Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring Loop-Free Alternate Routes for OSPF

Per Prefix Loop Free Alternates for OSPF

In certain topologies and usage scenarios, when multiple destinations originate the same prefix and there is no viable LFA to the best prefix originator, whilst a non-best prefix originator has one. Per-prefix LFA is a technology by which, the LFA to a non-best prefix originator can be used in lieu of the LFA to the best prefix originator to provide local repair. This can be used to increase the local repair coverage for the OSPF protocol also.

Per-Prefix Loop Free Alternates (LFA)—Loop Free Alternates (LFA) is a technology by which a neighbor can be used as a backup next hop to provide a local repair path for the traffic to flow temporarily in case of failures in the primary next hop (node or link). For this, the basic requirement is that the selected backup neighbor provides a loop free path with respect to primary next hop towards a destination, originating a set of interior gateway protocol (IGP) prefixes.

The following topology explains the deployment case where per prefix LFA feature is applicable.

Figure 1: Per-Prefix LFA Usage ScenarioPer-Prefix LFA Usage Scenario

ABR1 and ABR2 are area boundary routers (ABRs), dual homed to an IPv6 core network, which advertises the summary LSA for the prefix 10.0.1.0/24 with a metric of 10. Also, from PE router’s perspective, ABR1 is the best prefix originator for 10.0.1.0/24. In this case, P2 is not a valid LFA for ABR1 because of the equal cost multi paths (ECMP) {P2, PE, P1, ABR1} and {P2, ABR2, ABR1} causing some of the traffic to be looped back through the router PE (no valid LFA). However for ABR2, which is also a prefix originator for 10.0.1.0/24, P2 is a valid LFA because the only path is {P2, ABR2}.

Configuring Per-Prefix LFA for OSPF

Per prefix LFA is a mechanism by which LFA to a non-best prefix originator can be used in lieu of the LFA to the best prefix originator to provide local repair. In such cases, per prefix LFA can be used to increase the local repair coverage for the OSPF protocol.

Loop Free Alternates (LFA) is a mechanism by which a neighbor can be used as a backup next hop to provide a local repair path for the traffic to flow temporarily in case of failures in the primary next hop (node or link). For this the basic requirement is that the selected backup neighbor provides a loop free path with respect to primary next hop towards a destination originating a set of IGP prefixes. In certain topologies and usage scenarios, it may be possible that multiple destinations are originating the same prefix and there is no viable LFA to the best prefix originator, whilst a non-best prefix originator has one. Per prefix LFA is a mechanism by which LFA to a non-best prefix originator can be used in lieu of the LFA to the best prefix originator to provide local repair. In such cases, per prefix LFA can be used to increase the local repair coverage for the OSPF protocol.

To configure per prefix LFA for an OSPF interface:

Configure the per-prefix-calculation configuration statement at the [edit protocols (ospf | ospf3) backup-spf-options] hierarchy level.

Loop-Free Alternate Routes for OSPF Overview

Support for OSPF loop-free alternate routes essentially adds IP fast-reroute capability for OSPF. Junos OS precomputes loop-free backup routes for all OSPF routes. These backup routes are preinstalled in the Packet Forwarding Engine, which performs a local repair and implements the backup path when the link for a primary next hop for a particular route is no longer available. With local repair, the Packet Forwarding Engine can correct a path failure before it receives precomputed paths from the Routing Engine. Local repair reduces the amount of time needed to reroute traffic to less than 50 milliseconds. In contrast, global repair can take up to 800 milliseconds to compute a new route. Local repair enables traffic to continue to be routed using a backup path until global repair is able to calculate a new route.

A loop-free path is one that does not forward traffic back through the routing device to reach a given destination. That is, a neighbor whose shortest path first to the destination traverses the routing device that is not used as a backup route to that destination. To determine loop-free alternate paths for OSPF routes, Junos OS runs shortest-path-first (SPF) calculations on each one-hop neighbor. You can enable support for alternate loop-free routes on any OSPF interface. Because it is common practice to enable LDP on an interface for which OSPF is already enabled, this feature also provides support for LDP label-switched paths (LSPs.)

Note:

If you enable support for alternate loop-free routes on an interface configured for both LDP and OSPF, you can use the traceroute command to trace the active path to the primary next hop.

The level of backup coverage available through OSPF routes depends on the actual network topology and is typically less than 100 percent for all destinations on any given routing device. You can extend backup coverage to include RSVP LSP paths.

