Convergence Mechanism of SR-TE Policy based Explicit-Path with TI-LFA Node Protection

Introduction

This document describes node protection for the explicit primary path by Topology Independent (TI) - Loop-Free Alternative (LFA) and the solution using Segment Routing (SR) - Traffic Engineering (TE) path with SR-TE metric and Open Shortest Path First (OSPF) flexible algorithm.

Problem

This section explains the requirements of XYZ Networks, the design constraints and the reason why the TI-LFA backup path fails to protect any intermediate node failure for an explicitly defined primary path.

Requirements

As per XYZ Networks, these are the requirements of their greenfield network design:

1. The primary traffic path must be explicitly defined and controlled by SR-TE policy (admin) but not by IGP metric.

2. In case of link or node failure, the traffic must converge to a backup path in sub 50 msec of time with a zero-scale network.

If you take a look at Figure 1., an SR-TE policy has been configured end-to-end at the source node PE1 with PE3 being the destination node.

The synopsis of the SR-TE and OSPF configurations are:

segment-routing
 traffic-eng
   !
  !
  segment-list PrimaryPath1
   index 10 mpls adjacency 10.1.11.0 --> First Hop (P1 node) of the explicit-path
   index 20 mpls adjacency 10.1.3.1  --> Second Hop (P3 node) of the explicit-path
   index 30 mpls adjacency 10.3.13.1 --> Third Hop (PE3 node) of the explicit-path
  !
  policy POL1
   source-address ipv4 11.11.11.11          --> Source Node of the explicit-path
   color 10 end-point ipv4 33.33.33.33      --> Destination Node of the explicit-path
   candidate-paths
    preference 100         --> Secondary Path taken care of dynamically by IGP TI-LFA 
     dynamic
      metric
       type igp         
      !
     !
    !
    preference 200
     explicit segment-list PrimaryPath1   --> Primary Explicit-Path of the SR-TE policy 
     !
    !

router ospf CORE
 nsr
distribute link-state
 log adjacency changes
 router-id 11.11.11.11
 segment-routing mpls
 nsf cisco
 microloop avoidance segment-routing
 max-metric router-lsa on-startup 360
 area 0
  interface Bundle-Ether111    --> Primary Explicit-Path Interface
   authentication null
   network point-to-point
   fast-reroute per-prefix     
   fast-reroute per-prefix ti-lfa enable       --> Enabling TI-LFA on the primary interface
   fast-reroute per-prefix tiebreaker node-protecting index 100
   fast-reroute per-prefix tiebreaker srlg-disjoint index 200
   prefix-suppression
  !
  interface Bundle-Ether211    --> Secondary Dynamic Path Interface
   authentication null
   network point-to-point
   fast-reroute per-prefix
   fast-reroute per-prefix ti-lfa enable       --> Enabling TI-LFA on the secondary interface
   fast-reroute per-prefix tiebreaker node-protecting index 100
   fast-reroute per-prefix tiebreaker srlg-disjoint index 200
   prefix-suppression
  !
  interface Loopback80
   passive enable
   prefix-sid index 32130         --> Enabling Node SID on the loopback interface
  !
 !

This configuration is a sample method to configure an explicit-path driven SR-TE policy, there are other ways as well. And under OSPF, it is observed that there is TI-LFA enabled.

However, with the SR-TE and OSPF feature combination, it is found in the lab with SR-TE Explicit Path Policy that OSPF TI-LFA is not able to curve out and install a post-convergence, end-to-end (PE1 to PE3) backup path of the SR-TE Explicit Primary Path for intermediate node failure scenarios as shown in Figure 2. As a result, the traffic protection convergence time exceeds well beyond 50 msec in case either the P1 or P3 node goes down.

A simple example has been chosen to explain the issue:

Figure 1: Normal Traffic Scenario

As in Figure 1., the traffic source node is PE1 and the destination node is PE3. Here if we configure an SR-TE explicit path policy where there is an administrative need to send the traffic via explicit primary traffic path PE1> P1> P3> PE3.

Under this situation, if we configure an explicit SR-TE path via PE1> P1 > P3> PE3 then in case of node failure as shown in Figure 2., TI-LFA is not able to protect the node failure scenario but is able to only protect the link failure scenario. The link failure scenario has been covered in detail in the reference document Convergence of SR-TE Explicit-Path for Link Protection.

Figure 2: Failover Traffic Scenario

TI-LFA once configured under OSPF, by default, points to the Node SID of the destination node to compute and install the backup path in the data plane.

But for this scenario and feature set configuration, TI-LFA coverage from the source node to the destination node does not work, or in other words, the TI-LFA backup path fails to protect any intermediate node failure under 50 msec for the explicitly defined primary path.

Analysis shows that the TI-LFA backup path computation algorithm takes the first next-hop/node in the explicit path as the destination endpoint instead of the actual destination node and calculates the backup path trying to protect only the first next-hop/node, for example, node P1 as in Figure 2. As a result, TI-LFA is not able to compute and install a backup path to protect the actual endpoint or destination node, for example, node PE3.

Hence, it is not able to provide end-to-end protection within sub 50 msec of convergence for the actual destination node PE3 for an intermediate node failure in an explicitly defined primary traffic path.

