Introducing IP Loop Free Alternates (LFA) with OSPFv2

This blog series will explain how network devices can independently calculate backup paths, known as LFAs in this context, to protect against network failures.

Author: Nicholas Russo


This is the first of five articles in a series about LFA.

Fast convergence after a network failure has always been an important design consideration. This blog series will explain how network devices can independently calculate backup paths, known as LFAs in this context, to protect against such network failures. RFC5286 explains the basic logic of how LFAs work, and most importantly, defines four inequalities that determine the characteristics of LFAs.

A word of warning: IP LFA is an advanced networking topic that assumes readers have experience with link-state routing protocols and their corresponding databases. Furthermore, these blogs contain a fair amount of math, although it’s generally limited to addition and inequality comparisons. Later in the series, Multi-protocol Label Switching (MPLS) is introduced as a mechanism to improve LFA coverage, so readers are encouraged to have MPLS experience. If you’re lacking in these areas, consider watching my popular Cisco Advanced Routing series and Cisco MPLS course at Pluralsight before continuing.

Examine the topology below. There are 8 routers and a single layer-2 switch, creating a multi-access network between R2, R3, and R4. All devices run OSPFv2 in area 0 on all depicted interfaces, and each device contributes a single loopback prefix. The GigabitEthernet interface numbers are shown in orange, and the link costs are shown in purple. Both the interface numbers and link costs are symmetric for simplicity. All loopbacks use the default cost value of 1. Unfortunately, not all LFA features are available in IPv6, so this blog series focuses exclusively on IPv4.

Introducing IP Loop Free Alternates (LFA) with OSPFv2

Like many modern technologies, LFA is simple to configure but challenging to comprehend. Currently, all routers are configured with per-prefix LFA within area 0 for “high” priority prefixes. By default, these are /32 routes but can be adjusted using a route-map. Alternatively, an engineer could enable protection for “low” priority prefixes as well, which includes any OSPF-learned route by default. In the vast majority of designs, protecting only the /32 prefixes implies protecting device loopbacks, which serve as MPLS label switched path (LSP) endpoints. If you aren’t running MPLS, you might want to protect user LAN segments, so adjusting the prefix-priorities accordingly may be appropriate. Here’s a real life example of protecting transit links in a leaf/spine data center fabric to improve the availability of a BGP traffic engineering design.

The “keep-all-paths” command is optional and tells OSPF to retain any unused LFAs in the OSPF RIB. This isn’t operationally useful and might even be a hindrance as it consumes memory to no benefit. However, it’s educationally useful when there are multiple LFAs available since the router must select one. We’ll examine those complex cases in future blogs, but let’s enable the LFA retention feature now.

# All routers
router ospf 1
 fast-reroute per-prefix enable area 0 prefix-priority high
 fast-reroute keep-all-paths

With LFA configured, let’s focus on the mathematical logic. The word “inequality” refers to an algebraic expression that is satisfied when the two terms on either side of the operator are unequal. In the context of LFA, the routers need to ensure that certain distances are less than other distances across the network. It is by this logic that devices determine which paths are actually loop-free. The first inequality defined in the RFC is used to determine whether a candidate path is an LFA:

Inequality 1: dist(N,D) < dist(S,D) + dist(N,S)

This looks supremely confusing at a glance. Let’s quickly define these terms:

  1. dist(X,Y): measures the path cost, or “distance”, between X and Y.
  2. S: source router
  3. E: primary next-hop router (not present in Inequality 1 but appears later)
  4. N: candidate next-hop router
  5. D: destination IP prefix

LFAs are best understood using examples that correlate topology visualization, command line verification, and mathematical proof. Starting on R1, let’s manually compute the shortest path to 10.0.0.6/32, which is R6’s loopback prefix. Routing via R2, the shortest path to R6’s loopback will be 21, including two hops with a cost of 10 (R1-R2 and R2-R6) plus the R6 loopback cost of 1.

