IOSXRv9000 SRv6 TE traffic steering is not working

goodcoffee · ‎09-14-2025

Hi,

I am playing with a sample topo from one Cisco Live presentation, basically 2 PEs : one advertises a colored VPNv4 prefixes and another has SRv6-TE policy to add SID to steer traffic to a FW, ipv6 connectivity in between:

Side 1

RP/0/RP0/CPU0:CGW#show bgp vpnv4 unicast vrf blue 8.8.8.0/24
Thu Jul 24 21:19:31.776 UTC
BGP routing table entry for 8.8.8.0/24, Route Distinguisher: 100:1
Versions:
  Process           bRIB/RIB   SendTblVer
  Speaker                 15           15
Last Modified: Jul 24 21:19:23.168 for 00:00:08
Paths: (1 available, best #1)
  Not advertised to any peer
  Path #1: Received by speaker 0
  Not advertised to any peer
  Local
    2001:0:9::3 from 2001:0:9::3 (10.10.10.103)
      Received Label 0xe0000
      Origin incomplete, metric 0, localpref 100, valid, internal, best, group-best, import-candidate, imported
      Received Path ID 0, Local Path ID 1, version 15
      Extended community: Color:10 RT:100:1 <----
      PSID-Type:L3, SubTLV Count:1
       SubTLV:
        T:1(Sid information), Sid:2001:0:9::(Transposed), Behavior:63, SS-TLV Count:1
         SubSubTLV:
          T:1(Sid structure):
      Source AFI: VPNv4 Unicast, Source VRF: blue, Source Route Distinguisher: 100:1

PSID-Type:L3, SubTLV Count:1
SubTLV:
T:1(Sid information), Sid:2001:0:9::(Transposed), Behavior:63, SS-TLV Count:1
SubSubTLV:
T:1(Sid structure):
Source AFI: VPNv4 Unicast, Source VRF: blue, Source Route Distinguisher: 100:1

RP/0/RP0/CPU0:CGW#show segment-routing srv6 sid
Thu Jul 24 21:06:31.622 UTC

*** Locator: 'cgw' ***

SID Behavior Context Owner State RW
-------------------------- ---------------- -------------------------------- ------------------ ----- --
2001:0:8:: uN (PSP/USD) 'default':8 sidmgr InUse Y
2001:0:8:e001:: uDT4 'blue' bgp-100 InUse Y
2001:0:8:e002:: uB6 (Insert.Red) 'srte_c_10_ep_2001:0:10::' (10, 2001:0:10::) xtc_srv6 InUse Y


RP/0/RP0/CPU0:CGW#show segment-routing traffic-eng policy color 10
Thu Jul 24 21:07:41.039 UTC

SR-TE policy database
---------------------

Color: 10, End-point: 2001:0:10::
  Name: srte_c_10_ep_2001:0:10::
  Status:
    Admin: up  Operational: up for 00:01:13 (since Jul 24 21:06:27.490)
  Candidate-paths:
    Preference: 100 (configuration) (active)
      Name: FW
      Requested BSID: dynamic
      Constraints:
        Protection Type: protected-preferred
        Maximum SID Depth: 13
      Explicit: segment-list FW1 (valid)
        Weight: 1, Metric Type: TE
          SID[0]: 2001:0:10::/48
                  Format: f3216
                  LBL:32 LNL:16 FL:0 AL:80
      SRv6 Information:
        Locator: cgw
        Binding SID requested: Dynamic
        Binding SID behavior: uB6 (Insert.Red)
  Attributes:
    Binding SID: 2001:0:8:e002::
    Forward Class: Not Configured
    Steering labeled-services disabled: no
    Steering BGP disabled: no
    IPv6 caps enable: yes
    Invalidation drop enabled: no
    Max Install Standby Candidate Paths: 0
    Path Type: SRV6

