This post describes how to run a pre-configured lab topology with Traffic Dictator and Cisco XRd or Arista cEOS. It is a good way to get familiar with Traffic Dictator and Segment Routing.
For more custom configurations, please check Traffic Dictator Documentation.
Pre-requisites
1. Setup Docker and Containerlab as described here: https://containerlab.dev/install/
2. Download and import the container images that you will use.
Cisco XRd: https://containerlab.dev/manual/kinds/xrd/
https://xrdocs.io/virtual-routing/tutorials/2022-08-22-xrd-images-where-can-one-get-them/
Note: a Cisco account and contract are required to download XRd images; or use your creativity to get them elsewhere
Arista cEOS: https://containerlab.dev/manual/kinds/ceos/
cEOS-lab is available for download from Arista website after registration; no contract is required
3. Download Traffic Dictator container image from https://vegvisir.ie/downloads/ and import it:
sudo docker load -i traffic-dictator-1.2.tar.gz
Verify:
dima@container-lab:~$ sudo docker images REPOSITORY TAG IMAGE ID CREATED SIZE traffic_dictator 1.2 24cbb5dc47b1 2 hours ago 1.56GB
Very simple lab with Cisco XRd and OSPF
This lab features:
- OSPF topology of just 6 routers, IPv4 only
- 2 Egress Peers with BGP Peer SID
- BGP-LS is used to collect IGP and EPE topology information, BGP SR-TE is used to install policies
- A variety of SR-TE policies with different constraints, endpoint and path types
Topology diagram
Lab configs
Download lab configs from: https://vegvisir.ie/wp-content/uploads/dist/XRd_ospf_very_simple.tar.gz
Upload to your containerlab host and extract the archive:
sudo tar -xvf XRd_ospf_very_simple.tar.gz
Edit the file “TD_ospf_very_simple.clab.yml” to change your XRd container image name to appropriate release (if it’s not 7.10.2).
Run the lab
First run the Traffic Dictator (change the home directory name to yours) :
sudo docker run --name traffic-dictator --hostname TD1 -v /home/dima/TD_ospf_very_simple/TD_config_OSPF_very_simple:/usr/local/td/startup-config --privileged -d traffic_dictator:1.2
Then run the containerlab:
sudo containerlab deploy
Wait for several minutes for all nodes to start.
Use the lab
Connect to Traffic Dictator:
sudo docker exec -ti traffic-dictator /bin/bash
From inside container, verify TD is running:
root@TD1:/# systemctl status td ● td.service - Vegvisir Systems Traffic Dictator Loaded: loaded (/etc/systemd/system/td.service; enabled; preset: enabled) Active: active (running) since Tue 2024-06-11 07:49:47 UTC; 11min ago Docs: https://vegvisir.ie/ Main PID: 10653 (traffic_dictato) Tasks: 23 (limit: 10834) Memory: 143.5M CPU: 24.677s CGroup: /system.slice/td.service ├─10653 /bin/bash /usr/local/td/traffic_dictator_start.sh ├─10655 /usr/local/td/td_policy_engine ├─10662 python3 /usr/local/td/traffic_dictator.py ├─10667 python3 /usr/local/td/traffic_dictator.py ├─10678 python3 /usr/local/td/traffic_dictator.py ├─10692 python3 /usr/local/td/traffic_dictator.py ├─10694 python3 /usr/local/td/traffic_dictator.py └─10696 python3 /usr/local/td/traffic_dictator.py
Connect to TDCLI and verify policies:
root@TD1:/# tdcli ### Welcome to the Traffic Dictator CLI! ### TD1#show traffic-eng policy Traffic-eng policy information Status codes: * valid, > active, e - EPE only, s - admin down, m - multi-topology Policy name Headend Endpoint Color/Service loopback Protocol Reserved bandwidth Priority Status/Reason *> R1_ISP2_BLUE_ONLY 1.1.1.1 10.100.9.102 104 SR-TE/direct 100000000 7/7 Active *> R1_NULL_YELLOW_ONLY 1.1.1.1 0.0.0.0 105 SR-TE/direct 100000000 7/7 Active *> R1_R3_YELLOW_ONLY 1.1.1.1 3.3.3.3 103 SR-TE/direct 100000000 7/7 Active *> R1_R5_EXPLICIT 1.1.1.1 5.5.5.5 101 SR-TE/direct 100000000 7/7 Active *> R1_R6_BLUE_ONLY 1.1.1.1 6.6.6.6 102 SR-TE/direct 100000000 7/7 Active
Configure and verify an SR-TE policy
Take for example policy “R1_R6_BLUE_ONLY”:
TD1#show run | sec R1_R6_BLUE_ONLY policy R1_R6_BLUE_ONLY headend 1.1.1.1 topology-id 101 endpoint 6.6.6.6 color 102 binding-sid 15102 priority 7 7 install direct srte 192.168.0.101 ! candidate-path preference 100 affinity-set BLUE_ONLY bandwidth 100 mbps
Verify policy state:
