06-02-2023 05:07 AM
Hi,
I'm trying to set up an SRv6 domain with seven XRd routers with traffic engineering enabled. I've configured affinity rules on some interfaces to exclude certain links as constraints. The domain has the two PEs XR1 and XR7 at each end with END.DT4 behaviours and a route reflector in the middle. The setup does not use a PCE. The dynamic configuration is marked as "inactive" in the policy on both sides with an IGP (IS-IS) metric count of 0.
RP/0/RP0/CPU0:XR-1#show segment-routing traffic-eng policy color 50
SR-TE policy database
---------------------
Color: 50, End-point: fcfe::7
Name: srte_c_50_ep_fcfe::7
Status:
Admin: up Operational: down for 22:12:23 (since Jun 1 13:19:08.046)
Candidate-paths:
Preference: 100 (configuration) (inactive)
Name: trusted_paths
Requested BSID: dynamic
Constraints:
Protection Type: protected-preferred
Affinity:
exclude-any:
red
Maximum SID Depth: 5
Dynamic (inactive)
Metric Type: IGP, Path Accumulated Metric: 0
Attributes:
Forward Class: 0
Steering labeled-services disabled: no
Steering BGP disabled: no
IPv6 caps enable: yes
Invalidation drop enabled: no
When enabling the debug mode, the logs contain:
xtc_agent[1183]: DBG-Policy-Event:_xtc_policy_check:1911 [POL-ID: 3] [C: 50, EP: fcfe::7] Processing check
xtc_agent[1183]: DBG-Policy-State:_xtc_policy_check:1915 Policy has no source address
But the source address is set in both policies. Source and Endpoint address are the loopback addresses of the PEs.
Here is the XR1 config:
vrf Customer1
address-family ipv4 unicast
import route-target
97:97
!
export route-target
97:97
!
interface Loopback0
ipv6 address fcfe::1/128
!
interface Loopback97
vrf Customer1
ipv4 address 192.168.97.1 255.255.255.255
!
interface MgmtEth0/RP0/CPU0/0
ipv4 address 192.168.250.11 255.255.255.0
!
interface GigabitEthernet0/0/0/0
description to XR3
ipv6 address 2001:db8:13::1/64
!
interface GigabitEthernet0/0/0/1
description to XR-2
ipv6 address 2001:db8:12::1/64
!
router static
address-family ipv4 unicast
0.0.0.0/0 192.168.250.1
!
!
router isis core
is-type level-2-only
net 49.0000.0000.0001.00
distribute link-state
address-family ipv6 unicast
metric-style wide
segment-routing srv6
locator MAIN
!
!
!
interface Loopback0
passive
address-family ipv6 unicast
!
!
interface GigabitEthernet0/0/0/0
point-to-point
address-family ipv6 unicast
!
!
interface GigabitEthernet0/0/0/1
point-to-point
address-family ipv6 unicast
!
!
!
router bgp 64097
bgp router-id 97.0.0.1
address-family vpnv4 unicast
segment-routing srv6
locator MAIN
!
!
neighbor fcfe::4
remote-as 64097
update-source Loopback0
address-family vpnv4 unicast
!
!
vrf Customer1
rd 97:97
address-family ipv4 unicast
segment-routing srv6
locator MAIN
alloc mode per-vrf
!
redistribute connected
!
!
!
segment-routing
traffic-eng
interface GigabitEthernet0/0/0/1
affinity
name red
!
!
srv6
locator MAIN binding-sid dynamic behavior ub6-insert-reduced
!
candidate-paths
all
source-address ipv6 fcfe::1
!
!
maximum-sid-depth 5
policy trusted_paths
color 50 end-point ipv6 fcfe::7
candidate-paths
preference 100
dynamic
metric
type igp
!
!
constraints
affinity
exclude-any
name red
!
!
!
!
!
!
affinity-map
name red bit-position 1
!
!
srv6
locators
locator MAIN
prefix fc00:0:1::/64
!
!
!
!
Does anyone know what is missing? XR7 has the same policy but different source and endpoint addresses. I can ping between the Loopbacks 97 in the VRF over SRv6.
Thanks in advance.
06-02-2023 07:22 AM - edited 06-02-2023 07:27 AM
Hi @Laurent Ost ,
As per this document, the dynamic path calculation is currently only supported via a PCE.
"A SID list can be either the result of a dynamic path computation by a PCE or a user configured explicit path. See SRv6-TE Policy Path Types for more information."
Regards,
06-02-2023 11:00 AM
Thank you for the clarification.
If I am understanding this right, constraints with affinity rules only work with dynamic path computation. They do not apply to explicit paths.
I am going to configure PCE on the route reflector and see if the path selection avoids the interfaces with affinity rules.
Regards,
Laurent Ost
06-02-2023 11:39 AM
Hi @Harold Ritter,
I've configured the PCE but I still get the same log entry:
xtc_agent[1183]: DBG-Policy-State:_xtc_policy_check:1915 Policy has no source address
segment-routing
traffic-eng
interface GigabitEthernet0/0/0/1
affinity
name red
!
!
srv6
locator MAIN binding-sid dynamic behavior ub6-insert-reduced
!
candidate-paths
all
source-address ipv6 fcfe::1
!
!
maximum-sid-depth 5
policy trusted_paths
color 50 end-point ipv6 fcfe::7
candidate-paths
preference 100
dynamic
metric
type igp
!
!
constraints
affinity
exclude-any
name red
!
!
!
!
!
!
affinity-map
name red bit-position 1
!
pcc
source-address ipv6 fcfe::1
pce address ipv6 fcfe::4
!
report-all
!
!
srv6
locators
locator MAIN
prefix fc00:0:1::/64
!
!
!
!
show segment-routing traffic-eng pcc ipv6 peer brief
Address Precedence State Learned From
-------------------- ------------ ------------ ---------------
fcfe::4 255 up config
#show segment-routing traffic-eng pcc ipv6 peer detail
PCC's peer database:
--------------------
Peer address: fcfe::4
Precedence: 255, (best PCE)
State up
Capabilities: Stateful, Update, Segment-Routing, Instantiation, SRv6
PCEP has been up for: 00:21:13
Local keepalive timer is 30 seconds
Remote keepalive timer is 30 seconds
Local dead timer is 120 seconds
Remote dead timer is 120 seconds
Authentication: None
Statistics:
Open messages: rx 1 | tx 1
Close messages: rx 0 | tx 0
Keepalive messages: rx 43 | tx 42
Error messages: rx 0 | tx 0
Report messages: rx 0 | tx 2
Update messages: rx 0 | tx 0
Initiate messages: rx 0
I added the following configuration to XR4 (RR).
pce
address ipv6 fcfe::4
The topology indicates the domain has 14 routers. There are actually only 7:
show pce ipv6 topology summary
PCE's topology database summary:
--------------------------------
Topology nodes: 14
Prefixes: 14
Prefix SIDs:
Total: 0
Regular: 0
Strict: 0
Links:
Total: 48
EPE: 0
Adjacency SIDs:
Total: 0
Unprotected: 0
Protected: 0
EPE: 0
Private Information:
Lookup Nodes 0
Consistent no
Update Stats (from IGP and/or BGP):
Nodes added: 14
Nodes deleted: 0
Links added: 48
Links deleted: 0
Prefix added: 83
Prefix deleted: 0
Topology Ready Summary:
Ready: yes
PCEP allowed: yes
Last HA case: migration
Timer value (sec): 40
Timer:
Running: no
Every node exists twice with a different AS (64097 and 0):
show pce ipv6 topology
Node 7
Host name: XR-7
ISIS system ID: 0000.0000.0007 level-2 Area-id: 49 ASN: 0
SR Algo INFO:
ISIS system ID: 0000.0000.0007 level-2 Area-id: 49 ASN: 0
SR Algo Participation:
0, 1
uN SIDs:
SID[0]: ISIS system ID: 0000.0000.0007 level-2 Area-id: 49 ASN: 0 domain ID: 0
SID: fc00:0:7:0:1:: Behavior: End (PSP/USD) (29)
LBL:40 LNL:24 FL:16 AL:0 Algo:0
Link[0]: local address 2001:db8:57::7, remote address 2001:db8:57::5
Metric: IGP 10, TE 10, Latency 10 microseconds
Bandwidth: Total 125000000 Bps, Reservable 0 Bps
Admin-groups: 0x00000000
uA SIDs:
SID[0]: fc00:0:7:0:40:: (unprotected) Behavior: End.X (PSP/USD) (33)
LBL:40 LNL:24 FL:16 AL:0 Algo:0
Local node:
ISIS system ID: 0000.0000.0007 level-2 Area-id: 49 ASN: 0
Remote node:
Host name: XR-5
ISIS system ID: 0000.0000.0005 level-2 Area-id: 49 ASN: 0
Link[1]: local address 2001:db8:67::7, remote address 2001:db8:67::6
Metric: IGP 10, TE 10, Latency 10 microseconds
Bandwidth: Total 125000000 Bps, Reservable 0 Bps
Admin-groups: 0x00000000
uA SIDs:
SID[0]: fc00:0:7:0:41:: (unprotected) Behavior: End.X (PSP/USD) (33)
LBL:40 LNL:24 FL:16 AL:0 Algo:0
Local node:
ISIS system ID: 0000.0000.0007 level-2 Area-id: 49 ASN: 0
Remote node:
Host name: XR-6
ISIS system ID: 0000.0000.0006 level-2 Area-id: 49 ASN: 0
....
Node 14
Host name: XR-7
ISIS system ID: 0000.0000.0007 level-2 Area-id: 49 ASN: 64097
SR Algo INFO:
ISIS system ID: 0000.0000.0007 level-2 Area-id: 49 ASN: 64097
SR Algo Participation:
0, 1
uN SIDs:
SID[0]: ISIS system ID: 0000.0000.0007 level-2 Area-id: 49 ASN: 64097 domain ID: 0
SID: fc00:0:7:0:1:: Behavior: End (PSP/USD) (29)
LBL:40 LNL:24 FL:16 AL:0 Algo:0
Link[0]: local address 2001:db8:57::7, remote address 2001:db8:57::5
Metric: IGP 10, TE 10, Latency 10 microseconds
Bandwidth: Total 125000000 Bps, Reservable 0 Bps
Admin-groups: 0x00000000
uA SIDs:
SID[0]: fc00:0:7:0:40:: (unprotected) Behavior: End.X (PSP/USD) (33)
LBL:40 LNL:24 FL:16 AL:0 Algo:0
Local node:
ISIS system ID: 0000.0000.0007 level-2 Area-id: 49 ASN: 64097
Remote node:
Host name: XR-5
ISIS system ID: 0000.0000.0005 level-2 Area-id: 49 ASN: 64097
Link[1]: local address 2001:db8:67::7, remote address 2001:db8:67::6
Metric: IGP 10, TE 10, Latency 10 microseconds
Bandwidth: Total 125000000 Bps, Reservable 0 Bps
Admin-groups: 0x00000000
uA SIDs:
SID[0]: fc00:0:7:0:41:: (unprotected) Behavior: End.X (PSP/USD) (33)
LBL:40 LNL:24 FL:16 AL:0 Algo:0
Local node:
ISIS system ID: 0000.0000.0007 level-2 Area-id: 49 ASN: 64097
Remote node:
Host name: XR-6
ISIS system ID: 0000.0000.0006 level-2 Area-id: 49 ASN: 64097
Cisco Version: IOS XR Configuration 7.8.2
Regards,
Laurent Ost
06-02-2023 02:29 PM
Hi @Laurent Ost ,
You need to add the pcep keyword to the dynamic policy to tell the PCC to send the request to the PCE for path calculation, as follows:
candidate-paths preference 100 dynamic pcep
https://xrdocs.io/design/blogs/latest-converged-sdn-transport-srv6
Regards,
06-03-2023 12:49 AM
Hi @Harold Ritter ,
Thank you, I have overlooked that. However, I still get the same log entry and dynamic is inactive:
XR-1#show segment-routing traffic-eng policy color 50
Sat Jun 3 07:40:11.105 UTC
SR-TE policy database
---------------------
Color: 50, End-point: fcfe::7
Name: srte_c_50_ep_fcfe::7
Status:
Admin: up Operational: down for 1d18h (since Jun 1 13:19:08.046)
Candidate-paths:
Preference: 100 (configuration) (inactive)
Name: trusted_paths
Requested BSID: dynamic
PCC info:
Symbolic name: cfg_trusted_paths_discr_100
PLSP-ID: 5
Constraints:
Protection Type: protected-preferred
Affinity:
exclude-any:
red
Maximum SID Depth: 5
Dynamic (pce fcfe::4) (inactive)
Metric Type: IGP, Path Accumulated Metric: 0
Attributes:
Forward Class: 0
Steering labeled-services disabled: no
Steering BGP disabled: no
IPv6 caps enable: yes
Invalidation drop enabled: no
Max Install Standby Candidate Paths: 0
XR-1#show segment-routing traffic-eng pcc ipv6 peer detail
Sat Jun 3 07:41:41.986 UTC
PCC's peer database:
--------------------
Peer address: fcfe::4
Precedence: 255, (best PCE)
State up
Capabilities: Stateful, Update, Segment-Routing, Instantiation, SRv6
PCEP has been up for: 13:34:24
Local keepalive timer is 30 seconds
Remote keepalive timer is 30 seconds
Local dead timer is 120 seconds
Remote dead timer is 120 seconds
Authentication: None
Statistics:
Open messages: rx 1 | tx 1
Close messages: rx 0 | tx 0
Keepalive messages: rx 1629 | tx 1628
Error messages: rx 0 | tx 0
Report messages: rx 0 | tx 4
Update messages: rx 1 | tx 0
Initiate messages: rx 0
There are two entries in the topology for every node:
show pce ipv6 topology summary
PCE's topology database summary:
--------------------------------
Topology nodes: 14
Prefixes: 14
Prefix SIDs:
Total: 0
Regular: 0
Strict: 0
Links:
Total: 48
EPE: 0
Adjacency SIDs:
Total: 0
Unprotected: 0
Protected: 0
EPE: 0
Private Information:
Lookup Nodes 0
Consistent no
Update Stats (from IGP and/or BGP):
Nodes added: 14
Nodes deleted: 0
Links added: 48
Links deleted: 0
Prefix added: 83
Prefix deleted: 0
Topology Ready Summary:
Ready: yes
PCEP allowed: yes
Last HA case: migration
Timer value (sec): 40
Timer:
Running: no
XR-2#show run
Could something be wrong with IS-IS?
Here the config of a P router (XR2):
interface Loopback0
ipv6 address fcfe::2/128
!
interface MgmtEth0/RP0/CPU0/0
ipv4 address 192.168.250.12 255.255.255.0
!
interface GigabitEthernet0/0/0/0
description to XR1
cdp
ipv6 address 2001:db8:12::2/64
!
interface GigabitEthernet0/0/0/1
description to XR3
cdp
ipv6 address 2001:db8:23::2/64
!
interface GigabitEthernet0/0/0/2
description to XR4
cdp
ipv6 address 2001:db8:24::2/64
!
interface GigabitEthernet0/0/0/3
description to XR6
cdp
ipv6 address 2001:db8:26::2/64
!
router static
address-family ipv4 unicast
0.0.0.0/0 192.168.250.1
!
!
router isis core
is-type level-2-only
net 49.0000.0000.0002.00
distribute link-state
address-family ipv6 unicast
metric-style wide
segment-routing srv6
locator MAIN
!
!
!
interface Loopback0
passive
address-family ipv6 unicast
!
!
interface GigabitEthernet0/0/0/0
point-to-point
address-family ipv6 unicast
!
!
interface GigabitEthernet0/0/0/1
point-to-point
address-family ipv6 unicast
!
!
interface GigabitEthernet0/0/0/2
point-to-point
address-family ipv6 unicast
!
!
interface GigabitEthernet0/0/0/3
point-to-point
address-family ipv6 unicast
!
!
!
router bgp 64097
bgp router-id 97.0.0.2
address-family vpnv4 unicast
segment-routing srv6
locator MAIN
!
!
address-family link-state link-state
!
neighbor fcfe::4
remote-as 64097
update-source Loopback0
address-family vpnv4 unicast
!
address-family link-state link-state
!
!
!
segment-routing
srv6
locators
locator MAIN
prefix fc00:0:2::/64
!
!
!
!
Route Reflector:
XR-4# show run
pce
address ipv6 fcfe::4
!
interface Loopback0
ipv6 address fcfe::4/128
!
interface MgmtEth0/RP0/CPU0/0
ipv4 address 192.168.250.14 255.255.255.0
!
interface GigabitEthernet0/0/0/0
description to XR-3
ipv6 address 2001:db8:34::4/64
!
interface GigabitEthernet0/0/0/1
description to XR-2
ipv6 address 2001:db8:24::4/64
!
interface GigabitEthernet0/0/0/2
description to XR-5
ipv6 address 2001:db8:45::4/64
!
interface GigabitEthernet0/0/0/3
description to XR-6
ipv6 address 2001:db8:46::4/64
!
router static
address-family ipv4 unicast
0.0.0.0/0 192.168.250.1
!
!
router isis core
is-type level-2-only
net 49.0000.0000.0004.00
distribute link-state
address-family ipv6 unicast
metric-style wide
segment-routing srv6
locator MAIN
!
!
!
interface Loopback0
passive
address-family ipv6 unicast
!
!
interface GigabitEthernet0/0/0/0
point-to-point
address-family ipv6 unicast
!
!
interface GigabitEthernet0/0/0/1
point-to-point
address-family ipv6 unicast
!
!
interface GigabitEthernet0/0/0/2
point-to-point
address-family ipv6 unicast
!
!
interface GigabitEthernet0/0/0/3
point-to-point
address-family ipv6 unicast
!
!
!
router bgp 64097
bgp router-id 97.0.0.4
address-family vpnv4 unicast
segment-routing srv6
locator MAIN
!
!
address-family link-state link-state
!
neighbor-group SRv6-lab
remote-as 64097
update-source Loopback0
address-family vpnv4 unicast
route-reflector-client
!
address-family link-state link-state
!
!
neighbor fcfe::1
use neighbor-group SRv6-lab
!
neighbor fcfe::2
use neighbor-group SRv6-lab
!
neighbor fcfe::3
use neighbor-group SRv6-lab
!
neighbor fcfe::5
use neighbor-group SRv6-lab
!
neighbor fcfe::6
use neighbor-group SRv6-lab
!
neighbor fcfe::7
use neighbor-group SRv6-lab
!
!
segment-routing
traffic-eng
interface GigabitEthernet0/0/0/1
affinity
name red
!
!
affinity-map
name red bit-position 1
!
!
srv6
locators
locator MAIN
prefix fc00:0:4::/64
!
!
!
!
Regards,
Laurent Ost
06-03-2023 01:57 PM - edited 06-03-2023 04:50 PM
Hi @Laurent Ost ,
A few suggestions:
1. You do not need to run link-state address-family between the RR and all the PEs, as link state information is propagated via the IS-IS. This is what is causing the topology to have double the number of devices.
2. You should refine your locators to /48 on all devices.
srv6
locators
locator MAIN
prefix fc00:0:x::/48 (where x is the local value)
3. Make sure you use the latest XR version available (7.9.1 currently)
Regards,
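A check for the symptom discussed above (each IS-IS node appearing twice in the PCE topology, once per ASN), as an added example that is not part of the original thread. It parses text shaped like the `show pce ipv6 topology` output posted earlier; the sample input is constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, abridged to the shape of the output posted in this thread.
SAMPLE = """\
Node 7
  Host name: XR-7
  ISIS system ID: 0000.0000.0007 level-2 Area-id: 49 ASN: 0
  Link[0]: local address 2001:db8:57::7, remote address 2001:db8:57::5
    Remote node:
      Host name: XR-5
      ISIS system ID: 0000.0000.0005 level-2 Area-id: 49 ASN: 0
Node 13
  Host name: XR-6
  ISIS system ID: 0000.0000.0006 level-2 Area-id: 49 ASN: 64097
Node 14
  Host name: XR-7
  ISIS system ID: 0000.0000.0007 level-2 Area-id: 49 ASN: 64097
"""

NODE_RE = re.compile(r"^Node\s+(\d+)\s*$")
HOST_RE = re.compile(r"^Host name:\s*(\S+)")
ISIS_RE = re.compile(r"^ISIS system ID:\s*(\S+)\s+(level-\d)\s+Area-id:\s*\S+\s+ASN:\s*(\d+)")

def parse_nodes(text):
    """Return one record per 'Node N' block, using only its first identity lines."""
    nodes, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            cur = {"node": int(m.group(1)), "host": None,
                   "sysid": None, "level": None, "asn": None}
            nodes.append(cur)
            continue
        if cur is None or cur["sysid"] is not None:
            continue  # later Host name / system ID lines describe remote nodes
        m = HOST_RE.match(line)
        if m and cur["host"] is None:
            cur["host"] = m.group(1)
            continue
        m = ISIS_RE.match(line)
        if m:
            cur["sysid"], cur["level"], cur["asn"] = m.group(1), m.group(2), int(m.group(3))
    return nodes

def duplicate_nodes(nodes):
    """Map (system ID, level) -> sorted ASNs for identities present more than once."""
    seen = defaultdict(list)
    for n in nodes:
        if n["sysid"]:
            seen[(n["sysid"], n["level"])].append(n["asn"])
    return {k: sorted(set(v)) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (sysid, level), asns in duplicate_nodes(parse_nodes(SAMPLE)).items():
        print(f"{sysid} ({level}) appears more than once, ASNs: {asns}")
```
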
06-06-2023 05:06 AM
I implemented all suggestions but received the same log entry and output.
I tried to move the SRv6 Binding SID definition down to the policy. I also removed candidate-paths with the source-address.
segment-routing
traffic-eng
interface GigabitEthernet0/0/0/1
affinity
name red
!
!
srv6
locator MAIN binding-sid dynamic behavior ub6-insert-reduced
!
candidate-paths
all
source-address ipv6 fcfe::1
!
!
maximum-sid-depth 5
policy trusted_paths
source-address ipv6 fcfe::1
After:
segment-routing
traffic-eng
interface GigabitEthernet0/0/0/1
affinity
name red
!
!
maximum-sid-depth 5
policy trusted_paths
srv6
locator MAIN binding-sid dynamic behavior ub6-insert-reduced
!
source-address ipv6 fcfe::1
This made it work on both sides:
XR-1#show segment-routing traffic-eng policy color 50
Tue Jun 6 11:49:19.895 UTC
SR-TE policy database
---------------------
Color: 50, End-point: fcfe::7
Name: srte_c_50_ep_fcfe::7
Status:
Admin: up Operational: up for 04:41:15 (since Jun 6 07:08:04.631)
Candidate-paths:
Preference: 100 (configuration) (active)
Name: trusted_paths
Requested BSID: dynamic
PCC info:
Symbolic name: cfg_trusted_paths_discr_100
PLSP-ID: 2
Constraints:
Protection Type: protected-preferred
Affinity:
exclude-any:
red
Maximum SID Depth: 19
Dynamic (pce fcfe::4) (valid)
Metric Type: IGP, Path Accumulated Metric: 40
SID[0]: fc00:0:3::/48 Behavior: uN (PSP/USD) (48)
Format: f3216
LBL:32 LNL:16 FL:0 AL:80
SID[1]: fc00:0:4::/48 Behavior: uN (PSP/USD) (48)
Format: f3216
LBL:32 LNL:16 FL:0 AL:80
SID[2]: fc00:0:5::/48 Behavior: uN (PSP/USD) (48)
Format: f3216
LBL:32 LNL:16 FL:0 AL:80
SID[3]: fc00:0:7::/48 Behavior: uN (PSP/USD) (48)
Format: f3216
LBL:32 LNL:16 FL:0 AL:80
SRv6 Information:
Locator: MAIN
Binding SID requested: Dynamic
Binding SID behavior: uB6 (Insert.Red)
Attributes:
Binding SID: fc00:0:1:e003::
Forward Class: Not Configured
Steering labeled-services disabled: no
Steering BGP disabled: no
IPv6 caps enable: yes
Invalidation drop enabled: no
Max Install Standby Candidate Paths: 0
The traffic engineering works now as expected and it does not go through interfaces with affinity rules.
I have two additional questions:
1. You mentioned that the BGP LS family was not needed on the RR for the PE routers. Did you also mean it for the other P routers as it is a single domain topology? IS-IS would be sufficient for a single domain like in this case.
2. How does the PCE handle interface failures? I shut down a link on the P router next to the destination PE and the last SID in the segment list was just removed instead of being replaced with an alternative. This makes the routing decision based on best effort at the end. I took the maximum SID depth into account.
Thank you for your great help. I really appreciate it!
Regards,
Laurent Ost
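How an exclude-any affinity constraint prunes links before shortest-path computation, as an added example that is not part of the original thread and is a simplified model, not the IOS XR PCE algorithm. Assumptions: the link list is a partial topology rebuilt from the interface descriptions posted above, every link has IGP metric 10, only the two `red` interfaces shown in the posted configs are coloured, and the choice between equal-cost paths is arbitrary.

```python
import heapq

RED = 1 << 1  # affinity-map "name red bit-position 1" -> admin-group bit 0x2

# Partial topology taken from the interface descriptions in the thread (assumed complete here).
LINKS = [("XR1", "XR2"), ("XR1", "XR3"), ("XR2", "XR3"), ("XR2", "XR4"),
         ("XR2", "XR6"), ("XR3", "XR4"), ("XR4", "XR5"), ("XR4", "XR6"),
         ("XR5", "XR7"), ("XR6", "XR7")]

# Admin groups are per direction: (local node, remote node) -> bits on the local interface.
ADMIN_GROUPS = {("XR1", "XR2"): RED,   # XR1 Gi0/0/0/1
                ("XR4", "XR2"): RED}   # XR4 Gi0/0/0/1

def build_graph(links, admin_groups, metric=10):
    """Expand undirected links into directed edges carrying metric and admin-group bits."""
    graph = {}
    for a, b in links:
        for u, v in ((a, b), (b, a)):
            graph.setdefault(u, []).append((v, metric, admin_groups.get((u, v), 0)))
    return graph

def cspf(graph, src, dst, exclude_any=0):
    """Dijkstra that skips any edge sharing a bit with exclude_any.

    Returns (cost, path), or None when the constraint leaves no path,
    which is the case where a candidate path cannot become valid.
    """
    heap, done = [(0, [src])], set()
    while heap:
        cost, path = heapq.heappop(heap)
        node = path[-1]
        if node == dst:
            return cost, path
        if node in done:
            continue
        done.add(node)
        for nbr, metric, groups in graph.get(node, []):
            if groups & exclude_any or nbr in done:
                continue
            heapq.heappush(heap, (cost + metric, path + [nbr]))
    return None

def hops(path):
    """Directed (local, remote) pairs along a path."""
    return list(zip(path, path[1:]))

if __name__ == "__main__":
    g = build_graph(LINKS, ADMIN_GROUPS)
    print("unconstrained:  ", cspf(g, "XR1", "XR7"))
    print("exclude-any red:", cspf(g, "XR1", "XR7", exclude_any=RED))
```
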
06-25-2023 12:23 PM - edited 06-25-2023 12:23 PM
Hi @Laurent Ost ,
I am glad it is now working for you. Please see my comments for your specific questions.
1. Yes, there is no need to use BGP LS at all within a single domain. BGP LS is normally used when multiple domains are involved.
2. It is hard to comment without having a full view of your topology and configurations. The short answer is that the LSP should be reoptimized if a node goes down.
Regards,