As shown in Figure 1, the primary CR-LSP is along the path LSRA -> LSRB -> LSRC -> LSRD, and the link between LSRB and LSRC needs to be protected by TE FRR.
A bypass CR-LSP is set up along the path LSRB -> LSRE -> LSRC. LSRB functions as the PLR and LSRC functions as the MP.
The primary and bypass MPLS TE tunnels are set up by using explicit paths. RSVP-TE is used as the signaling protocol.
RSVP authentication needs to be configured on LSRB and LSRC.
In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and connected interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an interface on the network will be blocked. As a result, Layer 3 services on the network cannot run normally.
The configuration roadmap is as follows:
Configure manual TE FRR.
Configure RSVP authentication on LSRB and LSRC to prevent forged Resv messages from consuming network resources.
Configure the primary and bypass MPLS TE tunnels according to Example for Configuring Manual TE FRR, and then bind the two tunnels.
The Handshake function and local password are configured to check whether RSVP authentication is configured successfully.
The neighbor node is identified by its LSR-ID; therefore, you must enable CSPF on the two neighboring devices where RSVP authentication is required.
# Configure RSVP authentication on LSRB.
[LSRB] mpls rsvp-te peer 3.3.3.9
[LSRB-mpls-rsvp-te-peer-3.3.3.9] mpls rsvp-te authentication cipher Huawei@1234
[LSRB-mpls-rsvp-te-peer-3.3.3.9] mpls rsvp-te authentication handshake
[LSRB-mpls-rsvp-te-peer-3.3.3.9] quit
# Configure RSVP authentication on LSRC.
[LSRC] mpls
[LSRC-mpls] mpls te cspf
[LSRC-mpls] quit
[LSRC] mpls rsvp-te peer 2.2.2.9
[LSRC-mpls-rsvp-te-peer-2.2.2.9] mpls rsvp-te authentication cipher Huawei@1234
[LSRC-mpls-rsvp-te-peer-2.2.2.9] mpls rsvp-te authentication handshake
[LSRC-mpls-rsvp-te-peer-2.2.2.9] quit
Run the display mpls rsvp-te statistics global command on LSRB to view the status of RSVP authentication. If the command output shows that the values of SendChallengeMsgCounter, RecChallengeMsgCounter, SendResponseMsgCounter, and RecResponseMsgCounter are not zero, the PLR and the MP have completed the handshake with each other and RSVP authentication is configured successfully.
[LSRB] display mpls rsvp-te statistics global
LSR ID: 2.2.2.9                     LSP Count: 2
PSB Count: 2                        RSB Count: 2
RFSB Count: 1

Total Statistics Information:
PSB CleanupTimeOutCounter: 0        RSB CleanupTimeOutCounter: 1
SendPacketCounter: 81               RecPacketCounter: 82
SendCreatePathCounter: 12           RecCreatePathCounter: 16
SendRefreshPathCounter: 41          RecRefreshPathCounter: 12
SendCreateResvCounter: 3            RecCreateResvCounter: 6
SendRefreshResvCounter: 11          RecRefreshResvCounter: 26
SendResvConfCounter: 0              RecResvConfCounter: 0
SendHelloCounter: 0                 RecHelloCounter: 0
SendAckCounter: 0                   RecAckCounter: 0
SendPathErrCounter: 0               RecPathErrCounter: 0
SendResvErrCounter: 0               RecResvErrCounter: 0
SendPathTearCounter: 7              RecPathTearCounter: 5
SendResvTearCounter: 1              RecResvTearCounter: 1
SendSrefreshCounter: 3              RecSrefreshCounter: 6
SendAckMsgCounter: 3                RecAckMsgCounter: 3
SendChallengeMsgCounter: 1          RecChallengeMsgCounter: 1
SendResponseMsgCounter: 1           RecResponseMsgCounter: 1
SendErrMsgCounter: 0                RecErrMsgCounter: 0
SendRecoveryPathMsgCounter: 0       RecRecoveryPathMsgCounter: 0
SendGRPathMsgCounter: 0             RecGRPathMsgCounter: 0
ResourceReqFaultCounter: 0          RecGRPathMsgFromLSPMCounter: 0
Bfd neighbor count: 3               Bfd session count: 0
# Shut down the protected outbound interface on LSRB.
[LSRB] interface vlanif 200
[LSRB-Vlanif200] shutdown
[LSRB-Vlanif200] quit
[LSRA] display interface tunnel 1
Tunnel1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2013-01-21 10:58:49
Description: ...
Run the tracert lsp te tunnel 1 command on LSRA. You can view the path that the tunnel passes.
[LSRA] tracert lsp te tunnel 1
LSP Trace Route FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel1 , press CTRL_C to break.
TTL   Replier      Time   Type      Downstream
0                         Ingress   172.1.1.2/[1037 ]
1     172.1.1.2    1 ms   Transit   172.4.1.2/[1045 1027 ]
2     172.4.1.2    1 ms   Transit   172.5.1.2/[3 ]
3     172.5.1.2    2 ms   Transit   172.3.1.2/[3 ]
4     4.4.4.9      2 ms   Egress
The preceding information shows that services on the link have been switched to the bypass CR-LSP.
Run the display mpls te tunnel name Tunnel1 verbose command on LSRB. You can see that the bypass CR-LSP is in use.
[LSRB] display mpls te tunnel name Tunnel1 verbose
No : 1
Tunnel-Name : Tunnel1
Tunnel Interface Name : -
TunnelIndex : 1
LSP Index : 2049
Session ID : 100
LSP ID : 8
LSR Role : Transit
Ingress LSR ID : 1.1.1.9
Egress LSR ID : 4.4.4.9
In-Interface : Vlanif100
Out-Interface : Vlanif200
Sign-Protocol : RSVP TE
Resv Style : SE
IncludeAnyAff : 0x0
ExcludeAnyAff : 0x0
IncludeAllAff : 0x0
ER-Hop Table Index : -
AR-Hop Table Index: 2
C-Hop Table Index : -
PrevTunnelIndexInSession: -
NextTunnelIndexInSession: -
PSB Handle : 8562
Created Time : 2013-09-16 19:14:37+00:00
RSVP LSP Type : -
--------------------------------
DS-TE Information
--------------------------------
Bandwidth Reserved Flag : Unreserved
CT0 Bandwidth(Kbit/sec) : 0       CT1 Bandwidth(Kbit/sec): 0
CT2 Bandwidth(Kbit/sec) : 0       CT3 Bandwidth(Kbit/sec): 0
CT4 Bandwidth(Kbit/sec) : 0       CT5 Bandwidth(Kbit/sec): 0
CT6 Bandwidth(Kbit/sec) : 0       CT7 Bandwidth(Kbit/sec): 0
Setup-Priority : 7                Hold-Priority : 7
--------------------------------
FRR Information
--------------------------------
Primary LSP Info
TE Attribute Flag : 0x63
Protected Flag : 0x1
Bypass In Use : In Use
Bypass Tunnel Id : 1280021547
BypassTunnel : Tunnel Index[Tunnel2], InnerLabel[1045]
Bypass LSP ID : 4
FrrNextHop : 172.5.1.2
ReferAutoBypassHandle : -
FrrPrevTunnelTableIndex : -
FrrNextTunnelTableIndex: -
Bypass Attribute(Not configured)
Setup Priority : -                Hold Priority : -
HopLimit : -                      Bandwidth : -
IncludeAnyGroup : -               ExcludeAnyGroup : -
IncludeAllGroup : -
Bypass Unbound Bandwidth Info(Kbit/sec)
CT0 Unbound Bandwidth : -         CT1 Unbound Bandwidth: -
CT2 Unbound Bandwidth : -         CT3 Unbound Bandwidth: -
CT4 Unbound Bandwidth : -         CT5 Unbound Bandwidth: -
CT6 Unbound Bandwidth : -         CT7 Unbound Bandwidth: -
--------------------------------
BFD Information
--------------------------------
NextSessionTunnelIndex : -        PrevSessionTunnelIndex: -
NextLspId : -                     PrevLspId : -
# Run the display mpls rsvp-te peer command to check whether the bypass CR-LSP is successfully set up.
[LSRB] display mpls rsvp-te peer
Remote Node id Neighbor
Neighbor Addr: -----
SrcInstance: 0x60128590           NbrSrcInstance: 0x0
PSB Count: 1                      RSB Count: 0
Hello Type Sent: NONE             SRefresh Enable: NO
Last valid seq # rcvd: NULL

Remote Node id Neighbor
Neighbor Addr: 3.3.3.9
SrcInstance: 0x60128590           NbrSrcInstance: 0x0
PSB Count: 0                      RSB Count: 1
Hello Type Sent: NONE             SRefresh Enable: NO
Last valid seq # rcvd: NULL

Interface: Vlanif100
Neighbor Addr: 172.1.1.1
SrcInstance: 0x60128590           NbrSrcInstance: 0x0
PSB Count: 1                      RSB Count: 0
Hello Type Sent: NONE             SRefresh Enable: NO
Last valid seq # rcvd: NULL

Interface: Vlanif400
Neighbor Addr: 172.4.1.2
SrcInstance: 0x60128590           NbrSrcInstance: 0x0
PSB Count: 0                      RSB Count: 1
Hello Type Sent: NONE             SRefresh Enable: NO
Last valid seq # rcvd: NULL
The command output shows that the number of RSBs on the neighbor of LSRB is not zero. This indicates that RSVP authentication is successful on LSRB and its neighbor LSRC, and resources are successfully reserved.
LSRA configuration file
#
sysname LSRA
#
vlan batch 100
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
explicit-path pri-path
next hop 172.1.1.2
next hop 172.2.1.2
next hop 172.3.1.2
next hop 4.4.4.9
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0001.00
traffic-eng level-2
#
interface Vlanif100
ip address 172.1.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
isis enable 1
#
interface Tunnel1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 4.4.4.9
mpls te tunnel-id 100
mpls te record-route label
mpls te path explicit-path pri-path
mpls te fast-reroute
mpls te commit
#
return
LSRB configuration file
#
sysname LSRB
#
vlan batch 100 200 400
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls te timer fast-reroute 120
mpls rsvp-te
mpls te cspf
#
explicit-path by-path
next hop 172.4.1.2
next hop 172.5.1.2
next hop 3.3.3.9
#
mpls rsvp-te peer 3.3.3.9
mpls rsvp-te authentication cipher %^%#P>Z{S["[&0D+~^McJ#GX~ij}D%N|y;w4*D;M!WJE%^%#
mpls rsvp-te authentication handshake
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0002.00
traffic-eng level-2
#
interface Vlanif100
ip address 172.1.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif200
ip address 172.2.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif400
ip address 172.4.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 400
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
isis enable 1
#
interface Tunnel2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 3.3.3.9
mpls te tunnel-id 300
mpls te record-route
mpls te path explicit-path by-path
mpls te bypass-tunnel
mpls te protected-interface Vlanif200
mpls te commit
#
return
LSRC configuration file
#
sysname LSRC
#
vlan batch 200 300 500
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls rsvp-te peer 2.2.2.9
mpls rsvp-te authentication cipher %^%#ro:\V)kWU-"TK!'1!SZH&}Lv~B3:".zv!'R;!JyC%^%#
mpls rsvp-te authentication handshake
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0003.00
traffic-eng level-2
#
interface Vlanif200
ip address 172.2.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif300
ip address 172.3.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif500
ip address 172.5.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 500
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
isis enable 1
#
return
LSRD configuration file
#
sysname LSRD
#
vlan batch 300
#
mpls lsr-id 4.4.4.9
mpls
mpls te
mpls rsvp-te
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0004.00
traffic-eng level-2
#
interface Vlanif300
ip address 172.3.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 300
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
isis enable 1
#
return
LSRE configuration file
#
sysname LSRE
#
vlan batch 400 500
#
mpls lsr-id 5.5.5.9
mpls
mpls te
mpls rsvp-te
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0005.00
traffic-eng level-2
#
interface Vlanif400
ip address 172.4.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif500
ip address 172.5.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 400
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 500
#
interface LoopBack1
ip address 5.5.5.9 255.255.255.255
isis enable 1
#
return
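The settings this page requires on both RSVP neighbors (an authentication key and the handshake under each peer section, plus CSPF because the peer is identified by its LSR-ID) can be audited offline against saved configuration files. The Python script below is an added example, not part of the original page or of any Huawei tool; the function names, finding messages and sample configurations are constructed for illustration.

```python
import re

KEY_CMD = "mpls rsvp-te authentication cipher "
HANDSHAKE_CMD = "mpls rsvp-te authentication handshake"

def parse_config(text):
    """Extract RSVP-authentication facts; sections are split on '#' lines."""
    facts = {"lsr_id": None, "cspf": False, "peers": {}}
    for section in re.split(r"(?m)^#[ \t]*$", text):
        lines = [ln.strip() for ln in section.splitlines() if ln.strip()]
        head = lines[0] if lines else ""
        if m := re.fullmatch(r"mpls lsr-id (\S+)", head):
            facts["lsr_id"] = m.group(1)          # global MPLS section
            facts["cspf"] = "mpls te cspf" in lines
        elif m := re.fullmatch(r"mpls rsvp-te peer (\S+)", head):
            facts["peers"][m.group(1)] = {        # per-neighbor section
                "key": any(ln.startswith(KEY_CMD) for ln in lines),
                "handshake": HANDSHAKE_CMD in lines,
            }
    return facts

def audit_pair(cfg_a, cfg_b):
    """Return findings for two RSVP neighbors; an empty list means compliant."""
    a, b = parse_config(cfg_a), parse_config(cfg_b)
    findings = []
    for local, remote in ((a, b), (b, a)):
        me, nbr = local["lsr_id"], remote["lsr_id"]
        peer = local["peers"].get(nbr, {})        # {} if the section is absent
        if not local["cspf"]:
            findings.append(f"{me}: CSPF disabled, peer {nbr} is matched by LSR ID")
        if not peer.get("key"):
            findings.append(f"{me}: no authentication key for peer {nbr}")
        if not peer.get("handshake"):
            findings.append(f"{me}: handshake not enabled for peer {nbr}")
    return findings

# Constructed sample input; the key text is a placeholder, not real ciphertext.
TEMPLATE = """mpls lsr-id {me}
mpls
 mpls te
{cspf}
#
mpls rsvp-te peer {peer}
 mpls rsvp-te authentication cipher %^%#PLACEHOLDER%^%#
{handshake}
"""
LSRB = TEMPLATE.format(me="2.2.2.9", peer="3.3.3.9", cspf=" mpls te cspf",
                       handshake=" " + HANDSHAKE_CMD)
LSRC_WEAK = TEMPLATE.format(me="3.3.3.9", peer="2.2.2.9", cspf="", handshake="")
```

Calling audit_pair(LSRB, LSRC_WEAK) reports the missing CSPF and handshake lines on 3.3.3.9; a missing peer section is reported as both a missing key and a missing handshake.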