TD1#show traffic-eng policy R1_R6_BLUE_ONLY detail Detailed traffic-eng policy information: Traffic engineering policy "R1_R6_BLUE_ONLY" Valid config, Active Headend 1.1.1.1, topology-id 101, Maximum SID depth: 10 Endpoint 6.6.6.6, color 102 Endpoint type: Node, Topology-id: 101, Protocol: ospf, Router-id: 6.6.6.6 Setup priority: 7, Hold priority: 7 Reserved bandwidth bps: 100000000 Install direct, protocol srte, peer 192.168.0.101 Policy index: 4, SR-TE distinguisher: 16777220 Binding-SID: 15102 Candidate paths: Candidate-path preference 100 Path config valid Metric: igp Path-option: dynamic Affinity-set: BLUE_ONLY Constraint: include-all List: ['BLUE'] Value: 0x1 This path is currently active Calculation results: Aggregate metric: 3 Topologies: ['101'] Segment lists: [16005, 16006] Policy statistics: Last config update: 2024-06-19 14:16:36,093 Last recalculation: 2024-06-19 14:28:47.452 Policy calculation took 0 miliseconds
BGP route has been created and sent to 192.168.0.101:
TD1#show bgp ipv4 srte detail | grep -B8 R1_R6_BLUE_ONLY BGP routing table entry for [96][16777220][102][6.6.6.6] Paths: 1 available, best #1 Last modified: September 05, 2024 16:33:13 Local, inserted - from - (0.0.0.0) Origin igp, metric 0, localpref -, weight 0, valid, -, best Endpoint 6.6.6.6, Color 102, Distinguisher 16777220 Tunnel encapsulation attribute: SR Policy Policy name: R1_R6_BLUE_ONLY
TD1#show bgp neighbors 192.168.0.101 ipv4 srte advertised-routes | fgrep [96][16777220][102][6.6.6.6] *>+ [96][16777220][102][6.6.6.6] - 0 - 0 i
On Cisco router, verify that the policy has been received and installed:
RP/0/RP0/CPU0:R1#show bgp ipv4 sr-policy [16777220][102][6.6.6.6]/96 Thu Sep 5 16:36:25.065 UTC BGP routing table entry for [16777220][102][6.6.6.6]/96 Versions: Process bRIB/RIB SendTblVer Speaker 5 5 Last Modified: Sep 5 16:33:13.446 for 00:03:11 Paths: (1 available, best #1, not advertised to any peer) Not advertised to any peer Path #1: Received by speaker 0 Not advertised to any peer 65001 192.168.0.1 from 192.168.0.1 (111.111.111.111) Origin IGP, localpref 100, valid, external, best, group-best Received Path ID 0, Local Path ID 1, version 5 Community: no-advertise Tunnel encap attribute type: 15 (SR policy) bsid 15102, preference 100, num of segment-lists 1 segment-list 1, weight 1 segments: {16005} {16006} Candidate path is usable (registered) SR policy state is UP, Allocated bsid 15102
RP/0/RP0/CPU0:R1#show segment-routing traffic-eng policy endpoint ipv4 6.6.6.6 color 102 Thu Sep 5 16:36:52.360 UTC SR-TE policy database --------------------- Color: 102, End-point: 6.6.6.6 Name: srte_c_102_ep_6.6.6.6 Status: Admin: up Operational: up for 00:03:38 (since Sep 5 16:33:14.067) Candidate-paths: Preference: 100 (BGP, RD: 16777220) (active) Requested BSID: 15102 Constraints: Protection Type: protected-preferred Maximum SID Depth: 10 Explicit: segment-list (valid) Weight: 1, Metric Type: TE SID[0]: 16005 [Prefix-SID, 5.5.5.5] SID[1]: 16006 Attributes: Binding SID: 15102 (SRLB) Forward Class: Not Configured Steering labeled-services disabled: no Steering BGP disabled: no IPv6 caps enable: yes Invalidation drop enabled: no Max Install Standby Candidate Paths: 0
Lab with Cisco XRd and IS-IS
Note: this lab also requires an Arista cEOS switch with empty config to faciliate a multi-point connection between R1, R3 and R4.
This lab features:
- IS-IS L2 topology, IPv4 and IPv6
- 5 Egress Peers with BGP Peer SID, IPv4 and IPv6
- Broadcast network with IS-IS pseudonode
- Anycast SID
- A variety of IPv4 and IPv6 SR-TE policies with different constraints, endpoint and path types
- BGP-LS is used to collect IGP and EPE topology information, BGP SR-TE is used to install policies
Topology diagram
Lab configs
Download lab configs from: https://vegvisir.ie/wp-content/uploads/dist/XRd_isis_simple.tar.gz
Upload to your containerlab host and extract the archive:
sudo tar -xvf XRd_isis_simple.tar.gz
Edit the file “TD_isis_simple.clab.yml” to change your XRd container image name to appropriate release (if it’s not 7.10.2).
Run the lab
First run the Traffic Dictator (change the home directory name to yours) :
sudo docker run --name traffic-dictator --hostname TD1 -v /home/dima/TD_isis_simple/TD_config_ISIS:/usr/local/td/startup-config --privileged -d traffic_dictator:1.2
Then run the containerlab:
sudo containerlab deploy
Wait for several minutes for all nodes to start.
