Showing posts with label filtering. Show all posts
Showing posts with label filtering. Show all posts

Thursday, February 6, 2014

NTS: Advanced Multicast

Advanced Multicast



RPF (Reverse Path Forwarding)

In an RPF check, the router looks in a routing table to determine its RPF interface, which is the interface closest to the root (the source or the RP). The RPF interface is also the incoming interface for the multicast data. RPF checks happen in the control-plane (PIM, MSDP) and in the data-plane (multicast data).

The routing table used for RPF checks can be the global unicast routing table or a separate multicast routing table. In any case, the RPF table contains only unicast routes (the multicast source or the RP).

MP-BGP and M-ISIS can be used to create separate unicast and multicast routing tables.

MP-BGP updates can include IPv4 multicast RPF routes along with IPv4 unicast routes, totally separated (different path attributes) from each other.

You can use "sh ip mroute count" to check for increasing RPF counts.


Fixing RPF issues

If you have IP connectivity over a TE tunnel and require PIM connectivity too, then extra care must be taked. Since you cannot activate PIM on a TE tunnel, you must somehow fix the possible RPF issue on the head-end. The same must be done in every other case where unicast and multicast forwarding do not agree.

Solutions
  • static mroute
  • multicast BGP
  • multicast topology in IS-IS
  • mpls traffic-eng multicast-intact (for IGP routes)

You can use the command "sh ip rpf" in order to verify RPF issues.

Before

IOS
R2#sh ip rpf 19.19.19.19
 failed, no route exists


IOS-XR
GSR#sh pim rpf 2.2.2.2
Table: IPv4-Unicast-default
* 2.2.2.2/32 [115/30]
    via Null with rpf neighbor 0.0.0.0


In IOS-XR, the command "sh pim rpf" provides an output only if the address provided is already used as a multicast source. Use "sh pim rpf hash" to check in advance.

After fixing the RPF issue:

IOS
R2#sh ip rpf 19.19.19.19
RPF information for ? (19.19.19.19)
  RPF interface: FastEthernet1/0.24
  RPF neighbor: ? (26.2.4.4)
  RPF route/mask: 19.19.19.19/32
  RPF type: unicast (isis)
  Doing distance-preferred lookups across tables
  RPF topology: ipv4 multicast base, originated from ipv4 unicast base

IOS-XR
GSR#sh pim rpf 2.2.2.2
Table: IPv4-Multicast-default
* 2.2.2.2/32 [115/30]
    via GigabitEthernet0/1/0/1 with rpf neighbor 26.3.19.3


static mroute

IOS
ip mroute 2.2.2.2 255.255.255.255 Tunnel0

IOS-XR
multicast-routing
 address-family ipv4
  static-rpf 2.2.2.2 32 tunnel-te0 3.3.3.3


multicast-intact

When enabled on an IGP, the IGP automatically publishes to the RIB a parallel (or alternate) set of equal-cost next-hops for all IPv4 destinations learned through LS advertisements, for use solely by PIM. These next-hops are called mcast-intact next-hops. The mcast-intact next-hops have the following characteristics:

  • They are guaranteed not to contain any IGP shortcuts (like TE tunnels).
  • They are not used for unicast routing, but are used only by PIM to look up an IPv4 next-hop to a PIM source.
  • They are not published to the FIB.
  • When multicast-intact is enabled on an IGP, all IPv4 destinations that were learned through link-state advertisements are published with a set of equal-cost mcast-intact next-hops to the RIB. This attribute applies even when the native next-hops have no IGP shortcuts.

IOS
router ospf 1
 mpls traffic-eng multicast-intact
router isis 1
 mpls traffic-eng multicast-intact

IOS-XR
router ospf 1
 mpls traffic-eng multicast-intact
!
router isis 1
 address-family ipv4 unicast
  mpls traffic-eng multicast-intact


Multicast-intact doesn't work with TE forwarding-adjacency, use multicast BGP or static mroute.

multicast-intact vs static mroute in TE tunnels
  • use multicast-intact to accept multicast traffic coming from outside a TE tunnel, when the unicast route is pointing inside the TE tunnel
  • use static mroute to accept multicast traffic coming from inside a TE tunnel, when the unicast route is pointing outside the TE tunnel

IS-IS Multicast Topology

Multicast topology for ISIS allows the configuration of a separate IS-IS multicast topology for IPv4 or IPv6 routing, which runs a separate SPF.

