Egress Protection (draft-shen-mpls-egress-protection-framework) Presented by Krzysztof G. Szarkowicz NANOG71 October 4, 2017
Current status draft-shen-mpls-egress-protection-framework-05 Co-authored by Juniper Networks, Orange, RtBrick, Deutsche Telekom and Huawei Technologies Current draft (05) issued around two months ago (on July 31, 2017) Discusses the overall framework for egress node protection egress link protection Provides some examples for egress node protection egress link protection First deployment started few years ago in one of DT s network Proven and stable architecture
Lets start Lets start with Clarifying the model Clarifying the terminology Before jumping to the deeper level
Seamless MPLS Architectural Model NODES AN SN TN BN TN BN TN BN BN TN BN TN BN TN SN AN CE PE P ABR P ABR P ASBR ASBR P ABR P ABR P PE CE AS X AS Y Area 1 Area 0 Area 2 Area 1 Area 0 Area 2 Intra-domain (area or autonomous system) transport Inter-domain (area or autonomous system) transport IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP ibgp-lu ibgp-lu ibgp-lu ebgp-lu ibgp-lu ibgp-lu ibgp-lu nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs Legend AN Access Node (CE, CPE) BN Border Node (ABR, ASBR) SN Services Node (PE) TN Transport Node (P) Inter-domain endto-end LSP model LDP/RSVP LSP LDP/RSVP LDP LDP/RSVP LDP LDP/RSVP LSP LDP/RSVP LSP LDP/RSVP LSP BGP-LU LSP
E2E protection Terminology NODES Access Node (AN) Non-MPLS node connected to MPLS based Service Node (PE) AN (CE, CPE) in seamless MPLS architecture Ingress Node (IN) First node of intra-area (LDP/RSVP) LSP SN (PE) or BN (ABR, ASBR) in seamless MPLS architecture Egress Node (EN) Last node of intra-area (LDP/RSVP) LSP BN that has directly connected downstream BGP-LU neighbor with not underlying LDP/RSVP LSP (e.g. ASBR scenario) SN (PE) or BN (ABR, ASBR) in seamless MPLS architecture Transit Node (TN) Transit node (between ingress and egress) in intra-area (LDP/RSVP) LSP TN (P) in seamless MPLS architecture Each intra-area (LDP/RSVP) LSP has exactly one ingress node, exactly one egress node and may have (multiple) transit node(s), if LSP is longer than one hop
E2E protection Terminology ACCESS NODE (AN) AN SN TN BN TN BN TN BN BN TN BN TN BN TN SN AN CE PE P ABR P ABR P ASBR ASBR P ABR P ABR P PE CE AS X Traffic flow direction AS Y Area 1 Area 0 Area 2 Area 1 Area 0 Area 2 Intra-domain (area or autonomous system) transport Inter-domain (area or autonomous system) transport IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP ibgp-lu ibgp-lu ibgp-lu ebgp-lu ibgp-lu ibgp-lu ibgp-lu nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs Legend AN Access Node (CE, CPE) BN Border Node (ABR, ASBR) SN Services Node (PE) TN Transport Node (P) Inter-domain endto-end LSP model LDP/RSVP LSP LDP/RSVP LDP LDP/RSVP LDP LDP/RSVP LSP LDP/RSVP LSP LDP/RSVP LSP BGP-LU LSP
E2E protection Terminology INGRESS NODE (IN) AN SN TN BN TN BN TN BN BN TN BN TN BN TN SN AN CE PE P ABR P ABR P ASBR ASBR P ABR P ABR P PE CE AS X Traffic flow direction AS Y Area 1 Area 0 Area 2 Area 1 Area 0 Area 2 Intra-domain (area or autonomous system) transport Inter-domain (area or autonomous system) transport IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP ibgp-lu ibgp-lu ibgp-lu ebgp-lu ibgp-lu ibgp-lu ibgp-lu nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs Legend AN Access Node (CE, CPE) BN Border Node (ABR, ASBR) SN Services Node (PE) TN Transport Node (P) Inter-domain endto-end LSP model LDP/RSVP LSP LDP/RSVP LDP LDP/RSVP LDP LDP/RSVP LSP LDP/RSVP LSP LDP/RSVP LSP BGP-LU LSP
