hjp: doc: RFC Basic Specification for IP Fast Reroute: Loop-Free Alternates
You are here: Home / Blog / Loop-Free Alternate Routes technique called Loop -Free Alternate Fast ReRoute (LFA-FRR), a.k.a. IP Fast. This document describes how the IP Fast Reroute (FRR) provides fast Loop Free Alternate (LFA) is similar to Multiprotocol Label Switching. Routing optimization for IP networks with loop-free alternates ABSTRACT. Loop-free alternates (LFAs) have been developed for fast reroute (FRR) in intradomain IP networks. They are simple .. Publication Date, (yyyy- mm-dd).
Each is dual-homed directly either to C1 and C2 Section 3. The analyzed access region forms a level-1 L1 domain. The core is the level-2 L2 domain. We assume that the link between C1 and C2, if it exists, is configured as L1L2. We assume that the loopbacks of the C routers are part of the L2 topology. If path P1 is lost, then it will prefer path P2. C1, E2, and P.
Node protection for route C1 is not applicable. If C1 goes down, traffic destined to C1 is lost anyway. It is node- protecting, because eq2: It is node-protecting if eq2: This relationship between e and c is an important aspect of the analysis, which is discussed in detail in Sections 3.
All impacted destinations are protected against link failure. Node protection upon E1's failure is not applicable, as the only impacted traffic is sinked at E1 and hence is lost anyway.
Node protection is not applicable. De facto node protection is not applicable. This is particularly the case for dual-plane core or two-tiered IGP metric design; see Sections 3. The IGP convergence does not cause any uLoop. A1, C1, E2, and P. Node protection for route A1 is not applicable. If A1 goes down, traffic to A1 is lost anyway. Node protection for route C1 is guaranteed: Node protection is guaranteed: De facto node protection is provided for all destinations except to A1, which is not applicable.
If C1 goes down, traffic to C1 is lost anyway. It is de facto protected against node failure if eq2: A1, E1, and E2. E2 behaves like E1 and hence is not analyzed further. Node protection upon A1's failure is not applicable, as the traffic to A1 is lost anyway.
Node protection upon A1's failure is guaranteed, because eq2: Node protection is guaranteed where applicable. De facto node protection is available. They benefit from node protection upon failure of A nodes. Node protection for traffic to A1 upon A1 node failure is not applicable. This LFA is guaranteed to be node-protecting, because eq2: E1's primary route to P is via E1A1. Its LFA is via A2, because eq1: C1, A3, E3, and P. Node protection is not applicable for traffic to C1 when C1 fails.
It is node-protecting, because eq2: The LFA is via A2, because eq1: This LFA is node-protecting from the viewpoint of A1 computing eq2 if eq2: Note that A3 benefits from de facto node protection. E2's analysis is the same as E1 and hence is omitted. C1 has no LFA for A1. Indeed, its neighbors C2 and A3 have a shortest path to A1 via C1. It provides node protection, because eq2: Indeed, there are many more destinations reachable over A1C1 than over C1A1.
Typically, most of the traffic traversing link C1A1 is directed to these E nodes; hence, the lack of per-prefix LFAs for the destination A1 might be insignificant. It definitely has a negative impact upon per-link LFAs. The number of destinations impacted by A1C1 failure is much larger than the direction C1A1; hence, the protection is provided for the wrong direction.
Some backbone topologies will lead to very good protection coverage, while some others might provide very poor coverage. Such a study likely requires a planning tool, as each remote destination P would have a different e value exception: C1 has no per-prefix LFA to A1. Second, when per-prefix LFA provides node protection eq2 is satisfiedper-link LFA provides effective de facto node protection. A Square Might Become a Full Mesh If the vertical links of the square are made of parallel links at the IP topology or belowthen one should consider splitting these "vertical links" into "vertical and crossed links".
The topology becomes "full mesh". A typical scenario in which this is prevented would be when the A1C1 bandwidth may be within a building while the A1C2 is between buildings.
