Segment Routing Microloop Avoidance – 微环避免
对于SR的微环避免,很多人不是特别清楚细节,所以我将在此简单总结下,希望对阅读此篇文章的人有所帮助,我会围绕以下几个话题展开讨论:
- 微环路是什么?微环避免能做什么?
- 微环避免跟TI-LFA有什么关系?
- 微环避免和TI-LFA同时存在的情况下,是否都会有作用?
为了方便大家理解,我将用一个topology来讨论我们今天涉及的所有内容,关于这部分更详细的内容,可以参阅SR卷一的9.10章节,以及SR卷二的8.11.1章节;另外此分析只作为问题验证说明,不能直接拿到现网使用,如40s的delay等,这些需要根据IGP的Scales以及硬件的收敛性能来做调整
Topology
- R7和R4直接的IGP Metric为1000,其余所有Link的默认IGP Metric均为10;
- 橘黄色为收敛前路径,草绿色为收敛后路径
- Trex从R6到R4发送20Mbps(1200byte,2kpps)流量,激活流为2条,分别是L3VPN和EVPN流量,下面是流量速率情况
- 由于测试环境简单,为了模拟微环路的产生,会在某些设备上调慢路由收敛时间来模拟收敛时间的差异
- 测试开始前清除Trex中的所有统计,收敛完成后等1分钟时间,然后停止流量,截取统计
- 所有测试设备均为Xrv9k,版本7.0.1
什么是微环路
首先来看下什么是微环路?其实简单来说就是由于每台设备收敛时间不一致,导致了短暂的环路,这种问题一直伴随着IP的发展直到今天。有人可能会问,如果是同样的设备(具有同样的硬件)是不是就没有微环路了?其实即使设备硬件完全一致,也无法保证CPU及内存(不限于此,还有NP/Asic等其他组件)的消耗完全一致,所以在CPU及硬件计算IGP变化并发送更新这段时间内,就导致了速度差异,从而产生了微环路。
那在没有SR之前,业界是如何处理微环路的?确实业界想了很多方法,但都不是很满意,要么只能解决本地微环路,要么就是太复杂,不适合大规模部署(具体看前面说的SR卷一),直到 Segment Routing 的出现,才打破了僵局。
为什么现在提微环路
之前IGP的收敛时间较长(即使做了优化),微环路被整体收敛时间掩盖了,但有了Ti-LFA后,IGP收敛被降低到了50ms之内,所以此时微环路的影响就被放大了,从而再次跳进大众的视野
微环避免
在进入讨论前,简单总结下微环避免技术,在这里思科支持两种微环避免技术,远端微环避免(也叫SR微环避免)使用范围更广
- 本地微环避免:启动CLI为 “microloop avoidance”,在此模式下,该设备会延迟 RIB 更新时间,让Ti-LFA的路径保持到延迟超时,大概过程为 “该设备链路down -> Ti-LFA 保护 -> backup 路径保持设置的时间 -> 超时撤销并更新RIB表象”;注意此模式只能被Link Down触发
- 远端微环避免:启动CLI为“microloop avoidance segment-routing”,在此模式下,该设备不会延迟RIB更新,而是先收敛,然后安装一条无微环的显示路径,这个路径通过auto tunnel才完成,大概过程为“[该设备链路down -> Ti-LFA 保护 -> 收敛完成 -> 算出一条无微环路径, 并替换原来的Ti-LFA路径] -> 设置延迟超时后,撤销这个显示路径” ;此模式可以被多种场景触发:
- 链路 Down(包括 BFD down)
- 链路 Up
- Metric变更
- Overload bit 设置/清除
对于Ti-LFA,它可以在link down的场景中提供保护,让丢包影响降到最低(50ms);其他的场景如上面说的Link up,Metric变更及Overload bit变更,通过微环避免理论可以做到0丢包
默认情况,无Ti-LFA和微环避免
默认情况下,即没Ti-LFA,也没微环路避免,当R1和R8的链路发生故障,会发生什么?通过下面图例可以很容易理解之间的关系(注意这里标注的收敛时间,只是一个示例,因为比较容易说明问题),所以在默认情况下,业务影响会持续300ms(根据第1个测试结果,总共丢了184个报文)
开启Ti-LFA
Ok,那么我们来看下,如果我们在R8上开启了Ti-LFA,会有什么结果?可以看到T2的收敛时间减少到50ms以内,因为已经有backup的路径预先写进了R8的HW Cef,由于干净简单的测试环境,R7和R8基本同时完成了收敛,所以总共业务影响时间为50ms,Ti-LFA的切换时间(根据第2个测试结果,总共丢了0个报文)
Ti-LFA + 本地微环路场景
