2 IP Router Configuration: 2.1 in This Chapter
2 IP Router Configuration: 2.1 in This Chapter
RELEASE 15.0.R1
2 IP Router Configuration
A special type of IP interface is the system interface. A system interface must have
an IP address with a 32-bit subnet mask. The system interface is used as the router
identifier by higher-level protocols such as OSPF and BGP, unless overwritten by an
explicit router ID.
• Interfaces
• Creating an IP Address Range
• Autonomous Systems (AS)
• Confederations
• Proxy ARP
Refer to the Triple Play Guide for information about DHCP and support as well as
configuration examples for the 7750 SR and 7450 ESS.
2.2.1 Interfaces
Nokia routers use different types of interfaces for various functions. Interfaces must
be configured with parameters such as the interface type (network and system) and
address. A port is not associated with a system interface. An interface can be
associated with the system (loopback address).
To determine which network ports (and, therefore, which network complexes) are
eligible to transport traffic of individual SDPs, network-domain is provided. Network-
domain information is then used for the sap-ingress queue allocation algorithm
applied to VPLS SAPs. This algorithm is optimized in so that no sap-ingress queues
are allocated if the specified port does not belong to the network-domain used in the
specified VPLS. Also, sap-ingress queues will not be allocated toward network ports
(regardless of the network-domain membership) if the specified VPLS does not
contain any SDPs.
Network-domain configuration at the SDP level is ignored when the SDP is used for
Epipe, Ipipe, or Apipe bindings.
The network-domain information will only be used for ingress VPLS sap queue-
allocation. It will not be considered by routing during SDP setup. Therefore, if the
specified SDP is routed through network interfaces that are not part of the configured
network domain, the packets will be still forwarded, but their QoS and queuing
behavior will be based on default settings. Also, the packet will not appear in SAP
statistics.
There will always be one network-domain with reserved name default. The interfaces
will always belong to a default network-domain. It will be possible to assign a specific
interface to different user-defined network-domains. The loopback and system
interfaces will be also associated with the default network-domain at the creation.
However, any attempt to associate those interfaces with any explicitly defined
network-domain will be blocked at the CLI level because there is no benefit for that
association.
Any SDP can be assigned only to one network domain. If none is specified, the
system will assign the default network-domain. This means that all SAPs in VPLS will
have queue reaching all fwd-complexes serving interfaces that belong to the same
network-domains as the SDPs.
The system interface is associated with a network entity (such as a specific router or
switch), not a specific interface. The system interface is also referred to as the
loopback address. The system interface is associated during the configuration of the
following entities:
uRPF helps to mitigate problems that are caused by the introduction of malformed or
forged (spoofed) IP source addresses into a network by discarding IP packets that
lack a verifiable IP source address. For example, a number of common types of
denial-of-service (DoS) attacks, including smurf and tribe flood network (TFN), can
take advantage of forged or rapidly changing source addresses to allow attackers to
thwart efforts to locate or filter the attacks. For Internet service providers (ISPs) that
provide public access, uRPF deflects such attacks by forwarding only packets with
source addresses that are valid and consistent with the IP routing table. This action
protects the network of the ISP, its customer, and the rest of the Internet.
uRPF is supported for both IPv4 and IPv6 on network and access. It is supported on
any IP interface, including base router, IES, VPRN, and subscriber group interfaces.
In strict mode, uRPF checks whether the incoming packet has a source address that
matches a prefix in the routing table, and whether the interface expects to receive a
packet with this source address prefix.
In loose mode, uRPF checks whether the incoming packet has a source address that
matches a prefix in the routing table; loose mode does not check whether the
interface expects to receive a packet with a specific source address prefix.
Loose mode uRPF check is supported for ECMP, IGP shortcuts, and VPRN MP-BGP
routes. Packets coming from a source that matches any ECMP, IGP shortcut, or
VPRN MP-BGP route will pass the uRPF check even when uRPF is set to strict mode
on the incoming interface.
An IP address range can be reserved for exclusive use for services by defining the
config>router>service-prefix command. When the service is configured, the IP
address must be in the range specified by a service prefix. If no service prefix is
configured, no limitation exists.
Addresses in the range of a service prefix can be allocated to a network port unless
the exclusive parameter is specified. Then, the address range is exclusively reserved
for services.
When defining a range that is a superset of a previously defined service prefix, the
subset will be replaced with the superset definition. For example, if a service prefix
exists for 10.10.10.0/24, and a new service prefix is configured as 10.10.0.0/16, then
the old address (10.10.10.0/24) will be replaced with the new address (10.10.0.0/16).
When defining a range that is a subset of a previously defined service prefix, the
subset will replace the existing superset, providing that addresses used by services
are not affected. For example, if a service prefix exists for 10.10.0.0/16, and a new
service prefix is configured as 10.10.10.0/24, then the 10.10.0.0/16 address will be
removed, provided that no services are configured that use 10.10.x.x addresses
other than 10.10.10.x.
This section describes QPPB as it applies to VPRN, IES, and router interfaces. Refer
to the Internet Enhanced Service section in the Services Guide and the IP Router
Configuration section in the Router Configuration Guide.
QoS policy propagation using BGP (QPPB) is a feature that allows a route to be
installed in the routing table with a forwarding-class and priority so that packets
matching the route can receive the associated QoS. The forwarding-class and
priority associated with a BGP route are set using BGP import route policies. This
feature is called QPPB, even though the feature name refers to BGP specifically. On
SR OS, QPPB is supported for BGP (IPv4, IPv6, VPN-IPv4, VPN-IPv6), RIP, and
static routes.
SAP ingress and network QoS policies can achieve the same result as QPPB (for
example, by assigning a packet arriving on an IP interface to a specific forwarding-
class and priority/profile, based on the source address or destination address of the
packet). However, the effort involved in creating the QoS policies, keeping them up-
to-date, and applying them across many nodes is much greater than with QPPB. In
a typical application of QPPB, a BGP route is advertised with a BGP community
attribute that conveys a specific QoS. Routers that receive the advertisement accept
the route into their routing table and set the forwarding-class and priority of the route
from the community attribute.
The operator of an administrative domain “A” can use QPPB to signal to a peer
administrative domain “B” that traffic sent to certain prefixes advertised by domain A
should receive a specific QoS treatment in domain B. For example, an ASBR of
domain A can advertise a prefix to domain B and include a BGP community attribute
with the route. The community value implies a specific QoS treatment, as agreed by
the two domains (in their peering agreement or service level agreement, for
example). When the ASBR and other routers in domain B accept and install the route
for that prefix into their routing table, they apply a QoS policy on selected interfaces
that classifies traffic toward that prefix into the QoS class implied by the BGP
community value.
