SR-TE Pt. 4 (Automated Steering)

The main method for steering traffic into an SR-TE policy is by using Automated Steering. With Automated Steering, the color of a BGP route determines the SR-TE policy that is used for traffic matching the given route. The color is an extcommunity attribute, which is extcommunity type 11. Remember that the color is just a numerical value.

Upon receiving a BGP route with a color value, the router checks whether it has a matching SR-TE policy. The color of the policy must match the color value on the route, and the policy’s endpoint must match the BGP route’s nexthop. If there is a match, the router installs a route towards that BGP destination via the SR-TE policy, not via the nexthop.

The idea behind this is that a modern service provider network will use BGP for all services. It will use EVPN for L2VPN and of course vpnv4 for L3VPN. Therefore, any traffic that you’d like to steer into an SR-TE policy should have a BGP route in which you can set the color value.

With Automated Steering, the ingress PE does not need any extra configuration besides the SR-TE policies themselves. The egress PE is the router which sets the color extcommunity value on a route. The route may be received from a CE or be an L2VPN route. The PE advertises this to the RR which reflects it to all other PEs. You can think of this as the egress PE saying “I want this traffic to reach me via this SR-TE policy.”

The beauty in this method is that a full mesh of TE tunnels is no longer needed, as with RSVP-TE. A single router can signal to all other PEs in the network to use a particular policy. In fact, the customer themselves could set SLA preference on their routes by setting the color value on routes advertised to the PE. Similar to the SP giving the customer a set of communities for BGP TE purposes (set localpref, etc), the SP could give the customer a set of color values (10=low delay, etc) which the customer could use. The more likely scenario would actually be to give the customer a list of communities and the PE would match these communities and set color accordingly.

Let’s explore this in the lab to fully understand how this works.

Lab

In order to demonstrate Automated Steering, we need BGP service routes. Using the topology from the previous article, we will add a customer VRF called CUSTOMER_A and two CEs, CE1 and CE2. R2 will be the RR.

Here is the additional config:

#CE1
hostname CE1
!
int Gi1
 ip address 100.64.0.2 255.255.255.252
 no shut
!
int lo0
 ip address 10.1.1.1 255.255.255.0
!
router bgp 65000
 neighbor 100.64.0.1 remote-as 100
 network 10.1.1.0 mask 255.255.255.0

#CE2
hostname CE2
!
int Gi1
 ip address 100.64.0.6 255.255.255.252
 no shut
!
int lo0
 ip address 10.1.2.1 255.255.255.0
!
router bgp 65001
 neighbor 100.64.0.5 remote-as 100
 network 10.1.2.0 mask 255.255.255.0

#R1
vrf CUSTOMER_A
 address-family ipv4 unicast
  import route-target 100:1
  export route-target 100:1
!
int Gi0/0/0/1
 vrf CUSTOMER_A
 ip address 100.64.0.1/30
 no shut
!
router bgp 100
 address-family ipv4 unicast
 address-family vpnv4 unicast
 neighbor 2.2.2.2
  remote-as 100
  update-source lo0
   address-family vpnv4 unicast
 vrf CUSTOMER_A
  rd 100:1
  address-family ipv4 unicast
  neighbor 100.64.0.2
   remote-as 65000
   address-family ipv4 unicast
    route-policy PASS in
    route-policy PASS out
!
route-policy PASS
 pass
end-policy

#R2
router bgp 100
 address-family vpnv4 unicast
 neighbor 1.1.1.1
  remote-as 100
  update-source lo0
  address-family vpnv4 unicast
   route-reflector-client
 neighbor 6.6.6.6
  remote-as 100
  update-source lo0
  address-family vpnv4 unicast
   route-reflector-client

#R6
vrf CUSTOMER_A
 address-family ipv4 unicast
  import route-target 100:1
  export route-target 100:1
!
int Gi0/0/0/2
 vrf CUSTOMER_A
 ip address 100.64.0.5/30
 no shut
!
router bgp 100
 address-family ipv4 unicast
 address-family vpnv4 unicast
 neighbor 2.2.2.2
  remote-as 100
  update-source lo0
   address-family vpnv4 unicast
 vrf CUSTOMER_A
  rd 100:1
  address-family ipv4 unicast
  neighbor 100.64.0.6
   remote-as 65001
   address-family ipv4 unicast
    route-policy PASS in
    route-policy PASS out
!
route-policy PASS
 pass
end-policy

The route received from R6 is currently not valid on R1, because R1 does not have a route to 6.6.6.6 in its global table. Same for the route received from R1 on R6.