R1#show ip route ospf | include 10.0.0.6/32
O        10.0.0.6/32 [110/21] via 10.1.2.2, 02:39:57, GigabitEthernet2

Can R3 be used an LFA if the R1-R2 link fails? Let’s apply Inequality 1. The source router (S) is R1 and the destination prefix (D) is 10.0.0.6/32. The primary next-hop router (E) is R2 but that doesn’t factor into this inequality. The candidate next-hop router (N) is R3. Measuring the shortest distance from R3 to R6, we get 21, since R3 routes via R2 over the broadcast network and then from R2 to R6 directly.

R3#show ip route ospf | include 10.0.0.6/32
O        10.0.0.6/32 [110/21] via 10.0.234.2, 02:39:39, GigabitEthernet3

Then, we include the end-to-end distance from source (R1) to destination (R6’s loopback prefix) that we already knew to be 21 when we computed our original shortest path. Last, we add the distance from R3 (N) back to R1 (S). This step is important because it measures the reverse cost from the candidate next-hop router back to the source router. The output below and the diagram both indicate that this cost is 10.

R3#show ip ospf interface brief | include ^Int|Gi1
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Gi1          1     0               10.1.3.3/24        10    P2P   1/1

In this example, Inequality 1 is satisfied, so R3 is an LFA from R1’s perspective towards R6’s loopback prefix. This is great news!

dist(N,D) < dist(S,D) + dist(N,S)
dist(R3,R6) < dist(R1,R6) + dist(R3,R1)
21 < 21 + 10
21 < 31

Here’s a visual representation. You can clearly see that if the R1-R2 link fails, R1 can safely send traffic to R3 without any additional SPF computations because R3 was not relying on the R1-R2 for its primary path towards 10.0.0.6/32. This is the minimum requirement for any LFA and is the sole purpose of evaluating Inequality 1.

Introducing IP Loop Free Alternates (LFA) with OSPFv2

A useful CLI command for measuring LFA coverage towards a specific destination is “show ip ospf rib”. The example below queries 10.0.0.6/32 (D) from the perspective of R1 (S). The primary next-hop (E) is R2 via 10.1.2.2 and the LFA next-hop (N) is R3 via 10.1.3.3. For now, just focus on the fundamental LFA logic; future blogs will discuss the LFA “flags” in greater detail.

R1#show ip ospf rib 10.0.0.6 255.255.255.255

            OSPF Router with ID (10.0.0.1) (Process ID 1)

                Base Topology (MTID 0)

OSPF local RIB
Codes: * - Best, > - Installed in global RIB
LSA: type/LSID/originator

*>  10.0.0.6/32, Intra, cost 21, area 0
     SPF Instance 80, age 00:10:08
     Flags: RIB, HiPrio
      via 10.1.2.2, GigabitEthernet2
       Flags: RIB
       LSA: 1/10.0.0.6/10.0.0.6
       Source: 10.0.0.6 (area 0)
      repair path via 10.1.3.3, GigabitEthernet1 cost 31
       Flags: RIB, Repair, IntfDj, BcastDj
       LSA: 1/10.0.0.6/10.0.0.6

If you want to see the low-level logic of LFA evaluation, use the debugging technique shown below. It’s wise to include an access control list (ACL) to limit to scope of the debug, which can be quite extensive in large networks. The ACL matches R6’s loopback prefix and is fed into the debug command. The output reveals two possible paths to R6: one via R2 and one via R3. The D(N,D) value in this context is evaluating R2’s (S) distance to 10.0.0.6/32 (D), which is 11, and R3’s (N) distance to the same prefix, which is 21. This is consistent with our manual calculations from earlier. The debug further indicates that 10.1.2.2 is the primary path via R2 and that 10.1.3.3 is a repair path, or LFA, via R3.