QPPB may also be used to request that traffic sourced from specific networks
receive appropriate QoS handling in downstream nodes that may span different
administrative domains. This can be achieved by advertising the source prefix with a
BGP community, as described. However, in this case, other approaches are equally
valid, such as marking the DSCP or other CoS fields based on the source IP address,
so that downstream domains can take action based on a common understanding of
the QoS treatment implied by different DSCP values.
Figure 1 shows an example of an ISP that has an agreement with the content
provider managing AS300 to provide traffic sourced and terminating within AS300
with differentiated service appropriate to the content being transported. In this
example, ASBR1 and ASBR2 mark the DSCP of packets terminating and sourced,
respectively, in AS300 so that other nodes within the ISP’s network do not need to
rely on QPPB to determine the correct forwarding-class to use for the traffic. The
DSCP or other COS markings could be left unchanged in the ISP’s network and
QPPB used on every node.
Peer
AS 200 ASBR 2
PE 1 ASBR 1
P
OSSG639
2.2.1.7 QPPB
• The ability to associate a forwarding-class and priority with specific routes in the
routing table.
• The ability to classify an IP packet arriving on a specific IP interface to the
forwarding-class and priority associated with the route that best matches the
packet.
This feature uses the fc command in the route-policy hierarchy to set the forwarding
class and, optionally, the priority associated with routes accepted by a route-policy
entry. The command has the following structure:
config>router>policy-options
begin
community gold members 300:100
policy-statement qppb_policy
entry 10
from
protocol bgp
community gold
exit
action accept
fc h1 priority high
exit
exit
exit
commit
The fc command is supported with all existing from and to match conditions in a route
policy entry, with any action other than reject, and with next-entry, next-policy, and
accept actions. If a next-entry or next-policy action results in multiple matching
entries, then the last entry with a QPPB action determines the forwarding class and
priority.
A route policy that includes the fc command in one or more entries can be used in
any import or export policy, but the fc command has no effect except in the following
types of policies:
As shown, QPPB route policies support routes learned from RIP and BGP neighbors
of a VPRN, as well as for routes learned from RIP and BGP neighbors of the base/
global routing instance.
QPPB is supported for BGP routes belonging to any of the following address families:
A VPN-IP route may match both a VRF import policy entry and a BGP import policy
entry (if vpn-apply-import is configured in the base router BGP instance). In this case,
the VRF import policy is applied first, then the BGP import policy, so the QPPB QoS
is based on the BGP import policy entry.
This feature also provides the ability to associate a forwarding-class and, optionally,
priority with IPv4 and IPv6 static routes. This is achieved by specifying the
forwarding-class within the static-route-entry next-hop or indirect context.
Priority is optional when specifying the forwarding class of a static route, but when
configured it can only be deleted and returned to unspecified by deleting the entire
static route.
The following commands are enhanced to show the forwarding-class and priority
associated with the displayed routes:
PE1_to_PE2 0
h1, high
-------------------------------------------------------------------------------
No. of Routes: 1
===============================================================================
A:Dut-A#
Currently, QPPB is not supported for ingress MPLS traffic on network interfaces or
on CsC PE’-CE’ interfaces (config>service>vprn>nw-if).
Note: QPPB based on a source IP address is not supported for ingress subscriber
management traffic on a group interface.
In some cases (IP VPN inter-AS model C, Carrier Supporting Carrier, indirect static
routes, and so on), an IPv4 or IPv6 packet may arrive on a QPPB-enabled interface
and match a route A1 whose next-hop N1 is resolved by a route A2 with next-hop
N2. Similarly, N2 is resolved by a route A3 with next-hop N3, and so on. In Release
9.0, the QPPB result is based only on the forwarding-class and priority of route A1.
If A1 does not have a forwarding-class and priority association, the QoS classification
is not based on QPPB, even if routes A2, A3, and so on, have forwarding-class and
priority associations.
When ECMP is enabled, some routes may have multiple equal-cost next-hops in the
forwarding table. When an IP packet matches such a route, the next-hop selection is
typically based on a hash algorithm that tries to load balance traffic across all the
next-hops while keeping all packets of a flow on the same path. The QPPB
configuration model described in Associating an FC and Priority with a Route allows
different QoS information to be associated with the different ECMP next-hops of a
route. The forwarding-class and priority of a packet matching an ECMP route is
based on the next-hop used to forward the packet.
When Edge PIC [1] is enabled, some BGP routes may have a backup next-hop in the
forwarding table, as well as the one or more primary next-hops representing the
equal-cost best paths allowed by the ECMP/multipath configuration. When an IP
packet matches such a route, a reachable primary next-hop is selected (based on
the hash result) but if all the primary next-hops are unreachable, the backup next-hop
is used. The QPPB configuration model described in Associating an FC and Priority
with a Route allows the forwarding-class and priority associated with the backup path
to be different from the QoS characteristics of the equal-cost best paths. The
forwarding class and priority of a packet forwarded on the backup path is based on
the fc and priority of the backup route.
When an IPv4 or IPv6 packet with destination address arrives on an interface with
both QPPB and policy-based-routing enabled:
Source-address based QPPB is not supported on any SAP or spoke SDP interface
of a VPRN configured with the grt-lookup command.
When QPPB is enabled on a SAP IP interface, the forwarding class of a packet may
change from fc1 (the original fc determined by the SAP ingress QoS policy) to fc2,
the new fc determined by QPPB. In the ingress datapath, SAP ingress QoS policies
are applied in the first P chip and route lookup/QPPB occurs in the second P chip.
This has the following implications:
• Ingress remarking (based on profile state) is always based on the original fc (fc1)
and sub-class (if defined).
• The profile state of a SAP ingress packet that matches a QPPB route depends
on the configuration of fc2 only. If the de-1-out-profile flag is enabled in fc2, and
fc2 is not mapped to a priority mode queue, the packet will be marked out of
profile if its DE bit = 1. If the profile state of fc2 is explicitly configured (in or out)
and fc2 is not mapped to a priority mode queue, the packet is assigned this
profile state. In both cases, there is no consideration of whether fc1 was mapped
to a priority mode queue.
• The priority of a SAP ingress packet that matches a QPPB route depends on
several factors. If the de-1-out-profile flag is enabled in fc2 and the DE bit is set
in the packet, priority will be low regardless of the QPPB priority or fc2 mapping
to profile mode queue, priority mode queue, or policer. If fc2 is associated with
a profile mode queue, the packet priority will be based on the explicitly
configured profile state of fc2 (in profile = high, out profile = low, undefined =
Profile mode Profile mode From new From QPPB, unless From new From original FC
queue queue base FC packet is marked in or base FC and sub-class
unless out of profile in which
overridden by case follows profile.
DE=1 Default: high priority.