IS-IS multicast inserts routes from the IS-IS multicast topology into the multicast-unicast table in the RIB for the corresponding address family. Since PIM uses this table, PIM uses routes from the multicast topology instead of routes from the unicast topology.


Multicast BGP

The multicast BGP database can be used by a a multicast routing protocol (i.e. PIM) to perform RPF lookups for multicast-capable sources. Thus, packets can be sent and accepted based on the multicast topology and not on the unicast topology.

This is an easy way to change the multicast routing without affecting unicast too. Static mroutes can also be used.

IOS
router bgp 65000
 no bgp default ipv4-unicast
 neighbor 7.7.7.7 remote-as 65000
 !
 address-family ipv4 multicast
  neighbor 7.7.7.7 activate
  network 192.168.7.0
 exit-address-family

IOS-XR
router bgp 65000
 address-family ipv4 multicast
  network 192.168.7.0/24
 !
 neighbor 7.7.7.7
  address-family ipv4 multicast


IOS
R8#sh ip rpf 192.168.7.0
RPF information for ? (192.168.7.0)
  RPF interface: FastEthernet0/0
  RPF neighbor: ? (192.168.78.7)
  RPF route/mask: 192.168.7.0/24
  RPF type: mbgp
  RPF recursion count: 0
  Doing distance-preferred lookups across tables


Changing of BGP distance might be needed on the remote peer, if an IGP already provides a better route.

When you enable the multicast address-family under BGP, then these prefixes take precedence over the prefixes learned in the BGP unicast address-family; only the BGP prefixes learned in the multicast address-family are used for any multicast routing. Use "show route ipv4 multicast" in IOS-XR to display the ipv4 multicast routes.

You might need to also advertise a specific next-hop for the RPF route, if the default next-hop doesn't satisfy the RPF needs (recursive lookup might not be supported).


MSDP & Anycast RP

MSDP provides a way to connect multiple PIM-SM domains, so that RPs can exchange information about active multicast sources. It uses

MSDP sessions are formed between the RPs of various PIM domains, which are called MSDP peers.

MSDP is also used between Anycast RPs within a single PIM domain to synchronize information about the active sources being served by each Anycast-RP peer. Anycast RPs will each have the same IP address configured on a Loopback interface (making this the Anycast address) and will MSDP peer with each other using a separate loopback interface.

With Anycast RP, RP failover depends only on IGP convergence

MSDP RPs send SA (Source-Active) messages in order to notify each other of active multicast sources.

An MSDP RP sends an SA message to its peers each time it receives a PIM Register or Null-Register message from a Source DR about a new/active source. MSDP SA messages include the same multicast data that is also encapsulated in PIM Register or Null-Register messages.


IOS
interface Loopback99
 ip address 99.99.99.99 255.255.255.255
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
ip msdp peer 1.1.1.1 connect-source Loopback0
ip msdp originator-id Loopback0
!
ip pim rp-address 99.99.99.99


IOS-XR
interface Loopback99
  ipv4 address 99.99.99.99 255.255.255.255
!
interface Loopback0
  ipv4 address 1.1.1.1 255.255.255.255
!
router msdp
 originator-id Loopback0
 peer 2.2.2.2
  connect-source Loopback0
!
router pim
 address-family ipv4
  rp-address 99.99.99.99


The address on the interface used as anycast RP must be advertised into an IGP (preferably as external route to be able to play easily with the metric).

When using anycast IPv4 addresses in Loopbacks, it's good practice to hardcode all the protocol router-ids manually in order to avoid using the anycast address as router-id for a protocol.

In some software releases originator-id might not be required, but it's always good practice to configure it (especially in anycast topologies).

In current releases, when running Inter-AS MSDP, the peer/source IPs must agree with the BGP update source on each neighbor. If you also have a BGP peering session with an MSDP peer, you should use the same IP address for MSDP (peer/connect-source) as you do for BGP (update-source). If MDT is using a non-loopback interface due to eBGP with directly connected neighbor, you might get the message "%MDT-4-LBSRC: VRF ABC: MDT X uses source address x.x.x.x from a non-loopback interface". Besides changing the update-source of the eBGP peering, you can also use the "bgp next-hop loopback X" command under the appropriate vrf.

Use "default-peer" in IOS-XR when the peer address isn't in BGP.

If there is a single MSDP peer, then no RPF check takes place about the originator-id. If there are multiple MSDP peers, then you can put them under a mesh-group in order to disable the RPF check on them.


Links



Multicast Filtering

Setting an interface to PIM v1 at the border of a PIM domain prevents v2 Bootstrap messages from leaking to the neighboring PIM domain.

