Login
- Table of Contents
-
- 09-Segment Routing Configuration Guide
- 00-Preface
- 01-SR-MPLS configuration
- 02-SR-MPLS TE policy configuration
- 03-SRv6 configuration
- 04-SRv6 TE policy configuration
- 05-SRv6 VPN overview
- 06-IP L3VPN over SRv6 configuration
- 07-EVPN L3VPN over SRv6 configuration
- 08-Public network IP over SRv6 configuration
- 09-SRv6 OAM configuration
- 10-EVPN VPLS over SRv6 configuration
- 11-EVPN VPWS over SRv6 configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 04-SRv6 TE policy configuration | 732.26 KB |
Contents
SID list computation using PCE
Traffic steering to an SRv6 TE policy
SRv6 TE policy forwarding procedure
SRv6 TE policy transit node protection
SRv6 TE policy egress protection
SRv6 TE policy tasks at a glance
Manually creating an SRv6 TE policy and configuring its attributes
Automatically creating SRv6 TE policies by using ODN
Enabling the SRv6 capability for a PCC
Configuring PCEP session parameters
Configuring a candidate path and the SID lists of the path
Configuring a candidate path to use manually configured SID lists
Configuring a candidate path to use PCE-computed SID lists
Configuring PCE delegation to create candidate paths and SID lists
Enabling the device to distribute SRv6 TE policy candidate path information to BGP-LS
Shutting down an SRv6 TE policy
Configuring BGP to advertise BGP IPv6 SR policy routes
Restrictions and guidelines for BGP IPv6 SR policy routes advertisement
Enabling BGP to advertise BGP IPv6 SR policy routes
Configuring BGP to redistribute BGP IPv6 SR policy routes
Enabling advertising BGP IPv6 SR policy routes to EBGP peers
Configuring BGP to control BGP IPv6 SR policy route selection and advertisement
Configuring SRv6 TE policy traffic steering
Configuring the SRv6 TE policy traffic steering mode
Configuring color-based traffic steering
Configuring tunnel policy-based traffic steering
Configuring DSCP-based traffic steering
Configuring static route-based traffic steering
Enabling automatic route advertisement for an SRv6 TE policy
Configuring the SRv6 TE policy encapsulation mode
Enabling SBFD for SRv6 TE policies
Configuring the BFD echo packet mode for SRv6 TE policies
Enabling hot standby for SRv6 TE policies
Configuring path switchover and deletion delays for SRv6 TE policies
Setting the delay time for bringing up SRv6 TE policies
Configuring path connectivity verification for SRv6 TE policies
Configuring SRv6 TE policy transit node protection
Configuring SRv6 TE policy egress protection
Restrictions and guidelines for SRv6 TE policy egress protection configuration
Enabling the device to drop traffic when an SRv6 TE policy becomes invalid
Enabling SRv6 TE policies to forward packets without using the last SID in the SID list
Specifying the packet encapsulation type preferred in optimal route selection
Configuring SRv6 TE policy resource usage alarm thresholds
Enabling SRv6 TE policy logging
Enabling SNMP notifications for SRv6 TE policies
Configuring traffic forwarding statistics for SRv6 TE policies
Verifying and maintaining SRv6 TE policies
Verifying the SRv6 TE policy operation status and configuration
Verifying the SRv6 TE policy group operation status and configuration
Verifying the BGP IPv6 SR policy routing configuration
Verifying the SRv6 TE policy BFD and SBFD operation status
Verifying the SRv6 TE policy egress protection configuration
Displaying and clearing SRv6 TE policy forwarding statistics
Displaying SRv6 TE policy information in the PCE
SRv6 TE policy configuration examples
Example: Configuring SRv6 TE policy-based forwarding
Example: Configuring SRv6 TE policy egress protection
Configuring SRv6 TE policies
About SRv6 TE policies
SRv6 Traffic Engineering (SRv6 TE) policies apply to scenarios where multiple paths exist between a source node and a destination node on an SRv6 network. The device can use an SRv6 TE policy to flexibly steer traffic to a proper forwarding path.
SRv6 TE policy identification
An SRv6 TE policy is identified by the following items:
· BSID—SID of the ingress node (source node).
· Color—Color attribute for the forwarding path. You can use the color attribute to distinguish an SRv6 TE policy from other SRv6 TE policies that are configured for the same source and destination nodes.
· End-point—IPv6 address of the destination node.
SRv6 TE policy contents
As shown in Figure 1, an SRv6 TE policy consists of candidate paths with different preferences. Each candidate path can have one or multiple subpaths identified by segment lists (also called SID lists).
· Candidate path
An SRv6 TE policy can have multiple candidate paths. Candidate paths are uniquely identified by their preference values. An SRv6 TE policy chooses a candidate path from all its candidate paths based on the preference values to forward traffic.
Two SRv6 TE policies cannot share the same candidate path.
· SID list
A SID list is a list of SIDs that indicates a packet forwarding path. Each SID is the IPv6 address of a node on the forwarding path.
A candidate path can have a single SID list or multiple SID lists that use different weight values. After an SRv6 TE policy chooses a candidate path with multiple SID lists, the traffic will be load shared among the SID lists based on weight values.
Figure 1 SRv6 TE policy contents
SRv6 TE policy creation
An SRv6 TE policy can be created in the following modes:
· Manual configuration from CLI
In this method, you need to manually configure the candidate settings for the SRv6 TE policy, such as candidate path preferences, SID lists and weights.
· Learning from a BGP IPv6 SR policy route
To support SRv6 TE policy, MP-BGP defines the BGP IPv6 SR address family and the Network Layer Reachability Information (NLRI) called the BGP IPv6 SR policy route. A BGP IPv6 SR policy route contains SRv6 TE policy settings, including the BSID, color, end-point, candidate preferences, SID lists, and SID list weights.
The device can advertise its local SRv6 TE policy settings to its BGP IPv6 SR policy peer through a BGP IPv6 SR policy route. The peer device can create a BGP IPv6 SR policy route according to the received SRv6 TE policy settings.
· Automatic creation by ODN
When the device receives a BGP route, it compares the color extended attribute value of the BGP route with the color value of the ODN template. If the color values match, the device automatically generates an SRv6 TE policy and two candidate paths for the policy.
¡ The policy uses the BGP route's next hop address as the end-point address and the ODN template's color value as the color attribute value of the policy.
¡ The candidate paths use preferences 100 and 200. You need to manually configure the SID lists for the candidate path with preference 200, and use PCE to compute the SID lists for the candidate path with preference 100. For more information about SID list computation using PCE, see "SID list computation using PCE."
You can also manually create candidate paths for an ODN-created SRv6 TE policy.
SID list computation using PCE
On an SRv6 TE policy network, an SRv6 node can act as a Path Computation Client (PCC) to use the paths computed by the Path Computation Element (PCE) to create SID lists for a candidate path.
Basic concepts
· PCE—An entity that provides path computation for network devices. It can provide intra-area path computation as well as complete SID list computation on a complicated network. A PCE can be stateless or stateful.
¡ Stateless PCE—Provides only path computation.
¡ Stateful PCE—Knows all path information maintained by a PCC, and performs intra-area path recomputation and optimization. A stateful PCE can be active or passive.
- Active stateful PCE—Accepts path delegation requests sent by a PCC and optimizes the paths.
- Passive stateful PCE—Only maintains path information for SID lists of a PCC. A passive stateful PCE does not accept path delegation requests sent by a PCC or optimize the paths.
· PCC—A PCC sends a request to a PCE for path computation and uses the path information returned by the PCE to establish forwarding paths. For a PCC to establish a PCEP session with a PCE, the PCC and PCE must be of the same type.
¡ Stateless PCC—Sends path computation requests to a PCE.
¡ Stateful PCC—Delegates SID list information to a stateful PCE. A stateful PCE can be active or passive.
- Active stateful PCC—Reports its SID list information to a PCE, and uses the paths computed by the PCE to create and update the SID lists.
- Passive stateful PCC—Only reports its SID list information to a PCE but does not use the PCE to compute or update path information for the SID lists.
· PCEP—Path Computation Element Protocol. PCEP runs between a PCC and a PCE, or between PCEs. It is used to establish PCEP sessions to exchange PCEP messages over TCP connections.
PCE path computation
As shown in , the PCE path computation procedure is as follows:
1. The PCC sends a path computation request to the PCE.
2. The PCE computes paths after it receives the request.
3. The PCE replies the PCC with the computed path information.
4. The PCC creates SID lists for the SRv6 TE policy candidate path according to the path information computed by the PCE.
Figure 2 Path computation using PCE
SRv6 TE policy validity
An SRv6 TE policy must be valid in order to ensure successful traffic forwarding.
The following describes the rules for identifying the validity of an SRv6 TE policy:
1. An SRv6 TE policy is valid only if it has valid candidate paths.
2. A candidate path is valid only if it has a valid SID list.
3. A SID list is valid if none of the following situations exists:
¡ The SID list is empty.
¡ The weight of the SID list is 0.
¡ An SR node and the first IPv6 address in the SID list cannot reach each other.
Figure 3 SRv6 TE policy validity determination
Traffic steering to an SRv6 TE policy
The following modes are available to steer traffic to an SRv6 TE policy:
· BSID—If the destination IPv6 address of a received packet is the BSID of an SRv6 TE policy, the device uses the SRv6 TE policy to forward the packet.
· Color—The device searches for an SRv6 TE policy that has the same color and end-point address as the color and nexthop address of a BGP route. If a matching SRv6 TE policy exists, the device recurses the BGP route to that SRv6 TE policy. Then, when the device receives packets that match the BGP route, it forwards the packets through the SRv6 TE policy.
· Tunnel policy—In an MPLS L3VPN, EVPN L3VPN, EVPN VPLS, or EVPN VPWS network, use an SRv6 TE policy as the public tunnel to carry the packets of a VPN instance. For more information about the tunnel policy configuration, see MPLS Configuration Guide.
· DSCP—Create color-to-DSCP mappings for an SRv6 TE policy group, and create a tunnel policy that binds a destination IP address to the SRv6 TE policy group. Upon receiving a packet with the specified destination address, the device searches for the SRv6 TE policy containing the color value mapped to the DSCP value of the packet. The device will use the SRv6 TE policy to forward the packet.
The device obtains an SRv6 TE policy group for traffic steering as follows:
¡ Matches the destination IP address in a packet with a tunnel policy associated with an SRv6 TE policy group.
¡ Searches for an SRv6 TE policy group with color and endpoint address matching the color extended community attribute and next hop in a BGP route, and recurses the BGP route to the SRv6 TE policy group.
· Static route—Directs traffic to an SRv6 TE policy through a static route. The device uses the SRv6 TE policy to forward the packets that match the static route.
· PBR—Directs traffic to an SRv6 TE policy through PBR. The device uses the SRv6 TE policy to forward the packets that match the PBR policy. For more information about PBR, see Layer 3—IP Routing Configuration Guide.
· Automatic route advertisement—Advertises an SRv6 TE policy to IGP (IPv6 IS-IS or OSPFv3) for route computation, so as to forward the matching traffic through the SRv6 TE policy.
An SRv6 TE policy supports only automatic route advertisement in IGP shortcut mode, which is also called autoroute announce. Autoroute announce regards the SRv6 TE policy tunnel as a link that connects the tunnel ingress and egress. The tunnel ingress includes the SRv6 TE policy tunnel in IGP route computation. It does not advertise the SRv6 TE policy tunnel in the IGP, so other devices do not include the SRv6 TE policy tunnel in route computation.
SRv6 TE policy path selection
After traffic is steered in to an SRv6 TE policy, the SRv6 TE policy selects a forwarding path for the traffic as follows:
1. Selects the valid candidate path that has the highest preference.
2. Performs Weighted ECMP (WECMP) load sharing among the SID lists of the selected candidate path. The load of SID list x is equal to Weight x/(Weight 1 + Weight 2 + … + Weight n).
For example, as shown in Figure 4, Device A first selects a valid SRv6 TE policy by BSID. Then, the device selects a candidate path by preference. The candidate path has two valid SID lists: SID list 1 and SID list 2. The weight value of SID list 1 is 20 and the weight value of SID list 2 is 80. One fifth of the traffic will be forwarded through the subpath identified by SID list 1. Four fifth of the traffic will be forwarded through the subpath identified by SID list 2.
Figure 4 SRv6 TE policy path selection
SRv6 TE policy forwarding procedure
As shown in Figure 5, the SRv6 TE policy forwarding procedure is as follows (BSID-based traffic steering as an example):
1. After Device A receives a packet with destination address 100::1, it searches its IPv6 routing table and determines that the address is a BSID. Then, Device A encapsulates the packet with an SRH header according to the SRv6 TE policy of the BSID. The SRH header contains SID list {10::2, 20::2, 30::2}, where 10::2 is the SID for Device B, 20::2 is the SID for Device C, and 30::2 is the SID for Device D.
2. Device A forward the packet to the next hop Device B.
3. After Device B receives the packet, it obtains the next hop Device C from the SRH, and then forwards the packet to Device C.
4. After Device C receives the packet, it obtains the next hop Device D from the SRH, and then forwards the packet to Device D.
5. After Device D receives the packet, it identifies that the SL value is 0 in the SRH. So Device D decapsulates the packet. Device D deletes the SRH header and forwards the packet according to the destination address of the packet.
Figure 5 SRv6 TE policy forwarding diagram
BFD for SRv6 TE policy
Echo BFD for SRv6 TE policy
If a candidate path of an SRv6 TE policy contains multiple SID lists, the SRv6 TE policy establishes a BFD session for each SID list to detect validity of the corresponding forwarding paths.
As shown in Figure 6, configure an SRv6 TE policy on Device A and use echo BFD to detect the SRv6 TE policy. The detection process is as follows:
1. The source node and sends BFD echo packets that each encapsulate a SID list of the SRv6 TE policy.
2. After the end-point node receives an BFD echo packet, it sends the BFD echo packet back to the source node by using the IPv6 routing table.
3. If the source node can receive the BFD echo packet within the detection timeout time, it determines the corresponding SID list (forwarding path) of the SRv6 TE policy is available. If no BFD echo packet is received, the device determines that the SID list is faulty. If all the SID lists for the primary path are faulty, BFD triggers a primary-to-backup path switchover.
Figure 6 Echo BFD for SRv6 TE policy procedure
SBFD for SRv6 TE policy
An SRv6 TE policy cannot maintain its status by exchanging messages between devices. You can configure seamless BFD (SBFD) to verify the connectivity of an SRv6 TE policy to implement fast failover in milliseconds.
As shown in Figure 7, configure an SRv6 TE policy on Device A and use SBFD to detect the SRv6 TE policy. The detection process is as follows:
1. The source node (Device A, the initiator) and sends SBFD packets that encapsulate the SID lists of the primary and backup candidate paths of the SRv6 TE policy.
2. After the destination node (Device E, the reflector) receives an SBFD packets, it checks whether the remote discriminator carried the packet is the same as the local discriminator. If yes, the reflector sends the SBFD response packet to the initiator by using the IPv6 routing table. If no, the reflector drops the SBFD packet.
3. If the source node can receive the SBFD response within the detection timeout time, it determines the corresponding SID list (forwarding path) of the SRv6 TE policy is available. If no response is received, the device determines that the SID list is faulty. If all the SID lists for the primary path are faulty, SBFD triggers a primary-to-back path switchover.
Figure 7 SBFD for SRv6 TE policy procedure
|
|
NOTE: Because SBFD responses are forwarded according to the IPv6 routing table lookup, all SBFD sessions for the SRv6 TE policies that have the same source and destination nodes use the same path to send responses. A failure of the SBFD response path will cause all the SBFD sessions to be down and consequentially packets cannot be forwarded through the SRv6 TE policies. |
SRv6 TE policy hot standby
If an SRv6 TE policy has multiple valid candidate paths, the device chooses the candidate path with the greatest preference value. If the chosen path fails, the SRv6 TE policy must select another candidate path. During path reselection, packet loss might occur and thus affect service continuity.
The SRv6-TE hot standby feature can address this issue. This feature takes the candidate path with the greatest preference value as the primary path and that with the second greatest preference value as the backup path in hot standby state. As shown in Figure 8, when the forwarding paths corresponding to all SID lists of the primary path fails, the standby path immediately takes over to minimize service interruption.
Figure 8 SRv6 TE policy hot standby
You can configure both the hot standby and SBFD features for an SR-TE policy. Use SBFD to detect the availability of the primary and standby paths specified for hot standby. If all SID lists of the primary path become unavailable, the standby path takes over and a path recalculation is performed. The standby path becomes the new primary path, and a new standby path is selected. If both the primary and standby paths fail, the SR-TE policy will calculate new primary and standby paths.