Priority mode Priority mode Ignored If DE=1 override then From new From original FC
queue queue low otherwise from base FC and sub-class
QPPB. If no DEI or
QPPB overrides then
from original dot1p/
exp/DSCP mapping or
policy default.
Policer Policer From new If DE=1 override then From new From original FC
base FC low otherwise from base FC and sub-class
unless QPPB. If no DEI or
overridden by QPPB overrides then
DE=1 from original dot1p/
exp/DSCP mapping or
policy default.
Priority mode Policer From new If DE=1 override then From new From original FC
queue base FC low otherwise from base FC and sub-class
unless QPPB. If no DEI or
overridden by QPPB overrides then
DE=1 from original dot1p/
exp/DSCP mapping or
policy default.
Profile mode Priority mode Ignored If DE=1 override then From new From original FC
queue queue low otherwise from base FC and sub-class
QPPB. If no DEI or
QPPB overrides then
follows original FC’s
profile mode rules.
Priority mode Profile mode From new From QPPB, unless From new From original FC
queue queue base FC packet is marked in or base FC and sub-class
unless out of profile in which
overridden by case follows profile.
DE=1 Default: high priority.
Profile mode Policer From new If DE=1 override then From new From original FC
queue base FC low otherwise from base FC and sub-class
unless QPPB. If no DEI or
overridden by QPPB overrides then
DE=1 follows original FC’s
profile mode rules.
Policer Profile mode From new From QPPB, unless From new From original FC
queue base FC packet is marked in or base FC and sub-class
unless out of profile in which
overridden by case follows profile.
DE=1 Default: high priority.
2.2.2 Router ID
The router ID, a 32-bit number, uniquely identifies the router within an autonomous
system (AS) (see Autonomous Systems (AS)). In protocols such as OSPF, routing
information is exchanged between areas—groups of networks that share routing
information. It can be set to be the same as the loopback address. The router ID is
used by both OSPF and BGP routing protocols in the routing table manager instance.
There are several ways to obtain the router ID. On each router, the router ID can be
obtained in the following ways.
• Define the value in the config>router router-id context. The value becomes the
router ID.
• Configure the system interface with an IP address in the
config>router>interface ip-int-name context. If the router ID is not manually
configured in the config>router router-id context, the system interface acts as
the router ID.
• If neither the system interface or router ID are implicitly specified, the router ID
is inherited from the last four bytes of the MAC address.
• The router can be obtained from the protocol level; for example, BGP.
Routing in the AS takes place on two levels, depending on whether the source and
destination of a packet reside in the same area (intra-area routing) or different areas
(inter-area routing). In intra-area routing, the packet is routed solely on information
obtained within the area; no routing information obtained from outside the area can
be used. This protects intra-area routing from the injection of bad routing information.
Routers that belong to more than one area are called area border routers. All routers
in an AS do not have an identical topological database. An area border router has a
separate topological database for each area it is connected to. Two routers, which
are not area border routers, belonging to the same area, have identical area
topological databases.
2.2.4 Confederations
Configuring confederations is optional and should only be implemented to reduce the
IBGP mesh inside an AS. An AS can be logically divided into smaller groupings
called sub-confederations and then assigned a confederation ID (similar to an
autonomous system number). Each sub-confederation has fully meshed IBGP and
connections to other ASs outside of the confederation.
Confederation 2002
AS 200 AS 300
Confederation Member 1 Confederation Member 3
ALA-A
ALA-D ALA-G
AS 400
Confederation Member 2
AS 500
ALA-H
SRSG005
Typical routers only support proxy ARP for directly attached networks; the router is
targeted to support proxy ARP for all known networks in the routing instance where
the virtual interface proxy ARP is configured.
To support DSLAM and other edge-like environments, proxy ARP supports policies
that allow the provider to configure prefix lists that determine for which target
networks proxy ARP will be attempted and prefix lists that determine for which source
hosts proxy ARP will be attempted.
Also, the proxy ARP implementation will support the ability to respond for other hosts
within the local subnet domain. This is needed in environments such as DSL where
multiple hosts are in the same subnet but can not reach each other directly.
Static ARP is used when a Nokia router needs to know about a device on an interface
that cannot or does not respond to ARP requests. The configuration can state that,
if it has a packet with a specific IP address, to send it to the corresponding ARP
address. Use proxy ARP so the router responds to ARP requests on behalf of
another device.
• Improved support for extensions and options — Changes in the way IP header
options are encoded allows for more efficient forwarding, less stringent limits on
the length of options, and greater flexibility for introducing options in the future.
• Flow labeling capability — The capability to enable the labeling of packets
belonging to traffic flows for which the sender requests special handling, such
as non-default quality of service or “real-time” service was added in IPv6.
• Authentication and privacy capabilities — Extensions to support authentication,
data integrity, and (optional) data confidentiality are specified for IPv6.
Source Address
Destination Address
al_0892
Field Description
Payload Length 16-bit unsigned integer. The length of payload, for example, the rest of the packet
following the IPv6 header, in octets. If the value is zero, the payload length is carried
in a jumbo payload hop-by-hop option.
Next Header 8-bit selector. Identifies the type of header immediately following the IPv6 header.
This field uses the same values as the IPv4 protocol field.
Field Description
Hop Limit 8-bit unsigned integer. Decremented by 1 by each node that forwards the packet. The
packet is discarded if the hop limit is decremented to zero.
Destination Address 128-bit address of the intended recipient of the packet (possibly not the ultimate
recipient if a routing header is present).
IPv6 uses a 128-bit address, as opposed to the IPv4 32-bit address. Unlike IPv4
addresses, which use the dotted-decimal format, with each octet assigned a decimal
value from 0 to 255, IPv6 addresses use the colon-hexadecimal format
X:X:X:X:X:X:X:X, where each X is a 16-bit section of the 128-bit address. For
example:
2001:0DB8:0000:0000:0000:0000:0000:0000
Leading zeros must be omitted from each block in the address. A series of zeros can
be replaced with a double colon. For example:
2001:DB8::
The IPv6 prefix is the part of the IPv6 address that represents the network identifier,
which appears at the beginning of the address. The IPv6 prefix length, which begins
with a forward slash (/), shows how many bits of the address make up the network
identifier. For example, the address 1080:6809:8086:6502::1/64 means that the first
64 bits of the address represent the network identifier; the remaining 64 bits
represent the node identifier.
Note: In SR OS 12.0.R4 and later, any function that displays an IPv6 address or prefix
changes to reflect rules described in RFC 5952, A Recommendation for IPv6 Address Text
Representation. Specifically, hexadecimal letters in IPv6 addresses are now represented in
lowercase, and the correct compression of all leading zeros is displayed. This changes
visible display output compared to previous SR OS releases. Previous SR OS behavior can
cause issues with operator scripts that use standard IPv6 address expressions and with
libraries that have standard IPv6 parsing as per RFC 5952 rules.