为了模拟真实环境,增加R7的LSP更新时间,这样会导致R7的收敛时间大于R8的收敛时间,由于R8完成收敛后,会撤销Ti-LFA的路径(R7的Prefix-sid,R7跟R4的Adj-sid),所以R8会基于更新后的路径(R4的Prefix-sid)转发,但此时R7还没更新完,在R7上R4的Prefix-sid仍然从R8学来,所以就造成了微环路。因此将会有100ms的业务影响,总共业务影响时间为150ms。因此即使有Ti-LFA的保护,有时候也会因为微环路导致收敛时间大于50ms(根据第3个测试结果,总共丢了21499个报文)
Ti-LFA + 本地微环避免
我们来看看本地微环避免机制,在这个场景中,这个微环对R8来说属于本地微环,R8上开启本地微环避免后,路由RIB更新将delay一定时间x,Ti-LFA的路径保持x s后才撤销,所以微环被避免了,因为Ti-LFA的备份路径已经考虑微环的可能性了,因此理论上业务影响时间只跟Ti-LFa 硬件表项切换的时间相等,所以应该在50ms以内(根据第4个测试结果,总共丢了0个报文)
Ti-LFA + 远端微环路场景
上面讨论的是本地微环及避免机制,现在我们来聊聊远端微环路,那么什么是远端微环路?用下图说明会相对简单,在 R2开启了本地微环避免和Ti-LFA,跟刚才R8的场景类似,故障发生时,R2会延迟Rib更新走Ti-LFA,这样对数据增加了两个标签<16007, 24003>做保护,但对于中间设备R1、R8和R7来说,即使都开了本地微环路避免,但由于这些设备的链路没有down,所以不会触发本地微环避免机制,那么仍然会指向R2,所以R1,R8和R7在完成收敛前都会导致微环路(根据第5个测试结果,总共丢了20716个报文)
Ti-LFA + 远端微环避免
让我们在R2和R8上开启远端微环路。开启后,该设备都会根据自身情况独自完成各自的微环避免,与路径上设备的收敛顺序无关。这样为大规模部署提供了前提(如果避免机制需要依赖并同步完成,那么无法避免“同步收敛”的问题)。R2微环避免的触发是通过link down,而R8则是通过路由收敛触发远端微环避免。触发后,R2和R8独自完成收敛,并使用自动计算的路径(这个路径跟Ti-LFA计算的路径一致<16007,24003>,无微环),延迟超时后,切换到收敛后的路径即可。在只有R2和R8实现微环避免,并在现有场景中,整个收敛影响被控制在50ms内(更详细的信息可以看第6个测试,测试结果只丢了1018个报文)
为了达到最好的微环避免效果,全网开启SR微环避免,分析后整个处理过程如下图所示,注意标红的那根时间线,也就是说网络设备中最差的收敛延迟应该 < = T1 + T2 + T3,如果大于这个值,那么微环路有可能仍然存在;另外因为行为是独立的,所以在不同时间段,流量走向也会不尽相同,打个比方,如果R6先于R8收敛完并安装了显示路径,那么流量会直接被调度到R7并根据<16007, 24003>传给R4,这期间流量不会再从R8->R1,但R8仍然会走完远端微环避免的流程,因为此时可能会有流量从R8到R4,而不是只有R6到R4;(更详细的信息可以看第7个测试,测试结果总共丢了0个报文)
微环避免之链路UP
前面一直在讨论链路down的场景,链路up的微环路是什么情况?我们可以看下面的图例,最坏的收敛场景:T1 -> T2 -> T3 -> T4,那么随之而来的就是R8和R1,R1和R2之间的微环路。为了达到测试效果,关闭SR微环避免并根据最坏收敛场景来改变LSP update的时间(R8 10s; R1 20s; R2 30s; ),CLI为“spf-interval maximum-wait 60000 initial-wait x0000”,测试结果符合预期,丢包大小为“41627”(更详细的信息可以看第8个测试,测试结果总共丢了41627个报文)
这种场景Ti-LFA是不能解决的,本地微环避免也不能解决,所以只能通过SR微环避免来解决。我们在上面实验的基础上启动SR微环避免,LSP更新延迟不改变,在这种情况下打开R2和R4之间的链路,我们发现已经没有业务影响了,因为微环路已经被避免了(更详细的信息可以看第9个测试,测试结果总共丢了0个报文)
实际测试结果
1st. 默认情况下
2nd. 在R8开启Ti-LFA
RP/0/RP0/CPU0:R8(config)#show config Sat Mar 7 09:50:04.004 UTC Building configuration... !! IOS XR Configuration 7.0.1 router isis srte interface GigabitEthernet0/0/0/1 address-family ipv4 unicast fast-reroute per-prefix fast-reroute per-prefix ti-lfa ! ! interface GigabitEthernet0/0/0/2 address-family ipv4 unicast fast-reroute per-prefix