Understanding Topology-Independent Loop-Free Alternate with Segment Routing for IS-IS
Segment routing enables a router to send a packet along a specific path in the network by imposing a label stack that describes the path. The forwarding actions described by a segment routing label stack do not need to be established on a per-path basis. Therefore, an ingress router can instantiate an arbitrary path using a segment routing label stack and use it immediately without any signaling.
In segment routing, each node advertises mappings between incoming labels and forwarding actions. A specific forwarding action is referred to as a segment and the label that identifies that segment is referred to as a segment identifier (SID). The backup paths created by TI-LFA use the following types of segments:
Node segment—A node segment forwards packets along the shortest path or paths to a destination node. The label representing the node segment (the node SID) is swapped until the destination node is reached.
Adjacency segment—An adjacency segment forwards packets across a specific interface on the node that advertised the adjacency segment. The label representing an adjacency segment (the adjacency SID) is popped by the node that advertised it.
A router can send a packet along a specific path by creating a label stack that uses a combination of node SIDs and adjacency SIDs. Typically, node SIDs are used to represent parts of the path that correspond to the shortest path between two nodes. An adjacency SID is used wherever a node SID cannot be used to accurately represent the desired path.
Loop-free alternate (LFA) and remote LFA (RLFA) have been used to provide fast-reroute protection for several years. With LFA, a point of local repair (PLR) determines whether or not a packet sent to one of its direct neighbors reaches its destination without looping back through the PLR. In a typical network topology, approximately 40 to 60 percent of the destinations can be protected by LFA. Remote LFA expands on the concept of LFA by allowing the PLR to impose a single label to tunnel the packet to a repair tunnel endpoint from which the packet can reach its destination without looping back through the PLR. Using remote LFA, more destinations can be protected by the PLR compared to LFA. However, depending on the network topology, the percentage of destinations protected by remote LFA is usually less than 100 percent.
Topology-independent LFA (TI-LFA) extends the concept of LFA and remote LFA by allowing the PLR to use deeper label stacks to construct backup paths. In addition, TI-LFA imposes the constraint that the backup path used by the PLR be the same path that a packet takes once the interior gateway protocol (IGP) has converged for a given failure scenario. This path is referred to as the post-convergence path.
Using the post-convergence path as the backup path has some desirable characteristics. For some topologies, a network operator only needs to make sure that the network has enough capacity to carry the traffic along the post-convergence path after a failure. In these cases, a network operator does not need to allocate additional capacity to deal with the traffic pattern immediately after the failure while the backup path is active, because the backup path follows the post-convergence path.
Benefits of TI-LFA
The IGP automatically computes the backup path, and the network operator does not have to allocate additional capacity to deal with failures.
Provides redundancy and protects against congestion and link failure.
Easy to configure, and uses the post-convergence path to transmit packets.
Types of TI-LFA Protection
TI-LFA provides protection against link failure, node failure, fate-sharing failures, and shared risk link group failures. In link failure mode, the destination is protected if the link fails. In node protection mode, the destination is protected if the neighbor connected to the primary link fails. To determine the node-protecting post-convergence path, the cost of all the links leaving the neighbor is assumed to increase by a configurable amount.
With fate-sharing protection, a list of fate-sharing groups is configured on each PLR, with the links in each fate-sharing group identified by their respective IP addresses. The PLR associates a cost with each fate-sharing group. The fate-sharing-aware post-convergence path is computed by assuming that the cost of each link in the same fate-sharing group as the failed link has increased by the cost associated with that group.
Starting in Junos OS Release 20.2R1, you can configure Shared Risk Link Group (SRLG) protection in TI-LFA networks for segment routing to choose a fast reroute path that does not include SRLG links in the topology-independent loop-free alternate (TI-LFA) backup paths. Links in an SRLG share a common fiber, so they also share the risk of a broken link. When one link in an SRLG fails, other links in the group might also fail. Therefore, you need to avoid links that share the same risk as the protected link in the backup path. Configuring SRLG protection prevents TI-LFA from selecting backup paths that include a shared risk link. If you have configured SRLG protection, IS-IS computes the fast reroute path that is aligned with the post-convergence path and excludes the links that belong to the SRLG of the protected link. All local and remote links that are from the same SRLG as the protected link are excluded from the TI-LFA backup path. The point of local repair (PLR) sets up the label stack for the fast reroute path with a different outgoing interface. Currently, you cannot enable SRLG protection in IPv6 networks or in networks with multitopology.
In order to construct a backup path that follows the post-convergence path, TI-LFA uses several labels in the label stack that define the backup path. If the number of labels required to construct a particular post-convergence backup path exceeds a certain amount, it is useful in some circumstances to not install that backup path. You can configure the maximum number of labels that a backup path can have in order to be installed. The default value is 3, with a range of 2 through 5.
It is often the case that the post-convergence path for a given failure is actually a set of equal-cost paths. TI-LFA attempts to construct the backup paths to a given destination using multiple equal-cost paths in the post-failure topology. Depending on the topology, TI-LFA might need to use different label stacks to accurately construct those equal-cost backup paths. By default, TI-LFA only installs one backup path for a given destination. However, you can configure the value in the range from 1 through 8.
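The following Python example is added here for illustration and is not Juniper code or the Junos algorithm. It removes the protected link, runs SPF to get the post-convergence path, and encodes that path as node and adjacency segments using the standard P-space/Q-space test, then applies the maximum-labels limit (default 3). The names spf, avoids, repair_list and RING, and the ring topology itself, are assumptions constructed for the example.

```python
import heapq

def spf(g, src):
    """Dijkstra over {node: {neighbor: cost}}; returns (distance, predecessor) maps."""
    dist, prev, pq = {src: 0}, {}, [(0, src)]
    while pq:
        d, u = heapq.heappop(pq)
        if d > dist[u]:
            continue
        for v, c in g[u].items():
            if d + c < dist.get(v, float("inf")):
                dist[v], prev[v] = d + c, u
                heapq.heappush(pq, (d + c, v))
    return dist, prev

def avoids(g, x, y, link):
    """True if every pre-failure shortest path x -> y stays off the protected link."""
    a, b = link
    dx, da, db = spf(g, x)[0], spf(g, a)[0], spf(g, b)[0]
    return dx[y] < min(dx[a] + g[a][b] + db[y], dx[b] + g[b][a] + da[y])

def repair_list(g, plr, link, dest, max_labels=3):
    """Segments the PLR pushes to follow the post-convergence path, or None if too deep."""
    post = {u: {v: c for v, c in nb.items() if {u, v} != set(link)} for u, nb in g.items()}
    prev = spf(post, plr)[1]          # SPF with the protected link removed
    path = [dest]
    while path[-1] != plr:
        path.append(prev[path[-1]])
    path.reverse()
    p = max(i for i, n in enumerate(path) if avoids(g, plr, n, link))   # last P-space node
    q = min(i for i, n in enumerate(path) if avoids(g, n, dest, link))  # first Q-space node
    start = max(p, 1)                 # the PLR reaches path[1] by choosing the interface
    segs = [("node", path[start])] if start > 1 else []
    segs += [("adj", f"{path[i]}->{path[i + 1]}") for i in range(start, q)]
    return segs if len(segs) <= max_labels else None

# Constructed topology: six-node ring, all metrics 10, PLR A protecting link A-B.
RING = {n: {} for n in "ABCDEF"}
for u, v in zip("ABCDEF", "BCDEFA"):
    RING[u][v] = RING[v][u] = 10

if __name__ == "__main__":
    for dest in "BC":
        print(dest, repair_list(RING, "A", ("A", "B"), dest))
```

For destination B the ring has no LFA and no single remote-LFA endpoint, so the repair list needs a node SID plus an adjacency SID; for destination C a single node SID is enough.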
TI-LFA in IPv6 Networks
Starting in Junos OS Release 20.1R1, you can configure TI-LFA with segment routing in an IPv6-only network to provide fast reroute (FRR) backup paths corresponding to the post-convergence path for a given failure. However, you cannot configure fate-sharing protection for IPv6-only networks. To compute backup paths in IPv6-only networks, the IS-IS protocol must advertise the following TLV types:
TLV 233 - IPv6 Global Interface Address
Sub-TLVs 12 and 13 of TLV 22
Although you can configure multiple global IPv6 addresses on an interface, the backup routes are computed for one global interface only.
Starting in Junos OS Release 19.1R1, you can configure a point of local repair (PLR) to create a topology independent loop-free alternate backup path for prefix-SIDs derived from Segment Routing Mapping Server advertisements in an IS-IS network. In a network configured with segment routing, IS-IS uses the Segment Routing Mapping Server advertisements to derive prefix-SIDs. Segment Routing Mapping Server advertisements for IPv6 are currently not supported. To attach flags to Segment Routing Mapping Server advertisements, include the attached, domain-wide-flooding, and no-node-segment statements at the [edit routing-options source-packet-routing mapping-server-entry mapping-server-name] hierarchy level.
Backup paths for prefix-SIDs from Segment Routing Mapping Server advertisements are not created in the following scenarios:
If some hops are present in a non-SR domain.
If the segment routing node is advertising a prefix and a prefix-SID index directly, then Junos OS uses the prefix-SID index and disregards the mapping server advertisement for that prefix.
If a backup path requires an adjacency-SID from the LDP domain, then the backup path cannot be installed.
If the PLR is unable to determine the label mapping using LDP.
Currently, you cannot configure remote LFA and TI-LFA on an SR-LDP stitching node in the same instance. Therefore, you cannot configure both post-convergence-lfa and link-protection on the same device.
Advertisement Flags for TI-LFA
Set the following mapping server advertisement flags to indicate the origin of the advertised prefix:
Label Binding TLV (default value is 0): Attached flag. Include the attached configuration statement to set this flag to 1 to indicate that the prefixes and SIDs advertised in the SID or Label Binding TLV are directly connected to their originators.
Label Binding TLV (default value is 0): Include the domain-wide-flooding configuration statement to set this flag to 1 to indicate that the SID or Label Binding TLV is flooded across the entire routing domain.
Label Binding TLV (default value is 0): Set by a border node when readvertising a SID or Label Binding TLV to indicate that the SID or Label Binding TLV is leaked from level 2 to level 1.
Prefix-SID sub-TLV (default value is 1): Include the no-node-segment configuration statement to set this flag to 0 to indicate that the prefix has originated from a single node.