To meet service security and stability requirements, you can steer data packets to pass through various service nodes as orchestrated in the network. For example, steer data packets to pass through firewalls, IPSs, application accelerators, and NAT devices. SRv6 service function chaining (SFC) is a technology that can meet the requirements. This technology adds SRv6 path information to the original packets to steer the packets to pass through application service devices as orchestrated. The path orchestrated by SRv6 SFC is called an SRv6 service chain.

SRv6 service chain basic concepts

As shown in Figure 1, specific service packets from the user network are steered into the application service nodes in the SRv6 service chain network. After the service nodes process the packets, the packets are forwarded to the destination.

Figure 1 SRv6 service chain network diagram

An SRv6 service chain network contains the following components:

· Service classifier (SC)—Source node of the SRv6 service chain, which is located at the edge of the SRv6 service chain network. The SC can use multiple methods to steer service data to an SRv6 TE policy tunnel.

· Service function (SF)—Node that provides specific application services for data traffic. An application service node that cannot recognize SRv6 packets is called an SRv6-unaware SF. An application service node that can recognize SRv6 packets is called an SRv6-aware SF.

· Service function forwarder (SFF)—Node that acts as a service chain proxy for SFs. Based on the SRv6 decapsulation information of received packets, the SFF forwards the packets to the SFs associated with the SFF. The SFs process the packets, and then return the packets back to the SFF. The SFF determines whether to continue forwarding the packets.

Proxy modes

Static proxy mode

Use this mode if SRv6-unaware SFs are attached to SFFs. Because the SFs cannot recognize SRv6 packets, the SFFs must decapsulate SRv6 packets and deliver the original packets from the user network to the SFs. After the SFs process the original packets, they forward the packets back to the SFFs. The SFFs determine whether to continue forwarding the packets in the SRv6 service chain network. If the SFFs continue forwarding the packets in the SRv6 service chain network, they reencapsulate the packets with SRv6 headers based on the manually configured SID list.

This mode supports only IPv4 inner packets and supports dualhoming protection and bypass protection.

End.AS SIDs are used by an SRv6 service chain to forward packets in static proxy mode. An End.AS SID identifies an SF. The functions of an End.AS SID are as follows:

· For packets delivered from an SFF to an SF, the SFF performs the following operations:

a. Decapsulates the packets.

b. Forwards the packets out of the interface associated with the End.AS SID.

· For packets delivered from an SF to an SFF, the SFF reencapsulates the packets according to one of the following configurations:

¡ The End.AS SID configuration associated with the input interface of the packets.

¡ The End.AS SID configuration associated with the input interface and inbound VLANs of the packets.

Masquerading mode

Use this mode if SRv6-aware SFs are attached to SFFs. Because the SFs can recognize SRv6 packets, the SFFs directly deliver SRv6 packets to the SFs. The SFs process the SRv6 packets without modifying the SRH, and they forward the packets back to the SFFs. The, the SFFs process the packets according to the standard SRv6 traffic forwarding process.

This mode supports IPv4, IPv6, and Ethernet inner packets and does not support dualhoming protection or bypass protection.

End.AM SIDs are used by an SRv6 service chain to forward packets in masquerading mode. An End.AM SID identifies an SF. The functions of an End.AM SID are as follows:

· For packets delivered from an SFF to an SF, the SFF performs the following operations:

a. Replaces the destination IP address of the packets with the first SID value in the SRH (SRH[0]).

b. Forwards the packets out of the interface associated with the End.AM SID.

· For packets delivered from an SF to an SFF, the SFF performs the following operations:

a. Restores the destination IP address of the packets to the SID pointed by the SL field in the SRH.

b. Forwards the packets according to the standard SRv6 traffic forwarding process.

SRv6 service chain traffic forwarding

In static proxy mode

As shown in Figure 2, packets pass through an SRv6 service chain in static proxy mode as follows in an IPv4 L3VPN over SRv6 TE network:

1. After the SC (source node) receives IPv4 packets from the user network, it steers the packets to an SRv6 TE policy. Then, the SC adds an SRH and outer IPv6 header to the packets according to the SRv6 TE policy. The destination address of the SRv6 packets is the End.AS SID of the SFF. The SRH includes path information in the SRv6 TE policy and the End.DT4 SID of the tail node.

2. When the SFF receives the SRv6 packets, it looks up the local SID forwarding table and finds that the destination address of the packets is the local End.AS SID. Then, the SFF records the SL value in the packets and performs the following operations:

a. Removes the outer IPv6 header and SRH from the packets.

b. Forwards the original packets to the SF through the specified output interface.