fast-reroute per-prefix ti-lfa ! ! interface GigabitEthernet0/0/0/3 address-family ipv4 unicast fast-reroute per-prefix fast-reroute per-prefix ti-lfa ! ! ! end RP/0/RP0/CPU0:R8#sh isis fast-reroute 192.168.0.4/32 Sat Mar 7 09:56:45.863 UTC L2 192.168.0.4/32 [30/115] via 18.1.1.1, GigabitEthernet0/0/0/3, R1, SRGB Base: 16000, Weight: 0 Backup path: TI-LFA (link), via 78.1.1.7, GigabitEthernet0/0/0/2 R7, SRGB Base: 16000, Weight: 0, Metric: 1010 P node: R7.00 [192.168.0.7], Label: ImpNull Q node: R4.00 [192.168.0.4], Label: 24003 Prefix label: ImpNull Backup-src: R4.00
3rd. 在R7模拟微环路
RP/0/RP0/CPU0:R7(config)#show config Sat Mar 7 10:07:09.335 UTC Building configuration... !! IOS XR Configuration 7.0.1 router isis srte address-family ipv4 unicast spf-interval maximum-wait 20000 initial-wait 10000 ! ! end
4th. 在R8开启本地微环避免
RP/0/RP0/CPU0:R8(config-isis-af)#show config Tue Mar 10 23:37:08.614 UTC Building configuration... !! IOS XR Configuration 7.0.1 router isis srte address-family ipv4 unicast microloop avoidance microloop avoidance rib-update-delay 40000 ! ! end RP/0/RP0/CPU0:R8(config-isis-af)#commit Tue Mar 10 23:37:15.376 UTC RP/0/RP0/CPU0:R8(config-isis-af)#do sh isis | i "Microloop|RIB|State" Tue Mar 10 23:37:49.019 UTC Microloop avoidance: Enabled Configuration: Type: All prefixes, RIB update delay: 40000 msec
从下面可以看到,当R8的link down时,RIB的信息保持不变,因为RIB暂时被抑制了,但硬件中其实已经被Ti-LFA保护了,所以测试结果是0丢包
RP/0/RP0/CPU0:R8(config)#int gi0/0/0/3 RP/0/RP0/CPU0:R8(config-if)#shut RP/0/RP0/CPU0:R8(config-if)#commit Tue Mar 10 23:52:04.200 UTC <<< RP/0/RP0/CPU0:R8(config-if)#do sh route 192.168.0.4 Tue Mar 10 23:52:12.660 UTC <<< Routing entry for 192.168.0.4/32 Known via "isis srte", distance 115, metric 30, labeled SR, type level-2 Installed Mar 10 23:51:28.804 for 00:00:44 <<< not update, delay Routing Descriptor Blocks 18.1.1.1, from 192.168.0.4, via GigabitEthernet0/0/0/3, Protected Route metric is 30 78.1.1.7, from 192.168.0.4, via GigabitEthernet0/0/0/2, Backup (TI-LFA) Repair Node(s): 192.168.0.7, 192.168.0.4 Route metric is 1010 No advertising protos.
