Author: Nicholas Russo
This blog is the third in a series covering IP Loop Free Alternate (LFA) paths using OSPFv2. In the previous blog, we covered downstream and node-protecting LFAs, as well as tie-breaking criteria. This blog covers the fourth inequality, which is specific to multi-access networks. The topology remains unchanged and is depicted below.
Inequality 4 is comparable to Inequality 3, which defined node protection. In fact, the logic is quite similar; node protection guarantees that the primary next-hop (E) is not traversed by a given LFA. Broadcast disjointedness guarantees that the pseudo-node (pn) is not traversed by a given LFA. The right-hand side of the inequality is computed by adding N’s distance to the pseudo-node and the pseudo-node’s distance to D.
Inequality 4 for broadcast disjointedness: dist(N,D) < dist(N,pn) + dist(pn,D)
This time, we’ll examine the path from R3 to R7. The shortest path from R3 (S) to R7’s loopback (D) is via R2 (E) as shown in the output below. R1 and R8 are candidate next-hop routers (N).
R3#show ip route ospf | include 10.0.0.7/32
O 10.0.0.7/32 [110/16] via 10.0.234.2, 06:02:44, GigabitEthernet3
Here are the variable assignments for reference. Neither R1 nor R8 uses R3 as a primary next-hop to reach 10.0.0.7/32, so both are worth evaluating as LFAs.
S = R3
E = R2
N = R1 or R8
D = R7's loopback0 prefix of 10.0.0.7/32
R1#show ip route ospf | include 10.0.0.7/32
O 10.0.0.7/32 [110/16] via 10.1.2.2, 06:03:16, GigabitEthernet2
R8#show ip route ospf | include 10.0.0.7/32
O 10.0.0.7/32 [110/21] via 10.4.8.4, 00:00:10, GigabitEthernet1
We’ll begin by evaluating N=R1 using all four inequalities. R1 is an LFA thanks to Inequality 1 being satisfied, providing basic link-protection at a minimum. The LFA is not downstream because both R1 and R3 are equidistant to R7’s loopback. The LFA does not provide node protection because both R1 and R3 traverse R2 (E) along their best paths to R7’s loopback. The LFA is broadcast disjoint because R1 does not traverse the pseudo-node, represented by the layer-2 switch in the diagram, along its shortest path to R6. Note that the logic of Inequality 4 is pessimistic; it assumes that the entire broadcast network fails. It’s possible that only a single link fails while the broadcast network remains mostly intact, but this is a poor assumption in a failure scenario.
let N=R1
ineq1: dist(N,D) < dist(S,D) + dist(N,S)
dist(R1,R7) < dist(R3,R7) + dist(R1,R3)
16 < 16 + 10 --> TRUE, it is an LFA
ineq2: dist(N,D) < dist(S,D)
dist(R1,R7) < dist(R3,R7)
16 < 16 --> FALSE, it is not downstream
ineq3: dist(N,D) < dist(N,E) + dist(E,D)
dist(R1,R7) < dist(R1,R2) + dist(R2,R7)
16 < 10 + 6 --> FALSE, it is not node protecting
ineq4: dist(N,D) < dist(N,pn) + dist(pn,D)
dist(R1,R7) < dist(R1,pn) + dist(pn,R7)
16 < 20 + 6 --> TRUE, it is broadcast disjoint
Next, consider R8 as an LFA candidate. R8 is farther away from R7 than R1 is, so it probably won’t be selected as the best LFA, even though it does satisfy Inequality 1. R8 is neither downstream nor node-protecting as Inequalities 2 and 3 are unsatisfied, respectively. Even worse, R8 is not broadcast disjoint. R3’s (S) best path to R7’s loopback (D) traverses the pseudo-node (pn) as does R8’s (N) best path to the same destination. If the switch fails, the entire broadcast network collapses, making R8 a less useful LFA. If only the link between R3 and the switch failed, R8 would be a suitable LFA, but that’s an optimistic outcome. Broadcast disjointedness, at least in this small network, protects against a switch node failure.
let N=R8
ineq1: dist(N,D) < dist(S,D) + dist(N,S)
dist(R8,R7) < dist(R3,R7) + dist(R8,R3)
21 < 16 + 10 --> TRUE, it is an LFA
ineq2: dist(N,D) < dist(S,D)
dist(R8,R7) < dist(R3,R7)
21 < 16 --> FALSE, it is not downstream
ineq3: dist(N,D) < dist(N,E) + dist(E,D)
dist(R8,R7) < dist(R8,R2) + dist(R2,R7)
21 < 15 + 6 --> FALSE, it is not node protecting
ineq4: dist(N,D) < dist(N,pn) + dist(pn,D)
dist(R8,R7) < dist(R8,pn) + dist(pn,R7)
21 < 15 + 6 --> FALSE, it is not broadcast disjoint
We won’t adjust any tie-breaks in this network because R1 is clearly the superior LFA choice. It is both lower cost and offers slightly better protection given its broadcast disjointedness. We can confirm these attributes by querying the OSPF RIB and examining the LFA flags.
R3#show ip ospf rib 10.0.0.7 255.255.255.255
*> 10.0.0.7/32, Intra, cost 16, area 0
SPF Instance 83, age 00:30:09
Flags: RIB, HiPrio
via 10.0.234.2, GigabitEthernet3
Flags: RIB
LSA: 1/10.0.0.7/10.0.0.7
Source: 10.0.0.7 (area 0)
repair path via 10.1.3.1, GigabitEthernet1, cost 26
Flags: RIB, Repair, IntfDj, BcastDj, CostWon
LSA: 1/10.0.0.7/10.0.0.7
repair path via 10.3.8.8, GigabitEthernet2, cost 31
Flags: Ignore, Repair, IntfDj
LSA: 1/10.0.0.7/10.0.0.7
We’ve spent a lot of time examining situations where LFAs exist. Any LFA is better than no LFA, after all. What happens when some destinations cannot be protected due to an inability to satisfy Inequality 1? R2 offers one such example. Given the current topology, R2 does not have an LFA to 10.0.0.4/32 despite having three potential backup paths. It’s useful to examine the “prefix-summary” coverage at a high level first. Notice that high priority prefixes only have 85% coverage. Since R2 learns seven remote loopbacks, we can assume that only one is unprotected since 6/7 is approximately 85%. Inspecting the OSPF RIB, we confirm that 10.0.0.4/32 is the prefix in question.
R2#show ip ospf fast-reroute prefix-summary
OSPF Router with ID (10.0.0.2) (Process ID 1)
Base Topology (MTID 0)
Area 0:
Interface     Protected   Primary paths      Protected paths    Percent protected
                          All  High  Low     All  High  Low     All   High  Low
Lo0           Yes           0     0    0       0     0    0      0%     0%   0%
Gi4           Yes           1     1    0       1     1    0    100%   100%   0%
Gi1           Yes           5     2    3       2     2    0     40%   100%   0%
Gi2           Yes           2     1    1       1     1    0     50%   100%   0%
Gi3           Yes           7     3    4       2     2    0     28%    66%   0%
Area total:                15     7    8       6     6    0     40%    85%   0%
Process total:             15     7    8       6     6    0     40%    85%   0%
R2#show ip ospf rib 10.0.0.4 255.255.255.255
*> 10.0.0.4/32, Intra, cost 11, area 0
SPF Instance 78, age 00:04:50
Flags: RIB, HiPrio
via 10.0.234.4, GigabitEthernet3
Flags: RIB
LSA: 1/10.0.0.4/10.0.0.4
Source: 10.0.0.4 (area 0)
For practice, I’d recommend you stop reading here and manually evaluate Inequality 1 for each potential N value of R1, R6, and R7 from R2 (S) to 10.0.0.4/32 (D). Once you’re done, you can confirm it using some debugging. The ACL limits the output to 10.0.0.4/32 and we can trigger a recalculation to examine the result. For each potential N, R2 evaluates Inequality 1, and the output clearly indicates that none of these alternate paths satisfy the condition. Take some time to read the output as these terms should be very familiar by now. This is bad news!
# R2 configuration
ip access-list standard 4
10 permit 10.0.0.4
R2#debug ip ospf fast-reroute rib 4
OSPF Loop-free FastReroute local RIB debugging is on for access list 4
R2#clear ip ospf force-spf
OSPF-1 FRRIB: Refreshing router 10.0.0.4 route: intra-area path, distance 20
OSPF-1 FRRIB: Add to LRIB repair path 10.0.0.4/255.255.255.255 via neighbor 10.0.0.6,
area 0, type Intra, D(N,D)=21, ext2 metric 0
OSPF-1 FRRIB: Not an LFA; D(N,D)=21, D(N,S)=10, D(S,D)=11
OSPF-1 FRRIB: Refreshing router 10.0.0.4 route: intra-area path, distance 15
OSPF-1 FRRIB: Add to LRIB repair path 10.0.0.4/255.255.255.255 via neighbor 10.0.0.7,
area 0, type Intra, D(N,D)=16, ext2 metric 0
OSPF-1 FRRIB: Not an LFA; D(N,D)=16, D(N,S)=5, D(S,D)=11
OSPF-1 FRRIB: Refreshing router 10.0.0.4 route: intra-area path, distance 20
OSPF-1 FRRIB: Add to LRIB repair path 10.0.0.4/255.255.255.255 via neighbor 10.0.0.1,
area 0, type Intra, D(N,D)=21, ext2 metric 0
OSPF-1 FRRIB: Not an LFA; D(N,D)=21, D(N,S)=10, D(S,D)=11
OSPF-1 FRRIB: Refreshing router 10.0.0.4 route: intra-area path, distance 0
OSPF-1 FRRIB: Add to LRIB repair path 10.0.0.4/255.255.255.255 via neighbor 10.0.0.4,
area 0, type Intra, D(N,D)=1, ext2 metric 0
OSPF-1 FRRIB: Finished processing LFA, added 0 repair paths
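The manual evaluations above (all four inequalities from R3 to R7, and Inequality 1 from R2 to 10.0.0.4/32) can be reproduced offline with a shortest-path computation. The following Python is an added example, not code from the original article or from the router software: it rebuilds the topology from the interface costs in the reference configurations and models the LAN pseudo-node as `pn`. It assumes a loopback cost of 1, which is consistent with the route metrics shown, and all function names are hypothetical.

```python
import heapq

# Link costs copied from the reference configurations on this page.
P2P = [("R1", "R3", 10), ("R1", "R2", 10), ("R2", "R7", 5), ("R2", "R6", 10),
       ("R3", "R8", 10), ("R4", "R8", 5), ("R4", "R5", 10), ("R4", "R7", 25),
       ("R5", "R7", 10), ("R6", "R7", 10)]
LAN = ["R2", "R3", "R4"]   # routers attached to 10.0.234.0/24
LAN_COST = 10              # "ip ospf cost 10" on each Gi3
LOOPBACK_COST = 1          # assumption: matches the [110/16] metrics shown

def build_graph():
    """Directed graph; a router pays LAN_COST to reach pn, pn pays 0 back."""
    g = {}
    for a, b, cost in P2P:
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost
    for r in LAN:
        g.setdefault(r, {})["pn"] = LAN_COST
        g.setdefault("pn", {})[r] = 0
    return g

def spf(g, src):
    """Dijkstra from src; returns {node: cost} for router-to-router distance."""
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in g[u].items():
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    return dist

def evaluate(s, e, n, d, pn="pn"):
    """Apply Inequalities 1-4 for candidate n protecting s -> d via primary e."""
    g = build_graph()
    tree = {x: spf(g, x) for x in (s, e, n, pn)}

    def to_d(x):
        # Distance from x to D's loopback prefix, as the routers report it.
        return tree[x][d] + LOOPBACK_COST

    return {
        "lfa": to_d(n) < to_d(s) + tree[n][s],
        "downstream": to_d(n) < to_d(s),
        "node_protecting": to_d(n) < tree[n][e] + to_d(e),
        "broadcast_disjoint": to_d(n) < tree[n][pn] + to_d(pn),
    }

if __name__ == "__main__":
    for n in ("R1", "R8"):
        print("R3 -> R7 via", n, evaluate("R3", "R2", n, "R7"))
    for n in ("R1", "R6", "R7"):
        print("R2 -> R4 via", n, "LFA:", evaluate("R2", "R4", n, "R4")["lfa"])
```

For the R2-to-R4 case the primary next-hop is the destination itself, so only the `lfa` result is meaningful there.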
Suppose you don’t trust the debugging and show commands on R2. Head over to R1, R6, and R7 and ask them about their shortest path to reach R4. All of them route through R2, implying that none of these paths are loop-free. R2 cannot rely on any of its neighbors to reliably deliver traffic to R4 if the R2-switch link fails. Note that R1 load-shares towards 10.0.0.4/32 via R2 and R3, but this doesn’t matter; R1 cannot be considered loop free because there’s a 50% chance that traffic will loop back to R2.
R6#show ip route ospf | section 10.0.0.4/32
O 10.0.0.4/32 [110/21] via 10.2.6.2, 12:12:08, GigabitEthernet4
R7#show ip route ospf | section 10.0.0.4/32
O 10.0.0.4/32 [110/16] via 10.2.7.2, 12:12:38, GigabitEthernet1
R1#show ip route ospf | section 10.0.0.4/32
O 10.0.0.4/32 [110/21] via 10.1.3.3, 11:37:25, GigabitEthernet1
[110/21] via 10.1.2.2, 11:37:25, GigabitEthernet2
As a further proof, query R2’s FIB for some remote loopbacks. We know that 6 out of 7 loopbacks are LFA protected, so pick any other loopback in addition to 10.0.0.4/32. Choosing 10.0.0.1/32, we can see an LFA via R3 over the broadcast network that is installed as a repair path. However, for 10.0.0.4/32, no such repair path exists.
R2#show ip cef 10.0.0.4/32
10.0.0.4/32
nexthop 10.0.234.4 GigabitEthernet3
R2#show ip cef 10.0.0.1/32
10.0.0.1/32
nexthop 10.1.2.1 GigabitEthernet2
repair: attached-nexthop 10.0.234.3 GigabitEthernet3
In summary, broadcast disjointedness offers an additional degree of protection by ensuring LFAs avoid the pseudo-node representing multi-access networks. It’s logically equivalent to node protection, except that it applies to broadcast networks. Additionally, LFA is not a magic trick. Coverage is not guaranteed for all destinations just because you configured the command. The past three blogs have discussed “direct LFA”, which derives its name from the selection of directly connected primary next-hops (E) and candidate next-hops (N). Perhaps we can achieve better LFA coverage by relaxing that rule.
In This Series:
- Introducing IP Loop Free Alternates (LFA) with OSPFv2
- Exploring Downstream and Node-protecting IP LFAs using OSPFv2
- Examining Broadcast Disjointedness and IP LFA Coverage with OSPFv2 (this article)
- Improving IP LFA Coverage using Remote LFA with MPLS and OSPFv2
- Maximizing IP LFA Coverage using Topology-independent LFA and Segment Routing
Reference Configurations:
# R1
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet1
ip address 10.1.3.1 255.255.255.0
ip ospf network point-to-point
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 10.1.2.1 255.255.255.0
ip ospf network point-to-point
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
!
router ospf 1
fast-reroute per-prefix enable area 0 prefix-priority high
fast-reroute keep-all-paths
network 0.0.0.0 255.255.255.255 area 0
!
!
ip ssh version 2
!
!
ip access-list standard 6
10 permit 10.0.0.6
!
!
!
end
# R2
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
!
interface Loopback0
ip address 10.0.0.2 255.255.255.255
!
interface GigabitEthernet1
ip address 10.2.7.2 255.255.255.0
ip ospf network point-to-point
ip ospf cost 5
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 10.1.2.2 255.255.255.0
ip ospf network point-to-point
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
ip address 10.0.234.2 255.255.255.0
ip ospf network broadcast
ip ospf priority 0
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
ip address 10.2.6.2 255.255.255.0
ip ospf network point-to-point
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
!
router ospf 1
fast-reroute per-prefix enable area 0 prefix-priority high
fast-reroute keep-all-paths
network 0.0.0.0 255.255.255.255 area 0
!
!
ip ssh version 2
!
!
ip access-list standard 4
10 permit 10.0.0.4
!
!
end
# R3
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
!
interface Loopback0
ip address 10.0.0.3 255.255.255.255
!
interface GigabitEthernet1
ip address 10.1.3.3 255.255.255.0
ip ospf network point-to-point
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 10.3.8.3 255.255.255.0
ip ospf network point-to-point
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
ip address 10.0.234.3 255.255.255.0
ip ospf network broadcast
ip ospf priority 0
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
!
router ospf 1
fast-reroute per-prefix enable area 0 prefix-priority high
fast-reroute keep-all-paths
network 0.0.0.0 255.255.255.255 area 0
!
!
ip ssh version 2
!
!
end
# R4
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
!
interface Loopback0
ip address 10.0.0.4 255.255.255.255
!
interface GigabitEthernet1
ip address 10.4.8.4 255.255.255.0
ip ospf network point-to-point
ip ospf cost 5
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 10.4.5.4 255.255.255.0
ip ospf network point-to-point
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
ip address 10.0.234.4 255.255.255.0
ip ospf network broadcast
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
ip address 10.4.7.4 255.255.255.0
ip ospf network point-to-point
ip ospf cost 25
negotiation auto
no mop enabled
no mop sysid
!
!
router ospf 1
fast-reroute per-prefix enable area 0 prefix-priority high
fast-reroute per-prefix tie-break primary-path index 10
fast-reroute per-prefix tie-break interface-disjoint index 20
fast-reroute per-prefix tie-break downstream index 25
fast-reroute per-prefix tie-break lowest-metric index 30
fast-reroute per-prefix tie-break linecard-disjoint index 40
fast-reroute per-prefix tie-break broadcast-interface-disjoint index 50
fast-reroute keep-all-paths
network 0.0.0.0 255.255.255.255 area 0
!
ip ssh version 2
!
!
!
end
# R5
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
!
interface Loopback0
ip address 10.0.0.5 255.255.255.255
!
!
interface GigabitEthernet2
ip address 10.4.5.5 255.255.255.0
ip ospf network point-to-point
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
ip address 10.5.7.5 255.255.255.0
ip ospf network point-to-point
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
!
router ospf 1
fast-reroute per-prefix enable area 0 prefix-priority high
fast-reroute keep-all-paths
network 0.0.0.0 255.255.255.255 area 0
!
ip ssh version 2
!
!
!
end
# R6
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R6
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
interface Loopback0
ip address 10.0.0.6 255.255.255.255
!
!
interface GigabitEthernet4
ip address 10.2.6.6 255.255.255.0
ip ospf network point-to-point
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet5
ip address 10.6.7.6 255.255.255.0
ip ospf network point-to-point
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
!
router ospf 1
fast-reroute per-prefix enable area 0 prefix-priority high
fast-reroute keep-all-paths
network 0.0.0.0 255.255.255.255 area 0
!
!
ip ssh version 2
!
!
!
end
# R7
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R7
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
interface Loopback0
ip address 10.0.0.7 255.255.255.255
!
interface GigabitEthernet1
ip address 10.2.7.7 255.255.255.0
ip ospf network point-to-point
ip ospf cost 5
negotiation auto
no mop enabled
no mop sysid
!
!
interface GigabitEthernet3
ip address 10.5.7.7 255.255.255.0
ip ospf network point-to-point
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
ip address 10.4.7.7 255.255.255.0
ip ospf network point-to-point
ip ospf cost 25
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet5
ip address 10.6.7.7 255.255.255.0
ip ospf network point-to-point
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
!
router ospf 1
fast-reroute per-prefix enable area 0 prefix-priority high
fast-reroute keep-all-paths
network 0.0.0.0 255.255.255.255 area 0
!
!
ip ssh version 2
!
!
!
!
end
# R8
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R8
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
interface Loopback0
ip address 10.0.0.8 255.255.255.255
!
interface GigabitEthernet1
ip address 10.4.8.8 255.255.255.0
ip ospf network point-to-point
ip ospf cost 5
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 10.3.8.8 255.255.255.0
ip ospf network point-to-point
ip ospf cost 10
negotiation auto
no mop enabled
no mop sysid
!
router ospf 1
fast-reroute per-prefix enable area 0 prefix-priority high
fast-reroute keep-all-paths
network 0.0.0.0 255.255.255.255 area 0
!
!
ip ssh version 2
!
!
!
end