Hence, while from a router-port viewpoint the operation is cost-neutral, from a cost-of-bandwidth viewpoint it is not. A Full Mesh Might Be More Economical Than a Square In a full mesh, the vertical and crossed links play the dominant role, as they support most of the primary and backup paths.
The capacity of the horizontal links can be dimensioned on the basis of traffic destined to a single C node or a single A node, and to a single E node. Extended U For the Extended U topology, we define the following terminology: This loopback is in L2.
There might be an L2 link between C1 and C2. This is not relevant, as this is not seen from the viewpoint of the L1 topology, which is the focus of our analysis. It is guaranteed that there is a path from C1LO to C2LO within the L2 topology except if the L2 topology partitions, which is very unlikely and hence not analyzed here. We call "c" its path cost. Once again, as the source and destination addresses are the loopbacks of C1 and C2 and these loopbacks are in L2 only, it is guaranteed that the tunnel does not transit via the L1 domain.
A router supporting such an extension learns that it has one additional potential neighbor in topology level-1 when checking for LFAs. The metric advertised by C2L1 is bigger than the metric advertised by C1L1 by "c".
The metric advertised by C2L1 is bigger than the metric advertised by C1L1 by "e". Node protection is guaranteed, because eq2: Node protection is possible, because eq2: Same as that for the square topology. C1, E3, and P. Indeed, eq1 is true: Remember that the tunnel is not seen by IS-IS for computing primary paths! Node protection is not applicable for traffic to A1 when A1 fails. Node resistance is applicable for traffic to E1 and E2. Conclusion The Extended U topology is as good as the square topology.
It does not require any crossed links between the A and C nodes within an aggregation region. It does not need an L1 link between the C routers in an access region. Note that a link between the C routers might exist in the L2 topology. Assuming such an IGP metric allocation, the following properties are guaranteed: Then, we show that all of the other cases do not have uLoop potential.
It can be shown that all of the other routing transitions following a link failure in the analyzed topologies do not have uLoop potential. Indeed, in each case, for all destinations affected by the failure, the rerouting nodes deviate their traffic directly to adjacent nodes whose paths towards these destinations do not change.
As a consequence, all of these routing transitions cannot undergo transient forwarding loops.
For example, in the square topology, the failure of directed link A1C1 does not lead to any uLoop. The destinations reached over that directed link are C1 and P. A1's and E1's shortest paths to these destinations after the convergence go via A2.
IP FRR and Micro-loops Part 1
Summary In this section, we summarize the applicability of LFAs detailed in the previous sections. For link protection, we use "Full" to refer to the applicability of LFAs for each destination, reached via any link of the topology. For node protection, we use "Yes" to refer to the fact that node protection is achieved for a given node. In practice, this means that per-prefix LFAs will be used. The main optimization objectives for backbone topology design are cost, latency, and bandwidth, constrained by the availability of fiber.
Optimizing the design for local IP restoration is more likely to be considered as a non-primary objective. For example, the way the fiber is laid out and the resulting cost to change it lead to ring topologies in some backbone networks. Also, the capacity-planning process is already complex in the backbone. The process needs to make sure that the traffic matrix demand is supported by the underlying network capacity under all possible variations of the underlying network what-if scenario related to one-SRLG failure.
Classically, "supported" means that no congestion is experienced and that the demands are routed along the appropriate latency paths. Selecting the LFA method as a deterministic FRR solution for the backbone would require enhancement of the capacity-planning process to add a third constraint: Each variation of the underlying network should lead to sufficient LFA coverage. We detail this aspect in Section 7. On the other hand, the access network is based on many replications of a small number of well-known well-engineered topologies.
In practice, we believe that there are three profiles for the backbone applicability of the LFA method: In the first profile, the designer plans all of the network resilience on IGP convergence. In such a case, the LFA method is a free bonus. If an LFA is available, then the loss of connectivity is likely reduced by a factor of 10 50 msec vs.
The LFA method should be very successful here, as it provides a significant improvement without any additional cost. Link-Protecting Alternates Causing Loop on Node Failure Micro-looping of traffic via the alternates caused when a more extensive failure than planned for occurs can be prevented via selection of only downstream paths as alternates.