5th. R2上的本地微环避免和Ti-LFA
在R2上开启微环避免和Ti-LFA,backup 路径的第一跳在R7上,注意R7上的lsp delay我没去掉,就是为了验证
RP/0/RP0/CPU0:R2(config-isis-af)#show config Wed Mar 11 00:01:30.588 UTC Building configuration... !! IOS XR Configuration 7.0.1 router isis srte address-family ipv4 unicast microloop avoidance microloop avoidance rib-update-delay 40000 ! interface GigabitEthernet0/0/0/0 address-family ipv4 unicast fast-reroute per-prefix fast-reroute per-prefix ti-lfa ! ! interface GigabitEthernet0/0/0/2 address-family ipv4 unicast fast-reroute per-prefix fast-reroute per-prefix ti-lfa ! ! ! end RP/0/RP0/CPU0:R2(config-isis-af)#commit Wed Mar 11 00:01:52.481 UTC RP/0/RP0/CPU0:R2(config-isis-af)#end RP/0/RP0/CPU0:R2#sh isis fast-reroute 192.168.0.4/32 Wed Mar 11 00:01:58.034 UTC L2 192.168.0.4/32 [10/115] via 24.1.1.4, GigabitEthernet0/0/0/2, R4, SRGB Base: 16000, Weight: 0 Backup path: TI-LFA (link), via 12.1.1.1, GigabitEthernet0/0/0/0 R1, SRGB Base: 16000, Weight: 0, Metric: 1030 P node: R7.00 [192.168.0.7], Label: 16007 <<< Q node: R4.00 [192.168.0.4], Label: 24003 <<< Prefix label: ImpNull Backup-src: R4.00
关闭R2与R4之间的链路,可以看到只有R2的RIB被抑制了
RP/0/RP0/CPU0:R2(config-if)#show config Wed Mar 11 00:17:16.306 UTC Building configuration... !! IOS XR Configuration 7.0.1 interface GigabitEthernet0/0/0/2 shutdown ! end RP/0/RP0/CPU0:R2(config-if)#commit Wed Mar 11 00:17:31.271 UTC <<< shutdown time RP/0/RP0/CPU0:R2(config-if)#end RP/0/RP0/CPU0:R2# RP/0/RP0/CPU0:R2#sh route 192.168.0.4/32 det Wed Mar 11 00:17:34.813 UTC <<< Routing entry for 192.168.0.4/32 Known via "isis srte", distance 115, metric 10, labeled SR, type level-2 Installed Mar 10 23:59:26.405 for 00:18:08 <<< update delay Routing Descriptor Blocks 12.1.1.1, from 192.168.0.4, via GigabitEthernet0/0/0/0, Backup (TI-LFA) Repair Node(s): 192.168.0.7, 192.168.0.4 Route metric is 1030 Labels: 0x3e87 0x5dc3 (16007 24003) Tunnel ID: None Binding Label: None Extended communities count: 0 Path id:65 Path ref count:1 NHID:0x1(Ref:16) 24.1.1.4, from 192.168.0.4, via GigabitEthernet0/0/0/2, Protected Route metric is 10 Label: 0x3 (3) Tunnel ID: None Binding Label: None Extended communities count: 0 Path id:1 Path ref count:0 NHID:0x2(Ref:15) Backup path id:65 Route version is 0x19 (25) ......
我们来看看R8的信息,它也配置了本地微环避免,由于不是R8本身的事件,所以没有触发,符合我们的预期,因此本地微环无法解决这种场景
RP/0/RP0/CPU0:R8#sh route 192.168.0.4/32 det Wed Mar 11 00:17:33.650 UTC <<< Routing entry for 192.168.0.4/32 Known via "isis srte", distance 115, metric 1010, labeled SR, type level-2 Installed Mar 11 00:17:30.484 for 00:00:03 <<< updated Routing Descriptor Blocks 78.1.1.7, from 192.168.0.4, via GigabitEthernet0/0/0/2 Route metric is 1010 Label: 0x3e84 (16004) Tunnel ID: None Binding Label: None Extended communities count: 0 Path id:1 Path ref count:0 NHID:0x2(Ref:6) Route version is 0x1a (26) Local Label: 0x3e84 (16004) ......
6th. 在R2和R8上开启SR微环避免
远端微环避免CLI跟本地类似,只是要把SR的关键字加上,另外根据平台的不同,加上“ipv4 unnumbered mpls traffic-eng Loopback0”,如NCS5500不需要加,但ASR9k/Xrv9k需要加(我手里没有NCS5500,如果以后有机会验证,到时再更新下),如下所示:
(config-isis-af)#show config Wed Mar 11 00:35:51.194 UTC Building configuration... !! IOS XR Configuration 7.0.1 ipv4 unnumbered mpls traffic-eng Loopback0 <<< router isis srte address-family ipv4 unicast microloop avoidance segment-routing microloop avoidance rib-update-delay 40000 !
