7. SR Linux routing functions

This chapter describes key elements of SR Linux routing functions: network-instances, support for standard routing protocols including BGP and IS-IS, as well as ACLs, routing policies. and Quality of Service.

7.1. Network-instances

On the SR Linux, you can configure one or more virtual routing instances, known as “network-instances”. Each network-instance has its own interfaces, its own protocol instances, its own route table, and its own FIB.

When a packet arrives on a subinterface associated with a network-instance, it is forwarded according to the FIB of that network-instance. Transit packets are normally forwarded out another subinterface of the network-instance.

SR Linux supports the following types of network-instances:

  1. default
  2. ip-vrf
  3. mac-vrf

The initial startup configuration for SR Linux has a single default network-instance. By default, there are no ip-vrf or mac-vrf network-instances; these must be created by explicit configuration. The ip-vrf network-instances are the building blocks of Layer 3 IP VPN services, and mac-vrf network-instances are the building blocks of EVPN services.

Within a network-instance, you can configure BGP and IS-IS protocol options that apply only to that network-instance. See the SR Linux Configuration Basics Guide for configuration information.

7.2. Static routes

Within a network-instance, you can configure static routes. Each static route is associated with an IPv4 prefix or an IPv6 prefix, which represents the packet destinations matched by the static route. Each static route belongs to a specific network-instance. Different network-instances can have overlapping routes (static or otherwise) since each network-instance installs its own routes into its own set of route tables and FIBs.

Each static route must be associated with a statically configured next-hop group, which determines how matching packets are handled: either perform a blackhole discard action or a forwarding action. The next-hop group can specify a list of one or more next-hops, each identified by an IPv4 or IPv6 address and a resolve flag. If the resolve flag is set to false, only a direct route can be used to resolve the IPv4 or IPv6 next-hop address; if the resolve flag is set to true, any route in the FIB can be used to resolve the IPv4 or IPv6 next-hop address.

Each static route has a specified metric and preference. The metric is the IGP cost to reach the destination. The preference specifies the relative degree this static route is preferred compared to other static and non-static routes available for the same IP prefix in the same network-instance.

A static route is installed in the FIB for the network-instance if the following conditions are met:

  1. The route has the lowest preference value among all routes (static and non-static) for the IP prefix.
  2. The route has the lowest metric value among all static routes for the IP prefix.

If BGP is running in a network-instance, all static routes of that same network-instance are automatically imported into the BGP local RIB, so that they can be redistributed as BGP routes, subject to BGP export policies.

See the “Network Instances” chapter of the SR Linux Configuration Basics Guide for configuration information.

7.3. Aggregate routes

You can specify aggregate routes for a network-instance. Each aggregate route is associated with an IPv4 prefix or an IPv6 prefix, which represents the packet destinations matched by the aggregate route. As with static routes, each aggregate route belongs to a specific network-instance, though different network-instances can have overlapping routes since each network-instance installs its own routes into its own set of route tables and FIBs.

An aggregate route can become active when it has one or more contributing routes. A route contributes to an aggregate route if all of the following conditions are met:

  1. The prefix length of the contributing route is greater than the prefix length of the aggregate route.
  2. The prefix bits of the contributing route match the prefix bits of the aggregate route up to the prefix length of the aggregate route.
  3. There is no other aggregate route that has a longer prefix length that meets the previous two conditions.
  4. The contributing route is actively used for forwarding and is not an aggregate route itself.

That is, a route can only contribute to a single aggregate route, and that aggregate route cannot recursively contribute to a less-specific aggregate route.

Aggregate routes have a fixed preference value of 130. If there is no route to the aggregate route prefix with a numerically lower preference value, then the aggregate route, when activated by a contributing route, is installed into the FIB with a blackhole next-hop. It is not possible to install an aggregate route into the route-table or as a BGP route without also installing it in the FIB.

The aggregate routes are commonly advertised by BGP or another routing protocol so that the individual contributing routes no longer need to be advertised.

This can speed up routing convergence and reduce RIB and FIB sizes throughout the network. If BGP is running in a network-instance, all active aggregate routes of that network-instance are automatically imported into the BGP local RIB so they can be redistributed as BGP routes, subject to BGP export policies.