IPv6 IX
ISP A ISP B
Peering
IPIPE_007
• IPv6 transit services — Figure 5 shows IPv6 transit services provided by an ISP.
Customer 1
2001:0410:0001:/48
ISP
2001:0410::/32
Customer 2
2001:0410:0002:/4
IPIPE_008
• IPv6 services to enterprise customers and home users — Figure 6 shows IPv6
services to enterprise and home broadband users.
Enterprise
ISP
IPIPE_009
• IPv6 over IPv4 relay services — IPv6 over IPv4 tunnels are one of many IPv6
transition methods to support IPv6 in an environment where not only IPv4 exists
but native IPv6 networks depend on IPv4 for greater IPv6 connectivity. Nokia
routers support dynamic IPv6 over IPv4 tunneling. The IPv4 source and
destination address are taken from configuration, the source address is the IPv4
system address and the IPv4 destination is the next hop from the configured
IPv6 over IPv4 tunnel.
IPv6 over IPv4 is an automatic tunnel method that gives a prefix to the attached
IPv6 network. Figure 7 shows IPv6 over IPv4 tunneling to transition from IPv4 to
IPv6.
Dual-stack Dual-stack
IPv6 Host router router IPv6 Host
Fig_29a
2.2.8.3 DNS
The DNS client is extended to use IPv6 as transport and to handle the IPv6 address
in the DNS AAAA resource record from an IPv4 or IPv6 DNS server. An assigned
name can be used instead of an IPv6 address because IPv6 addresses are more
difficult to remember than IPv4 addresses.
When SeND is enabled on an interface, CGAs must be enabled and static GUA/LLA
IPv6 addressing is not supported. In this case, the router will generate a CGA from
the configured prefix (GUA, LLA) and use that address for all communication. The
router will validate NS/ND messages from other nodes on the network segment, and
only install them in the neighbor cache if they pass validation.
A number of potential use-cases for SeND exist in order to secure the network from
deliberate or accidental tampering during neighbor discovery, SeND can prevent
hijacking of in-use IPv6 addressing or man-in-the-middle attacks, but also to validate
whether a node is permitted to participate in neighbor discovery, or validate which
routers are permitted to act as default gateways.
PE-A PE-B
2001:DB8:A1CA:7E1:DA24:1FF:FE01:2/64 2001:DB8:A1CA:7E1:DA25:1FF:FE01:2/64
PE-A PE-B
2001:DB8:A1CA:7E1:DA24:1FF:FE01:2/64 2001:DB8:A1CA:7E1:DA25:1FF:FE01:2/64
al_0747
1. PE-A sends an NS message to the solicited node multicast address for PE-B's
address with the CGA option, RSA signature option, timestamp option, and
nonce option.
2. PE-B processes the NS message and, because it is configured for SeND
operation, processes the NS. PE-B will validate the source address of the packet
to ensure it is a valid CGA, then validate the cryptographic signature embedded
in the NS message.
3. PE-B generates an NA message, which is sent back to PE-A with the solicited
bit, router bit set. The source address is that of PE-B, while the destination
address is that of PE-A from the NS message. The timestamp is generated from
PE-B, while the nonce is copied from PE-A's NS message.
If all steps process correctly, both nodes will install each other’s addresses into their
neighbor cache database.
To keep the same CGAs after a reboot from a saved configuration file:
To generate an RSA key pair, use the admin certificate gen-keypair command:
For example:
To import a generated RSA key pair, use the admin certificate secure-nd-import
command:
For example:
• Because SeND only uses RSA key pairs, the command is refused if the imported
key type is not RSA.
• Because SeND only supports key size 1024, the command is refused if the
imported key size is not 1024.
• The password has to be specified when an offline generated file in pkcs12
format has to be imported.
• key-rollover keyword: see the RSA key pair rollover mechanism section that
follows.
• This command creates the file cfx:\system-pki\secureNdKey (fixed directory and
file name) and saves the imported key in that file in encrypted der format (same
as the admin certificate import command).
• The RSA key pair is uploaded in the memory of SeND.
For example:
admin certificate secure-nd-import cf1:\myDir\myOtherRsaKeyPair format der key-
rollover
• While handling a key rollover, SeND keeps track of which interface uses which
RSA key pair. Temporarily, SeND can have two RSA key pairs in use. At all
times, only the latest RSA key pair is stored in the file
cfx:\system-pki\secureNdKey. When the rollover is finished, the RSA key pair
that is no longer referred to, is deleted from SeND’s memory.
The first time an interface becomes SeND enabled, SeND needs an RSA key pair to
generate or check a modifier and to generate a CGA.
If the operator did not import an RSA key pair for SeND, an auto-generated RSA key
pair will be used as a fallback.
The auto-generated RSA key pair is synchronized to the standby CPM, but will not
be written to the CF. Therefore, all CGAs generated via an auto-generated RSA key
pair are not persistent. A warning will be raised whenever a non-persistent CGA is
generated.
See the section Making non-persistent CGAs persistent for more information about
the procedure to make non-persistent CGAs persistent.
HA
For the synchronization of the RSA key pair file in cfx:\system-pki\ used by SeND,
the following commands for manual and automatic certificate synchronization are
used:
SeND also synchronizes the RSA key pair to the standby CPM.
The modifier used during the CGA generation will be saved in the configuration file.
The CGA itself is not stored.
Based on the stored modifier and RSA key pair, the same CGA can be regenerated.
By storing the modifier in the configuration file, the operator can also configure an
offline generated modifier (possibly with a security parameter > 1).
=> A modifier is generated based on the actual RSA key pair (that is, imported or
auto-generated). The modifier is used to generate a link-local CGA.
exit
address 2000:1::/64
=> A modifier is generated based on the actual RSA key pair. The modifier is used
to generate the global CGA.
=> The offline generated modifier is used to generate the link-local CGA:
no shutdown
exit
address 3000:1::/64
=> A modifier is generated based on the actual RSA key pair. The modifier is used
to generate the global CGA.
=> The same offline generated modifier as the preceding link-local address is used
for the generation of a global address:
=> Another offline generated modifier (*) is used for the generation of a global
address.
• The operator forgot to configure an RSA key pair for SeND, so hence the CGAs
were generated based on an auto-generated RSA key pair.
• The operator forgot to synchronize an RSA key pair file to the stand-by CPM and
a switch-over happens.
• The CGAs were generated by a software version not having persistent CGAs
(such as, ISSU).
• The system was booted from a configuration file generated by a software
version not having persistent CGAs.
Key rollover
You can import a new RSA key pair for SeND with the key-rollover keyword. This
will result in the regeneration of all CGAs on all interfaces.