开启后,关闭R2与R4之间的链路,然后我们来看看R2上的信息,可以看到auto tunnel已经建立了,并使用了SR的label<16007, 24003>,RIB已经跟其关联;fast-reroute中我们可以看到针对不同IGP都会关联一个无微环的路径,保证从这个设备到其他节点的流量都被保护
RP/0/RP0/CPU0:R2(config)#int gi0/0/0/2 RP/0/RP0/CPU0:R2(config-if)#shut RP/0/RP0/CPU0:R2(config-if)#commit Wed Mar 11 01:21:16.016 UTC RP/0/RP0/CPU0:R2(config-if)#end RP/0/RP0/CPU0:R2#sh isis | i "Microloop|RIB|State" Wed Mar 11 01:21:19.919 UTC Microloop avoidance: Enabled Configuration: Type: Segment routing, RIB update delay: 40000 msec State: Active, Duration: 3824 ms, Event Link down, Near: R2.00 Far: R4.00 <<< RP/0/RP0/CPU0:R2#sh route 192.168.0.4/32 det Wed Mar 11 01:21:20.070 UTC Routing entry for 192.168.0.4/32 Known via "isis srte", distance 115, metric 1030, labeled SR, type level-2 Installed Mar 11 01:21:16.925 for 00:00:03 Routing Descriptor Blocks directly connected, via tunnel-te32774 <<< Route metric is 1030 Label: 0x3 (3) Tunnel ID: None Binding Label: None Extended communities count: 0 Path id:1 Path ref count:0 NHID:0x0(Ref:0) Route version is 0x2c (44) Local Label: 0x3e84 (16004) ...... RP/0/RP0/CPU0:R2#sh isis route 192.168.0.4/32 det Wed Mar 11 01:21:20.287 UTC L2 192.168.0.4/32 [1030/115] Label: 16004, medium priority via 12.1.1.1, GigabitEthernet0/0/0/0, R1, SRGB Base: 16000, Weight: 0 exp 12.1.1.1, GigabitEthernet0/0/0/0, R1, SRGB Base: 16000, Weight: 0 via tunnel tunnel-te32774 P node: R7.00 [192.168.0.7], Label: 16007 Q node: R4.00 [192.168.0.4], Label: 24003 src R4.00-00, 192.168.0.4, prefix-SID index 4, R:0 N:1 P:0 E:0 V:0 L:0, Alg:0, prefix-SID index 804, R:0 N:1 P:0 E:0 V:0 L:0, Alg:128 RP/0/RP0/CPU0:R2#sh isis fast-reroute tunnel Wed Mar 11 01:21:20.424 UTC IS-IS srte SRTE backup tunnels tunnel-te32775, state up, type primary-uloop Outgoing interface: GigabitEthernet0/0/0/0 Next hop: 12.1.1.1 Label stack: 16007 Prefix: 47.1.1.0/24 tunnel-te32772, state up, type primary-uloop Outgoing interface: GigabitEthernet0/0/0/0 Next hop: 12.1.1.1 Label stack: 16806 Prefix: 192.168.0.6/32(128) tunnel-te32773, state up, type primary-uloop Outgoing interface: GigabitEthernet0/0/0/0 Next hop: 12.1.1.1 Label stack: 16807 Prefix: 192.168.0.4/32(128) tunnel-te32774, state up, type primary-uloop <<< Outgoing interface: GigabitEthernet0/0/0/0 Next hop: 12.1.1.1 Label stack: 16007, 24003 <<< Prefix: 24.1.1.0/24 192.168.0.4/32
我们来看看R8的信息,远端微环避免触发,并保护
RP/0/RP0/CPU0:R8#sh isis | i "Microloop|RIB|State" Wed Mar 11 01:21:18.702 UTC Microloop avoidance: Enabled Configuration: Type: Segment routing, RIB update delay: 40000 msec State: Active, Duration: 3821 ms, Event Link down, Near: R2.00 Far: R4.00 RP/0/RP0/CPU0:R8#sh route 192.168.0.4/32 det Wed Mar 11 01:21:18.844 UTC Routing entry for 192.168.0.4/32 Known via "isis srte", distance 115, metric 1010, labeled SR, type level-2 Installed Mar 11 01:21:15.591 for 00:00:03 Routing Descriptor Blocks directly connected, via tunnel-te32773 <<< Route metric is 1010 Label: 0x3 (3) Tunnel ID: None Binding Label: None Extended communities count: 