Traffic is passing but only using SRv6 SID 2001:0:9:: - this is just the BGP peer side 2 , no insertion happens

router bgp 100
 bgp router-id 10.10.10.100
 segment-routing srv6
  locator cgw
 !
 address-family vpnv4 unicast
  vrf all
   segment-routing srv6
    locator cgw
    alloc mode per-vrf
   !
  !
 !
 address-family ipv6 unicast
  aggregate-address 2001:0:8::/48 summary-only
  redistribute connected
 !
 neighbor 2002::
  remote-as 65100
  address-family ipv6 unicast
   route-policy PASS in
   route-policy PASS out
  !
 !
 neighbor 2001:0:9::3
  remote-as 100
  update-source Loopback0
  address-family vpnv4 unicast
  !
 !
 vrf blue
  rd 100:1
  address-family ipv4 unicast
   redistribute connected
  !
 !
!
segment-routing
 traffic-eng
  srv6
  !
  segment-lists
   srv6
    sid-format usid-f3216
   !
   segment-list FW1
    srv6
     index 10 sid 2001:0:10::
    !
   !
  !
  policy FW
   srv6
    locator cgw binding-sid dynamic behavior ub6-insert-reduced
   !
   color 10 end-point ipv6 2001:0:10::
   candidate-paths
    preference 100
     explicit segment-list FW1
     !
    !
   !
  !
 !
 srv6
  locators
   locator cgw
    micro-segment behavior unode psp-usd
    prefix 2001:0:8::/48
   !
  !
 !
!

Maybe I am missing something in the config? Seems like it should be steered automatically with the above

upd. I forgot to add one output :

RP/0/RP0/CPU0:CGW#show cef vrf blue 8.8.8.0/24
    Fri Jul 25 07:48:02.008 UTC
    8.8.8.0/24, version 5, SRv6 Headend, internal 0x5000001 0x30 (ptr 0xe6820a8) [1], 0x400 (0xe80b718), 0x0 (0xf971170)
     Updated Jul 25 07:47:22.559
     Prefix Len 24, traffic index 0, precedence n/a, priority 3
      gateway array (0xfdd0198) reference count 1, flags 0x10, source rib (7), 0 backups
                    [2 type 3 flags 0x8441 (0xe743828) ext 0x0 (0x0)]
      LW-LDI[type=3, refc=1, ptr=0xe80b718, sh-ldi=0xe743828]
      gateway array update type-time 1 Jul 25 07:47:22.559
     LDI Update time Jul 25 07:47:22.563
     LW-LDI-TS Jul 25 07:47:22.563

      Level 1 - Load distribution: 0
      [0] via 2001:0:8:e002::/128, recursive

       via local-srv6-sid 2001:0:8:e002::, 3 dependencies, recursive [flags 0x6000]
        path-idx 0 NHID 0x0 [0xe42cb00 0x0]
        recursion-via-/64
        next hop VRF - 'default', table - 0xe0800000
        next hop 2001:0:8:e002:: via 2001:0:8:e002::/64 <---- 
        SRv6 H.Encaps.Red SID-list {2001:0:9:e000::} <---- ? is this ok
          SRv6  SID-list {}

        Load distribution: 0 (refcount 2)

        Hash  OK  Interface                 Address
        0     Y   GigabitEthernet0/0/0/0    remote

I assume I need to inject 2001:0:10:: via static config , this prefix /48 is coming via BGP , might be the policy can't resolve it and skips it

Harold Ritter · ‎09-15-2025

Hi @goodcoffee ,

> Traffic is passing but only using SRv6 SID 2001:0:9:: - this is just the BGP peer side 2 , no insertion happens

How did you check that? Using tcpdump or wireshark?

The show cef vrf blue 8.8.8.0/24 output looks good.

2001:0:8:e002::/64 is the binding SID for the SR policy and 2001:0:9:e000:: is the End.DT4 SID for the VRF prefix. So the outcome is that the outgoing packets should include both 2001:0:9:e000:: and 2001:0:10::.

> I assume I need to inject 2001:0:10:: via static config , this prefix /48 is coming via BGP , might be the policy can't resolve it and > skips it

2001:0:10:: should definitely be reachable in your topology.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

goodcoffee · ‎09-15-2025

Hi @Harold Ritter ,
thanks for your response
>>How did you check that? Using tcpdump or wireshark?

wireshark, I can capture in a linux bridge in between nodes in the topology (see example below as well)

>> 2001:0:10:: should definitely be reachable in your topology

it was, my point is - it needs also a SID attached

The whole problem here : I need to steer on a device which can process SRv6 but is not peering with Head and Tail end, there is no IGP, so only BGP fabric. So doing some trick with announcement from Tail I can see now that the policy works:

