Link Protection for MPLS TE Tunnels

Link protection refers to the ability to protect traffic being forwarded on an LSP when a link along the LSP fails. To protect against the failure of a link, a backup tunnel is set up around the link.

Figure 1 shows a sample network with one LSP from the PE1 router to the PE5 router along the path PE1-P2-P4-PE5. Link P2-P4 must be protected by a backup tunnel taking the path P2-P3-P4. The values on the links represent the IGP cost (metric).

When the link P2-P4 fails, all traffic for the main TE tunnel is forwarded onto the backup tunnel around the broken link and delivered to P4, from where it continues on its normal path to the destination PE5 router. The P2 router, where traffic is spliced from the protected path onto the backup path, is called the Point of Local Repair (PLR). At the P4 router, the traffic merges from the backup path back onto the protected path, and hence P4 is called the Merge Point (MP).

Before Link Failure

The backup path must be ready to forward traffic and hence must be computed and signaled before the link failure. Also, the PLR and the MP must be ready to forward the traffic and merge, respectively.

Link protection is enabled on the PE1 router as shown below. The command tunnel mpls traffic-eng fast-reroute enables link protection for the TE tunnel.

Enabling link protection for TE tunnel on PE1 router

interface tunnel 10
 ip unnumbered Loopback 0
 tunnel destination 5.5.5.5
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng bandwidth 10000
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 1 explicit name PATH
 tunnel mpls traffic-eng fast-reroute
 tunnel mpls traffic-eng record-route
!
ip explicit-path name PATH
 next-address 2.2.2.2
 next-address 4.4.4.4
 next-address 5.5.5.5
!

When the PE1 router signals RSVP PATH messages for a TE tunnel requesting link protection, it sets the local protection desired flag in the Session_Attribute object. This information is then available to all routers along the path to the destination PE5 router. Notice that the Label Recording flag is also set. This flag indicates that label information should be included in the RRO, in a sub-object called Sub Label, so that the labels are available to the PLR. This way the PLR knows which label the MP expects the traffic to arrive with.

Outgoing PATH message from PE1 router

*Aug 25 13:52:56.287: Outgoing Path:
*Aug 25 13:52:56.287:   version:1 flags:0000 cksum:7ED5 ttl:255 reserved:0 length:228
*Aug 25 13:52:56.291:  SESSION              type 7 length 16:
*Aug 25 13:52:56.291:   Tun Dest:   5.5.5.5  Tun ID: 10  Ext Tun ID: 1.1.1.1
*Aug 25 13:52:56.291:  HOP                  type 1 length 12:
*Aug 25 13:52:56.291:   Hop Addr: 10.12.1.1 LIH: 0x02000403
*Aug 25 13:52:56.295:  TIME_VALUES          type 1 length 8 :
*Aug 25 13:52:56.295:   Refresh Period (msec): 30000
*Aug 25 13:52:56.295:  EXPLICIT_ROUTE       type 1 length 52:
*Aug 25 13:52:56.295:   10.12.1.2 (Strict IPv4 Prefix, 8 bytes, /32)
*Aug 25 13:52:56.295:   10.24.1.1 (Strict IPv4 Prefix, 8 bytes, /32)
*Aug 25 13:52:56.299:   10.24.1.2 (Strict IPv4 Prefix, 8 bytes, /32)
*Aug 25 13:52:56.299:   10.45.1.1 (Strict IPv4 Prefix, 8 bytes, /32)
*Aug 25 13:52:56.299:   10.45.1.2 (Strict IPv4 Prefix, 8 bytes, /32)
*Aug 25 13:52:56.299:   5.5.5.5 (Strict IPv4 Prefix, 8 bytes, /32)
*Aug 25 13:52:56.299:  LABEL_REQUEST        type 1 length 8 :
*Aug 25 13:52:56.299:   Layer 3 protocol ID: 2048
*Aug 25 13:52:56.303:  SESSION_ATTRIBUTE    type 7 length 16:
*Aug 25 13:52:56.303:   Setup Prio: 7, Holding Prio: 7
*Aug 25 13:52:56.303:   Flags: (0x7) Local Prot desired, Label Recording, SE Style
*Aug 25 13:52:56.303:   Session Name: PE1_t10
*Aug 25 13:52:56.307:  SENDER_TEMPLATE      type 7 length 12:
*Aug 25 13:52:56.307:   Tun Sender: 1.1.1.1  LSP ID: 14
*Aug 25 13:52:56.307:  SENDER_TSPEC         type 2 length 36:
*Aug 25 13:52:56.307:   version=0, length in words=7
*Aug 25 13:52:56.307:   Token bucket fragment (service_id=1, length=6 words
*Aug 25 13:52:56.307:     parameter id=127, flags=0, parameter length=5
*Aug 25 13:52:56.311:     average rate=1250000 bytes/sec, burst depth=1000 bytes
*Aug 25 13:52:56.311:     peak rate   =1250000 bytes/sec
*Aug 25 13:52:56.311:     min unit=0 bytes, max pkt size=2147483647 bytes
*Aug 25 13:52:56.311:  ADSPEC   type 2 length 48:
*Aug 25 13:52:56.311:  version=0  length in words=10
*Aug 25 13:52:56.311:  General Parameters  break bit=0  service length=8
*Aug 25 13:52:56.315:                                         IS Hops:1
*Aug 25 13:52:56.315:              Minimum Path Bandwidth (bytes/sec):12500000
*Aug 25 13:52:56.315:                     Path Latency (microseconds):0
*Aug 25 13:52:56.315:                                        Path MTU:1500
*Aug 25 13:52:56.315:  Controlled Load Service  break bit=0  service length=0
*Aug 25 13:52:56.315:  RECORD_ROUTE         type 1 length 12:
*Aug 25 13:52:56.319:   10.12.1.1/32, Flags:0x0 (No Local Protection)

In this case, the P2 router computes a protection path for link P2-P4 by running a cSPF computation to the destination P4 router, avoiding the protected link. The backup path is usually explicitly defined to avoid the protected link. The path is set up as a regular MPLS TE tunnel using RSVP.

The backup tunnel is configured on P2 router as below:

Backup tunnel on P2 router

interface fastethernet 1/0
 ip address 10.24.1.1 255.255.255.0
 ip rsvp bandwidth
 mpls traffic-eng tunnels
 mpls traffic-eng backup-path Tunnel 100
!
interface tunnel 100
 ip unnumbered Loopback 0
 tunnel destination 4.4.4.4
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng bandwidth 50000
 tunnel mpls traffic-eng path-option 1 explicit name BACKUP_PATH
 tunnel mpls traffic-eng record-route
!
ip explicit-path name BACKUP_PATH
 next-address 3.3.3.3
 next-address 4.4.4.4
!
!--- The following output shows the backup tunnel on P2 router
P2# show mpls traffic-eng tunnels tunnel 100
Name: P2_t100                             (Tunnel100) Destination: 4.4.4.4
  Status:
    Admin: up         Oper: up     Path: valid       Signalling: connected
    path option 1, type explicit BACKUP_PATH (Basis for Setup, path weight 20)
  Config Parameters:
    Bandwidth: 0        kbps (Global)  Priority: 7  7   Affinity: 0x0/0xFFFF
    Metric Type: TE (default)
    AutoRoute:  enabled   LockDown: disabled  Loadshare: 0        bw-based
    auto-bw: disabled
  Active Path Option Parameters:
    State: explicit path option 1 is active
    BandwidthOverride: disabled  LockDown: disabled  Verbatim: disabled
  InLabel  :  -
  OutLabel : FastEthernet2/0, 17
  RSVP Signalling Info:
       Src 2.2.2.2, Dst 4.4.4.4, Tun_Id 100, Tun_Instance 3
    RSVP Path Info:
      My Address: 10.23.1.1
      Explicit Route: 10.23.1.2 10.34.1.1 10.34.1.2 4.4.4.4
      Record   Route:
      Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
    RSVP Resv Info:
      Record   Route:  10.34.1.1 10.34.1.2
      Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
  Shortest Unconstrained Path Info:
    Path Weight: 1 (TE)
    Explicit Route: 10.24.1.1 10.24.1.2 4.4.4.4
  History:
    Tunnel:
      Time since created: 58 minutes, 4 seconds
      Time since path change: 52 minutes, 16 seconds
      Number of LSP IDs (Tun_Instances) used: 3
    Current LSP:
      Uptime: 52 minutes, 16 seconds
      Selection: reoptimization
    Prior LSP:
      ID: path option 1 [2]
      Removal Trigger: configuration changed

There are two techniques available for merging traffic from the backup path onto the protected path at the MP. Both techniques depend on the label with which the traffic arrives at the MP.

Facility Backup (N:1)

In this technique, traffic arrives over the backup tunnel at the MP with the same label as it would if it arrived over the failed (or protected) link; only the interface on which the MP receives the traffic changes. This is ensured by having the PLR push an extra label, that of the backup tunnel, onto the label stack of the main tunnel. Also, the P4 router advertises an implicit-null label to the P3 router so that penultimate-hop popping (PHP) removes the backup tunnel label before the MP. To demonstrate this, there are two LSPs established between PE1 and PE2 (Tunnel 10 and 20). Notice that the MP advertises an implicit-null label for both LSPs.

MP (P4) router advertises implicit-null label

P4# show mpls forwarding-table
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
17     Pop Label     1.1.1.1 10 [80]  1650          Fa1/1      10.45.1.2
19     Pop Label     1.1.1.1 20 [18]   978           Fa1/1      10.45.1.2

Any number of LSPs crossing the protected P2-P4 link can be protected by a single backup tunnel, hence the N:1 designation. Cisco IOS supports this technique.

Notice from the output below that the P2 router protects both tunnels. The status is ready.

P2 router protects any number of LSPs

P2# show mpls traffic-eng fast-reroute database
Headend frr information:
Protected tunnel              In-label Out intf/label   FRR intf/label   Status
LSP midpoint frr information:
LSP identifier                In-label Out intf/label   FRR intf/label   Status
1.1.1.1 10 [80]               18       Fa1/1:18         Tu100:18         ready
1.1.1.1 20 [18]               17       Fa1/1:16         Tu100:16         ready

One-to-one Backup (1:1)

In this technique, traffic arrives at the MP with a different label than the one used by the main path. In this case, no extra label is pushed onto the label stack by the PLR. Hence, a separate backup tunnel is required for every LSP.

The advantage of this technique is that it allows tighter control over the backup tunnel and its properties. The disadvantage is that the amount of forwarding state to be maintained by the PLR, the MP and all the intermediate routers along the backup path increases in proportion to the number of LSPs protected.

The following output shows the labels imposed when the protected link is operational.

Traceroute to 5.5.5.5

PE1# traceroute 5.5.5.5
Type escape sequence to abort.
Tracing the route to 5.5.5.5
  1 10.12.1.2 [MPLS: Label 16 Exp 0] 92 msec 104 msec 100 msec
  2 10.24.1.2 [MPLS: Label 17 Exp 0] 244 msec 196 msec 108 msec
  3 10.45.1.2 132 msec 196 msec *

After Link Failure

When the protected link fails, the P2 router receives the notification. However, when local protection is available, it suppresses any error notification to the headend (PE1) router that might cause the headend to tear down the LSP.

The purpose of the backup path is to protect traffic for the LSPs while the headend router computes an alternate path for the LSPs, avoiding the failed link. So, the PLR (P2) router notifies the PE1 router about the failure using an RSVP PATH Error message with the Notify error code and the Tunnel Locally Repaired subcode. Also, a new flag indicating that the path is locally repaired is turned on in the RRO object.

PE1 receives notification from PLR (P2) router

*Aug 25 15:23:26.179: Incoming PathError:
*Aug 25 15:23:26.183:   version:1 flags:0000 cksum:7746 ttl:255 reserved:0 length:132
*Aug 25 15:23:26.183:  SESSION              type 7 length 16:
*Aug 25 15:23:26.183:   Tun Dest:   5.5.5.5  Tun ID: 10  Ext Tun ID: 1.1.1.1
*Aug 25 15:23:26.187:  ERROR_SPEC           type 1 length 12:
*Aug 25 15:23:26.187:   Error Node: 10.12.1.2
*Aug 25 15:23:26.187:   Error Code: 25 (Notify)
*Aug 25 15:23:26.187:   Error Value: 0x3  (Tunnel locally repaired)
*Aug 25 15:23:26.187:   Flags: 0x0
*Aug 25 15:23:26.191:  SENDER_TEMPLATE      type 7 length 12:
*Aug 25 15:23:26.191:   Tun Sender: 1.1.1.1  LSP ID: 80
*Aug 25 15:23:26.191:  SENDER_TSPEC         type 2 length 36:
*Aug 25 15:23:26.191:   version=0, length in words=7
*Aug 25 15:23:26.191:   Token bucket fragment (service_id=1, length=6 words
*Aug 25 15:23:26.191:     parameter id=127, flags=0, parameter length=5
*Aug 25 15:23:26.195:     average rate=1250000 bytes/sec, burst depth=1000 bytes
*Aug 25 15:23:26.195:     peak rate   =1250000 bytes/sec
*Aug 25 15:23:26.195:     min unit=0 bytes, max pkt size=2147483647 bytes
*Aug 25 15:23:26.195:  ADSPEC               type 2 length 48:
*Aug 25 15:23:26.195:  version=0  length in words=10
*Aug 25 15:23:26.195:  General Parameters  break bit=0  service length=8
*Aug 25 15:23:26.199:                                         IS Hops:1
*Aug 25 15:23:26.199:              Minimum Path Bandwidth (bytes/sec):12500000
*Aug 25 15:23:26.199:                     Path Latency (microseconds):0
*Aug 25 15:23:26.199:                                        Path MTU:1500
*Aug 25 15:23:26.199:  Controlled Load Service  break bit=0  service length=0
*Aug 25 15:23:26.207: Incoming PathError:
*Aug 25 15:23:26.207:   version:1 flags:0000 cksum:767A ttl:255 reserved:0 length:132
*Aug 25 15:23:26.207:  SESSION              type 7 length 16:
*Aug 25 15:23:26.211:   Tun Dest:   5.5.5.5  Tun ID: 20  Ext Tun ID: 1.1.1.1
*Aug 25 15:23:26.211:  ERROR_SPEC           type 1 length 12:
*Aug 25 15:23:26.211:   Error Node: 10.12.1.2
*Aug 25 15:23:26.211:   Error Code: 25 (Notify)
*Aug 25 15:23:26.211:   Error Value: 0x3  (Tunnel locally repaired)
*Aug 25 15:23:26.215:   Flags: 0x0
*Aug 25 15:23:26.215:  SENDER_TEMPLATE      type 7 length 12:
*Aug 25 15:23:26.215:   Tun Sender: 1.1.1.1  LSP ID: 18
*Aug 25 15:23:26.215:  SENDER_TSPEC         type 2 length 36:
*Aug 25 15:23:26.215:   version=0, length in words=7
*Aug 25 15:23:26.215:   Token bucket fragment (service_id=1, length=6 words
*Aug 25 15:23:26.219:     parameter id=127, flags=0, parameter length=5
*Aug 25 15:23:26.219:     average rate=2500000 bytes/sec, burst depth=1000 bytes
*Aug 25 15:23:26.219:     peak rate   =2500000 bytes/sec
*Aug 25 15:23:26.219:     min unit=0 bytes, max pkt size=2147483647 bytes
*Aug 25 15:23:26.219:  ADSPEC               type 2 length 48:
*Aug 25 15:23:26.219:  version=0  length in words=10
*Aug 25 15:23:26.223:  General Parameters  break bit=0  service length=8
*Aug 25 15:23:26.223:                                         IS Hops:1
*Aug 25 15:23:26.223:              Minimum Path Bandwidth (bytes/sec):12500000
*Aug 25 15:23:26.223:                     Path Latency (microseconds):0
*Aug 25 15:23:26.223:                                        Path MTU:1500
*Aug 25 15:23:26.223:  Controlled Load Service  break bit=0  service length=0
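
The following is an added example, not part of the original page: it reads RSVP debug output in the format shown above and reports, per tunnel, which Session_Attribute flags the headend requested and whether a PLR has sent the Notify / Tunnel locally repaired PathError. The function names are assumptions of this example, and Tunnel 30 in the sample is constructed to show an LSP that never asked for protection.

```python
import re

# SESSION_ATTRIBUTE flag bits from RFC 3209, as decoded in the debug output above.
SA_FLAGS = {0x01: "local-protection-desired", 0x02: "label-recording", 0x04: "se-style"}
FRR_NEEDS = {"local-protection-desired", "label-recording"}
NOTIFY, LOCALLY_REPAIRED = 25, 0x3      # PathError code / value shown above

# Constructed sample: trimmed lines in the page's debug format; Tunnel 30 is invented.
SAMPLE = """\
*Aug 25 13:52:56.287: Outgoing Path:
*Aug 25 13:52:56.291:   Tun Dest:   5.5.5.5  Tun ID: 10  Ext Tun ID: 1.1.1.1
*Aug 25 13:52:56.303:   Flags: (0x7) Local Prot desired, Label Recording, SE Style
*Aug 25 13:52:56.319:   10.12.1.1/32, Flags:0x0 (No Local Protection)
*Aug 25 13:53:01.100: Outgoing Path:
*Aug 25 13:53:01.104:   Tun Dest:   5.5.5.5  Tun ID: 30  Ext Tun ID: 1.1.1.1
*Aug 25 13:53:01.116:   Flags: (0x4) SE Style
*Aug 25 15:23:26.179: Incoming PathError:
*Aug 25 15:23:26.183:   Tun Dest:   5.5.5.5  Tun ID: 10  Ext Tun ID: 1.1.1.1
*Aug 25 15:23:26.187:   Error Code: 25 (Notify)
*Aug 25 15:23:26.187:   Error Value: 0x3  (Tunnel locally repaired)
"""

def parse_rsvp_debug(text):
    """Per-tunnel view of what the headend requested and whether a PLR reported local repair."""
    tunnels, kind, cur, code = {}, None, None, None
    for line in text.splitlines():
        if m := re.search(r"(Outgoing|Incoming) (Path|PathError):\s*$", line):
            kind, cur, code = m.group(2), None, None           # a new message starts
        elif m := re.search(r"Tun ID: (\d+)", line):
            cur = tunnels.setdefault(int(m.group(1)), {"requested": None, "locally_repaired": False})
        elif cur is None:
            continue                                           # not inside a known session
        elif kind == "Path" and (m := re.search(r"Flags: \(0x([0-9A-Fa-f]+)\)", line)):
            bits = int(m.group(1), 16)                         # RRO flags have no "(" and are skipped
            cur["requested"] = {name for bit, name in SA_FLAGS.items() if bits & bit}
        elif kind == "PathError" and (m := re.search(r"Error Code: (\d+)", line)):
            code = int(m.group(1))
        elif kind == "PathError" and (m := re.search(r"Error Value: 0x([0-9A-Fa-f]+)", line)):
            if code == NOTIFY and int(m.group(1), 16) == LOCALLY_REPAIRED:
                cur["locally_repaired"] = True
    return tunnels

def missing_frr_flags(tunnels):
    """Tunnels whose Path message lacks a flag that facility backup depends on."""
    return {tid: sorted(FRR_NEEDS - t["requested"]) for tid, t in tunnels.items()
            if t["requested"] is not None and not FRR_NEEDS <= t["requested"]}

if __name__ == "__main__":
    print(missing_frr_flags(parse_rsvp_debug(SAMPLE)))
```
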

When the PE1 router receives the notification, it computes a new path for the LSPs avoiding the failed link, and sets it up in make-before-break fashion, i.e. the resources are temporarily double-booked as long as the old path is not torn down. Notice that the status is active in the output below.

P2 router protects both LSPs from PE1 router

P2# show mpls traffic-eng fast-reroute database
Headend frr information:
Protected tunnel              In-label Out intf/label   FRR intf/label   Status
LSP midpoint frr information:
LSP identifier                In-label Out intf/label   FRR intf/label   Status
1.1.1.1 10 [80]               18       Fa1/1:18         Tu100:18         active
1.1.1.1 20 [18]               17       Fa1/1:16         Tu100:16         active

Again, a traceroute to destination 5.5.5.5 shows that an extra label is imposed by the PLR (P2) router when traffic is forwarded over the backup path.

Traceroute to 5.5.5.5

PE1# traceroute 5.5.5.5
Type escape sequence to abort.
Tracing the route to 5.5.5.5
  1 10.12.1.2 [MPLS: Label 18 Exp 0] 184 msec 136 msec 80 msec
  2 10.23.1.2 [MPLS: Labels 17/18 Exp 0] 192 msec 156 msec 128 msec
  3 10.34.1.2 [MPLS: Label 18 Exp 0] 104 msec 268 msec 144 msec
  4 10.45.1.2 232 msec 244 msec *
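
The label operations behind this traceroute, as an added example that is not part of the original page: it parses the two midpoint rows of P2's FRR database and replays the facility-backup push at the PLR and the PHP pop at P3. The function names and the BACKUP_OUT_LABEL table (filled from Tunnel100's OutLabel of 17) are assumptions of this example.

```python
import re

# Constructed input: the two midpoint rows of P2's FRR database as shown on this page.
FRR_DB = """\
1.1.1.1 10 [80]               18       Fa1/1:18         Tu100:18         active
1.1.1.1 20 [18]               17       Fa1/1:16         Tu100:16         active
"""
# Out-label of the backup tunnel at the PLR (Tunnel100 "OutLabel : FastEthernet2/0, 17").
BACKUP_OUT_LABEL = {"Tu100": 17}

ROW = re.compile(r"^(\S+) (\d+) \[(\d+)\]\s+(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)$")

def parse_frr_db(text):
    """Return {in_label: entry} for each protected LSP row."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src, tun, lsp, in_l, out_if, out_l, bk_if, bk_l, status = m.groups()
            entries[int(in_l)] = {
                "lsp": f"{src} {tun} [{lsp}]", "out_if": out_if, "out_label": int(out_l),
                "backup_if": bk_if, "backup_label": int(bk_l), "status": status}
    return entries

def plr_forward(entry, link_up):
    """Label stack (top first) that the PLR sends for one protected LSP."""
    if link_up:
        return [entry["out_label"]]        # normal swap onto the protected link
    # Facility backup: swap to the label the MP expects, then push the backup tunnel label.
    return [BACKUP_OUT_LABEL[entry["backup_if"]], entry["backup_label"]]

def php_pop(stack):
    """Penultimate hop of the backup tunnel (P3) pops the top label."""
    return stack[1:]

def label_seen_by_mp(entry, link_up):
    """Stack that arrives at the MP; it must be the same on either path."""
    stack = plr_forward(entry, link_up)
    return stack if link_up else php_pop(stack)

if __name__ == "__main__":
    for in_label, e in parse_frr_db(FRR_DB).items():
        print(e["lsp"], "in", in_label, "PLR sends", plr_forward(e, False),
              "MP receives", label_seen_by_mp(e, False))
```

For Tunnel 10 this reproduces hops 2 and 3 of the traceroute: labels 17/18 toward P3, then label 18 toward P4.
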

To summarize, link protection is achieved by setting up the backup path before the failure. After the failure, the PLR suppresses the teardown message and notifies the headend router that the tunnel is locally protected, and the switching of traffic from the main path to the backup path at the PLR is completed.