BNG-UP resiliency

Resiliency based on Fate Sharing Group

The MAG-c groups the sessions in Fate Sharing Groups (FSGs). All sessions in an FSG share their fate, that is, they become active or standby together. The MAG-c provides the following parameters to the BNG-UP per FSG:

  • FSG ID
  • status (active or standby)
  • unique FSG MAC address also known as a virtual MAC
  • list of associated sessions and one or more aggregate routes associated with these sessions. For more information, see IP gateway, services, and routing.
  • FSG template

When the MAG-c does not provide an FSG template, the template with the name default is used. If there is no default template, the setup of the FSG and any associated session fails.

To configure FSG templates, use the configure subscriber-mgmt up-resiliency fate-sharing-group-template command.

After this, the active BNG-UP and standby BNG-UP are used in the context of a single FSG. Each BNG-UP can have multiple FSGs and can have a different status for each FSG.

To attract traffic from the access network, an active BNG-UP replies to ARP requests or ND messages for any IP gateway associated with the FSG. A standby BNG-UP never replies to those ARP or ND messages. To expedite convergence upon switching from standby to active, the new active BNG-UP sends Gratuitous ARP (GARP) messages using one of the IP gateway addresses for the FSG, or the system IP address if no IP gateway is known.

To configure the granularity of GARP messages for q-in-q SAPs, use the configure subscriber-mgmt up-resiliency fate-sharing-group-template gratuitous-arp command. You can configure the BNG-UP to send a single GARP message per SAP or per outer tag.

To correctly draw traffic to the active BNG-UP, the fsg-active and fsg-standby options are added to the state command in the configure policy-options policy-statement entry from context. All routes received from PFCP, including per-session framed routes, have one of these values as parameter. You can use this parameter to adjust values in routing export policies; for example, adjust a metric or a preference to the needs of the used routing protocol.

The following reduced configuration example shows a simplified policy that sets a metric of 100 for active routes and a metric of 200 for standby routes.

[gl:/configure policy-options policy-statement "upf_resiliency_aware_export"]
A:admin@BNG-UPF# info
    entry 20 {
        from {
            origin pfcp
            state fsg-active
        }
        action {
            action-type accept
            metric {
                set 100
            }
        }
    }
    entry 30 {
        from {
            origin pfcp
            state fsg-standby
        }
        action {
            action-type accept
            metric {
                set 200
            }
        }
    }
An active BNG-UP always forwards traffic in both directions. It uses the FSG MAC as source MAC for downlink unicast traffic. A standby BNG-UP by default forwards downlink traffic using its local port MAC as source MAC and drops all received uplink traffic. You can modify the default behavior in the following ways:
  • To shunt downlink traffic from the standby to the active BNG-UP and have the active BNG-UP forward that downlink traffic, do the following:
    • Configure a redundant interface using the configure subscriber-mgmt up-resiliency fate-sharing-group-template redundant-interface command.
    • Configure the same shunt ID on the active and the standby BNG-UP using the configure service ies subscriber-mgmt multi-chassis-shunt-id or configure service vprn subscriber-mgmt multi-chassis-shunt-id command depending on the service (IES or VPRN).
  • To enable forwarding of uplink traffic by the standby BNG-UP, use the configure subscriber-mgmt up-resiliency fate-sharing-group-template uplink-forwarding-while-standby command.
    Caution: Enabling the uplink-forwarding-while-standby command can lead to packet replication toward the core network. To prevent the possibility of packet replication toward the core network, provision the access network not to replicate unicast packets to the BNG-UP.
When the standby BNG-UP forwards uplink traffic, it can significantly lower packet loss during transition scenarios. The following examples illustrate this benefit:
  • If the current active BNG-UP fails and an access node detects this faster than the MAG-c (for example, using BFD), the access node can start sending packets to the standby BNG-UP before that BNG-UP has become active. When the uplink-forwarding-while-standby command is enabled, the uplink packets are not lost because the standby BNG-UP forwards them.
  • During scheduled maintenance, the MAG-c can switch the roles of the active and standby BNG-UP while both are healthy. For some time, the access node continues to send packets to the previously active BNG-UP that has become the standby BNG-UP. When the uplink-forwarding-while-standby command is enabled, the uplink packets are not lost because the previously active BNG-UP still forwards them. When the uplink-forwarding-while-standby command is disabled, the previously active BNG-UP drops the packets until the access node learns the path to the new active BNG-UP (using GARP).

The resiliency based on FSG does not use the SRRP protocol, but the system internally consumes an SRRP instance for each unique combination of FSG, port, and group interface template. To avoid potential conflicts with pre-configured SRRP instance IDs, define a range of SRRP instance IDs for the inter-BNG-UP resiliency functionality using the configure redundancy srrp auto-srrp-id-range command.