SRv6 TE policy transit node protection
Protection path failure
The SID list of an SRv6 TE policy specifies the nodes or links that packets must traverse. As shown in Figure 9, node A forwards packets to node F through an SRv6 TE policy that includes node D in the forwarding path. The backup path must also contain node D. In this case, the backup path cannot provide protection for the forwarding path when node D fails.
Figure 9 Protection path failure
Transit node protection
To resolve the protection path failure caused by strict node constraints in an SRv6 TE policy, SRv6 TE FRR is introduced.
After SRv6 TE FRR is enabled, when a transit node of an SRv6 TE policy fails, the upstream node of the faulty node can take over to forward packets. The upstream node is called a proxy forwarding node.
After SRv6 TE FRR is enabled on a node, upon receiving a packet that contains an SRH and the SL in the SRH is greater than 1 (SL>1), the node will act as a proxy forwarding node in any of the following scenarios:
· The node does not find a matching forwarding entry in the IPv6 FIB.
· The next hop address of the packet is the destination address of the packet, and the outgoing interface for the destination address is in DOWN state.
· The matching local SRv6 SID is an END.X SID, and the outgoing interface for the END.X SID is in DOWN state.
· The outgoing interface in the matching route is NULL0.
A proxy forwarding node forwards packets as follows:
· Decrements the SL value in the SRH of a packet by 1.
· Copies the next SID to the DA field in the outer IPv6 header, so as to use the SID as the destination address of the packet.
· Looks up the forwarding table by the destination address and then forwards the packet.
In this way, the proxy forwarding node bypasses the fault node. This transit node failure protection technology is referred to as SRv6 TE FRR.
Figure 10 SRv6 TE FRR for transit node failure protection
As shown in Figure 10, after a packet is steered into an SRv6 TE policy, the packet is forwarded as instructed by the SID list {d, f}.
When node D fails, the node failure protection process is as follows:
1. Upstream node B detects that the nexthop of the packet is faulty, the nexthop address is the destination address of the packet, and the SL value is greater than 0. Therefore, node B performs the proxy forwarding behavior: Decrements the SL value by 1, copies the next SID to the DA field in the outer IPv6 header, and then forwards the packet according to the SID (destination address of the packet). Because the SL value is now 0, node B can remove the SRH and then search the corresponding table to forward the packet based on the destination address (f).
2. Node B forwards the packet as follows:
¡ If the route to node F is converged (the next hop in the route is node C), node B uses the converged shortest path to forward the packet to node C.
¡ If the route to node F is not converged (the primary next hop in the route is node D), node B uses the TI-LFA computed backup path to forward packet. The backup path's repair list is <c1>. Therefore, node B encapsulates an SRH to the packet to add backup path Segment List c1, and then forwards the packet over the backup path to node F.
Special processing on the source node
If source node A (ingress node) of the SRv6 TE policy detects the failure of node D (the first SID in the SID list is unreachable), node A then places the SRv6 TE policy to the down state. The device cannot forward packets through the SRv6 TE policy or trigger SRv6 TE FRR.
To resolve this issue, enable the bypass feature for the SRv6 TE policy on the source node. This feature enables the source node to generate a route that uses the first SID as the destination address and the NULL0 interface as the outgoing interface. The route ensures that the SRv6 TE policy is in up state when the first SID is unreachable, so as to trigger SRv6 TE FRR.
After node A triggers SRv6 TE FRR, node A decrements the SL value by 1, copies the next SID (f) to the DA field in the outer IPv6 header, and then forwards the packet to node B according to the SID (destination address of the packet).
When node B receives the packet, it processes the packet as follows:
· If the route to node F is converged (the next hop in the route is node C), node B uses the converged shortest path to forward the packet to node C.
· If the route to node F is not converged (the primary next hop in the route is node D), node B uses the TI-LFA computed backup path to forward the packet to node F.
SRv6 TE policy egress protection
This feature provides egress node protection in IP L3VPN over SRv6, EVPN L3VPN over SRv6, EVPN VPLS over SRv6, EVPN VPWS over SRv6, or IP public network over SRv6 networks where the public tunnel is an SRv6 TE policy tunnel.
SRv6 TE policy egress protection applies only to the dual homing scenario. To implement SRv6 TE policy egress protection, the egress node and the egress node's protection node must have the same forwarding entries.
|
|
NOTE: The EVPN VPLS over SRv6 and EVPN VPWS over SRv6 dual-homed single-active networks do not support SRv6 TE policy egress protection. |
As shown in Figure 11, deploy an SRv6 TE policy between PE 1 and PE 3. PE 3 is the egress node (endpoint node) of the SRv6 TE policy. To improve forwarding reliability, configure PE 4 to protect PE 3.
Figure 11 SRv6 TE policy egress protection
End.M SID
In SRv6 TE policy egress protection, an End.M SID is used to protect the SRv6 SIDs in a specific locator. If an SRv6 SID advertised by the remote device (PE 3 in this example) is within the locator, the protection node (PE 4) uses the End.M SID to protect that SRv6 SID (remote SRv6 SID).
PE 4 takes different actions as instructed by an End.M SID in different network scenarios:
· IP L3VPN/EVPN L3VPN/IP public network over SRv6 TE policy scenario
a. Removes the outer IPv6 header to obtain the remote SRv6 SID from the inner packet.
b. Searches the remote SRv6 SID and VPN instance/public instance mapping table to find the VPN instance/public instance mapped to the remote SRv6 SID.
c. Forwards the packet by looking up the routing table of the VPN instance/public instance.
· EVPN VPWS over SRv6 TE policy scenario
d. Removes the outer IPv6 header to obtain the remote SRv6 SID from the inner packet.
e. Searches the remote SRv6 SID and cross-connect mapping table to find the cross-connect mapped to the remote SRv6 SID.
f. Forwards the packet to the AC associated with the cross-connect.
· EVPN VPLS over SRv6 TE policy scenario
g. Removes the outer IPv6 header to obtain the remote SRv6 SID from the inner packet.
h. Searches the remote SRv6 SID and VSI mapping table to find the VSI mapped to the remote SRv6 SID.
i. Forwards the packet according to the MAC address forwarding table of the VSI.
Remote SRv6 SID
As shown in Figure 11, PE 4 receives a BGP route from PE 3. If the SRv6 SID in the BGP route is within the locator protected by the End.M SID on PE 4, PE 4 regards the SRv6 SID as a remote SRv6 SID and generates a mapping between the remote SRv6 SID and the VPN instance/public instance, cross-connect, or VSI.
When the adjacency between PE 4 and PE 3 breaks, PE 4 deletes the BGP route received from PE 3. As a result, the remote SRv6 SID and VPN instance/public instance/cross-connect/VSI mapping will be deleted, resulting in packet loss. To avoid this issue, you can configure the mappings deletion delay time on PE 4 to ensure that traffic is forwarded through PE 4 before PE 1 knows the PE 3 failure and computes a new forwarding path.
Route advertisement
The route advertisement procedure is similar in IP L3VPN, EVPN L3VPN, EVPN VPWS, EVPN VPLS, or IP public network over SRv6 TE policy egress protection scenarios. The following example describes the route advertisement in an IP L3VPN over SRv6 TE policy egress protection scenario.
As shown in Figure 11, the FRR path is generated on P 1 as follows:
1. PE 4 advertises the End.M SID and the protected locator to P 1 through an IS-ISv6 route. Meanwhile, PE 4 generates a local SID entry for the End.M SID.
2. Upon receiving the route that carries the End.M SID, P 1 generates an FRR route destined for the specified locator and the action for the route is pushing the End.M SID.
On PE 4, a <remote SRv6 SID, VPN instance > mapping entry is generated as follows:
1. Upon receiving the private route from CE 2, PE 3 encapsulates the route as a VPNv4 route and sends it to PE 4. The VPNv4 route carries the SRv6 SID, RT, and RD information.
2. After PE 4 receives the VPNv4 route, it obtains the SRv6 SID and the VPN instance. Then, PE 4 performs longest matching of the SRv6 SID against the locators protected by End.M SIDs. If a match is found, PE 4 uses the SRv6 SID as a remote SRv6 SID and generates a <remote SRv6 SID, VPN instance> mapping entry.
Packet forwarding
The packet forwarding procedure is similar in IP L3VPN, EVPN L3VPN, EVPN VPWS, EVPN VPLS, or IP public network over SRv6 TE policy egress protection scenarios. The following example describes the packet forwarding in an IP L3VPN over SRv6 TE policy egress protection scenario.
Figure 12 Data forwarding in SRv6 TE policy egress protection
As shown in Figure 12, typically traffic is forwarded along the CE 1-PE 1-P 1-PE 3-CE 2 path. When the egress node PE 3 fails, a packet is forwarded as follows:
1. P 1 detects that its next hop (PE 3) is unreachable and thus switches traffic to the FRR path. P 1 pushes the End.M SID into the IPv6 header of the packet and forwards the packet to PE 4.
2. PE 4 parses the packet and obtains the End.M SID. PE 4 queries the local SID table and takes actions as instructed by the End.M SID:
a. Removes the outer IPv6 header to obtain the remote SRv6 SID from the inner packet. (The remote SRv6 SID is A100::1 in this example)
b. Searches the remote SRv6 SID and VPN instance mapping table to find the VPN instance mapped to the remote SRv6 SID. (The VPN instance is VPN 1 in this example.)
c. Looks up the routing table of the VPN instance and forwards the packet to CE 2 according to the matching route.
SRv6 TE policy tasks at a glance
To configure an SRv6 TE policy, perform the following tasks:
1. Configuring an SRv6 TE policy and configure basic settings for the policy:
This task is required when you use PCE to compute SID lists.
c. Configuring a candidate path and the SID lists of the path
d. (Optional.) Enabling the device to distribute SRv6 TE policy candidate path information to BGP-LS
e. (Optional.) Shutting down an SRv6 TE policy
2. (Optional.) Configuring BGP to advertise BGP IPv6 SR policy routes
a. Enabling BGP to advertise BGP IPv6 SR policy routes
b. Configuring BGP to redistribute BGP IPv6 SR policy routes
c. (Optional.) Enabling advertising BGP IPv6 SR policy routes to EBGP peers
d. (Optional.) Enabling Router ID filtering
e. (Optional.) Configuring BGP to control BGP IPv6 SR policy route selection and advertisement
f. (Optional.) Maintaining BGP sessions
3. Configuring SRv6 TE policy traffic steering
4. (Optional.) Configuring the SRv6 TE policy encapsulation mode
5. (Optional.) Configuring high availability features for SRv6 TE policy
¡ Enabling SBFD for SRv6 TE policies
¡ Configuring the BFD echo packet mode for SRv6 TE policies
¡ Enabling hot standby for SRv6 TE policies
¡ Configuring path switchover and deletion delays for SRv6 TE policies
¡ Setting the delay time for bringing up SRv6 TE policies
¡ Configuring path connectivity verification for SRv6 TE policies
¡ Configuring SRv6 TE policy egress protection
6. (Optional.) Configuring advanced settings for SRv6 TE policies
¡ Enabling the device to drop traffic when an SRv6 TE policy becomes invalid
¡ Enabling SRv6 TE policies to forward packets without using the last SID in the SID list
¡ Specifying the packet encapsulation type preferred in optimal route selection
7. (Optional.) Maintaining an SRv6 TE policy
¡ Configuring SRv6 TE policy resource usage alarm thresholds
¡ Enabling SRv6 TE policy logging
¡ Enabling SNMP notifications for SRv6 TE policies
¡ Configuring traffic forwarding statistics for SRv6 TE policies
Creating an SRv6 TE policy
Manually creating an SRv6 TE policy and configuring its attributes
About this task
An SRv6 TE policy is identified by a BSID, color, and end-point.
You can bind a BSID to the policy manually, or set only the color and end-point attributes of the policy so the system automatically assigns a BSID to the policy. If you use both methods, the manually bound BSID takes effect.
Restrictions and guidelines
The configured BSID must be on the locator specified for SRv6 TE policies in SRv6 TE view. Otherwise, the SRv6 TE policy cannot forward packets. For more information about the locator configuration, see "Configuring IPv6 Segment Routing."
Different SRv6 TE policies cannot have the same color and end-point configuration.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Specify a locator for SRv6 TE.
srv6-policy locator locator-name
By default, no locator is specified for SRv6 TE.
5. Enter SRv6 TE policy view.
policy policy-name
6. Configure a BSID for the policy.
binding-sid ipv6 ipv6-address
7. Set the color and end-point attributes.
color color-value end-point ipv6 ipv6-address
By default, the color and end-point attributes of an SRv6 TE policy are not configured.
Automatically creating SRv6 TE policies by using ODN
About this task
When the device receives a BGP route, if the color extended attribute value of the BGP route is the same as the color value of an ODN template, the device automatically creates an SRv6 TE policy and two candidate paths for the policy. The automatically created candidate paths use preferences 100 and 200.
You can specify an IPv6 prefix list to filter BGP routes. The BGP routes permitted by the specified IPv6 prefix list can trigger ODN to create SRv6 TE policies. The BGP routes denied by the specified IPv6 prefix list cannot trigger ODN to create SRv6 TE policies.
An ODN-created SRv6 TE policy is deleted immediately when the matching BGP route is deleted. To avoid packet loss before the new forwarding path is computed, you can configure a proper deletion delay time for the SRv6 TE policy.
Restrictions and guidelines
You need to configure candidate paths for an ODN-created SRv6 TE policy.
· For the ODN-created candidate path preference 200, manually configure the SID lists for the candidate path.
· For the ODN-created candidate path preference 100, use PCE to compute the SID lists for the candidate path.
· Manually create candidate paths that use preferences other than 100 and 200, and then configure the SID lists for the candidate paths.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Specify a locator for SRv6 TE.
srv6-policy locator locator-name
By default, no locator is specified for SRv6 TE.
5. Create an ODN template and enter SRv6-TE-ODN view.
on-demand color color-value
6. (Optional.) Configure the ODN SRv6 TE policy generation policy.
restrict prefix-list-name
By default, a BGP route can trigger ODN to create an SRv6 TE policy when the route's color attribute value is the same as the ODN color.
7. (Optional.) Configure the deletion delay time for ODN-created SRv6 TE policies.
delete-delay delay-time
By default, the deletion delay time for ODN-created SRv6 TE policies is 180000 milliseconds.
Configuring a PCEP session
Restrictions and guidelines
For more information about the PCEP commands, see MPLS commands in MPLS Command Reference.
Discovering PCEs
About this task
You can manually specify a PCE by using the pce static command on a PCC. A PCC sends PCEP connection requests to the discovered PCEs but does not accept requests from the PCEs.
Procedure
1. Enter system view.
system-view
2. Enter PCC view.
pce-client
3. Specify the IP address of the PCE.
pce static ip-address
Enabling the SRv6 capability for a PCC
About this task
To establish a PCEP session that supports SRv6, you need to enable the SRv6 capability on the devices at both sides of the PCEP session.
Procedure
1. Enter system view.
system-view
2. Configure the TE IPv6 router ID of the device.
te ipv6-router-id router-id
By default, the TE IPv6 router ID is not configured.
The TE IPv6 router ID is used to identify the source node in PCE requests. The TE IPv6 router ID of a device must be unique on the IPv6 network.
3. Enter PCC view.
pce-client
4. Enable the SRv6 capability for the PCC device.
pce capability segment-routing ipv6
By default, a PCC device does not have the SRv6 capability.
Configuring PCEP session parameters
About this task
This task allows you to configure parameters for a PCC to establish PCEP sessions to manually specified PCEs.
Procedure
1. Enter system view.
system-view
2. Enter PCC view.
pce-client
3. Set the path computation request timeout time.
pce request-timeout value
By default, the request timeout time is 10 seconds.
4. Set the PCEP session deadtimer.
pce deadtimer value
By default, the PCEP session deadtimer is 120 seconds.
5. Set the keepalive interval for PCEP sessions.
pce keepalive interval
By default, the keepalive interval is 30 seconds.
6. Set the minimum acceptable keepalive interval and the maximum number of allowed unknown messages received from the PCE peer.
pce tolerance { min-keepalive value | max-unknown-messages value }
By default, the minimum acceptable keepalive interval is 10 seconds, and the maximum number of allowed unknown messages in a minute is 5.
7. Configure PCEP session authentication for a peer. Choose one option as needed:
¡ Configure the keychain authentication.
pce peer ip-address keychain keychain-name
¡ Configure the MD5 authentication.
pce peer ip-address md5 { cipher | plain } string
By default, PCEP session authentication is not configured.
