Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring Ethernet OAM Connectivity Fault Management

SUMMARY This section describes Connectivity Fault Management (CFM), configuration of continuity check protocol, link trace protocol, creating a maintenance domain, and configuration of Ethernet OAM CFM on a security device.

Ethernet interfaces on SRX Series devices support the IEEE 802.1ag standard for Operation, Administration, and Management (OAM). The 802.1ag is an IEEE standard for connectivity fault management (CFM).

Understanding Ethernet OAM Connectivity Fault Management

Ethernet interfaces on SRX Series devices support the IEEE 802.1ag standard for Operation, Administration, and Management (OAM). The 802.1ag is an IEEE standard for connectivity fault management (CFM). The IEEE 802.1ag provides a specification for Ethernet CFM. The Ethernet network can consist of one or more service instances. A service instance could be a VLAN or a concatenation of VLANs. The goal of CFM is to provide a mechanism to monitor, locate, and isolate faulty links.

Note:

Support for the IEEE 802.1ag standard for OAM on SRX Series devices depends on the Junos OS release running on the device.

Starting in Junos OS Release 15.1X49-D80, Ethernet OAM CFM is supported on SRX1500 devices.

Starting in Junos OS Release 15.1X49-D75, Ethernet OAM CFM is supported on SRX300, SRX320, SRX340, SRX345, and SRX550M devices.

Ethernet OAM CFM is not supported from Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D70.

CFM support includes the following features:

  • Fault monitoring using the Continuity Check Protocol. This is a neighbor discovery and health check protocol that discovers and maintains adjacencies at the VLAN or link level.

  • Path discovery and fault verification using the Link Trace protocol. This feature is not supported in Junos OS Release 12.3X48-D65.

  • Fault isolation using the Loopback protocol.

    The Loopback protocol is used to check access to maintenance association end points (MEPs) under the same maintenance association (MA). The Loopback messages are triggered by an administrator using the ping ethernet command.

Note:

Virtual private LAN service (VPLS) is not supported on SRX100, SRX110, SRX210, SRX220, SRX240, SRX300, SRX320, SRX340, SRX345, SRX380, SRX550M, SRX1400, and SRX1500 devices.

CFM partitions the service network into various administrative domains. For example, operators, providers, and customers might be part of different administrative domains. Each administrative domain is mapped into one maintenance domain providing enough information to perform its own management, thus avoiding security breaches and making end-to-end monitoring possible.

In a CFM maintenance domain, each service instance is called a maintenance association. A maintenance association can be thought of as a full mesh of maintenance association end points (MEPs) having similar characteristics. MEPs are active CFM entities generating and responding to CFM protocol messages. There is also a maintenance association intermediate point (MIP), which is a CFM entity similar to the MEP, but more passive (MIPs only respond to CFM messages).

Each maintenance domain is associated with a maintenance domain level from 0 through 7. Level allocation is based on the network hierarchy, where outer domains are assigned a higher level than the inner domains. You configure customer end points to have the highest maintenance domain level. The maintenance domain level is a mandatory parameter that indicates the nesting relationships between various maintenance domains. The level is embedded in each CFM frame. CFM messages within a given level are processed by MEPs at that same level.

To enable CFM on an Ethernet interface, you must configure maintenance domains, maintenance associations, and MEPs.

The limitations for CFM are as follows:

  • You cannot configure MEP and MIP on the same VLAN.

  • CFM and link fault management (LFM) can be configured on the same interface.

  • You cannot configure CFM with Generic VLAN Registration Protocol (GVRP).

  • CFM is not supported on VoIP VLAN ports.

  • On SRX240, and SRX550M devices, the default Loopback message (LBM) packet size is 113 bytes.

Benefits of Ethernet CFM

Ethernet CFM provides the following benefits:

  • End-to-end service-level OAM technology

  • Reduced operating expense for service provider Ethernet networks

  • Competitive advantage for service providers

CFM over VDSL and PPPoE interfaces for SRX210, SRX220, SRX240, SRX320, SRX340, SRX345, SRX380, SRX550, and SRX550M Devices

Starting in Junos OS Release 12.3X48-D65, on SRX210, SRX220, SRX240, and SRX550 devices, Operation, Administration, and Maintenance (OAM) connectivity fault management (CFM) is supported on very-high-bit-rate digital subscriber line (VDSL) and Point-to-Point Protocol over Ethernet (PPPoE) interfaces in addition to Ethernet interfaces.

CFM over VDSL should be configured on the pt interface. To support CFM over PPPoE, you need to configure maintenance domain and maintenance association end point (MEP). The CFM over VDSL interface supports down direction MEP, continuity check, and loopback protocols.