0 Path id:1 Path ref count:0 NHID:0x0(Ref:0) RP/0/RP0/CPU0:R8#sh isis route 192.168.0.4/32 det Wed Mar 11 01:21:19.051 UTC L2 192.168.0.4/32 [1010/115] Label: 16004, medium priority via 78.1.1.7, GigabitEthernet0/0/0/2, R7, SRGB Base: 16000, Weight: 0 exp 78.1.1.7, GigabitEthernet0/0/0/2, R7, SRGB Base: 16000, Weight: 0 via tunnel tunnel-te32773 P node: R7.00 [192.168.0.7], Label: ImpNull <<< Q node: R4.00 [192.168.0.4], Label: 24003 <<< src R4.00-00, 192.168.0.4, prefix-SID index 4, R:0 N:1 P:0 E:0 V:0 L:0, Alg:0, prefix-SID index 804, R:0 N:1 P:0 E:0 V:0 L:0, Alg:128 RP/0/RP0/CPU0:R8#sh isis fast-reroute tunnel Wed Mar 11 01:21:19.174 UTC IS-IS srte SRTE backup tunnels tunnel-te32773, state up, type primary-uloop Outgoing interface: GigabitEthernet0/0/0/2 Next hop: 78.1.1.7 Label stack: 24003 <<< Prefix: 24.1.1.0/24 192.168.0.4/32
我们来看下流量情况,奇怪的是我们发现有些丢包,这些丢包怎么来的?注意我们只在R2和R8上开启了SR微环避免,流量从R1转发到R2,R2最开始通过Ti-LFA保护后转给R1,此时R1还没收敛,仍然认为通过R2到R4是最优的,因此R1和R2之间的微环路导致了业务影响
7th. 全网开启SR微环避免
除了R2和R8外,在R6,R1和R7上开启SR微环避免,由于配置跟之前是一样的,所以在此省略。分析跟上面类似,在R6和R1上分别通过SR 微环避免保护,唯一要多说一句的,如果R6的收敛比R4和R8快,那么大部分流量会被直接发给R7(<16007, 24003>),而不会通过R8到R2,然后通过R2的Ti-LFA再绕回来,这也是SR微环避免的优势。我们直接来看下结果即可
注意R2关闭link的时间:
RP/0/RP0/CPU0:R2#config Wed Mar 11 02:09:54.798 UTC iRP/0/RP0/CPU0:R2(config)#int gi0/0/0/2 RP/0/RP0/CPU0:R2(config-if)#shut RP/0/RP0/CPU0:R2(config-if)#commit Wed Mar 11 02:09:59.041 UTC <<<
我们只看下R6的信息:
RP/0/RP0/CPU0:R6#sh isis | i "Microloop|RIB|State" Wed Mar 11 02:10:00.182 UTC Microloop avoidance: Enabled Configuration: Type: Segment routing, RIB update delay: 40000 msec State: Active, Duration: 2183 ms, Event Link down, Near: R2.00 Far: R4.00 RP/0/RP0/CPU0:R6#sh route 192.168.0.4/32 det Wed Mar 11 02:10:00.298 UTC Routing entry for 192.168.0.4/32 Known via "isis srte", distance 115, metric 1020, labeled SR, type level-2 Installed Mar 11 02:09:58.130 for 00:00:02 Routing Descriptor Blocks directly connected, via tunnel-te32777 <<< Route metric is 1020 Label: 0x3 (3) ...... RP/0/RP0/CPU0:R6#sh isis route 192.168.0.4/32 det Wed Mar 11 02:10:00.455 UTC L2 192.168.0.4/32 [1020/115] Label: 16004, medium priority via 68.1.1.8, GigabitEthernet0/0/0/0, R8, SRGB Base: 16000, Weight: 0 exp 68.1.1.8, GigabitEthernet0/0/0/0, R8, SRGB Base: 16000, Weight: 0 via tunnel tunnel-te32777 P node: R7.00 [192.168.0.7], Label: 16007 <<< Q node: R4.00 [192.168.0.4], Label: 24003 <<< src R4.00-00, 192.168.0.4, prefix-SID index 4, R:0 N:1 P:0 E:0 V:0 L:0, Alg:0, prefix-SID index 804, R:0 N:1 P:0 E:0 V:0 L:0, Alg:128 RP/0/RP0/CPU0:R6#sh isis fast-reroute tunnel Wed Mar 11 02:10:00.616 UTC IS-IS srte SRTE backup tunnels tunnel-te32776, state up, type primary-uloop Outgoing interface: GigabitEthernet0/0/0/0 Next hop: 68.1.1.8 Label stack: 16801 Prefix: 192.168.0.2/32(128) tunnel-te32777, state up, type primary-uloop <<< Outgoing interface: GigabitEthernet0/0/0/0 Next hop: 68.1.1.8 Label stack: 16007, 24003 Prefix: 24.1.1.0/24 192.168.0.4/32
8th. SR微环路 – 链路UP场景
关闭SR微环避免并延长LSP更新时间,然后看测试结果
