Sub Second Inter Chassis Failover

SecGW supports three modes of ICSR (intra-chassis L2, inter-chassis L2 ICSR and inter-chassis L3 ICSR). Failover behaviour depends on the type of failure and the ICSR mode.

BFD permits much more aggressive failure detection times than the existing SRP hello/dead timers. BFD monitoring is already implemented and integrated with SRP, and can be used in SecGW to reduce the SecGW switchover time to 1-3 seconds. This section explains the configuration details for the different modes.

BFD can be configured for single-hop and multi-hop SRP links. In an L2 setup the SRP link can be part of the same network, so a single-hop configuration is valid. In the remaining cases a multi-hop BFD configuration must be used.

Single-hop config example:

  context srp
    bfd-protocol
    #exit
    service-redundancy-protocol
      hello-interval 3
      configuration-interval 60
      dead-interval 15
      checkpoint session duration non-ims-session 30
      route-modifier threshold 10
      priority 10
      monitor bfd context srp 71.71.71.5 chassis-to-chassis
      monitor hsrp interface BVI1871 afi-type IPv4 hsrp-group 4
      peer-ip-address 71.71.71.5
      bind address 71.71.71.4
    #exit
    interface icsr
      ip address 71.71.71.4 255.255.255.0
      bfd interval 50 min_rx 50 multiplier 3
    #exit
    subscriber default
    exit
    aaa group default
    #exit
    ip route static bfd icsr 71.71.71.5
  #exit

Multi-hop config example:

  context srp
    bfd-protocol
      bfd multihop-peer 81.81.81.4 interval 50 min_rx 50 multiplier 3
    #exit
    service-redundancy-protocol
      hello-interval 3
      configuration-interval 60
      dead-interval 15
      checkpoint session duration non-ims-session 30
      route-modifier threshold 10
      priority 10
      monitor bfd context srp 81.81.81.4 chassis-to-chassis
      monitor hsrp interface GigabitEthernet0/0/0/5 afi-type IPv4 hsrp-group 4
      peer-ip-address 81.81.81.4
      bind address 71.71.71.4
    #exit
    interface ifSRP
      ip address 71.71.71.4 255.255.255.0
    #exit
    ip route static multihop bfd mbfd 71.71.71.4 81.81.81.4
    ip route 81.81.81.0 255.255.255.0 71.71.71.5 ifSRP
  #exit
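As an added example (not part of this page or the product), a small Python lint over the two SRP contexts above that checks what sub-second failover depends on: the BFD monitor, the static BFD route and (for multi-hop) the multihop peer all name the same SRP peer, and the BFD detection time, taken here as interval x multiplier assuming symmetric timers on both chassis, is far below the SRP dead-interval. The config strings are constructed from the page's examples, trimmed to the lines the lint reads.

```python
import re

# Constructed input: the relevant lines of this page's single-hop and multi-hop
# SRP contexts (other SRP settings omitted, indentation as on the page).
SINGLE_HOP = """      dead-interval 15
      monitor bfd context srp 71.71.71.5 chassis-to-chassis
      peer-ip-address 71.71.71.5
      bind address 71.71.71.4
      bfd interval 50 min_rx 50 multiplier 3
    ip route static bfd  icsr 71.71.71.5"""

MULTI_HOP = """      bfd multihop-peer 81.81.81.4 interval 50 min_rx 50 multiplier 3
      dead-interval 15
      monitor bfd context srp 81.81.81.4 chassis-to-chassis
      peer-ip-address 81.81.81.4
      bind address 71.71.71.4
    ip route static multihop bfd  mbfd 71.71.71.4 81.81.81.4"""

def _grab(pattern, cfg):
    """First match of a config line; returns its capture groups or None."""
    m = re.search(pattern, cfg, re.M)
    return m.groups() if m else None

def lint_srp_bfd(cfg):
    """Return (bfd_detect_ms, srp_dead_ms, problems) for one SRP context."""
    problems = []
    peer = _grab(r"^\s*peer-ip-address (\S+)", cfg)[0]
    local = _grab(r"^\s*bind address (\S+)", cfg)[0]
    dead_ms = int(_grab(r"^\s*dead-interval (\d+)", cfg)[0]) * 1000
    if _grab(r"^\s*monitor bfd context \S+ (\S+)", cfg) != (peer,):
        problems.append("monitor bfd target does not match peer-ip-address")
    mh = _grab(r"^\s*bfd multihop-peer (\S+) interval (\d+) min_rx \d+ multiplier (\d+)", cfg)
    if mh:  # multi-hop: timers under bfd-protocol, route names local and remote address
        mh_peer, interval, mult = mh
        route = _grab(r"^\s*ip route static multihop bfd\s+\S+\s+(\S+)\s+(\S+)", cfg)
        if mh_peer != peer or route != (local, peer):
            problems.append("multihop BFD peer/route do not match SRP bind/peer addresses")
    else:   # single-hop: timers on the SRP interface, route names interface and peer
        timers = _grab(r"^\s*bfd interval (\d+) min_rx \d+ multiplier (\d+)", cfg)
        if timers is None:
            return None, dead_ms, problems + ["no BFD timers on the SRP interface"]
        interval, mult = timers
        if _grab(r"^\s*ip route static bfd\s+\S+\s+(\S+)", cfg) != (peer,):
            problems.append("single-hop static BFD route does not point at the SRP peer")
    # Worst-case detection time with symmetric timers on both peers: interval x multiplier.
    detect_ms = int(interval) * int(mult)
    if detect_ms >= dead_ms:
        problems.append("BFD detection is not faster than the SRP dead-interval")
    return detect_ms, dead_ms, problems
```

With the page's 50 ms / multiplier 3 timers both contexts lint clean at 150 ms detection against a 15 s SRP dead-interval, which is the gap that makes the 1-3 s switchover possible.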

HSRP Switchover Improvement

Below are the changes that improve the HSRP switchover:
  • Bridge together the external and VSM interfaces for all paths (IKE and clear).

  • Configure SRP-activated loopback interfaces on both SecGWs and assign their addresses from the same network (the loopback address is up only on the active SecGW).

  • Add RRI routes with the loopback address as next hop.

  • For encrypted traffic, forward the packets from the L2 switch towards the loopback address. This ensures the packets always reach the chassis where SRP is active, even if HSRP is not.

  • For clear traffic, forward the packets from the L2 switch towards the HSRP address, since the RRI routes are added in the chassis (not on the L2 switch). If SecGW is not active in that chassis (SRP and HSRP out of sync), the packets are forwarded towards the other chassis (towards the loopback address).

ASR9K RSP configuration example

interface GigabitEthernet0/0/0/5
 transceiver permit pid all
 dot1q tunneling ethertype 0x9200
!
interface GigabitEthernet0/0/0/5.1259 l2transport 
 description "External port for SRP Traffic"
 encapsulation dot1q 1259 
 rewrite ingress tag pop 1 symmetric 
! 
interface GigabitEthernet0/0/0/18 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
! 
interface GigabitEthernet0/0/0/18.1871 l2transport 
 description "External port for IKE and ESP Traffic" 
 encapsulation dot1q 1871 
 rewrite ingress tag pop 1 symmetric 
! 
interface GigabitEthernet0/0/0/19 
 transceiver permit pid all 
 dot1q tunneling ethertype 0x9200 
! 
interface GigabitEthernet0/0/0/19.1881 l2transport 
 description "External port for Clear Traffic"
 encapsulation dot1q 1881 
 rewrite ingress tag pop 1 symmetric 
! 
interface TenGigE0/5/1/0 
! 
interface TenGigE0/5/1/0.1871 l2transport 
 description "VSM port for IKE and ESP Traffic"
 encapsulation dot1q 1871 
 rewrite ingress tag pop 1 symmetric 
! 
interface TenGigE0/5/1/1 
! 
interface TenGigE0/5/1/1.1259 l2transport 
 description "VSM port for SRP Traffic"
 encapsulation dot1q 1259 
 rewrite ingress tag pop 1 symmetric 
! 
interface TenGigE0/5/1/1.1881 l2transport 
 description "VSM port for Clear Traffic"
 encapsulation dot1q 1881 
 rewrite ingress tag pop 1 symmetric 
! 
interface BVI1259 
 description "BVI for SRP Traffic"
 ipv4 address 71.71.71.9 255.255.255.0 
! 
interface BVI1871 
 description "BVI for IKE and ESP Traffic"
 ipv4 address 187.0.1.12 255.255.255.0 
 ipv6 address 1871::12/64 
! 
interface BVI1881 
 description "BVI for Clear Traffic"
 ipv4 address 188.0.1.12 255.255.255.0 
 ipv6 address 1881::12/64 
! 
router static
 address-family ipv4 unicast
  35.35.35.35/32 187.0.1.20
 !
!
l2vpn 
 bridge group secgw 
  bridge-domain ike 
   interface TenGigE0/5/1/0.1871 
   ! 
   interface GigabitEthernet0/0/0/18.1871 
   ! 
   routed interface BVI1871 
  ! 
  bridge-domain srp 
   interface TenGigE0/5/1/1.1259 
   ! 
   interface GigabitEthernet0/0/0/5.1259 
   ! 
   routed interface BVI1259 
  ! 
  bridge-domain clear 
   interface TenGigE0/5/1/1.1881 
   ! 
   interface GigabitEthernet0/0/0/19.1881 
   ! 
   routed interface BVI1881 
  ! 
 ! 
! 

SecGW Configuration Example

  context wsg 
    …….. 
    interface clear                          <-- VSM clear interface
      ip address 188.0.1.10 255.255.255.0
    #exit
    interface clear-active loopback          <-- clear interface, active SecGW only
      ip address 188.0.1.20 255.255.255.255 srp-activate
    #exit
    interface ike                            <-- VSM IKE and ESP interface
      ip address 187.0.1.10 255.255.255.0
    #exit
    interface ike-active loopback            <-- IKE and ESP interface, active SecGW only
      ip address 187.0.1.20 255.255.255.255 srp-activate
    #exit
    interface ike-loop loopback              <-- IPv4 SecGW address
      ip address 35.35.35.35 255.255.255.255 srp-activate
    #exit
    interface ike-loop-v6 loopback           <-- IPv6 SecGW address
      ipv6 address 2035::35/128 srp-activate
    #exit
    wsg-service ipv4 
      deployment-mode site-to-site 
      ip access-group acl1 
      bind address 35.35.35.35 crypto-template foo 
    #exit 
    wsg-service ipv6 
      deployment-mode site-to-site 
      ipv6 access-group acl1 
      bind address 2035::35 crypto-template foo-1 
    #exit 
    ip route 65.65.0.0 255.255.0.0 188.0.1.100 clear 
    ip route 92.0.0.0 255.0.0.0 187.0.1.11 ike 
    ip rri next-hop 188.0.1.20 interface clear-active 
  #exit 
  context srp 
    bfd-protocol 
    #exit 
    service-redundancy-protocol
      hello-interval 3
      configuration-interval 60
      dead-interval 15
      checkpoint session duration non-ims-session 30
      route-modifier threshold 10
      priority 10
      monitor bfd context srp 71.71.71.5 chassis-to-chassis
      monitor hsrp interface BVI1871 afi-type IPv4 hsrp-group 4
      peer-ip-address 71.71.71.5
      bind address 71.71.71.4
    #exit
    interface icsr
      ip address 71.71.71.4 255.255.255.0
      bfd interval 50 min_rx 50 multiplier 3
    #exit
    ip route static bfd icsr 71.71.71.5
  #exit 
  port ethernet 1/10 
    no shutdown 
    vlan 1871 
      no shutdown 
      bind interface ike wsg 
    #exit 
  #exit 
  port ethernet 1/11 
    no shutdown 
    vlan 1259 
      no shutdown 
      bind interface icsr srp 
    #exit 
    vlan 1881 
      no shutdown 
      bind interface clear wsg 
    #exit 
  #exit