3. After the SF processes the packets, it forwards the packets back to the SFF.

4. The SFF searches for SID list configuration based on the input interface of the packets or the input interface and inbound VLANs of the packets. Then, the SFF performs the following operations:

a. Reencapsulates the packets as SRv6 packets according to the configured SID list. The SID list in the SRH must be the same as the path in the SRv6 TE policy on the source node (SC). In addition, the SL value in the SRH decreases by 1 based on the SL value recorded in step 2. The destination address of the SRv6 packets is the SID next to the local End.AS SID, which is the End SID of Device C.

b. Looks up the IPv6 routing table for a route that can reach the destination IPv6 address in the packets and forwards the packets.

5. When Device C receives the packets, it looks up the local SID forwarding table and finds that the destination address is the local End SID. Then, Device C processes the packets as follows:

a. Replaces the destination address with D1 (End SID of the tail node).

b. Decreases the SL value by 1.

c. Looks up the IPv6 routing table to forward the packets.

6. After the tail node receives the packets, it looks up the local SID forwarding table and finds that the destination address is D1 (the local End SID). Then, the tail node performs the following operations:

a. Replaces the destination address with D2 (End.DT4 SID of the tail node) and decreases the SL value by 1. The SL value changes to 0.

b. Executes the function of the End.DT4 SID, which is decapsulating the SRv6 packets and forwards the original packets to the public network or the destination VPN instance.

Figure 2 SRv6 service chain traffic forwarding in static proxy mode

In masquerading mode

As shown in Figure 3, packets pass through an SRv6 service chain in masquerading mode as follows in an IPv4 L3VPN over SRv6 TE network:

1. After the SC (source node) receives IPv4 packets from the user network, it steers the packets to an SRv6 TE policy. Then, the SC adds an SRH and outer IPv6 header to the packets according to the SRv6 TE policy. The destination address of the SRv6 packets is the End.AM SID of the SFF. The SRH includes path information in the SRv6 TE policy and the End.DT4 SID of the tail node.

2. When the SFF receives the SRv6 packets, it looks up the local SID forwarding table and finds that the destination address of the packets is the local End.AM SID. Then, the SFF performs the following operations:

a. Replaces the destination IP address of the SRv6 packets with the last SID in the SID list of the SRH. The last SID is the End.DT4 SID of the tail node.

b. Decreases the SL value by 1.

c. Forwards the packets from the output interface bound to the End.AM SID to the SF.

3. The SF processes the packets without modifying the SRv6 packet headers and forwards the packets back to the SFF.

4. The packets return back to the SFF. If an End.AM SID is bound to the input interface or both the input interface and VLAN of the packets, the SFF replaces the destination address of the SRv6 packets according to the SL value in the SRH. The SL value is 2, so the SFF replaces the destination address of the SRv6 packets with C (the next SID of the local End.AM SID, which is the End SID of Device C). The SFF looks up the IPv6 routing table to forward the packets according to the destination IPv6 address.

5. When Device C receives the packets, it looks up the local SID forwarding table and finds that the packet destination address is the local End SID. Then, Device C forwards the packets according to the standard SRv6 traffic forwarding process as follows:

a. Replaces the packet destination address with D1 (the End SID of the tail node).

b. Decreases the SL value by 1.

c. Looks up the IPv6 routing table to forward the packets.

6. When the tail node receives the packets, it looks up the local SID forwarding table and finds that packet destination address D1 is the local End SID. Then, the tail node replaces the destination address with D2 (the End.DT4 SID of the tail node) and decreases the SL value by 1. The SL value changes to 0. Finally, the tail node executes the function of the End.DT4 SID as follows:

a. Decapsulates the SRv6 packets.

b. Forwards the original packets to the matching VPN instance or to the public network.

Figure 3 SRv6 service chain traffic forwarding in masquerading mode

‌

High availability for SRv6 service chains in static proxy mode

IMPORTANT:

This feature is not supported by SRv6 service chains in masquerading mode.

About this feature

As shown in Figure 4, when the SF is unreachable, the SFF discards the packets that should be forwarded to the SF. These packets cannot bypass the SF to reach Device C.

For high availability, the SFF supports dualhoming protection and bypass protection.

· Dualhoming protection—An SF is dualhomed to two SFFs, one SFF is the primary SFF and the other is the backup SFF. When the primary SFF cannot reach the SF, it forwards service traffic to the backup SFF.