Use the lab
Connect to Traffic Dictator:
sudo docker exec -ti traffic-dictator /bin/bash
From inside container, verify TD is running:
root@TD1:/# systemctl status td ● td.service - Vegvisir Systems Traffic Dictator Loaded: loaded (/etc/systemd/system/td.service; enabled; preset: enabled) Active: active (running) since Tue 2024-06-11 07:49:47 UTC; 11min ago Docs: https://vegvisir.ie/ Main PID: 10653 (traffic_dictato) Tasks: 23 (limit: 10834) Memory: 143.5M CPU: 24.677s CGroup: /system.slice/td.service ├─10653 /bin/bash /usr/local/td/traffic_dictator_start.sh ├─10655 /usr/local/td/td_policy_engine ├─10662 python3 /usr/local/td/traffic_dictator.py ├─10667 python3 /usr/local/td/traffic_dictator.py ├─10678 python3 /usr/local/td/traffic_dictator.py ├─10692 python3 /usr/local/td/traffic_dictator.py ├─10694 python3 /usr/local/td/traffic_dictator.py └─10696 python3 /usr/local/td/traffic_dictator.py
Connect to TDCLI and verify policies:
root@TD1:/# tdcli ### Welcome to the Traffic Dictator CLI! ### TD1#show bgp su BGP summary information Router identifier 111.111.111.111, local AS number 65001 Neighbor V AS MsgRcvd MsgSent InQ OutQ Up/Down State Received NLRI Active AF 192.168.0.101 4 65002 106 15 0 0 0:13:27 Established 164 IPv4-LU, LS 2001:192::101 4 65002 103 35 0 0 0:12:22 Established 164 IPv4-SRTE, IPv6-LU, IPv6-SRTE, LS TD1#show traffic-eng policy Traffic-eng policy information Status codes: * valid, > active, e - EPE only, s - admin down, m - multi-topology Policy name Headend Endpoint Color/Service loopback Protocol Reserved bandwidth Priority Status/Reason *> R11_R1_BLUE_OR_ORANGE_IPV4 11.11.11.11 1.1.1.1 3 SR-TE/indirect 100000000 5/5 Active *> R11_R1_BLUE_OR_ORANGE_IPV6 11.11.11.11 2002::1 103 SR-TE/indirect 100000000 5/5 Active *> R1_ISP4_ANY_COLOR_IPV4 1.1.1.1 10.100.19.104 5 SR-TE/direct 100000000 7/7 Active *> R1_ISP4_ANY_COLOR_IPV6 1.1.1.1 2001:100:19::104 105 SR-TE/direct 100000000 7/7 Active *> R1_ISP5_BLUE_ONLY_IPV4 1.1.1.1 10.100.20.105 4 SR-TE/direct 100000000 7/7 Active *> R1_ISP5_BLUE_ONLY_IPV6 1.1.1.1 2001:100:20::105 104 SR-TE/direct 100000000 7/7 Active *> R1_NULL_EXCLUDE_YELLOW_AND_ORANGE_IPV4 1.1.1.1 0.0.0.0 7 SR-TE/direct 100000000 7/7 Active *> R1_NULL_EXCLUDE_YELLOW_AND_ORANGE_IPV6 1.1.1.1 :: 107 SR-TE/direct 100000000 7/7 Active *> R1_NULL_YELLOW_ONLY_IPV4 1.1.1.1 0.0.0.0 6 SR-TE/direct 100000000 7/7 Active *> R1_NULL_YELLOW_ONLY_IPV6 1.1.1.1 :: 106 SR-TE/direct 100000000 7/7 Active *> R1_R11_BLUE_ONLY_IPV4 1.1.1.1 11.11.11.11 1 SR-TE/direct 100000000 7/7 Active *> R1_R11_BLUE_ONLY_IPV6 1.1.1.1 2002::11 101 SR-TE/direct 100000000 7/7 Active *> R1_R11_EP_LOOSE_IPV4 1.1.1.1 11.11.11.11 9 SR-TE/direct 100000000 4/4 Active *> R1_R11_EP_LOOSE_IPV6 1.1.1.1 2002::11 109 SR-TE/direct 100000000 4/4 Active *> R1_R11_EXCLUDE_SOME_IPV4 1.1.1.1 11.11.11.11 10 SR-TE/direct 100000000 4/4 Active *> R1_R11_EXCLUDE_SOME_IPV6 1.1.1.1 2002::11 110 SR-TE/direct 100000000 4/4 Active *> R1_R11_YELLOW_OR_ORANGE_IPV4 1.1.1.1 11.11.11.11 2 SR-TE/direct 100000000 6/6 Active *> R1_R11_YELLOW_OR_ORANGE_IPV6 1.1.1.1 2002::11 102 SR-TE/direct 100000000 6/6 Active *> R1_R9_EP_STRICT_IPV4 1.1.1.1 9.9.9.9 8 SR-TE/direct 100000000 4/4 Active *> R1_R9_EP_STRICT_IPV6 1.1.1.1 2002::9 108 SR-TE/direct 100000000 4/4 Active
Configure and verify an SR-TE policy
Take for example, policy “R1_R11_BLUE_ONLY_IPV4”.
