Network Recovery Design
As with any network recovery design, you must first determine the requirements in terms of availability SLAs should a network element failure occur in the network. Therefore, Globenet conducted a detailed analysis covering several years of failure statistics. It turned out that the vast majority (more than 90 percent) of the failures had been link failures (fiber cuts, local leased-line failures, and, to a much lesser extent, router interface failures). Unexpected router failures resulting in traffic loss were insignificant. On the other hand, planned router outages for software or hardware upgrades were handled by scripts that isolated the traffic from the elements to upgrade by increasing the metrics of the links attached to the router in question. Such operations have always been done during maintenance windows. During these times, the traffic load was low enough that all the traffic usually routed through the router in question could be rerouted to an alternate path while offering an equivalent QoS.

Globenet's requirement was primarily to protect the traffic from link failures, with an objective of rerouting the traffic within a few tens of milliseconds whenever possible. Unexpected router failures were considered sufficiently rare to tolerate longer rerouting times. Moreover, upon a single-link failure, an equivalent QoS along the alternate path must be provided at least to all important CoSs (ATM pseudowire, VPN Voice, VPN Video, VPN Business Latency, and VPN Business Throughput).

Chapter 4), Globenet leases its circuits. This leads Globenet to always require diversely routed links from its leased-line providers or to lease capacity from different providers to increase its chances of having diverse links. Thus, SRLG protection was not required. Note that in the past, multiple links provided by different service providers simultaneously failed because of a shared network element failure (such as a transatlantic fiber).
Such a shared risk is usually outside Globenet's knowledge and thus is impossible to protect against. However, such an event is rare.

Based on the considerations just discussed, Globenet adopted the following network recovery design:

- Use MPLS Traffic Engineering Fast Reroute as its network recovery technology of choice on unprotected SONET-SDH circuits, protected SONET-SDH circuits (in case of router interface failure), unprotected DWDM links, and Ethernet links (intra-POP). This protects against any single-link failure. Note that both inter-POP and intra-POP links are protected by means of Fast Reroute, although most of the failures relate to inter-POP link failures. In the AsiaPac region, where routers are interconnected by means of ATM PVCs, link failures are handled by both PNNI and MPLS TE Fast Reroute. Upon ATM VC failure, both PNNI and MPLS TE Fast Reroute trigger recovery actions, but they operate at different time scales. As discussed later, a design that triggers recovery actions at both layers was Globenet's preferred option. When (or if) the ATM VC is restored, MPLS Traffic Engineering starts reusing it by means of MPLS TE reoptimization.
- Tune the IS-IS parameters to achieve 5 seconds of rerouting time in case of unexpected node failure or multiple link failures that could not be handled by MPLS TE Fast Reroute.
MPLS TE Fast Reroute Design Within Globenet Regions
This section presents the detailed design of Fast Reroute as deployed in all regions of the Globenet network.
Failure Detection
Considering the broad set of link types, Globenet had to adopt different failure detection strategies based on the Layer 2 protocol in use:

- SONET-SDH links: The SONET-SDH layer provides a very efficient failure detection mechanism whereby an alarm is usually received within a few milliseconds (usually less than 10 ms). Thus, for Globenet's network in North America, OC-3 and OC-48 link failures are detected within a few milliseconds.
[BFD]) protocol with a hello period of 100 ms and a dead timer (hold time) of 400 ms. Thus, a failure will be detected within at most 400 ms regardless of the failure's root cause.
- Gigabit Ethernet links: When two pieces of equipment are interconnected by point-to-point Ethernet links, failure detection times similar to SONET-SDH can be achieved. Conversely, the use of Layer 2 Gigabit Ethernet switches drastically increases the failure detection time if a router port fails, because failure detection is then performed by means of the IGP hello-based protocol. Similar to the ATM case, Globenet elected to use BFD as its failure detection mechanism of choice for its Gigabit Ethernet links, with the same set of parameters.
- Router failures: Various router failure types can lead to different failure detection times and have different impacts on traffic forwarding. For instance, a power supply failure on a router is equivalent to the simultaneous failure of its entire set of attached links. Therefore, the failure detection time is similar to the link failure case. A control plane failure on a distributed router architecture has no impact on traffic forwarding: the routing protocol detects the failure, and the traffic is smoothly rerouted to an alternate path without any traffic disruption. Conversely, a route processor failure on a centralized router architecture affects both the control and forwarding planes. In turn, this provokes a traffic disruption until the routing protocol converges, because MPLS TE Fast Reroute is used only for link protection. Globenet considered the latter case sufficiently rare to not justify any special measures to handle such failures.
Set of Backup Tunnels
Because MPLS TE Fast Reroute protects the traffic from link failures, only next-hop backup tunnels are required in the network. Furthermore, as mentioned previously, the Globenet network does not contain any SRLG. Because the vast majority of the links are leased, Globenet managed to lease its circuits from different regional providers to get diverse links.
Backup Tunnel Constraints
The first constraint that backup tunnels must meet is, of course, to be diverse from the protected link.

The second backup tunnel constraint is related to bandwidth. When a backup tunnel path must be computed to protect a facility such as a link, the backup tunnel can be provisioned with bandwidth equivalent to the protected link. (Another example is a specific bandwidth pool (such as BC1) if the decision is made to provide an equivalent QoS to the TE LSPs of class type CT1.) Although quite efficient in terms of QoS, such an approach would require the use of a sophisticated backup tunnel path computation tool to maximize the bandwidth sharing between backup tunnels that protect independent links. As a reminder, the backup tunnel is used only during rerouting times, in other words, from the time the node immediately upstream of the failure triggers Fast Reroute to the reoptimization of the TE LSP by its headend router. In the case of the Globenet network, such rerouting times have been evaluated to likely be less than 1 second in the worst case. This means that such a backup tunnel would be used for at most 1 second.

The second aspect of the study consisted of evaluating, for each link failure, the potential congestion that may occur along a backup tunnel provisioned with zero bandwidth. The simulations showed that even in Asia, where links (ATM VCs) are sized upon the traffic demands (with some margin) and link utilizations are quite high, worst-case scenarios implied getting up to 80 percent of real-time traffic and 120 percent of non-real-time traffic onto some links during the rerouting period (less than 1 second). Globenet considered this satisfactory with respect to its SLAs. Thus, it chose to provision the set of next-hop backup tunnels with zero bandwidth. (The backup tunnels would then follow the IGP shortest path that avoids the protected link.)

Figure 5-45 shows the set of configured backup tunnels for the Washington node. It shows a set of next-hop backup tunnels configured to protect the traffic from the failure of any of the attached links of the Washington node. Note that two backup tunnels are required for each protected link (one in each direction), although just one of them is shown in Figure 5-45 for the sake of clarity.
Figure 5-45. Set of Next-Hop Backup Tunnels to Protect the Attached Links of the Washington Node (One Direction Is Shown)

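The zero-bandwidth design above rests on two computations: each next-hop backup tunnel follows the IGP shortest path that avoids its protected link, and a simulation of every single-link failure shows how much load those backup paths push onto other links during the rerouting period. The following Python code is an added example (not the book's or Globenet's tooling) that carries out both on a constructed six-node topology; the node names, metrics, capacities and loads are made up for illustration.

```python
import heapq
from collections import defaultdict

# Constructed toy topology: (node_a, node_b, IGP metric, capacity in Mbps).
LINKS = [
    ("WAS", "NYC", 10, 2488), ("WAS", "ATL", 10, 2488), ("NYC", "CHI", 10, 2488),
    ("ATL", "CHI", 15, 2488), ("ATL", "DAL", 8, 622), ("CHI", "DAL", 20, 622),
]
# Constructed steady-state load carried by each link, in Mbps (one direction).
LOAD = {("WAS", "NYC"): 1000, ("WAS", "ATL"): 700, ("NYC", "CHI"): 600,
        ("ATL", "CHI"): 500, ("ATL", "DAL"): 300, ("CHI", "DAL"): 200}

def spf(links, src, dst, exclude):
    """Dijkstra over the undirected topology, ignoring the protected link."""
    adj = defaultdict(list)
    for a, b, metric, _ in links:
        if {a, b} == set(exclude):
            continue  # the backup path must be diverse from the protected link
        adj[a].append((b, metric))
        adj[b].append((a, metric))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, metric in adj[u]:
            if d + metric < dist.get(v, float("inf")):
                dist[v], prev[v] = d + metric, u
                heapq.heappush(heap, (d + metric, v))
    if dst not in dist:
        return None  # no diverse path exists: the link cannot be protected
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]

def backup_tunnels(links):
    """One next-hop backup tunnel per link (one direction, as in Figure 5-45)."""
    return {(a, b): spf(links, a, b, (a, b)) for a, b, _, _ in links}

def worst_case_utilization(links, load):
    """For each single-link failure, move the failed link's load onto its zero-bandwidth
    backup tunnel; return the hottest link as (link, percent of capacity)."""
    cap = {frozenset((a, b)): c for a, b, _, c in links}
    result = {}
    for failed, path in backup_tunnels(links).items():
        usage = {frozenset(k): v for k, v in load.items()}
        extra = usage.pop(frozenset(failed))  # the failed link carries nothing now
        for u, v in zip(path, path[1:]):
            usage[frozenset((u, v))] += extra
        hot = max(usage, key=lambda e: usage[e] / cap[e])
        result[failed] = (tuple(sorted(hot)), round(100 * usage[hot] / cap[hot], 1))
    return result
```

In this constructed topology the failure of the ATL-CHI link drives the OC-12 spur to 128.6 percent of capacity for the duration of the rerouting period, which is exactly the kind of figure Globenet compared against its SLAs before accepting zero-bandwidth backup tunnels.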
Figure 5-46. One-Hop Tunnel Used to Protect the Intra-POP Link with Fast Reroute
Chapter 3. In a nutshell, for each link to protect, a one-hop TE LSP (in each direction) is configured to protect the intra-POP link. For example, as shown in Figure 5-46, a primary TE LSP is configured between PE1 and P1 as a fast reroutable TE LSP. Note that because of the PHP operation, no additional label is added to the traffic forwarded along such a link. In addition, a next-hop backup tunnel is configured that avoids the protected link (the next-hop backup tunnel shown in Figure 5-46).

In case of a PE-P link failure, upon failure detection by means of the BFD protocol (because such links are Gigabit Ethernet VLANs), the affected traffic is rerouted onto the backup tunnel. (An additional label corresponding to the backup tunnel is pushed in case of failure.)
Provisioning the Set of Backup Tunnels
Chapter 3 and therefore are not described again here. As a reminder, very few commands are configured on each router for the automatic configuration of unconstrained one-hop and next-hop backup tunnels. This dynamically determines the set of next hops by means of the IGP (the set of active routing adjacencies). It also automatically computes a diversely routed backup tunnel path for each link to protect, provided that at least one fast reroutable TE LSP traverses the protected link in question.
Configuring a Hold-Off Timer
Hold-off timers are sometimes required when network recovery mechanisms coexist at different layers, as explained in detail in Chapter 2. The aim of such a hold-off timer is to increase the chance of restoring a failed resource at Layer n before triggering any restoration at Layer n + 1. Although this may lead to increased rerouting times should Layer n fail to restore the failed resource, it avoids racing recovery attempts at both layers, which may lead to unpredictable and undesirable results (see [NET-RECOV] for a detailed explanation of this topic).

In the case of unprotected links (2-Mbps leased lines, OC-3 and OC-48 links (North America and EMEA), and Gigabit Ethernet links), MPLS TE Fast Reroute must be triggered as soon as the failure is detected. Thus, no hold-off timer is required.

Conversely, there are various situations in which hold-off timers are required in the Globenet network:

- Protected OC-3 links (by SDH): Because such links are protected by means of SONET-SDH, a hold-off timer must be set to a value slightly larger than the worst-case recovery time of the SONET-SDH layer. Indeed, the objective is first to rely on SONET-SDH protection to recover the failed resource without attempting to reroute the traffic by means of Fast Reroute. In the vast majority of the cases in the Globenet network, such rerouting times do not exceed 100 ms. Thus, Globenet decided to set the hold-off timer to 120 ms.

Note: The use of a hold-off timer implies that an interface failure (which cannot be recovered at the SONET-SDH layer) will not be restored before 120 ms plus the Fast Reroute rerouting time.

- ATM VCs (AsiaPac): As already pointed out, ATM VC recovery is first handled by PNNI, which usually converges within a few seconds. This leads to the two following possibilities:
  - Set the Fast Reroute hold-off timer to the PNNI worst-case rerouting time to give the ATM layer a chance to recover the affected VCs before triggering any action attempt at the Fast Reroute level. The advantage of such an approach would be to rely on the restoration of the affected ATM VC. This would provide an equivalent QoS at the price of a longer traffic disruption compared to a few hundred milliseconds with Fast Reroute.
  - Do not use an FRR hold-off timer. With this approach, the traffic disruption would be minimized (limited to a few hundred milliseconds), but potential congestion may occur for the non-real-time traffic during the rerouting periods. This was the approach Globenet chose, in combination with the use of appropriate timers so as to reuse the restored ATM VC as soon as possible. This can be achieved thanks to the combination of two mechanisms:
    - The IS-IS LSP origination in case of a second new event is set to 20 ms to speed up the advertisement of a restored ATM VC.
    - A reoptimization trigger in case of a link-up event.
IS-IS Routing Design
IS-IS handles node failures with the objective of achieving a rerouting time of 5 seconds, should a node fail or multiple failures occur that cannot be handled by FRR. To that end, IS-IS had to be tuned appropriately, because the default configuration usually adopts a hello period of 10 seconds and a hold time of 30 seconds.

The first set of parameters to be adjusted is related to the IS-IS hello protocol. Globenet decided to set the hello and hold time timers to 1 second and 4 seconds, respectively.

The second parameter category is related to SPF triggering and LSP origination. As explained in detail in Chapter 2, modern routers provide the ability to use dampening algorithms that allow a quick reaction in terms of LSP origination and SPF triggering while protecting the network in case of unstable conditions. To that end, Globenet decided to set the related parameters as shown in Example 5-24.
Example 5-24. Fast IS-IS Configuration Example

hostname Globenet.Newyork.P1
!
interface pos3/0
isis hello-interval 1
isis hello-multiplier 4
!
router isis
lsp-gen 5 10 20
spf-interval 5 80 20
prc-interval 5 80 20

When a network element failure occurs, a router waits for 10 ms before originating a new IS-IS LSP. If a second state change occurs, a new IS-IS LSP is originated after 20 ms. The time between two consecutive LSP originations will never exceed 5 seconds in case of an unstable link (according to the dampening algorithm described in Chapter 2).

Note that the initial waiting time before triggering an SPF has been set to 80 ms. The failure of a node (which is of particular interest in this case, because traffic recovery relies exclusively on IS-IS to handle such failures) generates the origination of several IS-IS LSPs (one by each neighbor of the failing router). Because the network is sparse in some regions of the world, the reception of such IS-IS LSPs by other routers may be spaced by several tens of milliseconds. Hence, waiting for 80 ms before triggering the first SPF increases the likelihood of computing a new routing table based on an accurate topology.

Additionally, all the Globenet routers have been configured to prioritize IS-IS LSP flooding over SPF triggering. They also provide the relevant QoS to IS-IS control packets to avoid the loss of a routing adjacency if a link gets congested. This reduces the failure notification time up to a rerouting node.

The use of incremental SPF was also considered. However, it would not have significantly reduced the overall convergence time compared to the other components, such as the failure detection time, LSP propagation, and so on.

Given this, the set of parameters shown in Example 5-24 achieves the rerouting time target of 5 seconds, should an unplanned node failure occur in the network.
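The timers in Example 5-24 can be checked against the 5-second target with a small model. The following Python code is an added example, not code from the book or from Globenet's network; the backoff rule it uses (the wait doubles on each consecutive event, is capped at the maximum, and returns to the initial value once the router has been quiet for the maximum wait) and the 50 ms flooding delay in the budget are assumptions.

```python
# Model of the exponential backoff behind "lsp-gen 5 10 20" and
# "spf-interval 5 80 20", plus the node-failure rerouting budget implied by
# the hello timers. The reset-after-quiet rule is an assumption, not the page's.

def origination_times(event_times_ms, max_wait_s, initial_ms, second_ms):
    """Times (ms) at which an LSP is originated (or an SPF is run) for a
    sequence of state-change events under the assumed backoff rule."""
    max_ms = max_wait_s * 1000
    fired, wait, last = [], None, None
    for t in sorted(event_times_ms):
        if last is not None and t <= last:
            continue  # an origination is already pending; the event folds into it
        if last is None or t - last >= max_ms:
            fire, wait = t + initial_ms, second_ms  # stable network: initial wait
        else:
            fire, wait = max(t, last + wait), min(wait * 2, max_ms)  # back off
        fired.append(fire)
        last = fire
    return fired

def max_gap_ms(times):
    """Longest interval between two consecutive originations."""
    return max(b - a for a, b in zip(times, times[1:]))

def node_failure_budget_ms(hello_s, multiplier, lsp_initial_ms, spf_initial_ms, flood_ms):
    """Worst-case delay from a silent node failure (no link alarm, so detection
    relies on the hello hold time) to the first SPF on a remote router:
    hold time + LSP origination wait + flooding delay + SPF wait."""
    hold_time_ms = hello_s * multiplier * 1000
    return hold_time_ms + lsp_initial_ms + flood_ms + spf_initial_ms

# Constructed scenario: a link flapping every 100 ms for 30 seconds.
FLAP = range(0, 30001, 100)
LSP_TIMES = origination_times(FLAP, 5, 10, 20)  # lsp-gen 5 10 20
SPF_TIMES = origination_times(FLAP, 5, 80, 20)  # spf-interval 5 80 20
# Globenet hello 1 s x multiplier 4, lsp-gen initial 10 ms, SPF initial 80 ms,
# assumed 50 ms for the LSPs to reach a remote router.
BUDGET_MS = node_failure_budget_ms(1, 4, 10, 80, 50)
```

Under this model a flapping link settles into one LSP origination every 5 seconds, matching the claim above, and a silent node failure is reacted to within roughly 4.1 seconds, leaving margin under the 5-second target.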
Failure of a PE Router Supporting ATM Pseudowires
PNNI handles the failure of a PE router supporting ATM pseudowires. First, the failure can be detected by means of local signaling (alarm indication signal (AIS)) or switch-to-switch ATM OAM flows (F4 and F5 cells), which are transparently carried over the pseudowire.

As soon as the failure has been detected, PNNI converges and appropriately reroutes the set of affected ATM VCs along alternate paths. In some cases, these alternate ATM paths may themselves transit via interswitch trunks that are carried over other pseudowires. An interesting consequence to note is that such traffic shifts caused by rerouting may imply that some pseudowires receive an unexpected peak load, at least for the duration of the failure. But because all the TE LSPs carrying the pseudowires have been dimensioned on the expected ATM peak load, this should not pose any problem unless such failures occur during busy hours. Furthermore, even in this case, although such TE LSPs would carry more traffic than they have been dimensioned for, the real-time EF queue would be able to absorb the extra traffic without any severe QoS degradation.
Network Recovery for IPv6 VPN
Because the 6VPE approach relies on recursion over the IPv4 BGP next-hop address of the PE routers, the exact same IPv4 LSPs are used to transport IPv6 VPN traffic over the core (from PE router to PE router) as those used to transport the IPv4 VPN traffic or IPv4 Internet traffic. This means that the IPv6 VPN traffic automatically inherits the benefits of core features applied to these IPv4 LSPs. In particular, the IPv6 VPN traffic is automatically protected in Globenet's network by MPLS Fast Reroute (and fast IS-IS convergence) exactly like the IPv4 VPN traffic without any additional mechanisms or configuration needed.