Use "ip pim passive" under an interface if you want to block the forwarding of PIM control plane traffic; only IGMP traffic will pass.

BSR filtering

IOS
interface X
 ip pim bsr-border


IOS-XR
router pim
 address-family ipv4
  interface X
   bsr-border



Auto-RP filtering

IOS-XR
multicast-routing
 address-family ipv4
  interface TenGigE0/2/0/0
   boundary MCAST-ACL
!
ipv4 access-list MCAST-ACL
 deny host 224.0.1.39
 deny host 224.0.1.40
 permit any


IGMP filtering

IOS
interface X
 ip igmp access-group IGMP-ACL

! match (*,G)
ip access-list extended IGMP-ACL
 permit ip host 0.0.0.0 host GROUP

! match (S,G) and (*,G)
ip access-list extended IGMP-ACL
 permit ip any host GROUP



Multicast Admission Control


  • Global or per VRF
    • limit the number of mroutes that can be added to the global table
      • ip multicast route-limit MAX-MROUTES THRESHOLD
    •  limit the number of mroutes that can be added to a particular MVRF table
      • ip multicast vrf MVRF route-limit MAX-MROUTES THRESHOLD
    • limit the number of mroute states created from IGMP membership reports
      • ip igmp limit MAX-IGMPS
  • Per interface
    • limit the number of mroute states
      • ip multicast limit MCAST-ACL MAX-MROUTES
    • limit the number of mroutes states created from  IGMP membership reports
      • ip igmp limit MAX-IGMPS
  • Per neighbor
    • Limits the number of SA messages allowed in the SA cache from an MSDP peer
      • ip msdp sa-limit MSDP-PEER MAX-SA-MESSAGES
         
Check "Multicast Filtering" above for the format of MCAST-ACL.


Rate-limit

The "ip multicast rate-limit" interface command is not supported any more.

You need to use the the MQC syntax to define multicast traffic and then police it accordingly.



Multicast Fast Convergence

  • tune PIM hellos (queries)
  • tune RPF check interval/backoff
  • MoFRR


Multicast-only FRR

The basic idea of MoFRR is to send a secondary PIM join from the receiver toward the source on a backup path to a different upstream interface. The network then receives two copies of the multicast stream over two separate and redundant paths through the network, but the redundant packets are discarded at topology merge points due to RPF checks. When the primary path fails, it can switch over to the backup path instantly without issuing a new PIM join. 

Actually MoFRR is pre-building an alternate multicast tree in order to achieve faster convergence.

  • RIB-based MoFRR
    • Supported on CRS and XR12000 series routers
    • Based on routing convergence
  • Flow-based MoFRR
    • Supported ASR9k
    • Based on packet count per 30ms


IOS (15.2)

ip multicast rpf mofrr MOFRR-SG-ACL
!
ip access-list standard MOFRR-SG-ACL
 permit 10.10.10.0 0.0.0.255

IOS > 15.2 is required for MoFRR.


IOS-XR
router pim
 address-family ipv4
  mofrr rib MOFRR-SG-ACL
!
ipv4 access-list MOFRR-SG-ACL
 10 permit ipv4 host 1.1.1.1 host 239.3.3.3


Links


Troubleshooting

Enable "debug ip mfib fs" and "debug ip mfib ps" on the receiver, and then send some pings from a source to an igmp join group on the receiver to check the results.


IPv6 Multicast


IOS
ipv6 multicast-routing

IOS-XR
multicast-routing
 address-family ipv6
  interface all enable


In IOS, all IPv6 interfaces are PIM enabled by default after enabling ipv6 multicast-routing.


IPv6 RP definition

IOS

ipv6 pim bsr candidate bsr 2002:2:2::2
ipv6 pim bsr candidate rp 2002:2:2::2
!
ipv6 pim rp-address 2002:2:2::2

IOS-XR
router pim
 address-family ipv6
  rp-address 2002:2:2::2
  bsr candidate-rp 2002:2:2::2 
  bsr candidate-bsr 2002:2:2::2


MLD

IOS
ipv6 multicast-routing
!interface Loopback0
 ipv6 mld join-group FF99::99

IOS-XR
multicast-routing
 address-family ipv6
  interface all enable
!
router mld
 interface Loopback0
  join-group ff99::99

MLDv2 is used by default.