BNG-UP health reporting

The BNG-UP can send health reports to the MAG-c using PFCP Node Report messages. The MAG-c uses the health reports to determine the need for a BNG-UP status change (active or standby). Per FSG, the MAG-c selects the active and the standby BNG-UP. For example, the MAG-c can base its decision on link failures in the access network.

The BNG-UP supports health reports for the following contexts:
  • per network instance

    Configure the health monitoring using the commands in the configure service ies subscriber-mgmt up-resiliency or configure service vprn subscriber-mgmt up-resiliency context, depending on the service. The health reports per network instance can, for example, be used to indicate the status of the network where the subscriber is serviced.

  • per Layer 2 access ID

    Configure the health monitoring using the commands in the configure service vpls capture-sap pfcp up-resiliency context. The health reports per Layer 2 access ID can, for example, be used to indicate the status of the access links.

Each health report generates a single byte health value between 0 (unhealthy) and 255 (healthy). The base health value is 255 and decreases with the number of failed members in the operation group x the configured health drop number for the operational group.

Whenever a member of the operational group changes its state (fails or recovers), the BNG-UP calculates the health value and sends an updated report to the MAG-c.

To configure the operational group and the health drop number, use the monitor-oper-group and the monitor-oper-group health-drop commands in the above mentioned contexts.

For more information about operational groups, see 7450 ESS, 7750 SR, 7950 XRS, and VSR Layer 3 Services Guide: IES and VPRN, sections Object grouping and state monitoring.

With the following example configuration, the BNG-UP sends health reports for Layer 2 access ID (port) lag-access. The operational group has five members (port 1/1/20 to port 1/1/24) and the health value decreases with 51 per failed member, that is, with 20% of the base health value.

[gl:/configure port 1/1/20]
A:admin@BNG-UPF# info
    oper-group "lag_access_health"
[gl:/configure port 1/1/21]
A:admin@BNG-UPF# info
    oper-group "lag_access_health"
[gl:/configure port 1/1/22]
A:admin@BNG-UPF# info
    oper-group "lag_access_health"
[gl:/configure port 1/1/23]
A:admin@BNG-UPF# info
    oper-group "lag_access_health"
[gl:/configure port 1/1/24]
A:admin@BNG-UPF# info
    oper-group "lag_access_health"
[gl:/configure service vpls "access" capture-sap lag-access:*.* pfcp up-resiliency]
A:admin@BNG-UPF# info
    monitor-oper-group "lag_access_health" {
        health-drop 51
    }

With the following example configuration, the BNG-UP sends health reports for network instance HSI. The health drop number is not configured, that is, the default value of 255 is used. The health is based on a BFD session that is used to check if the BNG-UP is isolated from the rest of the network. When the BFD session is up, the health value equals 255, otherwise, the health value equals 0.

[gl:/configure service oper-group "hsi-bfd"]
A:admin@BNG-UPF# info
    bfd-liveness {
        router-instance "to_uplink_router"
        interface-name "endpoint"
        dest-ip 203.0.113.10
    }
[gl:/configure service vprn "hsi" subscriber-mgmt up-resiliency]
A:admin@BNG-UPF# info
    monitor-oper-group "hsi-bfd" {
    }

The BNG-UP sends a health report for every status change in the operational group. Additionally, it sends all health reports periodically (every 60 seconds) and when a PFCP audit is requested.

Interaction with headless mode

If the PFCP path between the BNG-UP and the MAG-c fails and the BNG-UP becomes headless, all active FSGs are autonomously changed to standby if the following conditions are met:
  • No single per network instance health is monitored.
  • All monitored per network instance health indicate failure.
When the headless conditions are no longer valid, the BNG-UP reverts the FSG state to active. The FSGs on standby during the headless conditions are kept as-is.
Note: If a BNG-UP is headless and not all per network instance health indicate failure, the existing FSGs stay active and attract traffic, for example, by replying to ARP/ND requests. If the MAG-c makes another BNG-UP active because of the headless conditions, both BNG-UPs may become active. Nokia recommends carefully monitoring this scenario for the following issues:
  • When the aggregation network replicates unicast packets to both BNG-UPs, these packets are forwarded twice, leading to duplicate packets in the network. If possible, disable any unicast replication to avoid this.
  • QoS enforcement is not guaranteed in this situation.
  • Charging and accounting is not accurate during this situation. When the MAG-c receives up-to-date statistics after recovering from headless mode, charging and accounting is accurate again.