Another way to look at it is in Figure 1., if you configure the node P3 as the next hop in the explicit path then TI-LFA can provide sub-50 msec of protection for node P1 failure and vice versa. But the node protection cannot happen for that particular node which is defined as one of the explicit hops of the end-to-end explicit path.

Solution

This section focuses on points for explicit primary path-specific scenarios:

A proven and tested out solution is to bring in some additional features/modifications to the scenario so as to enable TI-LFA to take care of the sub-50 msec of convergence during the node failure scenario as well along with the link failure. This solution has been chosen based on the requirements of XYZ Network as mentioned in the Problem section.

1. Explicit-Path is needed but the IGP metric cannot be used as per the requirement.

2. Hence, an alternate metric (SR-TE metric) is used to steer the traffic on a certain path without specifying the explicit hops.

3. OSPF Flex-Algo is used to send traffic to the destination node (using a separate Flex-Algo Node SID reachable via the flex algo) via the topology that uses the SR-TE metric.

3. After OSPF Flex-Algo is added, TI-LFA is able to function normally as it now can protect the actual destination Node SID.

Understanding Different Components of the Solution

Explicit Path Characteristic

Since as per one of the requirements IGP metric cannot be used for explicit control of the primary path, the explicit streamlined characteristic of the primary SR-TE path is controlled via the TE metric additionally configured under the SR-TE interfaces (under segment-routing) for all nodes including the headend PE node till the remote destination PE. Their SR-TE metrics are in turn used by OSPF Flex Algo to create an explicit path under the flex-algo paradigm.

SR-TE metric under Segment Routing at PE1:

segment-routing
 global-block 100000 299999
 traffic-eng
  interface Bundle-Ether111
   metric 10  --> SR-TE Metric of BE111 is less that BE211, so it is a more preferred explicit path given that rest of the SR-TE link cost is same
  !
 interface Bundle-Ether211
   metric 100
  !
  logging
   policy status
  !
  policy er100_to_er102   --> SR-TE policy defined
   source-address ipv4 11.11.11.11.       --> Source Node of the explicit-path
   color 150 end-point ipv4 33.33.33.33   --> Destination Node of the explicit-path
   autoroute
    force-sr-include
    include all
   !
   candidate-paths
    preference 200
     dynamic    --> Here that the primary path is configured as dynamic but it is the SR-TE metric defined above which helps Flex-Algo make it fixed or explicit
     !
     constraints
      segments
       sid-algorithm 128.  --> Primary SR-TE path is configured with constraint as Flex-Algo 128 with no explicit backup path since TI-LFA takes care of the backup path implicitly ensuring sub 50 msec of convergence
      !
     !

Show command at node PE1:

P/0/RP0/CPU0:PE1#show segment-routing traffic-eng policy 
Fri Feb  3 10:25:24.716 UTC

SR-TE policy database
---------------------
Color: 150, End-point: 33.33.33.33  --> Color and Endpoint Loopback IP address of PE3
  Name: srte_c_150_ep_33.33.33.33
  Status:
    Admin: up  Operational: up for 04:57:30 (since Feb  3 05:27:54.774)
  Candidate-paths:
    Preference: 200 (configuration) (active)   --> Preference of 200 as configured under SR-TE policy
      Name: er100_to_er102
      Requested BSID: dynamic
      Constraints:
        Prefix-SID Algorithm: 128    --> Attached to Flex-Algo 128 as configured under SR-TE policy
        Protection Type: protected-preferred   --> Protected Primary Path
        Maximum SID Depth: 12 
      Dynamic (valid)
        Metric Type: TE,   Path Accumulated Metric: 0   --> Metric Type is SR-TE metric
          133138 [Prefix-SID: 33.33.33.33, Algorithm: 128]. --> Node SID of destination node PE3 with index 33138
   Attributes:
    Binding SID: 24010
    Forward Class: Not Configured
    Steering labeled-services disabled: no
    Steering BGP disabled: no
    IPv6 caps enable: yes
    Invalidation drop enabled: no

OSPF Flex-Algo

Overview:

Segment Routing Flexible Algorithm allows operators to customize IGP shortest path computation according to their own needs. An operator can assign custom SR prefix-SIDs to realize forwarding beyond link-cost-based SPF. As a result, Flexible Algorithm provides a traffic-engineered path automatically computed by the IGP to any destination reachable by the IGP.

To provide maximum flexibility, the mapping between the algorithm value and its meaning can be defined by the user. When all the routers in the domain have a common understanding of what the particular algorithm value represents, the computation for such an algorithm is consistent and the traffic is not subject to looping. Here, since the meaning of the algorithm is not defined by any standard, but is defined by the user, it is called a Flexible Algorithm.

Under the OSPF routing paradigm, many possible constraints can be used to compute a path over a network. Some networks are deployed with a single IGP plane and others with multiple IGP planes. For any given network, under each OSPF process, by default, there exists Flex-Algo 0 with a simple form of constraint, for example, OSPF metric.