For two devices to establish a PCEP session, you must configure the same authentication mode and specify the same key string on both devices.
Configuring a candidate path and the SID lists of the path
Restrictions and guidelines
Do not configure an SRv6 TE policy candidate path to use both manually configured SID lists and PCE-computed SID lists.
Configuring a candidate path to use manually configured SID lists
About this task
Before you specify a SID list for a candidate path, you need to create the SID list and add nodes to the SID list.
After you add nodes to a SID list, the system will sort the nodes in ascending order of node index. The node with the smallest index represents the next hop of the source node on the forwarding path.
To reduce the SRH cost, you can use four 32-bit G-SIDs to represent one normal 128-bit SRv6 SID. In a SID list, you can add a 128-bit SRv6 SID with a COC flavor, indicating that the next node of the current node is a 32-bit G-SID. For more information about G-SIDs, see "Configuring SRv6."
You can specify a backup SID list for each SID list. When the primary SID list fails, the traffic is switched to the backup SID list to reduce service interruption. If multiple candidate paths exist, traffic is switched from the current candidate path to the backup candidate path only when all primary and backup SID lists on the candidate path fail.
Restrictions and guidelines
When you add G-SIDs to a SID list, make sure the following conditions are met:
· The SRv6 SID for the previous node of the G-SID must be End(COC32) SID or End.X(COC32) SID.
· The SRv6 SID for the last node does not contain the COC flavor. That is, you cannot use the index index-number coc32 ipv6 command to specify the SRv6 SID for the penultimate node.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Create a SID list and enter SID list view.
segment-list segment-list-name
5. Add a node to the SID list.
¡ Add a normal 128-bit SRv6 SID.
index index-number ipv6 ipv6-address
¡ Add a 128-bit SRv6 SID with the COC flavor, and specify the common prefix length for the next G_SID.
index index-number coc32 ipv6 ipv6-address common-prefix-length
6. Return to SRv6 TE view.
quit
7. Enter SRv6 TE policy view.
policy policy-name
8. Create and enter SRv6 TE policy candidate path view.
candidate-paths
9. Set the preference for a candidate path and enter SRv6 TE policy path preference view.
preference preference-value
By default, no candidate path preferences are set.
Each preference represents a candidate path.
10. Specify an explicit path for the candidate path.
explicit segment-list segment-list-name [ path-mtu mtu-value | weight weight-value | backup-segment-list backup-segment-list-name [ backup-path-mtu mtu-value | backup-weight weight-value ] * ] *
A candidate path can have multiple SID lists.
Configuring a candidate path to use PCE-computed SID lists
Prerequisites
Before you perform this task, configure a PCEP session first.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Enter SRv6 TE policy view.
policy policy-name
5. Create and enter SRv6 TE policy candidate path view.
candidate-paths
6. Set the preference for a candidate path and enter SRv6 TE policy path preference view.
preference preference-value
By default, no candidate path preferences are set.
Each preference represents a candidate path.
7. Create and enter SRv6 TE policy path preference dynamic view.
dynamic
8. Enable a candidate path to use PCE to compute the SID lists.
pcep
By default, a candidate path does not use PCE to compute SID lists.
Configuring PCE delegation to create candidate paths and SID lists
About this task
After PCE delegation for an SRv6 TE policy is enabled, the PCC delegates the policy's candidate paths to a PCE. The PCC creates or updates candidate paths according to the creation or update requests received from the PCE.
When the device delegates only part of its SRv6 TE policies to a PCE, the PCE does not have complete SRv6 TE policy candidate path information to calculate global bandwidth information. You can enable the device to report information about the undelegated SRv6 TE policies to the PCE without using the PCE to compute candidate paths for the policies. This feature is referred to as the passive delegation report only feature.
Restrictions and guidelines
You can configure the PCE delegation and passive delegation report only features for all SRv6 TE policies globally in SRv6 TE view or for a specific SRv6 TE policy in SRv6 TE policy view. The policy-specific configuration takes precedence over the global configuration. An SRv6 TE policy uses the global configuration only when it has no policy-specific configuration.
In SRv6 TE view, if you execute both the srv6-policy pce delegation enable command and the srv6-policy pce passive-delegate report-only enable command, the srv6-policy pce passive-delegate report-only enable command takes effect.
In SRv6 TE policy view, if you execute both the pce delegation command and the pce passive-delegate report-only command, the pce passive-delegate report-only command takes effect.
Prerequisites
Before you perform this task, configure a PCEP session first.
Configuring PCE delegation parameters
1. Enter system view.
system-view
2. Enter PCC view.
pce-client
3. Set the delegation priority of a PCE.
pce peer ip-address delegation-priority priority
By default, the delegation priority of a PCE is 65535.
A smaller value represents a higher priority.
4. Set the redelegation timeout interval.
pce redelegation-timeout value
By default, the redelegation timeout interval is 30 seconds.
5. Set the state timeout interval on the PCC.
pce state-timeout value
By default, the state timeout interval is 60 seconds.
Enabling delegation
1. Enter system view.
system-view
2. Enter PCC view.
pce-client
3. Configure the PCEP device type as active stateful or passive stateful.
pcep type { active-stateful | passive-stateful }
By default, the PCEP device type is stateless.
4. Return to system view.
quit
5. Enter SRv6 view.
segment-routing ipv6
6. Enter SRv6 TE view.
traffic-engineering
7. Enable PCE delegation for SRv6 TE policies globally.
srv6-policy pce delegation enable
By default, PCE delegation for SRv6 TE policies is disabled globally.
8. Globally enable the PCC to report candidate information of an SRv6 TE policy to the PCE without delegating the policy to the PCE.
srv6-policy pce passive-delegate report-only enable
By default, this feature is disabled globally.
9. Enter SRv6 TE policy view.
policy policy-name
10. Enable PCE delegation for the SRv6 TE policy.
pce delegation { enable | disable }
By default, an SRv6 TE policy uses the PCE delegation setting configured in SRv6 TE view.
11. Enable the PCC to report candidate information of the SRv6 TE policy to the PCE without delegating the policy to the PCE.
pce passive-delegate report-only { enable | disable }
By default, an SRv6 TE policy uses the passive delegation report only setting configured in SRv6 TE view.
Enabling the device to distribute SRv6 TE policy candidate path information to BGP-LS
About this task
After this feature is enabled, the device distributes SRv6 TE policy candidate path information to BGP-LS. BGP-LS advertises the SRv6 TE policy candidate path information in routes to meet application requirements.
Prerequisites
Before you configure this feature, enable the device to exchange LS information with the related peer or peer group. For more information about the LS exchange capability, see the BGP LS configuration in Layer 3—IP Routing Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Enable the device to distribute SRv6 TE policy candidate path information to BGP-LS.
distribute bgp-ls
By default, the device cannot distribute SRv6 TE policy candidate path information to BGP-LS
Shutting down an SRv6 TE policy
About this task
This feature controls the administrative state of an SRv6 TE policy.
If multiple SRv6 TE policies exist on the device, you can shut down unnecessary SRv6 TE policies to prevent them from affecting traffic forwarding.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Enter SRv6 TE policy view.
policy policy-name
5. Shut down the SRv6 TE policy.
shutdown
By default, an SRv6 TE policy is not administratively shut down.
Configuring BGP to advertise BGP IPv6 SR policy routes
Restrictions and guidelines for BGP IPv6 SR policy routes advertisement
For more information about BGP commands, see Layer 3—IP Routing Commands.
Enabling BGP to advertise BGP IPv6 SR policy routes
1. Enter system view.
system-view
2. Configure a global router ID.
router id router-id
By default, no global router ID is configured.
3. Enable a BGP instance and enter its view.
bgp as-number [ instance instance-name ]
By default, BGP is disabled and no BGP instances exist.
4. Configure a peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } as-number as-number
5. Create the BGP IPv6 SR policy address family and enter its view.
address-family ipv6 sr-policy
6. Enable BGP to exchange BGP IPv6 SR policy routing information with the peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } enable
By default, the device cannot use BGP to exchange BGP IPv6 SR policy routing information with a peer or peer group.
Configuring BGP to redistribute BGP IPv6 SR policy routes
About this task
After you configure BGP to redistribute BGP IPv6 SR policy routes, the system will redistribute the local BGP IPv6 SR policy routes to the BGP routing table and advertise the routes to peers. Then, the peers can forward traffic based on the BGP IPv6 SR policy.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP IPv6 SR policy address family view.
address-family ipv6 sr-policy
4. Enable BGP to redistribute routes from BGP IPv6 SR policies.
import-route sr-policy
By default, BGP does not redistribute BGP IPv6 SR policy routes.
Enabling advertising BGP IPv6 SR policy routes to EBGP peers
About this task
By default, BGP IPv6 SR policy routes are advertised among IBGP peers. To advertise BGP IPv6 SR policy routes to EBGP peers, you must perform this task to enable the advertisement capability.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP IPv6 SR policy address family view.
address-family ipv6 sr-policy
4. Enable advertising BGP IPv6 SR policy routes to EBGP peers.
advertise ebgp enable
By default, BGP IPv6 SR policy routes are not advertised to EBGP peers.
Enabling Router ID filtering
About this task
For the device to process only part of the received BGP IPv6 SR policy routes, you can perform this task to enable filtering the routes by Router ID.
This feature enables the device to check the Route Target attribute of a received BGP IPv6 SR policy route. The device accepts the route only if the Route Target attribute contains the Router ID of the local device.
Restrictions and guidelines
To use Router ID filtering, make sure you add Route Target attributes to BGP IPv6 SR policy routes properly by using routing policy or other methods. Otherwise, Router ID filtering might learn or drop BGP IPv6 SR policy routes incorrectly.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP IPv6 SR policy address family view.
address-family ipv6 sr-policy
4. Enable Router ID filtering.
router-id filter
By default, Router ID filtering is disabled.
Configuring BGP to control BGP IPv6 SR policy route selection and advertisement
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP IPv6 SR policy address family view.
address-family ipv6 sr-policy
4. Configure the NEXT_HOP attribute for routes. Choose one option as needed:
¡ Specify the local router as the next hop for routes sent to a peer or peer group.
peer { group-name | ipv6-address [ mask-length ] } next-hop-local
¡ Configure the device to not change the next hop of routes advertised to peers.
peer { group-name | ipv6-address [ prefix-length ] } next-hop-invariable
By default, BGP sets the local router as the next hop for all routes sent to an EBGP peer or peer group. BGP does not set the local router as the next hop for routes sent to an IBGP peer or peer group.
The peer next-hop-local and peer next-hop-invariable commands are mutually exclusive.
5. Allow a local AS number to exist in the AS_PATH attribute of routes from a peer or peer group, and to set the number of times the local AS number can appear.
peer { group-name | ipv6-address [ prefix-length ] } allow-as-loop [ number ]
By default, the local AS number is not allowed to exist in the AS_PATH attribute of routes from a peer or peer group.
6. Specify a preferred value for routes received from a peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } preferred-value value
By default, the preferred value is 0 for routes received from a peer or peer group.
7. Set the maximum number of routes that can be received from a peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } route-limit prefix-number [ { alert-only | discard | reconnect reconnect-time } | percentage-value ] *
By default, the number of routes that can be received from a peer or peer group is not limited.
8. Configure BGP route reflection:
a. Configure the device as a route reflector and specify a peer or peer group as a client.
peer { group-name | ipv6-address [ prefix-length ] } reflect-client
By default, neither the route reflector nor the client is configured.
b. (Optional.) Enable BGP IPv6 SR policy route reflection between clients.
reflect between-clients
By default, route reflection between clients is enabled.
c. (Optional.) Configure the cluster ID for the RR.
reflector cluster-id { cluster-id | ipv4-address }
By default, the RR uses its own router ID as the cluster ID.
9. Specify an IPv6 prefix list to filter routes received from or advertised to a peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } prefix-list ipv6-prefix-list-name { export | import }
By default, no prefix list based filtering is configured.
10. Apply a routing policy to routes incoming from or outgoing to a peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } route-policy route-policy-name { export | import }
By default, no routing policy is applied to routes incoming from or outgoing to a peer or peer group.
11. Advertise the COMMUNITY attribute to a peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } advertise-community
By default, no COMMUNITY attribute is advertised to any peers or peer groups.
12. Advertise the extended community attribute to a peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } advertise-ext-community
By default, no extended community attribute is advertised to any peers or peer groups.
13. Assign a peer or peer group a high priority in BGP route selection.
peer { group-name | ipv6-address [ prefix-length ] } high-priority
By default, a peer or peer group does not have a high priority in BGP route selection.
14. Configure the optimal route selection delay timer.
route-select delay delay-value
By default, the optimal route selection delay timer is 0 seconds (optimal route selection is not delayed).
Maintaining BGP sessions
To maintain BGP sessions, execute the following commands in user view:
· Reset BGP sessions for the BGP IPv6 SR policy address family.
reset bgp [ instance instance-name ] { as-number | ipv6-address [ prefix-length ] | all | external | group group-name | internal } ipv6 sr-policy
· Soft-reset BGP sessions for the BGP IPv6 SR policy address family.
refresh bgp [ instance instance-name ] { ipv6-address [ prefix-length ] | all | external | group group-name | internal } { export | import } ipv6 sr-policy
Configuring SRv6 TE policy traffic steering
Configuring the SRv6 TE policy traffic steering mode
Restrictions and guidelines
This feature does not take effect on L2VPN networks.
Prerequisites
To use color-based traffic steering, you need to add the color extended community to IPv6 unicast routes by using routing policy or other methods. For information about the routing policy configuration, see Layer 3—IP Routing Configuration Guide.
To use tunnel policy-based traffic steering, you need to configure a bound tunnel, preferred tunnel, or load sharing tunnel policy that uses an SRv6 TE policy. For more information about the tunnel policy configuration, see MPLS Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Configure the traffic steering mode for SRv6 TE policies.
sr-policy steering { disable | policy-based }
By default, the device steering data packets to SRv6 TE policies based on colors of the packets.
If you specify the policy-based keyword, the device steers traffic based on the bound policy, color, and tunnel load sharing policy in a descending order of priority.
Configuring color-based traffic steering
About this task
To steer traffic to an SRv6 TE policy based on colors, you can configure a color extended community for routes that do not carry a color extended community in the following methods:
· Configure a routing policy to add a color value to routes.
· Configure a default color value.
The color value specified in the routing policy is preferred.
Restrictions and guidelines
The default color value applies only to the VPN routes or public network routes learned from a remote PE.
The default color value is used only for SRv6 TE policy traffic steering. It does not used in route advertisement.
Configuring a routing policy to add a color value to routes
1. Enter system view.
system-view
2. Enter routing policy node view.
route-policy route-policy-name { deny | permit } node node-number
3. Set the color extended community attribute for BGP routes.
apply extcommunity color color [ additive ]
By default, no color extended community attribute is set for BGP routes.
4. Return to system view.
quit
5. Enter BGP instance view.
bgp as-number [ instance instance-name ]
6. Enter a BGP address family view as needed:
¡ Enter BGP IPv4 unicast address family view.
address-family ipv4 [ unicast ]
¡ Enter BGP IPv6 unicast address family view
address-family ipv6 [ unicast ]
¡ Enter BGP VPNv4 address family view.
address-family vpnv4
¡ Enter BGP VPNv6 address family view.
address-family vpnv6
¡ Enter BGP EVPN address family view.
address-family l2vpn evpn
7. Apply the routing policy to filter routes advertised to or received from a peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } route-policy route-policy-name { export | import }
By default, no routing policy is applied to a peer or peer group.
Configuring a default color value for VPN routes
1. Enter system view.
system-view
2. Enter VPN instance view.
ip vpn-instance vpn-instance-name [ index vpn-index ]
3. Enter IPv4 address family view or IPv6 address family view of the VPN instance.
¡ Enter VPN instance IPv4 address family view.
address-family ipv4
¡ Enter VPN instance IPv6 address family view.
address-family ipv6
4. Configure a default color value for L3VPN route recursion to an SRv6 TE policy.
default-color color-value [ evpn ]
By default, no default color is configured for L3VPN route recursion to an SRv6 TE policy.
Configuring a default color value for public network routes
5. Enter system view.
system-view
6. Enter pubic instance view.
ip public-instance
7. Enter public instance IPv4 or IPv6 address family view.
¡ Enter public instance IPv4 address family view
address-family ipv4
¡ Enter public instance IPv6 address family view.
address-family ipv6
8. Configure a default color value for public network route recursion to an SRv6 TE policy.
default-color color-value
By default, no default color value is configured for public network route recursion to an SRv6 TE policy.
