Protection and Restoration

One of the most popular applications of MPLS TE is fast reroute. FRR is the capability to reroute traffic quickly onto a backup link, path, or tunnel when the primary path fails due to link, node, or primary path failure.

Here is how it works: MPLS allows label stacking where one application label can be stacked onto another label, providing a nested hierarchy of LSPs. This technique is exploited in the fast reroute application to set up a short backup or bypass tunnel around a network element (link, node, or path). When the primary link, node, or path fails, the node detecting the failure quickly reroutes traffic onto the backup tunnela tunnel that is set up for this purpose. This reroute can happen very quickly (in 50ms or less), which is comparable to SONET Automatic Protection Switching (APS)reroute times.

The sections that follow describe the three main types of fast reroute: link protection, node protection, and path protection.

Link Protection

As evident by the name itself, link protection involves protecting against link failures. These days, links have become more reliable, but statistics still show that most unplanned failures in the network occur because of link failures. So, protecting against link failures is necessary in any network. To protect against link failures, you can use multiple circuits or SONET APSprotected circuits. This can result in expensive circuits. Because providing circuits is usually a recurring costespecially if the fiber circuit is not owned by the carrieryou might want to reduce the operating cost by eliminating the redundant circuits if fast reroute of traffic can be done by using other paths in the network. Link protection enables you to send traffic to the next hop on a backup tunnel should the primary link fail. Off-course link protection does not work if the only means of reaching the next hop is through the primary link (singly connected cases). How does this work?

FRR link protection is an ingenious technique. A node must be configured for link protection, and a backup tunnel is established around the link that needs to be protected to the same next hop. When the link fails, the node detects the link failure and, without changing the labels of the primary tunnels, imposes the backup tunnel label on top of the MPLS packet. When the packet comes out of the backup tunnel, the primary tunnel label is exposed. Because the backup tunnel always terminates onto the next hop, for link protection, the receiving node understands the primary tunnel label and switches the packet onto the destination. This is shown in Figure 8-4.

Figure 8-4. Link Protection

For illustration purposes, we have chosen the same topology discussed earlier. In this example, we are trying to protect the link between Denver and Chicago. Primary tunnels flow between other cities via Denver and Chicago over the link to be protected. More than one primary tunnel can be flowing over the link between Denver and Chicago. A backup tunnel is now preestablished between Denver and Chicago via Dallas and is configured to protect the link between Denver and Chicago in Figure 8-4, irrespective of the number of tunnels traversing that link.

When the failure occurs, the following steps follow: The Denver router detects the failure either via loss of carrier or SONET alarm. Then the Denver router takes the MPLS packets destined for Chicago on all the tunnels and imposes a new label on top for the backup tunnel. The Denver router then forwards it toward Dallas. The Dallas router can then swap the backup tunnel label to implicit null due to PHP and forward the MPLS packets to the Chicago router with the primary tunnel label exposed. Finally, the Chicago router looks up the incoming label and switches the packet toward the destination normally.

Node Protection

In link protection, the backup tunnel is always set up to the next hop node and the failure detection is performed based on loss of carrier or SONET alarms. In node protection, the mechanism described is similar to the link protection except that the backup tunnel is always set up to the node beyond the next hopthat is, next-next hop.

Upon detection of failure via a hello timeout, the point of local repair (PLR) node reroutes traffic onto the backup tunnel to the next-next-hop (nnhop). However, when MPLS packets emerge at the tail of the nnhop backup tunnel, they might not have the right labels for the merge point to carry the traffic further. To avoid discarding traffic at the tail of the backup tunnel, the head of the backup tunnel (also known as the point of local repair) swaps the primary tunnel label to the label expected by the merge point and then imposes the backup tunnel label. This ensures that the MPLS packets coming out of the backup tunnel carry the correct labels and hence are switched to the correct destination. This is illustrated by the example shown in Figure 8-5.

Figure 8-5. Node Protection

Again for simplicity, we consider the same topology as before. In this example, we are trying to protect against the failure of the Chicago node. So, from the Denver node, the primary tunnels always flow through the Chicago node. Assume node protection is set up. The Denver node and the Chicago node are configured for hellos and a backup tunnel is placed between the Denver router and New York router via Dallas and Atlanta.