Another method that does not result in the regeneration of the CGAs is to export the
RSA key pair that is currently in use by SeND to the system-pki directory via an
admin command:
This command will write the RSA key pair to the file cfx:\system-pki\secureNdKey in
encrypted der format.
The configuration file should contain a modifier for each address on a SeND enabled
interface.
Modifiers in the configuration file are checked against the current RSA key pair. If the
check fails, a new modifier and CGA is generated and a warning is raised that a new
CGA is generated.
If a modifier is missing from the configuration file for an IPv6 /64 prefix on a SeND
enabled interface, a new modifier and CGA will be generated based on the active
RSA key pair.
The file cfx:\system-pki\secureNdKey does not exist nor does the configuration file
contain a modifier for any of the IPv6 /64 prefixes on secure-nd enabled interfaces.
New CGAs have to be generated (from the CLI context). Follow one of the
procedures described in section Making non-persistent CGAs persistent to make the
non-persistent CGA's persistent.
6PE allows IPv6 domains to communicate with each other over an IPv4 MPLS core
network. Because forwarding is based on MPLS labels, backbone infrastructure
upgrades and core router re-configuration is not required in this architecture. 6PE is
a cost-effective solution for IPv6 deployment.
6PE 6PE
145:950.0 v4 P P v6 2001:0421
2001:0621 v6 P P
6PE 6PE
CE IPv4
MPLS
Fig_30
The ingress 6PE router can push two or more MPLS labels to send the packets to
the egress 6PE router. The top labels are associated with resolving the transport
tunnels. The bottom label is advertised in MP-BGP by the remote 6PE router.
Typically, the IPv6 explicit null (value 2) label is used, but any arbitrary value can be
received when the remote 6PE router is not an SR OS router.
The egress 6PE router pops the top transport labels. When the IPv6 explicit null label
is exposed, the egress 6PE router knows that an IPv6 packet is encapsulated. It pops
the IPv6 explicit null label and performs an IPv6 route lookup to find the next hop for
the IPv6 packet.
If resolution is set to any, any supported tunnel type in static route context will be
selected following TTM preference.
The following tunnel types are supported in a static route context: LDP, RSVP-TE,
Segment Routing (SR) Shortest Path, and Segment Routing Traffic Engineering
(SR-TE):
• LDP
The ldp value instructs the code to search for an LDP LSP with a FEC prefix
corresponding to the address of the indirect next-hop. Both LDP IPv4 FEC and
LDP IPv6 FEC can be used as the tunnel next-hop. However, only an indirect
next-hop of the same family (IPv4 or IPv6) as the prefix of the route can use an
LDP FEC as the tunnel next-hop. In other words, an IPv4 (IPv6) prefix can only
be resolved to an LDP IPv4 (IPv6) FEC.
• RSVP-TE
The rsvp-te value instructs the code to search for the set of lowest metric RSVP-
TE LSPs to the address of the indirect next-hop. The LSP metric is provided by
MPLS in the tunnel table. The static route treats a set of RSVP-TE LSPs with the
same lowest metric as an ECMP set.
The user has the option of configuring a list of RSVP-TE LSP names to be used
exclusively instead of searching in the tunnel table. In that case, all LSPs must
have the same LSP metric in order for the static route to use them as an ECMP
set. Otherwise, only the LSPs with the lowest common metric value are
selected.
A P2P auto-lsp that is instantiated via an LSP template can be selected in TTM
when resolution is set to any. However, it is not recommended to configure an
auto-lsp name explicitly under the rsvp-te node as the auto-generated name
can change if the node reboots, which will blackhole the traffic of the static route.
• SR Shortest Path
When the sr-isis or sr-ospf value is enabled, an SR tunnel to the indirect next-
hop is selected in the TTM from the lowest preference ISIS or OSPF instance,
and if many instances have the same lowest preference, it is selected from the
lowest numbered IS-IS or OSPF instance. Both SR-ISIS IPv4 and SR-ISIS IPv6
tunnels can be used as tunnel next-hops. However, only an indirect next-hop of
the same family (IPv4 or IPv6) as the prefix of the route can use an SR-ISIS
tunnel as a tunnel next-hop. In other words, an IPv4 (IPv6) prefix can only be
resolved to a SR-ISIS IPv4 (IPv6).
• SR-TE
The sr-te value instructs the code to search for the set of lowest metric SR-TE
LSPs to the address of the indirect next-hop. The LSP metric is provided by
MPLS in the tunnel table. The static route treats a set of SR-TE LSPs with the
same lowest metric as an ECMP set.
The user has the option of configuring a list of SR-TE LSP names to be used
exclusively instead of searching in the tunnel table. In that case, all LSPs must
have the same LSP metric in order for the static route to use them as an ECMP
set. Otherwise, only the LSPs with the lowest common metric value are
selected.
If one or more explicit tunnel types are specified using the resolution-filter option,
only these tunnel types will be selected again following the TTM preference.
The user must set resolution to filter to activate the list of tunnel-types configured
under resolution-filter.
If disallow-igp is enabled, the static route will not be activated using IP next-hops in
RTM if no tunnel next-hops are found in TTM.
• ECMP is supported when resolving in RTM multiple static routes of the same
prefix with multiple user-entered indirect IP next-hops. The system picks as
many direct next-hops as available in RTM beginning from the first indirect next-
hop and up to the value of the ecmp option in the system.
• ECMP is also supported when resolving in TTM a static route to a single indirect
next-hop using a LDP tunnel when LDP has multiple direct next-hops.
• ECMP is supported when resolving in TTM a static route to a single indirect next-
hop using a RSVP-TE tunnel type when there is more than one RSVP LSP with
the same lowest metric to the indirect next-hop.
• ECMP is supported when resolving in TTM a static route to a single indirect next-
hop using a list of user-configured RSVP-TE LSP names when these LSPs have
the same metric to the indirect next-hop.
• ECMP is supported when resolving in TTM multiple static routes of the same
prefix with multiple user-entered indirect next-hops, each binding to a tunnel
type. The system picks as many tunnel next-hops as available in TTM beginning
from the first indirect next-hop and up to the value of the ecmp option in the
system. The spraying of flow packets is performed over the entire set of resolved
next-hops that correspond to the selected indirect next-hops.
• ECMP is supported when resolving concurrently in RTM and TTM multiple static
routes of the same prefix with multiple user-entered indirect tunnel next-hops.
There is no support for mixing IP and tunnel next-hops for the same prefix using
different indirect next-hops. Tunnel next-hops are preferred over IP next-hops.
This feature does not modify the route calculation: the same set of ECMP next-hops
is computed for a prefix. The feature also does not change the hash routine; only the
spraying of the flows over the tunnel next-hops is modified to reflect the normalized
weight of each tunnel next-hop.