Configuring tunnel policy-based traffic steering
Configuring a tunnel policy
1. Enter system view.
system-view
2. Create a tunnel policy and enter tunnel policy view.
tunnel-policy tunnel-policy-name [ default ]
3. Configure the tunnel policy. Choose the following tasks as needed:
¡ Specify an SRv6 TE policy to be bound with the specified destination IPv6 address.
binding-destination dest-ipv6-address srv6-policy { name policy-name | end-point ipv6 ipv6-address color color-value } [ ignore-destination-check ] [ down-switch ]
By default, no SRv6 TE policy is specified for a tunnel policy.
¡ Specify an SRv6 TE policy as a preferred tunnel of the tunnel policy.
preferred-path srv6-policy name sr-policy-name
By default, no preferred tunnel is specified for a tunnel policy.
¡ Configuring SRv6 TE policy load sharing for the tunnel policy.
select-seq srv6-policy load-balance-number number
By default, no load sharing tunnel policy is configured.
For more information about the tunnel policy commands, see MPLS Command Reference.
Specifying the tunnel policy for a VPN instance
1. Enter system view.
system-view
2. Enter a VPN instance view as needed.
¡ Enter VPN instance view.
ip vpn-instance vpn-instance-name
¡ Execute the following commands in sequence to enter VPN instance IPv4 address family view:
ip vpn-instance vpn-instance-name
address-family ipv4
¡ Execute the following commands in sequence to enter VPN instance IPv6 address family view:
ip vpn-instance vpn-instance-name
address-family ipv6
3. Specify a tunnel policy for the VPN instance.
tnl-policy tunnel-policy-name
By default, no tunnel policy is specified for a VPN instance.
For more information about this command, see MPLS L3VPN commands in MPLS Command Reference.
Specifying the tunnel policy for a PW
1. Enter system view.
system-view
2. Enter cross-connect group view.
xconnect-group group-name
3. Enter cross-connect view.
connection connection-name
4. Create an EVPN PW and specify a tunnel policy for this PW.
evpn local-service-id local-service-id remote-service-id remote-service-id tunnel-policy tunnel-policy-name
Specifying the tunnel policy for an EVPN instance
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Enter EVPN instance view.
evpn encapsulation srv6
4. Specify a tunnel policy for the EVPN instance.
tunnel-policy tunnel-policy-name
By default, no tunnel policy is specified for an EVPN instance.
For more information about this command, see EVPN Command Reference.
Configuring DSCP-based traffic steering
About this task
Each SRv6 TE policy in an SRv6 TE policy group has a different color attribute value. By configuring color-to-DSCP mappings for an SRv6 TE policy group, you associate DSCP values to SRv6 TE policies. This allows IPv6 packets containing a specific DSCP value to be steered to the corresponding SRv6 TE policy for further forwarding.
You can create an SRv6 TE policy group through manual creation at the CLI. This method requires manually configuring the destination node address of the SRv6 TE policy group.
Restrictions and guidelines
You can map the color values of only valid SRv6 TE policies to DSCP values.
You can configure color-to-DSCP mappings separately for the IPv4 address family and IPv6 address family. For a specific address family, a DSCP value can be mapped to only one color value.
Use the color match dscp default command to specify the default SRv6 TE policy for an address family. If no SRv6 TE policy in an SRv6 TE policy group matches a specific DSCP value, the default SRv6 TE policy is used to forward packets containing the DSCP value. Only one default SRv6 TE policy can be specified for an address family.
When the device receives an IPv4 or IPv6 packet that does not match any color-to-DSCP mapping, the device selects a valid SRv6 TE policy for the packet in the following order:
1. The default SRv6 TE policy specified for the same address family as the packet.
2. Valid SRv6 BE tunnel enabled for forwarding packets that do not match a color-to-DSCP mapping in the same address family.
3. The default SRv6 TE policy specified for the other address family.
4. Valid SRv6 BE tunnel enabled for forwarding packets that do not match a color-to-DSCP mapping in the other address family.
5. The SRv6 TE policy mapped to the smallest DSCP value in the same address family as the packet.
6. The SRv6 TE policy mapped to the smallest DSCP value in the other address family.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Create an SRv6 TE policy group and enter its view.
policy-group group-id
5. Configure the end-point IPv6 address for the SRv6 TE policy group.
end-point ipv6 ipv6-address
By default, no end-point IPv6 address is configured for the SRv6 TE policy group.
The SRv6 TE policies identified by the colors in the SRv6 TE policy group must use the same end-point IPv6 address as the SRv6 TE policy group.
6. (Optional.) Create the color value for the SRv6 TE policy group.
group-color color-value
By default, the color value is not configured for an SRv6 TE policy group.
7. Create color-to-DSCP mappings for the SRv6 TE policy group.
color color-value match dscp { ipv4 | ipv6 } dscp-value-list
color color-value match dscp { ipv4 | ipv6 } default
By default, no color-to-DSCP mappings are created for the SRv6 TE policy group.
DSCP-based traffic steering cannot function if no color-to-DSCP mappings are created.
8. (Optional.) Enable SRv6 BE forwarding for packets that do not match a color-to-DSCP mapping.
best-effort { ipv4 | ipv6 } default
By default, the device does not perform SRv6 BE forwarding for packets that do not match a color-to-DSCP mapping.
Steering traffic to an SRv6 TE policy group
1. Enter system view.
system-view
2. Configure traffic steering to an SRv6 TE policy group.
a. Create a tunnel policy and enter tunnel policy view.
tunnel-policy tunnel-policy-name [ default ]
b. Bind the SRv6 TE policy group to a destination IP address.
binding-destination dest-ip-address sr-policy group sr-policy-group-id [ ignore-destination-check ] [ down-switch ]
By default, a tunnel policy does not bind any SRv6 TE policy group to a destination IP address.
For more information about the command, see tunnel policy commands in MPLS Command Reference.
c. Configure color-based traffic steering.
For more information, see "Configuring color-based traffic steering."
Specify a color value as the color extended community attribute of BGP routes in the routing policy according to the creation method of the SRv6 TE policy group.
If the SRv6 TE policy group is manually created, the specified color value must be the color value of the SRv6 TE policy group.
Configuring static route-based traffic steering
Restrictions and guidelines
After you configure this feature on a public IP over SRv6 network, execute the route-replicate command in public instance IPv4/IPv6 address family view to replicate the routes of the specified VPN instance to the public network. The public network then can use the VPN routes to forward user traffic.
Procedure
1. Enter system view.
system-view
2. Configure static route recursion to an SRv6 TE policy:
¡ Configure IPv4 static route recursion to an SRv6 TE policy:
Public network:
ip route-static dest-address { mask-length | mask } srv6-policy { color color-value end-point ipv6 ipv6-address | name policy-name } [ sid sid ] [ preference preference ] [ tag tag-value ] [ description text ]
VPN:
ip route-static vpn-instance s-vpn-instance-name dest-address { mask-length | mask } srv6-policy { color color-value end-point ipv6 ipv6-address | name policy-name } [ sid sid ] [ preference preference ] [ tag tag-value ] [ description text ]
By default, no IPv4 static route is configured.
For more information, see static routing commands in Layer 3—IP Routing Command Reference.
¡ Configure IPv6 static route recursion to an SRv6 TE policy:
Public network:
ipv6 route-static ipv6-address prefix-length srv6-policy { color color-value end-point ipv6 ipv6-address | name policy-name } [ sid sid ] [ preference preference ] [ tag tag-value ] [ description text ]
VPN:
ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length srv6-policy { color color-value end-point ipv6 ipv6-address | name policy-name } [ sid sid ] [ preference preference ] [ tag tag-value ] [ description text ]
By default, no IPv6 static route is configured.
For more information, see IPv6 static routing commands in Layer 3—IP Routing Command Reference.
Enabling automatic route advertisement for an SRv6 TE policy
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Enter SRv6 TE policy view.
policy policy-name
5. Enable automatic route advertisement for the SRv6 TE policy.
autoroute enable [ isis | ospfv3 ]
By default, automatic route advertisement is disabled for an SRv6 TE policy.
6. Configure an autoroute metric for the SRv6 TE policy.
autoroute metric { absolute value | relative value }
By default, the autoroute metric of an SRv6 TE policy equals its IGP metric.
7. Return to system view.
quit
quit
quit
8. Include the SRv6 TE policy in IGP computation:
¡ Execute the following commands in sequence to enable automatic route advertisement for IS-IS SRv6 TE policies.
isis [ process-id ] [ vpn-instance vpn-instance-name ]
address-family ipv6 [ unicast ]
srv6-policy autoroute enable [ level-1 | level-2 ]
¡ Execute the following commands in sequence to enable automatic route advertisement for OSPFv3 SRv6 TE policies.
ospfv3 [ process-id | vpn-instance vpn-instance-name ] *
srv6-policy autoroute enable
By default, automatic route advertisement for SRv6 TE policies is disabled for IPv6 IS-IS and OSPFv3.
Configuring the SRv6 TE policy encapsulation mode
About this task
If the traffic steering mode is BSID, packets whose destination IPv6 address is the same as the BSID of an SRv6 TE policy will be forwarded by the SRv6 TE policy. In this case, the device needs to encapsulate the SID list of the SRv6 TE policy for the packets.
The supported encapsulation mode is Encaps (normal encapsulation mode). It adds an IPv6 header and SRH to the original packets. All SIDs in the SID list of the SRv6 TE policy are encapsulated in the SRH. In Encaps encapsulation mode, the destination IPv6 address in the IPv6 header is the first IPv6 address in the SID list of the SRv6 TE policy. The source IPv6 address is the IPv6 address specified by using the encapsulation source-address command.
If the traffic steering mode is BSID and the SRv6 SID of the ingress node is an End.X SID, the device does not encapsulate the End.X SID into the SRH by default.
To obtain complete SRv6 forwarding path information from the SRH of packets, you can configure the device to encapsulate the local End.X SID in the SRH.
Restrictions and guidelines
The policy-specific configuration takes precedence over the global configuration. An SRv6 TE policy uses the global configuration only when it has no policy-specific configuration.
The device uses the Encaps.Red encapsulation mode by default. You do not need to configure this mode.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Enable the device to include the local End.X SID in the SRH of the packets forwarded by SRv6 TE policies.
srv6-policy encapsulation-mode encaps include local-end.x
By default, the device does not include the local End.X SID in the SRH of the packets forwarded by SRv6 TE policies.
5. Enter SRv6 TE policy view.
policy policy-name
6. Configure local End.X SID encapsulation in the SRH of the packets forwarded by the SRv6 TE policy.
encapsulation-mode encaps include local-end.x [ disable ]
By default, local End.X SID encapsulation is not configured for an SRv6 TE policy, and the local End.X SID encapsulation setting configured in SRv6 TE view applies.
Enabling SBFD for SRv6 TE policies
About this task
To use SBFD to detect an SRv6 TE policy, the device needs to encapsulate the SID list of the SRv6 TE policy for the SBFD packets. The following encapsulation modes are available:
· Encaps—Normal encapsulation mode. It adds a new IPv6 header and an SRH to the original packets.
¡ The destination IPv6 address in the new IPv6 header is the first SID in the SID list of the SRv6 TE policy. The source IPv6 address is the IPv6 address specified by using the encapsulation source-address command.
¡ All SIDs in the SID list of the SRv6 TE policy are encapsulated in the SRH.
· Insert—Insertion mode. It inserts an SRH after the original IPv6 header.
¡ The destination IPv6 address in the original IPv6 header is changed to the first SID in the SID list of the SRv6 TE policy. The source IPv6 address is the IPv6 address specified by using the encapsulation source-address command.
¡ All SIDs in the SID list of the SRv6 TE policy and the endpoint of the SRv6 TE policy are encapsulated in the SRH. The endpoint is the last one in the SID list.
· Insert no-endpoint—Insert no-endpoint mode. It inserts an SRH without an endpoint after the original IPv6 header. The last SID in the SID list and the endpoint in the SRv6 TE policy represent the same node.
¡ The destination IPv6 address in the original IPv6 header changes to the first IPv6 address in the SID list of the SRv6 TE policy. The source IPv6 address in the original BFD echo packet does not change.
¡ All SIDs in the SID list of the SRv6 TE policy are encapsulated in the SRH. The endpoint of the SRv6 TE policy is not encapsulated in the SRH.
Restrictions and guidelines
You can enable SBFD for all SRv6 TE policies globally in SRv6 TE view or for a specific SRv6 TE policy in SRv6 TE policy view. The policy-specific configuration takes precedence over the global configuration. An SRv6 TE policy uses the global configuration only when it has no policy-specific configuration.
The remote discriminator specified in this command must be the same as that specified in the sbfd local-discriminator command on the reflector. Otherwise, the reflector will not send responses to the initiator.
The device supports the echo packet mode BFD and the SBFD for an SRv6 TE policy. If both modes are configured for the same SRv6 TE policy, the SBFD takes effect.
For an SBFD session, the device selects a source address for SBFD packets in the following order:
1. The packet source address specified by using the source-address command.
2. The address specified by using the sbfd source-ipv6 command.
To ensure that an SRv6 TE policy egress does not have duplicate End SIDs when you use SBFD to detect an SRv6 TE policy, follow these restrictions and guidelines:
· The OAM SID specified by the oam-sid keyword in the sbfd command cannot be the same as the last SID in the SID list of the SRv6 TE policy.
· The last two SIDs in the SRv6 TE policy SID list cannot be the same End SID.
Procedure
1. Enter system view.
system-view
2. Configure the encapsulation mode for the SBFD packets used for SRv6 forwarding paths connectivity detection.
bfd srv6-encapsulation-mode insert [ no-endpoint ]
By default, the encapsulation mode is Encap.
3. Configure the source IPv6 address used by the initiator to send SBFD packets.
sbfd source-ipv6 ipv6-address
By default, no source IPv6 address is configured for SBFD packets.
4. Enter SRv6 view.
segment-routing ipv6
5. Enter SRv6 TE view.
traffic-engineering
6. Enable SBFD for all SRv6 TE policies and configure the SBFD session parameters.
srv6-policy sbfd [ remote remote-id ] [ template template-name ] [ backup-template backup-template-name ]
By default, SBFD is disabled for all SRv6 TE policies.
7. (Optional.) Enable BFD session down events to trigger SRv6 TE policy path switchover globally.
srv6-policy bfd trigger path-down enable
By default, the feature for triggering SRv6 TE policy path switchover with BFD session down events is disabled globally.
8. (Optional.) Configure the timer that delays reporting the first BFD or SBFD session establishment failure to an SRv6 TE policy.
srv6-policy bfd first-fail-timer seconds
By default, the timer that delays reporting the first BFD or SBFD session establishment failure to an SRv6 TE policy is 60 seconds.
9. Enter SRv6 TE policy view.
policy policy-name
10. (Optional.) Specify the source IP address of SRv6 TE policy SBFD packets.
source-address ipv6 ipv6-address
By default, no source IP address is specified for SRv6 TE policy SBFD packets.
11. Configure SBFD for the SRv6 TE policy.
sbfd { disable | enable [ remote remote-id ] [ template template-name ] [ backup-template backup-template-name ] [ oam-sid sid ] [ encaps | insert [ no-endpoint ] ] }
By default, SBFD is not configured for an SRv6 TE policy.
If you do not specify the encaps or insert keyword, the encapsulation mode configured by the bfd srv6-encapsulation-mode encap command applies.
12. (Optional.) Enable BFD session down events to trigger SRv6 TE policy path switchover.
bfd trigger path-down { disable | enable }
By default, the feature for triggering SRv6 TE policy path switchover by BFD session down events is not configured. The configuration in SRv6 TE view applies.
Configuring the BFD echo packet mode for SRv6 TE policies
About this task
To use echo BFD to detect an SRv6 TE policy, the device needs to encapsulate the SID list of the SRv6 TE policy for the BFD packets. The following encapsulation modes are available:
· Encaps—Normal encapsulation mode. It adds a new IPv6 header and an SRH to the original packets.
¡ The destination IPv6 address in the new IPv6 header is the first SID in the SID list of the SRv6 TE policy. The source IPv6 address is the IPv6 address specified by using the encapsulation source-address command.
¡ All SIDs in the SID list of the SRv6 TE policy are encapsulated in the SRH.
· Insert—Insertion mode. It inserts an SRH after the original IPv6 header.