E2E protection Terminology TRANSIT NODE (TN) AN SN TN BN TN BN TN BN BN TN BN TN BN TN SN AN CE PE P ABR P ABR P ASBR ASBR P ABR P ABR P PE CE AS X Traffic flow direction AS Y Area 1 Area 0 Area 2 Area 1 Area 0 Area 2 Intra-domain (area or autonomous system) transport Inter-domain (area or autonomous system) transport IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP ibgp-lu ibgp-lu ibgp-lu ebgp-lu ibgp-lu ibgp-lu ibgp-lu nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs Legend AN Access Node (CE, CPE) BN Border Node (ABR, ASBR) SN Services Node (PE) TN Transport Node (P) Inter-domain endto-end LSP model LDP/RSVP LSP LDP/RSVP LDP LDP/RSVP LDP LDP/RSVP LSP LDP/RSVP LSP LDP/RSVP LSP BGP-LU LSP
E2E protection Terminology EGRESS NODE (EN) AN SN TN BN TN BN TN BN BN TN BN TN BN TN SN AN CE PE P ABR P ABR P ASBR ASBR P ABR P ABR P PE CE AS X Traffic flow direction AS Y Area 1 Area 0 Area 2 Area 1 Area 0 Area 2 Intra-domain (area or autonomous system) transport Inter-domain (area or autonomous system) transport IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP ibgp-lu ibgp-lu ibgp-lu ebgp-lu ibgp-lu ibgp-lu ibgp-lu nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs Legend AN Access Node (CE, CPE) BN Border Node (ABR, ASBR) SN Services Node (PE) TN Transport Node (P) Inter-domain endto-end LSP model LDP/RSVP LSP LDP/RSVP LDP LDP/RSVP LDP LDP/RSVP LSP LDP/RSVP LSP LDP/RSVP LSP BGP-LU LSP
E2E protection Terminology INGRESS AND TRANSIT PROTECTION Ingress Protection Measures to protect against failure of ingress Service Node (ingress SN) Point of Local Repair (PLR) is AN that is multi-homed to multiple SNs AN after detecting failure (via LOS, OAM, BFD, etc.) of SN (or link to SN) switches the outgoing traffic to another SN Transit Protection Measures to protect against failure of Transit Node (TN) Point of Local Repair (PLR) is IN or TN (non-penultimate node) of intra-area LSP Downstream node IN or TN on intra-area LSP after detecting the failure of upstream TN (or link to upstream TN) redirects the traffic (going still to the same EN) via different transit link/ node: LFA (basic LFA, RLFA, TI-LFA) RSVP + facility protection (node-link protection) RSVP + one-to-one protection (fast-reroute) Both ingress and transit protection are well known techniques, thus they are not covered in this presentation
E2E protection Terminology INGRESS PROTECTION AN SN TN BN TN BN TN BN BN TN BN TN BN TN SN AN CE PE P ABR P ABR P ASBR ASBR P ABR P ABR P PE CE AS X Traffic flow direction AS Y Area 1 Area 0 Area 2 Area 1 Area 0 Area 2 Intra-domain (area or autonomous system) transport Inter-domain (area or autonomous system) transport Inter-domain endto-end LSP model IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP ibgp-lu ibgp-lu ibgp-lu ebgp-lu ibgp-lu ibgp-lu ibgp-lu nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs LDP/RSVP LSP LDP/RSVP LDP LDP/RSVP LDP LDP/RSVP LSP LDP/RSVP LSP LDP/RSVP LSP BGP-LU LSP Legend AN Access Node (CE, CPE) BN Border Node (ABR, ASBR) SN Services Node (PE) TN Transport Node (P) Point of Local Repair (PLR) Node being protected
E2E protection Terminology TRANSIT PROTECTION AN SN TN BN TN BN TN BN BN TN BN TN BN TN SN AN CE PE P ABR P ABR P ASBR ASBR P ABR P ABR P PE CE AS X Traffic flow direction AS Y Area 1 Area 0 Area 2 Area 1 Area 0 Area 2 Intra-domain (area or autonomous system) transport Inter-domain (area or autonomous system) transport Inter-domain endto-end LSP model IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP ibgp-lu ibgp-lu ibgp-lu ebgp-lu ibgp-lu ibgp-lu ibgp-lu nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs LDP/RSVP LSP LDP/RSVP LDP LDP/RSVP LDP LDP/RSVP LSP LDP/RSVP LSP LDP/RSVP LSP BGP-LU LSP Legend AN Access Node (CE, CPE) BN Border Node (ABR, ASBR) SN Services Node (PE) TN Transport Node (P) Point of Local Repair (PLR) Node being protected