See the Network Instances chapter of the SR Linux Configuration Basics Guide for configuration information.

7.4. BGP feature support

As with other functions on SR Linux, BGP operates as a modular application. The BGP manager application is responsible for running the BGP control plane. It subscribes to the IDB for configuration updates and listens for network instance and routing policy updates.

SR Linux supports the following BGP features:

Basic features

  1. Global AS configuration with local AS override per session. SR Linux always advertises 4-byte ASN capability.
  2. Local-address/source selection per neighbor
  3. EBGP and IBGP sessions
  4. Peer groups
  5. Configurable route table preference, with separate control for EBGP and IBGP routes
  6. Configurable TCP MSS per-neighbor
  7. EBGP split-horizon (always enabled)
  8. BGP import and export policies
  9. IPv4/IPv6 default originate independent from default routes in the FIB
  10. AS path loop detection, with configurable threshold
  11. RFC 7606 error handling
  12. Tools commands to hard reset peer or soft reset with ROUTE_REFRESH
  13. Configurable traceoptions
  14. Routing policy actions to replace AS_PATH
  15. Options for handling the AS_PATH in received BGP routes
  16. BGP route reflection

Failure detection features

  1. Session KEEPALIVEs, with configurable hold-time and keepalive
  2. BGP next-hop tracking
  3. Fast failover (subinterface down)
  4. BFD for single-hop and multi-hop IPv4 and IPv6 sessions

Convergence features

  1. Configurable min-route-advertisement interval
  2. Rapid-withdrawal
  3. Option to wait for FIB install before advertising reachability
  4. Option to delay route advertisement until the address family has reached converged state (or timeout occurs)

Graceful restart

  1. Helper/receiving router role

Dynamic/unconfigured BGP neighbors

  1. Accept incoming sessions from allowed prefix/AS ranges
  2. Initiate outgoing sessions based on LLDP auto-discovery (draft-acee-idr-lldp-peer-discovery)

Address family support

  1. IPv4 unicast address family with IPv4 next-hops
  2. IPv4 unicast address family with IPv6 next-hops: requires MP_REACH_NLRI encoding and RFC 5549 capability advertisement
  3. IPv6 unicast address family with IPv6 next-hops
  4. Configurable limits on received routes per session per-AF > log when any threshold is exceeded

Multipath/ECMP

  1. Each BGP route supports multiple ECMP next-hops
  2. Two-level ECMP: Level1 selects BGP path/next-hop, Level2 selects a next-hop of the route that resolves the BGP next-hop
  3. Max Level1 next-hops per route and max Level2 next-hops per BGP next-hop are configurable per NLRI address family

See the SR Linux Configuration Basics Guide for a BGP configuration example. See the SR Linux Advanced Solutions Guide for a sample BGP underlay routing example.

7.5. IS-IS feature support

The SR Linux IS-IS manager application includes support for the following features:

  1. Level 1, Level 2, and Level 1/2 IS types
  2. Configurable network entity title (NET) per IS-IS instance
  3. Support for IPv4/v6 routing
  4. ECMP support per destination
  5. IS-IS export policies (redistribution of other types of routes into IS-IS)
  6. Authentication of CSNP, PSNP, and IIH PDUs with authentication type and key, configurable per instance and per instance level. Authentication type and key for IIH PDUs are also configurable per interface and level.
  7. Support for authentication keychains
  8. Purge Originator ID TLV (RFC 6232)
  9. Options to ignore and suppress the attached bit
  10. Ability to set the overload bit immediately or to set the bit after each subsequent restart of the IS-IS manager application and leave it on for a configurable duration each time
  11. Control over the Link-state PDU (LSP) MTU size, with range from 490 bytes to 9490 bytes
  12. Configuration control over timers related to LSP lifetime, LSP refresh interval, SPF calculation triggers, and LSP generation
  13. Support for hello padding (strict, loose and adaptive modes)
  14. Support for graceful restart, but only acting as a helper of the restarting router
  15. Level 1 to Level 2 route summarization
  16. BFD for fast failure detection
  17. Configurable hello timer/multiple per interface and level
  18. Support for wide metrics (configurable per level)
  19. Configurable route preference for each route type: Level 1-internal, Level 1-external, Level 2-internal and Level 2-external.
  20. Use of route policies to add/remove/replace one IS-IS route tag.