¡ The destination IPv6 address in the original IPv6 header is changed to the first SID in the SID list of the SRv6 TE policy. The source IPv6 address is the IPv6 address specified by using the encapsulation source-address command.
¡ All SIDs in the SID list of the SRv6 TE policy are encapsulated in the SRH.
Restrictions and guidelines
You can configure the echo packet mode BFD for all SRv6 TE policies globally in SRv6 TE view or for a specific SRv6 TE policy in SRv6 TE policy view. The policy-specific configuration takes precedence over the global configuration. An SRv6 TE policy uses the global configuration only when it has no policy-specific configuration.
For a BFD session in echo packet mode, the device selects a source address for BFD echo packets in the following order:
1. The packet source address specified by using the source-address command.
2. The packet source address specified by using the bfd echo-source-ipv6 command.
3. The BFD session source address specified by using the bfd echo command.
4. The BFD session source address specified by using the srv6-policy bfd echo command.
On the source node in an SRv6 TE policy, the BFD session source address specified by using the bfd echo or srv6-policy bfd echo command is also the destination address of BFD echo packets. BFD echo packets might use the same IP address as the source address and destination address. In this case, BFD echo session establishment will fail if the network is deployed with security devices that have features such as uRPF, because the features falsely treat the BFD echo packets as illegal packets and intercept them. To resolve this issue, you can configure a source address for BFD echo packets. Make sure the source and destination addresses of BFD echo packets are different.
If you do not specify the source-ipv6 ipv6-address option in the bfd echo command for an SRv6 TE policy, you must enable the echo packet mode BFD globally in SRv6 TE view. Otherwise, the device cannot establish a BFD session for the SRv6 TE policy.
The device supports the echo packet mode BFD and the SBFD for an SRv6 TE policy. If both modes are configured for the same SRv6 TE policy, the SBFD takes effect.
Before you execute this command, execute the bfd echo-source-ipv6 command on the local device to specify the source IPv6 address for echo packets.
Procedure
1. Enter system view.
system-view
2. Configure the encapsulation mode for the BFD packets used for SRv6 forwarding paths connectivity detection.
bfd srv6-encapsulation-mode insert
By default, the encapsulation mode is Encap.
3. Enter SRv6 view.
segment-routing ipv6
4. Enter SRv6 TE view.
traffic-engineering
5. Enable echo packet mode BFD for all SRv6 TE policies and configure the BFD session parameters.
srv6-policy bfd echo source-ipv6 ipv6-address [ template template-name ] [ backup-template backup-template-name ]
By default, the echo packet mode BFD is disabled for all SRv6 TE policies.
6. (Optional.) Enable BFD session down events to trigger SRv6 TE policy path switchover globally.
srv6-policy bfd trigger path-down enable
By default, the feature for triggering SRv6-TE policy path switchover with BFD session down events is disabled globally.
7. (Optional.) Configure the timer that delays reporting the first BFD or SBFD session establishment failure to an SRv6 TE policy.
srv6-policy bfd first-fail-timer seconds
By default, the timer that delays reporting the first BFD or SBFD session establishment failure to an SRv6 TE policy is 60 seconds.
8. Enter SRv6 TE policy view.
policy policy-name
9. (Optional.) Specify the source IP address of SRv6 TE policy echo packets.
source-address ipv6 ipv6-address
By default, no source IP address is specified for SRv6 TE policy echo packets.
10. Configure the echo packet mode BFD for the SRv6 TE policy.
bfd echo { disable | enable [ source-ipv6 ipv6-address ] [ template template-name ] [ backup-template backup-template-name ] [ oam-sid sid ] [ encaps | insert ] }
By default, the echo packet mode BFD is not configured for an SRv6 TE policy. An SRv6 TE policy uses the echo BFD settings configured in SRv6 TE view.
If you do not specify the encaps or insert keyword, the encapsulation mode configured by the bfd srv6-encapsulation-mode encap command applies.
11. (Optional.) Enable BFD session down events to trigger SRv6 TE policy path switchover.
bfd trigger path-down { disable | enable }
By default, the feature for triggering SRv6-TE policy path switchover by BFD session down events is not configured. The configuration in SRv6 TE view applies.
Enabling hot standby for SRv6 TE policies
About this task
When the hot standby feature is enabled, the numbers of the main and backup paths are as follows if multiple candidate paths exist.
· One main path one backup path—The candidate path with the greatest preference value in the SRv6 TE policy is the main path and that with the second greatest preference value is the backup path. When all SID lists of the mail path fail, the backup path immediately takes over the service to minimize service interruption.
· One main path two backup paths—A secondary backup path is also provided for the main path besides the backup path. The secondary backup path is the candidate path with the third highest preference in the SR-MPLS TE policy. When all SID lists of the mail path fail, the backup path immediately takes over the service. If the backup path fails, too, the secondary backup path takes over the service to minimize service interruption.
Restrictions and guidelines
You can enable hot standby for all SRv6 TE policies globally in SRv6 TE view or for a specific SRv6 TE policy in SRv6 TE policy view. The policy-specific configuration takes precedence over the global configuration. An SRv6 TE policy uses the global configuration only when it has no policy-specific configuration.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Enable hot standby for all SRv6 TE policies.
srv6-policy backup hot-standby enable [ multilevel-backup ]
By default, hot standby is disabled for all SRv6 TE policies.
5. Enter SRv6 TE policy view.
policy policy-name
6. Configure hot standby for the SRv6 TE policy.
backup hot-standby { disable | enable [ multilevel-backup ] }
By default, hot standby is not configured for an SRv6 TE policy, and the hot standby configuration in SRv6 TE view applies.
Configuring path switchover and deletion delays for SRv6 TE policies
About this task
The switchover delay and deletion delay mechanism is used to avoid traffic forwarding failure during a forwarding path (SID list) switchover.
When updating an SRv6 TE policy forwarding path, the device first establishes the new forwarding path before it deletes the old one. During the new path setup process, the device uses the old path to forward traffic until the switchover delay timer expires. When the switchover delay timer expires, the device switches traffic to the new path. The old path is deleted when the deletion delay timer expires.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Configure the switchover delay time and deletion delay time for the SRv6 TE policy forwarding path.
srv6-policy switch-delay switch-delay-time delete-delay delete-delay-time
By default, the switchover delay time and deletion delay time for the SRv6 TE policy forwarding path is 5000 milliseconds and 20000 milliseconds, respectively.
Setting the delay time for bringing up SRv6 TE policies
About this task
After an SRv6 TE policy recovers from a fault, the device waits for the delay time before bringing up the SRv6 TE policy. This is to ensure that the fault is completely removed so as to avoid packet loss caused by SRv6 TE policy flapping.
After this command is executed, the device starts different delay timers for an SRv6 TE policy according to the BFD/SBFD configuration for the SRv6 TE policy.
· If BFD/SBFD is not enabled, the device starts an LSP delay timer when the SID list state changes from Down to Up.
· If BFD/SBFD is enabled, the device starts a BFD delay timer when the BFD/SBFD session state changes from Down to Up.
Restrictions and guidelines
To view the BFD/SBFD configuration, SID list state, and SBFD session state, execute the display segment-routing ipv6 te policy command.
Set a proper SRv6 TE policy up delay time according to your network conditions. A very long delay time will cause an SRv6 TE policy to be unable to process user traffic for a long time.
You can set the delay time for all SRv6 TE policies globally in SR TE view or for a specific SRv6 TE policy in SRv6 TE policy view. The policy-specific configuration takes precedence over the global configuration. An SRv6 TE policy uses the global configuration only when it has no policy-specific configuration.
If you execute this command for multiple times, the most recent configuration takes effect. A new delay time setting does not apply to the SRv6 TE policies that are already in a policy-up delay process.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Set the policy-up delay time for all SRv6 TE policies.
srv6-policy up-delay delay-time
By default, the device does not delay bringing up SRv6 TE policies.
5. Enter SRv6 TE policy view.
policy policy-name
6. Set the policy-up delay time for the SRv6 TE policy.
up-delay delay-time
By default, no policy-up delay time is set for an SRv6 TE policy and the policy-up delay time set in SR TE view applies.
Configuring path connectivity verification for SRv6 TE policies
About this task
Typically, the controller deploys the SID list of an SRv6 TE policy. Without BFD configured, the first node cannot immediately detect path failures in the SRv6 TE policy. It only changes the SID list of the SRv6 TE policy as instructed by the controller that completes path recalculation upon detecting a topology change. If the controller or the link to the controller fails, the first node will be unable to detect failures and change SID lists, resulting in traffic loss.
For fast traffic switchover and high availability, you can enable path connectivity verification for the first node of the SRv6 TE policy. This feature enables the first node to collect network topology information, and verify all SID lists in the SRv6 TE policy as follows:
· If all SRv6 SIDs exist in the topology and the associated locator prefixes are routable, the SID list is valid.
· If any SRv6 SIDs do not exist in the topology or any of the associated locator prefixes are not routable, the SID list is invalid.
Upon detecting an invalid SID list (SID list failure), the first node changes paths as follows:
· If the valid candidate paths of the SRv6 TE policy contain multiple SID lists, and one of the SID list fails, traffic is distributed to other valid SID lists.
· If the SRv6 TE policy has valid primary and backup candidate paths, and all SID lists for the primary candidate path fail, traffic is distributed to the backup candidate path.
· If all valid candidate paths of the SRv6 TE policy fail, the SRv6 TE policy is faulty and an associated protection action is taken (for example, MPLS L3VPN FRR).
Restrictions and guidelines
You must perform this task on the first node of the SRv6 TE policy.
You can configure SRv6 TE policy path connectivity verification in both SRv6 TE view and SRv6 TE policy view. The configuration in SRv6 TE policy view takes precedence over the configuration in SRv6 TE view. If path connectivity verification is not configured for an SRv6 TE policy, the configuration in SRv6 TE applies.
The first node must have all SRv6 SIDs and routes in the IGP domain to detect their status through the following settings:
· Enable the IGP domain to forward routing information through IPv6 IS-IS.
· Configure the distribute link-state command in IS-IS view for the first node to report link status.
If a BSID exists in the segment list path, path connectivity verification will fail because the BSID cannot be flooded in the IGP topology. Do not perform this task in the scenario where BSID is deployed.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Enable path connectivity verification for all SRv6 TE policies.
srv6-policy path verification enable [ rib-check-only ]
By default, path connectivity verification is disabled for all SRv6 TE policies.
5. Enter SRv6 TE policy view.
policy policy-name
6. Configure path connectivity verification for an SRv6 TE policy.
path verification { enable [ rib-check-only ] | disable }
By default, path connectivity verification is not configured for an SRv6 TE policy. The setting configured in SRv6 TE view applies.
Configuring SRv6 TE policy transit node protection
About this task
The transit node protection technology is referred to as SRv6 TE FRR. After SRv6 TE FRR is enabled, when a transit node of an SRv6 TE policy fails, the upstream node of the faulty node can take over to forward packets. The upstream node is called a proxy forwarding node that bypasses the faulty transit node to implement node failure protection.
Restrictions and guidelines
In a complex network, any node might act as a transit node. As a best practice to improve the whole network security, enable SRv6 TE FRR on all nodes.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enable SRv6 TE FRR.
sr-te frr enable
4. Enter SRv6 TE view.
traffic-engineering
5. Enter SRv6 TE policy view.
policy policy-name
6. Enable the bypass feature for the SRv6 TE policy.
bypass enable
By default, the SRv6 TE policy bypass feature is disabled.
Execute this command only on the source node.
Configuring SRv6 TE policy egress protection
Restrictions and guidelines for SRv6 TE policy egress protection configuration
To configure SRv6 TE policy egress protection, all nodes that the packets will traverse must support SRv6.
Configuring an End.M SID
Restrictions and guidelines
Perform this task on protection node for the egress node.
For more information about the commands used in this task, see SRv6 commands in Segment Routing Command Reference.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Create a locator and enter SRv6 locator view.
locator locator-name [ ipv6-prefix ipv6-address prefix-length [ args args-length | static static-length ] * ]
4. Configure an End.M SID and specify the locator to be protected by the End.M SID.
opcode opcode end-m mirror-locator ipv6-address prefix-length
Enabling egress protection
About this task
This task enables the SRv6 node to compute a backup path (mirror FRR path) for the egress node based on the End.M SID carried in a received IS-ISv6 or OSPFv3 route. When the egress node fails, the transit node can forward traffic to the node that protects the egress node according to the End.M SID.
In an egress protection scenario, the transit node deletes the mirror FRR path after completing route convergence. If the deletion occurs before the ingress node switches traffic back from the mirror FRR path, the traffic will be dropped because of no mirror FRR path.
To resolve this issue, you can configure a proper mirror FRR deletion delay time on the transit node to delay the deletion of the mirror FRR route. So, packets can be forwarded over the mirror FRR path before the ingress finishes the path switchover.
Enabling IS-IS egress protection
1. Enter system view.
system-view
2. Enter IS-IS view.
isis [ process-id ] [ vpn-instance vpn-instance-name ]
3. Enter IS-IS IPv6 address family view.
address-family ipv6 [ unicast ]
4. Enable IS-IS egress protection.
fast-reroute mirror enable
By default, IS-IS egress protection is disabled.
5. (Optional.) Configure the mirror FRR deletion delay time.
fast-reroute mirror delete-delay delete-delay-time
By default, the mirror FRR deletion delay time is 60 seconds.
Enabling OSPFv3 egress protection
1. Enter system view.
system-view
2. Enter OSPFv3 view.
ospfv3 [ process-id | vpn-instance vpn-instance-name ] *
3. Enable OSPFv3 egress protection.
fast-reroute mirror enable
By default, OSPFv3 egress protection is disabled.
4. (Optional.) Configure the mirror FRR deletion delay time.
fast-reroute mirror delete-delay delete-delay-time
By default, the mirror FRR deletion delay time is 60 seconds.
Configuring the deletion delay time for remote SRv6 SID mappings with VPN instances/public instance/cross-connects/VSIs
About this task
In an egress protection scenario, if the egress node and the egress node's protection node are disconnected, the protection node will delete the BGP routes received from the egress node. The remote SRv6 SID and VPN instance/public instance/cross-connect/VSI mappings will then be deleted as a result. To avoid this issue, you can configure the mappings deletion delay time on the protection node. This ensures that traffic is forwarded through the protection node before the ingress detects the egress failure and computes a new forwarding path.
Restrictions and guidelines
Perform this task on the protection node for the egress node.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Configure the deletion delay time for remote SRv6 SID mappings with VPN instances/public instance/cross-connects/VSIs.
mirror remote-sid delete-delay delete-delay-time
By default, the deletion delay time for remote SRv6 SID and VPN instance/public instance/cross-connect/VSI mappings is 60 seconds.
Enabling the device to drop traffic when an SRv6 TE policy becomes invalid
About this task
Enable this feature for an SRv6 TE policy if you want to use only the SRv6 TE policy to forward traffic.
By default, if all forwarding paths of an SRv6 TE policy become invalid, the device forwards the packets through IPv6 routing table lookup based on the packet destination IPv6 addresses.
After you execute the drop-upon-invalid enable command, the device drops the packets if all forwarding paths of the SRv6 TE policy become invalid.
Restrictions and guidelines
The drop-upon-invalid enable command does not take effect in the following cases:
· BSID request failed or BSID conflicted for the SRv6 TE policy. To view the BSID state, see the Request state field in the display segment-routing ipv6 te policy command output.
· The SRv6 TE policy is invalid. To check the SRv6 TE policy validity, see the Forwarding index field in the display segment-routing ipv6 te policy command output. If the value is 0, the SRv6 TE policy is invalid.
The drop-upon-invalid command configured on the remote device does not affect an SRv6 TE policy generated based on a BGP IPv6 SR-TE policy route. The SRv6 TE policy is controlled by only the drop-upon-invalid command configured on the local device.
You can configure the drop-upon-invalid feature globally in SRv6 TE view or for a specific SRv6 TE policy in SRv6 TE policy view. The policy-specific configuration takes precedence over the global configuration. An SRv6 TE policy uses the global configuration only when it has no policy-specific configuration.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Globally enable the feature of dropping traffic when SRv6 TE policies become invalid.
srv6-policy drop-upon-invalid enable
By default, the drop-upon-invalid feature is disabled globally.
5. Enter SRv6 TE policy view.
policy policy-name
6. Configure the device to drop traffic when an SRv6 TE policy becomes invalid.
drop-upon-invalid { disable | enable }
By default, the drop-upon-invalid feature is not configured for an SRv6 TE policy. The configuration in SRv6 TE view applies.