Junos OS provides three mechanisms for route redundancy for OSPF through alternate loop-free routes:

  • Link protection—Offers per-link traffic protection. Use link protection when you assume that only a single link might become unavailable but that the neighboring node on the primary path would still be available through another interface.

  • Node-link protection—Establishes an alternate path through a different routing device altogether. Use node-link protection when you assume that access to a node is lost when a link is no longer available. As a result, Junos OS calculates a backup path that avoids the primary next-hop routing device.

  • Per-prefix loop-free alternates (LFAs)—It is a technology by which a neighbor can be used as a backup next hop to provide a local repair path for the traffic to flow temporarily in case of failures in the primary next hop (node or link). For this, the basic requirement is that the selected backup neighbor provides a loop-free path with respect to a primary next hop towards a destination, originating a set of interior gateway protocol (IGP) prefixes.

    In certain topologies and usage scenarios, it may be possible that multiple destinations are originating the same prefix and there is no viable LFA to the best prefix originator, while a non-best prefix originator has a viable LFA. Per-prefix LFA is a mechanism by which LFA to a non-best prefix originator can be used in lieu of the LFA to the best prefix originator to provide local repair. In such cases, per prefix LFA can be used to increase the local repair coverage for the OSPF protocol.

When you enable link protection or node-link protection on an OSPF interface, Junos OS creates an alternate path to the primary next hop for all destination routes that traverse a protected interface.

Excluding an OSPF Interface as a Backup for a Protected Interface

By default, all OSPF interfaces that belong to the default instance or to a specific routing instance are eligible as a backup interface for interfaces configured with link-protection or node-link protection. You can specify that any OSPF interface be excluded from functioning as a backup interface to protected interfaces.

To exclude an OSPF interface as a backup interface for a protected interface:

  • Include the no-eligible-backup statement at the [edit protocols (ospf | ospf3) area area-id interface interface-name] hierarchy level.

In the following example, interface so-0/0/0.0 has been configured to prohibit backup traffic for traffic destined for a protected interface. This means that if a neighboring next-hop path or node for a protected interface fails, interface so-0/0/0.0 cannot be used to transmit traffic to a backup path.

Configuring Backup SPF Options for Protected OSPF Interfaces

By default, if at least one OSPF interface is configured for link-protection or node-link protection, Junos OS calculates backup next hops for all the topologies in an OSPF instance. You can configure the following backup shortest-path-first (SPF) options to override the default behavior:

  • Disable the calculation of backup next hops for an OSPF instance or a specific topology in an instance.

  • Prevent the installation of backup next hops in the routing table or the forwarding table for an OSPF instance or a specific topology in an instance.

  • Limit the calculation of backup next hops to a subset of paths as defined in RFC 5286, Basic Specification for IP Fast Reroute: Loop-Free Alternates.

You can disable the backup SPF algorithm for an OSPF instance or specific topology in an instance. Doing so prevents the calculation of backup next hops for that OSPF instance or topology.

To disable the calculation of backup next hops for an OSPF instance or topology:

  • Include the disable statement at the [edit protocols (ospf | ospf3) backup-spf-options] or [edit protocols ospf backup-spf-options topology topology-name] hierarchy level.

In the following example, the calculation of backup next hops is disabled for the OSPF topology voice:

You can configure the routing device to prevent the installation of backup next hops in the routing table or the forwarding table for an OSPF instance, or a specific topology in an OSPF instance. The SPF algorithm continues to calculate backup next hops, but they are not installed.

To prevent the routing device from installing backup next hops in the routing table or the forwarding table:

  • Include the no-install statement at the [edit protocols (ospf | ospf3) backup-spf-options] or the [edit protocols ospf topology topology-name] hierarchy level.

In the following example, backup next hops for the OSPF topology voice are not installed in the routing table or forwarding table. Any calculated backup next hops for other OSPF instances or topologies continue to be installed.

You can limit the calculation of backup next hops to downstream paths, as defined in RFC 5286. You can specify for Junos OS to use only downstream paths as backup next hops for protected interfaces for an OSPF instance or a specific topology in an OSPF instance. In a downstream path, the distance from the backup neighbor to the destination must be smaller than the distance from the calculating routing device to the destination. Using only downstream paths as loop-free alternate paths for protected interfaces ensures that these paths do not result in microloops. However, you might experience less than optimal backup coverage for your network.

