
MPLS Segment Routing

This document provides a comprehensive guide on configuring Segment Routing MPLS (SR-MPLS) with OSPF on Cisco routers, emphasizing its advantages over traditional MPLS, such as scalability and improved control. It outlines a hands-on lab environment for users to learn basic routing configurations, including L3VPN and L2VPN services, using Cisco IOS XR. The document also details the operational verification of SR-MPLS, L3VPN, and L2VPN services, along with their respective configurations and benefits.

Uploaded by

itoverthemoon3

Intro to Segment Routing with OSPF

Organizations rely on MPLS to deliver mission-critical applications and services and provide Layer 3
segmentation and Fast Reroute. Segment Routing (SR) is the next-generation technology that
replaces MPLS, and here we look at configuring Segment Routing MPLS with OSPF on Cisco Routers.

Segment Routing MPLS or SR-MPLS makes the network more scalable and intelligent while improving
capacity utilization, lowering cost, and increasing user satisfaction. SR-MPLS leverages source routing by
providing a simple, stateless mechanism to program the path a packet takes through the network. It
is highly robust and delivers greater control and flexibility than ever before. This lab provides a
hands-on introduction to the basic steps for configuring Segment Routing with OSPF on Cisco routers
running IOS XR.

Using a Cisco XRv virtual router network, this lab will take you through the initial OSPF configuration
along with enabling SR-MPLS. You will deploy SR-MPLS in combination with Layer 3 and Layer 2 VPNs.
In addition, we will expose you to the benefits of Fast Reroute, known as TI-LFA or Topology
Independent Loop-Free Alternate.

The purpose of this lab is to provide a hands-on lab environment that will familiarize the user with
basic routing configuration and Segment Routing MPLS (SR-MPLS) running on Cisco routers. The lab
assumes the user has little or no knowledge of MPLS or L3VPNs and L2VPNs. The exercises in this lab
are designed to guide the user through the basic SR-MPLS over OSPF and BGP L3VPN and L2VPN
setup on Cisco XRv9000 virtual routers. The lab exercises are based on the basic SR-MPLS
configuration and commands available in Cisco IOS XR.

SR-MPLS simplifies service deployment by using the MPLS data plane and advertising Prefix labels
using standard extensions to the ISIS and OSPF routing protocols, thus eliminating the need for
Classical LDP. This lab will focus on SR-MPLS with OSPF, but the same principles apply to ISIS, which is
covered in an alternate lab.

This lab guide will walk the user through the basic configuration of OSPF and Segment Routing MPLS,
including L3VPN and L2VPN service provisioning. The lab demonstrates how the SR-MPLS concepts
are configured and deployed on Cisco IOS XR using IOS XRv9000 instances in vCloud. This
environment utilizes six IOS XRv9000 v7.1.1 routers.

This document is composed of the following chapters:

1. IP Addressing

2. OSPF

3. SR-MPLS

4. L3VPN Services

5. L2VPN Services

6. TI-LFA

In this lab, you will learn how to configure Segment Routing SR-MPLS over an OSPF IGP along with
L3VPN and L2VPN. The routers are preconfigured with IP addresses.

The Figure below displays the physical topology of the lab. It consists of a single OSPF area. There are
six virtual Cisco IOS XRv 9000 instances in this topology and three Ubuntu instances running in a
vApp on vCloud. The topology consists of the following nodes: R1, R2, R3, R4, R5, R6, H1, H4, and H5.

An interface numbering convention is used to simplify troubleshooting. The router interfaces and
Loopback0 IPv4 addresses are derived from the private IP block 172.16.0.0/16. The 4th octet in the
IPv4 address represents the node address corresponding to the router number. The 3rd octet of the
IPv4 interface address represents a concatenation of the two connected routers’ node numbers, e.g.,
the 3rd octet of the IPv4 address on the interface between nodes R1 and R2 is “12,” and the 4th octet
represents either R1 or R4; 172.16.12.1 and 172.16.12.2 respectively.

Each device in the Core has an IP assigned for Loopback0, 172.16.0.x. As can be seen in Figure 1, the
last octet in the IP maps to the node number. The entire topology diagram is available throughout
the lab.

Figure 1: Physical Topology including all interfaces and IP addresses used in the lab

- IP address connectivity and validation
- Enable and validate OSPF routing
- Enable Segment Routing SR-MPLS
- Validate SR-MPLS label forwarding
- Configure L3VPN with BGP
- Configure L2VPN VPWS
- Test IP Fast Reroute - TI-LFA

"Loopback" Interfaces and Addressing

The loopback interface IP addresses have already been assigned and are
listed in the table below.

Router Loopbacks

Loopback IP     Router Name
172.16.0.1      R1
172.16.0.2      R2
172.16.0.3      R3
172.16.0.4      R4
172.16.0.5      R5
172.16.0.6      R6

Router 1 OSPF Configuration Example

The remaining routers are configured in the same manner.

Confirm the configuration:

show run router ospf ron

show ospf interface brief

show ospf neighbor

show route ospf

SR-MPLS

MPLS is a mechanism that takes incoming IP packets, applies a label to them based on their
destination IP address, then forwards the packets through the network based on that label. Using
labels rather than the packet’s destination IP address provides more flexibility for how packets
traverse the network. MPLS enables VPNs for traffic (customer) segmentation, traffic steering, and
fast re-route path protection.

MPLS by itself is a powerful data forwarding technology and is widely used by service providers and
large enterprises. However, within the past few years, it has become even more powerful,
programmable and flexible with the introduction of Segment Routing.

Typically, each router has to look up the destination of each packet and forward the packets out the
assigned interface. Segment Routing instructs each packet on how to get to its destination, by
encoding the path when the packet enters the network. By combining Segment Routing with MPLS,
known as SR-MPLS, we have all the benefits of MPLS plus the ability to predetermine and program
each packet’s path, enabling unprecedented control of how traffic traverses the network.

SR-MPLS Configuration

We will enable SR-MPLS on all of the routers in our network, building upon the configuration from
the previous step. Using R1 as an example below, all the configuration lines in green were
completed in the last step, and the configuration lines in black will be added in this step.

Two key items you will see in the configuration below and as we traverse the lab, are Segment
Identifiers (SIDs) and Topology-Independent Loop-Free Alternate (TI-LFA). SIDs identify routers and
paths in the network and are used to guide packets to their destinations. TI-LFA is the IP Fast-Reroute
mechanism that will provide sub-50 ms path restoration if the primary path fails.

SR-MPLS Operational Verification

We specified each router’s Loopback0 interface in the routing protocol configuration to be the
router’s identifier. We also assigned a Segment Identifier (SID) to each Loopback0 interface for the
SR-MPLS configuration. The SID to IP address correlation is stored in the Segment Routing Label
Table. Segment Routing uses static Prefix SIDs or labels, unlike MPLS, which uses dynamic labels.
Static labels mean every router uses the same label value to identify its peers, making
troubleshooting much more straightforward.

Use the show ospf segment-routing label table command on all the routers and confirm each router has the
label information for the other routers.

With traditional MPLS, labels are dynamically generated and effectively random, so label values
change at every hop. In contrast, SR-MPLS has static label values or SIDs associated with each
router’s loopback address. This results in every router utilizing the same label to reach any particular
router. In our case, 16006 will be used at every hop from R1 to R6. Employing static SIDs using
SR-MPLS enables simplified traffic engineering and troubleshooting.

Based on the MPLS forwarding table, our packet’s local label 16006 is swapped with the outgoing
label 16006, then forwarded out interface Gi0/0/0/1 to R4 (172.16.24.4).

Below is R4's MPLS forwarding table. Looking at the row for label 16006, we see the next set of
instructions for our packet. Again, you might expect 16006 to be the outgoing label because R6 is our
destination, but this time it says "Pop." This is because R4 is the last router before we reach R6, our
destination router. This is referred to as penultimate hop popping.

In both traditional MPLS and SR-MPLS, the second-to-last router removes ("pops") the label from the
packet, then the packet is forwarded, unlabeled, to the destination router. But why? When an
MPLS-switched packet arrives at the packet’s destination router, MPLS forwarding ends, and layer 3 (IP)
routing takes over. Because the packet is not labeled, it will be routed via the OSPF routing table to
the packet’s destination IP address.

We save the destination router an extra processing step by popping instead of swapping the label at
the penultimate hop router. In our case, R4 will "pop" the label, making it a standard IP packet again,
then forward the packet out interface Gi0/0/0/2 to R6 (172.16.46.6).

Now, R6 receives the non-labeled packet and refers to the packet’s destination IP address and R6's
OSPF routing table for instruction. Remember that our final destination is R6's Loopback interface;
therefore, R6 does a look-up for 172.16.0.6. The router sees that 172.16.0.6 is a directly connected
interface and forwards it to that interface.
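
The walk-through above, generalized as an added Python example that is not part of the original lab guide: it derives each router's forwarding row for a prefix SID from the topology and applies penultimate hop popping. The SRGB base of 16000 with the SID index equal to the router number, unit link costs, and all function names are assumptions; only the R1-R2, R2-R4 and R4-R6 links named in the text are modelled.

```python
from collections import deque

SRGB_BASE = 16000  # IOS XR default SRGB start; SID index = router number (assumption)
# Only the three links the text names; unit link cost is an assumption.
LINKS = [("R1", "R2"), ("R2", "R4"), ("R4", "R6")]

def neighbors(node):
    return sorted({b for a, b in LINKS if a == node} |
                  {a for a, b in LINKS if b == node})

def prefix_sid(router):
    """Label for a router's Loopback0 prefix SID, identical on every router."""
    return SRGB_BASE + int(router[1:])

def next_hops(dest):
    """Breadth-first search from dest: each router's next hop toward dest."""
    hops, seen, queue = {}, {dest}, deque([dest])
    while queue:
        cur = queue.popleft()
        for n in neighbors(cur):
            if n not in seen:
                seen.add(n)
                hops[n] = cur
                queue.append(n)
    return hops

def build_lfib(dest):
    """Per-router row for dest's label: (local label, outgoing label, next hop).
    An outgoing label of None is the 'Pop' shown at the penultimate hop."""
    label = prefix_sid(dest)
    return {r: (label, None if nh == dest else label, nh)
            for r, nh in next_hops(dest).items()}

def trace(src, dest):
    """Return [(router, label sent on the wire, next hop)] from src to dest."""
    lfib, cur, path = build_lfib(dest), src, []
    while cur != dest:
        if cur not in lfib:
            raise LookupError(f"{cur}: no entry for label {prefix_sid(dest)}, packet dropped")
        _, out, nh = lfib[cur]
        path.append((cur, out, nh))
        cur = nh
    return path

if __name__ == "__main__":
    for router, out, nh in trace("R1", "R6"):
        print(f"{router}: send {'unlabeled' if out is None else out} to {nh}")
```

A router that has no row for the label, such as one with no modelled path to the destination, raises LookupError, which corresponds to the packet being dropped.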

L3VPN Services

There are two types of VPNs deployed in an MPLS transport network, Layer 3 VPNs (L3VPN) and
Layer 2 VPNs (L2VPN). L3VPNs require routing between the sites and interfaces within the VPN. The
transport and customer networks must share routing information with a routing protocol or use
static routes for reachability. L2VPNs create a switched environment between the sites and interfaces
within the VPN. As a result, the devices connected to the L2VPN appear as if all the devices are on
the same LAN.

Both have their place in the network and their advantages and disadvantages. L3VPNs were more
widely deployed in the past because they provide greater scalability. The downside is that they are
more complex to configure and maintain. When offered by Service Providers to customers, support
engineers with a higher skill level are needed.

On the other hand, L2VPNs are simple for transport network customers to deploy and implement
because they mimic a switch; essentially, the customer can "plug and play." For this reason, they
have gained tremendous popularity. The downside is that numerous, large L2VPNs on the transport
network can create scalability issues. Customers might be required to configure L2 redundancy
protocols like Spanning tree, which can lead to catastrophic implementation mistakes.

We will utilize the SR-MPLS network we built as the MPLS transport for L3VPN and L2VPN services.
The only difference between the SR-MPLS transport network and an MPLS LDP transport network is
the control plane and how the labels are distributed. From a L3VPN and L2VPN services perspective,
there is no difference between the LDP and SR control planes.

The same configuration is applied on R4 and R5.

L3VPN Operational Verification

Verify that you see the routers or neighbors that belong in our VPN. Using R1 as an example below,
we can verify with the show bgp vpnv4 unicast summary command that R4 and R5 are neighbors.

show bgp vpnv4 unicast summary

show ipv4 interface brief


L2VPN Services

L2VPNs are the most straightforward method for the customers of a transport network. They are
functionally very similar to an optical network circuit. Once a L2VPN is provisioned for a customer on
the transport network, the customer simply connects their devices on either end of the circuit, and
they will have connectivity.

There are two types of L2VPNs, Virtual Private Wire Service (VPWS) and Virtual Private LAN Services (VPLS).
VPWS, also known as Point-to-Point Service, provides a private point-to-point connection between
specific ports on each router. VPWS is used when the customer needs connectivity only between two
locations. VPLS is used when a customer needs connectivity between multiple locations on the same
LAN. VPLS services function as a large L2 switch; numerous sites connect devices and have L2
communications between them.

For this lab, we will focus on VPWS point-to-point services.

VPWS Components

L2VPNs, just like L3VPNs, utilize P and PE router roles but with one distinct difference. A L3VPN PE
interface (the port the customer connects to) will have an IP address. Since L2VPNs are switched and
not routed, an IP address is not provisioned on the PE interface. The other distinct difference for
VPWS is that VPWS is a Point-to-Point service and will consist of only two PEs, whereas L3VPN and
VPLS L2VPN services support multi-site connectivity.

The image below is the topology for our L2VPN-VPWS. Host 1 and Host 4 are on the same IP subnet
of 10.0.145.x, which will enable them to communicate once connected by the VPWS. Unlike the
L3VPN, no routing is required between the PE interface (G0/0/0/4) and the host. We only need to
add config to R1 and R4 because they are the PEs for our hosts. Our SR-MPLS transport network is
already configured and operational.

Pseudowire technology is what makes VPWS possible. A pseudowire emulates an Ethernet (L2)
connection between two ports on two separate routers across the MPLS network. Pseudowires are
identified by a unique user-selected pseudowire ID (pw-ID). By configuring the same pw-ID on each
router and associating that ID with a physical interface, in our case G0/0/0/4, we establish the point-
to-point Ethernet (L2) connection.

The VPWS point-to-point service utilizes a targeted LDP (Label Distribution Protocol) session. The
LDP session is used to advertise the L2VPN service label between routers. You can also use static
labels, but when you create an xconnect session, IOS XR enables LDP only on the targeted session.

The same configuration is applied on R4.

🔧 VXLAN EVPN Sample Topology (Cisco NX-OS)

                +-------------------+
                |      Spine-1      |
                |  Route Reflector  |
                +---------+---------+
                          |
          +---------------+---------------+
          |                               |
    +-----+-----+                   +-----+-----+
    |  Leaf-1   |                   |  Leaf-2   |
    |  VTEP-1   |                   |  VTEP-2   |
    +-----+-----+                   +-----+-----+
          |                               |
    +-----+-----+                   +-----+-----+
    |  Host-A   |                   |  Host-B   |
    +-----------+                   +-----------+
    192.10.1.10/24                  192.10.1.11/24

→ Both Leaf-1 and Leaf-2 have:

- Same Anycast Gateway IP: 192.10.1.1

- Same Anycast MAC: 0001.aaaa.bbbb

- Connected to Spine-1 via iBGP for EVPN (MP-BGP AFI/SAFI 25/70)

🔧 Sample Cisco NX-OS Config (Leaf-1 & Leaf-2 – almost identical)

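1. EVPN BGP Setup

nv overlay evpn                  ! enables the EVPN control plane
feature nv overlay
feature ospf
feature bgp
feature pim
feature vn-segment-vlan-based
feature interface-vlan
feature fabric forwarding        ! required for the anycast gateway in steps 4 and 5

router bgp 65001
  router-id 1.1.1.1              ! Change accordingly
  neighbor 2.2.2.2               ! Spine BGP RR
    remote-as 65001              ! iBGP, same AS as the leaf
    address-family l2vpn evpn
      send-community extended    ! route targets travel as extended communities
! "advertise l2vpn evpn" applies under a tenant VRF's address-family ipv4 unicast
! (L3VNI) and is not used for this L2-only VNI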
2. NVE Interface (VXLAN)

interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback1
  member vni 10101
    ingress-replication protocol bgp
    suppress-arp

3. Loopback for VTEP

interface loopback1
  ip address 10.1.1.1/32         ! VTEP IP

4. Anycast Gateway MAC

fabric forwarding anycast-gateway-mac 0001.aaaa.bbbb

5. VLAN + SVI + VNI Binding

vlan 10
  vn-segment 10101

interface Vlan10
  ip address 192.10.1.1/24
  no shutdown
  fabric forwarding mode anycast-gateway

6. BGP EVPN Advertisement

evpn
  vni 10101 l2
    rd auto
    route-target both auto
    advertise-mac-ip