TD1#show run | sec R1_R11_BLUE_ONLY_IPV4 policy R1_R11_BLUE_ONLY_IPV4 headend 1.1.1.1 topology-id 101 endpoint 11.11.11.11 color 1 binding-sid 15001 priority 7 7 install direct srte 2001:192::101 ! candidate-path preference 100 metric igp affinity-set BLUE_ONLY bandwidth 100 mbps
Verify policy state:
TD1#show traffic-eng policy R1_R11_BLUE_ONLY_IPV4 detail Detailed traffic-eng policy information: Traffic engineering policy "R1_R11_BLUE_ONLY_IPV4" Valid config, Active Headend 1.1.1.1, topology-id 101, Maximum SID depth: 10 Endpoint 11.11.11.11, color 1 Endpoint type: Node, Topology-id: 101, Protocol: isis, Router-id: 0011.0011.0011.00 Setup priority: 7, Hold priority: 7 Reserved bandwidth bps: 100000000 Install direct, protocol srte, peer 2001:192::101 Policy index: 10, SR-TE distinguisher: 16777226 Binding-SID: 15001 Candidate paths: Candidate-path preference 100 Path config valid Metric: igp Path-option: dynamic Affinity-set: BLUE_ONLY Constraint: include-all List: ['BLUE'] Value: 0x1 This path is currently active Calculation results: Aggregate metric: 40 Topologies: ['101'] Segment lists: [16005, 16010, 24013] Policy statistics: Last config update: 2024-09-05 16:48:27,660 Last recalculation: 2024-09-05 16:50:20.473 Policy calculation took 0 miliseconds
BGP route has been created and sent to 2001:192::101:
TD1#show bgp ipv4 srte detail | grep -B8 R1_R11_BLUE_ONLY_IPV4 BGP routing table entry for [96][16777226][1][11.11.11.11] Paths: 1 available, best #1 Last modified: September 05, 2024 16:50:20 Local, inserted - from - (0.0.0.0) Origin igp, metric 0, localpref -, weight 0, valid, -, best Endpoint 11.11.11.11, Color 1, Distinguisher 16777226 Tunnel encapsulation attribute: SR Policy Policy name: R1_R11_BLUE_ONLY_IPV4
TD1#show bgp neighbors 2001:192::101 ipv4 srte advertised-routes | fgrep [96][16777226][1][11.11.11.11] *>+ [96][16777226][1][11.11.11.11] - 0 - 0 i
On Cisco router, verify that the policy has been received and installed:
RP/0/RP0/CPU0:R1#show bgp ipv4 sr-policy [16777226][1][11.11.11.11]/96 Thu Sep 5 16:59:25.260 UTC BGP routing table entry for [16777226][1][11.11.11.11]/96 Versions: Process bRIB/RIB SendTblVer Speaker 12 12 Last Modified: Sep 5 16:50:14.895 for 00:09:10 Paths: (1 available, best #1, not advertised to any peer) Not advertised to any peer Path #1: Received by speaker 0 Not advertised to any peer 65001 2001:192::a8c1:abff:fe54:2578 from 2001:192::1 (111.111.111.111) Origin IGP, localpref 100, valid, external, best, group-best Received Path ID 0, Local Path ID 1, version 12 Community: no-advertise Tunnel encap attribute type: 15 (SR policy) bsid 15001, preference 100, num of segment-lists 1 segment-list 1, weight 1 segments: {16005} {16010} {24013} Candidate path is usable (registered) SR policy state is UP, Allocated bsid 15001
show segment-routing traffic-eng policy endpoint ipv4 11.11.11.11 color 1 Thu Sep 5 16:59:39.420 UTC SR-TE policy database --------------------- Color: 1, End-point: 11.11.11.11 Name: srte_c_1_ep_11.11.11.11 Status: Admin: up Operational: up for 00:09:23 (since Sep 5 16:50:16.217) Candidate-paths: Preference: 100 (BGP, RD: 16777226) (active) Requested BSID: 15001 Constraints: Protection Type: protected-preferred Maximum SID Depth: 10 Explicit: segment-list (valid) Weight: 1, Metric Type: TE SID[0]: 16005 [Prefix-SID, 5.5.5.5] SID[1]: 16010 SID[2]: 24013 Attributes: Binding SID: 15001 (SRLB) Forward Class: Not Configured Steering labeled-services disabled: no Steering BGP disabled: no IPv6 caps enable: yes Invalidation drop enabled: no Max Install Standby Candidate Paths: 0
Lab with Arista cEOS
This lab features:
- IS-IS L2 topology, IPv4 only
- 5 Egress Peers with BGP-LU originated EPE routes, IPv4 only
- Anycast SID
- A variety of IPv4 SR-TE and LU policies with different constraints, endpoint and path types
- BGP-LS is used to collect IGP topology information, BGP-LU is used to collect EPE topology information, BGP SR-TE and LU are used to install policies
Topology diagram
Note that unlike the XRd lab, in this one TD has BGP-LU sessions with all egress ASBR. This is because EOS doesn’t support Peer SID but instead advertises EPE routes via BGP-LU.
Update 01.08.2024: replaced XRd image used for ISP with FRR image. So this lab now requires only free images.
Lab configs
Download lab configs from: https://vegvisir.ie/wp-content/uploads/dist/cEOS_isis_simple_frr.tar.gz
Upload to your containerlab host and extract the archive:
sudo tar -xvf cEOS_isis_simple_frr.tar.gz
Edit the file “TD_isis_eos_simple_frr.clab.yml” to change your cEOS container image name to appropriate release.
Run the lab
First run the Traffic Dictator (change the home directory name to yours) :
sudo docker run --name traffic-dictator --hostname TD1 -v /home/dima/TD_isis_eos_simple_frr/TD_config_ISIS_EOS:/usr/local/td/startup-config --privileged -d traffic_dictator:1.2
Then run the containerlab:
sudo containerlab deploy
Wait for several minutes for all nodes to start.