To limit the calculation of backup next hops to downstream paths:

  • Include the downstream-paths-only statement at the [edit protocols (ospf | ospf3) backup-spf-options] or [edit protocols ospf backup-spf-options topology topology-name] hierarchy level.

In the following example, only downstream paths are calculated as backup next hops for the topology voice:

Configuring RSVP Label-Switched Paths as Backup Paths for OSPF

When configuring an OSPF interface for link protection or node-link protection, relying on the shortest-path-first (SPF) calculation of backup paths for one-hop neighbors might result in less than 100 percent backup coverage for a specific network topology. You can enhance coverage of OSPF and LDP label-switched-paths (LSPs) by configuring RSVP LSPs as backup paths.

When configuring an LSP, you must specify the IP address of the egress router.

Note:

RSVP LSPs can be used as backup paths only for the default topology for OSPFv2 and not for a configured topology. Additionally, RSVP LSP cannot be used a backup paths for non-default instances for OSPFv2 or OSPFv3.

To configure a specific RSVP LSP as a backup path:

  1. Include the backup statement at the [edit protocols mpls labeled-switched-path lsp-name] hierarchy level.
  2. Specify the address of the egress router by including the to ip-address statement at the [edit protocols mpls label-switched-path] hierarchy level.

In the following example, the RSVP LSP f-to-g is configured as a backup LSP for protected OSPF interfaces. The egress router is configured with the IP address 192.168.1.4.

Example: Configuring Loop-Free Alternate Routes for OSPF

This example demonstrates the use of link protection for interfaces that have OSPF enabled.

When you enable link protection, Junos OS creates an alternate path to the primary next hop for all destination routes that traverse a protected interface. Use link protection when you assume that only a single link might become unavailable but that the neighboring node would still be available through another interface.

Requirements

No special configuration beyond device initialization is required before configuring this example.

Overview

In this example, six OSPF neighbors are configured with link protection. This causes Junos OS to create an alternate path to the primary next hop for all destination routes that traverse each protected interface. Link protection is used here because even if a link becomes unavailable, the neighboring node would still be available through another interface.

The example shows two topologies. One is the default topology, and the other is the voice topology. For more information about multitopology routing, see the Multitopology Routing User Guide.

The example also includes RSVP LSPs configured as backup LSPs for protected OSPF interfaces.

Topology

Figure 2 shows the sample network.

Figure 2: OSPF Link ProtectionOSPF Link Protection

CLI Quick Configuration shows the configuration for all of the devices in Figure 2.

The section #d270e65__d270e783 describes the steps on Device R1.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Device R1

Device R2

Device R3

Device R4

Device R5

Device R6

Procedure

Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Device R1:

  1. Configure the device interfaces.

  2. Extend backup coverage to include RSVP LSP paths.

  3. Enable MPLS on the interfaces, and configure backup LSPs to Device R3.

  4. Configure OSPF connections, link metrics, and link protection.

  5. (Optional) Configure a specific OSPF topology for voice traffic.

  6. Enable LDP on the interfaces.

  7. (Optional) Configure per-packet load balancing.

  8. Configure the routing protocol process (rpd) to request an acknowledgement when creating a new forwarding next hop.

    We recommend that the indirect-next-hop-change-acknowledgements statement be configured when protection mechanisms are being used. This includes MPLS RSVP protection such as fast reroute (FRR) as well as interior gateway protocol (IGP) loop-free alternate (LFA) link or node protection.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show protocols, show policy-options, and show routing-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Routes on Device R1

Purpose

On Device R1, check the OSPF routes in the routing table.

Action
Meaning

As expected, Device R1 has multiple potential routes to each destination.

Checking the Backup Coverage

Purpose

On Device R1, use the show (ospf | ospf3) backup coverage command to check the level of backup coverage available for all the nodes and prefixes in the network.

Action

Checking the Backup LSPs

Purpose

On Device R1, use the show (ospf | ospf3) backup lsp command to check LSPs designated as backup routes for OSPF routes.

Action

Checking the Backup Neighbors

Purpose

On Device R1, use the show (ospf | ospf3) backup neighbor command to check the neighbors through which direct next hops for the backup paths are available.

Action

Checking the SPF Calculations

Purpose

On Device R1, use the show (ospf | ospf3) backup spf detail command to check OSPF shortest-path-first (SPF) calculations for backup paths. To limit the output, the voice topology is specified in the command.