A micro-loop due to the use of alternates can be avoided by using downstream paths because each succeeding router in the path to the destination must be closer to the destination than its predecessor according to the topology prior to the failures. Although use of downstream paths ensures that the micro-looping via alternates does not occur, such a restriction can severely limit the coverage of alternates.
In Figure 2, S would be able to use N as a downstream alternate, but N could not use S; therefore, N would have no alternate and would discard the traffic, thus avoiding the micro-loop. As shown above, the use of either a node-protecting LFA described in Section 3. There are topologies where there may be either a node-protecting LFA, a downstream path, both, or neither.
A node may select either a node-protecting LFA or a downstream path without risk of causing micro-loops in the event of neighbor node failure. While a link-and-node-protecting LFA guarantees protection against either link or node failure, a downstream path provides protection only against a link failure and may or may not provide protection against a node failure depending on the protection available at the downstream node, but it cannot cause a micro-loop.
For example, in Figure 2, if S uses N as a downstream path, although no looping can occur, the traffic will not be Atlas, et al. Loop-Free Alternates September protected in the event of the failure of node E because N has no viable repair path, and it will simply discard the packet. However, if N had a link-and-node-protecting LFA or downstream path via some other path not shownthen the repair may succeed.
If there are any destinations for which a link-and-node- protecting LFA is not available, then by definition the path to all of those destinations from any neighbor of the computing router S must be through the node E being protected otherwise there would be a node protecting LFA for that destination. It may be desirable to find an alternate that can protect against other correlated failures of which node failure is a specific instance. General SRLGs may add unacceptably to the computational complexity of finding a loop-free alternate.
However, a sub-category of SRLGs is of interest and can be applied only during the selection of an acceptable alternate. This sub- category is to express correlated failures of links that are connected to the same router, for example, if there are multiple logical sub-interfaces on the same physical interface, such as VLANs on an Ethernet interface, if multiple interfaces use the same physical port because of channelization, or if multiple interfaces share a correlated failure because they are on the same line-card.
A local-SRLG has all of its member links with one end connected to the same router. Thus, router S could select a loop-free alternate that does not use a link in the same local-SRLG as the primary next-hop.
If an SRLG contains links in multiple areas, then separate SRLG-protecting alternates would be required in each area that is traversed by the affected traffic.
In order to avoid micro-looping and ensure required coverage, certain constraints are applied to multi-area OSPF networks: Loop-free alternates should not be used in the backbone area if there are any virtual links configured unless, for each transit area, there is a full mesh of virtual links between all Area Border Routers ABRs in that area. Loop-free alternates may be used in non-backbone areas regardless of whether there are virtual links configured.
Loop-free alternates should not be used for inter-area routes in an area that contains more than one alternate ABR [RFC]. Loop-free alternates should not be used in a non-backbone area of a network for AS External routes where an AS External prefix is advertised with the same type of external metric by multiple ASBRs, which are in different non-backbone areas, with a forwarding address of 0.
Loop-Free Alternates September 3. Alternate Next-Hop Calculation In addition to the set of primary next-hops obtained through a shortest path tree SPT computation that is part of standard link- state routing functionality, routers supporting IP Fast Reroute also calculate a set of backup next-hops that are engaged when a local failure occurs.
These backup next-hops are calculated to provide the required type of protection i. Such next-hops are called loop-free alternates or LFAs throughout this specification. In general, to be able to calculate the set of LFAs for a specific destination D, a router needs to know the following basic pieces of information: Only that set of SRLGs could cause a local failure; the calculating router only computes alternates to handle a local failure.
Information about local link SRLG membership is manually configured. The following sections provide information required for calculation of LFAs. Basic Loop-Free Condition Alternate next hops used by implementations following this specification MUST conform to at least the loop-freeness condition stated above in Inequality 1.
This condition guarantees that forwarding traffic to an LFA will not result in a loop after a link failure.
