SRTE SRv6 configuration

Below is a list of the elements to know when building an SRv6 policy.

Basic segment routing policy configuration

SRv6 configuration and color configuration

The configured services rely on an SRv6 configuration with the IS-IS protocol. The rt1 device will be configured to steer the fd00:200::/64 traffic to the rt4 device.

Basic topology example to illustrate segment routing ipv6 policies configuration.

The configuration of the rt1, rt2, rt3 and rt4 devices is given below. As with SR-TE configuration for MPLS, coloring is necessary and applies to the BGP routes received. Conversely, the return traffic originating from rt4 will be steered to rt1 with a policy, thanks to a color extended community attached to the outgoing BGP route fd00:100::/64.

rt1

rt1 running config# vrf main
rt1 running vrf main# routing bgp
rt1 running bgp#! as 65500
rt1 running bgp# router-id 1.1.1.1
rt1 running bgp# network-import-check false
rt1 running bgp# address-family ipv6-unicast network fd00:100::/64
rt1 running network fd00:100::/64# / vrf main routing bgp neighbor 4:4::4:4 remote-as 65500
rt1 running bgp# neighbor 4:4::4:4 update-source loop1
rt1 running bgp# neighbor 4:4::4:4 address-family ipv4-unicast enabled false
rt1 running bgp# neighbor 4:4::4:4 address-family ipv6-unicast enabled true
rt1 running bgp# neighbor 4:4::4:4 address-family ipv6-unicast route-map in route-map-name rmap
rt1 running bgp#! neighbor 4:4::4:4 address-family ipv6-unicast route-map out route-map-name rmap_out
rt1 running bgp#! / routing route-map rmap
rt1 running route-map rmap#! seq 10 policy permit
rt1 running route-map rmap#! seq 10 set sr-te color 15
rt1 running route-map rmap#! / routing route-map rmap_out
rt1 running route-map rmap_out#! seq 10 policy permit
rt1 running route-map rmap_out# seq 10 set extcommunity color 25
rt1 running route-map rmap_out# / vrf main interface physical eth1
rt1 running physical eth1#! port pci-b0s4
rt1 running physical eth1# ipv6 address fd00:100::1/64
rt1 running physical eth1# .. physical eth2
rt1 running physical eth2#! port pci-b0s5
rt1 running physical eth2# ipv6 address fd00:130::1/64
rt1 running physical eth2# .. physical eth3
rt1 running physical eth3#! port pci-b0s6
rt1 running physical eth3# ipv6 address fd00:125::1/64
rt1 running physical eth3# .. loopback loop1
rt1 running loopback loop1# ipv6 address 1:1::1:1/128
rt1 running loopback loop1# ipv4 address 1.1.1.1/32
rt1 running loopback loop1# .. loopback loop2
rt1 running loopback loop2# ipv6 address 2001:db8:1::/48
rt1 running loopback loop2# .. .. routing
rt1 running routing# interface loop1
rt1 running interface loop1# isis
rt1 running isis#! area-tag 1
rt1 running isis#! ipv6-routing true
rt1 running isis#! hello interval level-1 1
rt1 running isis#! hello multiplier level-1 3
rt1 running isis#! .. ..
rt1 running routing#! interface eth2
rt1 running interface eth2#! isis
rt1 running isis#! area-tag 1
rt1 running isis#! ipv6-routing true
rt1 running isis#! hello interval level-1 1
rt1 running isis#! hello multiplier level-1 3
rt1 running isis#! metric level-1 5
rt1 running isis#! .. ..
rt1 running routing#! interface eth3
rt1 running interface eth3#! isis
rt1 running isis#! area-tag 1
rt1 running isis#! ipv6-routing true
rt1 running isis#! hello interval level-1 1
rt1 running isis#! hello multiplier level-1 3
rt1 running isis#! .. ..
rt1 running routing#! isis instance 1
rt1 running instance 1# is-type level-1
rt1 running instance 1# area-address 49.0000.0007.e901.1111.00
rt1 running instance 1# multi-topology ipv6-unicast
rt1 running ipv6-unicast# .. ..
rt1 running instance 1# segment-routing ipv6
rt1 running ipv6#! locator loc1
rt1 running ipv6# / vrf main routing segment-routing ipv6
rt1 running ipv6# locator loc1
rt1 running locator loc1#! prefix 2001:db8:1::/48
rt1 running locator loc1# block-length 24
rt1 running locator loc1#

rt2

rt2 running config# vrf main
rt2 running vrf main# interface physical eth1
rt2 running physical eth1#! port pci-b0s4
rt2 running physical eth1# ipv6 address fd00:125::2/64
rt2 running physical eth1# .. physical eth2
rt2 running physical eth2#! port pci-b0s5
rt2 running physical eth2# ipv6 address fd00:126::2/64
rt2 running physical eth2# .. physical eth3
rt2 running physical eth3#! port pci-b0s6
rt2 running physical eth3# ipv6 address fd00:131::2/64
rt2 running physical eth3# .. loopback loop1
rt2 running loopback loop1# ipv6 address 2:2::2:2/128
rt2 running loopback loop1# ipv4 address 2.2.2.2/32
rt2 running loopback loop1# .. .. routing
rt2 running routing# interface loop1
rt2 running interface loop1# isis
rt2 running isis#! area-tag 1
rt2 running isis#! ipv6-routing true
rt2 running isis#! hello interval level-1 1
rt2 running isis#! hello multiplier level-1 3
rt2 running isis#! .. .. interface eth1
rt2 running interface eth1#! isis
rt2 running isis#! area-tag 1
rt2 running isis#! ipv6-routing true
rt2 running isis#! hello interval level-1 1
rt2 running isis#! hello multiplier level-1 3
rt2 running isis#! .. .. interface eth2
rt2 running interface eth2#! isis
rt2 running isis#! area-tag 1
rt2 running isis#! ipv6-routing true
rt2 running isis#! hello interval level-1 1
rt2 running isis#! hello multiplier level-1 3
rt2 running isis#! .. .. interface eth3
rt2 running interface eth3#! isis
rt2 running isis#! area-tag 1
rt2 running isis#! ipv6-routing true
rt2 running isis#! hello interval level-1 1
rt2 running isis#! hello multiplier level-1 3
rt2 running isis#! .. ..
rt2 running routing#! isis instance 1
rt2 running instance 1# is-type level-1
rt2 running instance 1# area-address 49.0000.0007.e901.2222.00
rt2 running instance 1# multi-topology ipv6-unicast
rt2 running ipv6-unicast# .. ..
rt2 running instance 1# segment-routing ipv6
rt2 running ipv6#! locator loc1
rt2 running ipv6# / vrf main routing segment-routing ipv6
rt2 running ipv6# locator loc1
rt2 running locator loc1#! prefix 2001:db8:2::/48
rt2 running locator loc1# block-length 24
rt2 running locator loc1#

rt3

rt3 running config# vrf main
rt3 running vrf main# interface physical eth1
rt3 running physical eth1#! port pci-b0s4
rt3 running physical eth1# ipv6 address fd00:130::3/64
rt3 running physical eth1# .. physical eth2
rt3 running physical eth2#! port pci-b0s5
rt3 running physical eth2# ipv6 address fd00:126::3/64
rt3 running physical eth2# .. physical eth3
rt3 running physical eth3#! port pci-b0s6
rt3 running physical eth3# ipv6 address fd00:127::3/64
rt3 running physical eth3# .. loopback loop1
rt3 running loopback loop1# ipv6 address 3:3::3:3/128
rt3 running loopback loop1# ipv4 address 3.3.3.3/32
rt3 running loopback loop1# .. .. routing
rt3 running routing# interface loop1
rt3 running interface loop1# isis
rt3 running isis#! area-tag 1
rt3 running isis#! ipv6-routing true
rt3 running isis#! hello interval level-1 1
rt3 running isis#! hello multiplier level-1 3
rt3 running isis#! .. .. interface eth1
rt3 running interface eth1#! isis
rt3 running isis#! area-tag 1
rt3 running isis#! ipv6-routing true
rt3 running isis#! hello interval level-1 1
rt3 running isis#! hello multiplier level-1 3
rt3 running isis#! metric level-1 5
rt3 running isis#! .. .. interface eth2
rt3 running interface eth2#! isis
rt3 running isis#! area-tag 1
rt3 running isis#! ipv6-routing true
rt3 running isis#! hello interval level-1 1
rt3 running isis#! hello multiplier level-1 3
rt3 running isis#! .. .. interface eth3
rt3 running interface eth3#! isis
rt3 running isis#! area-tag 1
rt3 running isis#! ipv6-routing true
rt3 running isis#! hello interval level-1 1
rt3 running isis#! hello multiplier level-1 3
rt3 running isis#! metric level-1 20
rt3 running isis#! .. ..
rt3 running routing#! isis instance 1
rt3 running instance 1# is-type level-1
rt3 running instance 1# area-address 49.0000.0007.e901.3333.00
rt3 running instance 1# multi-topology ipv6-unicast
rt3 running ipv6-unicast# .. ..
rt3 running instance 1# segment-routing ipv6
rt3 running ipv6#! locator loc1
rt3 running ipv6# / vrf main routing segment-routing ipv6
rt3 running ipv6# locator loc1
rt3 running locator loc1#! prefix 2001:db8:3::/48
rt3 running locator loc1# block-length 24
rt3 running locator loc1#

rt4

rt4 running config# vrf main
rt4 running vrf main# routing bgp
rt4 running bgp#! as 65500
rt4 running bgp# router-id 4.4.4.4
rt4 running bgp# network-import-check false
rt4 running bgp# address-family ipv6-unicast network fd00:200::/64
rt4 running network fd00:200::/64# / vrf main routing bgp neighbor 1:1::1:1 remote-as 65500
rt4 running bgp# neighbor 1:1::1:1 update-source loop1
rt4 running bgp# neighbor 1:1::1:1 address-family ipv4-unicast enabled false
rt4 running bgp# neighbor 1:1::1:1 address-family ipv6-unicast enabled true
rt4 running bgp# .. interface physical eth1
rt4 running physical eth1#! port pci-b0s4
rt4 running physical eth1# ipv6 address fd00:200::4/64
rt4 running physical eth1# .. physical eth2
rt4 running physical eth2#! port pci-b0s5
rt4 running physical eth2# ipv6 address fd00:127::4/64
rt4 running physical eth2# network-stack
rt4 running network-stack# ipv6
rt4 running ipv6# accept-segment-routing true
rt4 running ipv6# .. ..
rt4 running physical eth2# .. loopback loop1
rt4 running loopback loop1# ipv6 address 4:4::4:4/128
rt4 running loopback loop1# ipv4 address 4.4.4.4/32
rt4 running loopback loop1# .. loopback loop2
rt4 running loopback loop2# ipv6 address 2001:db8:4::/48
rt4 running loopback loop2# .. .. routing
rt4 running routing# interface loop1
rt4 running interface loop1# isis
rt4 running isis#! area-tag 1
rt4 running isis#! ipv6-routing true
rt4 running isis#! hello interval level-1 1
rt4 running isis#! hello multiplier level-1 3
rt4 running isis#! .. .. interface eth2
rt4 running interface eth2#! isis
rt4 running isis#! area-tag 1
rt4 running isis#! ipv6-routing true
rt4 running isis#! hello interval level-1 1
rt4 running isis#! hello multiplier level-1 3
rt4 running isis#! metric level-1 20
rt4 running isis#! .. .. interface eth3
rt4 running interface eth3#! isis
rt4 running isis#! area-tag 1
rt4 running isis#! ipv6-routing true
rt4 running isis#! hello interval level-1 1
rt4 running isis#! hello multiplier level-1 3
rt4 running isis#! .. ..
rt4 running routing#! isis instance 1
rt4 running instance 1# is-type level-1
rt4 running instance 1# area-address 49.0000.0007.e901.4444.00
rt4 running instance 1# multi-topology ipv6-unicast
rt4 running ipv6-unicast# .. ..
rt4 running instance 1# segment-routing ipv6
rt4 running ipv6#! locator loc1
rt4 running ipv6# / vrf main routing segment-routing ipv6
rt4 running ipv6# locator loc1
rt4 running locator loc1#! prefix 2001:db8:4::/48
rt4 running locator loc1# block-length 24
rt4 running locator loc1#

rt1

rt1# show bgp ipv6
BGP table version is 2, local router ID is 1.1.1.1, vrf id 0
Default local pref 100, local AS 65500
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

   Network          Next Hop            Metric LocPrf Weight Path
*> fd00:100::/64    ::/0                    0         32768 i
*>ifd00:200::/64    4:4::4:4                0    100      0 i

Displayed  2 routes and 2 total paths

Without the SRv6 policy, the path to the fd00:200::/64 network follows the path computed by the IGP. When SR-TE is off, the color of the fd00:200::/64 prefix has no impact on the path computed.

rt1

rt1# show ipv6-routes
Codes: K - kernel route, C - connected, S - static, R - RIPng,
       O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
       A - Babel, D - SHARP, F - PBR, f - OpenFabric,
       t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

C>* 1:1::1:1/128 is directly connected, loop1, 11:55:17
[..]
I>* 3:3::3:3/128 [115/20] via fe80::dced:1ff:fea0:b22b, ntfp3, weight 1, 00:05:22
I>* 4:4::4:4/128 [115/30] via fe80::dced:1ff:fea0:b22b, ntfp3, weight 1, 00:05:22
I>* 2001:db8:1::/128 [115/0] is directly connected, sr0, seg6local End USP, weight 1, 00:06:20
I>* 2001:db8:1:1::/128 [115/0] is directly connected, ntfp3, seg6local End.X nh6 fe80::dced:1ff:fea0:b22b, weight 1, 00:05:51
I>* 2001:db8:2::/48 [115/10] via fe80::dced:1ff:fea0:b22b, ntfp3, weight 1, 00:05:22
I>* 2001:db8:3::/48 [115/20] via fe80::dced:1ff:fea0:b22b, ntfp3, weight 1, 00:05:22
I>* 2001:db8:4::/48 [115/30] via fe80::dced:1ff:fea0:b22b, ntfp3, weight 1, 00:05:22
C>* fd00:100::/64 is directly connected, ntfp1, 00:05:22
B>  fd00:200::/64 [200/0] via 4:4::4:4 (recursive), weight 1, 00:00:17
  *                         via fe80::dced:1ff:fea0:b22b, ntfp3, weight 1, 00:00:17
[..]

Candidate Path configuration

The below configuration illustrates an SR policy used to steer traffic going to the 4:4::4:4 endpoint, and with a color set to 15. An explicit SRv6 segment-list is used and applied to colored traffic heading to the 4:4::4:4 endpoint.

rt1

rt1 running vrf main# routing segment-routing enabled true
rt1 running vrf main# routing segment-routing traffic-engineering
rt1 running traffic-engineering# policy color 15 endpoint 4:4::4:4
rt1 running policy color 15 endpoint 4:4::4:4# name fd00_200_to_node4
rt1 running policy color 15 endpoint 4:4::4:4# candidate-path 10 type explicit name force_lsp segment-list igp_lsp_srv6
rt1 running policy color 15 endpoint 4:4::4:4#! ..
rt1 running traffic-engineering#! segment-list igp_lsp_srv6
rt1 running segment-list igp_lsp_srv6# segment 10 ipv6-sid 2001:db8:3::
rt1 running segment-list igp_lsp_srv6# segment 20 ipv6-sid 2001:db8:4::
rt1 running segment-list igp_lsp_srv6#

In SRv6, the top segment stands for the first IPv6 address that is used when entering an SRv6 network. The associated candidate path will be Active if that IPv6 address is reachable in the IPv6 routing table of the SR network.

rt1

rt1> show segment-routing te-policies
 Endpoint  Color  Name                 BSID  Status
 ----------------------------------------------------
 4:4::4:4   15      fd00_200_to_node4      -     Active

The above SR policy is active because the 2001:db8:3:: IP address is reachable in the IPv6 routing table. The resulting fd00:200::/64 traffic is steered to the 4:4::4:4 network by being encapsulated with an SRH that contains two segment entries: 2001:db8:3:: and 2001:db8:4::.

rt1# show ipv6-routes protocol bgp
Codes: K - kernel route, C - connected, S - static, R - RIPng,
       O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
       A - Babel, D - SHARP, F - PBR, f - OpenFabric,
       t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

B>  fd00:200::/64 [200/0] via 4:4::4:4 (recursive), weight 1, 00:08:26
  *                         via fe80::dced:1ff:fea0:b22b, ntfp3, seg6 2001:db8:3::,2001:db8:4::, weight 1, 00:08:26
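The Active check described above depends only on whether the top segment resolves in the IPv6 routing table. The following added example (not part of the original documentation) parses route lines in the `show ipv6-routes` format and applies that rule; the sample lines are a constructed subset of the output on this page, and the function names and the "Inactive" label are assumptions.

```python
import ipaddress
import re

# Constructed sample: a subset of the "show ipv6-routes" lines shown on this page.
SAMPLE_ROUTES = """\
C>* 1:1::1:1/128 is directly connected, loop1, 11:55:17
I>* 4:4::4:4/128 [115/30] via fe80::dced:1ff:fea0:b22b, ntfp3, weight 1, 00:05:22
I>* 2001:db8:2::/48 [115/10] via fe80::dced:1ff:fea0:b22b, ntfp3, weight 1, 00:05:22
I>* 2001:db8:3::/48 [115/20] via fe80::dced:1ff:fea0:b22b, ntfp3, weight 1, 00:05:22
I>* 2001:db8:4::/48 [115/30] via fe80::dced:1ff:fea0:b22b, ntfp3, weight 1, 00:05:22
B>  fd00:200::/64 [200/0] via 4:4::4:4 (recursive), weight 1, 00:00:17
"""

# Protocol code, the "selected" marker, an optional FIB marker, then the prefix.
ROUTE_RE = re.compile(r"^(?P<code>[A-Za-z])>\*?\s+(?P<prefix>[0-9a-fA-F:]+/\d+)\s")

def parse_routes(text):
    """Return (protocol code, network) for every selected route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m["code"], ipaddress.ip_network(m["prefix"])))
    return routes

def resolve(sid, routes):
    """Longest-prefix match of a SID against the parsed table, or None."""
    addr = ipaddress.ip_address(sid)
    hits = [r for r in routes if addr in r[1]]
    return max(hits, key=lambda r: r[1].prefixlen, default=None)

def candidate_path_status(segment_list, routes):
    """Only the top (first) segment decides whether the path is usable."""
    if not segment_list:
        return "Inactive", None
    route = resolve(segment_list[0], routes)
    return ("Active" if route else "Inactive"), route
```

With the 2001:db8:3::/48 route withdrawn the same segment list is reported Inactive, even though the second SID 2001:db8:4:: is still reachable.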

A similar SR-TE policy has been configured on the rt4 device, so that the return traffic is also encapsulated in an SRv6 packet.

rt4

rt4 running vrf main# routing segment-routing enabled true
rt4 running vrf main# routing segment-routing traffic-engineering
rt4 running traffic-engineering# policy color 25 endpoint 1:1::1:1
rt4 running policy color 25 endpoint 1:1::1:1# name fd00_200_to_node4
rt4 running policy color 25 endpoint 1:1::1:1# candidate-path 10 type explicit name force_lsp segment-list igp_lsp_srv6
rt4 running policy color 25 endpoint 1:1::1:1#! ..
rt4 running traffic-engineering#! segment-list igp_lsp_srv6
rt4 running segment-list igp_lsp_srv6# segment 10 ipv6-sid 2001:db8:2::
rt4 running segment-list igp_lsp_srv6# segment 20 ipv6-sid 2001:db8:1::
rt4 running segment-list igp_lsp_srv6#

Receiving SRv6 local traffic requires enabling SRv6 on the ingress side of each interface.

rt1

rt1 running vrf main# interface physical eth3
rt1 running physical eth3# network-stack ipv6 accept-segment-routing true
rt1 running physical eth3#

rt4

rt4 running vrf main# interface physical eth2
rt4 running physical eth2# network-stack ipv6 accept-segment-routing true
rt4 running physical eth2#

BSID configuration

SR-TE policies that use SRv6 can use the binding-ipv6-sid keyword to define a specific IPv6 SID. As with MPLS, BSIDs are very useful when TE traffic crosses domains. When received by the local device, the packet is encapsulated with a new IPv6 header and an SRH defined by the local SR policy.

The SID value must be uniquely identified from the local IS-IS locator. It is recommended to configure the BSID for each SR policy, as shown below:

rt1

rt1 running vrf main# routing segment-routing enabled true
rt1 running vrf main# routing segment-routing traffic-engineering
rt1 running traffic-engineering# policy color 15 endpoint 4:4::4:4
rt1 running policy color 15 endpoint 4:4::4:4# binding-ipv6-sid 2001:db8:100::
rt1 running policy color 15 endpoint 4:4::4:4#

The above configuration creates a seg6local route that will be used by external traffic passing through the rt1 device and heading to the fd00:200::/64 network.

rt1

rt1# show ipv6-routes protocol bgp
[..]
p>* 2001:db8:100::/128 [150/0] is directly connected, eth3, seg6local End.B6.Encap nh6 2001:db8:100::, seg6 2001:db8:3::,2001:db8:4::, weight 1, 00:44:31

The End.B6.Encap operation is defined by RFC 8986 and describes how incoming traffic heading to the 2001:db8:100:: address is processed. Specifically, to use that operation, incoming packets must carry a list of multiple SIDs in their SRH. Then, by following the seg6local route, the Segments Left field of the SRH is decremented, and the packet is encapsulated with an extra IPv6 header carrying the 2001:db8:3:: and 2001:db8:4:: SIDs. The configuration below shows how to use a Virtual Service Router as a connected host located behind rt1 to send traffic heading to the fd00:200::/64 network through the End.B6.Encap 2001:db8:100:: address. The 2001:db9:100:: SID is a given address located behind rt4.

host

host running vrf main# interface physical eth1
host running physical eth1#! port pci-b0s4
host running physical eth1# ipv6 address fd00:100::2/64
host running physical eth1# / vrf main
host running vrf main# routing static ipv6-route fd00:200::/64 next-hop fd00:100::1 ipv6-sid 2001:db8:100:: ipv6-sid 2001:db9:100::
host running vrf main# routing static ipv6-route 2001:db8:100::/128 next-hop fd00:100::1
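The End.B6.Encap processing described above can be followed on the SRH bytes themselves. This added example (not from the original documentation) encodes an SRH in the RFC 8754 layout and models the RFC 8986 steps on the host's SID list; the function names are hypothetical, and it assumes the host encapsulates its traffic in IPv6 and that the full, non-reduced SID list is written into each SRH with no TLVs.

```python
import ipaddress
import struct

SRH_ROUTING_TYPE = 4   # Routing Type of the Segment Routing Header (RFC 8754)
NH_IPV6 = 41           # Next Header value when the encapsulated packet is IPv6

def build_srh(path, next_header=NH_IPV6):
    """Encode an SRH for `path` (SIDs in travel order), without TLVs.
    On the wire the list is reversed: Segment List[0] is the last SID."""
    n = len(path)
    hdr = struct.pack("!BBBBBBH", next_header, 2 * n, SRH_ROUTING_TYPE,
                      n - 1, n - 1, 0, 0)  # Segments Left, Last Entry, Flags, Tag
    return hdr + b"".join(ipaddress.IPv6Address(s).packed for s in reversed(path))

def parse_srh(raw):
    """Decode and sanity-check an SRH; returns (segments_left, wire_order_sids)."""
    _nh, ext_len, rtype, left, last, _flags, _tag = struct.unpack("!BBBBBBH", raw[:8])
    if rtype != SRH_ROUTING_TYPE or len(raw) < 8 + 8 * ext_len:
        raise ValueError("not a complete SRH")
    if last > ext_len // 2 - 1 or left > last + 1:
        raise ValueError("inconsistent Last Entry / Segments Left")
    sids = [str(ipaddress.IPv6Address(raw[8 + 16 * i: 24 + 16 * i]))
            for i in range(last + 1)]
    return left, sids

def end_b6_encaps(inner_srh, policy_path):
    """Model End.B6.Encaps on a packet whose destination is the local BSID.
    Returns (new inner DA, updated inner SRH, outer DA, outer SRH)."""
    left, sids = parse_srh(inner_srh)
    if left == 0:
        # The BSID was the last SID: the behavior is not applied (modelled as an error).
        raise ValueError("Segments Left is 0: no further SID behind the BSID")
    left -= 1                                     # decrement Segments Left
    updated = inner_srh[:3] + bytes([left]) + inner_srh[4:]
    # Inner DA becomes Segment List[Segments Left]; the outer header carries the policy.
    return sids[left], updated, policy_path[0], build_srh(policy_path)

# Constructed input: the SID list from the host static route on this page.
HOST_SRH = build_srh(["2001:db8:100::", "2001:db9:100::"])
POLICY_PATH = ["2001:db8:3::", "2001:db8:4::"]   # segment-list igp_lsp_srv6 on rt1
```

After rt1 processes the packet, the inner header points at 2001:db9:100:: with Segments Left 0, and the outer header is addressed to 2001:db8:3:: with 2001:db8:4:: still pending.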