Use the lab
Connect to Traffic Dictator:
sudo docker exec -ti traffic-dictator /bin/bash
From inside container, verify TD is running:
root@TD1:/# systemctl status td ● td.service - Vegvisir Systems Traffic Dictator Loaded: loaded (/etc/systemd/system/td.service; enabled; preset: enabled) Active: active (running) since Tue 2024-06-11 07:49:47 UTC; 11min ago Docs: https://vegvisir.ie/ Main PID: 10653 (traffic_dictato) Tasks: 23 (limit: 10834) Memory: 143.5M CPU: 24.677s CGroup: /system.slice/td.service ├─10653 /bin/bash /usr/local/td/traffic_dictator_start.sh ├─10655 /usr/local/td/td_policy_engine ├─10662 python3 /usr/local/td/traffic_dictator.py ├─10667 python3 /usr/local/td/traffic_dictator.py ├─10678 python3 /usr/local/td/traffic_dictator.py ├─10692 python3 /usr/local/td/traffic_dictator.py ├─10694 python3 /usr/local/td/traffic_dictator.py └─10696 python3 /usr/local/td/traffic_dictator.py
Connect to TDCLI and verify policies:
root@TD1:/# tdcli ### Welcome to the Traffic Dictator CLI! ### TD1#sh bgp su BGP summary information Router identifier 111.111.111.111, local AS number 65001 Neighbor V AS MsgRcvd MsgSent InQ OutQ Up/Down State Received NLRI Active AF 192.168.0.101 4 65002 65 10 0 0 0:00:50 Established 100 IPv4-LU, IPv4-SRTE, LS 192.168.0.102 4 65002 5 3 0 0 0:00:50 Established 1 IPv4-LU 192.168.0.105 4 65002 12 9 0 0 0:07:29 Established 1 IPv4-LU 192.168.0.106 4 65002 5 3 0 0 0:00:50 Established 1 IPv4-LU 192.168.0.111 4 65002 12 15 0 0 0:05:48 Established 2 IPv4-LU
TD1#show traf pol Traffic-eng policy information Status codes: * valid, > active, e - EPE only, s - admin down, m - multi-topology Policy name Headend Endpoint Color/Service loopback Protocol Reserved bandwidth Priority Status/Reason *> R11_R1_BLUE_OR_ORANGE_IPV4 11.11.11.11 1.1.1.1 3 SR-TE/direct 100000000 5/5 Active *> R1_ISP4_ANY_COLOR_IPV4 1.1.1.1 10.100.19.104 5 SR-TE/direct 100000000 7/7 Active e *> R1_ISP4_EPE_ONLY N/A 10.100.19.104 103.11.11.11 LU/direct 100000000 7/7 Active *> R1_ISP5_BLUE_ONLY_IPV4 1.1.1.1 10.100.20.105 102.11.11.11 LU/direct 100000000 7/7 Active *> R1_NULL_EXCLUDE_YELLOW_AND_ORANGE_IPV4 1.1.1.1 0.0.0.0 7 SR-TE/direct 100000000 7/7 Active *> R1_NULL_YELLOW_ONLY_IPV4 1.1.1.1 0.0.0.0 6 SR-TE/direct 100000000 7/7 Active *> R1_R11_BLUE_ONLY_IPV4 1.1.1.1 11.11.11.11 100.11.11.11 LU/direct 100000000 7/7 Active *> R1_R11_EP_LOOSE_IPV4 1.1.1.1 11.11.11.11 9 SR-TE/direct 100000000 4/4 Active *> R1_R11_EXCLUDE_SOME_IPV4 1.1.1.1 11.11.11.11 10 SR-TE/direct 100000000 4/4 Active *> R1_R11_YELLOW_OR_ORANGE_IPV4 1.1.1.1 11.11.11.11 2 SR-TE/direct 100000000 6/6 Active *> R1_R9_EP_STRICT_IPV4 1.1.1.1 9.9.9.9 8 SR-TE/direct 100000000 4/4 Active
Configure and verify an SR-TE policy
Take for example policy “R1_R11_EP_LOOSE_IPV4”:
TD1#show run | sec R1_R11_EP_LOOSE_IPV4 policy R1_R11_EP_LOOSE_IPV4 headend 1.1.1.1 topology-id 101 endpoint 11.11.11.11 color 9 binding-sid 966005 priority 4 4 install direct srte 192.168.0.101 ! candidate-path preference 100 explicit-path R25_LOOSE bandwidth 100 mbps
It has been resolved via anycast SID shared between R2 and R5:
TD1#show traffic-eng policy R1_R11_EP_LOOSE_IPV4 detail Detailed traffic-eng policy information: Traffic engineering policy "R1_R11_EP_LOOSE_IPV4" Valid config, Active Headend 1.1.1.1, topology-id 101, Maximum SID depth: 6 Endpoint 11.11.11.11, color 9 Endpoint type: Node, Topology-id: 101, Protocol: isis, Router-id: 0011.0011.0011.00 Setup priority: 4, Hold priority: 4 Reserved bandwidth bps: 100000000 Install direct, protocol srte, peer 192.168.0.101 Policy index: 7, SR-TE distinguisher: 16777223 Binding-SID: 966005 Candidate paths: Candidate-path preference 100 Path config valid Metric: igp Path-option: explicit Explicit path name: R25_LOOSE This path is currently active Calculation results: Aggregate metric: 400 Topologies: ['101'] Segment lists: [900025, 900011] Policy statistics: Last config update: 2024-09-05 17:28:56,025 Last recalculation: 2024-09-05 17:34:59.568 Policy calculation took 1 miliseconds
Verify BGP route created and advertised to peer:
TD1#show bgp ipv4 srte detail | grep -B8 R1_R11_EP_LOOSE_IPV4 BGP routing table entry for [96][16777223][9][11.11.11.11] Paths: 1 available, best #1 Last modified: September 05, 2024 17:35:00 Local, inserted - from - (0.0.0.0) Origin igp, metric 0, localpref -, weight 0, valid, -, best Endpoint 11.11.11.11, Color 9, Distinguisher 16777223 Tunnel encapsulation attribute: SR Policy Policy name: R1_R11_EP_LOOSE_IPV4
TD1#show bgp neighbors 192.168.0.101 ipv4 srte advertised-routes | fgrep [96][16777223][9][11.11.11.11] *>+ [96][16777223][9][11.11.11.11] - 0 - 0 i
Verify SR-TE policy on EOS:
R1#show bgp sr-te endpoint 11.11.11.11 color 9 distinguisher 16777223 BGP routing table information for VRF default Router identifier 1.1.1.1, local AS number 65002 BGP routing table entry for Endpoint: 11.11.11.11, Color: 9, Distinguisher: 16777223 Paths: 1 available 65001 192.168.0.1 from 192.168.0.1 (111.111.111.111) Origin IGP, metric -, localpref 100, weight 0, received 00:01:08 ago, valid, external, best Community: no-advertise Rx SAFI: SR TE Policy
