Traffic engineering and protection (fast reroute) are the main advantages of both MPLS and segment routing networks, but both features are simpler, easier to understand and more automatic to implement in a segment routing network than in an MPLS network. With traffic engineering, we control the path of incoming traffic at the edge of the network, which is the topic of the next videos. With protection, if a link or node in the network fails, traffic is rerouted to another path in less than 50 ms, which is the topic of this video and the next one. This video discusses the theory of protection, and the next video shows the implementation and troubleshooting.
Protection definition
What is protection, and which types of protection are there? Protection means fast reroute. In other words, when a link or node fails in the network, the traffic going over that link or node is rerouted onto another path in less than 50 ms. There are three main types of protection: link protection, node protection and SRLG (Shared Risk Link Groups) protection.
To explain the different types of protection, I have prepared a topology. In this topology, the cost of every link is one, except for the links where I have written the cost explicitly. For example, the cost between R1-R3 is 4.
segment routing protection detail concept
We discuss the different types of protection from the perspective of R2 and for one specific destination, R6. However, the discussion applies to all nodes and all destinations in the network.
Link Protection
The first type of protection is link protection. When we protect a link, the IGP in segment routing pre-calculates the backup route that should be used when that link fails, and installs the backup route in the routing table before any failure. When that link fails, the backup route is used in less than 50 ms.
In our topology, we want to protect the link between R2-R4. For destination R6, the main path is R2-R4-R6 and the backup path is R2-R1-R3-R4-R6, which excludes the protected link. The backup path is pre-calculated and installed in the routing table before any failure. When the R2-R4 link fails, the backup path is already in the routing table and is used immediately, in less than 50 ms.
You may ask yourself why we do not implement this type of protection in an IP network. The reason is that in an IP network this method may cause a loop. Why? What is the difference from a segment routing network? The answer comes at the end of this video.
Node protection
What is node protection? Node protection means that if the neighbor router on the best path, in other words the next-hop router, fails, the backup route replaces the main route in less than 50 ms. The backup route is pre-calculated and installed in the routing table before any failure.
In the following topology, the main path for destination R6 is R2-R4-R6. When we enable node protection on R2, the neighbor router for destination R6 is R4, so the backup path is pre-calculated on the assumption that router R4 has failed, and it is installed in the routing table before R4 fails. When R4 fails, the backup path replaces the main path in less than 50 ms, since it is already in the routing table.
SRLG Protection
Now it is the turn of SRLG. What is SRLG? SRLG stands for “Shared Risk Link Groups”. When we add some local links to the same SRLG, it means that they share hardware resources, so when one of these links fails, the other links in the same group also fail. The backup path must therefore exclude all links in the same SRLG. With SRLG protection, a backup route that excludes all links in the SRLG is pre-calculated and installed in the routing table before any failure. When any of the links in the SRLG fails, the backup route replaces the main path in less than 50 ms.
In our example, we suppose that the R2-R4 and R1-R2 links are in the same SRLG. When we enable SRLG protection on node R2, the backup path R2-R3-R4-R6, which excludes both SRLG links, is pre-calculated and installed in the routing table. If either of these two links fails, the pre-calculated backup path replaces the main path immediately, in less than 50 ms.
Currently, SRLG only supports local links. That means that if the R2-R4 and R3-R4 links are in the same SRLG, we cannot implement SRLG protection on R2, because the R3-R4 link is not a local link on R2.
Multiple protection in one router
You can run more than one type of protection on a router. Notice, however, that when more than one type is enabled on the router, link protection always has the lowest priority, since when the next-hop node is protected, the outgoing link is automatically protected as well.
That does not mean that node protection is always better than link protection: if only the outgoing link fails but the node protection backup path is used, the backup path may not be the best path.
For example, in the following topology both link and node protection are enabled on R2, but the node protection backup path is installed in the routing table since it has higher priority. If the link fails, the node protection backup path is not the best choice, since the link protection backup path has a lower metric.
When both node protection and SRLG protection are enabled, the backup path is chosen to protect both the node and the SRLG. If that is not possible, the one with higher priority (lower index value) is installed in the routing table.
For example, in the following topology, when link, node and SRLG protection are all enabled on R2, the backup path protects all of them: it excludes the outgoing link, the SRLG links and the next-hop router.
TI-LFA and post-convergence Path
Now the question is, which protocol in segment routing does protection? Segment routing protection is implemented using the TI-LFA protocol, which stands for “Topology Independent Loop Free Alternate”. As the name suggests, TI-LFA is topology independent: it offers 100% protection in all topologies, is completely automatic and is based on the concept of the “post-convergence path”. The “post-convergence path” is the path calculated on the assumption that the link or node has already failed. Based on this assumption, the “post-convergence path” is calculated and installed in the routing table as the backup path.
For example, if we configure link protection on R2, then for every destination the backup path is pre-calculated and installed in the routing table on the assumption that the outgoing link has failed.
Why does IP not use “post-convergence path” protection?
Now the question is why IP does not use “post-convergence path” protection when it is so easy. The answer: because it may cause a loop.
To understand how this loop occurs, consider the same scenario in the same topology, but this time in an IP network.
Suppose we protect the R2-R4 link. For destination R6, R2-R4-R6 is the main path and R2-R1-R3-R4-R6 is the backup path, which is installed in the routing table. Now suppose that the R2-R4 link fails. The traffic is forwarded to R1, which is the next hop of the backup path. The problem is that the routing table on R1 has not yet converged, and from R1's perspective the best path to destination R6 is to hand the traffic back to R2. So a loop occurs.
How does segment routing make “post-convergence path” protection possible?
How does segment routing allow the theory of “post-convergence path” protection to be implemented? Segment routing can encode the backup path, as segments, in the packet itself. When R1 receives the packet, it knows from the segments encoded inside the packet that the packet should be forwarded to R3 and not to R2. So there is no loop.
In segment routing, then, the backup path can be encoded in the packet itself when a link or node fails, so no loop occurs.
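The post-convergence calculation and the IP loop at R1 described above can be reproduced with a short model. This is an added example, not code from the original article or from any router implementation; only the R1-R3 cost of 4 and the quoted paths come from the article, while the remaining links and costs and the helper names `spf` and `unconverged_hops` are constructed for illustration.

```python
import heapq

# Constructed topology (assumption): only the R1-R3 cost of 4 and the quoted
# paths come from the article; the other links and costs are illustrative.
LINKS = {("R1", "R2"): 1, ("R1", "R3"): 4, ("R2", "R3"): 10, ("R2", "R4"): 1,
         ("R3", "R4"): 1, ("R3", "R5"): 1, ("R4", "R6"): 1, ("R5", "R6"): 2}


def spf(src, dst, down_links=(), down_nodes=()):
    """Dijkstra shortest path src -> dst, ignoring failed links and nodes."""
    down = {frozenset(link) for link in down_links}
    adj = {}
    for (a, b), cost in LINKS.items():
        if frozenset((a, b)) in down or a in down_nodes or b in down_nodes:
            continue
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    heap, seen = [(0, [src])], set()
    while heap:
        cost, path = heapq.heappop(heap)
        node = path[-1]
        if node == dst:
            return path
        if node in seen:
            continue
        seen.add(node)
        for nxt, c in adj.get(node, []):
            if nxt not in seen:
                heapq.heappush(heap, (cost + c, path + [nxt]))
    return None  # destination unreachable once the failure is assumed


def unconverged_hops(backup):
    """Hops whose pre-failure next hop differs from the backup path's next hop."""
    dst, bad = backup[-1], []
    for i, node in enumerate(backup[1:-1], start=1):
        old_next = spf(node, dst)[1]  # what a not-yet-converged node would do
        if old_next != backup[i + 1]:
            bad.append((node, old_next))
    return bad


# Post-convergence paths from R2 to R6 for each protection type.
link_backup = spf("R2", "R6", down_links=[("R2", "R4")])
node_backup = spf("R2", "R6", down_nodes=["R4"])
srlg_backup = spf("R2", "R6", down_links=[("R2", "R4"), ("R1", "R2")])
print(link_backup, node_backup, srlg_backup, unconverged_hops(link_backup))
```

The pair returned by `unconverged_hops` names the router that would send traffic back (R1, towards R2) under plain IP forwarding, which is the hop where the segments in the packet have to override the local routing table.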
How many segments must be encoded in the packet to prevent a loop?
The next question is how many segments must be encoded in the packet to prevent a loop.
According to the research done, in link protection 100% of backup paths need two or fewer (zero, one or two) segments encoded in the packet to prevent the loop.
In node protection, 100% of backup paths need four or fewer segments encoded in the packet to prevent the loop. Interestingly, in node protection 99.72% of backup paths use only two or fewer segments.
As you have seen, fast reroute, or protection, in segment routing is simple to understand and operate, and completely automatic. We also have fast reroute in MPLS networks, but it is not as simple to configure and operate, and it is not completely automatic.
We implement and troubleshoot the same topology in the next video.