E2E protection Terminology TERMS USED WITH EGRESS PROTECTION Primary Egress Node Primary EN (SN) SN (PE) with multi-homed access site, that terminates VPN traffic flow originated at Ingress SN (PE) Backup Egress Node Backup EN (SN) SN (PE) having corresponding (backup) VPN route as Primary Egress SN (PE) Multi-homed access sites are connected to Primary and Backup Egress SN (PE)
E2E protection Terminology EGRESS PROTECTION (TRADITIONAL) Egress Protection Measures to protect against failure of Egress Node (EN) Traditionally, egress protection is executed on ingress node Ingress node realizes primary egress node failure Ingress node switches the traffic to backup egress node using pre-programed nexthop in the FIB This concept is called BGP Prefix Independent Convergence (PIC) Edge
Egress protection Concept EGRESS PE PROTECTION WITH BGP PIC EDGE AN SN TN BN TN BN TN BN BN TN BN TN BN TN SN AN CE PE P ABR P ABR P ASBR ASBR P ABR P ABR P PE CE Traffic flow direction AS X AS Y Ingress PE Area 1 Area 0 Area 2 Area 1 Area 0 Area 2 Primary Egress PE Backup Egress PE Ingress PE pre-installs next-hops towards both egress PEs in the FIB Traffic restoration independent from the size of BGP table
Egress protection Concept EGRESS PE PROTECTION WITH BGP PIC EDGE Ingress PE must realize primary egress PE failure in order to switch to pre-installed backup egress PE This might be achieved using Global IGP convergence in single IGP domain design Typically ~200-500 ms in small IGP domains Typically ~0.5 1 (or more) seconds in large IGP domains Global IGP + BGP-LU convergence in multiple IGP domain design Might reach multiple seconds in large network PE-to-PE OAM (BFD) Might introduce scaling challenges when large number of BFD (for MPLS tunnels) session with aggressive timers are deployed
Egress protection Concept EGRESS PE PROTECTION WITH BGP PIC EDGE Depending on traffic restoration requirements (sub-second, sub-500 ms, sub-100 ms, etc.) network complexity (small IGP domain, large IGP domain, multiple IGP domains) BGP PIC Edge might not provide suitable protection for egress PE failure New concept of egress protection shifts the duty of protecting the traffic from ingress PE to some node closer (directly connected) to egress PE Large global IGP/BGP-LU convergence irrelevant No problems with BFD scaling only local link BFD might be required
E2E protection Terminology EGRESS PROTECTION (NEW) Egress Protection Measures to protect against failure of Egress Node (EN) Point of Local Repair (PLR) is penultimate node (one before EN: IN for single-hop LSPs, TN for multi-hop LSPs) of intra-area LSP Penultimate node on intra-area LSP after detecting the failure of EN (or link to EN) switches the traffic to another (protector/backup) EN Protector/backup EN must understand the labels (e.g. VPN labels) assigned by first (primary) EN in order to be able to forward the traffic Labels allocated by EN have local significance (e.g. label for VPN prefix X allocated by primary EN is different than label allocated for the same VPN prefix X allocated by protector/backup EN) Primary and protector/backup EN has to understand (exchange and use: mirror) each other labels Due to this paradigm, egress protection (called as well service mirroring ) is more complex than ingress or transit protection
