligned with the respective spoke SDP on the peer node: if not, it results in a flag indicating that the shunts are down in the show output.
Ipipe service MTU alignment — The Ipipe service MTU values must be the same in both nodes, otherwise it results in the VPRN or IES services in operational status up, but the AARP instance remains down.
Conclusion
This chapter is intended for Application Assurance (AA) network architects and engineers to provide the information required to understand and configure dual-node asymmetry removal following the intended service configuration as used by the AARP implementation.