RP/0/RP0/CPU0:R1#show bgp vrf CUSTOMER_A | beg Network
Tue Sep  6 20:08:36.311 UTC
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf CUSTOMER_A)
*> 10.1.1.0/24        100.64.0.2               0             0 65000 i
* i10.1.2.0/24        6.6.6.6                  0    100      0 65001 i

To work around this, R1 and R6 will each advertise their own Lo0 with the label-index value set to their prefix SID index. This is essentially Unified MPLS but using SR instead of dynamically allocated label values. Remember that the SRGB must be set globally in order to allow BGP to reserve a label in the SRGB based on the received index value of the route.

With inter-domain SR, we technically do not need labeled reachability between the PEs in other domains if we have a PCE. We could get away with a null0 route for each /32 on R1 and R6 in order to make the BGP routes valid. Each PE would ask the PCE to calculate the policy and reachability would be achieved using SR-TE. Better than using a null0 route would be to use the BGP knob nexthop validation color-extcomm sr-policy (but this does not appear to be available in XRv9k). However, doing Unified MPLS with SR is good practice.

#R1
segment-routing global-block 16000 23999
!
route-policy SID($SID)
 set label-index $SID
end-policy
!
router bgp 100
 address-family ipv4 unicast
  network 1.1.1.1/32 route-policy SID(1)
  allocate-label all
 neighbor 2.2.2.2
  address-family ipv4 labeled-unicast

#R2
segment-routing global-block 16000 23999
!
router bgp 100
 ibgp policy out enforce-modifications
 address-family ipv4 unicast
  allocate-label all
 neighbor 1.1.1.1
  address-family ipv4 labeled-unicast
   route-reflector-client
   next-hop-self
 neighbor 6.6.6.6
  address-family ipv4 labeled-unicast
   route-reflector-client
   next-hop-self

#R6
segment-routing global-block 16000 23999
!
route-policy SID($SID)
 set label-index $SID
end-policy
!
router bgp 100
 address-family ipv4 unicast
  network 6.6.6.6/32 route-policy SID(6)
  allocate-label all
 neighbor 2.2.2.2
  address-family ipv4 labeled-unicast

The route is now accepted at each PE. The CEs have reachability to each other.

CE1#traceroute 10.1.2.1 source lo0 probe 1
Type escape sequence to abort.
Tracing the route to 10.1.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 100.64.0.1 5 msec
  2 10.1.2.2 [AS 65001] [MPLS: Labels 16006/24002 Exp 0] 16 msec
  3 10.2.5.5 [MPLS: Labels 16006/24002 Exp 0] 30 msec
  4 10.5.6.6 [MPLS: Label 24002 Exp 0] 17 msec
  5 100.64.0.6 9 msec

Let’s create an inbound policy on R6 that sets routes from CE2 to have the color red (which is a value of 20). The LSP from R1 to R6 should then take the path R1-R2-R3-R4-R6 for routes received from R6.

#R6
extcommunity-set opaque RED
 20
end-set
!
route-policy SET_COLOR_RED
 set extcommunity color RED
end-policy
!
router bgp 100
 vrf CUSTOMER_A
  neighbor 100.64.0.6
   address-family ipv4 unicast
    route-policy SET_COLOR_RED in

On R1, no configuration is needed in order for traffic matching the 10.1.2.0/24 route to be steered into the RED policy. We can see that the route has the “color 20” extcommunity value. R1 finds that BSID 24005 corresponds to this policy.

• Pcap of the route reflected from R6 to R1 with the color value set. (0x14 in hex is 20).