Verification

R2#sh ipv6 mroute
Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,
       C - Connected, L - Local, I - Received Source Specific Host Report,
       P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,
       J - Join SPT
Timers: Uptime/Expires
Interface state: Interface, State

(*, FF99::99), 00:00:08/00:03:21, RP 2002:2:2::2, flags: S
  Incoming interface: Tunnel4
  RPF nbr: 2002:2:2::2
  Immediate Outgoing interface list:
    Ethernet0/2, Forward, 00:00:08/00:03:21

 R2#ping FF99::99
Output Interface: Ethernet0/2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FF99::99, timeout is 2 seconds:
Packet sent with a source address of 2002:2:2:27::2

Reply to request 0 received from 2002:2:2::7, 60 ms
Reply to request 1 received from 2002:2:2::7, 0 ms
Reply to request 2 received from 2002:2:2::7, 4 ms
Reply to request 3 received from 2002:2:2::7, 4 ms
Reply to request 4 received from 2002:2:2::7, 0 ms
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/13/60 ms
5 multicast replies and 0 errors.


Almost everything cli-wise is similar to IPv4.


Static mroutes

IOS
ipv6 route 2002:2:2::2/128 Tunnel0 multicast

IOS-XR
multicast-routing
 address-family ipv6
  static-rpf 2002:2:2::2 128 tunnel-te0 2002:3::1





NSF

IOS-XR
router pim
 nsf lifetime 30
!
router igmp
 nsf lifetime 30
!
router mld
 nsf lifetime 30


Generally, configure the IGMP NSF and PIM NSF lifetime values to be equal or larger than the query or join query interval, but less than the holdtime



Multipath

By default, if ECMP paths are available, the RPF for multicast traffic will be based on the highest IP address (aka highest PIM neighbor).

When the 'ip multicast multipath' command is configured, the multicast load splitting will be based on the source address of the stream. PIM Joins will be distributed over the different ECMP links based on a hash of the source address.

Multicast multipath must be enabled on the receiver side of the ECMP path.

IOS
ip multicast multipath

IOS
R2#sh ip rpf 19.19.19.19
RPF information for ? (19.19.19.19)
  RPF interface: FastEthernet0/0.24
  RPF neighbor: ? (20.2.4.4)
  RPF route/mask: 19.19.19.19/32
  RPF type: unicast (ospf 1)
  Doing distance-preferred lookups across tables
  Multicast Multipath enabled.
  RPF topology: ipv4 multicast base, originated from ipv4 unicast base

By default only the source address is used in the calculation. Better load-splitting can be achieved by using the "s-g-hash next-hop-based" options.

When the ip multicast multipath command is enabled, the presence of PIM hello message from neighbors is not considered; that is, the chosen RPF neighbor does not depend on whether or not PIM hello messages are received from that neighbor; it only depends on the presence or absence of an equal-cost route entry.

If using BGP and multicast, then you must also enable multipath on BGP.

If using static mroutes, then you need to somehow create two (or more) different static mroutes because only one is accepted. You can use a dummy ip address and two (or more) static ip routes in order to achieve this.


IOS
ip route 192.168.1.1 255.255.255.255 20.2.3.3
ip route 192.168.1.1 255.255.255.255 20.2.4.4
!
ip mroute 19.19.19.19 255.255.255.255 192.168.1.1

In the above example, multicast load-balancing occurs between 20.2.3.3 and 20.2.4.4 for source 19.19.19.19 (192.168.1.1 is the dummy address used).

Use "sh ip multicast rpf tracked" to verify the multiple rpf paths.


Posted by at 1 comment:
Labels: , , , , , , , , , , , ,

NTS: MPLS/LDP

MPLS/LDP



LDP (Label Distribution Protocol) is defined in RFC 5036.
MPLS (Multi-Protocol Label Switching) architecture is defined in RFC 3031.
MPLS Label Stack Encoding is defined in RFC 3032.


LDP messages
  • LDP Discovery (to directly connected neighbors)
    • Multicast UDP to 244.0.0.2:646
  • targeted LDP Discovery (to non-directly connected neighbors)
    • Unicast UDP to x.x.x.x:646
  • LDP Session/Advertisement/Notification (to all)
    • Unicast TCP to x.x.x.x:646
A working IGP between neighbors is a requirement for all the above, besides LDP Discovery.

Label retention/distribution
  • Label retention
    • liberal
    • conservative
  • Label distribution
    • downstream
      • unsolicited
      • on-demand

Liberal, downstream, unsolicited is the most common case.


General

Although in latest software releases LDP is the default label protocol, it's a good practice to always enable it with "mpls label protocol ldp". The same applies with the "mpls ldp router-id", which should in most cases be loopback0.