R1#show traffic-engineering segment-routing policy endpoint 11.11.11.11 color 9 Endpoint 11.11.11.11 Color 9, Counters: not available Path group: State: active (for 00:07:41), modified: 00:07:41 ago Protocol: BGP Originator: 111.111.111.111(AS65001) Discriminator: 16777223 Preference: 100 IGP metric: 0 (static) Binding SID: 966005 Explicit null label policy: IPv6 (system default) Segment List: State: Valid, ID: 7, Counters: not available Protected: No, Reason: The top label is not protected Label Stack: [900025 900011], Weight: 1 Resolved Label Stack: [900011], Next hop: 10.100.1.2, Interface: Ethernet1 Resolved Label Stack: [900011], Next hop: 10.100.3.5, Interface: Ethernet3
Configure and verify an LU policy
BGP-LU is an alternative method of policy installtion to routers that don’t support BGP SR-TE. Refer to the relevant documentation section: https://vegvisir.ie/bgp-lu-policies/
Policy “R1_ISP5_BLUE_ONLY_IPV4” has been configured as LU:
TD1#show run | sec R1_ISP5_BLUE_ONLY_IPV4 policy R1_ISP5_BLUE_ONLY_IPV4 headend 1.1.1.1 topology-id 101 endpoint 10.100.20.105 service-loopback 102.11.11.11 binding-sid 15004 priority 7 7 install direct labeled-unicast 192.168.0.101 ! candidate-path preference 100 metric te affinity-set BLUE_ONLY bandwidth 100 mbps
It is also an EPE policy going to ISP5.
Verify:
TD1#show traffic-eng policy R1_ISP5_BLUE_ONLY_IPV4 detail Detailed traffic-eng policy information: Traffic engineering policy "R1_ISP5_BLUE_ONLY_IPV4" Valid config, Active Headend 1.1.1.1, topology-id 101, Maximum SID depth: 6 Endpoint 10.100.20.105, service-loopback 102.11.11.11 Endpoint type: Egress peer, Topology-id: 101, Protocol: isis, Router-id: 0011.0011.0011.00 Setup priority: 7, Hold priority: 7 Reserved bandwidth bps: 100000000 Install direct, protocol labeled-unicast, peer 192.168.0.101 Policy index: 3, SR-TE distinguisher: 16777219 Candidate paths: Candidate-path preference 100 Path config valid Metric: te Path-option: dynamic Affinity-set: BLUE_ONLY Constraint: include-all List: ['BLUE'] Value: 0x1 This path is currently active Calculation results: Aggregate metric: 2000 Topologies: ['101'] Segment lists: [900010, 100003, 100001] BGP-LU next-hop: 10.100.3.5 Policy statistics: Last config update: 2024-09-06 10:40:56,270 Last recalculation: 2024-09-06 10:41:16.650 Policy calculation took 0 miliseconds
Verify the BGP route:
TD1#show bgp ipv4 labeled-unicast [16777219][102.11.11.11/32] BGP-LS routing table information Router identifier 111.111.111.111, local AS number 65001 BGP routing table entry for [16777219][102.11.11.11/32] Label stack: [900010, 100003, 100001] Paths: 1 available, best #1 Last modified: September 06, 2024 10:41:16 Local, inserted - from - (0.0.0.0) Origin igp, metric 0, localpref -, weight 0, valid, -, best
Verify the policy has been received on EOS:
R1#sh bgp ipv4 labeled-unicast 102.11.11.11/32 BGP routing table information for VRF default Router identifier 1.1.1.1, local AS number 65002 BGP routing table entry for 102.11.11.11/32 Paths: 2 available 65001 10.100.3.5 labels [ 900010 100003 100001 ] from 192.168.0.1 (111.111.111.111) Origin IGP, metric 0, localpref 500, IGP metric 0, weight 0, tag 0 Received 00:16:21 ago, valid, external, best Community: no-advertise Local MPLS label: 100005 Rx SAFI: MplsLabel Tunnel RIB eligible
R1#show bgp labeled-unicast tunnel | grep 102.11.11.11/32 5 102.11.11.11/32 10.100.3.5 Ethernet3 [ 900010 100003 100001 ] Yes 0 MED 0 200 0
Configure and verify an EPE-only policy
EPE only policy is useful for pure Egress Peer Engineering applications, where the network does not Segment Routing and does not advertise BGP-LS information to Traffic Dictator. Refer to the relevant documentation section: https://vegvisir.ie/epe-only-policies/
Take for example policy “R1_ISP4_EPE_ONLY”:
TD1#show run | sec R1_ISP4_EPE_ONLY policy R1_ISP4_EPE_ONLY endpoint 10.100.19.104 service-loopback 103.11.11.11 epe-only priority 7 7 install direct labeled-unicast 192.168.0.101 ! candidate-path preference 100 bandwidth 100 mbps
Verify:
TD1#show traffic-eng policy R1_ISP4_EPE_ONLY detail Detailed traffic-eng policy information: Traffic engineering policy "R1_ISP4_EPE_ONLY" Valid config, Active This is an EPE-only policy Endpoint 10.100.19.104, service-loopback 103.11.11.11 Endpoint type: Egress peer, Topology-id: None, Protocol: epe_only, Router-id: 11.11.11.11 Setup priority: 7, Hold priority: 7 Reserved bandwidth bps: 100000000 Install direct, protocol labeled-unicast, peer 192.168.0.101 Policy index: 2, SR-TE distinguisher: 16777218 Candidate paths: Candidate-path preference 100 Path config valid Metric: igp Path-option: dynamic This path is currently active Calculation results: Topologies: None Segment lists: [100000] BGP-LU next-hop: 11.11.11.11 Policy statistics: Last config update: 2024-09-06 10:40:56,270 Last recalculation: 2024-09-06 10:41:16.650 Policy calculation took 0 miliseconds
Unlike a regular BGP-LU policy, Traffic Dictator sets BGP-LU nexthop not to the next router in IGP topology, but to the node IP configured under “traffic-eng nodes”. So the policy headend can recursively resolve that IP over its MPLS control plane. In this lab it’s SR, but can be also LDP, RSVP or BGP-LU.