# R1 configuration
ip access-list standard 6
 10 permit 10.0.0.6

R1#debug ip ospf fast-reroute rib 6
OSPF Loop-free FastReroute local RIB debugging is on for access list 6

R1#clear ip ospf force-spf
OSPF-1 FRRIB: Add to LRIB repair path 10.0.0.6/255.255.255.255 via neighbor 10.0.0.2,
              area 0, type Intra, D(N,D)=11, ext2 metric 0
OSPF-1 FRRIB: Finished processing LFA, added 0 repair paths

OSPF-1 FRRIB: Add to LRIB repair path 10.0.0.6/255.255.255.255 via neighbor 10.0.0.3,
              area 0, type Intra, D(N,D)=21, ext2 metric 0
OSPF-1 FRRIB: For primary path via 10.1.2.2 Gi2 dist 21 repair path
              via 10.1.3.3 Gi1 flags are (Repair, IntfDj, BcastDj)
OSPF-1 FRRIB: Adding repair path after path via 10.1.2.2 GigabitEthernet2, flags (RIB)
OSPF-1 FRRIB: Finished processing LFA, added 1 repair paths

Rather than individually querying every possible destination, engineers may check the source router to ask about its general LFA coverage. This command indicates that 100% of the high priority prefixes are protected, which is the ideal outcome. Given R1’s location in the network, this is unsurprising, as it is unlikely that R2 or R3 would ever choose to route via R1 to reach a destination other than 10.0.0.1/32, which is the R1 loopback prefix. Generally speaking, the more densely connected a network is, the better the LFA coverage will be. If you see a number less than 100%, you can walk the OSPF RIB to look for unprotected entries.

R1#show ip ospf fast-reroute prefix-summary

            OSPF Router with ID (10.0.0.1) (Process ID 1)
                    Base Topology (MTID 0)

Area 0:

Interface        Protected    Primary paths    Protected paths Percent protected
                             All  High   Low   All  High   Low    All High  Low
Lo0                    Yes     0     0     0     0     0     0     0%   0%   0%
Gi2                    Yes    13     5     8     5     5     0    38% 100%   0%
Gi1                    Yes     7     3     4     3     3     0    42% 100%   0%

Area total:                   20     8    12     8     8     0    40% 100%   0%

Process total:                20     8    12     8     8     0    40% 100%   0%

In summary, LFAs enable a device to examine the entire the link-state database to find shortest paths to remote destinations from the perspective of other nodes in addition to itself. Said another way, R1 (S) can determine R3’s (N) shortest path to 10.0.0.6/32 (D), and by way of Inequality 1, can guarantee that this shortest path does not loop through R1. We are just scratching the surface of LFAs, but I’d suggest you perform your own manual calculations, and then check your work using “show” and “debug” commands. Load the configurations below and experiment! You might find some LFA coverage gaps …


In This Series:

  1. Introducing IP Loop Free Alternates (LFA) with OSPFv2 (this article)
  2. Exploring Downstream and Node-protecting IP LFAs using OSPFv2
  3. Examining Broadcast Disjointedness and IP LFA Coverage with OSPFv2
  4. Improving IP LFA Coverage using Remote LFA with MPLS and OSPFv2
  5. Maximizing IP LFA Coverage using Topology-independent LFA and Segment Routing

Reference Configurations:

