Configure the head-end router as a PCEP Path Computation Client (PCC) to establish a connection to the PCE. The PCC and PCE
addresses must be routable so that a TCP connection (to exchange PCEP messages) can be established between the PCC and the PCE.
Configure the PCC to Establish a Connection to the PCE
Use the segment-routing traffic-eng pcc command to configure the PCC source address, the SR-PCE address, and SR-PCE options.
A PCE can be given an optional precedence. If a PCC is connected to multiple PCEs, the PCC selects the PCE with the lowest precedence
value. If there is a tie, the PCE with the highest IP address is chosen for path computation. The precedence value range is from 0 to 255.
Router(config)# segment-routing
Router(config-sr)# traffic-eng
Router(config-sr-te)# pcc
Router(config-sr-te-pcc)# source-address ipv6 ipv6-local-source-address
Router(config-sr-te-pcc)# pce address ipv6 ipv6-PCE-address [precedence value]
Configure PCEP Authentication
TCP Message Digest 5 (MD5) authentication has been used for authenticating PCEP (TCP) sessions by using a clear text or encrypted
password. This feature introduces support for TCP Authentication Option (TCP-AO), which replaces the TCP MD5 option.
TCP-AO uses Message Authentication Codes (MACs), which provide the following:
- Protection against replays for long-lived TCP connections
- More details on the security association with TCP connections than TCP MD5
- A larger set of MACs with minimal system and operational changes
TCP-AO is compatible with Master Key Tuple (MKT) configuration. TCP-AO also protects connections when using the same MKT across
repeated instances of a connection. TCP-AO protects the connections by using traffic keys that are derived from the MKT, and
then coordinates changes between the endpoints.
Note: TCP-AO and TCP MD5 are never permitted to be used simultaneously. TCP-AO supports IPv6, and is fully compatible with the proposed
requirements for the replacement of TCP MD5.
TCP Message Digest 5 (MD5) Authentication
Use the password {clear | encrypted} LINE command to enable TCP MD5 authentication for all PCEP peers. Any TCP segment coming from the PCC that does not contain a
MAC matching the configured password will be rejected. Specify whether the password is encrypted or clear text.
Router(config-sr-te-pcc)# pce address ipv6 ipv6-PCE-address [password {clear | encrypted} LINE]
TCP Authentication Option (TCP-AO)
Use the tcp-ao key-chain [include-tcp-options] command to enable TCP Authentication Option (TCP-AO) authentication for all PCEP peers. Any TCP segment coming from the
PCC that does not contain a MAC matching the configured key chain will be rejected. Use the include-tcp-options keyword to include other TCP options in the header for MAC calculation.
Router(config-sr-te-pcc)# pce address ipv6 ipv6-PCE-address tcp-ao key-chain [include-tcp-options]
Configure PCEP-Related Timers
Use the timers keepalive command to specify how often keepalive messages are sent from PCC to its peers. The range is from 0 to 255 seconds; the default
value is 30.
Router(config-sr-te-pcc)# timers keepalive seconds
Use the timers deadtimer command to specify how long the remote peers wait before bringing down the PCEP session if no PCEP messages are received
from this PCC. The range is from 1 to 255 seconds; the default value is 120.
Router(config-sr-te-pcc)# timers deadtimer seconds
Use the timers delegation-timeout command to specify how long a delegated SR policy can remain up without an active connection to a PCE. The range is from
0 to 3600 seconds; the default value is 60.
Router(config-sr-te-pcc)# timers delegation-timeout seconds
PCE-Initiated SR Policy Timers
Use the timers initiated orphans command to specify the amount of time that a PCE-initiated SR policy will remain delegated to a PCE peer that is no longer
reachable by the PCC. The range is from 10 to 180 seconds; the default value is 180.
Router(config-sr-te-pcc)# timers initiated orphans seconds
Use the timers initiated state command to specify the amount of time that a PCE-initiated SR policy will remain programmed while not being delegated to
any PCE. The range is from 15 to 14440 seconds (24 hours); the default value is 600.
Router(config-sr-te-pcc)# timers initiated state seconds
To better understand how the PCE-Initiated SR policy timers operate, consider the following example:
- PCE A instantiates SR policy P at head-end N.
- Head-end N delegates SR policy P to PCE A and programs it in forwarding.
- If head-end N detects that PCE A is no longer reachable, then head-end N starts the PCE-initiated orphan and state timers for SR policy P.
- If PCE A reconnects before the orphan timer expires, then SR policy P is automatically delegated back to its original PCE (PCE A).
- After the orphan timer expires, SR policy P will be eligible for delegation to any other surviving PCE(s).
- If SR policy P is not delegated to another PCE before the state timer expires, then head-end N will remove SR policy P from its forwarding.
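The timer behaviour in the steps above, worked through as an added Python example (not Cisco code). It assumes both timers start when the original PCE is lost, as the steps describe; the names resolve, Outcome and available_from are hypothetical, and letting the original PCE reclaim the policy after the orphan timer has expired is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

ORPHAN_DEFAULT = 180  # seconds: default of "timers initiated orphans"
STATE_DEFAULT = 600   # seconds: default of "timers initiated state"

@dataclass
class Outcome:
    delegated_to: Optional[str]  # PCE holding the delegation, None if removed
    at: int                      # seconds after the original PCE was lost
    in_forwarding: bool

def resolve(original, available_from, orphan=ORPHAN_DEFAULT, state=STATE_DEFAULT):
    """Decide what happens to a PCE-initiated policy after its PCE is lost.

    available_from maps a PCE name to the number of seconds after the loss
    at which that PCE is connected to the PCC (0 = it never went down).
    """
    if not 10 <= orphan <= 180 or not 15 <= state <= 14440:
        raise ValueError("timer outside the documented range")
    candidates = []
    for pce, t in available_from.items():
        # Until the orphan timer expires, the policy is held for the original PCE.
        effective = t if pce == original else max(t, orphan)
        if effective < state:          # must happen before the state timer expires
            candidates.append((effective, pce))
    if not candidates:
        # Nobody took the delegation in time: policy leaves forwarding.
        return Outcome(None, state, False)
    t, pce = min(candidates)           # earliest taker; name order on a tie (arbitrary)
    return Outcome(pce, t, True)

if __name__ == "__main__":
    print(resolve("A", {"A": 60, "B": 0}))   # A is back before the orphan timer
    print(resolve("A", {"B": 0}))            # B takes over once the orphan timer expires
    print(resolve("A", {}))                  # removed when the state timer expires
```

A state timer set shorter than the orphan timer removes the policy before any other PCE becomes eligible, which the last test case below the defaults makes visible.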
Enable SR-TE SYSLOG Alarms
Use the logging policy status command to enable SR-TE related SYSLOG alarms.
Router(config-sr-te)# logging policy status
Enable PCEP Reports to SR-PCE
Use the report-all command to enable the PCC to report all SR policies in its database to the PCE.
Router(config-sr-te-pcc)# report-all
Customize MSD Value at PCC
Use the maximum-sid-depth value command to customize the Maximum SID Depth (MSD) signaled by the PCC during PCEP session establishment.
The MSD is expressed as a number of uSIDs. The number of uSIDs is expressed as a number of carriers and the number of uSIDs per
carrier.
The default MSD value is equal to the maximum MSD supported by the platform (12 — 2 carriers, 6 uSIDs per carrier).
Router(config-sr-te-srv6)# maximum-sid-depth value
For cases with path computation at PCE, a PCC can signal its MSD to the PCE in the following ways:
After path computation, the resulting uSID stack size is verified against the MSD requirement.
- If the uSID stack size is larger than the MSD and path computation is performed by PCE, then the PCE returns a "no path" response
to the PCC.
- If the uSID stack size is larger than the MSD and path computation is performed by PCC, then the PCC will not install the
path.
Note: A sub-optimal path (if one exists) that satisfies the MSD constraint could be computed in the following cases:
- For a dynamic path with TE metric, when the PCE is configured with the pce segment-routing te-latency command or the PCC is configured with the segment-routing traffic-eng te-latency command.
- For a dynamic path with LATENCY metric
- For a dynamic path with affinity constraints
For example, if the PCC MSD is 4 and the optimal path (with an accumulated metric of 100) requires 5 uSIDs, but a sub-optimal
path exists (with accumulated metric of 110) requiring 4 uSIDs, then the sub-optimal path is installed.
Customize the SR-TE Path Calculation
Use the te-latency command to enable ECMP-aware path computation for TE metric.
Router(config-sr-te)# te-latency
Note: ECMP-aware path computation is enabled by default for IGP and LATENCY metrics.
Configure PCEP Redundancy Type
Use the redundancy pcc-centric command to enable the PCC-centric high-availability model. The PCC-centric model changes the default PCC delegation behavior
to the following:
- After LSP creation, the LSP is automatically delegated to the PCE that computed it.
- If this PCE is disconnected, then the LSP is redelegated to another PCE.
- If the original PCE is reconnected, then the delegation fallback timer is started. When the timer expires, the LSP is redelegated
back to the original PCE, even if it has worse preference than the current PCE.
Router(config-sr-te-pcc)# redundancy pcc-centric
Configuring Head-End Router as PCEP PCC and Customizing SR-TE Related Options: Example
The following example shows how to configure an SR-TE head-end router with the following functionality:
- Enable the SR-TE head-end router as a PCEP client (PCC) with 2 PCEP servers (PCE) with different precedence values. The PCE
with IP address cafe:0:2::2 is selected as BEST.
- Enable SR-TE related syslogs.
- Set the Maximum SID Depth (MSD) signaled during PCEP session establishment to 10.
- Enable PCEP reporting for all policies in the node.
Node1(config)# segment-routing
Node1(config-sr)# traffic-eng
Node1(config-sr-te)# pcc
Node1(config-sr-te-pcc)# source-address ipv6 cafe:0:1::1
Node1(config-sr-te-pcc)# pce address ipv6 cafe:0:2::2
Node1(config-pcc-pce)# precedence 10
Node1(config-pcc-pce)# exit
Node1(config-sr-te-pcc)# pce address ipv6 cafe:0:3::3
Node1(config-pcc-pce)# precedence 20
Node1(config-pcc-pce)# exit
Node1(config-sr-te-pcc)# report-all
Node1(config-sr-te-pcc)# exit
Node1(config-sr-te)# srv6
Node1(config-sr-te-srv6)# maximum-sid-depth 10
Node1(config-sr-te-srv6)# exit
Node1(config-sr-te)# logging
Node1(config-sr-te-log)# policy status
Node1(config-sr-te-log)# exit
Node1(config-sr-te)#
Running Config
segment-routing
 traffic-eng
  srv6
   maximum-sid-depth 10
  !
  logging
   policy status
  !
  pcc
   source-address ipv6 cafe:0:1::1
   pce address ipv6 cafe:0:2::2
    precedence 10
   !
   pce address ipv6 cafe:0:3::3
    precedence 20
   !
   report-all
  !
 !
!
Verification
Node1# show segment-routing traffic-eng pcc ipv6 peer brief
Address              Precedence   State        Learned From
-------------------- ------------ ------------ ---------------
cafe:0:2::2          10           up           config
cafe:0:3::3          20           up           config
Node1# show segment-routing traffic-eng pcc ipv6 peer detail
PCC's peer database:
--------------------
Peer address: cafe:0:2::2
Precedence: 10, (best PCE)
State up
Capabilities: Stateful, Update, Segment-Routing, Instantiation
PCEP has been up for: 01:22:23
Local keepalive timer is 30 seconds
Remote keepalive timer is 30 seconds
Local dead timer is 120 seconds
Remote dead timer is 120 seconds
Authentication: None
Statistics:
Open messages: rx 1 | tx 1
Close messages: rx 0 | tx 0
Keepalive messages: rx 164 | tx 163
Error messages: rx 0 | tx 0
Report messages: rx 0 | tx 110
Update messages: rx 36 | tx 0
Peer address: cafe:0:3::3
Precedence: 20
State up
Capabilities: Stateful, Update, Segment-Routing, Instantiation
PCEP has been up for: 01:21:48
Local keepalive timer is 30 seconds
Remote keepalive timer is 30 seconds
Local dead timer is 120 seconds
Remote dead timer is 120 seconds
Authentication: None
Statistics:
Open messages: rx 1 | tx 1
Close messages: rx 0 | tx 0
Keepalive messages: rx 164 | tx 162
Error messages: rx 0 | tx 0
Report messages: rx 0 | tx 82
Update messages: rx 0 | tx 0
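Both peers in the output above report "Authentication: None", meaning neither TCP MD5 nor TCP-AO is configured on those PCEP sessions. The following added Python example (not Cisco tooling) parses saved "peer detail" output, flags unauthenticated peers, and checks the "best PCE" marker against the precedence rule described earlier; the function names are hypothetical, the sample is a shortened copy of the output on this page, and treating only peers in state "up" as connected is an assumption.

```python
import ipaddress
import re

# Shortened copy of the "peer detail" output shown on this page.
SAMPLE = """\
Peer address: cafe:0:2::2
  Precedence: 10, (best PCE)
  State up
  Authentication: None
Peer address: cafe:0:3::3
  Precedence: 20
  State up
  Authentication: None
"""

def parse_peers(text):
    """Return one dict per 'Peer address:' stanza."""
    peers = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Peer address:\s*(\S+)", line):
            peers.append({"address": ipaddress.ip_address(m.group(1)), "best": False})
        elif not peers:
            continue  # header lines before the first peer
        elif m := re.match(r"Precedence:\s*(\d+)(.*)", line):
            peers[-1]["precedence"] = int(m.group(1))
            peers[-1]["best"] = "best PCE" in m.group(2)
        elif m := re.match(r"State\s+(\S+)", line):
            peers[-1]["state"] = m.group(1)
        elif m := re.match(r"Authentication:\s*(.+)", line):
            peers[-1]["auth"] = m.group(1).strip()
    return peers

def expected_best(peers):
    """Page rule: lowest precedence wins; on a tie the highest IP address wins.
    Assumption: only peers in state 'up' count as connected."""
    up = [p for p in peers if p.get("state") == "up" and "precedence" in p]
    if not up:
        return None
    return min(up, key=lambda p: (p["precedence"], -int(p["address"])))["address"]

def audit(text):
    """Return a list of findings; a missing Authentication line counts as None."""
    peers = parse_peers(text)
    findings = [f"{p['address']}: no TCP MD5 or TCP-AO authentication on the PCEP session"
                for p in peers if p.get("auth", "None") == "None"]
    marked = [str(p["address"]) for p in peers if p["best"]]
    best = expected_best(peers)
    if marked != ([str(best)] if best else []):
        findings.append(f"best PCE marked {marked}, expected {best}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```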