In other words, N's path to D must not go through E. This is the case if Inequality 3 is true, where N is the neighbor providing a loop-free alternate. However, it is equally possible that one of N's paths goes through E, and the calculating router has no way to influence N's decision to use it.
Broadcast and Non-Broadcast Multi-Access NBMA Links Verification of the link-protection property of a next-hop in the case of a broadcast link is more elaborate than for a point-to-point link. This is because a broadcast link is represented as a pseudo- node with zero-cost links connecting it to other nodes. Because failure of an interface attached to a broadcast segment may mean loss of connectivity of the whole segment, the condition described for broadcast link protection is pessimistic and requires that the alternate is loop-free with regard to the pseudo-node.
Consider the example in Figure 3. If the primary next-hop uses a broadcast link, then an alternate SHOULD be loop-free with respect to that link's pseudo-node PN to provide link protection. This requirement is described in Inequality 4 below. Loop-Free Alternates September Because the shortest path from the pseudo-node goes through E, if a loop-free alternate from a neighbor N is node-protecting, the alternate will also be link-protecting unless the router S can only reach the alternate neighbor N via the same pseudo-node.
Since this is the only case for which a node-protecting LFA is not link- protecting, this implies that for point-to-point interfaces, an LFA that is node-protecting is always link-protecting. Because S can direct the traffic away from the shortest path to use the alternate N, traffic might pass through the same broadcast link as it would when S sent the traffic to the primary E.
To obtain link protection, it is necessary both that the path from the selected alternate next-hop does not traverse the link of interest and that the link used from S to reach that alternate next- hop is not the link of interest. The latter can only occur with non- point-to-point links. Therefore, if the primary next-hop is across a broadcast or NBMA interface, it is necessary to consider link protection during the alternate selection.
To clarify, consider the topology in Figure 3. For N to provide link protection, it is first necessary that N's shortest path to D does not traverse the pseudo- node PN. Second, it is necessary that the alternate next-hop selected by S does not traverse PN. In this example, S's shortest path to N is via the pseudo-node.
Thus, to obtain link protection, S must find a next-hop to N the point-to-point link from S to N in this example that avoids the pseudo-node PN. Similar consideration of the link from S to the selected alternate next-hop as well as the path from the selected alternate next-hop is also necessary for SRLG protection.
When a particular primary next-hop fails, alternate next-hops should be used to preserve the traffic. These alternate next-hops may themselves also be primary next-hops, but need not be.
Other primary next-hops are not guaranteed to provide protection against the failure scenarios of concern. The primary next-hop L2 to E1 can obtain link and node protection from L3 to E3, which is one of the other primary next-hops; L2 to E1 cannot obtain link protection from the other primary next-hop L2 to E2.
Similarly, the primary next-hop L2 to E2 can only get node protection from L2 to E1 and can only get link protection from L3 to E3. It is possible for both the primary next-hop L2 to E2 and the primary next-hop L2 to E1 to obtain an alternate next-hop that provides both link and node protection by using L1. Alternate next-hops are determined for each primary next-hop separately. As with alternate selection in the non-ECMP case, these alternate next-hops should maximize the coverage of the failure cases.
For those cases, it is also desirable not to have the router used on an alternate path. For a broadcast link, the reverse cost associated with a potential alternate next-hop is the cost towards the pseudo-node advertised by the next-hop router.
For point-to- point links, if a specific link from the next-hop router cannot be associated with a particular link, then the reverse cost considered is that of the minimum cost link from the next-hop router back to S. This preserves the desired behavior of diverting traffic away from a router that is following [RFC]and it also preserves the desired behavior when an operator sets the cost of a link to LSInfinity for maintenance that is not permitting traffic across that link unless there is no other path.
If a link or router that is costed out was the only possible alternate to protect traffic from a particular router S to a particular destination, then there should be no alternate provided for protection.
A router SHOULD NOT use an alternate next-hop that is along a link for which the link has been advertised with the attribute "link excluded from local protection path" or with the attribute "local maintenance required". Selection Procedure A router supporting this specification SHOULD attempt to select at least one loop-free alternate next-hop for each primary next-hop used for a given prefix.