RP/0/RP0/CPU0:R1#show bgp vrf CUSTOMER_A 10.1.2.0/24
Tue Sep  6 21:01:36.682 UTC
BGP routing table entry for 10.1.2.0/24, Route Distinguisher: 100:1
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                 15          15
Last Modified: Sep  6 21:01:22.918 for 00:00:13
Paths: (1 available, best #1)
  Advertised to CE peers (in unique update groups):
    100.64.0.2      
  Path #1: Received by speaker 0
  Advertised to CE peers (in unique update groups):
    100.64.0.2      
  65001
    6.6.6.6 C:20 (bsid:24005) (metric 2) from 2.2.2.2 (6.6.6.6)
      Received Label 24002 
      Origin IGP, metric 0, localpref 100, valid, internal, best, group-best, import-candidate, imported
      Received Path ID 0, Local Path ID 1, version 15
      Extended community: Color:20 RT:100:1 
      Originator: 6.6.6.6, Cluster list: 2.2.2.2
      SR policy color 20, up, not-registered, bsid 24005

      Source AFI: VPNv4 Unicast, Source VRF: CUSTOMER_A, Source Route Distinguisher: 100:1

RP/0/RP0/CPU0:R1#show segment-routing traffic-eng policy tabular 
Tue Sep  6 21:02:55.177 UTC

 Color             Endpoint  Admin   Oper              Binding
                             State  State                  SID
------ -------------------- ------ ------ --------------------
    20              6.6.6.6     up     up                24005
    30              6.6.6.6     up     up                24003
    10              6.6.6.6     up   down                 None

If we examine CEF on R1 we can see the details of how the BGP route was translated to the CEF entry:

RP/0/RP0/CPU0:R1#show cef vrf CUSTOMER_A 10.1.2.0/24
Tue Sep  6 21:03:39.577 UTC
10.1.2.0/24, version 13, internal 0x5000001 0x30 (ptr 0xd78a708) [1], 0x0 (0xe13c9f0), 0xa08 (0xe87c2e8)
 Updated Sep  6 21:01:22.618
 Prefix Len 24, traffic index 0, precedence n/a, priority 3
   via local-label 24005, 3 dependencies, recursive [flags 0x6000]
    path-idx 0 NHID 0x0 [0xd8d19f8 0x0]
    recursion-via-label
    next hop VRF - 'default', table - 0xe0000000
    next hop via 24005/0/21
     next hop srte_c_20_ep labels imposed {ImplNull 24002}

Here is the process that took place on R1:

• R1 receives route 10.1.2.0/24 from R6 with color = 20

• R1 finds that it has a policy for color = 20, endpoint = R6 with BSID 24005

• R1 installs this into CEF with a request to do recursion via the label 24005

• CEF finds that the policy srte_c_20_ep_6.6.6.6 corresponds to this BSID. There is no nexthop, so the top label is ImplNull. The nexthop is really the policy, which pushes {16002, 16003, 16006}. The service label learned from R6 for 10.1.2.0/24 is 24002, which is the bottom label.

Remember that all of this took place on R1 with no intervention from the operator. As long as R1 has a matching SR-TE policy (color matches the BGP extcommunity value, and endpoint matches the BGP nexthop), this happens automatically. This is thanks to interworking between BGP, SR-TE, and the FIB. Now you can appreciate the meaning of the term “Automated Steering.”

We can see that traffic from CE1 destined for 10.1.2.0/24 is steered along the RED path:

CE1#traceroute 10.1.2.1 source lo0 probe 1
Type escape sequence to abort.
Tracing the route to 10.1.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 100.64.0.1 12 msec
  2 10.1.2.2 [AS 65001] [MPLS: Labels 16003/16006/24002 Exp 0] 34 msec
  3 10.2.3.3 [MPLS: Labels 16006/24002 Exp 0] 27 msec
  4 10.3.4.4 [MPLS: Labels 16006/24002 Exp 0] 36 msec
  5 10.4.6.6 [MPLS: Label 24002 Exp 0] 35 msec
  6 100.64.0.6 23 msec

Conclusion

The power of Automated Steering is scale. Imagine that this customer had many different locations, with the VRF defined on 30 different PEs. As long as the associated policy with the color and endpoint exists on each PE, all PEs will steer traffic using the corresponding SR-TE policy upon receiving the route with color=20. This eliminates the need for a full-mesh of TE tunnels as you would need in RSVP-TE.

But does this mean that each of the 30 PEs would need 29 different policies, one for each endpoint? Right now, the answer would be yes. But with On-Demand Nexthop (ODN), we can create a template that uses a “wildcard” endpoint. As long as the PE receiving the BGP route has an ODN SR-TE policy with a matching color value, the router will dynamically calculate a path using the BGP nexthop as the endpoint. We’ll explore ODN in the next article.