Enabling SRv6 TE policies to forward packets without using the last SID in the SID list
About this task
In an SRv6 VPN scenario, to forward a public network packet through the SRv6 TE policy, the device encapsulates an SRH into the packet. The SRH contains the SID list of the SRv6 TE policy and the SID assigned to the VPN instance or public network instance (End.DT4 SID, for example). Both the last SID in the SID list and the End.DT4 SID are used to identify the egress node. To reduce the SRv6 packet size, you can configure this command to use only the End.DT4 SID to identify the egress node.
Restrictions and guidelines
You can configure this feature for all SRv6 TE policies globally in SRv6 TE view or for a specific SRv6 TE policy in SRv6 TE policy view. The policy-specific configuration takes precedence over the global configuration. An SRv6 TE policy uses the global configuration only when it has no policy-specific configuration.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Enable all SRv6 TE policies to forward packets without using the last SID in the SID list.
srv6-policy forwarding ignore-last-sid
By default, the feature is disabled..
5. Enter SRv6 TE policy view.
policy policy-name
6. Enable the SRv6 TE policy to forward packets without using the last SID in the SID list.
forwarding ignore-last-sid { disable | enable }
By default, the feature is not configured. The configuration in SRv6 TE view applies.
Specifying the packet encapsulation type preferred in optimal route selection
About this task
As shown in Figure 13, PE 4 is the RR, and it establishes an IBGP connection with PE 1, PE 2, and PE 3, respectively. PE 1 and PE 3 support SRv6. PE 2 does not support SRv6. Both an MPLS L3VPN connection and an EVPN L3VPN over SRv6 connection exist between PE 1 and PE 3.
In this case, you can perform this task to specify the preferred encapsulation type (SRv6 encapsulation or MPLS encapsulation) for BGP optimal route selection in the L3VPN. Then, BGP prefers the routes with the specified encapsulation type when routes have the same Preferred-value and LOCAL_PREF attributes. The subsequent route selection steps are the same as those in the original BGP route select procedure. For more information about BGP route selection, see BGP overview in Layer 3—IP Routing Configuration Guide.
Figure 13 MPLS L3VPN and EVPN L3VPN over SRv6 coexist
If you specify the preferred keyword in the bestroute encap-type command, BGP prefers the routes with specified encapsulation type (SRv6 or MPLS) when multiple routes have the same Preferred-value attribute value. The subsequent route selection steps are the same as those in the original BGP route select procedure.
If you do not specify the preferred keyword in the bestroute encap-type command, BGP prefers the routes with the specified encapsulation type (SRv6 or MPLS) when multiple routes have the same Preferred-value and LOCAL_PREF attribute values. The subsequent route selection steps are the same as those in the original BGP route select procedure.
For more information about BGP route selection, see BGP overview in Layer 3—IP Routing Configuration Guide.
Restrictions and guidelines
If you configure both the bestroute encap-type preferred command and the bestroute nexthop-type preferred command, BGP selects the optimal route in the VPN instance by using the following procedure:
1. Drops the route with an unreachable NEXT_HOP.
2. Selects the route with the highest Preferred-value.
3. Uses the optimal route selection rule configured by the bestroute encap-type command: prefers to use an MPLS-encapsulated or SRv6-encapsulated route.
4. Uses the optimal route selection rule configured by the bestroute nexthop-type command: prefers to use a route whose next hop is an IP address or a tunnel.
5. Selects the route with the highest LOCAL_PREF.
6. Proceeds the subsequent steps in the original BGP route select procedure.
For more information about the bestroute nexthop-type command, see BGP commands in Layer 3—IP Routing Command Reference.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
4. Specify the packet encapsulation type preferred in optimal route selection.
bestroute encap-type { mpls | srv6 } [ preferred ]
By default, BGP does not select optimal routes according to the packet encapsulation type.
Configuring SRv6 TE policy resource usage alarm thresholds
About this task
After you configure this feature, when the number of SRv6 TE policy resources crosses the upper threshold or lower threshold, the device generates log and alarm information. The administrator can then obtain the resource usage status of SRv6 TE policies.
SRv6 TE policy resources include the following:
· Number of valid forwarding paths for all SRv6 TE policies.
· Number of entries of the SRv6Policy type in the SRv6 forwarding table.
· Number of entries of the SRv6PGROUP type in the SRv6 forwarding table.
· Number of entries of the SRv6PSIDList type in the SRv6 forwarding table.
To view SRv6 forwarding table information, use the display segment-routing ipv6 forwarding command.
Restrictions and guidelines
To view resource usage for the current SRv6 TE policy, use the display segment-routing ipv6 te policy statistics command.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Configure the alarm thresholds for resource usage of SRv6 TE policies.
srv6-policy { forwarding-path | policy | policy-group | segment-list } alarm-threshold upper-limit upper-limit-value lower-limit lower-limit-value
By default, the upper and lower alarm thresholds are 80% and 75% for all resources of SRv6 TE policies.
Enabling SRv6 TE policy logging
About this task
This feature enables the device to generate logs for SRv6 TE policy state changes and resource usage anomalies. The administrator can use the logging information to audit SRv6 TE policies. The device delivers logs to its information center. The information center processes the logs according to user-defined output rules (whether to output logs and where to output). For more information about the information center, see the network management and monitoring configuration guide for the device.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Enable SRv6 TE policy logging.
srv6-policy log enable
By default, SRv6 TE policy logging is disabled.
Enabling SNMP notifications for SRv6 TE policies
About this task
This feature enables the device to send SNMP notifications about state changes and resource usage anomalies of SRv6 TE policies. For SNMP notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see the network management and monitoring configuration guide for the device.
Procedure
1. Enter system view.
system-view
2. Enable SNMP notifications for SRv6 TE policies.
snmp-agent trap enable srv6-policy
By default, SNMP notifications for SRv6 TE policies are disabled.
Configuring traffic forwarding statistics for SRv6 TE policies
About this task
This feature collects statistics on the traffic forwarded by SRv6 TE policies.
Restrictions and guidelines
You can configure traffic forwarding statistics for all SRv6 TE policies globally in SRv6 TE view or for a specific SRv6 TE policy in SRv6 TE policy view. The policy-specific configuration takes precedence over the global configuration. An SRv6 TE policy uses the global configuration only when it has no policy-specific configuration.
Procedure
1. Enter system view.
system-view
2. Enter SRv6 view.
segment-routing ipv6
3. Enter SRv6 TE view.
traffic-engineering
4. Enable traffic forwarding statistics for all SRv6 TE policies.
srv6-policy forwarding statistics enable
By default, traffic forwarding statistics is disabled for all SRv6 TE policies.
5. (Optional.) Set the traffic forwarding statistics interval for all SRv6 TE policies.
srv6-policy forwarding statistics interval interval
By default, the SRv6 TE policy forwarding statistics interval is 30 seconds.
6. Enter SRv6 TE policy view.
policy policy-name
7. Configure traffic forwarding statistics for the SRv6 TE policy.
forwarding statistics { disable | enable }
By default, an SRv6 TE policy uses the traffic forwarding statistics configuration in SRv6 TE view.
Verifying and maintaining SRv6 TE policies
Verifying the SRv6 TE policy operation status and configuration
Perform display tasks in any view:
· Display SRv6 TE policy information.
display segment-routing ipv6 te policy [ name policy-name | down | up | { color color-value | end-point ipv6 ip-address } * ]
· Display status information about SRv6 TE policies.
display segment-routing ipv6 te policy status [ policy-name policy-name ]
· Display SRv6 TE policy statistics.
display segment-routing ipv6 te policy statistics
· Display information about the most recent down event for SRv6 TE policies.
display segment-routing ipv6 te policy last-down-reason [ binding-sid bsid | color color-value endpoint ipv6 ipv6-address | policy-name policy-name ]
· Display SRv6-TE SID list information.
display segment-routing ipv6 te segment-list [ name seglist-name | id id-value ]
· Display SRv6 TE policy database information.
display segment-routing ipv6 te database [ link | node | prefix | srv6-sid ]
· Display information about SRv6 SIDs collected from the LS database.
display segment-routing ipv6 te source-sid [ end | end-x | sid ]
Verifying the SRv6 TE policy group operation status and configuration
Perform display tasks in any view:
· Display SRv6 TE policy group information:
display segment-routing ipv6 te policy-group [ group-id ] [ verbose ]
· Display information about the most recent down event for SRv6 TE policy groups.
display segment-routing ipv6 te policy-group last-down-reason [ group-id | endpoint ipv6-address color color-value ]
· Display SRv6-TE policy group statistics.
display segment-routing ipv6 te policy-group statistics
Verifying the BGP IPv6 SR policy routing configuration
Perform display tasks in any view:
· Display BGP IPv6 SR policy routing information.
display bgp [ instance instance-name ] routing-table ipv6 sr-policy [ sr-policy-prefix [ advertise-info | as-path | cluster-list | community | ext-community ] | { color color-value | end-point ipv6 ipv6-address } * | peer ipv6-address { advertised-routes | received-routes } [ statistics ] [ color color-value | end-point ipv6 ipv6-address ] * | statistics [ color color-value | end-point ipv6 ipv6-address ] * ]
display bgp [ instance instance-name ] routing-table ipv6 sr-policy [ statistics ] community [ community-number&<1-32> | aa:nn&<1-32> ] [ internet | no-advertise | no-export | no-export-subconfed ] [ whole-match ]
display bgp [ instance instance-name ] routing-table ipv6 sr-policy [ statistics ] community-list { basic-community-list-number | comm-list-name | adv-community-list-number } [ whole-match ]
display bgp [ instance instance-name ] routing-table ipv6 sr-policy [ statistics ] ext-community [ bandwidth link-bandwidth-value | color color | rt route-target | soo site-of-origin ]&<1-32> [ whole-match ]
· Display status and statistics information about a BGP IPv6 SR policy peer or peer group.
display bgp [ instance instance-name ] peer ipv6 sr-policy [ ipv6-address prefix-length | { ipv6-address | group-name group-name } log-info | [ ipv6-address ] verbose ]
· Display information about a BGP IPv6 SR policy peer group.
display bgp [ instance instance-name ] group ipv6 sr-policy [ group-name group-name ]
· Display information about a BGP IPv6 SR policy update group.
display bgp [ instance instance-name ] update-group ipv6 sr-policy [ ipv6-address ]
Verifying the SRv6 TE policy BFD and SBFD operation status
Perform display tasks in any view:
· Display BFD information for SRv6 TE policies.
display segment-routing ipv6 te bfd [ down | policy { { color color-value | end-point ipv6 ipv6-address } * | name policy-name } | up ]
· Display SBFD information for SRv6 TE policies.
display segment-routing ipv6 te sbfd [ down | policy { { color color-value | end-point ipv6 ipv6-address } * | name policy-name } | up ]
Verifying the SRv6 TE policy egress protection configuration
Perform display tasks in any view:
· Display remote SRv6 SIDs protected by mirror SIDs.
display bgp [ instance instance-name ] mirror remote-sid [ end-dt4 | end-dt46 | end-dt6 ] [ sid ]
· Display remote SRv6 SIDs protected by mirror SIDs on EVPN VPWS over SRv6 networks.
display evpn srv6 mirror remote-sid [ sid | type { end-dt2u | end-dx2 } ]
Displaying and clearing SRv6 TE policy forwarding statistics
To display SRv6 TE forwarding information, execute the following command in any view:
display segment-routing ipv6 te forwarding [ policy { name policy-name | { color color-value | end-point ipv6 ipv6-address } * } ] [ verbose ]
To clear traffic forwarding statistics of SRv6 TE policies, execute the following command in user view:
reset segment-routing ipv6 te forwarding statistics [ binding-sid binding-sid | color color-value endpoint endpoint-ipv6 | name name-value ]
Displaying SRv6 TE policy information in the PCE
Perform display tasks in any view:
· Display SRv6 TE policy information stored in the PCE.
display pce segment-routing ipv6 policy database [ color color-value endpoint ipv6 ipv6-address | policyname policy-name] [ verbose ]
· Display information about the SRv6 TE policy Initiate messages cached in the PCE process.
display pce segment-routing ipv6 policy initiate-cache
SRv6 TE policy configuration examples
Example: Configuring SRv6 TE policy-based forwarding
Network configuration
As shown in Figure 14, perform the following tasks on the devices to implement SRv6 TE policy-based forwarding over a specific path:
· Configure Device A through Device D to run IS-IS to implement Layer 3 connectivity.
· Configure basic SRv6 on Device A through Device D.
· Configure an SRv6 TE policy on Device A to forward user packets along path Device A > Device B > Device C > Device D.
|
Device |
Interface |
IP address |
Device |
Interface |
IP address |
|
Device A |
Loop1 |
1::1/128 |
Device B |
Loop1 |
2::2/128 |
|
|
HGE1/0/1 |
1000::1/64 |
|
HGE1/0/1 |
1000::2/64 |
|
|
HGE1/0/2 |
4000::1/64 |
|
HGE1/0/2 |
2000::2/64 |
|
Device C |
Loop1 |
3::3/128 |
Device D |
Loop1 |
4::4/128 |
|
|
HGE1/0/1 |
3000::3/64 |
|
HGE1/0/1 |
3000::4/64 |
|
|
HGE1/0/2 |
2000::3/64 |
|
HGE1/0/2 |
4000::4/64 |
Prerequisites
By default, interfaces on the device are in administratively down state. Use the undo shutdown command to bring up interfaces as needed in the corresponding interface view.
