Support For TI-LFA FRR Using Is-Is Segment Routing

Uploaded by

ChristopheProust
Support for TI-LFA FRR using IS-IS Segment Routing

eos.arista.com/eos-4-22-1f/support-for-ti-lfa-frr-using-is-is-segment-routing

By Sandeep Kopuri Kopuri

Contents

Description
Feature History
Platform Compatibility
Configuration
Configuring link/node protection globally on all interfaces
Configuring link/node protection on a specific interface
Configuring a local LFIB convergence delay for protected node/adjacency segments
Making locally-originated Adjacency segments backup eligible
Enable SRLG protection
Sample configuration
Show Commands
show isis segment-routing prefix-segments/adjacency-segments
show isis interface
show isis local-convergence-delay
show isis ti-lfa path
show isis segment-routing tunnel
show isis ti-lfa tunnel
show tunnel fib
show mpls lfib route
show ip route
Troubleshooting
Tracing
Limitations
Resources

Description
Topology Independent Fast Reroute, or TI-LFA, uses IS-IS SR to build loop-free alternate paths along the post-convergence path. These
loop-free alternates provide fast convergence in the sub-50 ms range.

The PLR (point of local repair, the router where TI-LFA is configured) switches to these loop-free alternate backup paths in the event of a
link down (link-protection) or BFD neighbor down (node-protection) event, protecting traffic destined to IS-IS SR node segments, adjacency
segments, and anycast segments while the IGP converges and the post-convergence paths are computed. Anycast segment protection is
restricted to those segments which are attached to prefixes with a host mask (/32 for an IPv4 address and /128 for an IPv6 address). Note that
unlike node segments, anycast segments do not have the ‘N’ flag set (the flag is described in section 2.1.1.2 of RFC 8667).

The backup paths are only installed for IS-IS SR labeled routes and tunnels corresponding to node segments, adjacency segments, and
anycast segments. When node-protection is requested, and no node-protecting LFAs are available, a link-protecting LFA is computed
instead. This feature is available with the multi-agent routing protocol model and the ribd routing protocol model.

Other traffic that resolves over IS-IS SR tunnels, such as LDP pseudowires, BGP LU tunnels, BGP IP routes, L2 EVPN, MPLS L3 VPN, etc.,
is also protected by the TI-LFA tunnel that protects the resolving IS-IS SR tunnel.

Feature History

Release        Update
EOS-4.22.1F    Initial support for Node and Link protection for SR LFIB routes
EOS-4.23.1F    Added support for MPLS SR Tunnels
EOS-4.24.1F    Added support for protecting SR Anycast segments
EOS-4.24.2F    Added support for SRLG protection of ISIS SR segments

Platform Compatibility
TI-LFA FRR using IS-IS SR is supported on Arista 7500R, 7500R2, 7500R3, 7280R, 7280R2, 7280R3 and 7800R3 family of switches
(platforms supporting HFEC).

Configuration

Configuring link/node protection globally on all interfaces


To enable link/node protection for node segments and Adjacency segments of a specific address-family learned on all IS-IS interfaces, the
following command is used in the address-family sub-mode of the router isis mode.

DUT(config-router-isis-af)# fast-reroute ti-lfa mode [({link-protection|node-protection} [level-1|level-2]) | disabled]

FRR using TI-LFA is disabled globally by default in the router IS-IS address-family sub-modes.

Configuring link/node protection on a specific interface

To enable link/node protection for node segments and Adjacency segments learned on a specific IS-IS interface, the following command is
used in the interface configuration mode.

DUT(config-if-Et1)# [no|default] isis fast-reroute ti-lfa mode {link-protection|node-protection|disabled} [level-1|level-2]

The interface TI-LFA configuration inherits the address-family sub-mode configuration by default.

On an L1-L2 router, the optional [level-1|level-2] keyword in both the router IS-IS address-family sub-mode and interface configuration mode
CLIs is used to restrict protection to node segments and Adjacency segments learned through either level-1 or level-2 topologies only.

Configuring a local LFIB convergence delay for protected node/adjacency segments


The point of local repair (PLR) switches to the TI-LFA backup path on link failure or BFD neighbor failure but switches back to the post-
convergence path once the PLR computes SPF and updates its LFIB. This sequence of events can lead to micro-loops in the topology if the
PLR converges faster than other routers along the post-convergence path. So a configuration option is provided to apply a delay, after which
the LFIB route being protected by the TI-LFA loop-free repair path will be replaced by the post-convergence LFIB route.

To configure a convergence delay only to LFIB routes that are being protected, the following command is used either in the router IS-IS mode
or the router IS-IS address-family sub-mode.

DUT(config-router-isis-af)# timers local-convergence-delay [<delay_in_seconds>] protected-prefixes

A default of 10 seconds is used when the command is used without an explicitly specified delay.

Making locally-originated Adjacency segments backup eligible


The PLR computes backup paths for an adjacency segment only if the Adjacency SID sub-TLV has the B-flag (backup flag) set.

To set the B-flag in originated Adjacency SID sub-TLVs corresponding to adjacency segments dynamically allocated on the router, the
following command is used in the segment-routing MPLS sub-mode in the router IS-IS mode.

DUT(config-router-isis-sr-mpls)# t

To set the B-flag in originated Adjacency SID sub-TLVs corresponding to adjacency segments statically configured on the router, the following
command is used in the interface configuration mode.

DUT(config-if-Et1)# adjacency-segment {ipv4|ipv6} p2p [multiple] {label <label>|index <index>} backup-eligible

backup-eligible is the newly introduced optional keyword in both the CLIs mentioned above that controls the setting of the B-flag in the
Adjacency SID sub-TLV.

Enable SRLG protection

To enable SRLG protection on all interfaces, the following command can be used. This command is used in addition to configuring link-
protection or node-protection. If SRLG protection is enabled, the backup paths will be computed after excluding all the links that share the
same SRLG with the active link that is being used by all prefix segments and adjacency segments.

DUT(config-router-isis-af)# fast-reroute ti-lfa srlg [strict]

The following command can be used to enable protection selectively on a specific interface. This command will only enable SRLG protection
for prefix segments and adjacency segments enabled on this interface.

DUT(config-intf-et1)#isis [ipv4|ipv6] fast-reroute ti-lfa srlg [strict]

If the optional argument strict is configured, the backup path is programmed only if a backup path exists that excludes all the SRLGs
configured on the primary interface. If the keyword is not provided and an SRLG-excluding path is not available, TI-LFA will program the
backup path that excludes the maximum number of SRLGs possible.

To selectively disable SRLG protection on an interface, the following command can be used. This is useful if SRLG protection is enabled
globally for all interfaces but needs to be selectively disabled for a specific interface.

DUT(config-intf-et1)#isis [ipv4|ipv6] fast-reroute ti-lfa srlg disabled
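
The strict and default (non-strict) SRLG behaviour described in this section can be modelled on a small graph. This is an added illustration, not Arista code: the topology, costs, SRLG numbers and the search order used to find the path avoiding the most SRLGs are assumptions.

```python
# Added illustration: models the SRLG "strict" vs. default behaviour described
# above. Topology, costs and SRLG numbers are constructed, and the search
# order is an assumption, not EOS's actual CSPF implementation.
import heapq
from itertools import combinations

# (node_a, node_b, cost, srlg_set) - constructed sample links
LINKS = [
    ("PLR", "R1", 10, {100, 200}),   # primary link being protected
    ("PLR", "R2", 10, {100}),        # shares SRLG 100 with the primary
    ("PLR", "R3", 10, {100, 200}),   # shares both SRLGs with the primary
    ("R2", "R1", 10, set()),
    ("R3", "R1", 10, set()),
]
PRIMARY = ("PLR", "R1")


def shortest_path(links, src, dst):
    """Plain Dijkstra over undirected links; returns (cost, path) or None."""
    adj = {}
    for a, b, cost, _ in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    heap, seen = [(0, src, [src])], set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if node in seen:
            continue
        seen.add(node)
        for nxt, c in adj.get(node, []):
            if nxt not in seen:
                heapq.heappush(heap, (cost + c, nxt, path + [nxt]))
    return None


def backup_path(links, primary, dst, strict):
    """Return (path, avoided_srlgs), or None if no backup may be programmed."""
    primary_srlgs = next(s for a, b, _, s in links if (a, b) == primary)
    candidates = [l for l in links if (l[0], l[1]) != primary]
    # Try to avoid every SRLG of the primary link first, then progressively fewer.
    for keep in range(len(primary_srlgs), -1, -1):
        best = None
        for avoid in combinations(sorted(primary_srlgs), keep):
            avoid = set(avoid)
            usable = [l for l in candidates if not (l[3] & avoid)]
            found = shortest_path(usable, primary[0], dst)
            if found and (best is None or found[0] < best[0][0]):
                best = (found, avoid)
        if best:
            return best[0][1], best[1]
        if strict:
            return None  # strict: only a path avoiding all SRLGs qualifies
    return None


if __name__ == "__main__":
    print("strict :", backup_path(LINKS, PRIMARY, "R1", strict=True))
    print("default:", backup_path(LINKS, PRIMARY, "R1", strict=False))
```

In this constructed topology every alternative first hop shares SRLG 100 with the primary link, so strict mode leaves the segment without a backup while the default mode falls back to the path via R2 that avoids only SRLG 200.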

Sample configuration

The above topology will be used to demonstrate the configuration and show command output. Here we will see the backup paths that the
PLR computes to protect the node segments of R1 and R2, the global adjacency segment on R2, and the local adjacency segment on the
Vlan2387 on the PLR.

Here is a snippet of the configuration on the PLR.

!
interface Vlan2138
   ip address 10.1.1.1/24
   isis enable inst1
   isis metric 11
   isis network point-to-point
!
interface Vlan2387
   ip address 10.1.2.1/24
   isis enable inst1
   isis network point-to-point
   adjacency-segment ipv4 p2p label 965537 backup-eligible
!
interface Vlan2968
   ip address 10.1.3.1/24
   isis enable inst1
   isis network point-to-point
   isis fast-reroute ti-lfa mode disabled
!
router isis inst1
   net 49.0001.1111.1111.1001.00
   router-id ipv4 252.252.1.252
   is-type level-2
   timers local-convergence-delay 5000 protected-prefixes
   !
   address-family ipv4 unicast
      fast-reroute ti-lfa mode node-protection
   !
   segment-routing mpls
      no shutdown
      adjacency-segment allocation sr-peers backup-eligible
!
end

The protection of anycast segments does not need any new configuration. The above configuration should enable protection of anycast
segments.

To demonstrate the protection of anycast segments consider the following topology.

R1 and R4 are originators of the host prefix 10.10.10.1/32 and advertise prefix segment 900010. Note that this should be configured as a
prefix segment and not a node segment.

R1 and R4’s configuration should look like this:

router isis inst1
...
!
interface Loopback0
   ip address 10.10.10.1/32
   isis enable inst1
!
...
!
   segment-routing mpls
      prefix-segment 10.10.10.1/32 index 10
!

The prefix in the prefix-segment command should belong to an interface enabled with IS-IS or should be an active route in the RIB of another
protocol redistributed into IS-IS.

If link or node protection is configured on the PLR then the primary path to the segment 900010 will be PLR – R1 and the backup path will be
PLR – R2 – R3 – R4. In other words, the destination in the backup path will be the segment originated by R4 as the segment originated by
R1 will not be reachable when link PLR-R1 or the node R1 goes down.

Show Commands

show isis segment-routing prefix-segments/adjacency-segments


The show isis segment-routing prefix-segments and show isis segment-routing adjacency-segments output has a field
called ‘Protection’ that displays the protection type requested by a node or adjacency segment, which is one of unprotected, node or
link. If SRLG protection is enabled, it will also be shown here.

Arista#show isis segment-routing prefix-segments
...
  Prefix            SID  Type         System ID       Level  Protection
  ----------------- ---- ------- ...  --------------- ------ ---------------------
* 10.1.1.1/32       0    Node    ...  1111.1111.1001  L2     unprotected
  10.1.1.2/32       1    Node    ...  1111.1111.1002  L2     node with SRLG loose
  10.1.1.3/32       4    Node    ...  1111.1111.1005  L2     node with SRLG strict
  10.1.1.4/32       10   Prefix  ...  1111.1111.1004  L1     node

Arista#show isis segment-routing adjacency-segments
...
Locally Originated Adjacency Segments
Adj IP Address    Local Intf  SID     Flags                Protection
----------------- ----------- ------- -------------------- ---------------------
10.1.0.1          Vl2138      100001  F:0 B:1 V:1 L:1 S:0  node
10.1.0.2          Vl2968      100002  F:0 B:1 V:1 L:1 S:0  node with SRLG loose
10.1.0.3          Vl2387      965537  F:0 B:1 V:1 L:1 S:0  node with SRLG strict

Received Global Adjacency Segments
SID       Originator      Neighbor        Flags                Protection
--------- --------------- --------------- -------------------- ----------
5         1111.1111.1005  1111.1111.1004  F:0 B:1 V:0 L:0 S:0  node

show isis interface

The show isis interface output has a per-IS-level field that displays the state of TI-LFA protection for IPv4/IPv6 prefixes learned on that
IS-IS interface.

Arista#show isis interface Vlan2387

IS-IS Instance: inst1 VRF: default

  Interface Vlan2387:
    Index: 36 SNPA: P2P
    MTU: 1497 Type: point-to-point
    BFD IPv4 is Disabled
    BFD IPv6 is Disabled
    Hello Padding is Enabled
    Level 2:
      Metric: 10, Number of adjacencies: 1
      Link-ID: 24
      Authentication mode: None
      TI-LFA node protection with SRLG loose protection is enabled for the following IPv4 segments: node segments, adjacency segments
      TI-LFA protection is disabled for IPv6

show isis local-convergence-delay


‘show isis local-convergence-delay’ shows the current/last attempt at delaying the convergence of protected routes on a link
down/BFD neighbor down event. If the timer was aborted for some reason (topology change causing a new SPF, etc.), the attempt is
considered failed.

Arista#sh isis local-convergence-delay

IS-IS Instance: inst1 VRF: default

  System ID: 1111.1111.1001
  IPv4 local convergence delay configured, 5000 msecs
  IPv6 local convergence delay configured, 5000 msecs
  Level 1 attempts 0, failures 0
  Level 2 attempts 3, failures 1

  Level 2 in progress due to LINK DOWN on Vlan2138
    TI-LFA node protection is enabled for IPv4
      IPv4 Routes delayed: 0
      Delay timer started at: 2019-07-25 23:16:33
      Delay timer expires in 2 secs
    TI-LFA protection is disabled for IPv6

  Level 2 last attempt due to LINK DOWN on Vlan2138, Succeeded
    TI-LFA node protection is enabled for IPv4
      IPv4 Routes delayed: 3
      Delay timer started at: 2019-07-25 23:14:51
      Delay timer stopped at: 2019-07-25 23:14:56
    TI-LFA protection is disabled for IPv6

The ‘detail’ keyword also lists all the routes that have been delayed.

Arista#sh isis local-convergence-delay detail
...
  Level 2 last attempt due to LINK DOWN on Vlan2138, Succeeded
    TI-LFA node protection is enabled for IPv4
      IPv4 Routes delayed: 3
      Delay timer started at: 2019-07-25 23:14:51
      Delay timer stopped at: 2019-07-25 23:14:56
      Delayed routes:
        10.0.7.1/32
        10.0.9.1/32
        10.0.10.1/32
    TI-LFA protection is disabled for IPv6

show isis ti-lfa path


‘show isis ti-lfa path’ shows the repair path with the list of all the system IDs from the P-node to the Q-node for every
destination/constraint tuple. You will see that even though node protection is configured, a link-protecting LFA is computed too. This makes it
possible to fall back to link-protecting LFAs whenever the node-protecting LFA becomes unavailable.

Arista#show isis ti-lfa path ?
  IDENTIFIER  System Identifier or hostname of the destination
  detail      Show detailed path information
  >           Redirect output to URL
  >>          Append redirected output to URL
  |           Command output pipe filters
  <cr>

Arista#show isis ti-lfa path 1111.1111.1005

TI-LFA paths for IPv4 address family
   Topo-id: Level-2
   Destination         Constraint                        Path
   1111.1111.1005      exclude node 1111.1111.1002       1111.1111.1003
                                                         1111.1111.1004
                       exclude Vlan2387                  1111.1111.1002
                       SRLG strict

Arista#show isis ti-lfa path 10.10.10.1/32

TI-LFA paths for IPv4 address family
   Topo-id: Level-1
   Destination         Constraint                        Path
   ------------------- --------------------------------- --------------
   10.10.10.1/32       exclude Vlan2387                  1111.1111.1002
                                                         1111.1111.1003
                       exclude node 1111.1111.1004       1111.1111.1002
                       SRLG strict                       1111.1111.1003

show isis segment-routing tunnel

The show isis segment-routing tunnel command displays all the IS-IS SR tunnels. The field ‘TI-LFA tunnel index’ shows the index of
the TI-LFA tunnel protecting the SR tunnel. The same TI-LFA tunnel that protects the LFIB route also protects the corresponding IS-IS SR
tunnel.

DUT# show isis segment-routing tunnel 10.0.10.1/32

 Index       Endpoint         Nexthop            Interface       Labels           TI-LFA
                                                                                  tunnel index
 ----------- ---------------- ------------------ --------------- ---------------- ------------
 4           10.0.10.1/32     10.0.0.2           Vlan2387        [ 900004 ]       0

show isis ti-lfa tunnel

The TI-LFA repair tunnels are just internal constructs that are shared by multiple LFIB routes that compute similar repair paths. show isis
ti-lfa tunnel is a command that displays TI-LFA repair tunnels with the primary and backup via information.

Arista#show isis ti-lfa tunnel ?
  <0-17592186044415>  Tunnel Index
  >                   Redirect output to URL
  >>                  Append redirected output to URL
  |                   Command output pipe filters
  <cr>

Arista#show isis ti-lfa tunnel 1

Tunnel Index 1
   via 10.0.1.2, 'Vlan2968'
      label stack 3
   backup via 10.0.0.2, 'Vlan2387'
      label stack 900004 900002

show tunnel fib


The show tunnel fib command, which displays tunnels programmed in the tunnel FIB, also includes the TI-LFA tunnels along with protected
IS-IS SR tunnels.

Arista#show tunnel fib ti-lfa 1

Type 'TI-LFA', index 1, forwarding None
   via 10.0.1.2, 'Vlan2968'
      label stack 3
   backup via 10.0.0.2, 'Vlan2387'
      label stack 900004 900002

Arista# sh tunnel fib isis segment-routing

Type 'IS-IS SR', index 1, endpoint 2002::b00:201/128, forwarding Primary
   via TI-LFA tunnel index 3 label 3
      via fe80::200:76ff:fe01:0, 'Ethernet30/1' label 900002
      backup via fe80::200:76ff:fe03:0, 'Ethernet26/1' label 132769

Type 'IS-IS SR', index 2, endpoint 2002::b00:101/128, forwarding Primary
   via TI-LFA tunnel index 4 label 3
      via fe80::200:76ff:fe01:0, 'Ethernet30/1' label 3
      backup via fe80::200:76ff:fe03:0, 'Ethernet26/1' label 132769 900001

show mpls lfib route


‘show mpls lfib route’ displays the backup information along with the primary vias for all node or adjacency segments that have TI-LFA
backup paths computed. The following is the ‘show mpls lfib route’ output for the sample topology depicted above.

Arista#sh mpls lfib route 900005
...
IP 900004 [1], 10.0.10.1/32
   via TI-LFA tunnel index 0, swap 900004
      payload autoDecide, ttlMode uniform, apply egress-acl
      via 10.0.0.2, Vlan2387, label imp-null(3)
      backup via 10.0.1.2, Vlan2968, label 100001

Arista#sh mpls lfib route 900005
...
IA 900005 [1]
   via TI-LFA tunnel index 0, swap 900005
      payload autoDecide, ttlMode uniform, apply egress-acl
      via 10.0.0.2, Vlan2387, label imp-null(3)
      backup via 10.0.1.2, Vlan2968, label 100001

Arista#sh mpls lfib route 900002
...
IP 900002 [1], 10.0.8.1/32
   via TI-LFA tunnel index 1, pop
      payload autoDecide, ttlMode uniform, apply egress-acl
      via 10.0.1.2, Vlan2968, label imp-null(3)
      backup via 10.0.0.2, Vlan2387, label 900004 900002

show ip route
When services like LDP pseudowires, BGP LU, L2 EVPN or L3 MPLS VPN use IS-IS SR tunnels as an underlay, these services are
automatically protected by the TI-LFA tunnels that protect the IS-IS SR tunnels. The ‘show ip route’ command displays the hierarchy of the
overlay, underlay and TI-LFA tunnels as shown below.

B 2001:db8:3::/48 [200/0]
   via 2002::b00:301/128, IS-IS SR tunnel index 3, label 122697
      via TI-LFA tunnel index 5, label imp-null(3)
         via fe80::200:76ff:fe03:0, Ethernet26/1, label imp-null(3)
         backup via fe80::200:76ff:fe01:0, Ethernet30/1, label 900002 900003

Troubleshooting
When an IS-IS SR LFIB route or a tunnel corresponding to a node segment or an adjacency segment that is expected to have backup paths
does not show backup paths in ‘show mpls lfib route’ or ‘show tunnel fib’, follow this sequence of steps to possibly find the reason
why a backup path hasn’t been computed.

1. Check the output of ‘show isis segment-routing prefix-segments’ or ‘show isis segment-routing adjacency-segments’
   and confirm that the node or adjacency segment is eligible for protection. If the Protection field for a node segment or adjacency
   segment is ‘Unprotected’ but TI-LFA is configured on the interface on which the segment is learned, go to the last step.
2. Check the output of ‘show isis ti-lfa path <destination>’ where destination is the system ID or hostname of the originator
   of the node segment or global adjacency segment. If the adjacency segment being protected is a local adjacency segment,
   destination is the system ID or hostname of the router on the other side of the link where the adjacency segment is configured. If it
   indicates ‘Path not found’ for a destination/constraint tuple in the output, that would indicate there was no post-convergence path
   available. If that is not true, go to the last step.
3. Verify that a segment-routing label stack can be built for the explicit backup path listed for the system ID in the output of the command
   above. The output of ‘show isis ti-lfa path’ lists the explicit repair path from the P-node to the Q-node.
   - Ensure that the P-node has a node segment associated with it, if it is not the neighbor of the PLR.
   - Ensure that there are adjacency segments that can be used to build a label stack to go from the P-node to the Q-node.
   - If the destination node segment/adjacency segment does not belong to the Q-node, ensure that the Q-node has a label binding
     (see ‘show mpls segment-routing bindings’).
4. At this point, we have eliminated any topology-related issues that could have caused the non-computation of backup paths. For further
   debugging, collect:
   - /var/log/qt/Rib*.qt, /var/log/qt/Isis*.qt, /var/log/qt/Mpls.qt, /var/log/qt/Cspf.qt
   - The output of show tech-support extended cspf
   - show tech-support ribd in ribd agent mode or show tech-support extended isis in multi agent mode.
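
The first troubleshooting step, together with the B-flag requirement for adjacency segments, can be scripted against saved CLI output. This is an added example, not part of the original document; the sample text is constructed in the layout of the adjacency-segments output shown earlier, real output may differ in spacing or columns, and the function names and result codes are hypothetical.

```python
# Added example: triage "unprotected" adjacency segments from saved output of
# 'show isis segment-routing adjacency-segments'. SAMPLE is constructed text
# in the layout shown on this page, not a capture from a real switch.
import re

SAMPLE = """\
Locally Originated Adjacency Segments
Adj IP Address    Local Intf  SID     Flags                Protection
----------------- ----------- ------- -------------------- ---------------------
10.1.0.1          Vl2138      100001  F:0 B:1 V:1 L:1 S:0  node with SRLG loose
10.1.0.2          Vl2968      100002  F:0 B:0 V:1 L:1 S:0  unprotected
10.1.0.3          Vl2387      965537  F:0 B:1 V:1 L:1 S:0  unprotected
"""

# One data row: adjacency IP, interface, SID, a run of X:0/X:1 flags, then
# the free-text Protection column up to the end of the line.
ROW = re.compile(
    r"^(?P<adj>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<sid>\d+)\s+"
    r"(?P<flags>(?:[A-Z]:[01]\s+)+)(?P<protection>.+?)\s*$"
)


def parse_adjacency_segments(text):
    """Return one dict per data row; headers and separators are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue
        flags = dict(flag.split(":") for flag in m["flags"].split())
        rows.append({
            "adj": m["adj"],
            "intf": m["intf"],
            "sid": int(m["sid"]),
            "flags": flags,
            "protection": m["protection"],
        })
    return rows


def triage(rows):
    """Classify unprotected segments as (interface, SID, code) tuples.

    b-flag-clear           : B-flag is 0, so the PLR will not compute a backup;
                             originate the segment with backup-eligible.
    check-interface-config : B-flag is 1; confirm TI-LFA is configured on the
                             interface, then continue with the later steps.
    """
    findings = []
    for row in rows:
        if row["protection"].lower() != "unprotected":
            continue
        code = "b-flag-clear" if row["flags"].get("B") != "1" else "check-interface-config"
        findings.append((row["intf"], row["sid"], code))
    return findings


if __name__ == "__main__":
    for intf, sid, code in triage(parse_adjacency_segments(SAMPLE)):
        print(f"{intf} SID {sid}: {code}")
```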

Tracing
Disclaimer: In some cases, enabling tracing can seriously impact the performance of the switch. Please use it cautiously and seek advice
from an Arista representative before enabling it in any production environment.

Useful tracing for debugging issues in the backup path computation includes:

DUT(config)# trace Mpls setting LfibGenSm/*,SrAdjacencyLfibGenSm/*,TiLfaCspfRequestSm/*,TiLfaCspfResponseSm/*,TiLfaDedupTunnelTable/*,TiLfaRoot/*
DUT(config)# trace <routing_agent_name> setting SegmentRoutingImpl/*
where routing_agent_name is Rib in single agent mode and Isis in multi-agent mode.
DUT(config)# trace Cspf setting CspfAgent/*,CspfVrfRoot/*,CspfConstraintInfoSm/*,CspfDedupPqInfo/*,CspfImpl/*,CspfPathSm/*,TopoDb/*,CspfPqComputeSm/*
DUT(config)# trace Tunnel setting TunnelFibSm/*,TunnelRibSm/*

Limitations
- Backup paths are not computed for prefix segments that do not have a host mask (/32 for v4 and /128 for v6).
- When TI-LFA is configured, the number of anycast segments generated by a node cannot exceed 10.
- Computing TI-LFA backup paths for proxy node segments is not supported.
- Backup paths are not computed for node segments corresponding to multi-homed prefixes. The multi-homing could be the result of
  them being anycast node segments, loopback interfaces on different routers advertising SIDs for the same prefix, node segments
  leaked between levels, and thus being seen as originated from multiple L1-L2 routers.
- Backup paths are only computed for segments that are non-ECMP.
- Only IS-IS interfaces that are using the point-to-point network type are eligible for protection.
- Link/node protection is only supported in the default VRF owing to the lack of non-default VRF support for IS-IS segment-routing.
- Backup paths are computed in the same IS-IS level topology as the primary path.
- Even with IS-IS GR configured, ASU2, SSO, agent restart are not hitless events for IS-IS SR LFIB routes or tunnels being protected by
  backup paths.

Resources
Topology Independent Fast Reroute using Segment Routing

IS-IS Segment Routing Extensions

IS-IS Segment Routing TOI

RFC 8667