RP/0/RP0/CPU0:CGW#show cef vrf blue 8.8.8.0/24 detail
Fri Jul 25 13:12:14.267 UTC
8.8.8.0/24, version 37, SRv6 Headend, internal 0x5000001 0x30 (ptr 0xe6820a8) [1], 0x400 (0xe80b718), 0x0 (0xf971170)
Updated Jul 25 13:01:53.706
Prefix Len 24, traffic index 0, precedence n/a, priority 3
gateway array (0xfdd0198) reference count 1, flags 0x10, source rib (7), 0 backups
[2 type 3 flags 0x441 (0xe743828) ext 0x0 (0x0)]
LW-LDI[type=3, refc=1, ptr=0xe80b718, sh-ldi=0xe743828]
gateway array update type-time 1 Jul 25 13:01:53.707
LDI Update time Jul 25 13:06:25.073
LW-LDI-TS Jul 25 13:06:25.074

Level 1 - Load distribution: 0
[0] via 2001:0:8:e001::/128, recursive

via local-srv6-sid 2001:0:8:e001::, 3 dependencies, recursive [flags 0x6000]
path-idx 0 NHID 0x0 [0xe42c7a0 0x0]
recursion-via-/64
next hop VRF - 'default', table - 0xe0800000
next hop 2001:0:8:e001:: via 2001:0:8:e001::/64
SRv6 H.Encaps.Red SID-list {2001:0:9:e000::}
SRv6 H.Insert.Red SID-list {2001:0:10:e001::} <----

Load distribution: 0 (refcount 2)

Hash OK Interface Address
0 Y GigabitEthernet0/0/0/0 remote

Is there a way to configure kind of "static"/injected SID in the Head end ? So we have somewhere downstream SID 2001:0:10::

In docs I see we can do static SIDs, but that's for addresses of this router

Harold Ritter · ‎09-15-2025

Hi @goodcoffee ,

I am not sure why 2001:0:10:e001:: is being inserted in place of 2001:0:10:: as being seen in the SRv6 policy. That might have to do with the tricks you used on the tail end.

> Is there a way to configure kind of "static"/injected SID in the Head end ?

I am not aware of any such command.

Can you please let us know what is the CiscoLive presentation you are referring to?

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Stefan Mihajlov · ‎09-15-2025

@goodcoffee

This is a resolution issue, not your color/steering. Your SRv6 policy is up and you have a uB6 binding SID, but the segment-list SID 2001:0:10::/48 is being learned via BGP, so XTC can’t resolve it in the IGP/locator space and the headend falls back to the regular path (you see CEF installing only the peer-side SID 2001:0:9:e000:: and no real insertion). Advertise 2001:0:10::/48 in the default VRF IGP (ISIS/OSPF) or add a static so the endpoint is resolvable as an SRv6 locator prefix; then the policy will program the SID-list and you’ll see CEF with the uB6 H.Encaps.Red list that includes 2001:0:10::… instead of just 2001:0:9:e000::. In short: make the policy endpoint prefix routable in IGP (not only BGP), keep uSID format aligned (f3216), and the steering will kick in.

–––
Best regards,
Stefan Mihajlov

Mark this post as Helpful if it helped you, and Accept as Solution if it resolved your question.

goodcoffee · ‎09-15-2025

@Harold Ritter
https://www.segment-routing.net/conferences/20250213-cleur-nebius-srv6-usid-dc-frontend-to-peering/

the interesting part is FW

>> I am not sure why 2001:0:10:e001:: is being inserted in place of 2001:0:10:: as being seen in the SRv6 policy.
from the presentation point of view the stack of sids is expected

@Stefan Mihajlov

there is no IGP, let's suppose it's a DC - just BGP, in the previous post I made it work via BGP

Harold Ritter · ‎09-15-2025

Hi @goodcoffee ,

Thanks for the preso. It certainly helps providing an answer.

> from the presentation point of view the stack of sids is expected

What the presentation uses for the SID-list is the adjacency SID for the interface to the FW. This is what you should use too in your testing.

This setup will not work if you do not use ISIS between the router and the FW.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

goodcoffee · ‎09-16-2025

@Harold Ritter thanks, if we assume that 2001:0:10:: is an Adj SID somewhere in the network (or we just replace it like in the preso), the packet I sent is correct?

Harold Ritter · ‎09-16-2025

Hi @goodcoffee ,

The adjacency SID need to be advertised by the tail end router and it needs to be the adjacency SID pointing to the FW. The packet we see in the wireshark has two different SRv6 locators (1 for the adj SID and one for the End.DT4). It is possible for a device to use two locators, but you should normally only use one.

In short the destination address should look something like this
2001:0:9:e001:9:e000:: (the first one being the Adj SID and the second one the End.DT4 both owned by the tail end)

Regards,
Harold Ritter, CCIE #4168 (EI, SP)