Action

Remote LFA over LDP Tunnels in OSPF Networks Overview

In an OSPF network, a loop free alternate (LFA) is a directly connected neighbor that provides precomputed backup paths to the destinations reachable through the protected link on the point of local repair (PLR). A remote LFA is not directly connected to the PLR and provides precomputed backup paths using dynamically created LDP tunnels to the remote LFA node. The PLR uses this remote LFA backup path when the primary link fails. The primary goal of the remote LFA is to increase backup coverage for the OSPF networks and provide protection for Layer 1 metro-rings.

LFAs do not provide full backup coverage for OSPF networks. This is a major setback for metro Ethernet networks that are often shaped as ring topologies. To overcome this setback, Resource Reservation Protocol - Traffic Engineering (RSVP-TE) backup tunnels are commonly used to extend the backup coverage. However, a majority of network providers have already implemented LDP as the MPLS tunnel setup protocol and do not want to implement the RSVP-TE protocol merely for backup coverage. LDP automatically brings up transport tunnels to all potential destinations in an OSPF network and hence is the preferred protocol. The existing LDP implemented for the MPLS tunnel setup can be reused for protection of OSPF networks and subsequent LDP destinations, thereby eliminating the need for RSVP-TE backup tunnels for backup coverage.

To calculate the remote LFA backup path, the OSPF protocol determines the remote LFA node in the following manner:

  1. Calculates the reverse shortest path first from the adjacent router across the protected link of a PLR. The reverse shortest path first uses the incoming link metric instead of the outgoing link metric to reach a neighboring node.

    The result is a set of links and nodes, which is the shortest path from each leaf node to the root node.

  2. Calculates the shortest path first (SPF) on the remaining adjacent routers to find the list of nodes that can be reached without traversing the link being protected.

    The result is another set of links and nodes on the shortest path from the root node to all leaf nodes.

  3. Determines the common nodes from the above results. These nodes are the remote LFAs.

OSPF listens to the advertised labels for the LDP routes. For each advertised LDP route, OSPF checks whether it contains an LDP supplied next hop. If the corresponding OSPF route does have a backup next hop, then OSPF runs the backup policy and adds an additional tracking route with the corresponding LDP label-switched path next hop as the backup next hop. If there are no backup next hops, LDP builds a dynamic LDP tunnel to the remote LFA, and LDP establishes a targeted adjacency between the remote LFA node and the PLR node. This backup route has two LDP labels. The top label is the OSPF route, which denotes the backup path from the PLR to the remote LFA route. The bottom label is the LDP MPLS label-switched path that denotes the route for reaching the ultimate destination from the remote LFA. When an LDP session goes down and a remote tunnel is no longer available, OSPF changes all the routes that have been using this backup LDP tunnel.

Note:

Currently, Junos OS supports only IPv4 transport LSPs. If you need to reuse IPv4 transport LSPs for IPv6 IGP networks, add an IPv6 explicit NULL label to the label stack of the tracking route. The system automatically converts the IPv4 LSP to an IPv6 LSP.

LDP might be vulnerable by an automatically targeted adjacency, and these threats can be mitigated using all or some of the following mechanisms:

  • Remote LFAs that are several hops away use extended hello messages to indicate willingness to establish a targeted LDP session. A remote LFA can reduce the threat of spoofed extended hello messages by filtering them and accepting only those originating at sources permitted by an access or filter list.

  • There is a need to authenticate with TCP-MD5 all auto-targeted LDP sessions in the given IGP/LDP domain using apply groups or LDP global-level authentication.

  • As an added security measure, the repair or remote tunnel endpoint routers should be assigned from a set of addresses that are not reachable from outside of the routing domain.

Configuring Remote LFA Backup over LDP Tunnels in an OSPF Network

The primary goal of a remote loop free alternate (LFA) is to increase backup coverage for OSPF routes and provide protection especially for Layer 1 metro-rings. The existing LDP implemented for the MPLS tunnel setup can be reused for protection of OSPF networks and subsequent LDP destinations. The OSPF protocol creates a dynamic LDP tunnel to reach the remote LFA node from the point of local repair (PLR). The PLR uses this remote LFA backup path when the primary link fails.

Before you configure remote LFA over LDP tunnels in an OSPF network, you must do the following:

  1. Enable LDP on the loopback interface.

    Configure a loopback interface because an LDP targeted adjacency cannot be formed without a loopback interface. LDP targeted adjacency is essential for determining remote LFA backup paths.

  2. Make sure that remote LFA allows asymmetric remote neighbor discovery—that is, it must send periodic targeted hello messages to the router that initiated the remote neighbor for LDP auto-targeted adjacency.