See the SR Linux Configuration Basics Guide for an IS-IS configuration example.

7.6. Routing policies

The SR Linux supports policy-based routing. Policy-based routing controls the size and content of the routing tables, the routes that are advertised, and the best route to take to reach a destination. SR Linux routing policies allow for detailed control of IP routes learned and advertised by routing protocols such as BGP

Each routing policy has a sequence of rules (called entries or statements) and a default action. Each statement has numerical sequence identifier that determines its order relative to other statements in that policy. When a route is analyzed by a policy, it is evaluated by each statement in sequential order.

Each policy statement has zero or more match conditions and a base action (either accept or reject); the statement may also have route-modifying actions. A route matches a statement if it meets all of the specified match conditions.

The first statement that matches the route determines the actions that are applied to the route. If the route is not matched by any statements, the default action of the policy is applied. If there is no default action, then a protocol- and context-specific default action is applied.

See the Routing Policies chapter in SR Linux Configuration Basics Guide for a list of valid match conditions and policy actions, as well as configuration examples.

7.7. ECMP load balancing

Static and BGP routes to IPv4 and IPv6 destinations are programmed into the datapath by their respective applications, with multiple IP ECMP next-hops. SR Linux load-balances packets across these IP ECMP next hops.

When an IPv4/IPv6 packet is received on a subinterface, and it matches a route with a number of ECMP hops, the next-hop used to forward the packet is determined from a hash calculation based on the packet type (IPv4/IPv6, TCP/UDP).

SR Linux attempts to keep packets in the same flow on the same network path while distributing traffic so that each of the N ECMP next-hops carries approximately 1/Nth of the load.

SR Linux supports resilient hashing, which allows SR Linux to move as few flows as possible when removing or adding members to the ECMP set. Resilient hashing is particularly useful when the ECMP next hops of an IP route correspond to network appliances or host servers that maintain state for the flows that they service, and moving flows would require state to be rebuilt.

7.8. Access Control Lists

An Access Control List, or ACL, is an ordered set of rules that are evaluated on a packet-by-packet basis to determine whether access should be provided to a specific resource. ACLs can be used to drop unauthorized or suspicious packets from entering or leaving a routing device via specified interfaces.

SR Linux supports the following types of ACLs:

  1. Interface ACLs restrict the traffic allowed to pass through a specific set of subinterfaces. An interface ACL can be applied to the input and/or output traffic of one or more subinterfaces.
  2. CPM-filter ACLs filter IPv4 or IPv6 traffic that is locally terminating on the router, regardless of the subinterface, port or line card where it enters.
  3. Capture-filter ACLs filter all transit and terminating IPv4 or IPv6 traffic that is arriving on any subinterface of the router. Traffic matching a capture-filter ACL can be copied to the control plane for packet capture and analysis.

The rules of each ACL policy are evaluated in sequential order. Filter evaluation stops at the first matching entry where all match conditions are met, at which point the actions specified in the ACL are applied to the packet.

For information on configuring ACLs, see the SR Linux Configuration Basics Guide.

7.9. Quality of Service (QoS)

SR Linux supports policies for assigning traffic to forwarding classes or remarking traffic at egress before it leaves the router. DSCP classifier policies map incoming packets to the appropriate forwarding classes, and DSCP rewrite-rule policies mark outgoing packets with an appropriate DSCP value based on the forwarding class.

Each received packet is classified as belonging to one of eight forwarding classes. The classification depends on the packet type and subinterface configuration.

Egress queues are scheduled directly to the output port. In general, higher-numbered queues are serviced before lower-numbered queues.

Scheduling for each queue can be configured as either strict priority (SP) or weighted round robin (WRR). Queues configured as SP are served (in priority order from highest forwarding class to lowest) before any of the WRR queues, even if some of the WRR queues carry higher forwarding-class traffic than some of the SP queues. After the SP queues are served, the WRR queues use the remaining bandwidth according to their configured weights.

See the Quality of Service chapter of the SR Linux Configuration Basics Guide for details about how transit and router-originated traffic is processed, and for configuration information.