E2E protection Terminology ADDITIONAL TERMS USED WITH EGRESS PROTECTION Point of Local Repair PLR Penultimate router directly connected to Primary EN Upon detection of Primary EN (or link to Primary EN) failure, PLR redirects traffic via MPLS local repair mechanism (e.g. LFA) to Protector/Backup EN Protector Performs translation between Primary and Backup EN labels Protector Must know Primary and Backup EN routes Can be combined (and usually is) with Backup EN on one node In this presentation only combined Protector/Backup EN deployment is discussed Context-ID Virtual next-hop address advertised (originated) in IGP by Primary EN and Protector Primary EN advertises Context-ID as preferred by IGP (e.g. with IGP metric 1) Protector advertises the same Context-ID as non-preferred by IGP (e.g. with IGP metric max-1) Context-ID must be used as BGP protocol next-hop (instead of usually used lo0.0) IP address in NLRIs advertised by Primary EN for egress protection to work Upon Primary EN failure detection, PLR redirects the traffic to Protector using MPLS local repair mechanism for Context-ID
E2E protection Terminology EGRESS PROTECTION AN SN TN BN TN BN TN BN BN TN BN TN BN TN SN AN CE PE P ABR P ABR P ASBR ASBR P ABR P ABR P PE CE AS X Traffic flow direction This node is being protected, as well as acting as PLR for upstream ASBR AS Y Area 1 Area 0 Area 2 Area 1 Area 0 Area 2 Intra-domain (area or autonomous system) transport Inter-domain (area or autonomous system) transport Inter-domain endto-end LSP model IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP IGP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP LDP/RSVP ibgp-lu ibgp-lu ibgp-lu ebgp-lu ibgp-lu ibgp-lu ibgp-lu nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs nhs LDP/RSVP LSP LDP/RSVP LDP LDP/RSVP LDP LDP/RSVP LSP LDP/RSVP LSP LDP/RSVP LSP BGP-LU LSP Legend AN Access Node (CE, CPE) BN Border Node (ABR, ASBR) SN Services Node (PE) TN Transport Node (P) Point of Local Repair (PLR) Node being protected
Egress protection Concept EGRESS PE PROTECTION AN SN TN BN TN BN TN BN BN TN BN TN BN TN SN AN CE PE P ABR P ABR P ASBR ASBR P ABR P ABR P PE CE AS X Traffic flow direction AS Y Ingress PE Area 1 Area 0 Area 2 Area 1 Area 0 Area 2 PLR Primary Egress PE Protector/ Backup Egress PE Legend AN Access Node (CE, CPE) BN Border Node (ABR, ASBR) SN Services Node (PE) TN Transport Node (P) LDP/RSVP LSP LDP/RSVP LDP LDP/RSVP LDP LDP/RSVP LSP LDP/RSVP LSP LDP/RSVP LSP BGP-LU LSP
Egress protection Concept EGRESS PE PROTECTION Ingress PE PLR Primary Egress PE (PE1) 10/8 Protector/Backup Egress PE (PE2)
Egress protection Concept EGRESS PE PROTECTION (1) Ingress PE PLR 1.1, m=1 Primary Egress PE (PE1) Egress PE protection elements 1. PE1 advertises 1.1 (primary context-id) with best IGP parameters 10/8 Protector/Backup Egress PE (PE2)
Egress protection Concept EGRESS PE PROTECTION (2) Ingress PE PLR 1.1, m=1 Primary Egress PE (PE1) Egress PE protection elements 1. PE1 advertises 1.1 (primary context-id) with best IGP parameters 2. PE2 advertises 1.1 (protector context-id) with worst IGP parameters 1.1, m=16m 10/8 Protector/Backup Egress PE (PE2)
Egress protection Concept EGRESS PE PROTECTION (3) Ingress PE PLR 1.1, m=1 Primary Egress PE (PE1) Egress PE protection elements 1. PE1 advertises 1.1 (primary context-id) with best IGP parameters 2. PE2 advertises 1.1 (protector context-id) with worst IGP parameters 3. PLR builds LFA FIB structure for 1.1 (context- ID) with primary/backup next-hops programed in PFE to prefer PE1 over PE2 1.1, m=16m 10/8 Protector/Backup Egress PE (PE2)