Static route implementation supports ECMP over a set of equal-cost MPLS LSPs.
The user can allow automatic selection or specify the names of the equal-metric
MPLS LSPs in TTM to be used in the ECMP set. For more information, see Static
Route Resolution Using Tunnels.
The user must have the IGP shortcut or forwarding adjacency feature enabled in one
or more IGP instances:
config>router>ospf(isis)>igp-shortcut
config>router>ospf(isis)>advertise-tunnel-link
The user can also disable specific MPLS LSPs from being used in IGP shortcut or
forwarding adjacency by configuring the following:
config>router>mpls>lsp>no igp-shortcut
The user enables the weighted load balancing feature using the following router level
command:
config>router>weighted-ecmp
When this command is enabled, packets of IGP, BGP, and static route prefixes
resolved to a set of ECMP tunnel next-hops are sprayed proportionally to the weights
configured for each MPLS LSP in the ECMP set.
The user can configure a weight for each LSP using the following command:
config>router>mpls>lsp>load-balancing-weight <32-bit-integer>
For an auto-LSP signaled via an LSP template, the weight is configured using the
following command:
config>router>mpls>lsp-template>load-balancing-weight <32-bit-
integer>
There is no default weight value for an LSP. If any LSP in the ECMP set of a prefix
does not have a weight configured, the regular ECMP spraying for the prefix will be
performed. The user-entered weight is normalized to the closest integer value that
represents the number of entries in the ingress prefix hash table assigned to the LSP
for the purpose of spraying packets of all prefixes resolved to this LSP. The higher
the normalized weight, the more entries will be assigned to the LSP, the more
packets will be sent to this LSP.
This section describes the behavior of the weighted load-balancing feature for IGP,
BGP, and static route prefixes resolved in RTM to IGP shortcuts.
When an IGP, BGP, or a static route prefix is resolved in RTM to a set of ECMP
tunnel next-hops of type RSVP-TE, and the router level weighted-ecmp option is
enabled, the ingress hash table for the next-hop selection is populated with a number
of tunnel next-hop entries for each LSP equal to the normalized LSP weight value.
All prefixes resolving to the same set of ECMP tunnel next-hops use the same table.
1. MPLS populates the user-configured LSP weight in TTM. When the global
command weighted-ecmp is enabled, and any LSP in the ECMP set of a prefix
does not have a weight configured, the regular ECMP spraying for the prefix will
be performed.
2. IGP computes the normalized weight for each prefix tunnel next-hop. The
minimum value of the normalized weight is 1 and the maximum is 64. IGP
updates the route in RTM with the set of tunnel next-hops and normalized
weights. RTM downloads the information to IOM for inclusion in the FIB.
3. The normalized weights of route tunnel next-hops are updated in the following
cases:
When the main SPF is run following a trigger, for example, network failure,
and updates a route with a modified set of tunnel next-hops. This will trigger
a route re-download to the IOM and all users of RTM are notified.
The user adds or changes the weight of one or more LSPs. In this case,
RTM will perform a route download to IOM, but other users of RTM are not
notified because the route resolution did not change.
4. The weighted load balancing feature is only applied to a prefix when all the
tunnel next-hops in the ECMP set have the same endpoint. If an IGP prefix
resolves in RTM to a set of ECMP tunnel next-hops that do not terminate on the
same endpoint, the regular ECMP spraying is performed. If BGP performs BGP
ECMP to a set of BGP ECMP next-hops for a prefix (weighted-bgp-ecmp-prd),
regular ECMP spraying is performed toward a BGP next-hop if the subset of its
tunnel next-hops does not terminate on the same endpoint.
5. Regular ECMP spraying is also applied if a prefix is resolved in RTM to an ECMP
set that consists of a mix of IP and tunnel next-hops.
6. This feature is not supported in the following contexts:
Packets of BGP prefix with the BGP next-hop resolved in TTM to RSVP LSP
(BGP shortcut).
CPM generated packets, including OAM packets, which are looked-up in
RTM and which are forwarded over tunnel next-hops. These will be
forwarded using either regular ECMP or by selecting one next-hop from the
set.
The weight assigned to an LSP affects only the forwarding decision, not the routing
decision. It does not change the selection of the set of ECMP tunnel next-hops of a
prefix when more next-hops exist than the value of the router ecmp option. This
selection continues to follow the algorithm used in the IGP shortcut feature.
After the set of tunnel next-hops is selected, the LSP weight is used to modulate the
amount of packets forwarded over each next-hop.
The configuration of the resolution of a static route prefix to set of MPLS LSPs is
described in Static Route Resolution Using Tunnels which also provides the
selection rules among multiple LSP types: RSVP-TE, SR-TE, LDP, SR-ISIS, and SR-
OSPF. A static route of a prefix can only be resolved to a set of tunnel next-hops of
the same type though, for each indirect next-hop.
To perform ECMP over a set of configured MPLS LSPs, the user must enter two or
more LSP names to be used as tunnel next-hops. If automatic selection is performed,
ECMP is performed if two or more MPLS LSPs are in TTM to the indirect next-hop of
the static route. However, all LSPs must have the same LSP metric; otherwise, only
the tunnel next-hops with the same lowest metric will be activated for the static route.
The user can force the metric of an LSP to a constant value using the following
command:
If the user enters, for the same static route, more LSP names with the same LSP
metric than the value of the router level ecmp option, only the first configured LSPs
equal to the ecmp value will be selected. The remaining tunnel next-hops for the
route will not be activated. When automatic MPLS LSP selection is performed in
TTM, the lowest tunnel ID is used as a tie-breaker among the same lowest metric
LSPs.
To perform weighted load-balancing over the set of MPLS LSPs, either when the
LSP names are provided or when auto-selection in TTM is performed, the user must
also enable the weighted ECMP globally like for static, IGP, and BGP prefixes
resolving to IGP shortcuts:
The behavior of this feature in terms of RTM and IOM is exactly the same as in the
case of BGP, IGP, and static route prefixes resolving to IGP shortcuts. See Feature
Behavior for more information. In this case, the static route module computes the
normalized weight for each prefix tunnel next-hop of the static route indirect next-
hop. The minimum value of the normalized weight is 1 and the maximum is 64. The
static route module updates the route in RTM with the set of tunnel next-hops and
normalized weights. RTM downloads the information to IOM for inclusion in the FIB.
If any LSP in the ECMP set of a prefix static route does not have a weight configured,
the regular ECMP spraying for the prefix will be performed.
ECMP is also supported when resolving in TTM the same static route with multiple
user-entered indirect next-hops, each binding to the same or different tunnel types.