The following are the limitations when configuring Ethernet CFM over VDSL or Layer 3 interface:

  • CFM action profiles are not supported on the Point-to-Point Protocol over Ethernet (PPPoE) logical interface on SRX210, SRX220, SRX240, SRX550, and SRX650 devices.

  • Synthetic loss measurement on demand is supported only on SRX320, SRX340, SRX345, and SRX550M devices. Proactive synthetic loss measurement is not supported.

  • When CFM over PPPoE is implemented, CFM must be applied on the PPPoE logical interface and not on the underlying interface.

  • CFM over VDSL can be implemented as a MEP but not as a MIP.

  • CFM higher-level pass-through over a VDSL or Gigabit Ethernet interface in Layer 3 interface mode is not supported.

  • For a VLAN-tagged VDSL interface, CFM must always be applied on the respective logical interface and not over the physical interface.

  • When CFM is enabled on VDSL, CFM packets are dropped randomly, causing CFM sessions to flap based on the timer when transit traffic exceeds the line rate. Flapping occurs because the VDSL Mini-Physical Interface Module (Mini-PIM) cannot differentiate and prioritize CFM packets.

Configuring the Continuity Check Protocol on a Security Device

The Continuity Check Protocol is used for fault detection by a maintenance association end point (MEP) within a maintenance association. The MEP periodically sends continuity check multicast messages. The receiving MEPs use the continuity check messages (CCMs) to build a MEP database of all MEPs in the maintenance association.

Starting in Junos OS Release 12.3X48-D65, on SRX210, SRX220, SRX240, and SRX550 devices, the continuity check protocol for Ethernet Operation, Administration, and Management (OAM) connectivity fault management is supported over VDSL and PPPoE interfaces in addition to Ethernet interfaces.

Starting in Junos OS Release 15.1X49-D80, the continuity check protocol for Ethernet OAM CFM is supported on SRX1500 devices.

Starting in Junos OS Release 15.1X49-D75, the continuity check protocol for Ethernet OAM CFMis supported on SRX300, SRX320, SRX340, SRX345, and SRX550M devices.

The continuity check protocol for Ethernet OAM CFM is not supported from Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D70.

To configure the Continuity Check Protocol:

  1. Enable the Continuity Check Protocol.
  2. Specify the continuity check hold interval. The hold interval is the number of minutes to wait before flushing the MEP database if no updates occur. The default value is 10 minutes (not supported in Junos OS Release 12.3X48-D60).
  3. Specify the CCM interval. The interval is the time between the transmission of CCMs. You can specify 10 minutes (10m), 1 minute (1m), 10 seconds (10s), 1 second (1s), or 100 milliseconds (100ms).
  4. Specify the number of CCMs (that is, protocol data units) that can be lost before the MEP is marked as down. The default number of protocol data units (PDUs) is 3.
Note:

If the CCM interval is 100 milliseconds, only four MEPs are supported on a device.

Creating a Maintenance Domain on a Security Device

A maintenance domain consists of network entities such as operators, providers, and customers. A maintenance domain is a management space for managing and administering a network. A domain is owned and operated by a single entity and defined by the set of ports internal to it and at its boundary. Each maintenance domain is associated with a maintenance domain level from 0 through 7. Level allocation is based on the network hierarchy, where outer domains are assigned a higher level than the inner domains. You configure customer end points to have the highest maintenance domain level. The maintenance domain level is a mandatory parameter that indicates the nesting relationships between various maintenance domains.

To enable connectivity fault management (CFM) on an Ethernet interface, maintenance domains, maintenance associations, and maintenance association end points (MEPs) must be created and configured.

Starting in Junos OS Release 12.3X48-D65, on SRX210, SRX220, SRX240, and SRX550 devices, creating a maintenance domain for Ethernet OAM CFM is supported over VDSL and PPPoE interfaces in addition to Ethernet interfaces.

Starting in Junos OS Release 15.1X49-D80, creating a maintenance domain for Ethernet OAM CFM is supported on SRX1500 devices.

Starting in Junos OS Release 15.1X49-D75, creating a maintenance domain for Ethernet OAM CFM is supported on SRX300, SRX320, SRX340, SRX345, and SRX550M devices.

Creating a maintenance domain for Ethernet OAM CFM is not supported from Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D70.

To create a maintenance domain:

  1. Specify a name for the maintenance domain.

  2. Specify a format for the maintenance domain name. If you do not specify a format, no name is configured.

    • A plain ASCII character string

    • A Domain Name System (DNS) format

    • A media access control (MAC) address plus a two-octet identifier in the range 0 through 65,535

    • None

    For example, to specify the name format as a MAC address plus a two-octet identifier:

    [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name]

    user@host# set name-format mac+2oct

  3. Configure the maintenance domain level, which is used to indicate the nesting relationship between this domain and other domains. Use a value from 0 through 7.