Egress protection Concept EGRESS PE PROTECTION (4) Ingress PE RD:10/8, nh=1.1 Egress PE protection elements RR 1. PE1 advertises 1.1 (primary context-id) with best IGP parameters 2. PE2 advertises 1.1 (protector context-id) with worst IGP parameters 3. PLR builds LFA FIB structure for 1.1 (context-id) with primary/backup next-hops programed in PFE to prefer PE1 over PE2 4. PE1 advertises service prefixes (e.g. L3VPN) with 1.1 (context-id) as next-hop RD:10/8, nh=1.1 RD:10/8, nh=1.1 PLR 1.1, m=1 1.1, m=16m Primary Egress PE (PE1) 10/8 Protector/Backup Egress PE (PE2)
Egress protection Concept EGRESS PE PROTECTION (5) Ingress PE RD:10/8, nh=1.1 Egress PE protection elements RR 1. PE1 advertises 1.1 (primary context-id) with best IGP parameters 2. PE2 advertises 1.1 (protector context-id) with worst IGP parameters 3. PLR builds LFA FIB structure for 1.1 (context-id) with primary/backup next-hops programed in PFE to prefer PE1 over PE2 4. PE1 advertises service prefixes (e.g. L3VPN) with 1.1 (context-id) as next-hop 5. For service prefixes with 1.1 as next-hop (for which PE2 is protector) PE2 builds appropriate FIB structures using info (service labels) from primary egress PE RD:10/8, nh=1.1 RD:10/8, nh=1.1 PLR 1.1, m=1 1.1, m=16m Primary Egress PE (PE1) 10/8 Protector/Backup Egress PE (PE2)
Egress protection Concept EGRESS PE PROTECTION (6) Ingress PE RD:10/8, nh=1.1 Egress PE protection elements RR 1. PE1 advertises 1.1 (primary context-id) with best IGP parameters 2. PE2 advertises 1.1 (protector context-id) with worst IGP parameters 3. PLR builds LFA FIB structure for 1.1 (context-id) with primary/backup next-hops programed in PFE to prefer PE1 over PE2 4. PE1 advertises service prefixes (e.g. L3VPN) with 1.1 (context-id) as next-hop 5. For service prefixes with 1.1 as next-hop (for which PE2 is protector) PE2 builds appropriate FIB structures using info (service labels) from primary egress PE 6. Ingress PE sends the service (e.g. L3VPN) traffic using LSP established towards 1.1 (context-id) RD:10/8, nh=1.1 RD:10/8, nh=1.1 PLR 1.1, m=1 1.1, m=16m Primary Egress PE (PE1) 10/8 Protector/Backup Egress PE (PE2)
Egress protection Concept EGRESS PE PROTECTION (7) Ingress PE RD:10/8, nh=1.1 PLR RR RD:10/8, nh=1.1 1.1, m=1 Primary Egress PE (PE1) Egress PE protection elements 1. PE1 advertises 1.1 (primary context-id) with best IGP parameters 2. PE2 advertises 1.1 (protector context-id) with worst IGP parameters 3. PLR builds LFA FIB structure for 1.1 (context-id) with primary/backup next-hops programed in PFE to prefer PE1 over PE2 4. PE1 advertises service prefixes (e.g. L3VPN) with 1.1 (context-id) as next-hop 5. For service prefixes with 1.1 as next-hop (for which PE2 is protector) PE2 builds appropriate FIB structures using info (service labels) from primary egress PE 6. Ingress PE sends the service (e.g. L3VPN) traffic using LSP established towards 1.1 (context-id) 7. Upon failure of PE1 or PLRà PE1 link, traffic is locally repaired on PLR and PE2 until global convergence happens RD:10/8, nh=1.1 LDP/RSVP tunnel labels locally repaired 1.1, m=16m Service labels locally repaired 10/8 Protector/Backup Egress PE (PE2)