The system picks as many tunnel next-hops as available in RTM, beginning from the
first indirect next-hop and up to the value of the ecmp option in the system. In this
case, the weighted load-balancing will be applied directly using the weights of the
selected set of tunnel next-hops. If any LSP in the ECMP set of a prefix static route
does not have a weight configured, or if any of the indirect next-hops binds to an LDP
LSP, the regular ECMP spraying for the prefix will be performed.
If the same prefix is resolved via both a static route and an IGP shortcut route, the
RTM default protocol preference will install the static route only. Therefore, the set of
ECMP tunnel next-hops and the weighted load balancing behavior will be
determined by the static route configuration and not by the IGP shortcut
configuration.
BFD can provide a mechanism used for failure detection over any media, at any
protocol layer, with a wide range of detection times and overhead, to avoid a
proliferation of different methods.
If multiple protocols are running between the same two BFD endpoints, only a single
BFD session is established, and all associated protocols will share the single BFD
session.
As well as the typical asynchronous mode, there is also an echo function defined
within RFC 5880, Bidirectional Forwarding Detection, that allows either of the two
systems to send a sequence of BFD echo packets to the other system, which loops
them back within that system’s forwarding plane. If a number of these echo packets
are lost, the BFD session is declared down.
Also, the TTL of all transmitted BFD packets must have an IP TTL of 255. All BFD
packets received must have an IP TTL of 255 if authentication is not enabled. If
authentication is enabled, the IP TTL should be 255, but can still be processed if it is
not (assuming the packet passes the enabled authentication mechanism).
If multiple BFD sessions exist between two nodes, the BFD discriminator is used to
de-multiplex the BFD control packet to the appropriate BFD session.
My Discriminator
Your Discriminator
Field Description
Vers The version number of the protocol. The initial protocol version is 0.
Diag A diagnostic code specifying the local system’s reason for the last transition of the
session from Up to some other state.
Possible values are:
0-No diagnostic
1-Control detection time expired
2-Echo function failed
3-Neighbor signaled session down
4-Forwarding plane reset
5-Path down
6-Concatenated path down
7-Administratively down
P Bit The poll bit. If set, the transmitting system is requesting verification of connectivity,
or of a parameter change.
F Bit The final bit. If set, the transmitting system is responding to a received BFD control
packet that had the poll (P) bit set.
Rsvd Reserved bits. These bits must be zero on transmit and ignored on receipt.
My Discriminator A unique, non-zero discriminator value generated by the transmitting system, used
to demultiplex multiple BFD sessions between the same pair of systems.
Your Discriminator The discriminator received from the corresponding remote system. This field reflects
back the received value of my discriminator, or is zero if that value is unknown.
Field Description
Desired Min TX Interval This is the minimum interval, in microseconds, that the local system would like to use
when transmitting BFD control packets.
Required Min RX Interval This is the minimum interval, in microseconds, between received BFD control
packets that this system is capable of supporting.
Required Min Echo RX This is the minimum interval, in microseconds, between received BFD echo packets
Interval that this system is capable of supporting. If this value is zero, the transmitting system
does not support the receipt of BFD echo packets.
All encapsulation types supporting IPv4 and IPv6 are supported because all BFD
packets are carried in IPv4 and IPv6 packets; this includes Frame Relay and ATM.
The following interfaces are supported only on the 7750 SR and 7450 ESS:
• VSM interfaces
• POS interfaces (including APS)
• Channelized interfaces (PPP, HDLC, FR, and ATM) on ASAP (priority 1) and
channelized MDAs (priority 2) including link bundles and IMA
The echo function is useful when the local router does not have sufficient CPU power
to handle a periodic polling rate at a high frequency. Therefore, it relies on the echo
sender to send a high rate of BFD echo messages through the receiver node, which
is only processed by the receiver’s forwarding path. This allows the echo sender to
send BFD echo packets at any rate.
SR OS does not support the sending of echo requests, only the response to echo
requests.
One application for a central BFD implementation is so BFD can be supported over
spoke SDPs used to inter-connect IES or VPRN interfaces. When there are spoke
SDPs for inter-connections over an MPLS network between two routers, BFD is used
to speed up failure detections between nodes so re-convergence of unicast and
multicast routing information can begin as quickly as possible.
The MPLS LSP associated with the spoke SDP can enter or egress from multiple
interfaces on the router. BFD for these types of interfaces cannot exist on the
IOMXCM by itself.
IES/ IES/
VPRN VPRN
Primary Path
Spoke Spoke
Headend SDP SDP
Router
Headend
Router Secondary Path
IES/ IES/
Note: VPRN VPRN
In this case BFD is run between
the IES/VPRN interfaces Metro Metro
independent of the SPD/LSP paths POP 4 POP 3
Fig_31
L2 Switch
IES/ IES/
VPRN VPRN
LAG i/f LAG i/f
2 2
4
BFD BFD
LAG i/f
Note: IES/
In this case BFD is run between the VPRN
IES/VPRN interfaces independent
of the LAG or its members
Fig_32
BFD is supported over MPLS-TP, RSVP, and LDP LSPs, as well as over
pseudowires that support Layer 2 services such as Epipe VPLS spoke-SDPs and
mesh-SDPs using centralized BFD. See the 7450 ESS, 7750 SR, and 7950 XRS
MPLS Guide and 7450 ESS, 7750 SR, and 7950 XRS Layer 2 Services and EVPN
Guide: VLL, VPLS, PBB, and EVPN for more information.
This feature invalidates a static route based on the reachability of the next-hop in the
ARP cache when the validate-next-hop command is enabled within the static-
route-entry>next-hop context for an IPv4 static route.
In this case, when the ARP entry for the next-hop is INVALID or not populated, the
static route must remain invalid/inactive. When an ARP entry for the next-hop is
populated based on a gratuitous ARP received or periodic traffic destined for it and
the usual ARP who-has procedure, the static route becomes valid/active and is
installed.
This feature invalidates a static route based on the reachability of the next-hop in the
neighbor cache when the validate-next-hop command is enabled within the static-
route-entry>next-hop context for an IPv6 static route.
In this case, when the Neighbor Cache entry for next-hop is INVALID or not
populated, the static route must remain invalid/inactive. When an NC entry for next-
hop is populated based on a neighbor advertisement received, or periodic traffic
destined for it and the usual NS/NA procedure, the static route becomes valid/active
and is installed.
When LDP shortcut is enabled, LDP populates the RTM with next-hop entries
corresponding to all prefixes for which it activated an LDP FEC. For an activated
prefix, two route entries are populated in RTM. One corresponds to the LDP shortcut
next-hop and has an owner of LDP. The other one is the regular IP next-hop. The
LDP shortcut next-hop always has preference over the regular IP next-hop for
forwarding user packets and specified control packets over a specific outgoing
interface to the route next-hop.