RP/0/RP0/CPU0:R6#config Wed Mar 11 02:22:46.662 UTC RP/0/RP0/CPU0:R6(config)#router isis srte RP/0/RP0/CPU0:R6(config-isis)# address-family ipv4 unicast RP/0/RP0/CPU0:R6(config-isis-af)#no microloop avoidance segment RP/0/RP0/CPU0:R6(config-isis-af)#no microloop avoidance rib-update-delay 40000 RP/0/RP0/CPU0:R6(config-isis-af)#commit RP/0/RP0/CPU0:R7(config)#router isis srte RP/0/RP0/CPU0:R7(config-isis)# address-family ipv4 unicast RP/0/RP0/CPU0:R7(config-isis-af)#no microloop avoidance segment RP/0/RP0/CPU0:R7(config-isis-af)#no microloop avoidance rib-update-delay 40000 RP/0/RP0/CPU0:R7(config-isis-af)#commit RP/0/RP0/CPU0:R8(config)#router isis srte RP/0/RP0/CPU0:R8(config-isis)# address-family ipv4 unicast RP/0/RP0/CPU0:R8(config-isis-af)#no microloop avoidance segment RP/0/RP0/CPU0:R8(config-isis-af)#no microloop avoidance rib-update-delay 40000 RP/0/RP0/CPU0:R8(config-isis-af)#spf-interval maximum-wait 60000 initial-wait 10000 <<< RP/0/RP0/CPU0:R8(config-isis-af)#commit RP/0/RP0/CPU0:R1(config)#router isis srte RP/0/RP0/CPU0:R1(config-isis)# address-family ipv4 unicast RP/0/RP0/CPU0:R1(config-isis-af)#no microloop avoidance segment RP/0/RP0/CPU0:R1(config-isis-af)#no microloop avoidance rib-update-delay 40000 RP/0/RP0/CPU0:R1(config-isis-af)# spf-interval maximum-wait 60000 initial-wait 20000 <<< RP/0/RP0/CPU0:R1(config-isis-af)#commit RP/0/RP0/CPU0:R2(config)#router isis srte RP/0/RP0/CPU0:R2(config-isis)# address-family ipv4 unicast RP/0/RP0/CPU0:R2(config-isis-af)#no microloop avoidance segment RP/0/RP0/CPU0:R2(config-isis-af)#no microloop avoidance rib-update-delay 40000 RP/0/RP0/CPU0:R2(config-isis-af)# spf-interval maximum-wait 60000 initial-wait 30000 <<< RP/0/RP0/CPU0:R2(config-isis-af)#commit
9th. SR微环避免 – 链路UP场景
在R8,R1,R2和R7上开启SR微环避免,LSP 延迟更新不去掉。当我们把R2和R4的link打开后到收敛前,没有任何业务影响,因为流量走正常路径,我们来看下收敛的情况
RP/0/RP0/CPU0:R2(config)#int gi0/0/0/2 RP/0/RP0/CPU0:R2(config-if)#no shut RP/0/RP0/CPU0:R2(config-if)#commit Wed Mar 11 07:11:07.631 UTC <<<
另外当R2的link up后,虽然路由没更新,但Adj-SID会立即分配
RP/0/RP0/CPU0:R2#sh mpls forwarding prefix 192.168.0.4/32 detail Wed Mar 11 07:11:12.563 UTC Local Outgoing Prefix Outgoing Next Hop Bytes Label Label or ID Interface Switched ------ ----------- ------------------ ------------ --------------- ------------ 16004 16004 SR Pfx (idx 4) Gi0/0/0/0 12.1.1.1 0 Updated: Mar 11 07:09:25.567 Version: 1084, Priority: 1 Label Stack (Top -> Bottom): { 16004 } NHID: 0x0, Encap-ID: N/A, Path idx: 0, Backup path idx: 0, Weight: 0 MAC/Encaps: 4/8, MTU: 1500 Outgoing Interface: GigabitEthernet0/0/0/0 (ifhandle 0x01000018) Packets Switched: 0 Traffic-Matrix Packets/Bytes Switched: 0/0 RP/0/RP0/CPU0:R2#sh mpls forwarding prefix 192.168.0.2/32 detail Wed Mar 11 07:11:12.937 UTC RP/0/RP0/CPU0:R2#sh mpls forwarding labels 24003 deta Wed Mar 11 07:11:13.223 UTC Local Outgoing Prefix Outgoing Next Hop Bytes Label Label or ID Interface Switched ------ ----------- ------------------ ------------ --------------- ------------ 24003 Pop SR Adj (idx 3) Gi0/0/0/2 24.1.1.4 0 <<< Updated: Mar 11 07:11:07.928 Version: 1185, Priority: 1 Label Stack (Top -> Bottom): { Imp-Null } NHID: 0x0, Encap-ID: N/A, Path idx: 0, Backup path idx: 0, Weight: 0 MAC/Encaps: 4/4, MTU: 1500 Outgoing Interface: GigabitEthernet0/0/0/2 (ifhandle 0x01000028) Packets Switched: 0