Use "sh mpls ldp bindings" to check the LIB (labels for all IGP database prefixes)
Use "sh mpls forwarding" to check the LFIB (labels for RIB installed prefixes)

Outgoing Label under "show mpls forwarding-table":
  • X Label 
    • Local device is an LSR
  • Pop Label
    • Local device is an LSR and also the PHP
  • No Label
    • Local device is a LER

You need to configure "mpls ldp explicit-null" if you want to keep the EXP QoS till the end PE. Default is implicit-null due to PHP.

"debug mpls packet" includes the label stack {Label EXP TTL} information

Fa0/0.1: rx: Len 122 Stack {29 0 253} - ipv4 data
Fa0/0.2: tx: Len 122 Stack {30 0 252} - ipv4 data


Debugging should be the last thing you should do in case of a problem in production networks. So learn not to depend on it.


Label Allocation Methods

  • an IGP/Transport Label is allocated through
    • LDP (+IGP)
    • RSVP (MPLS TE)
    • Labeled BGP
  • a VPN Label (L3VPN) is allocated through
    • MP-BGP (VPNv4/v6)
  • a PW Label (L2VPN) is allocated through
    • Targeted LDP 
  • an IPv6 Label (6PE) is allocated through
    • Labeled BGP


Targeted LDP Sessions

You can create targeted LDP sessions (assuming ip connectivity exists) using the following methods:

IOS

Static LDP neighbors on both routers

R1
mpls ldp neighbor R2 targeted

R2
mpls ldp neighbor R1 targeted


Static LDP neighbor on one router and accept targeted hellos on the other

R1
mpls ldp neighbor R2 targeted

R2
mpls ldp discovery targeted-hello accept


MPLS/LDP under a TE tunnel interface on one router and static LDP neighbor on the other

R1
interface Tunnel0
 tunnel destination R2
 mpls ip

R2
mpls ldp neighbor R1 targeted


MPLS/LDP under a TE tunnel interface on one router and accept targeted hellos on the other

R1
interface Tunnel0
 tunnel destination R2
 mpls ip

R2
mpls ldp discovery targeted-hello accept


Something similar applies to IOS-XR too.

IOS-XR

R1
mpls ldp
 neighbor R2 targeted

R2
mpls ldp
 discovery targeted-hello accept


In case of RSVP in the core and LDP in the access, you can have tLDP sessions over RSVP, where end-to-end LSPs will have 1 label (LDP) in the access and 2 labels (RSVP/LDP) in the core.

You can also use RSVP solely for (one-hop) link protection, having tLDP on top of it.


Simple VPN with iBGP & LDP

The rule for LSP usage in BGP is that when an LSP is available for the BGP next-hop of a route, that LSP can be used to forward traffic to that route destination.

Assuming a network of R1-R2-R3-R4-R5-R6, where R2,R3,R4,R5 run LDP+IGP in the core and R2,R5 run iBGP between them, then R1 and R6 can communicate between each other as long as their networks as advertised to R2,R5 (i.e with eBGP) and R2,R5 are using their loopbacks as next-hops in their iBGP. The intermediate routers R3,R4 just do mpls switching based on the R2,R5 loopback labels.

R2,R5 have BGP-generated labels for the R1,R6 prefixes which according to BGP have R2,R5 as next-hops.
These labels (which are the same as the ones used for the BGP next-hop) are shown only if you exclusively define the network in "sh mpls forwarding-table" or use "sh ip cef".

IOS
R2#sh mpls forwarding-table | i 6.6.6.6
R2# -no entry shown-

R2#sh mpls forwarding-table 6.6.6.6
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
None       22         6.6.6.6/32       0             Fa0/0.23   20.2.3.3

R2#sh mpls forwarding-table | i 5.5.5.5
21         22         5.5.5.5/32       0             Fa0/0.23   20.2.3.3

R2#sh ip route 6.6.6.6
Routing entry for 6.6.6.6/32
  Known via "bgp 100", distance 200, metric 0
  Tag 20, type internal
  Last update from 5.5.5.5 00:35:32 ago
  Routing Descriptor Blocks:
  * 5.5.5.5, from 5.5.5.5, 00:35:32 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 20
      MPLS label: none

R2#sh ip cef 6.6.6.6 det
6.6.6.6/32, epoch 0, flags rib only nolabel, rib defined all labels
  recursive via 5.5.5.5
    nexthop 20.2.3.3 FastEthernet0/0.23 label 22


R3,R4 have LDP-generated labels for the R2,R5 next-hops



Static Labels

After you configure the label range, you need to remove the mpls ldp config from the IGP process or from the interfaces in order to use the label range. If you just clear the LDP neighbors, then the old labels remain.