Verify on EOS:
R1#sh bgp ipv4 labeled-unicast 103.11.11.11/32 BGP routing table information for VRF default Router identifier 1.1.1.1, local AS number 65002 BGP routing table entry for 103.11.11.11/32 Paths: 2 available 65001 11.11.11.11 labels [ 100000 ] from 192.168.0.1 (111.111.111.111) Origin IGP, metric 0, localpref 500, IGP metric 410, weight 0, tag 0 Received 00:21:31 ago, valid, external, best Community: no-advertise Local MPLS label: 100006 Rx SAFI: MplsLabel Tunnel RIB eligible
R1#show bgp labeled-unicast tunnel | grep 103.11.11.11/32 7 103.11.11.11/32 IS-IS SR IPv4 (13) - [ 100000 ] Yes 0 MED 0 200 0
Multi-domain lab with Cisco XRd
This lab features:
- Seamless MPLS network with 3 separate IS-IS instances, both IPv4 and IPv6
- BGP-LU is used for end-to-end connectivity across different IS-IS instances; no redistribution
- 5 Egress Peers with BGP Peer SID, IPv4 and IPv6
- Anycast SID
- A variety of IPv4 and IPv6 SR-TE multi-domain policies with different constraints, endpoint and path types
- BGP-LS is used to collect IGP and EPE topology information, BGP SR-TE is used to install policies
Topology diagram
Lab configs
Download lab configs from: https://vegvisir.ie/wp-content/uploads/dist/XRd_isis_3topologies.tar.gz
Upload to your containerlab host and extract the archive:
sudo tar -xvf XRd_isis_3topologies.tar.gz
Edit the file “TD_isis_3topologies.clab.yml” to change your XRd container image name to appropriate release (if it’s not 7.10.2).
Run the lab
First run the Traffic Dictator (change the home directory name to yours) :
sudo docker run --name traffic-dictator --hostname TD1 -v /home/dima/TD_isis_3topologies/TD_config_ISIS_3topologies:/usr/local/td/startup-config --privileged -d traffic_dictator:1.2
Then run the containerlab:
sudo containerlab deploy
Wait for several minutes for all nodes to start.
Use the lab
Connect to Traffic Dictator:
sudo docker exec -ti traffic-dictator /bin/bash
From inside container, verify TD is running:
root@TD1:/# systemctl status td ● td.service - Vegvisir Systems Traffic Dictator Loaded: loaded (/etc/systemd/system/td.service; enabled; preset: enabled) Active: active (running) since Tue 2024-06-11 07:49:47 UTC; 11min ago Docs: https://vegvisir.ie/ Main PID: 10653 (traffic_dictato) Tasks: 23 (limit: 10834) Memory: 143.5M CPU: 24.677s CGroup: /system.slice/td.service ├─10653 /bin/bash /usr/local/td/traffic_dictator_start.sh ├─10655 /usr/local/td/td_policy_engine ├─10662 python3 /usr/local/td/traffic_dictator.py ├─10667 python3 /usr/local/td/traffic_dictator.py ├─10678 python3 /usr/local/td/traffic_dictator.py ├─10692 python3 /usr/local/td/traffic_dictator.py ├─10694 python3 /usr/local/td/traffic_dictator.py └─10696 python3 /usr/local/td/traffic_dictator.py
Connect to TDCLI and verify policies:
root@TD1:/# tdcli ### Welcome to the Traffic Dictator CLI! ### TD1#show traf pol Traffic-eng policy information Status codes: * valid, > active, e - EPE only, s - admin down, m - multi-topology Endpoint codes: * active override Policy name Headend Endpoint Color/Service loopback Protocol Reserved bandwidth Priority Status/Reason m*> R1_ISP3_YELLOW_IPV4 1.1.1.1 10.100.28.103 101 SR-TE/direct 100000000 7/7 Active m*> R1_ISP3_YELLOW_IPV6 1.1.1.1 2001:100:28::103 101 SR-TE/direct 100000000 7/7 Active m*> R1_ISP3_YELLOW_IPV6_MIXED 1.1.1.1 2001:100:28::103 102 SR-TE/direct 100000000 7/7 Active m*> R1_ISP4_BLUE_IPV4 1.1.1.1 10.100.29.104 114 SR-TE/direct 100000000 7/7 Active m*> R1_ISP4_BLUE_IPV6 1.1.1.1 2001:100:29::104 115 SR-TE/direct 100000000 7/7 Active m*> R1_R11_BLUE_IPV4 1.1.1.1 11.11.11.11 100 SR-TE/direct 100000000 5/5 Active m*> R1_R11_BLUE_IPV6 1.1.1.1 2002::11 100 SR-TE/direct 100000000 5/5 Active m*> R1_R15_STRICT_IPV4 1.1.1.1 15.15.15.15 103 SR-TE/direct 100000000 7/7 Active m*> R1_R15_STRICT_IPV6 1.1.1.1 2002::15 103 SR-TE/direct 100000000 7/7 Active m*> R1_R15_STRICT_MIXED 1.1.1.1 15.15.15.15 104 SR-TE/direct 100000000 7/7 Active m*> R1_R16_LOOSE_ANYCAST_IPV4 1.1.1.1 16.16.16.16 111 SR-TE/direct 100000000 7/7 Active m*> R1_R16_LOOSE_ANYCAST_IPV6 1.1.1.1 2002::16 111 SR-TE/direct 100000000 7/7 Active m*> R1_R16_LOOSE_ANYCAST_MIXED 1.1.1.1 16.16.16.16 112 SR-TE/direct 100000000 7/7 Active
Note letter “m” indicating those are multi-topology policies.
