This section provides an example for configuring an SRv6-TE protection tunnel for route recursion in a dual-device hot backup scenario.
In the dual-device hot backup scenario shown in Figure 1, the user side is connected to BRAS1 and BRAS2 in the BGP networking through SW1 (LAN switch). A VRRP group is configured to allow BRAS1 and BRAS2 to back up each other. An SRv6-TE protection tunnel is configured on the network-side transit node Device. In normal cases, the network side delivers traffic to the master device (BRAS1). If interface 2 on the master device fails, network-side traffic is delivered to the backup device (BRAS2). BRAS2 rapidly and reliably forwards user services to BRAS1 through the SRv6-TE protection tunnel deployed on the network-side transit node Device.
In this example, interface1 and interface2 represent GE0/1/9 and GE0/1/8, respectively.
Device | Interface | IP Address |
---|---|---|
BRAS1 | GE0/1/9.1 | 10.1.1.1/24 (IP address of the interface running VRRP) |
BRAS1 | GE0/1/9.333 | Interface through which users go online |
BRAS1 | Loopback1 | 10.1.2.1/32 (IP address of BRAS1's interface with an RBS deployed) |
BRAS2 | GE0/1/9.1 | 10.1.1.2/24 (IP address of the interface running VRRP) |
BRAS2 | GE0/1/9.332 | Interface through which users go online |
BRAS2 | Loopback1 | 10.1.2.2/32 (IP address of BRAS2's interface with an RBS deployed) |
The configuration roadmap is as follows:
Configure VRRP and BFD on the access side of the master and backup BRASs (BRAS1 and BRAS2) to determine the master/backup status and implement fault association.
Configure basic user access functions and ensure that the two devices for backup have the same configuration. The configuration includes configuring AAA schemes, a RADIUS server group, and an IPv6 address pool.
Configure an AAA domain and bind the IPv6 address pool to it.
Configure a BAS interface and enable IPv6 on the interface.
Configure an RBS and an RBP.
Configure an SRv6-TE Policy on the public network.
To complete the configuration, you need the following data:
VRRP parameters (such as the VRRP ID and preemption delay)
BFD parameters (such as the local and remote discriminators of a BFD session and the expected minimum intervals at which BFD Control packets are sent and received)
IP address of each interface on BRAS1 and BRAS2
Backup ID, which works together with an RBS to identify an RBP to which users belong
User access parameters
The configuration on BRAS2 is similar to the configuration on BRAS1. The configuration on BRAS1 is used in this example. For details about the configuration on BRAS2, see the configuration file of BRAS2.
# Configure a BFD session to rapidly detect interface or link faults and trigger a master/backup VRRP switchover.
<HUAWEI> system-view
[~HUAWEI] sysname BRAS1
[*BRAS1] commit
[~BRAS1] bfd
[*BRAS1-bfd] quit
[*BRAS1] bfd bfd1 bind peer-ip 10.1.1.2
[*BRAS1-bfd-session-bfd1] discriminator local 8
[*BRAS1-bfd-session-bfd1] discriminator remote 6
[*BRAS1-bfd-session-bfd1] commit
[~BRAS1-bfd-session-bfd1] quit
# Configure a VRRP group on an interface (GE0/1/9.1 is used as an example), and configure VRRP to track the BFD session and network-side interfaces.
[~BRAS1] interface GigabitEthernet 0/1/9.1
[*BRAS1-GigabitEthernet0/1/9.1] vlan-type dot1q 1
[*BRAS1-GigabitEthernet0/1/9.1] ip address 10.1.1.1 255.255.255.0
[*BRAS1-GigabitEthernet0/1/9.1] vrrp vrid 1 virtual-ip 10.1.1.100
[*BRAS1-GigabitEthernet0/1/9.1] admin-vrrp vrid 1
[*BRAS1-GigabitEthernet0/1/9.1] vrrp vrid 1 priority 180
[*BRAS1-GigabitEthernet0/1/9.1] vrrp vrid 1 preempt-mode timer delay 60
[*BRAS1-GigabitEthernet0/1/9.1] vrrp vrid 1 track interface GigabitEthernet 0/1/9 reduced 50
[*BRAS1-GigabitEthernet0/1/9.1] vrrp vrid 1 track bfd-session 8 peer
[*BRAS1-GigabitEthernet0/1/9.1] vrrp recover-delay 20
[*BRAS1-GigabitEthernet0/1/9.1] commit
[~BRAS1-GigabitEthernet0/1/9.1] quit
[~BRAS1] radius-server group radius
[*BRAS1-radius-radius] radius-server authentication 192.168.7.249 1812
[*BRAS1-radius-radius] radius-server accounting 192.168.7.249 1813
[*BRAS1-radius-radius] radius-server shared-key-cipher huawei_123
[*BRAS1-radius-radius] commit
[*BRAS1-radius-radius] quit
[~BRAS1] aaa
[~BRAS1-aaa] domain dom1
[*BRAS1-aaa-domain-dom1] authentication-scheme radius
[*BRAS1-aaa-domain-dom1] accounting-scheme radius
[*BRAS1-aaa-domain-dom1] radius-server group radius
[*BRAS1-aaa-domain-dom1] commit
[~BRAS1-aaa-domain-dom1] ipv6-pool pool1
[~BRAS1-aaa-domain-dom1] quit
[~BRAS1-aaa] quit
[~BRAS1] interface GigabitEthernet 0/1/9.333
[*BRAS1-GigabitEthernet0/1/9.333] commit
[~BRAS1-GigabitEthernet0/1/9.333] ipv6 enable
[*BRAS1-GigabitEthernet0/1/9.333] ipv6 address auto link-local
[*BRAS1-GigabitEthernet0/1/9.333] commit
[~BRAS1-GigabitEthernet0/1/9.333] user-vlan 5
[~BRAS1-GigabitEthernet0/1/9.333-vlan-5] bas
[*BRAS1-GigabitEthernet0/1/9.333-bas] access-type layer2-subscriber default-domain authentication dom1
[*BRAS1-GigabitEthernet0/1/9.333-bas] authentication-method-ipv6 bind
[*BRAS1-GigabitEthernet0/1/9.333-bas] commit
[~BRAS1-GigabitEthernet0/1/9.333-bas] quit
[~BRAS1-GigabitEthernet0/1/9.333] quit
# Configure an IP address for the protection tunnel interface.
[~BRAS1] interface loopback1
[*BRAS1-loopback1] ip address 10.1.2.1 255.255.255.255
[*BRAS1-loopback1] commit
[~BRAS1-loopback1] quit
# Configure an RBS.
[~BRAS1] remote-backup-service rui
[*BRAS1-rm-backup-srv-rui] peer 10.1.2.2 source 10.1.2.1 port 6001
[*BRAS1-rm-backup-srv-rui] track interface GigabitEthernet0/1/8
[*BRAS1-rm-backup-srv-rui] ipv6-pool pool1
[*BRAS1-rm-backup-srv-rui] commit
[~BRAS1-rm-backup-srv-rui] quit
# Configure an RBP.
[~BRAS1] remote-backup-profile p1
[*BRAS1-rm-backup-prf-p1] service-type bras
[*BRAS1-rm-backup-prf-p1] backup-id 101 remote-backup-service rui
[*BRAS1-rm-backup-prf-p1] peer-backup hot
[*BRAS1-rm-backup-prf-p1] vrrp-id 1 interface gigabitethernet 0/1/9.1
[*BRAS1-rm-backup-prf-p1] commit
[~BRAS1-rm-backup-prf-p1] quit
# Bind the RBP to the interface through which users go online.
[~BRAS1] interface gigabitethernet 0/1/9.333
[*BRAS1-GigabitEthernet0/1/9.333] remote-backup-profile p1
[*BRAS1-GigabitEthernet0/1/9.333] commit
[~BRAS1-GigabitEthernet0/1/9.333] quit
Currently, only public network SRv6-TE Policies that support USD recursion can be used as RUI traffic protection tunnels. Ensure that the SRv6-TE Policy tunnel mode is Encaps or Insert&Encaps and the egress of the tunnel supports the USD capability.
[~BRAS1] remote-backup-service rui
[*BRAS1-rm-backup-srv-rui] protect srv6 tunnel-policy p1 endpoint 3::3 color 101
[*BRAS1-rm-backup-srv-rui] commit
[~BRAS1-rm-backup-srv-rui] quit
# Display the status of the SRv6-TE Policy.
<BRAS1> display srv6-te policy policy-name policy1
PolicyName : policy1
Color : 101
Endpoint : 3::3
TunnelId : 1
Binding SID : 10::100
TunnelType : SRv6-TE Policy
DelayTimerRemain : -
Policy State : Up
State Change Time : 2021-03-11 01:40:48
Admin State : Up
Traffic Statistics : Disable
Backup Hot-Standby : Disable
BFD : Disable
Interface Index : -
Interface Name : -
Interface State : -
Encapsulation Mode : Insert&Encaps
Candidate-path Count : 1
Candidate-path Preference : 100
Path State : Active
Path Type : Primary
Protocol-Origin : Configuration(30)
Originator : 0, 0.0.0.0
Discriminator : 100
Binding SID : 10::100
GroupId : 1
Policy Name : policy1
Template ID : 0
Path Verification : Enable
DelayTimerRemain : -
Segment-List Count : 1
Segment-List : list1
Segment-List ID : 2
XcIndex : 8193
List State : Up
DelayTimerRemain : -
Verification State : Up
SuppressTimeRemain : -
PMTU : 9600
Active PMTU : 9600
Weight : 1
BFD State : -
SID : 20::1:0:7C 30::200
# Display whether the egress of the SRv6-TE Policy supports the USD capability.
<BRAS1> display segment-routing ipv6 local-sid end 30::200 forwarding
My Local-SID End Forwarding Table
---------------------------------
SID : 30::200/128
FuncType : End
Flavor : PSP USP USD
LocatorName : as1
LocatorID : 1
ProtocolType: STATIC
ProcessID : --
UpdateTime : 2021-03-10 14:36:31.973
Total SID(s): 1
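The two display checks above can be run as an automated gate before the protection tunnel is relied on. The following Python is an added example, not part of the original document; it assumes the display output has been saved as text with one field per line and that the last SID in the segment list is the egress End SID, and its sample text is constructed from the values shown above.

```python
import ipaddress
import re

ALLOWED_MODES = {"Encaps", "Insert&Encaps"}  # modes the note above permits

# Constructed text: a subset of the fields shown above, one field per line.
POLICY_OUTPUT = """\
PolicyName : policy1
Policy State : Up
Encapsulation Mode : Insert&Encaps
Binding SID : 10::100
Segment-List : list1
SID : 20::1:0:7C 30::200
"""
LOCAL_SID_OUTPUT = """\
SID : 30::200/128
FuncType : End
Flavor : PSP USP USD
"""

def field(text, name):
    """Return the value after 'name :' on a line that starts with name, else None."""
    m = re.search(r"^[ \t]*" + re.escape(name) + r"[ \t]*:[ \t]*(.*?)[ \t]*$", text, re.M)
    return m.group(1) if m else None

def same_sid(a, b):
    """Compare two IPv6 SIDs numerically so 20::1:0:7C equals 20::1:0:7c."""
    try:
        return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)
    except ValueError:
        return False

def tunnel_problems(policy_text, local_sid_text):
    """Return the failed pre-checks; an empty list means the tunnel qualifies."""
    problems = []
    if field(policy_text, "Policy State") != "Up":
        problems.append("policy state is not Up")
    mode = field(policy_text, "Encapsulation Mode")
    if mode not in ALLOWED_MODES:
        problems.append(f"encapsulation mode {mode} is not Encaps or Insert&Encaps")
    sids = (field(policy_text, "SID") or "").split()
    egress = sids[-1] if sids else ""  # assumption: last SID is the egress End SID
    local = (field(local_sid_text, "SID") or "").split("/")[0]
    if not same_sid(egress, local):
        problems.append("local-sid output is not for the policy's last SID")
    if "USD" not in (field(local_sid_text, "Flavor") or "").split():
        problems.append("egress SID lacks the USD flavor")
    return problems
```
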
BRAS1 configuration file
#
sysname BRAS1
#
radius-server group radius
radius-server shared-key-cipher %^%#glhJ;yPG#$=tC&(Is%q!S_";(k.Ef$:978$$e:TY%^%
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
#
bfd
#
ipv6 prefix prefix1 local
prefix 2001::/64
#
ipv6 pool pool1 bas local
prefix prefix1
#
remote-backup-service rui
peer 10.1.2.2 source 10.1.2.1 port 6001
track interface GigabitEthernet0/2/1
protect srv6 tunnel-policy p1 endpoint 3::3 color 101
ipv6-pool pool1
#
remote-backup-profile p1
service-type bras
backup-id 1 remote-backup-service rui
peer-backup hot
vrrp-id 1 interface GigabitEthernet0/2/1.1
#
aaa
authentication-scheme radius
accounting-scheme radius
#
domain dom1
authentication-scheme radius
accounting-scheme radius
radius-server group radius
ipv6-pool pool1
#
segment-routing ipv6
locator PE1 ipv6-prefix 2001:DB8:11::10 64 static 32
opcode ::200 end psp-usp-usd
srv6-te-policy locator PE1
srv6-te-policy path verification enable
segment-list list1
index 5 sid ipv6 2001:DB8:120::10
index 10 sid ipv6 2001:DB8:21::10
srv6-te policy policy1 endpoint 3::3 color 101
binding-sid 10::100
candidate-path preference 100
segment-list list1
#
interface GigabitEthernet0/2/1.1
vlan-type dot1q 1
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.100
admin-vrrp vrid 1
vrrp vrid 1 priority 180
vrrp vrid 1 preempt-mode timer delay 60
vrrp vrid 1 track interface GigabitEthernet0/2/1 reduced 50
vrrp vrid 1 track bfd-session 8 peer
vrrp recover-delay 20
#
interface GigabitEthernet0/2/1.333
ipv6 enable
ipv6 address auto link-local
statistic enable
user-vlan 5
remote-backup-profile p1
bas
#
access-type layer2-subscriber default-domain authentication dom1
authentication-method-ipv6 bind
#
#
interface LoopBack1
ipv6 enable
ip address 10.1.2.1 255.255.255.255
ipv6 address 1::1/64
#
bgp 100
router-id 1.1.1.1
peer 22.22.22.23 as-number 100
peer 22.22.22.23 connect-interface LoopBack1
peer 3::3 as-number 100
peer 3::3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
import-route direct
import-route unr
unicast-route recursive-lookup tunnel-v6 tunnel-selector slave
segment-routing ipv6 locator as1
segment-routing ipv6 traffic-engineer
peer 22.22.22.23 enable
peer 3::3 enable
peer 3::3 route-policy p1 import
peer 3::3 advertise-ext-community
peer 3::3 prefix-sid
#
ipv6-family unicast
undo synchronization
preference 255 1 255
import-route direct
import-route unr
unicast-route recursive-lookup tunnel-v6 tunnel-selector slave
segment-routing ipv6 locator as1
segment-routing ipv6 traffic-engineer
peer 3::3 enable
peer 3::3 route-policy p1 import
peer 3::3 advertise-ext-community
peer 3::3 prefix-sid
#
route-policy p1 permit node 10
apply extcommunity color 0:101
#
route-policy rui permit node 1
if-match ip-prefix 192
apply cost 10
#
ip ip-prefix 192 index 10 permit 1.1.1.0 24
#
tunnel-policy p1
tunnel select-seq ipv6 srv6-te-policy load-balance-number 1
#
bfd bfd1 bind peer-ip 10.1.1.2
discriminator local 8
discriminator remote 6
#
return
BRAS2 configuration file
#
sysname BRAS2
#
radius-server group radius
radius-server shared-key-cipher %^%#glhJ;yPG#$=tC&(Is%q!S_";(k.Ef$:978$$e:TY%^%
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
#
bfd
#
ipv6 prefix prefix1 local
prefix 2001::/64
#
ipv6 pool pool1 bas local
prefix prefix1
#
remote-backup-service rui
peer 10.1.2.1 source 10.1.2.2 port 6001
track interface GigabitEthernet0/2/1
protect srv6 tunnel-policy p1 endpoint 3::3 color 101
ipv6-pool pool1
#
remote-backup-profile p1
service-type bras
backup-id 1 remote-backup-service rui
peer-backup hot
vrrp-id 1 interface GigabitEthernet0/2/1.1
#
aaa
authentication-scheme radius
accounting-scheme radius
#
domain dom1
authentication-scheme radius
accounting-scheme radius
radius-server group radius
ipv6-pool pool1
#
segment-routing ipv6
locator PE2 ipv6-prefix 2001:DB8:21:: 64 static 32
opcode ::200 end psp-usp-usd
srv6-te-policy locator PE2
srv6-te-policy path verification enable
segment-list list1
index 5 sid ipv6 2001:DB8:120::10
index 10 sid ipv6 2001:DB8:11::10
srv6-te policy policy1 endpoint 3::3 color 101
binding-sid 10::100
candidate-path preference 100
segment-list list1
#
interface GigabitEthernet0/2/1.1
vlan-type dot1q 1
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.100
admin-vrrp vrid 1
vrrp vrid 1 priority 180
vrrp vrid 1 preempt-mode timer delay 60
vrrp vrid 1 track interface GigabitEthernet0/2/1 reduced 50
vrrp vrid 1 track bfd-session 8 peer
vrrp recover-delay 20
#
interface GigabitEthernet0/2/1.332
ipv6 enable
ipv6 address auto link-local
statistic enable
user-vlan 5
remote-backup-profile p1
bas
#
access-type layer2-subscriber default-domain authentication dom1
authentication-method-ipv6 bind
#
#
interface LoopBack1
ipv6 enable
ip address 10.1.2.2 255.255.255.255
ipv6 address 1::1/64
#
bgp 100
router-id 1.1.1.1
peer 22.22.22.23 as-number 100
peer 22.22.22.23 connect-interface LoopBack1
peer 3::3 as-number 100
peer 3::3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
import-route direct
import-route unr
unicast-route recursive-lookup tunnel-v6 tunnel-selector slave
segment-routing ipv6 locator as1
segment-routing ipv6 traffic-engineer
peer 22.22.22.23 enable
peer 3::3 enable
peer 3::3 route-policy p1 import
peer 3::3 advertise-ext-community
peer 3::3 prefix-sid
#
ipv6-family unicast
undo synchronization
preference 255 1 255
import-route direct
import-route unr
unicast-route recursive-lookup tunnel-v6 tunnel-selector slave
segment-routing ipv6 locator as1
segment-routing ipv6 traffic-engineer
peer 3::3 enable
peer 3::3 route-policy p1 import
peer 3::3 advertise-ext-community
peer 3::3 prefix-sid
#
route-policy p1 permit node 10
apply extcommunity color 0:101
#
route-policy rui permit node 1
if-match ip-prefix 192
apply cost 10
#
ip ip-prefix 192 index 10 permit 1.1.1.0 24
#
tunnel-policy p1
tunnel select-seq ipv6 srv6-te-policy load-balance-number 1
#
bfd bfd1 bind peer-ip 10.1.1.1
discriminator local 8
discriminator remote 6
#
return
#
sysname PE
#
segment-routing ipv6
encapsulation source-address 2001:DB8:2::2
locator PE ipv6-prefix 2001:DB8:120:: 64 static 32
opcode ::10 end psp
#
isis 1
is-level level-1
cost-style wide
network-entity 10.0000.0000.0001.00
#
ipv6 enable topology ipv6
segment-routing ipv6 locator aa
#
#
interface GigabitEthernet0/1/0
undo shutdown
ipv6 enable
ipv6 address 2001:DB8:10::2/64
isis ipv6 enable 1
#
interface GigabitEthernet0/1/8
undo shutdown
ipv6 enable
ipv6 address 2001:DB8:20::1/64
#
interface LoopBack1
ipv6 enable
ipv6 address 2001:DB8:2::2/64
isis ipv6 enable 1
#
return
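The roadmap requires both BRASs to carry the same user-access configuration, and the RBS peer and source addresses in the two BRAS configuration files point at each other. The following Python is an added example, not part of the original document, that checks both properties on two saved configurations; the section names come from this page, the sample text is a constructed excerpt, and the rule that backup-id must match is an assumption based on the two files above using the same value.

```python
import re

# Sections that must be identical on both BRASs (names taken from this page).
SHARED = ("radius-server group radius", "domain dom1")
RBS, RBP = "remote-backup-service rui", "remote-backup-profile p1"
# Constructed excerpt in the page's '#'-delimited layout; not a full device file.
BRAS1_CFG = """\
radius-server group radius
radius-server authentication 192.168.7.249 1812 weight 0
#
remote-backup-service rui
peer 10.1.2.2 source 10.1.2.1 port 6001
#
remote-backup-profile p1
backup-id 1 remote-backup-service rui
#
domain dom1
radius-server group radius
ipv6-pool pool1
"""
BRAS2_CFG = BRAS1_CFG.replace("10.1.2.2 source 10.1.2.1", "10.1.2.1 source 10.1.2.2")

def sections(cfg):
    """Map each section's first line to the set of lines that follow it."""
    out = {}
    for block in re.split(r"^#\s*$", cfg, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            out[lines[0]] = set(lines[1:])
    return out

def first_match(body, pattern):
    """Return the groups of the first line in body that fully matches pattern."""
    hits = [m.groups() for m in (re.fullmatch(pattern, ln) for ln in sorted(body)) if m]
    return hits[0] if hits else None

def parity_problems(cfg_a, cfg_b):
    """List mismatches between two hot-backup peers; empty means consistent."""
    a, b = sections(cfg_a), sections(cfg_b)
    problems = [f"'{s}' differs" for s in SHARED if a.get(s) != b.get(s)]
    pat = r"peer (\S+) source (\S+) port (\d+)"
    pa, pb = first_match(a.get(RBS, ()), pat), first_match(b.get(RBS, ()), pat)
    if not pa or not pb or pa != (pb[1], pb[0], pb[2]):
        problems.append("RBS peer/source/port are not mirrored")
    bid = r"backup-id (\d+) remote-backup-service \S+"
    ida, idb = first_match(a.get(RBP, ()), bid), first_match(b.get(RBP, ()), bid)
    if not ida or ida != idb:
        problems.append("backup-id differs or is missing")
    return problems
```
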