Procedure
1. Configure IP addresses and masks for interfaces. (Details not shown.)
2. Configure Device A:
# Configure an SRv6 SID list.
[DeviceA] segment-routing ipv6
[DeviceA-segment-routing-ipv6] encapsulation source-address 1::1
[DeviceA-segment-routing-ipv6] locator a ipv6-prefix 5000:: 64 static 32
[DeviceA-segment-routing-ipv6-locator-a] opcode 1 end
[DeviceA-segment-routing-ipv6-locator-a] quit
[DeviceA-segment-routing-ipv6] traffic-engineering
[DeviceA-srv6-te] srv6-policy locator a
[DeviceA-srv6-te] segment-list s1
[DeviceA-srv6-te-sl-s1] index 10 ipv6 6000::1
[DeviceA-srv6-te-sl-s1] index 20 ipv6 7000::1
[DeviceA-srv6-te-sl-s1] index 30 ipv6 8000::1
[DeviceA-srv6-te-sl-s1] quit
# Create an SRv6 TE policy and set the attributes.
[DeviceA-srv6-te] policy p1
[DeviceA-srv6-te-policy-p1] binding-sid ipv6 5000::2
[DeviceA-srv6-te-policy-p1] color 10 end-point ipv6 4::4
[DeviceA-srv6-te-policy-p1] candidate-paths
[DeviceA-srv6-te-policy-p1-path] preference 10
[DeviceA-srv6-te-policy-p1-path-pref-10] explicit segment-list s1
[DeviceA-srv6-te-policy-p1-path-pref-10] quit
[DeviceA-srv6-te-policy-p1-path] quit
[DeviceA-srv6-te-policy-p1] quit
[DeviceA-srv6-te] quit
[DeviceA-segment-routing-ipv6] quit
# Configure IS-IS and set the IS-IS cost style to wide.
<DeviceA> system-view
[DeviceA] isis 1
[DeviceA-isis-1] network-entity 00.0000.0000.0001.00
[DeviceA-isis-1] cost-style wide
[DeviceA-isis-1] address-family ipv6 unicast
[DeviceA-isis-1-ipv6] segment-routing ipv6 locator a
[DeviceA-isis-1-ipv6] quit
[DeviceA-isis-1] quit
[DeviceA] interface hundredgige 1/0/1
[DeviceA-HundredGigE1/0/1] isis ipv6 enable 1
[DeviceA-HundredGigE1/0/1] quit
[DeviceA] interface hundredgige 1/0/2
[DeviceA-HundredGigE1/0/2] isis ipv6 enable 1
[DeviceA-HundredGigE1/0/2] quit
[DeviceA] interface loopback 1
[DeviceA-LoopBack1] isis ipv6 enable 1
[DeviceA-LoopBack1] quit
3. Configure Device B:
# Configure the SRv6 End.SID.
[DeviceB] segment-routing ipv6
[DeviceB-segment-routing-ipv6] locator b ipv6-prefix 6000:: 64 static 32
[DeviceB-segment-routing-ipv6-locator-b] opcode 1 end
[DeviceB-segment-routing-ipv6-locator-b] quit
[DeviceB-segment-routing-ipv6] quit
# Configure IS-IS and set the IS-IS cost style to wide.
<DeviceB> system-view
[DeviceB] isis 1
[DeviceB-isis-1] network-entity 00.0000.0000.0002.00
[DeviceB-isis-1] cost-style wide
[DeviceB-isis-1] address-family ipv6 unicast
[DeviceB-isis-1-ipv6] segment-routing ipv6 locator b
[DeviceB-isis-1-ipv6] quit
[DeviceB-isis-1] quit
[DeviceB] interface hundredgige 1/0/1
[DeviceB-HundredGigE1/0/1] isis ipv6 enable 1
[DeviceB-HundredGigE1/0/1] quit
[DeviceB] interface hundredgige 1/0/2
[DeviceB-HundredGigE1/0/2] isis ipv6 enable 1
[DeviceB-HundredGigE1/0/2] quit
[DeviceB] interface loopback 1
[DeviceB-LoopBack1] isis ipv6 enable 1
[DeviceB-LoopBack1] quit
4. Configure Device C:
# Configure the SRv6 End.SID.
[DeviceC] segment-routing ipv6
[DeviceC-segment-routing-ipv6] locator c ipv6-prefix 7000:: 64 static 32
[DeviceC-segment-routing-ipv6-locator-c] opcode 1 end
[DeviceC-segment-routing-ipv6-locator-c] quit
[DeviceC-segment-routing-ipv6] quit
# Configure IS-IS and set the IS-IS cost style to wide.
<DeviceC> system-view
[DeviceC] isis 1
[DeviceC-isis-1] network-entity 00.0000.0000.0003.00
[DeviceC-isis-1] cost-style wide
[DeviceC-isis-1] address-family ipv6 unicast
[DeviceC-isis-1-ipv6] segment-routing ipv6 locator c
[DeviceC-isis-1-ipv6] quit
[DeviceC-isis-1] quit
[DeviceC] interface hundredgige 1/0/1
[DeviceC-HundredGigE1/0/1] isis ipv6 enable 1
[DeviceC-HundredGigE1/0/1] quit
[DeviceC] interface hundredgige 1/0/2
[DeviceC-HundredGigE1/0/2] isis ipv6 enable 1
[DeviceC-HundredGigE1/0/2] quit
[DeviceC] interface loopback 1
[DeviceC-LoopBack1] isis ipv6 enable 1
[DeviceC-LoopBack1] quit
5. Configure Device D:
# Configure the SRv6 End.SID.
[DeviceD] segment-routing ipv6
[DeviceD-segment-routing-ipv6] locator d ipv6-prefix 8000:: 64 static 32
[DeviceD-segment-routing-ipv6-locator-d] opcode 1 end
[DeviceD-segment-routing-ipv6-locator-d] quit
[DeviceD-segment-routing-ipv6] quit
# Configure IS-IS and set the IS-IS cost style to wide.
<DeviceD> system-view
[DeviceD] isis 1
[DeviceD-isis-1] network-entity 00.0000.0000.0004.00
[DeviceD-isis-1] cost-style wide
[DeviceD-isis-1] address-family ipv6 unicast
[DeviceD-isis-1-ipv6] segment-routing ipv6 locator d
[DeviceD-isis-1-ipv6] quit
[DeviceD-isis-1] quit
[DeviceD] interface hundredgige 1/0/1
[DeviceD-HundredGigE1/0/1] isis ipv6 enable 1
[DeviceD-HundredGigE1/0/1] quit
[DeviceD] interface hundredgige 1/0/2
[DeviceD-HundredGigE1/0/2] isis ipv6 enable 1
[DeviceD-HundredGigE1/0/2] quit
[DeviceD] interface loopback 1
[DeviceD-LoopBack1] isis ipv6 enable 1
[DeviceD-LoopBack1] quit
Verifying the configuration
# Display SRv6 TE policy information on Device A.
[DeviceA] display segment-routing ipv6 te policy
Name/ID: p1/0
Color: 10
Endpoint: 4::4
Name from BGP:
BSID:
Mode: Explicit Type: Type_2 Request state: Succeeded
Current BSID: 5000::2 Explicit BSID: 5000::2 Dynamic BSID: -
Reference counts: 4
Flags: A/BS/NC
Status: Up
AdminStatus: Up
Up time: 2020-04-02 16:08:03
Down time: 2020-04-02 16:03:48
Hot backup: Disabled
Statistics: Disabled
Statistics by service class: Disabled
Path verification: Disabled
Forwarding ignore last SID: Disabled
Drop-upon-invalid: Disabled
BFD trigger path-down: Disabled
SBFD: Disabled
BFD Echo: Disabled
Forwarding index: 2150629377
Association ID: 1
Service-class: -
Rate-limit: 15000 kbps
PCE delegation: Disabled
PCE delegate report-only: Disabled
Encaps reduced: Disabled
Encaps include local End.X: Disabled
Candidate paths state: Configured
Candidate paths statistics:
CLI paths: 1 BGP paths: 0 PCEP paths: 0
Candidate paths:
Preference : 10
CPathName:
ProtoOrigin: CLI Discriminator: 30
Instance ID: 0 Node address: 0.0.0.0
Originator: 0, ::
Optimal: Y Flags: V/A
Dynamic: Not configured
PCEP: Not configured
Explicit SID list:
ID: 1 Name: s1
Weight: 1 Forwarding index: 2149580801
State: Up State(-): -
Verification State: -
Active path MTU: 1280 bytes
The output shows that the SRv6 TE policy is in up state. The device can use the SRv6 TE policy to forward packets.
# Display SRv6 TE forwarding information on Device A.
[DeviceA] display segment-routing ipv6 te forwarding verbose
Total forwarding entries: 1
Policy name/ID: p1/0
Binding SID: 5000::2
Policy forwording index: 2150629377
Main path:
Seglist Name/ID: 1
Seglist forwording index: 2149580801
Weight: 1
Outgoing forwording index: 2148532225
Interface: GE1/0/1
Nexthop: FE80::54CB:70FF:FE86:316
Path ID: 0
SID list: {6000::1, 7000::1, 8000::1}
# Display SRv6 forwarding information on Device A.
[DeviceA] display segment-routing ipv6 forwarding
Total SRv6 forwarding entries: 3
Flags: T - Forwarded through a tunnel
N - Forwarded through the outgoing interface to the nexthop IP address
A - Active forwarding information
B - Backup forwarding information
ID FWD-Type Flags Forwarding info
--------------------------------------------------------------------------------
2148532225 SRv6PSIDList NA HGE1/0/1
FE80::54CB:70FF:FE86:316
{6000::1, 7000::1, 8000::1}
2149580801 SRv6PCPath TA 2148532225
2150629377 SRv6Policy TA 2149580801
Example: Configuring SRv6 TE policy egress protection
Network configuration
As shown in Figure 15, deploy an SRv6 TE policy in both directions between PE 1 and PE 2 to carry the L3VPN service. PE 2 is the egress node of the SRv6 TE policy. To improve the forwarding reliability, configure PE 3 to protect PE 2.
Table 1 Interface and IP address
|
Device |
Interface |
IP Address |
Device |
Interface |
IP Address |
|
CE 1 |
HGE1/0/1 |
10.1.1.2/24 |
PE 2 |
Loop0 |
3::3/128 |
|
PE 1 |
Loop0 |
1::1/128 |
|
HGE1/0/1 |
10.2.1.1/24 |
|
|
HGE1/0/1 |
10.1.1.1/24 |
|
HGE1/0/2 |
2002::1/64 |
|
|
HGE1/0/2 |
2001::1/96 |
|
HGE1/0/3 |
2004::2/96 |
|
P |
Loop0 |
2::2/128 |
PE 3 |
Loop0 |
4::4/128 |
|
|
HGE1/0/1 |
2001::2/96 |
|
HGE1/0/1 |
10.3.1.1/24 |
|
|
HGE1/0/2 |
2002::2/64 |
|
HGE1/0/2 |
2003::1/96 |
|
|
HGE1/0/3 |
2003::2/96 |
|
HGE1/0/3 |
2004::1/96 |
|
|
|
|
CE 2 |
HGE1/0/1 |
10.2.1.2/24 |
|
|
|
|
|
HGE1/0/2 |
10.3.1.2/24 |
Prerequisites
Configure interface addresses as shown in Table 1.
By default, interfaces on the device are in administratively down state. Use the undo shutdown command to bring up interfaces as needed in the corresponding interface view.
Procedure
1. Configure CE 1:
# Establish an EBGP peer relationship with PE 1 and redistribute the VPN routes.
<CE1> system-view
[CE1] bgp 65410
[CE1-bgp-default] peer 10.1.1.1 as-number 100
[CE1-bgp-default] address-family ipv4 unicast
[CE1-bgp-default-ipv4] peer 10.1.1.1 enable
[CE1-bgp-default-ipv4] import-route direct
[CE1-bgp-default-ipv4] quit
[CE1-bgp-default] quit
2. Configure PE 1:
# Configure IPv6 IS-IS for backbone network connectivity.
<PE1> system-view
[PE1] isis 1
[PE1-isis-1] is-level level-1
[PE1-isis-1] cost-style wide
[PE1-isis-1] network-entity 10.1111.1111.1111.00
[PE1-isis-1] address-family ipv6 unicast
[PE1-isis-1-ipv6] quit
[PE1-isis-1] quit
[PE1] interface loopback 0
[PE1-LoopBack0] ipv6 address 1::1 128
[PE1-LoopBack0] isis ipv6 enable 1
[PE1-LoopBack0] quit
[PE1] interface hundredgige 1/0/2
[PE1-HundredGigE1/0/2] ipv6 address 2001::1 96
[PE1-HundredGigE1/0/2] isis ipv6 enable 1
[PE1-HundredGigE1/0/2] quit
# Configure a VPN instance and bind it to the CE-facing interface.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher 100:1