Egress protection Concept EGRESS PE PROTECTION (8) Ingress PE RD:10.10, RD:10/8, nh=1.2 nh=1.1 PLR RR RD:10/8, nh=1.1 1.1, m=1 Primary Egress PE (PE1) Egress PE protection elements 1. PE1 advertises 1.1 (primary context-id) with best IGP parameters 2. PE2 advertises 1.1 (protector context-id) with worst IGP parameters 3. PLR builds LFA FIB structure for 1.1 (context-id) with primary/backup next-hops programed in PFE to prefer PE1 over PE2 4. PE1 advertises service prefixes (e.g. L3VPN) with 1.1 (context-id) as next-hop 5. For service prefixes with 1.1 as next-hop (for which PE2 is protector) PE2 builds appropriate FIB structures using info (service labels) from primary egress PE 6. Ingress PE sends the service (e.g. L3VPN) traffic using LSP established towards 1.1 (context-id) 7. Upon failure of PE1 or PLRà PE1 link, traffic is locally repaired on PLR and PE2 until global convergence happens 8. After global convergence, ingress PE switches to LSP towards 1.2 (primary context-id on PE2) RD:10.10, RD:10/8, nh=1.2 nh=1.1 LDP/RSVP tunnel labels locally repaired 1.1, m=16m Service labels locally repaired 10/8 Protector/Backup Egress PE (PE2)
Protector Functions OVERALL As mentioned previously, regardless of the label protocol (LDP/RSVP) protector always binds real label to protector context-id This protector context-id label is used to point to RIB/FIB structure in order to translate labels Packet arrives to protector with protector context-id label (on the top) and label stack with next label allocated by primary PE Protector uses context-id label to point to the table with labels learned from primary PE
Protector Functions PE (L3VPN) PROTECTION Protector Function MPLS-Lookup: For each advertised Protector Context-ID, transport (real) label mpls.0 RIB entry is created, which points to the Context-ID specific MPLS RIB ( 10.1.1.1 mpls.0). mpls.0 POP MPLS-lookup (Context Label Table): VPN label lookup, based on the VPN label advertised by Primary PE. Entry points to Context-ID/VPN specific IP RIB, with the name based on VRF, if VRF defined locally on Protector (e.g. 10.1.1.1-<vrf-name>.inet.0) or with the name based in RT, if VRF not defined locally on Protector (e.g. 10.1.1.1-<rt-name>.inet.0). 10.1.1.1.mpls.0 POP IP lookup (Context IP/VPN Table): IP lookup (within context Context-ID and VPN/RT) to figure out how to send the packet to Backup PE. è effectively Protector does Label translation from Primary PE VPN label to Backup PE VPN label. 10.1.1.1-<vrf-name>.inet.0 10.1.1.1-<rt-name>.inet.0 Backup PE Function <vrf-name>.inet.0 Protector function and Backup PE function can be deployed on one physical device à Combined Protector/Backup PE design
Protector Functions PE (L3VPN) PROTECTION Protector Function root@pe2> show route table mpls.0 ( ) 301600(S=0) *[MPLS/0] 01:11:20 to table 10.1.1.1.mpls.0 ( ) Real label allocated by Protector (PE2) for Ctx-ID 10.1.1.1 mpls.0 POP root@pe2> show route table 10.1.1.1.mpls.0 ( ) 300368 *[Egress- Protection/170] 01:36:09 to table 10.1.1.1- vpn- 101.inet.0 ( ) VPN labels of VPN prefixes advertised by primary (PE1) with NH=10.1.1.1 10.1.1.1.mpls.0 POP 10.1.1.1-<vrf-name>.inet.0 10.1.1.1-<rt-name>.inet.0 root@pe2> show route table 10.1.1.2- vpn- 101.inet.0 ( ) 172.15.89.0/24 *[Egress- Protection/170] 01:18:20 to 10.0.2.2 via ge- 0/0/9.0 172.15.90.0/24 *[Egress- Protection/170] 01:18:20 to 10.0.2.4 via ge- 0/0/3.0 ( )
Conclusion EGRESS PE PROTECTION Traffic repair duty moved from ingress PE (as in case of BGP PIC Edge) to router(s) closer to egress PE Sub-100 ms protection in case of egress PE failure, independent from IGP scale BGP scale No requirement for large scale BFD with aggressive timers BFD First deployment started at Deutsche Telekom couple of years ago Proven architecture Remarkable traffic restoration times No issues observed
Q & A