    [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name]

    user@host# set level level-number

Configuring a Maintenance Domain MIP Half Function on a Security Device

Starting in Junos OS Release 15.1X49-D80, configuring a maintenance domain MIP half function for Ethernet OAM connectivity fault management is supported on SRX1500 devices.

Starting in Junos OS Release 15.1X49-D75, configuring a maintenance domain MIP half function for Ethernet OAM connectivity fault management is supported on SRX300, SRX320, SRX340, SRX345, and SRX550M devices.

Configuring a maintenance domain MIP half function for Ethernet OAM connectivity fault management is not supported from Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D70.

MIP half function (MHF) divides the maintenance association intermediate point (MIP) functionality into two unidirectional segments, improves visibility with minimal configuration, and improves network coverage by increasing the number of points that can be monitored. MHF extends monitoring capability by responding to loopback and Link Trace messages to help isolate faults. Whenever a MIP is configured, the MIP half function value for all maintenance domains and maintenance associations must be the same.

To configure the MIP half function:

Note:
  • If SRX340, or SRX345 devices are configured as MIPs, ensure that a static MAC is configured in the Ethernet switching table with the next-hop interface to the MEP MAC.

  • You cannot configure MIP in a nondefault domain.

  • In Q-in-Q mode, double tag packets are not retained by MIP.

  • A maximum of 116 MIPs can be configured on a device.

Creating a Maintenance Association on a Security Device

In a connectivity fault management (CFM) maintenance domain, each service instance is called a maintenance association. A maintenance association can be thought of as a full mesh of maintenance association end points (MEPs) having similar characteristics.

Starting in Junos OS Release 12.3X48-D65, on SRX210, SRX220, SRX240, and SRX550 devices, creating a maintenance association for Ethernet OAM connectivity fault management is supported over VDSL and PPPoE interfaces in addition to Ethernet interfaces.

Starting in Junos OS Release 15.1X49-D80, creating a maintenance association for Ethernet OAM CFM is supported on SRX1500 devices.

Starting in Junos OS Release 15.1X49-D75, creating a maintenance association for Ethernet OAM CFM is supported on SRX300, SRX320, SRX340, SRX345, and SRX550M devices.

Creating a maintenance association for Ethernet OAM CFM is not supported from Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D70.

To create a maintenance association:

Note:

On SRX210, SRX220, SRX240, SRX300, SRX320, SRX340, SRX345, SRX380, SRX550, SRX550M, and SRX650 devices, a maximum of seven maintenance associations are supported.

Configuring a Maintenance Association End Point on a Security Device

Starting in Junos OS Release 12.3X48-D65, on SRX210, SRX220, SRX240, and SRX550 devices, configuring a maintenance association end point for Ethernet OAM CFM is supported over VDSL and PPPoE interfaces in addition to Ethernet interfaces.

Starting in Junos OS Release 15.1X49-D80, configuring a maintenance association end point for Ethernet OAM CFM is supported on SRX1500 devices.

Starting in Junos OS Release 15.1X49-D75, configuring a maintenance association end point for Ethernet OAM CFM is supported on SRX300, SRX320, SRX340, SRX345, and SRX550M devices.

Configuring a maintenance association end point for Ethernet OAM CFM is not supported from Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D70.

To configure a MEP:

  1. Specify an ID for the MEP. The value can be from 1 through 8191.

  2. Enable MEP automatic discovery if you want to have the MEP accept continuity check messages (CCMs) from all remote MEPs of the same maintenance association.
  3. Specify that CFM CCM packets be transmitted only in one direction for the MEP. That is, set the direction as down so that CCMs are transmitted only out of (not into) the interface configured on this MEP.
  4. Specify the logical interface to which the MEP is attached. It can be either an access interface or a trunk interface. If you specify a trunk interface, the VLAN associated with that interface must have a VLAN ID.

  5. Configure a remote MEP from which CCMs are expected. If automatic discovery is not enabled, the remote MEP must be configured under the mep statement; otherwise, the CCMs from the remote MEP will be treated as errors.
Note:

You cannot configure MEPs at different levels for the same VLANs.

Example: Configuring Ethernet OAM Connectivity Fault Management on a Security Device

Starting in Junos OS Release 15.1X49-D80, Ethernet OAM connectivity fault management is supported on SRX1500 devices.

Starting in Junos OS Release 15.1X49-D75, Ethernet OAM connectivity fault management is supported on SRX300, SRX320, SRX340, SRX345, and SRX550M devices.

Ethernet OAM connectivity fault management is not supported from Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D70.