[PE1-vpn-instance-vpn1] vpn-target 111:1
[PE1-vpn-instance-vpn1] quit
[PE1] interface hundredgige 1/0/1
[PE1-HundredGigE1/0/1] ip binding vpn-instance vpn1
[PE1-HundredGigE1/0/1] ip address 10.1.1.1 24
[PE1-HundredGigE1/0/1] quit
# Establish an EBGP peer relationship with the connected CE to redistribute the VPN routes.
[PE1] bgp 100
[PE1-bgp-default] router-id 1.1.1.1
[PE1-bgp-default] ip vpn-instance vpn1
[PE1-bgp-default-vpn1] peer 10.1.1.2 as-number 65410
[PE1-bgp-default-vpn1] address-family ipv4 unicast
[PE1-bgp-default-ipv4-vpn1] peer 10.1.1.2 enable
[PE1-bgp-default-ipv4-vpn1] quit
[PE1-bgp-default-vpn1] quit
# Establish MP-IBGP peer relationships with the peer PEs.
[PE1] bgp 100
[PE1-bgp-default] peer 3::3 as-number 100
[PE1-bgp-default] peer 4::4 as-number 100
[PE1-bgp-default] peer 3::3 connect-interface loopback 0
[PE1-bgp-default] peer 4::4 connect-interface loopback 0
[PE1-bgp-default] address-family vpnv4
[PE1-bgp-default-vpnv4] peer 3::3 enable
[PE1-bgp-default-vpnv4] peer 4::4 enable
[PE1-bgp-default-vpnv4] quit
[PE1-bgp-default] quit
# Configure L3VPN over SRv6 TE policy.
[PE1] segment-routing ipv6
[PE1-segment-routing-ipv6] encapsulation source-address 1::1
[PE1-segment-routing-ipv6] locator aaa ipv6-prefix 1:2::1:0 96 static 8
[PE1-segment-routing-ipv6-locator-aaa] opcode 1 end-dt4 vpn-instance vpn1
[PE1-segment-routing-ipv6-locator-aaa] quit
[PE1-segment-routing-ipv6] quit
[PE1] bgp 100
[PE1-bgp-default] address-family vpnv4
[PE1-bgp-default-vpnv4] peer 3::3 prefix-sid
[PE1-bgp-default-vpnv4] peer 4::4 prefix-sid
[PE1-bgp-default-vpnv4] quit
[PE1-bgp-default] ip vpn-instance vpn1
[PE1-bgp-default-vpn1] address-family ipv4 unicast
[PE1-bgp-default-ipv4-vpn1] segment-routing ipv6 traffic-engineering best-effort
[PE1-bgp-default-ipv4-vpn1] segment-routing ipv6 locator aaa
[PE1-bgp-default-ipv4-vpn1] quit
[PE1-bgp-default-vpn1] quit
[PE1-bgp-default] quit
[PE1] isis 1
[PE1-isis-1] address-family ipv6 unicast
[PE1-isis-1-ipv6] segment-routing ipv6 locator aaa
[PE1-isis-1-ipv6] quit
[PE1-isis-1] quit
# Configure an SRv6 TE policy.
[PE1] segment-routing ipv6
[PE1-segment-routing-ipv6] traffic-engineering
[PE1-srv6-te] srv6-policy locator aaa
[PE1-srv6-te] segment-list s1
[PE1-srv6-te-s1-s1] index 10 ipv6 100:abc:1::1
[PE1-srv6-te-s1-s1] index 20 ipv6 6:5::1:2
[PE1-srv6-te-s1-s1] quit
[PE1-srv6-te] policy p1
[PE1-srv6-te-policy-p1] binding-sid ipv6 1:2::1:2
[PE1-srv6-te-policy-p1] color 10 end-point ipv6 3::3
[PE1-srv6-te-policy-p1] forwarding ignore-last-sid enable
[PE1-srv6-te-policy-p1] candidate-paths
[PE1-srv6-te-policy-p1-path] preference 10
[PE1-srv6-te-policy-p1-path-pref-10] explicit segment-list s1
[PE1-srv6-te-policy-p1-path-pref-10] quit
[PE1-srv6-te-policy-p1-path] quit
[PE1-srv6-te-policy-p1] quit
[PE1-srv6-te] segment-list s2
[PE1-srv6-te-s2-s2] index 10 ipv6 100:abc:1::1
[PE1-srv6-te-s2-s2] index 20 ipv6 9:7::100
[PE1-srv6-te-s2-s2] quit
[PE1-srv6-te] policy p2
[PE1-srv6-te-policy-p2] binding-sid ipv6 1:2::1:2
[PE1-srv6-te-policy-p2] color 10 end-point ipv6 4::4
[PE1-srv6-te-policy-p2] forwarding ignore-last-sid enable
[PE1-srv6-te-policy-p2] candidate-paths
[PE1-srv6-te-policy-p2-path] preference 20
[PE1-srv6-te-policy-p2-path-pref-20] explicit segment-list s2
[PE1-srv6-te-policy-p2-path-pref-20] quit
[PE1-srv6-te-policy-p2-path] quit
[PE1-srv6-te-policy-p2] quit
[PE1-srv6-te] quit
[PE1-segment-routing-ipv6] quit
3. Configure the P device:
# Configure IPv6 IS-IS for backbone network connectivity.
<P> system-view
[P] isis 1
[P-isis-1] is-level level-1
[P-isis-1] cost-style wide
[P-isis-1] network-entity 10.2222.2222.2222.00
[P-isis-1] address-family ipv6 unicast
[P-isis-1-ipv6] quit
[P-isis-1] quit
[P] interface loopback 0
[P-LoopBack0] ipv6 address 2::2 128
[P-LoopBack0] isis ipv6 enable 1
[P-LoopBack0] quit
[P] interface hundredgige 1/0/1
[P-HundredGigE1/0/1] ipv6 address 2001::2 96
[P-HundredGigE1/0/1] isis ipv6 enable 1
[P-HundredGigE1/0/1] quit
[P] interface hundredgige 1/0/2
[P-HundredGigE1/0/2] ipv6 address 2002::2 96
[P-HundredGigE1/0/2] isis ipv6 enable 1
[P-HundredGigE1/0/2] quit
[P] interface hundredgige 1/0/3
[P-HundredGigE1/0/3] ipv6 address 2003::2 96
[P-HundredGigE1/0/3] isis ipv6 enable 1
[P-HundredGigE1/0/3] quit
# Configure SRv6.
[P] segment-routing ipv6
[P-segment-routing-ipv6] locator p ipv6-prefix 100:abc:1::0 120 static 8
[P-segment-routing-ipv6-locator-p] opcode 1 end
[P-segment-routing-ipv6-locator-p] quit
[P-segment-routing-ipv6] quit
[P] isis 1
[P-isis-1] address-family ipv6 unicast
[P-isis-1-ipv6] segment-routing ipv6 locator p
# Configure the FRR backup nexthop information and enable egress protection.
[P-isis-1-ipv6] fast-reroute lfa level-1
[P-isis-1-ipv6] fast-reroute ti-lfa
[P-isis-1-ipv6] fast-reroute mirror enable
[P-isis-1-ipv6] fast-reroute mirror delete-delay 480
[P-isis-1-ipv6] quit
[P-isis-1] quit
4. Configure PE 2:
# Configure IPv6 IS-IS for backbone network connectivity.
<PE2> system-view
[PE2] isis 1
[PE2-isis-1] is-level level-1
[PE2-isis-1] cost-style wide
[PE2-isis-1] network-entity 10.3333.3333.3333.00
[PE2-isis-1] address-family ipv6 unicast
[PE2-isis-1-ipv6] quit
[PE2-isis-1] quit
[PE2] interface loopback 0
[PE2-LoopBack0] ipv6 address 3::3 128
[PE2-LoopBack0] isis ipv6 enable 1
[PE2-LoopBack0] quit
[PE2] interface hundredgige 1/0/2
[PE2-HundredGigE1/0/2] ipv6 address 2002::1 96
[PE2-HundredGigE1/0/2] isis ipv6 enable 1
[PE2-HundredGigE1/0/2] quit
[PE2] interface hundredgige 1/0/3
[PE2-HundredGigE1/0/3] ipv6 address 2004::2 96
[PE2-HundredGigE1/0/3] isis ipv6 enable 1
[PE2-HundredGigE1/0/3] quit
# Configure a VPN instance and bind it to the CE-facing interface.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] route-distinguisher 100:1
[PE2-vpn-instance-vpn1] vpn-target 111:1
[PE2-vpn-instance-vpn1] quit
[PE2] interface hundredgige 1/0/1
[PE2-HundredGigE1/0/1] ip binding vpn-instance vpn1
[PE2-HundredGigE1/0/1] ip address 10.2.1.1 24
[PE2-HundredGigE1/0/1] quit
# Establish an EBGP peer relationship with the connected CE to redistribute the VPN routes.
[PE2] bgp 100
[PE2-bgp-default] router-id 2.2.2.2
[PE2-bgp-default] ip vpn-instance vpn1
[PE2-bgp-default-vpn1] peer 10.2.1.2 as-number 65420
[PE2-bgp-default-vpn1] address-family ipv4 unicast
[PE2-bgp-default-ipv4-vpn1] peer 10.2.1.2 enable
[PE2-bgp-default-ipv4-vpn1] quit
[PE2-bgp-default-vpn1] quit
# Establish MP-IBGP peer relationships with the peer PEs.
[PE2] bgp 100
[PE2-bgp-default] peer 1::1 as-number 100
[PE2-bgp-default] peer 4::4 as-number 100
[PE2-bgp-default] peer 1::1 connect-interface loopback 0
[PE2-bgp-default] peer 4::4 connect-interface loopback 0
[PE2-bgp-default] address-family vpnv4
[PE2-bgp-default-vpnv4] peer 1::1 enable
[PE2-bgp-default-vpnv4] peer 4::4 enable
[PE2-bgp-default-vpnv4] quit
[PE2-bgp-default] quit
# Configure L3VPN over SRv6 TE policy.
[PE2] segment-routing ipv6
[PE2-segment-routing-ipv6] encapsulation source-address 3::3
[PE2-segment-routing-ipv6] locator bbb ipv6-prefix 6:5::1:0 96 static 8
[PE2-segment-routing-ipv6-locator-bbb] opcode 1 end-dt4 vpn-instance vpn1
[PE2-segment-routing-ipv6-locator-bbb] quit
[PE2-segment-routing-ipv6] quit
[PE2] bgp 100
[PE2-bgp-default] address-family vpnv4
[PE2-bgp-default-vpnv4] peer 1::1 prefix-sid
[PE2-bgp-default-vpnv4] peer 4::4 prefix-sid
[PE2-bgp-default-vpnv4] quit
[PE2-bgp-default] ip vpn-instance vpn1
[PE2-bgp-default-vpn1] address-family ipv4 unicast
[PE2-bgp-default-ipv4-vpn1] segment-routing ipv6 traffic-engineering best-effort
[PE2-bgp-default-ipv4-vpn1] segment-routing ipv6 locator bbb
[PE2-bgp-default-ipv4-vpn1] quit
[PE2-bgp-default-vpn1] quit
[PE2-bgp-default] quit
[PE2] isis 1
[PE2-isis-1] address-family ipv6 unicast
[PE2-isis-1-ipv6] segment-routing ipv6 locator bbb
[PE2-isis-1-ipv6] quit
[PE2-isis-1] quit
5. Configure PE 3:
# Configure IPv6 IS-IS for backbone network connectivity.
<PE3> system-view
[PE3] isis 1
[PE3-isis-1] is-level level-1
[PE3-isis-1] cost-style wide
[PE3-isis-1] network-entity 10.4444.4444.4444.00
[PE3-isis-1] address-family ipv6 unicast
[PE3-isis-1-ipv6] quit
[PE3-isis-1] quit
[PE3] interface loopback 0
[PE3-LoopBack0] ipv6 address 4::4 128
[PE3-LoopBack0] isis ipv6 enable 1
[PE3-LoopBack0] quit
[PE3] interface hundredgige 1/0/2
[PE3-HundredGigE1/0/2] ipv6 address 2003::1 96
[PE3-HundredGigE1/0/2] isis ipv6 enable 1
[PE3-HundredGigE1/0/2] quit
[PE3] interface hundredgige 1/0/3
[PE3-HundredGigE1/0/3] ipv6 address 2004::1 96
[PE3-HundredGigE1/0/3] isis ipv6 enable 1
[PE3-HundredGigE1/0/3] quit
# Configure a VPN instance and bind it to the CE-facing interface.
[PE3] ip vpn-instance vpn1
[PE3-vpn-instance-vpn1] route-distinguisher 100:1
[PE3-vpn-instance-vpn1] vpn-target 111:1
[PE3-vpn-instance-vpn1] quit
[PE3] interface hundredgige 1/0/1
[PE3-HundredGigE1/0/1] ip binding vpn-instance vpn1
[PE3-HundredGigE1/0/1] ip address 10.3.1.1 24
[PE3-HundredGigE1/0/1] quit
# Establish an EBGP peer relationship with the connected CE to redistribute the VPN routes.
[PE3] bgp 100
[PE3-bgp-default] router-id 3.3.3.3
[PE3-bgp-default] ip vpn-instance vpn1
[PE3-bgp-default-vpn1] peer 10.3.1.2 as-number 65420
[PE3-bgp-default-vpn1] address-family ipv4 unicast
[PE3-bgp-default-ipv4-vpn1] peer 10.3.1.2 enable
[PE3-bgp-default-ipv4-vpn1] quit
[PE3-bgp-default-vpn1] quit
# Establish MP-IBGP peer relationships with the peer PEs.
[PE3] bgp 100
[PE3-bgp-default] peer 1::1 as-number 100
[PE3-bgp-default] peer 3::3 as-number 100
[PE3-bgp-default] peer 1::1 connect-interface loopback 0
[PE3-bgp-default] peer 3::3 connect-interface loopback 0
[PE3-bgp-default] address-family vpnv4
[PE3-bgp-default-vpnv4] peer 1::1 enable
[PE3-bgp-default-vpnv4] peer 3::3 enable
[PE3-bgp-default-vpnv4] quit
[PE3-bgp-default] quit
# Configure the source address in the outer IPv6 header of SRv6 VPN packets.
[PE3] segment-routing ipv6
[PE3-segment-routing-ipv6] encapsulation source-address 4::4
# Configure the deletion delay time for remote SRv6 SID mappings with VPN instances/cross-connects/VSIs.
[PE3-segment-routing-ipv6] mirror remote-sid delete-delay 21845
# Configure an End.M SID to protect PE 2.
[PE3-segment-routing-ipv6] locator ccc ipv6-prefix 9:7::1:0 96 static 8
[PE3-segment-routing-ipv6-locator-ccc] opcode 1 end-m mirror-locator 6:5::1:0 120
[PE3-segment-routing-ipv6-locator-ccc] quit
[PE3-segment-routing-ipv6] quit
# Recurse the VPN routes to the End.M SID route.
[PE3] bgp 100
[PE3-bgp-default] address-family vpnv4
[PE3-bgp-default-vpnv4] peer 1::1 prefix-sid
[PE3-bgp-default-vpnv4] peer 3::3 prefix-sid
[PE3-bgp-default-vpnv4] quit
[PE3-bgp-default] ip vpn-instance vpn1
[PE3-bgp-default-vpn1] address-family ipv4 unicast
[PE3-bgp-default-ipv4-vpn1] segment-routing ipv6 locator ccc
[PE3-bgp-default-ipv4-vpn1] quit
[PE3-bgp-default-vpn1] quit
[PE3-bgp-default] quit
[PE3] isis 1
[PE3-isis-1] address-family ipv6 unicast
[PE3-isis-1-ipv6] segment-routing ipv6 locator ccc
[PE3-isis-1-ipv6] quit
[PE3-isis-1] quit
6. Configure CE 2:
# Establish an EBGP peer relationship with PEs and redistribute the VPN routes.
<CE2> system-view
[CE2] bgp 65420
[CE2-bgp-default] peer 10.2.1.1 as-number 100
[CE2-bgp-default] peer 10.3.1.1 as-number 100
[CE2-bgp-default] address-family ipv4 unicast
[CE2-bgp-default-ipv4] peer 10.2.1.1 enable
[CE2-bgp-default-ipv4] peer 10.3.1.1 enable
[CE2-bgp-default-ipv4] import-route direct
[CE2-bgp-default-ipv4] quit
[CE2-bgp-default] quit
Verifying the configuration
# Display the SRv6 TE policy configuration. The output shows that the SRv6 TE policy is up for traffic forwarding.
[PE1] display segment-routing ipv6 te policy
Name/ID: p1/0
Color: 10
End-point: 3::3
Name from BGP:
BSID:
Mode: Explicit Type: Type_2 Request state: Succeeded
Current BSID: 1:2::1:2 Explicit BSID: 1:2::1:2 Dynamic BSID: -
Reference counts: 4
Flags: A/BS/NC
Status: Up
AdminStatus: Up
Up time: 2020-10-28 09:10:33
Down time: 2020-10-28 09:09:32
Hot backup: Disabled
Statistics: Disabled
Statistics by service class: Disabled
Path verification: Disabled
Forwarding ignore last SID: Disabled
Drop-upon-invalid: Disabled
BFD trigger path-down: Disabled
SBFD: Disabled
BFD Echo: Disabled
Forwarding index: 2150629377
Association ID: 1
Service-class: -
Rate-limit: -
PCE delegation: Disabled
PCE delegate report-only: Disabled
Encaps reduced: Disabled
Encaps include local End.X: Disabled
Candidate paths state: Configured
Candidate paths statistics:
CLI paths: 1 BGP paths: 0 PCEP paths: 0 ODN paths: 0
Candidate paths:
Preference : 10
CPathName:
ProtoOrigin: CLI Discriminator: 30
Instance ID: 0 Node address: 0.0.0.0
Originator: 0, ::
Optimal: Y Flags: V/A
Dynamic: Not configured
PCEP: Not configured
Explicit SID list:
ID: 1 Name: s1
Weight: 1 Forwarding index: 2149580801
State: Up State(-): -
Verification State: -
Active path MTU: 1280 bytes
# Display SRv6 TE policy forwarding information on PE 1.
[PE1] display segment-routing ipv6 te forwarding verbose
Total forwarding entries: 1
Policy name/ID: p1/0
Binding SID: 1:2::1:2
Forwarding index: 2150629377
Main path:
Seglist Name/ID: 1
Seglist forwarding index: 2149580801
Weight: 1
Outgoing forwarding index: 2148532225
Interface: HGE1/0/2
Nexthop: FE80::988A:B5FF:FED9:316
Path ID: 0
SID list: {100:ABC:1::1, 6:5::1:1}
# Display SRv6 TE policy forwarding path information on PE 1.
[PE1] display segment-routing ipv6 forwarding
Total SRv6 forwarding entries: 3
Flags: T - Forwarded through a tunnel
N - Forwarded through the outgoing interface to the nexthop IP address
A - Active forwarding information
B - Backup forwarding information
ID FWD-Type Flags Forwarding info
Attri-Val Attri-Val
--------------------------------------------------------------------------------
2148532225 SRv6PSIDList NA HGE1/0/2
FE80::988A:B5FF:FED9:316
{100:ABC:1::1, 6:5::1:1}
2149580801 SRv6PCPath TA 2148532225
2150629377 SRv6Policy TA 2149580801
p1
# Display remote SRv6 SIDs protected by End.M SIDs on PE 3.
[PE3] display bgp mirror remote-sid
Remote SID: 6:5::1:1
Remote SID type: End.DT4
Mirror locator: 6:5::1:0/120
Vpn instance name: vpn1
# Display the End.M SID carried in the IS-IS IPv6 route on the P device.
[P] display isis route ipv6 6:5::1:0 120 verbose
Route information for IS-IS(1)
------------------------------
Level-1 IPv6 forwarding table
-----------------------------
IPv6 dest : 6:5::1:0/120
Flag : R/-/- Cost : 10
Admin tag : - Src count : 3
Nexthop : FE80::988A:BDFF:FEB6:417
Interface : HGE1/0/2
Mirror FRR:
Interface : HGE1/0/3
BkNextHop : FE80::988A:C6FF:FE0D:517
LsIndex : 0x80000001
Backup label stack(top->bottom): {9:7::1:1}
Nib ID : 0x24000006
Flags: D-Direct, R-Added to Rib, L-Advertised in LSPs, U-Up/Down Bit Set
Typically, VPN traffic from CE 1 to CE 2 is forwarded over the CE 1-PE 1-P-PE 2-CE 2 path. When PE 2 fails, the P device switches traffic to the mirror FRR path for the SRv6 TE policy when it detects that the next hop (PE 2) is unreachable.
# Shut down the interface that connects P to PE 2.
[P] interface hundredgige 1/0/2
[P-HundredGigE1/0/2] shut
[P-HundredGigE1/0/2] quit
# Display the IS-IS IPv6 route information. The output shows that the nexthop interface becomes the backup interface.
[P] display isis route ipv6 6:5::1:0 120 verbose
Route information for IS-IS(1)
------------------------------
Level-1 IPv6 forwarding table
-----------------------------
IPv6 dest : 6:5::1:0/120
Flag : R/-/- Cost : 20
Admin tag : - Src count : 3
Nexthop : FE80::988A:BDFF:FEB6:417
Interface : HGE1/0/2
Mirror FRR:
Interface : HGE1/0/3
BkNextHop : FE80::988A:C6FF:FE0D:517
LsIndex : 0x80000001
Backup label stack(top->bottom): {9:7::1:1}
Nib ID : 0x24000006
Flags: D-Direct, R-Added to Rib, L-Advertised in LSPs, U-Up/Down Bit Set
# Display SRv6 TE policy information on PE 1. The output shows that the SRv6 TE policy is still up.
[PE1] display segment-routing ipv6 te policy
Name/ID: p1/0
Color: 10
End-point: 3::3
Name from BGP:
BSID:
Mode: Explicit Type: Type_2 Request state: Succeeded
Current BSID: 1:2::1:2 Explicit BSID: 1:2::1:2 Dynamic BSID: -
Reference counts: 4
Flags: A/BS/NC
Status: Up
AdminStatus: Up
Up time: 2020-10-28 09:10:33
Down time: 2020-10-28 09:09:32
Hot backup: Disabled
Statistics: Disabled
Statistics by service class: Disabled
Path verification: Disabled
Forwarding ignore last SID: Disabled
Drop-upon-invalid: Disabled
BFD trigger path-down: Disabled
SBFD: Disabled
BFD Echo: Disabled
Forwarding index: 2150629377
Association ID: 1
Service-class: -
Rate-limit: -
PCE delegation: Disabled
PCE delegate report-only: Disabled
Encaps reduced: Disabled
Encaps include local End.X: Disabled
Candidate paths state: Configured
Candidate paths statistics:
CLI paths: 1 BGP paths: 0 PCEP paths: 0 ODN paths: 0
Candidate paths:
Preference : 10
CPathName:
ProtoOrigin: CLI Discriminator: 30
Instance ID: 0 Node address: 0.0.0.0
Originator: 0, ::
Optimal: Y Flags: V/A
Dynamic: Not configured
PCEP: Not configured
Explicit SID list:
ID: 1 Name: s1
Weight: 1 Forwarding index: 2149580801
State: Up State(-): -
Verification State: -
Active path MTU: 1280 bytes