The fast hellos between the Denver node and Chicago node time out when the Chicago node fails. The Denver node had previously recorded the labels used by nodes downstream, such as those used by Chicago, Boston, and New York. Thus, the Denver node now swaps the primary tunnel label to the label expected by the New York node instead of the label for the Chicago node (because it has failed). The Denver node then imposes the label for the backup nnhop tunnel and forwards the packet toward Dallas. When the packets appear at New York from Atlanta, they have the primary tunnel label; therefore, the New York node is now able to switch the traffic to the destination without any problems.

Path Protection

The last type of protection mechanism, called path protection, is the ability to protect one or more end-to-end paths via a preestablished or predetermined backup tunnel. This is always end-to-end protection and is similar to the shadow PVC model often used in the ATM networks of today. The backup tunnel is link and node diverged from the primary tunnel, such that if any element (link or node) along the primary path fails, the head end reroutes the traffic onto the backup path, as shown in Figure 8-6.

Figure 8-6. Path Protection

Many schemes for backup can be used, such as 1 to N or 1 to 1. In the 1-to-N scheme, there is one backup tunnel for N primary tunnels between the same pair of routers. The 1-to-1 back up implies that for every primary tunnel a backup tunnel exists. The number of backup tunnels needed for path protection is twice the number of primary tunnels.

However, the failure detection time is the longest in the path protection mechanism. This is due to the fact that if any network element fails along the path, the notification for this failure has to reach the head end of the TE tunnel for the traffic to be rerouted.

Usage Scenarios

MPLS FRR can be deployed with or without PE-to-PE or P-to-P traffic engineering. As stated earlier, backup tunnels are set up in the network based on the network element, link, or node to be protected. For traffic to be rerouted onto backup tunnels, it must be associated with a primary tunnel. The primary tunnel can be end to end or be one hop or two hops.

One-hop tunnel implies that the primary tunnel is only to the next hop and no further. Due to PHP, there are no labels for the primary tunnela backup tunnel is set up around the link to be protected. When the link fails, the primary tunnel to the next hop fails and the node reroutes traffic onto the backup tunnel. This method of one-hop tunnel can be used to easily deploy link protection. Several details about MPLS FRR deployment are explained in Traffic Engineering with MPLS.

Scalability of Protection Mechanisms

In choosing a protection mechanism, you must consider the scalability of each of these mechanisms. Link protection is the simplest approach. It requires only explicitly creating TE tunnels around the failed links and tying them to either one-hop tunnels or PE/P-to-PE/P tunnels. The number of backup tunnels required for link protection is approximately equal to the number of links in the network. More tunnels might be needed should bandwidth protection be required. This is because multiple backups can be required to back up a single link due to the unavailability of a single back tunnel with the same bandwidth as the link being protected. If only connectivity protection is desired, with no bandwidth guarantees during failures, a single backup tunnel backing up all the primary tunnels is sufficient.

In node protection, for each node protected with p degree of connectivity, the number of backup tunnels required is exactly p tunnels assuming no bandwidth protection is needed. So, for a complete network with n nodes, the total number of backup tunnels required is as follows:

np_ifor n, where p_i is the degree of connectivity of the ith node.

In approximation, if the degree of connectivity is a constant p, the number of backup tunnels required is n*p. Link protection requires fewer backup tunnels than node protection.

In path protection, the number of backup tunnels corresponds to the number of primary tunnels depending on the protection scheme used. If 1-for-1 protection is deployed, the number of backup tunnels needed is equal to the number of primary tunnels. If an N:1 protection mechanism is required, the number of backup tunnels depends on the number of parallel tunnels between two pairs of nodes. Irrespective of the path protection scheme used, the number of tunnels required is far more than for link and node protection methods. For example, let us consider a network with n nodes.

The number of primary tunnels in the network is n(n-1) n² number of tunnels. If a 1-to-1 backup schema is used, the number of backup tunnels required is also equal to n². For a small number of n, the number of tunnels for each scheme might be small and manageable; however, for a reasonable number of nodes, the total number of tunnels needed with path protection is 2n².

Path protection, though, is a well-understood model and is analogous to the shadow PVCs model used in ATM/Frame Relay networks of today. Providers have more experience with the shadow PVC model and have developed tools to place PVCs in today's ATM or Frame Relay networks.