我们来看R8,大约10s(22-7-6)后学到新的路由,符合设置的更新延迟,然后安装auto tunnel <16002, 24003>,这样直接规避了微环路,流量从R8去往R4的流量都会打上auto tunnel的SR标签,并得以保护
RP/0/RP0/CPU0:R8#sh isis | i "Microloop|RIB|State" Wed Mar 11 07:11:22.335 UTC Microloop avoidance: Enabled Configuration: Type: Segment routing, RIB update delay: 40000 msec State: Active, Duration: 5810 ms, Event Link up, Near: R2.00 Far: R4.00 RP/0/RP0/CPU0:R8#sh route 192.168.0.4/32 det Wed Mar 11 07:11:22.617 UTC <<< Routing entry for 192.168.0.4/32 Known via "isis srte", distance 115, metric 30, labeled SR, type level-2 Installed Mar 11 07:11:16.811 for 00:00:06 <<< Routing Descriptor Blocks directly connected, via tunnel-te32794 Route metric is 30 Label: 0x3 (3) Tunnel ID: None Binding Label: None Extended communities count: 0 Path id:1 Path ref count:0 NHID:0x0(Ref:0) Route version is 0x95 (149) Local Label: 0x3e84 (16004) ...... RP/0/RP0/CPU0:R8#sh isis route 192.168.0.4/32 det Wed Mar 11 07:11:22.981 UTC L2 192.168.0.4/32 [30/115] Label: 16004, medium priority via 18.1.1.1, GigabitEthernet0/0/0/3, R1, SRGB Base: 16000, Weight: 0 exp 18.1.1.1, GigabitEthernet0/0/0/3, R1, SRGB Base: 16000, Weight: 0 via tunnel tunnel-te32794 P node: R2.00 [192.168.0.2], Label: 16002 Q node: R4.00 [192.168.0.4], Label: 24003 src R4.00-00, 192.168.0.4, prefix-SID index 4, R:0 N:1 P:0 E:0 V:0 L:0, Alg:0, prefix-SID index 804, R:0 N:1 P:0 E:0 V:0 L:0, Alg:128 RP/0/RP0/CPU0:R8#sh isis fast-reroute tunnel Wed Mar 11 07:11:23.202 UTC IS-IS srte SRTE backup tunnels tunnel-te32794, state up, type primary-uloop Outgoing interface: GigabitEthernet0/0/0/3 Next hop: 18.1.1.1 Label stack: 16002, 24003 Prefix: 192.168.0.4/32 tunnel-te32793, state up, type primary-uloop Outgoing interface: GigabitEthernet0/0/0/2 Next hop: 78.1.1.7 Label stack: 16804, 24004 RP/0/RP0/CPU0:R8#sh mpls forwarding prefix 192.168.0.4/32 detail Wed Mar 11 07:11:23.781 UTC Local Outgoing Prefix Outgoing Next Hop Bytes Label Label or ID Interface Switched ------ ----------- ------------------ ------------ --------------- ------------ 16004 Pop SR Pfx (idx 4) tt32794 point2point 0 Updated: Mar 11 07:11:16.818 Version: 928, Priority: 1 Label Stack (Top -> Bottom): { Unlabelled Imp-Null } NHID: 0x0, Encap-ID: N/A, Path idx: 0, Backup path idx: 0, Weight: 0 MAC/Encaps: 0/0, MTU: 0 Outgoing Interface: tunnel-te32794 (ifhandle 0x000000fc) <<< Packets Switched: 0 Traffic-Matrix Packets/Bytes Switched: 0/0
总结
因此通过Ti-LFA + 微环避免机制,可以有效地避免微环路带来的业务影响,大大提升用户体验;对于微环避免机制的delay,可以根据现网最大的收敛时间来设定;另外部署常规保护机制,如端口抖动抑制机制(damping)等。还要注意的就是不管是Ti-LFA还是微环避免,都是针对单点故障。
版权声明:
本文链接:Segment Routing Microloop Avoidance – 微环避免
版权声明:本文为原创文章,仅代表个人观点,版权归 Frank Zhao 所有,转载时请注明本文出处及文章链接