[j-nsp] Prefix independent convergence and FIB backup path

adamv0025 at netconsultings.com adamv0025 at netconsultings.com
Thu Feb 8 10:28:01 EST 2018


> Of Mark Smith
> Sent: Thursday, February 08, 2018 12:02 PM
> 
> Hi list,
> 
> Test topology below. 2x MX80 with dual ip transit (full table ~600k
> prefixes).
> TRA1 preferred over TRA2 (Localpref 200 set by PE1 import policy). Plain
> unlabeled inet.0, no mpls in use. In lab topology both transits belong to
> same AS65502.
> 
> What I'm trying to accomplish is somewhat faster failover time in case of
> primary transit failure. In case of no tuning the failover (FIB
> programming) can take up to 10 minutes.
> 
> 
> --------        --------
> | TRA1 |        | TRA2 |   AS65502
> --------        --------
>    | xe-1/3/0      | xe-1/3/0
> -------         -------
> | PE1 | --ae0-- | PE2 |    AS65501
> -------         -------
>    |
> -----------
> | test pc |
> -----------
> 
> In the lab PE1 and PE2 are MX80s running 15.1R6.7.
> I have configured BGP add-path and PIC edge (routing-options protect
> core) on both PEs.

Ok so first of all,
In order to achieve (Cisco term) BGP PIC Edge, which seems like what you are
looking for in your setup, you need to be using Juniper's "Provider Edge Link
Protection" (of which I know only the "for Layer 3 VPNs" and "for BGP Labeled
Unicast Paths" incarnations - so it seems like it's not supported for inet.0).
This feature has to be combined with:
1) advertise-external on iBGP sessions on backup or both PEs - to allow
backup PE to advertise the external transit routes to primary PE even when
those are not considered as overall best paths on the backup PE.
2) add-path on iBGP sessions from RRs to PEs (in inet.0)
3) eBGP protocol preference set to less than 170 - this is needed to avoid
the looping of packets from backup PE back to primary PE (if per VRF label
is used).

How it works:
Thanks to advertise-external and add-path, primary PE gets to know about the
alternative path via backup PE and, thanks to "Provider Edge Link Protection",
will install this path as backup (metric 0x4000) into FIB.
Data-plane wise, if primary PE loses connection to transit it will (in sub
50ms) start sending packets towards the backup PE; once these packets arrive
on backup PE, either with VPN label defining egress interface or with VPN
label defining VRF, in which case lookup in VRF table is done, and thanks to
eBGP path having a better preference, the backup PE can forward the packets
to transit - instead of looping them back to primary PE.



Juniper PIC Edge (Cisco PIC Core) (routing-options protect core)
would be enabled on PE3 that is connected to both PE1 and PE2 in your setup.
This would allow PE3 to install primary as well as backup path into FIB;
again you need to enable advertise-external (and add-path in case of RRs)
(no need to tweak protocol distance as you're comparing two iBGP paths).
How it works:
Thanks to advertise-external and add-path, ingress PE3 gets to know about the
alternative path via backup PE and, thanks to "protect core", will install
this path as backup (metric 0x4000) into FIB.
If the whole primary PE goes down or is severed from the rest of the core,
then IGP will notify PE3 that the BGP next-hop for the primary path is
unavailable at which point PE3 can switch all affected iBGP prefixes (in sub
50ms) to point to backup PE. 
Hence you also need to tweak your IGP routing change propagation timers so
that the information about the primary PE loopback is propagated across the
network to all ingress PEs (PE3 in this case) as soon as possible to
minimize the downtime.


adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::
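
The failover behaviour described in the reply above, as an added example that is not part of the original post: a toy Python model of PE1's FIB comparing per-prefix reprogramming with a pre-installed backup path shared by all prefixes. Only the 0x4000 backup metric, the interface names and the ~600k table size come from the thread; the primary weight 0x1, the class and function names, and the sample prefixes are assumptions.

```python
"""Toy model of flat vs. hierarchical (PIC) FIB failover on PE1. Constructed example."""
from dataclasses import dataclass, field
import ipaddress

BACKUP_WEIGHT = 0x4000   # backup metric quoted in the post
PRIMARY_WEIGHT = 0x1     # assumed value for the active path


@dataclass
class PathList:
    """Shared forwarding entry: every prefix with the same exits points here."""
    paths: dict = field(default_factory=dict)   # next hop -> weight
    down: set = field(default_factory=set)      # next hops currently unusable

    def active(self):
        usable = {nh: w for nh, w in self.paths.items() if nh not in self.down}
        return min(usable, key=usable.get) if usable else None


def build_prefixes(count):
    """Constructed sample prefixes: consecutive /24s starting at 10.0.0.0."""
    base = int(ipaddress.ip_address("10.0.0.0"))
    return [ipaddress.ip_network((base + i * 256, 24)) for i in range(count)]


def flat_failover(prefixes, primary, backup):
    """No backup in FIB: each prefix is rewritten once BGP reconverges."""
    fib = {p: primary for p in prefixes}
    writes = 0
    for p in fib:
        if fib[p] == primary:
            fib[p] = backup
            writes += 1
    return fib, writes


def pic_failover(prefixes, primary, backup):
    """Backup pre-installed: one write to the shared entry moves every prefix."""
    shared = PathList({primary: PRIMARY_WEIGHT, backup: BACKUP_WEIGHT})
    fib = {p: shared for p in prefixes}
    shared.down.add(primary)         # link-down event on the transit interface
    return {p: pl.active() for p, pl in fib.items()}, 1


if __name__ == "__main__":
    pfx = build_prefixes(600_000)    # roughly the full table size in the post
    for name, fn in (("flat", flat_failover), ("pic", pic_failover)):
        fib, writes = fn(pfx, "xe-1/3/0 (TRA1)", "ae0 (PE2)")
        print(name, "FIB writes:", writes, "->", fib[pfx[0]])
```

Both functions end with the same forwarding state; the difference is that the number of FIB writes grows with the table size in the flat case and stays at one when the backup is already installed.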