  3. Configure link protection or node-link protection on the PLR.

To configure remote LFA backup over LDP tunnels in an OSPF network:

  1. Enable remote LFA backup to determine the backup next hop using dynamic LDP label-switched path.
  2. Enable automatically targeted LDP sessions using the loopback addresses between the PLR and the remote LFA node.
  3. Specify a time interval for which the targeted LDP sessions are kept up even after the remote LFA node goes down.

    For example, to set a teardown delay value of 60 seconds:

  4. Specify the maximum number of automatically targeted LDP sessions to optimize memory usage.

    For example, to set a maximum sessions allowed to 20:

Example: Configuring Remote LFA Over LDP Tunnels in OSPF Networks

In an OSPF network, a loop free alternate(LFA) is a directly connected neighbor that provides precomputed backup paths to the destinations reachable via the protected link on the point of local repair (PLR). A remote LFA is not directly connected to the PLR and provides precomputed backup paths using dynamically created LDP tunnels to the remote LFA node. The PLR uses this remote LFA backup path when the primary link fails. The primary goal of the remote LFA is to increase backup coverage for the OSPF networks and provide protection for Layer 1 metro-rings. This example shows how to configure remote LFA for LDP tunnels in an OSPF network for extending backup protection.

Requirements

This example uses the following hardware and software components:

  • Nine MX Series routers with OSPF protocol and LDP enabled on the connected interfaces.

  • Junos OS Release 15.1 or later running on all devices.

Before you configure remote LFA over LDP tunnels in an OSPF networks, make sure of the following:

  • LDP is enabled on the loopback interface. Without a loopback interface, LDP targeted adjacency cannot be formed. Remote LFA cannot be configured without LDP targeted adjacency.

  • Remote LFA must allow asymmetric remote neighbor discovery, that is, it must send periodic targeted hellos to the router that initiated the remote neighbor for LDP auto targeted adjacency.

  • Link protection or node-link protection must be configured on the point of local repair (PLR).

Overview

The example includes nine routers in a ring topology. Configure the OSPF protocol on the directly connected interfaces. Device R6 is the PLR. This example verifies that Junos OS updates the routing table of Device R6 with LDP next-hop routes as the backup route.

Topology

In the topology Figure 3 shows the remote LFA over LDP tunnels in OSPF networks is configured on Device R6.

Figure 3: Example Remote LFA over LDP TunnelsExample Remote LFA over LDP Tunnels

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

R0

R1

R2

R3

R4

R5

R6

R7

R8

Configuring Device R6

Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Device R6:

  1. Configure the interfaces.

  2. Assign the loopback addresses to the device.

  3. Configure the router ID. Apply the policy to the forwarding table of the local router with the export statement.

  4. Enable remote LFA backup which calculates the backup next hop using dynamic LDP label-switched path.

  5. Configure the traffic engineering and the link protection for the interfaces in the OSPF area.

  6. Specify a time interval for which the targeted LDP sessions are kept up when the remote LFA goes down, and specify a maximum number of automatically, targeted LDP sessions to optimize the use of memory.

  7. Configure the LDP protocols on the interfaces.

  8. Configure the policy options to load balance the per-packet of the policy-statement routing policy.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show protocols, show policy-options, and show routing-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from the configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Routes

Purpose

Verify that the expected routes are learned.

Action

On Device R6, from operational mode, run the show route 6.6.6.6/24 command to display the routes in the routing table.

Meaning

The output shows all the routes in the routing table of Device R6.

Verifying the LDP Routes

Purpose

Verify the automatically targeted LDP routes.

Action

From operational mode, enter the show ldp session auto-targeted detail command.

Verifying the OSPF Routes

Purpose

Display all the LDP backup routes in the OSPF routing table of Device R6.

Action

On Device R6, from operational mode, run the show ospf route command to display the routes in the OSPF routing table.

Meaning

The output shows all the LDP backup routes in the OSPF routing table of Device R6.

Verifying the Designated Backup Path Node

Purpose

Display the remote LFA next hop determined for a given destination.

Action

From operational mode, enter the show ospf backup spf results command.

Meaning

The output indicates whether a specific interface or node has been designated as a remote backup path and why.

Verifying the Backup Neighbors

Purpose

Display the backup neighbors for the Device R6

Action

From operational mode, enter the show ospf backup neighbor command.

Meaning

The output displays the backup neighbors available for area 0.0.0.0.