Configure and verify a multi-topology policy
Take for example a policy that goes through all 3 IGP domains and uses anycast SID shared between R5 and R6, and another anycast SID shared by R11 and R12.
Configuration:
traffic-eng policies ! policy R1_R16_LOOSE_ANYCAST_IPV4 headend 1.1.1.1 topology-id 101 endpoint 16.16.16.16 color 111 binding-sid 15011 priority 7 7 install direct srte 192.168.0.101 ! candidate-path preference 100 explicit-path ANYCAST_IPV4 metric igp bandwidth 100 mbps ! traffic-eng explicit-paths ! explicit-path ANYCAST_IPV4 index 10 loose 56.56.56.56 index 20 loose 11.11.12.12
56.56.56.56 is an anycast IP shared between R5 and R6; 11.11.12.12 is an anycast IP shared between R11 and R12.
Verify the policy:
TD1#show traffic-eng policy R1_R16_LOOSE_ANYCAST_IPV4 detail Detailed traffic-eng policy information: Traffic engineering policy "R1_R16_LOOSE_ANYCAST_IPV4" Valid config, Active Headend 1.1.1.1, topology-id 101, Maximum SID depth: 10 Endpoint 16.16.16.16, color 111 Endpoint type: Node, Topology-id: 103, Protocol: isis, Router-id: 0016.0016.0016.00 Setup priority: 7, Hold priority: 7 Reserved bandwidth bps: 100000000 Install direct, protocol srte, peer 192.168.0.101 Policy index: 10, SR-TE distinguisher: 16777226 Binding-SID: 15011 Candidate paths: Candidate-path preference 100 Path config valid Metric: igp Path-option: explicit Explicit path name: ANYCAST_IPV4 This path is currently active Calculation results: Aggregate metric: 70 Topologies: ['101', '102', '103'] Segment lists: [16056, 16112, 16016] Policy statistics: Last config update: 2024-09-06 10:26:46,386 Last recalculation: 2024-09-06 10:28:36.840 Policy calculation took 1 miliseconds TD1#
Check the BGP SR-TE route:
TD1#show bgp ipv4 srte detail | grep -B8 R1_R16_LOOSE_ANYCAST_IPV4 BGP routing table entry for [96][16777226][111][16.16.16.16] Paths: 1 available, best #1 Last modified: September 06, 2024 10:28:37 Local, inserted - from - (0.0.0.0) Origin igp, metric 0, localpref -, weight 0, valid, -, best Endpoint 16.16.16.16, Color 111, Distinguisher 16777226 Tunnel encapsulation attribute: SR Policy Policy name: R1_R16_LOOSE_ANYCAST_IPV4
Verify on IOS-XR:
RP/0/RP0/CPU0:R1#show bgp ipv4 sr-policy [16777226][111][16.16.16.16]/96 Fri Sep 6 10:32:33.431 UTC BGP routing table entry for [16777226][111][16.16.16.16]/96 Versions: Process bRIB/RIB SendTblVer Speaker 8 8 Last Modified: Sep 6 10:28:37.191 for 00:03:56 Paths: (1 available, best #1, not advertised to any peer) Not advertised to any peer Path #1: Received by speaker 0 Not advertised to any peer 65001 192.168.0.1 from 192.168.0.1 (111.111.111.111) Origin IGP, localpref 100, valid, external, best, group-best Received Path ID 0, Local Path ID 1, version 8 Community: no-advertise Tunnel encap attribute type: 15 (SR policy) bsid 15011, preference 100, num of segment-lists 1 segment-list 1, weight 1 segments: {16056} {16112} {16016} Candidate path is usable (registered) SR policy state is UP, Allocated bsid 15011
RP/0/RP0/CPU0:R1#show segment-routing traffic-eng policy binding-sid 15011 Fri Sep 6 10:32:48.113 UTC SR-TE policy database --------------------- Color: 111, End-point: 16.16.16.16 Name: srte_c_111_ep_16.16.16.16 Status: Admin: up Operational: up for 00:04:09 (since Sep 6 10:28:38.660) Candidate-paths: Preference: 100 (BGP, RD: 16777226) (active) Requested BSID: 15011 Constraints: Protection Type: protected-preferred Maximum SID Depth: 10 Explicit: segment-list (valid) Weight: 1, Metric Type: TE SID[0]: 16056 [Prefix-SID, 56.56.56.56] SID[1]: 16112 SID[2]: 16016 Attributes: Binding SID: 15011 (SRLB) Forward Class: Not Configured Steering labeled-services disabled: no Steering BGP disabled: no IPv6 caps enable: yes Invalidation drop enabled: no Max Install Standby Candidate Paths: 0
Refer to the documentation about multi-domain policies for more details and examples.
Further information
For more details about Traffic Dictator configuration, refer to https://vegvisir.ie/documentation/
Check out also Traffic Dictator White Paper