Check "Inter-AS MPLS L3VPN" for more examples.


LDP Auto-configuration
  • Supported in OSPF and IS-IS
  • Not supported on MPLS-TE Tunnels

IOS
router ospf/isis X
 mpls ldp autoconfig
!
interface X
  no mpls ldp igp autoconfig


IOS-XR
mpls ldp
!
router ospf/isis X
 mpls ldp auto-config
 !
 interface X
   igp auto-config disable


Use "sh mpls interfaces detail" or "sh mpls ldp discovery detail" to find out how LDP was activated on an interface.

IOS-XR requires the explicit activation of MPLS LDP prior to LDP autoconfiguration.


LDP Authentication

Authentication is applicable only to the LDP TCP session.

After setting the LDP password, the LDP session might need to be cleared manually to have the password enabled.

When setting "mpls ldp password required", all LDP sessions are cleared automatically.

Password can be configured:
  • per neighbor
    • "mpls ldp neighbor x.x.x.x password" (IOS, IOS-XR)
  • per group of neighbors
    • "mpls ldp password option X for Y-ACL" (IOS)
  • as a default password for all neighbors
    • "mpls ldp password fallback" (IOS)
    • "mpls ldp neighbor password" (IOS-XR)


Label Filtering

The LDP default behavior is to allocate local labels for all non-BGP prefixes, which includes IGP learned prefixes and connected interfaces with LDP on.
  • Local Label Allocation Filtering
    • controls the allocation of local labels
    • uses prefix-lists for filtering
    • use "allocate global prefix-list" under "mpls ldp label" config (IOS)
    • use "mpls ldp label allocate" under global config (IOS-XR)
    • use "sh mpls ldp bindings local" to verify
  • Inbound Label Binding Filtering
    • controls label bindings that a router accepts from a specific neighbor
    • uses access-lists for filtering
    • use "mpls ldp neighbor x.x.x.x labels accept" under global config (IOS)
    • use "mpls ldp label accept" under global config (IOS-XR)
    • use "sh mpls ldp bindings neighbor" to verify
  • Outbound Label Binding Filtering
    • controls label bindings that a router sends to a specific neighbor
    • uses access-lists for filtering
    • use "mpls ldp advertise-labels" under global config (IOS) - "no mpls advertise" is needed first
    • use "mpls ldp label advertise" under global config (IOS-XR)
    • use "sh mpls ldp bindings neighbor" to verify

LDP does not apply the configured local label filter to redistributed BGP routes in the global table for which BGP allocates the local label, but LDP does the advertisements (i.e. Inter-AS Option C). LDP neither forwards these entries, nor releases the local labels allocated by BGP.

Common use of label filtering is to allocate labels only for PE loopback addresses.


LDP Session Protection

When enabled, a new targeted LDP session is created between the neighbors, in order to keep their LDP session active over any backup path, after the direct/primary link fails. When the primary/direct link is restored, label bindings do not need to be re-exchanged.

2 implementation choices:
  • both neighbors must be configured for session protection
  • one router must be configured for session protection and the other router must simply respond to targeted hellos

IOS
mpls ldp session protection
mpls ldp session protection for LDP-NEI-ACL duration X

IOS-XR
mpls ldp
 session protection
 session protection for LDP-NEI-ACL duration X


You can enable it for all LDP neighbors or for specific ones using an ACL.

IOS
R2#sh mpls ldp neighbor detail | i Protection|duration
        LDP Session Protection enabled, state: Ready
            duration: 86400 seconds
        LDP Session Protection enabled, state: Incomplete
            duration: 86400 seconds
        LDP Session Protection enabled, state: Protecting
            duration: 86400 seconds

R2#sh mpls ldp neighbor 3.3.3.3 detail
...
        LDP discovery sources:
          FastEthernet0/0.23; Src IP addr: 20.2.3.3
            holdtime: 15000 ms, hello interval: 5000 ms
          Targeted Hello 2.2.2.2 -> 3.3.3.3, active, passive;
            holdtime: infinite, hello interval: 10000 ms

Successful recovery

%LDP-5-SP: 3.3.3.3:0: session hold up initiated
%LDP-5-SP: 3.3.3.3:0: session recovery succeeded

Failed recovery

%LDP-5-SP: 4.4.4.4:0: session hold up initiated
%LDP-5-SP: 4.4.4.4:0: session recovery failed
%LDP-5-NBRCHG: LDP Neighbor 4.4.4.4:0 (1) is DOWN (Session Protection disabled targeted session)


LDP IGP Synchronization

When enabled, links where LDP adjacencies are not established, will have their IGP metric increased to the max by the local IGP process.