Connectivity Fault Management (CFM) provides a mechanism to monitor, locate, and isolate faulty links.

This example describes how to enable and configure an end-to-end OAM CFM session on an Ethernet interface.

Requirements

This example uses the following hardware and software components:

  • Three SRX Series devices connected by a point-to-point Ethernet link.

  • Junos OS Release 12.1X44-D10 or later for SRX Series devices.

Overview

Ethernet interfaces on SRX Series devices support the IEEE 802.1ag standard for Operation, Administration, and Management (OAM). The IEEE 802.1ag specification provides a specification for Ethernet connectivity fault management (CFM). CFM can be used to detect faults in the network path between the customer premises devices. It also helps in detecting the device or node in the provider network, where the failure occurred.

This example describes how to configure an end to end CFM session. In this example, three devices are connected by a point-to-point Ethernet link. The link between these devices is monitored using CFM. To check connectivity or fault through the provider network, maintenance intermediate point (MIP) is configured.

Topology

Figure 1 shows three SRX Series devices connected by a point-to-point Ethernet link.

Figure 1: Ethernet CFM with SRX Series Devices Ethernet CFM with SRX Series Devices

Configuring Ethernet OAM Connectivity Fault Management

Configuring Ethernet OAM Connectivity Fault Management on Device 1

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To enable and configure OAM CFM on device 1:

  1. Define a VLAN and enable the interface for family Ethernet switching with interface mode trunk or access.

  2. Specify the maintenance domain name and the maintenance domain level.

  3. Create a maintenance association and configure MEP.

  4. Enable MEP automatic discovery.

  5. Enable the Continuity Check Protocol and specify the continuity check interval and hold interval.

Results

From configuration mode, confirm your configuration by entering the show protocols command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show protocols command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Configuring Ethernet OAM CFM with MIP Half Function on Device 2

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure MIP half function:

  1. Define a VLAN and enable the interface for family Ethernet switching with interface mode trunk or access.

  2. Create a maintenance domain and configure VLAN.

  3. Create a MIP half function.

    Note:

    If you want to configure traceoptions, run the following commands:

Results

From configuration mode, confirm your configuration by entering the show protocols command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Configuring Ethernet OAM Connectivity Fault Management on Device 3

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To enable and configure OAM CFM on Device 3:

  1. Define a VLAN and enable the interface for family Ethernet switching with interface mode trunk or access.

  2. Specify the maintenance domain name and the maintenance domain level.

  3. Create a maintenance association and configure MEP.

  4. Enable MEP automatic discovery.

  5. Enable the Continuity Check Protocol and specify the continuity check interval and hold interval.

Results

From configuration mode, confirm your configuration by entering the show protocols command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the OAM CFM Configuration on Device 1

Purpose

Verify that OAM CFM has been configured properly.

Action

From operational mode, enter the following commands:

  • show oam ethernet connectivity-fault-management adjacencies to display connectivity-fault-management adjacencies.

  • show oam ethernet connectivity-fault-management interfaces to display the Ethernet OAM information for the specified interface.

These commands produce the following sample output:

Meaning
  • If the show oam ethernet connectivity-fault-management interfaces detail command output displays continuity-check status as enabled and displays details of the remote MEP, it means that connectivity fault management (CFM) was configured properly.

  • If the show oam ethernet connectivity-fault-management adjacencies command output displays the state as ok, it indicates that the Continuity Check Protocol is up.

Verifying the OAM CFM Configuration with MIP Half Function on Device 2

Purpose

Verify that OAM CFM has been configured properly.

Action

From operational mode, run the show oam ethernet connectivity-fault-management mip command.

Meaning

The show oam ethernet connectivity-fault-management mip command output displays the MIP information.

Verifying the OAM CFM Configuration on Device 3

Purpose

Verify that OAM CFM has been configured properly.

Action

From operational mode, enter the following commands:

  • show oam ethernet connectivity-fault-management adjacencies to display connectivity-fault-management adjacencies.

  • show oam ethernet connectivity-fault-management interfaces to display the Ethernet OAM information for the specified interface.

Meaning
  • If the show oam ethernet connectivity-fault-management interfaces detail command output displays continuity-check status as enabled and displays details of the remote MEP, it means that connectivity fault management (CFM) was configured properly.

  • If the show oam ethernet connectivity-fault-management adjacencies command output displays the state as ok, it indicates that the Continuity Check Protocol is up.

Verifying the Path Using the Link Trace Protocol

Purpose

Verify the path between maintenance endpoints.

Action

From operational mode, enter the traceroute ethernet command.

Verifying MEP Continuity Using Ping

Purpose

Verify access to MEPs under the same maintenance association.

Action

From operational mode, enter the ping ethernet command.