Link Protection for MPLS TE Tunnels
Link protection refers to the ability to protect traffic being forwarded on an LSP when a link along the LSP fails. To protect against the failure of a link, a backup tunnel is set up around the link.
Figure 1 shows a sample network with one LSP from PE1 to PE5 router along the path PE1-P2-P4-PE5. Link P2-P4 must be protected by a backup tunnel taking the path P2-P3-P4. The values on the links represent the IGP cost (metric).
When the link P2-P4 fails, all traffic for the main TE tunnel is forwarded onto the backup tunnel around the broken link and delivered to P4, from where it continues on its normal path to the destination, PE5 router. P2, the router where traffic is spliced from the protected path onto the backup path, is called the Point of Local Repair (PLR). At P4 router, the traffic merges from the backup path back onto the protected path, so P4 is called the Merge Point (MP).
Before Link Failure
The backup path must be ready to forward traffic and hence must be computed and signaled before the link failure. Also, the PLR and the MP must be ready to forward the traffic and merge, respectively.
Link protection is enabled on PE1 router as shown below. The command tunnel mpls traffic-eng fast-reroute enables link protection for the TE tunnel.
Enabling link protection for TE tunnel on PE1 router
interface tunnel 10
 ip unnumbered Loopback 0
 tunnel destination 5.5.5.5
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng bandwidth 10000
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 1 explicit name PATH
 tunnel mpls traffic-eng fast-reroute
 tunnel mpls traffic-eng record-route
!
ip explicit-path name PATH
 next-address 2.2.2.2
 next-address 4.4.4.4
 next-address 5.5.5.5
!
When PE1 router signals RSVP PATH messages for a TE tunnel requesting link protection, it sets the Local protection desired flag in the SESSION_ATTRIBUTE object. This information is then available to all routers along the path to the destination, PE5 router. Notice that the Label Recording flag is also set. This flag indicates that label information should be recorded in the RRO, in a sub-object called Sub Label, so that it is available to the PLR. This way the PLR knows which label the MP expects the traffic to arrive with.
Outgoing PATH message from PE1 router
*Aug 25 13:52:56.287: Outgoing Path:
*Aug 25 13:52:56.287: version:1 flags:0000 cksum:7ED5 ttl:255 reserved:0 length:228
*Aug 25 13:52:56.291: SESSION type 7 length 16:
*Aug 25 13:52:56.291: Tun Dest: 5.5.5.5 Tun ID: 10 Ext Tun ID: 1.1.1.1
*Aug 25 13:52:56.291: HOP type 1 length 12:
*Aug 25 13:52:56.291: Hop Addr: 10.12.1.1 LIH: 0x02000403
*Aug 25 13:52:56.295: TIME_VALUES type 1 length 8 :
*Aug 25 13:52:56.295: Refresh Period (msec): 30000
*Aug 25 13:52:56.295: EXPLICIT_ROUTE type 1 length 52:
*Aug 25 13:52:56.295: 10.12.1.2 (Strict IPv4 Prefix, 8 bytes, /32)
*Aug 25 13:52:56.295: 10.24.1.1 (Strict IPv4 Prefix, 8 bytes, /32)
*Aug 25 13:52:56.299: 10.24.1.2 (Strict IPv4 Prefix, 8 bytes, /32)
*Aug 25 13:52:56.299: 10.45.1.1 (Strict IPv4 Prefix, 8 bytes, /32)
*Aug 25 13:52:56.299: 10.45.1.2 (Strict IPv4 Prefix, 8 bytes, /32)
*Aug 25 13:52:56.299: 5.5.5.5 (Strict IPv4 Prefix, 8 bytes, /32)
*Aug 25 13:52:56.299: LABEL_REQUEST type 1 length 8 :
*Aug 25 13:52:56.299: Layer 3 protocol ID: 2048
*Aug 25 13:52:56.303: SESSION_ATTRIBUTE type 7 length 16:
*Aug 25 13:52:56.303: Setup Prio: 7, Holding Prio: 7
*Aug 25 13:52:56.303: Flags: (0x7) Local Prot desired, Label Recording, SE Style
*Aug 25 13:52:56.303: Session Name: PE1_t10
*Aug 25 13:52:56.307: SENDER_TEMPLATE type 7 length 12:
*Aug 25 13:52:56.307: Tun Sender: 1.1.1.1 LSP ID: 14
*Aug 25 13:52:56.307: SENDER_TSPEC type 2 length 36:
*Aug 25 13:52:56.307: version=0, length in words=7
*Aug 25 13:52:56.307: Token bucket fragment (service_id=1, length=6 words
*Aug 25 13:52:56.307: parameter id=127, flags=0, parameter length=5
*Aug 25 13:52:56.311: average rate=1250000 bytes/sec, burst depth=1000 bytes
*Aug 25 13:52:56.311: peak rate =1250000 bytes/sec
*Aug 25 13:52:56.311: min unit=0 bytes, max pkt size=2147483647 bytes
*Aug 25 13:52:56.311: ADSPEC type 2 length 48:
*Aug 25 13:52:56.311: version=0 length in words=10
*Aug 25 13:52:56.311: General Parameters break bit=0 service length=8
*Aug 25 13:52:56.315: IS Hops:1
*Aug 25 13:52:56.315: Minimum Path Bandwidth (bytes/sec):12500000
*Aug 25 13:52:56.315: Path Latency (microseconds):0
*Aug 25 13:52:56.315: Path MTU:1500
*Aug 25 13:52:56.315: Controlled Load Service break bit=0 service length=0
*Aug 25 13:52:56.315: RECORD_ROUTE type 1 length 12:
*Aug 25 13:52:56.319: 10.12.1.1/32, Flags:0x0 (No Local Protection)
In this case, P2 router computes a protection path for link P2-P4 by running a CSPF computation to the destination, P4 router, avoiding the protected link. The backup path is usually explicitly defined to avoid the protected link. The path is set up as a regular MPLS TE tunnel using RSVP.
The backup tunnel is configured on P2 router as below:
Backup tunnel on P2 router
interface fastethernet 1/0
 ip address 10.24.1.1 255.255.255.0
 ip rsvp bandwidth
 mpls traffic-eng tunnels
 mpls traffic-eng backup-path Tunnel 100
!
interface tunnel 100
 ip unnumbered Loopback 0
 tunnel destination 4.4.4.4
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng bandwidth 50000
 tunnel mpls traffic-eng path-option 1 explicit name BACKUP_PATH
 tunnel mpls traffic-eng record-route
!
ip explicit-path name BACKUP_PATH
 next-address 3.3.3.3
 next-address 4.4.4.4
!
!--- The following output shows the backup tunnel on P2 router
P2# show mpls traffic-eng tunnels tunnel 100
Name: P2_t100 (Tunnel100) Destination: 4.4.4.4
Status:
Admin: up Oper: up Path: valid Signalling: connected
path option 1, type explicit BACKUP_PATH (Basis for Setup, path weight 20)
Config Parameters:
Bandwidth: 0 kbps (Global) Priority: 7 7 Affinity: 0x0/0xFFFF
Metric Type: TE (default)
AutoRoute: enabled LockDown: disabled Loadshare: 0 bw-based
auto-bw: disabled
Active Path Option Parameters:
State: explicit path option 1 is active
BandwidthOverride: disabled LockDown: disabled Verbatim: disabled
InLabel : -
OutLabel : FastEthernet2/0, 17
RSVP Signalling Info:
Src 2.2.2.2, Dst 4.4.4.4, Tun_Id 100, Tun_Instance 3
RSVP Path Info:
My Address: 10.23.1.1
Explicit Route: 10.23.1.2 10.34.1.1 10.34.1.2 4.4.4.4
Record Route:
Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
RSVP Resv Info:
Record Route: 10.34.1.1 10.34.1.2
Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
Shortest Unconstrained Path Info:
Path Weight: 1 (TE)
Explicit Route: 10.24.1.1 10.24.1.2 4.4.4.4
History:
Tunnel:
Time since created: 58 minutes, 4 seconds
Time since path change: 52 minutes, 16 seconds
Number of LSP IDs (Tun_Instances) used: 3
Current LSP:
Uptime: 52 minutes, 16 seconds
Selection: reoptimization
Prior LSP:
ID: path option 1 [2]
Removal Trigger: configuration changed
There are two techniques available for merging traffic from the backup path onto the protected path at the MP. They differ in the label with which the traffic arrives at the MP.
Facility Backup (N:1)
In this technique, traffic arrives over the backup tunnel at the MP with the same label as it would if it arrived over the failed (or protected) link; only the interface on which the MP receives the traffic changes. This is ensured by having the PLR push an extra label, that of the backup tunnel, onto the label stack of the main tunnel. In addition, P4 router advertises an implicit-null label to P3 router so that penultimate-hop popping (PHP) removes the backup tunnel label before the MP. To demonstrate this, two LSPs are established between PE1 and PE2 (Tunnel 10 and 20). Notice that the MP advertises an implicit-null label for both LSPs.
MP (P4) router advertises implicit-null label
P4# show mpls forwarding-table
Local   Outgoing      Prefix             Bytes Label   Outgoing    Next Hop
Label   Label or VC   or Tunnel Id       Switched      interface
17      Pop Label     1.1.1.1 10 [80]    1650          Fa1/1       10.45.1.2
19      Pop Label     1.1.1.1 20 [18]    978           Fa1/1       10.45.1.2
Any number of LSPs crossing the protected P2-P4 link can be protected by a single backup tunnel, hence the name N:1. Cisco IOS supports this technique.
Notice from the output below that P2 router protects both tunnels. The status is ready.
P2 router protects any number of LSPs
P2# show mpls traffic-eng fast-reroute database
Headend frr information:
Protected tunnel       In-label   Out intf/label   FRR intf/label   Status
LSP midpoint frr information:
LSP identifier         In-label   Out intf/label   FRR intf/label   Status
1.1.1.1 10 [80]        18         Fa1/1:18         Tu100:18         ready
1.1.1.1 20 [18]        17         Fa1/1:16         Tu100:16         ready
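A readiness check over this output, as an added example that is not part of the original page: it parses the midpoint rows and reports LSPs that have no entry, whose backup is already in use, or whose FRR label differs from the label used on the protected link (the condition facility backup relies on for link protection). The function names, the expected-tunnel set and the FAILED sample are assumptions made for illustration.

```python
import re

# Constructed samples in the format of the fast-reroute database output above:
# READY repeats the rows shown on this page, FAILED is invented for the checks.
READY = """\
1.1.1.1 10 [80] 18 Fa1/1:18 Tu100:18 ready
1.1.1.1 20 [18] 17 Fa1/1:16 Tu100:16 ready
"""
FAILED = """\
1.1.1.1 10 [80] 18 Fa1/1:18 Tu100:18 active
1.1.1.1 20 [18] 17 Fa1/1:16 Tu100:19 ready
"""

ROW = re.compile(
    r"^(?P<sender>[\d.]+)\s+(?P<tun>\d+)\s+\[(?P<lsp>\d+)\]\s+(?P<in_label>\d+)\s+"
    r"(?P<out_if>\S+):(?P<out_label>\d+)\s+(?P<frr_if>\S+):(?P<frr_label>\d+)\s+"
    r"(?P<status>\w+)$")

def parse_frr_db(text):
    """Return one dict per LSP row; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("tun", "lsp", "in_label", "out_label", "frr_label"):
                row[key] = int(row[key])
            rows.append(row)
    return rows

def audit(text, expected_tunnels):
    """List (tunnel id, finding) pairs; an empty list means every LSP is protected."""
    rows = parse_frr_db(text)
    findings = [(tun, "no FRR entry on this PLR")
                for tun in sorted(set(expected_tunnels) - {r["tun"] for r in rows})]
    for r in rows:
        if r["status"] == "active":
            findings.append((r["tun"], f"backup in use via {r['frr_if']}"))
        elif r["status"] != "ready":
            findings.append((r["tun"], f"backup not ready: {r['status']}"))
        # Link protection: the MP must see the label it would get over the protected link.
        if r["frr_label"] != r["out_label"]:
            findings.append((r["tun"], "FRR label differs from protected-link label"))
    return findings

if __name__ == "__main__":
    print(audit(READY, {10, 20}))        # both LSPs protected
    print(audit(FAILED, {10, 20, 30}))   # one finding per problem
```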
One-to-one Backup (1:1)
In this technique, traffic arrives at the MP with a different label than the one used by the main path. In this case, no extra label is pushed onto the label stack by the PLR. Hence, a separate backup tunnel is required for every LSP.
The advantage of this technique is that it allows tighter control over the backup tunnel and its properties. The disadvantage is that the amount of forwarding state to be maintained by the PLR, the MP and all the intermediate routers along the backup path increases in proportion to the number of LSPs protected.
The following output shows the labels imposed when the protected link is operational.
Traceroute to 5.5.5.5
PE1# traceroute 5.5.5.5
Type escape sequence to abort.
Tracing the route to 5.5.5.5
1 10.12.1.2 [MPLS: Label 16 Exp 0] 92 msec 104 msec 100 msec
2 10.24.1.2 [MPLS: Label 17 Exp 0] 244 msec 196 msec 108 msec
3 10.45.1.2 132 msec 196 msec *
After Link Failure
When the protected link fails, P2 router is notified of the failure. Because local protection is available, it suppresses any error notification to the headend (PE1) router that might cause the headend to tear down the LSP.
The purpose of the backup path is to protect traffic for the LSPs while the headend router computes an alternate path for them that avoids the failed link. So the PLR (P2) router notifies PE1 router about the failure using an RSVP PATH Error message with the Notify error code and the Tunnel Locally Repaired subcode. Also, a new flag indicating that the path is locally repaired is turned on in the RRO object.
PE1 receives notification from PLR (P2) router
*Aug 25 15:23:26.179: Incoming PathError:
*Aug 25 15:23:26.183: version:1 flags:0000 cksum:7746 ttl:255 reserved:0 length:132
*Aug 25 15:23:26.183: SESSION type 7 length 16:
*Aug 25 15:23:26.183: Tun Dest: 5.5.5.5 Tun ID: 10 Ext Tun ID: 1.1.1.1
*Aug 25 15:23:26.187: ERROR_SPEC type 1 length 12:
*Aug 25 15:23:26.187: Error Node: 10.12.1.2
*Aug 25 15:23:26.187: Error Code: 25 (Notify)
*Aug 25 15:23:26.187: Error Value: 0x3 (Tunnel locally repaired)
*Aug 25 15:23:26.187: Flags: 0x0
*Aug 25 15:23:26.191: SENDER_TEMPLATE type 7 length 12:
*Aug 25 15:23:26.191: Tun Sender: 1.1.1.1 LSP ID: 80
*Aug 25 15:23:26.191: SENDER_TSPEC type 2 length 36:
*Aug 25 15:23:26.191: version=0, length in words=7
*Aug 25 15:23:26.191: Token bucket fragment (service_id=1, length=6 words
*Aug 25 15:23:26.191: parameter id=127, flags=0, parameter length=5
*Aug 25 15:23:26.195: average rate=1250000 bytes/sec, burst depth=1000 bytes
*Aug 25 15:23:26.195: peak rate =1250000 bytes/sec
*Aug 25 15:23:26.195: min unit=0 bytes, max pkt size=2147483647 bytes
*Aug 25 15:23:26.195: ADSPEC type 2 length 48:
*Aug 25 15:23:26.195: version=0 length in words=10
*Aug 25 15:23:26.195: General Parameters break bit=0 service length=8
*Aug 25 15:23:26.199: IS Hops:1
*Aug 25 15:23:26.199: Minimum Path Bandwidth (bytes/sec):12500000
*Aug 25 15:23:26.199: Path Latency (microseconds):0
*Aug 25 15:23:26.199: Path MTU:1500
*Aug 25 15:23:26.199: Controlled Load Service break bit=0 service length=0
*Aug 25 15:23:26.207: Incoming PathError:
*Aug 25 15:23:26.207: version:1 flags:0000 cksum:767A ttl:255 reserved:0 length:132
*Aug 25 15:23:26.207: SESSION type 7 length 16:
*Aug 25 15:23:26.211: Tun Dest: 5.5.5.5 Tun ID: 20 Ext Tun ID: 1.1.1.1
*Aug 25 15:23:26.211: ERROR_SPEC type 1 length 12:
*Aug 25 15:23:26.211: Error Node: 10.12.1.2
*Aug 25 15:23:26.211: Error Code: 25 (Notify)
*Aug 25 15:23:26.211: Error Value: 0x3 (Tunnel locally repaired)
*Aug 25 15:23:26.215: Flags: 0x0
*Aug 25 15:23:26.215: SENDER_TEMPLATE type 7 length 12:
*Aug 25 15:23:26.215: Tun Sender: 1.1.1.1 LSP ID: 18
*Aug 25 15:23:26.215: SENDER_TSPEC type 2 length 36:
*Aug 25 15:23:26.215: version=0, length in words=7
*Aug 25 15:23:26.215: Token bucket fragment (service_id=1, length=6 words
*Aug 25 15:23:26.219: parameter id=127, flags=0, parameter length=5
*Aug 25 15:23:26.219: average rate=2500000 bytes/sec, burst depth=1000 bytes
*Aug 25 15:23:26.219: peak rate =2500000 bytes/sec
*Aug 25 15:23:26.219: min unit=0 bytes, max pkt size=2147483647 bytes
*Aug 25 15:23:26.219: ADSPEC type 2 length 48:
*Aug 25 15:23:26.219: version=0 length in words=10
*Aug 25 15:23:26.223: General Parameters break bit=0 service length=8
*Aug 25 15:23:26.223: IS Hops:1
*Aug 25 15:23:26.223: Minimum Path Bandwidth (bytes/sec):12500000
*Aug 25 15:23:26.223: Path Latency (microseconds):0
*Aug 25 15:23:26.223: Path MTU:1500
*Aug 25 15:23:26.223: Controlled Load Service break bit=0 service length=0
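The two RSVP signals described in this article, read back from debug text (an added example, not part of the original page): the Path message flags that request protection and the PathError that reports local repair. The sample is constructed from abridged lines of the outputs above; the function names are illustrative, and the flag bit values follow RFC 3209.

```python
import re

# Constructed sample: lines abridged from the two debug outputs on this page.
SAMPLE = """\
*Aug 25 13:52:56.287: Outgoing Path:
*Aug 25 13:52:56.291: Tun Dest: 5.5.5.5 Tun ID: 10 Ext Tun ID: 1.1.1.1
*Aug 25 13:52:56.303: SESSION_ATTRIBUTE type 7 length 16:
*Aug 25 13:52:56.303: Flags: (0x7) Local Prot desired, Label Recording, SE Style
*Aug 25 15:23:26.179: Incoming PathError:
*Aug 25 15:23:26.183: Tun Dest: 5.5.5.5 Tun ID: 10 Ext Tun ID: 1.1.1.1
*Aug 25 15:23:26.187: ERROR_SPEC type 1 length 12:
*Aug 25 15:23:26.187: Error Code: 25 (Notify)
*Aug 25 15:23:26.187: Error Value: 0x3 (Tunnel locally repaired)
*Aug 25 15:23:26.187: Flags: 0x0
"""
WANT = 0x01 | 0x02    # Local Prot desired | Label Recording (RFC 3209 flag bits)
REPAIRED = (25, 3)    # Notify / Tunnel locally repaired, as in the output above
STAMP = re.compile(r"^\*\w+\s+\d+\s+[\d:.]+:\s")
MSG = re.compile(r"^(Outgoing|Incoming) (\w+):$")
OBJ = re.compile(r"^([A-Z_]+) type \d+ length \d+\s*:$")

def parse(text):
    """Group debug lines into messages with tunnel id, SA flags and error fields."""
    msgs, obj = [], None
    for raw in text.splitlines():
        line = STAMP.sub("", raw).strip()
        if m := MSG.match(line):
            msgs.append({"kind": m[2], "tun": None, "sa_flags": 0, "code": None, "value": None})
            obj = None
        elif not msgs:
            continue  # text before the first message header
        elif m := OBJ.match(line):
            obj = m[1]  # remember which RSVP object the following lines belong to
        elif m := re.search(r"Tun ID: (\d+)", line):
            msgs[-1]["tun"] = int(m[1])
        elif obj == "SESSION_ATTRIBUTE" and (m := re.match(r"Flags: \((0x[0-9A-Fa-f]+)\)", line)):
            msgs[-1]["sa_flags"] = int(m[1], 16)
        elif obj == "ERROR_SPEC" and (m := re.match(r"Error (Code|Value): (\w+)", line)):
            msgs[-1][m[1].lower()] = int(m[2], 0)
    return msgs

def protection_requested(msgs):
    """Tunnel IDs whose Path message sets Local Prot desired and Label Recording."""
    return {m["tun"] for m in msgs if m["kind"] == "Path" and m["sa_flags"] & WANT == WANT}

def locally_repaired(msgs):
    """Tunnel IDs for which a PLR sent PathError Notify / Tunnel locally repaired."""
    return {m["tun"] for m in msgs
            if m["kind"] == "PathError" and (m["code"], m["value"]) == REPAIRED}
```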
When PE1 router receives the notification, it computes a new path for the LSPs that avoids the failed link and sets it up in make-before-break fashion, i.e. resources are temporarily double-booked for as long as the old path is not torn down. Notice that the status is active in the output below.
P2 router protects both LSPs from PE1 router
P2# show mpls traffic-eng fast-reroute database
Headend frr information:
Protected tunnel       In-label   Out intf/label   FRR intf/label   Status
LSP midpoint frr information:
LSP identifier         In-label   Out intf/label   FRR intf/label   Status
1.1.1.1 10 [80]        18         Fa1/1:18         Tu100:18         active
1.1.1.1 20 [18]        17         Fa1/1:16         Tu100:16         active
Again, a traceroute to destination 5.5.5.5 shows that an extra label is imposed by PLR (P2) router when traffic is forwarded over the backup path.
Traceroute to 5.5.5.5
PE1# traceroute 5.5.5.5
Type escape sequence to abort.
Tracing the route to 5.5.5.5
1 10.12.1.2 [MPLS: Label 18 Exp 0] 184 msec 136 msec 80 msec
2 10.23.1.2 [MPLS: Labels 17/18 Exp 0] 192 msec 156 msec 128 msec
3 10.34.1.2 [MPLS: Label 18 Exp 0] 104 msec 268 msec 144 msec
4 10.45.1.2 232 msec 244 msec *
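The label operations behind the traceroute above, as an added example that is not part of the original page: a small model of the LFIBs on P2, P3 and P4 that walks one packet of Tunnel 10 with the protected link up and down. The labels are taken from the fast-reroute database and the post-failure traceroute; the data layout and function names are assumptions.

```python
# Labels come from the fast-reroute database and the post-failure traceroute
# above: Tunnel 10 enters P2 with label 18, P4 expects 18, Tunnel100 uses 17.
POP, SWAP, PUSH = "pop", "swap", "push"

def build_lfib(protected_link_up):
    """LFIB as {(router, top label): ([(op, label), ...], next router)}."""
    lfib = {
        ("P2", 18): ([(SWAP, 18)], "P4"),    # main LSP over the protected link
        ("P3", 17): ([(POP, None)], "P4"),   # backup tunnel, PHP: P4 sent implicit-null
        ("P4", 18): ([(POP, None)], "PE5"),  # main LSP, PHP towards the tail end
    }
    if not protected_link_up:
        # PLR: swap to the label the MP expects, then push the backup tunnel label.
        lfib[("P2", 18)] = ([(SWAP, 18), (PUSH, 17)], "P3")
    return lfib

def forward(lfib, router="P2", stack=(18,)):
    """Return [(router, label stack on arrival, top first)] for one packet."""
    stack, hops = list(stack), []
    while stack and (router, stack[0]) in lfib:
        hops.append((router, tuple(stack)))
        ops, next_router = lfib[(router, stack[0])]
        for op, label in ops:
            if op == POP:
                stack.pop(0)
            elif op == SWAP:
                stack[0] = label
            else:
                stack.insert(0, label)
        router = next_router
    hops.append((router, tuple(stack)))
    return hops

def stack_at(hops, router):
    """Label stack a given router receives, or None if the packet never gets there."""
    return next((s for r, s in hops if r == router), None)

if __name__ == "__main__":
    for up in (True, False):
        print("link up  " if up else "link down", forward(build_lfib(up)))
```

With the link down the packet reaches P3 with the stack 17/18 and P4 with 18 alone, which is what hops 2 and 3 of the traceroute report.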
To summarize, link protection is achieved by setting up the backup path before the failure. After the failure, the PLR suppresses the teardown message, notifies the headend router that the tunnel is locally protected, and completes the switch from the main path to the backup path.