Generally when an IGP adjacency is established on a link with LDP-IGP Sync on, but LDP-IGP Sync is not yet achieved (or is lost), the IGP advertises the max-metric on that link. That way the link won't be preferred for passing traffic and black-holing will be prevented.

IOS
router ospf/isis X
 mpls ldp sync
!
mpls ldp igp sync holddown x
!
interface X
 no mpls ldp igp sync
 mpls ldp igp sync delay x


IOS-XR
router ospf/isis X
 mpls ldp sync
!
mpls ldp
 igp sync delay x
 interface X
  igp sync delay x


IOS
R2#sh mpls ldp igp sync
    FastEthernet0/0.23:
        LDP configured; LDP-IGP Synchronization enabled.
        Sync status: sync achieved; peer reachable.
        Sync delay time: 0 seconds (0 seconds left)
        IGP holddown time: infinite.
        Peer LDP Ident: 3.3.3.3:0
        IGP enabled: OSPF 1

R2#sh mpls ldp igp sync
    FastEthernet0/0.23:
        LDP configured; LDP-IGP Synchronization enabled.
        Sync status: sync not achieved; peer reachable.
        Sync delay time: 0 seconds (0 seconds left)
        IGP holddown time: infinite.
        Peer LDP Ident: 3.3.3.3:0
        IGP enabled: OSPF 1


IOS-XR
GSR#sh mpls ldp igp sync

GigabitEthernet0/1/0/1.619:
  Sync status: Ready
  Peers:
    6.6.6.6:0


Targeted LDP sessions (i.e. AToM) are not supported, which is expected because these are already tLDP sessions that can use IGP for rerouting.

In IS-IS the maximum wide metric -1 (0XFFFFFE) is used with MPLS LDP IGP synchronization.


Links


TTL Propagation

Default behavior is to copy the TTL from the IP header to the MPLS header (topmost label).

2 extra options are available:
  • do not copy the TTL for forwarded packets
    • "no mpls ip propagate-ttl forwarded" (IOS)
    • "mpls ip-ttl-propagate disable forwarded" (IOS-XR)
  • do not copy the TTL for locally generated packets
    • "no mpls ip propagate-ttl local" (IOS)
    • "mpls ip-ttl-propagate disable local" (IOS-XR)
If the TTL is not copied for forwarded packets, then a traceroute from a local CE to a remote CE, will include the local PE, the remote PE and the remote CE (all the intermediate P routers won't be shown). You can use this in order to hide the MPLS hops from the customer.

You only need to disable the TTL propagation on the PEs, since the P (LSR) routers do not see the original IP packet, so no TTL propagation takes place there.

Traceroute in MPLS L3VPNs works a little bit differently than in normal IP networks, because when the traceroute packet reaches the MPLS core (P routers), the local generated ttl-exceeded response packet must first reach the PE at the other side of the VPN before it's returned back to the traceroute source.

i.e. in a traceroute from CE1 to CE2 (CE1-PE1-P-PE2-CE2), the following happens

  • CE1 sends a ICMP packet with TTL=1
    • Source=CE1
    • Destination=CE2
    • TTL=1
  • PE1 receives the ICMP packet
  • PE1 sends an ICMP ttl-exceeded response back to CE1
    • Source=PE1
    • Destination=CE1
  • CE1 receives the ICMP response
  • CE2 sends an ICMP packet with TTL=2
    • Source = CE1
    • Destination=CE2
    • TTL=2
  • PE1 receives the ICMP packet
  • PE1 forwards the ICMP packet to the next P
    • Source=CE1
    • Destination=CE2
    • TTL=1
  • P receives the ICMP packet
  • P creates an ICMP ttl-exceeded response and sends it to PE2 using the original label stack
    • Source=P
    • Destination=CE1
    • TTL=default
  • PE2 receives the ICMP response and forwards it to CE1 which is the actual destination
    • Source=P
    • Destination=CE1
  • CE1 receives the ICMP response
  • CE1 sends a ICMP packet with TTL=3
    • and so on...


MPLS MTU

Every label adds 4 bytes to the frame size.