However, keeping specific requirements in mind, a more sophisticated form of constraint is used here which includes extended parameters like TE-metric (Multiple Flex-Algo numbers range from 128 to 255). In Cisco IOS® XR 7.3.2, this TE metric has to be configured under the SR-TE traffic engineering section but is used by OSPF Flex-Algo for explicit-path computation.

TI-LFA computes the backup path and keeps the data plane ready in case of primary path failure and switches the traffic with a convergence time of sub 50 msec for a zero-scaled network.

Configuration:

OSPF Flex-Algo is configured under Router OSPF and advertised across the network. OSPF flex-algo and TE metric together take care of the explicit path and sub-50 msec of convergence. Configuring Flex-Algo under OSPF builds up a virtual OSPF topology and helps TI-LFA to compute end-to-end backup path in advance for a pair of source-destination endpoints, which in turn ensures less than 50 sec of convergence for primary path failure.

OSPF Configuration at PE1:

router ospf CORE
 nsr
 distribute link-state
 log adjacency changes
 router-id 11.11.11.11
 segment-routing mpls
 nsf cisco
 microloop avoidance segment-routing
 max-metric router-lsa on-startup 360
 area 0
  interface Bundle-Ether111
   cost 10000 
   authentication null
   network point-to-point
   fast-reroute per-prefix
   fast-reroute per-prefix ti-lfa enable
   fast-reroute per-prefix tiebreaker node-protecting index 100
   fast-reroute per-prefix tiebreaker srlg-disjoint index 200
   prefix-suppression
  !
  interface Bundle-Ether211
   cost 10000
   authentication null
   network point-to-point
   fast-reroute per-prefix
   fast-reroute per-prefix ti-lfa enable
   fast-reroute per-prefix tiebreaker node-protecting index 100
   fast-reroute per-prefix tiebreaker srlg-disjoint index 200
   prefix-suppression
  !
  interface Loopback80
   passive enable
   prefix-sid index 32130
   prefix-sid algorithm 128 index 33130     --> Assigning different Node SIDs to different Flex Algo to keep it unique
   prefix-sid algorithm 129 index 34130     --> Assigning different Node SIDs to different Flex Algo to keep it unique
  !
 !
flex-algo 128         --> Defining OSPF Flex Algo which creates a virtual topology and enables TI-LFA to take care of sub 50 msec of convergence
  metric-type te-metric
  advertise-definition
 !
flex-algo 129.       --> One or more than one Flex Algo can be defined based on the requirement
  metric-type delay
  advertise-definition
 !
!

OSPF Config at PE3:

router ospf CORE
 nsr
 distribute link-state
 log adjacency changes
 router-id 33.33.33.33
 segment-routing mpls
 nsf cisco
 microloop avoidance segment-routing
 max-metric router-lsa on-startup 360
 area 0
  interface Bundle-Ether111
   cost 10000
   authentication null
   network point-to-point
   fast-reroute per-prefix
   fast-reroute per-prefix ti-lfa enable
   fast-reroute per-prefix tiebreaker node-protecting index 100
   fast-reroute per-prefix tiebreaker srlg-disjoint index 200
   prefix-suppression
  !
  interface Bundle-Ether211
   cost 10000
   authentication null
   network point-to-point
   fast-reroute per-prefix
   fast-reroute per-prefix ti-lfa enable
   fast-reroute per-prefix tiebreaker node-protecting index 100
   fast-reroute per-prefix tiebreaker srlg-disjoint index 200
   prefix-suppression
  !
  interface Loopback80
   passive enable
   prefix-sid index 32138
   prefix-sid algorithm 128 index 33138   --> Node SID assigned for OSPF Flex-Algo 128 which is shown above by show command at PE1
   prefix-sid algorithm 129 index 34138   --> Assigning different Node SIDs to different Flex Algo to keep it unique
  !
 !
flex-algo 128.         --> Defining OSPF Flex Algo which creates a virtual topology and enables TI-LFA to take care of sub 50 msec of convergence
  metric-type te-metric --> Metric type te-metric
  advertise-definition  --> To enable the router to advertise the definition for the particular Flexible Algorithm, advertise-definition command is used
 !
flex-algo 129          --> Additional Flex Algo definition (if needed)    
  metric-type delay     --> Metric type delay
  advertise-definition
 !       
!

Solution Summary

To summarize, the SR-TE metrics help to navigate the traffic through the designated SR-TE explicit-path, since the IGP metric cannot be used. OSPF Flex-Algo, by adding one layer of the virtual control plane, helps TI-LFA to ensure a sub-50 msec of convergence of the primary explicit-path traffic to the pre-calculated TI-LFA backup path. This happens since only destination Node SID is being advertised to enable TI-LFA to determine the actual destination node and thereby protect both the intermediate nodes (P1 & P3) between a pair of source-destination nodes of the explicit primary path PE1> P1 > P3> PE3. The dynamically protected backup path adhering sub 50 msec of convergence with zero-scale, in this case, is PE1> P2 > P4> PE3.

Software Used

The software used to test and validate the solution is Cisco IOS® XR 7.3.2

Related Information

• Part 1. Convergence of SR-TE Explicit-Path for Link Protection
• Cisco Technical Support & Downloads