A router MAY decide to not use an available loop-free alternate next-hop. A reason for such a decision might be that the loop-free alternate next-hop does not provide protection for the failure scenario of interest.
The alternate selection should maximize the coverage of the failure cases. When calculating alternate next-hops, the calculating router S applies the following rules. If no loop-free node-protecting alternate is available, then S MAY select a loop-free link-protecting alternate. Loop-Free Alternates September 2. If S has a choice between a loop-free link-and-node-protecting alternate and a loop-free node-protecting alternate that is not link-protecting, S SHOULD select a loop-free link-and-node- protecting alternate.
This can occur as explained in Section 3. If S has multiple primary next-hops, then S SHOULD select as a loop-free alternate either one of the other primary next-hops or a loop-free node-protecting alternate if available. If no loop- free node-protecting alternate is available and no other primary next-hop can provide link-protection, then S SHOULD select a loop-free link-protecting alternate. Implementations SHOULD support a mode where other primary next- hops satisfying the basic loop-free condition and providing at least link or node protection are preferred over any non-primary alternates.
This mode is provided to allow the administrator to preserve traffic patterns based on regular ECMP behavior.
Loop-Free Alternate Routes - EtherealMind
Following the above rules maximizes the level of protection and use of primary ECMP next-hops. Each next-hop is associated with a set of non-mutually-exclusive characteristics based on whether it is used as a primary next-hop to a particular destination D, and the type of protection it can provide relative to a specific primary next-hop E: Primary Path - The next-hop is used by S as primary.
If the primary next-hop uses a broadcast link, then this next-hop satisfies Inequality 4. An alternate path may also provide none, some, or complete SRLG protection as well as node and link or link protection.
The alternate path might avoid other links in G1 but not G2, in which case the alternate would only provide partial SRLG protection. Loop-Free Alternates September Below is an algorithm that can be used to calculate loop-free alternate next-hops. The algorithm is given for informational purposes, and implementations are free to use any other algorithm as long as it satisfies the rules described above.
The following procedure describes how to select an alternate next- hop. The procedure is described to determine alternate next-hops to use to reach each router in the topology. Prefixes that are advertised by a single router can use the alternate next-hop computed for the router to which they are attached. The same procedure can be used to reach a prefix that is advertised by more than one router when the logical topological transformation described in Section 6.
S is the computing router. A candidate next-hop is indicated by outgoing link, neighbor and the outgoing link must be bidirectionally connected, as is determined by the IGP. Recall that S may have multiple next-hops over different interfaces to a neighbor. S should follow the below procedure for every primary next-hop selected to reach D. Initialize variables as follows: Otherwise, skip it and continue to the next candidate next-hop.
Skip it and continue to the next candidate next-hop. Loop-Free Alternates September If so, goto Step Continue to the next candidate next-hop.
LFA Types and Trade-Offs LFAs can provide different amounts of protection, and the decision about which type to prefer is dependent upon network topology and other techniques in use in the network. This section describes the different protection levels and the trade-offs associated with each. When there are equal-cost primary next-hops, using one as an alternate is guaranteed not to cause micro-loops involving S.
Traffic flows across the paths that the network will converge to, but congestion may be experienced on the primary paths since traffic is sent across fewer. All primary next-hops are downstream paths. A downstream path, unlike an LFA, is guaranteed not to cause a micro-loop involving S regardless of the actual failure detected. However, the expected coverage of such alternates in a network is expected to be poor.
All downstream paths are LFAs. An LFA can have good coverage of a network, depending on topology.
However, it is possible to get micro-loops involving S if an unprotected failure occurs e. If such an alternate exists, it gives protection against all failures. LP and NP only: Many networks may handle SRLG failures via another method or may focus on node and link failures as being more common.
A network may handle node failures via a high- availability technique and be concerned primarily about protecting the more common link failure case. These only exist on interfaces that aren't point-to- point.