The prior activation of the FEC by LDP is done by performing an exact match with an
IGP route prefix in RTM. It can also be done by performing a longest prefix match
with an IGP route in RTM if the aggregate-prefix-match option is enabled globally in
LDP ldp-interarea-prd.
The LDP next-hop entry is not exported to the LDP control plane or to any other
control plane protocols except OSPF, IS-IS, and an OAM control plane specified in
Handling of Control Packets.
This feature is not restricted to /32 IPv4 prefixes or /128 IPv6 FEC prefixes. However,
only /32 IPv4 and /128 IPv6 FEC prefixes will be populated in the tunnel table for use
as a tunnel by services.
All user and specified control packets for which the longest prefix match in RTM
yields the FEC prefix will be forwarded over the LDP LSP. The following is an
example of the resolution process.
Assume that the egress LER advertised a FEC for some /24 prefix using the fec-
originate command. At the ingress LER, LDP resolves the FEC by checking in RTM
that an exact match exists for this prefix. After the LDP activates the FEC, it programs
the NHLFE in the egress data path and the LDP tunnel information in the ingress
data path tunnel table.
Next, LDP provides the shortcut route to RTM, which will associate it with the same
/24 prefix. There will be two entries for this /24 prefix: the LDP shortcut next-hop and
the regular IP next-hop. The latter was used by LDP to validate and activate the FEC.
RTM then resolves all user prefixes that succeed a longest prefix match against the
/24 route entry to use the LDP LSP.
Now assume that the aggregate-prefix-match was enabled and that LDP found a /16
prefix in RTM to activate the FEC for the /24 FEC prefix. In this case, RTM adds a
new, more-specific route entry of /24 and has the next-hop as the LDP LSP.
However, RTM will still not have a specific /24 IP route entry. RTM then resolves all
user prefixes that succeed a longest prefix match against the /24 route entry to use
the LDP LSP. All other prefixes that succeed a longest prefix match against the /16
route entry will use the IP next-hop. LDP shortcut will also work when using RIP for
routing.
After the LDP activates a FEC for a prefix and programs RTM, it also programs the
ingress tunnel table in IOM or on linecards with the LDP tunnel information.
The switching from the LDP shortcut next-hop to the regular IP next-hop when the
LDP FEC becomes unavailable depends on whether the next-hop is still available. If
it is (for example, the LDP FEC was withdrawn due to LDP control plane issues) the
switchover should be faster. If the next-hop determination requires IGP to re-
converge, this will take longer. However, no target is set.
The switching from a regular IP next-hop to an LDP shortcut next-hop will usually
occur only when both are available. However, the programming of the NHLFE by
LDP and the programming of the LDP tunnel information in the ingress IOM or
linecards tunnel table are asynchronous. If the tunnel table is configured first, it is
possible that traffic will be black-holed for some time.
When ECMP is enabled and multiple equal-cost next-hops exist for the IGP route,
the ingress IOM or linecard will spray the packets for this route based on the hashing
routine currently supported for IPv4 packets.
When the preferred RTM entry corresponds to an LDP shortcut route, spraying will
be performed across the multiple next-hops for the LDP FEC. The FEC next-hops
can either be direct link LDP neighbors or T-LDP neighbors reachable over RSVP
LSPs, in the case of LDP-over-RSVP, but not both. This is as per ECMP for LDP.
When the preferred RTM entry corresponds to a regular IP route, spraying will be
performed across regular IP next-hops for the prefix.
All control plane packets will not see the LDP shortcut route entry in RTM with the
exception of the following control packets, which will be forwarded over an LDP
shortcut when enabled:
• A locally generated or in transit ICMP ping and trace route of an IGP route. The
transit message appears as a user packet to the ingress LER node.
• A locally generated response to a received ICMP ping or trace route message.
All other control plane packets that require an RTM lookup and knowledge of which
destination is reachable over the LDP shortcut will continue to be forwarded over the
IP next-hop route in RTM.
If a multicast packet is received over the physical interface, the uRPF check will not
resolve to the LDP shortcut because the LDP shortcut route in RTM is not made
available to multicast application.
There is no interaction between an LDP shortcut for BGP next-hop resolution and the
LDP shortcut for IGP route resolution. BGP will continue to resolve a BGP next-hop
to an LDP shortcut if the user enabled the following option in BGP:
config>router>bgp>next-hop-res>shortcut-tunnel
family ipv4
resolution-filter ldp
A static route will continue to be resolved by searching an LDP LSP whose FEC
prefix matches the specified indirect next-hop for the route. In contrast, the LDP
shortcut for IGP route resolution uses the LDP LSP as a route. The most specific
route for a prefix will be selected and, if both a static and IGP routes exist, the RTM
route type preference will be used to select one.
For the LDP shortcut to be usable, SR OS must originate a <FEC, label> binding for
each IGP route it learns of even if it did not receive a binding from the next-hop for
that route. The router must assume that it is an egress LER for the FEC until the route
disappears from the routing table or the next-hop advertises a binding for the FEC
prefix. In the latter case, SR OS becomes a transit LSR for the FEC.
SR OS will originate a <FEC, label> binding for its system interface address only by
default. The only way to originate a binding for local interfaces and routes that are
not local to the system is by using the fec-originate capability.
You must use the fec-originate command to generate bindings for all non-local
routes for which this node acts as an egress LER for the corresponding LDP FEC.
Specifically, this feature must support the FEC origination of IGP learned routes and
subscriber/host routes statically configured or dynamically learned over subscriber
IES interfaces.
An LDP LSP used as a shortcut by IPv4 packets may also be tunneled using the
LDP-over-RSVP feature.
If a base router IPv4 or IPv6 BGP route has a BGP next-hop resolved by an ECMP
IS-IS route and ibgp-multipath is configured under BGP, traffic forwarded to the
BGP next-hop is sprayed according to the load-balancing weights of the interface
next-hops.
Public Tunnel
SAP
Private Private
Service Network
Public Public
Network Service
7750
VPN
Connectivity
OSSG340
In Figure 13, the public network is typically an unsecured network, such as public
Internet, over which packets belonging to the private network in the diagram cannot
be transmitted natively. Inside the 7750 SR, a public service instance (IES or VPRN)
connects to the public network, and a private service instance (typically a VPRN)
connects to the private network.
For GRE tunnels using PXC ports, the public and private services must be two
different services, and the PXC is the connection between the two services. Traffic
from the public network may require authentication and encryption inside an IPSec
tunnel to reach the private network. In this way, the authenticity, confidentiality, and
integrity of private network access can be enforced. If authentication and
confidentiality are not required, then access to the private network may be provided
through GRE or IP-IP tunnels.