# R1
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet1
 ip address 10.1.3.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 10.1.2.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
!
router ospf 1
 fast-reroute per-prefix enable area 0 prefix-priority high
 fast-reroute keep-all-paths
 network 0.0.0.0 255.255.255.255 area 0
!
!
ip ssh version 2
!
!
ip access-list standard 6
 10 permit 10.0.0.6
!
!
!
end
# R2
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface GigabitEthernet1
 ip address 10.2.7.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 5
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 10.1.2.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 ip address 10.0.234.2 255.255.255.0
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 ip address 10.2.6.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
!
router ospf 1
 fast-reroute per-prefix enable area 0 prefix-priority high
 fast-reroute keep-all-paths
 network 0.0.0.0 255.255.255.255 area 0
!
!
ip ssh version 2
!
!
!
!
end
# R3
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
!
interface Loopback0
 ip address 10.0.0.3 255.255.255.255
!
interface GigabitEthernet1
 ip address 10.1.3.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 10.3.8.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 ip address 10.0.234.3 255.255.255.0
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
!
router ospf 1
 fast-reroute per-prefix enable area 0 prefix-priority high
 fast-reroute keep-all-paths
 network 0.0.0.0 255.255.255.255 area 0
!
!
ip ssh version 2
!
!
end
# R4
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
!
interface Loopback0
 ip address 10.0.0.4 255.255.255.255
!
interface GigabitEthernet1
 ip address 10.4.8.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 5
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 10.4.5.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 ip address 10.0.234.4 255.255.255.0
 ip ospf network broadcast
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 ip address 10.4.7.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 25
 negotiation auto
 no mop enabled
 no mop sysid
!
!
router ospf 1
 fast-reroute per-prefix enable area 0 prefix-priority high
 fast-reroute keep-all-paths
 network 0.0.0.0 255.255.255.255 area 0
!
ip ssh version 2
!
!
!
end
# R5
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
!
interface Loopback0
 ip address 10.0.0.5 255.255.255.255
!
!
interface GigabitEthernet2
 ip address 10.4.5.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 ip address 10.5.7.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
!
router ospf 1
 fast-reroute per-prefix enable area 0 prefix-priority high
 fast-reroute keep-all-paths
 network 0.0.0.0 255.255.255.255 area 0
!
ip ssh version 2
!
!
!
end
# R6
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R6
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
interface Loopback0
 ip address 10.0.0.6 255.255.255.255
!
!
interface GigabitEthernet4
 ip address 10.2.6.6 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet5
 ip address 10.6.7.6 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
!
router ospf 1
 fast-reroute per-prefix enable area 0 prefix-priority high
 fast-reroute keep-all-paths
 network 0.0.0.0 255.255.255.255 area 0
!
!
ip ssh version 2
!
!
!
end
# R7
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R7
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
interface Loopback0
 ip address 10.0.0.7 255.255.255.255
!
interface GigabitEthernet1
 ip address 10.2.7.7 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 5
 negotiation auto
 no mop enabled
 no mop sysid
!
!
interface GigabitEthernet3
 ip address 10.5.7.7 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 ip address 10.4.7.7 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 25
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet5
 ip address 10.6.7.7 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
!
router ospf 1
 fast-reroute per-prefix enable area 0 prefix-priority high
 fast-reroute keep-all-paths
 network 0.0.0.0 255.255.255.255 area 0
!
!
ip ssh version 2
!
!
!
!
end
# R8
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R8
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
interface Loopback0
 ip address 10.0.0.8 255.255.255.255
!
interface GigabitEthernet1
 ip address 10.4.8.8 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 5
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 10.3.8.8 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 10
 negotiation auto
 no mop enabled
 no mop sysid
!
router ospf 1
 fast-reroute per-prefix enable area 0 prefix-priority high
 fast-reroute keep-all-paths
 network 0.0.0.0 255.255.255.255 area 0
!
!
ip ssh version 2
!
!
!
end


Related tags:

it-ops   networking   cisco  
About the author

Nicholas (Nick) Russo, CCDE #20160041 and CCIE #42518, is an internationally recognized expert in IP/MPLS networking and design. To grow his skillset, Nick has been focused advancing Network DevOps via automation for his clients. Recently, Nick has been sharing his knowledge through online video training and speaking at industry conferences. Nick also holds a Bachelor’s of Science in Computer Science from the Rochester Institute of Technology (RIT). Nick lives in Maryland, USA with his wife, Carla, and daughter, Olivia.

10-day free trial

Sign Up Now