Cisco IOS XE High Availability Configuration Guide, Release 2
NSF/SSO - MPLS VPN


NSF/SSO—MPLS VPN


First Published: August 11, 2004
Last Updated: March 2, 2009

The NSF/SSO—MPLS VPN feature allows a provider edge (PE) router (with redundant Route Processors) to preserve data forwarding information in a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) when the primary Route Processor (RP) restarts. This feature module describes how to enable Nonstop Forwarding in basic MPLS VPN networks.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for NSF/SSO—MPLS VPN" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for NSF/SSO—MPLS VPN

Restrictions for NSF/SSO—MPLS VPN

Information About NSF/SSO—MPLS VPN

How to Configure NSF/SSO—MPLS VPN

Configuration Examples for NSF/SSO—MPLS VPN

Additional References

Feature Information for NSF/SSO—MPLS VPN

Prerequisites for NSF/SSO—MPLS VPN

The NSF/SSO—MPLS VPN feature has the following prerequisites.

Before enabling Stateful Switchover (SSO), you must enable MPLS Label Distribution Protocol (LDP) Graceful Restart if you use LDP in the core. See the NSF/SSO-MPLS LDP and MPLS LDP Graceful Restart feature module for more information.

You must enable NSF on the routing protocols running between the provider (P) routers, PE routers, and customer edge (CE) routers. The routing protocols are:

Border Gateway Protocol (BGP)

Open Shortest Path First (OSPF)

Intermediate System-to-Intermediate System (IS-IS)

Cisco nonstop forwarding support must be configured on the routers for Cisco Express Forwarding. See the Cisco Nonstop Forwarding feature module for more information.

Before enabling the NSF/SSO—MPLS VPN feature, you must have a supported MPLS VPN network configuration. Configuration information is included in the "Part 4: MPLS Virtual Private Networks" module in the Cisco IOS XE Multiprotocol Label Switching Configuration Guide.

Restrictions for NSF/SSO—MPLS VPN

The NSF/SSO—MPLS VPN feature has the following restrictions:

Tag Distribution Protocol (TDP) sessions are not supported. Only LDP sessions are supported.

The NSF/SSO—MPLS VPN feature requires that neighbor networking devices be NSF-aware. Peer routers must support the graceful restart of the protocol used to communicate with the NSF/SSO—MPLS VPN-capable router.

The NSF/SSO—MPLS VPN feature cannot be configured on label-controlled ATM (LC-ATM) interfaces.

Information About NSF/SSO—MPLS VPN

To configure NSF/SSO—MPLS VPN, you need to understand the following concepts:

Elements That Enable NSF/SSO—MPLS VPN to Work

How VPN Prefix Information Is Checkpointed to the Backup Route Processor

How BGP Graceful Restart Preserves Prefix Information During a Restart

What Happens If a Router Does Not Have NSF/SSO—MPLS VPN Enabled

Elements That Enable NSF/SSO—MPLS VPN to Work

VPN NSF requires several elements to work:

VPN NSF uses the BGP Graceful Restart mechanisms defined in the Graceful Restart Internet Engineering Task Force (IETF) specifications and in the "Cisco Nonstop Forwarding" module. BGP Graceful Restart allows a router to create MPLS forwarding entries for VPNv4 prefixes in NSF mode. The forwarding entries are preserved during a restart. BGP also saves prefix and corresponding label information and recovers the information after a restart.

The NSF/SSO—MPLS VPN feature also uses NSF for the label distribution protocol in the core network (either MPLS Label Distribution Protocol, traffic engineering, or static labeling).

The NSF/SSO—MPLS VPN feature uses NSF for the Interior Gateway Protocol (IGP) used in the core (OSPF or IS-IS).

The NSF/SSO—MPLS VPN feature uses NSF for the routing protocols between the PE and customer CE routers.

How VPN Prefix Information Is Checkpointed to the Backup Route Processor

When BGP allocates local labels for prefixes, it checkpoints the local label binding in the backup Route Processor. The checkpointing function copies state information from the active Route Processor to the backup Route Processor, thereby ensuring that the backup Route Processor has an identical copy of the latest information. If the active Route Processor fails, the backup Route Processor can take over with no interruption in service. Checkpointing begins when the active Route Processor does a bulk synchronization, which copies all of the local label bindings to the backup Route Processor. After that, the active Route Processor dynamically checkpoints individual prefix label bindings when a label is allocated or freed. This allows forwarding of labeled packets to continue before BGP reconverges.

How BGP Graceful Restart Preserves Prefix Information During a Restart

When a router that is capable of BGP Graceful Restart loses connectivity, the following happens to the restarting router:

1. The router establishes BGP sessions with other routers and relearns the BGP routes from other routers that are also capable of Graceful Restart. The restarting router waits to receive updates from the neighboring routers. When the neighboring routers send end-of-Routing Information Base (RIB) markers to indicate that they are done sending updates, the restarting router starts sending its own updates.

2. The restarting router accesses the checkpoint database to find the label that was assigned for each prefix. If it finds the label, it advertises it to the neighboring router. If it does not find the label, it allocates a new label and advertises it.

3. The restarting router removes any stale prefixes after a timer for stale entries expires.

When a peer router that is capable of BGP Graceful Restart encounters a restarting router, it does the following:

1. The peer router sends all of the routing updates to the restarting router. When it has finished sending updates, the peer router sends an end-of-RIB marker to the restarting router.

2. The peer router does not immediately remove the BGP routes learned from the restarting router from its BGP routing table. As it learns the prefixes from the restarting router, the peer refreshes the stale routes if the new prefix and label information matches the old information.
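The restart sequence described above, modeled as an added Python example (not Cisco code): the restarting router reuses checkpointed labels, and the peer refreshes or ages out stale routes. The prefixes, labels and function names are constructed for illustration, and replacing a stale entry whose label changed is an assumption of this model.

```python
import itertools

def restart_advertisements(checkpoint, relearned, label_pool):
    """Restarting router: reuse the checkpointed label for a prefix,
    or allocate a new label when the checkpoint has no entry."""
    adverts = {}
    for prefix in relearned:
        label = checkpoint.get(prefix)
        adverts[prefix] = label if label is not None else next(label_pool)
    return adverts

def peer_view(routes_before, adverts):
    """Peer router: routes learned from the restarting router are kept as
    stale, refreshed when re-advertised, and removed at stale-timer expiry."""
    stale = dict(routes_before)          # all routes become stale at restart
    table, events = {}, []
    for prefix, label in adverts.items():
        old = stale.pop(prefix, None)
        if old == label:
            events.append((prefix, "refreshed"))
        elif old is None:
            events.append((prefix, "new route"))
        else:
            # Assumption of this model: a changed label replaces the stale entry.
            events.append((prefix, f"label {old} -> {label}"))
        table[prefix] = label
    for prefix in stale:                 # stalepath timer has expired
        events.append((prefix, "removed as stale"))
    return table, events

def demo():
    # Constructed data: labels the active RP allocated before the switchover.
    peer_routes = {"10.3.0.0/16": 25, "10.0.0.9/32": 24, "10.0.0.11/32": 26}
    # Backup RP checkpoint; 10.0.0.9/32 was never synchronized (constructed gap).
    checkpoint = {"10.3.0.0/16": 25, "10.0.0.11/32": 26}
    # Prefixes the restarting router relearns; 10.0.0.11/32 is gone.
    relearned = ["10.3.0.0/16", "10.0.0.9/32"]
    adverts = restart_advertisements(checkpoint, relearned, itertools.count(30))
    table, events = peer_view(peer_routes, adverts)
    return adverts, table, events

if __name__ == "__main__":
    adverts, table, events = demo()
    for prefix, what in events:
        print(f"{prefix:15} {what}")
```

Only the prefix whose label survived in the checkpoint keeps forwarding on the same label; the other two show why a complete bulk synchronization matters before a switchover.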

What Happens If a Router Does Not Have NSF/SSO—MPLS VPN Enabled

If a router is not configured for the NSF/SSO—MPLS VPN feature and it attempts to establish a BGP session with a router that is configured with the NSF/SSO—MPLS VPN feature, the two routers create a normal BGP session but do not have the ability to perform the NSF/SSO—MPLS VPN feature.

How to Configure NSF/SSO—MPLS VPN

This section contains the following procedures:

Configuring NSF Support for Basic VPNs (required)

Verifying the NSF/SSO—MPLS VPN Configuration (required)

Configuring NSF Support for Basic VPNs

Perform this task to configure NSF support for basic VPNs.

Prerequisites

Route Processors must be configured for SSO. See the Stateful Switchover feature module for more information.

If you use LDP in the core or in the virtual routing and forwarding (VRF) instances for MPLS VPN Carrier Supporting Carrier configurations, you must enable the MPLS LDP: NSF/SSO Support and Graceful Restart feature. See the NSF/SSO-MPLS LDP and MPLS LDP Graceful Restart feature module for more information.

You must enable Nonstop Forwarding on the routing protocols running between the P, PE, and CE routers. The routing protocols are OSPF, IS-IS, and BGP. See the Cisco Nonstop Forwarding feature module for more information.

Before enabling the NSF/SSO—MPLS VPN feature, you must have a supported MPLS VPN network configuration. Configuration information is included in the "Part 4: MPLS Virtual Private Networks" module in the Cisco IOS XE Multiprotocol Label Switching Configuration Guide.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip cef [distributed]

4. router bgp as-number

5. bgp graceful-restart restart-time secs

6. bgp graceful-restart stalepath-time secs

7. bgp graceful-restart

8. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip cef [distributed]

Example:

Router(config)# ip cef distributed

Enables Cisco Express Forwarding.

Use this command if Cisco Express Forwarding is not enabled by default on the router.

Step 4 

router bgp as-number

Example:

Router(config)# router bgp 1

Configures a BGP routing process and enters router configuration mode.

The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along.

Valid numbers are from 0 to 65535. Private autonomous system numbers that can be used in internal networks range from 64512 to 65535.

Step 5 

bgp graceful-restart restart-time secs

Example:

Router(config-router)# bgp graceful-restart restart-time 200

(Optional) Specifies the maximum time to wait for a graceful-restart-capable neighbor to come back up after a restart.

The default is 120 seconds. The valid range is from 1 to 3600 seconds.

Step 6 

bgp graceful-restart stalepath-time secs

Example:

Router(config-router)# bgp graceful-restart stalepath-time 400

(Optional) Specifies the maximum time to hold on to the stale paths of a gracefully restarted peer.

All stale paths are deleted after the expiration of this timer.

The default is 360 seconds. The valid range is from 1 to 3600 seconds.

Step 7 

bgp graceful-restart

Example:

Router(config-router)# bgp graceful-restart

Enables BGP Graceful Restart on the router.

Step 8 

end

Example:

Router(config-router)# end

(Optional) Exits to privileged EXEC mode.


Verifying the NSF/SSO—MPLS VPN Configuration

This section explains how to verify a configuration that has the NSF/SSO—MPLS VPN feature.

See the "Cisco Nonstop Forwarding" module for verification procedures for BGP, OSPF, and IS-IS.

See the NSF/SSO-MPLS LDP and MPLS LDP Graceful Restart feature module for verification procedures for the MPLS LDP: NSF/SSO feature.

See the verification information included in the "Part 4: MPLS Virtual Private Networks" module in the Cisco IOS XE Multiprotocol Label Switching Configuration Guide.

SUMMARY STEPS

1. show ip bgp vpnv4 all labels

2. show ip bgp vpnv4 all neighbors

3. show ip bgp labels

4. show ip bgp neighbors

DETAILED STEPS


Step 1 show ip bgp vpnv4 all labels

This command displays incoming and outgoing BGP labels for each route distinguisher. The following is sample output from the command:

Router# show ip bgp vpnv4 all labels 

Network          Next Hop      In label/Out label
Route Distinguisher: 100:1 (vpn1)
   10.3.0.0/16      10.0.0.5        25/20
                    10.0.0.1        25/23
                    10.0.0.2        25/imp-null
   10.0.0.9/32      10.0.0.1        24/22
                    10.0.0.2        24/imp-null

Step 2 show ip bgp vpnv4 all neighbors

This command displays whether the BGP peers are capable of Graceful Restart. The following is sample output from the command:

Router# show ip bgp vpnv4 all neighbors

BGP neighbor is 10.0.0.1,  remote AS 100, internal link
  BGP version 4, remote router ID 10.0.0.1
  BGP state = Established, up for 02:49:47
  Last read 00:00:47, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family VPNv4 Unicast: advertised and received
    Graceful Restart Capabilty: advertised and received
      Remote Restart timer is 120 seconds
      Address families preserved by peer:
        VPNv4 Unicast
.
.
.

Step 3 show ip bgp labels

This command displays information about MPLS labels in the Exterior Border Gateway Protocol (EBGP) route table. The following is sample output from the command:


Router# show ip bgp labels

   Network          Next Hop      In label/Out label
   10.3.0.0/16      10.0.0.1        imp-null/imp-null
                    0.0.0.0         imp-null/nolabel
   10.0.0.9/32      10.0.0.1        21/29
   10.0.0.11/32     10.0.0.1        24/38
   10.0.0.13/32     0.0.0.0         imp-null/nolabel
   10.0.0.15/32     10.0.0.1        29/nolabel
                    10.0.0.1        29/21

Step 4 show ip bgp neighbors

This command displays whether the BGP peers are capable of Graceful Restart. The following is sample output from the command:

Router# show ip bgp neighbors

BGP neighbor is 10.0.0.1,  remote AS 100, external link
  BGP version 4, remote router ID 10.0.0.5
  BGP state = Established, up for 02:54:19
  Last read 00:00:18, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
    ipv4 MPLS Label capability: advertised and received
    Graceful Restart Capabilty: advertised and received
      Remote Restart timer is 120 seconds
      Address families preserved by peer:
        IPv4 Unicast
.
.
.
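An added example (not part of the Cisco guide) that parses the neighbor output shown in Steps 2 and 4 and flags peers that have not negotiated Graceful Restart or do not preserve the required address family. The second neighbor in the sample (10.0.0.3) and the function names are constructed for illustration.

```python
import re

# Constructed input: the first neighbor follows the sample output above; the
# second (10.0.0.3) is a hypothetical peer that is not NSF-aware.
SAMPLE = """\
BGP neighbor is 10.0.0.1,  remote AS 100, internal link
  BGP state = Established, up for 02:49:47
  Neighbor capabilities:
    Address family VPNv4 Unicast: advertised and received
    Graceful Restart Capabilty: advertised and received
      Remote Restart timer is 120 seconds
      Address families preserved by peer:
        VPNv4 Unicast
BGP neighbor is 10.0.0.3,  remote AS 100, internal link
  BGP state = Established, up for 00:10:02
  Neighbor capabilities:
    Address family VPNv4 Unicast: advertised and received
    Graceful Restart Capabilty: advertised
"""

NEIGHBOR = re.compile(r"^BGP neighbor is ([^,\s]+),")
# Matches the spelling "Capabilty" used in the output as well as "Capability".
GR_LINE = re.compile(r"^\s*Graceful Restart Capabil\w*:\s*(.+?)\s*$")
TIMER = re.compile(r"Remote Restart timer is (\d+) seconds")

def indent(line):
    return len(line) - len(line.lstrip())

def parse_neighbors(text):
    """Return {neighbor address: Graceful Restart details} from the output."""
    neighbors, cur, fam_indent = {}, None, None
    for line in text.splitlines():
        m = NEIGHBOR.match(line)
        if m:
            cur = neighbors.setdefault(
                m.group(1), {"gr": None, "restart_timer": None, "preserved": []})
            fam_indent = None
        elif cur is None or not line.strip():
            continue
        elif (m := GR_LINE.match(line)):
            cur["gr"], fam_indent = m.group(1), None
        elif (m := TIMER.search(line)):
            cur["restart_timer"] = int(m.group(1))
        elif "Address families preserved by peer" in line:
            fam_indent = indent(line)
        elif fam_indent is not None and indent(line) > fam_indent:
            cur["preserved"].append(line.strip())   # one family per line
        else:
            fam_indent = None
    return neighbors

def gr_findings(neighbors, family):
    """List peers that would not keep forwarding state for the given family."""
    findings = []
    for addr, n in neighbors.items():
        if n["gr"] != "advertised and received":
            findings.append((addr, "Graceful Restart not negotiated"))
        elif family not in n["preserved"]:
            findings.append((addr, f"{family} not preserved by peer"))
    return findings

if __name__ == "__main__":
    for addr, problem in gr_findings(parse_neighbors(SAMPLE), "VPNv4 Unicast"):
        print(addr, problem)
```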

Configuration Examples for NSF/SSO—MPLS VPN

The following configuration example shows a basic MPLS VPN configuration.

NSF/SSO—MPLS VPN for a Basic MPLS VPN: Example

In this example, the NSF/SSO—MPLS VPN feature is enabled on the existing MPLS VPN configuration.

Enabling SSO

The following commands are used to enable SSO:

redundancy

mode sso

Enabling NSF

The following commands are used to enable NSF for the routing protocols, such as BGP and OSPF, and for the label distribution protocols, such as BGP and LDP:

bgp graceful-restart restart-time

bgp graceful-restart stalepath-time

bgp graceful-restart

nsf enforce global


Note In the configuration example, the NSF/SSO commands are bold-faced and any platform-specific commands are highlighted by arrows.


Figure 1 shows the configuration of the NSF/SSO—MPLS VPN feature on the PE and CE routers.

Router PE1 represents a Cisco ASR 1000 Series Router.

Figure 1 MPLS VPN Configuration with MPLS VPN: NSF/SSO


Note LDP is the default MPLS label protocol.


The following configuration examples show the configuration of the NSF/SSO—MPLS VPN feature on the CE and PE routers.

CE1 Router

ip cef
no ip domain-lookup
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface GigabitEthernet1/0/4
 ip address 10.0.0.1 255.0.0.0
 media-type 10BaseT
!
router ospf 100
 redistribute bgp 101
 nsf enforce global
 passive-interface GigabitEthernet1/0/4
 network 10.0.0.0 0.255.255.255 area 100
!
router bgp 101
 no synchronization
 bgp graceful-restart restart-time 120 
 bgp graceful-restart stalepath-time 360 
 bgp graceful-restart
 network 10.0.0.0
 neighbor 10.0.0.2 remote-as 100

PE1 Router

redundancy 
mode sso 
!
ip cef distributed
mpls ldp graceful-restart 
mpls label protocol ldp

ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
no mpls aggregate-statistics
!
interface Loopback0
 ip address 10.12.12.12 255.255.255.255
!
interface GigabitEthernet1/0/4
 ip vrf forwarding vpn1
 ip address 10.0.0.2 255.0.0.0
 !
 mpls ip

interface ATM3/0/0
 no ip address
!
interface ATM3/0/0.1 point-to-point
 ip unnumbered Loopback0
 mpls ip
!
router ospf 100
 passive-interface GigabitEthernet1/0/4
 nsf enforce global
 network 10.0.0.0 0.255.255.255 area 100
!
router bgp 100
 no synchronization
 bgp graceful-restart restart-time 120 
 bgp graceful-restart stalepath-time 360 
 bgp graceful-restart 

 no bgp default ipv4-unicast
 neighbor 10.14.14.14 remote-as 100
 neighbor 10.14.14.14 update-source Loopback0
!
 address-family ipv4 vrf vpn1
 neighbor 10.0.0.1 remote-as 101
 neighbor 10.0.0.1 activate
 exit-address-family
!
 address-family vpnv4
 neighbor 10.14.14.14 activate
 neighbor 10.14.14.14 send-community extended
 exit-address-family

PE2 Router

redundancy 
mode sso 
!
ip cef distributed
mpls ldp graceful-restart 
mpls label protocol ldp
!
ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
no mpls aggregate-statistics
!
!
interface Loopback0
 ip address 10.14.14.14 255.255.255.255
!
interface ATM1/0
 no ip address
!
interface ATM1/0.1 point-to-point
 ip unnumbered Loopback0
 mpls ip
!
interface FastEthernet3/0/0
 ip vrf forwarding vpn1
 ip address 10.0.0.1 255.0.0.0
 ip route-cache distributed
!
router ospf 100
 nsf enforce global
 passive-interface FastEthernet3/0/0
 network 10.0.0.0 0.255.255.255 area 100
!
router bgp 100
 no synchronization
 bgp graceful-restart restart-time 120 
 bgp graceful-restart stalepath-time 360 
 bgp graceful-restart 
 no bgp default ipv4-unicast
 neighbor 10.12.12.12 remote-as 100
 neighbor 10.12.12.12 update-source Loopback0
!
 address-family ipv4 vrf vpn1
 neighbor 10.0.0.2 remote-as 102
 neighbor 10.0.0.2 activate
 exit-address-family
!
 address-family vpnv4
 neighbor 10.12.12.12 activate
 neighbor 10.12.12.12 send-community extended
 exit-address-family

CE2 Router

ip cef
!
interface Loopback0
 ip address 10.13.13.13 255.255.255.255
!
interface FastEthernet0/1
 ip address 10.0.0.2 255.0.0.0
 no ip mroute-cache
!
router ospf 100
 redistribute bgp 102
 nsf enforce global 
 passive-interface FastEthernet0/1
 network 10.0.0.0 0.255.255.255 area 100
!
router bgp 102
 no synchronization
 bgp graceful-restart restart-time 120 
 bgp graceful-restart stalepath-time 360 
 bgp graceful-restart
 network 10.0.0.0
 neighbor 10.0.0.1 remote-as 100
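
An added example (not part of the Cisco guide) that audits a PE configuration for the NSF/SSO commands used in the listings above. The two configurations are constructed from the PE1 listing, child lines are assumed to be indented as in a running configuration, and treating "mpls ip" on an interface as a sign that LDP is in use is a heuristic of this sketch.

```python
def sections(config):
    """Group an IOS-style config into {top-level line: [indented child lines]}."""
    out, kids = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        text = " ".join(raw.split())
        if raw[0].isspace():
            if kids is not None:
                kids.append(text)
        else:
            kids = out.setdefault(text, [])
    return out

def audit_nsf_sso(config):
    """Return the NSF/SSO elements that are missing from the configuration."""
    sec, gaps = sections(config), []
    if "mode sso" not in sec.get("redundancy", []):
        gaps.append("redundancy: mode sso")
    # Heuristic (assumption): "mpls ip" on an interface means LDP is in use,
    # since LDP is the default MPLS label protocol.
    uses_ldp = any("mpls ip" in kids for kids in sec.values())
    if uses_ldp and "mpls ldp graceful-restart" not in sec:
        gaps.append("mpls ldp graceful-restart")
    for name, kids in sec.items():
        # The two timer commands are optional; only the bare command enables
        # BGP Graceful Restart, so an exact match is required here.
        if name.startswith("router bgp ") and "bgp graceful-restart" not in kids:
            gaps.append(f"{name}: bgp graceful-restart")
        if name.startswith("router ospf ") and not any(k.startswith("nsf") for k in kids):
            gaps.append(f"{name}: nsf")
    return gaps

# Constructed sample, trimmed from the PE1 listing above.
GOOD = """\
redundancy
 mode sso
!
ip cef distributed
mpls ldp graceful-restart
mpls label protocol ldp
!
interface ATM3/0/0.1 point-to-point
 ip unnumbered Loopback0
 mpls ip
!
router ospf 100
 nsf enforce global
 network 10.0.0.0 0.255.255.255 area 100
!
router bgp 100
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor 10.14.14.14 remote-as 100
"""

# Constructed variant with the NSF/SSO commands removed; the timers remain.
BAD = (GOOD.replace(" mode sso", " mode rpr")
           .replace("mpls ldp graceful-restart\n", "")
           .replace(" nsf enforce global\n", "")
           .replace(" bgp graceful-restart\n", ""))

if __name__ == "__main__":
    print(audit_nsf_sso(GOOD), audit_nsf_sso(BAD))
```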

Additional References

The following sections provide additional information related to the NSF/SSO—MPLS VPN feature.

Related Documents

Related Topic: Document Title

Nonstop forwarding and BGP Graceful Restart: "Cisco Nonstop Forwarding" module in the Cisco IOS XE High Availability Configuration Guide

Stateful switchover: "Stateful Switchover" module in the Cisco IOS XE High Availability Configuration Guide

Basic MPLS VPNs: "Part 4: MPLS Virtual Private Networks" module in the Cisco IOS XE Multiprotocol Label Switching Configuration Guide


Standards

Standards: Title

draft-ietf-mpls-bgp-mpls-restart.txt: Graceful Restart Mechanism for BGP with MPLS

draft-ietf-mpls-idr-restart.txt: Graceful Restart Mechanism for BGP


MIBs

MIBs: No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS XE Software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs


RFCs

RFCs: Title

RFC 1163: A Border Gateway Protocol

RFC 1164: Application of the Border Gateway Protocol in the Internet

RFC 2283: Multiprotocol Extensions for BGP-4

RFC 2547: BGP/MPLS VPNs



Feature Information for NSF/SSO—MPLS VPN

Table 1 lists the release history for this feature.

Not all commands may be available in your Cisco IOS XE Software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE Software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 1 lists only the Cisco IOS XE Software release that introduced support for a given feature in a given Cisco IOS XE Software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE Software release train also support that feature.


Table 1 Feature Information for NSF/SSO—MPLS VPN 

Feature Name: NSF/SSO—MPLS VPN

Releases: Cisco IOS XE Release 2.1

Feature Information: This feature allows a provider edge (PE) router (with redundant Route Processors) to preserve data forwarding information in a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) when the primary Route Processor restarts. The following commands were introduced or modified: show ip bgp labels, show ip bgp vpnv4.