Common label stacks
  • L3VPN
    • LDP label + VC label
  • L2VPN/VPLS
    • LDP label + VC label
  • MPLS-TE
    • TE label + VC label
    • TE label + LDP label + VC label
  • MPLS-TE/FRR
    • FRR label + TE label + VC label
    • FRR label + TE label + LDP label + VC label
  • AToM & TE/FRR & CsC
    • FRR label + TE label + LDP label + VPN label + VC label

Common transport header sizes (in bytes):
  • Ethernet port:14
  • Ethernet VLAN: 14 + 4 per vlan tag
  • Frame-Relay DLCI: 2 (Cisco), 8 (IETF)
  • HDLC/PPP: 4
  • AToM Control Word: 4

All L3 protocols (i.e. IPv4, IPv6, MPLS, CLNS) inherit their MTU settings from L2 MTU.

The default MPLS MTU value of a link equals the interface MTU value. You need to first change the interface MTU in order to be able to increase the MPLS MTU too.

IOS
R4#sh mpls int detail
Interface FastEthernet0/0:
        IP labeling not enabled
        LSP Tunnel labeling enabled
        BGP labeling not enabled
        MPLS operational
        MTU = 1500

IOS
interface FastEthernet0/0
 mtu 1530

R4#sh mpls int detail
Interface FastEthernet0/0:
        IP labeling not enabled
        LSP Tunnel labeling enabled
        BGP labeling not enabled
        MPLS operational
        MTU = 1530

IOS
interface FastEthernet0/0
 mtu 1530
 mpls mtu 1508

R4#sh mpls int detail
Interface FastEthernet0/0:
        IP labeling not enabled
        LSP Tunnel labeling not enabled
        BGP labeling not enabled
        MPLS operational
        MTU = 1508


In IOS-XR, interface MTU includes the L2 header (i.e. +14 bytes in case of untagged ethernet).

IOS-XR
interface TenGigE0/0/0/6
 mtu 9214

IOS-XR
ASR9k#sh imds int Te0/0/0/6

View: OWN - Owner, L3P - Local 3rd Party, G3P - Global 3rd Party,
      LDP - Local Data Plane, GDP - Global Data Plane, RED - Redundancy

Node 0/RSP0/CPU0 (0x41)

Interface TenGigE0/0/0/6, ifh 0x000002c0 (up, 9214)
  Interface flags:          0x000000000010059f (IFCONNECTOR|IFINDEX
                            |SUP_NAMED_SUB|BROADCAST|CONFIG|HW|VIS|DATA
                            |CONTROL)
  Encapsulation:            ether
  Interface type:           IFT_TENGETHERNET
  Control parent:           None
  Data parent:              None
  Views:                    GDP|G3P

  Protocol        Caps (state, mtu)
  --------        -----------------
  None            spio (up, 9214)
  None            ether (up, 9214)
  arp             arp (up, 9200)
  ipv4            ipv4 (up, 9200)
  mpls            mpls (up, 9200)
  ether_sock      ether_sock (up, 9200)
  ether_link_oam  ether_link_oam (up, 9200)

The "sh imds" command is hidden in most IOS-XR releases.

IOS-XR
ASR9k#sh ip int Te0/0/0/6
TenGigE0/0/0/6 is Up, ipv4 protocol is Up
  Vrf is default (vrfid 0x60000000)
  Internet address is 10.201.10.221/30
  MTU is 9214 (9200 is available to IP)


In IOS-XR, if you change the interface MTU, then you need to take into account the L2 header. If you change the L3 protocol MTU, then it's the same as in IOS.


Fragmentation

If a labeled packet is received and the LSR notices that the outgoing MTU is not big enough for this packet, the LSR strips off the label stack, fragments the IP packet, puts the label stack (after the pop, swap, or push operation) onto all fragments, and forwards the fragments.

If the IP header has the DF bit set, the LSR doesn't fragment the IP packet, but it drops the packet and returns an ICMP error message "Fragmentation needed and do not fragment bit set" to the originator of the IP packet (following the same procedure as with traceroute).

Fragmentation should be avoided if possible.

IOS uses MRU in order to "inform" the LSR how big a received labeled packet of a certain FEC can be in order for that to be forwarded out of this LSR without fragmenting it.

IOS
R6#sh mpls forwarding-table 19.19.19.19 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
None       No Label   19.19.19.19/32   0             Fa0/0.619  20.6.19.19
        MAC/Encaps=18/18, MRU=1504, Label Stack{}
        CA020BB00008CA01063000008100026B0800
        No output feature configured




Posted by at 2 comments:
Labels: , , , , , , , , , , , , , , , , , , ,
Subscribe to: Posts (Atom)