· Bypass protection—When an SF fails, packets can bypass the SF to reach the next hop.

Figure 4 Packet forwarding failure caused by unreachable SF

SRv6 service chain traffic forwarding with dualhoming protection

As shown in Figure 5, the SF is dualhomed to SFF 1 and SFF 2. Bypass protection is not configured.

For high availability, perform the following tasks on both SFF 1 and SFF 2:

· Specify the End SID of one SFF as the backup peer SID of the other SFF.

· Use the same locator to allocate the primary and backup End.AS SIDs.

· Configure the same primary and backup End.AS SIDs.

As shown in Figure 5, dualhoming protection acts as follows in packet forwarding:

1. When SFF 1 detects that it cannot reach the SF, it removes the outer IPv6 header and SRH from packets.

2. SFF 1 searches the local configuration and reencapsulates an SRH and IPv6 header to the packets. In the SRH, the SID list includes the backup End.AS SID (X2) and the End SID of SFF 2 (C). In the IPv6 header, the destination address is C.

3. SFF 1 looks up the routing table to forward the packets to the backup SFF SFF 2.

4. When the packets reach SFF 2, SFF 2 detects whether it can reach the SF.

¡ If SFF 2 can reach the SF, it forwards the packets to the SF as in a standard SRv6 service chain traffic forwarding process in static proxy mode.

¡ If SFF 2 cannot reach the SF, it discards the packets.

Figure 5 SRv6 service chain traffic forwarding with dualhoming protection in static proxy mode

SRv6 service chain traffic forwarding with bypass protection

As shown in Figure 6, in the SRv6 service chain network, SF 1 has a bypass protection node, which is SF 2. SF 1 is single-homed to SFF 1 and the bypass protection node SF 2 is single-homed to SFF 2.

To implement bypass protection, enable bypass protection and specify a bypass End.AS SID on SFF 1.

With a bypass End.AS SID specified, bypass protection acts as follows in packet forwarding:

1. When SFF 1 detects that it cannot reach SF 1, it removes the outer IPv6 header and SRH from packets.

2. SFF 1 searches the local configuration and reencapsulates an IPv6 header to the packets. In the IPv6 header, the destination address is C.

3. SFF 1 looks up the routing table to forward the packets to SFF 2.

4. After SFF 2 receives the packets, it forwards the packets as in a standard SRv6 service chain traffic forwarding process in static proxy mode.

Without a bypass End.AS SID specified, SFF 1 skips the End.AS SID of SF 1 when it cannot reach SF 1. The SFF uses the End SID of Device D as the next hop destination address. The packets are forwarded to the tail node according to the SRH.

Figure 6 SRv6 service chain traffic forwarding with bypass protection in static proxy mode

SRv6 service chain traffic forwarding with dualhoming and bypass protection

As shown in Figure 7, in the SRv6 service chain network, SF 1 has a bypass protection node, which is SF 2. SF 1 is dualhomed to SFF 1 and SFF 2 and the bypass protection node SF 2 is single-homed to SFF 3. Dualhoming protection takes precedence over bypass protection. When dualhoming protection is not available or fails, bypass protection applies.

To implement dualhoming protection and bypass protection, perform the following tasks on the SFFs:

· On SFF 1 and SFF 2, specify the End SID of one SFF as the backup peer SID of the other SFF.

· On SFF 1 and SFF 2, use the same locator to allocate the primary and backup End.AS SIDs.

· On SFF 1 and SFF 2, configure the same primary and backup End.AS SIDs.

· On SFF 1 and SFF 2, enable bypass and specify a bypass End.AS SID.

As shown in Figure 7, dualhoming protection and bypass protection act as follows in packet forwarding:

1. SFF 1 forwards packets according to whether it can reach SF 1.

¡ If SFF 1 can reach SF 1, it processes the packets as in a standard SRv6 service chain traffic forwarding process in static proxy mode.

¡ If SFF 1 cannot reach SF 1, it removes the outer IPv6 header and SRH from the packets. Then, SFF 1 reencapsulates an SRH and IPv6 header to the packets according to the local configuration. In the SRH, the SID list contains the backup End.AS SID (X2) and the End SID of SFF 2 (C). In the IPv6 header, the destination address is C. Finally, SFF 1 looks up the routing table to forward the packets to SFF 2.

2. When SFF 2 receives the packets, it processes the packets according to whether it can reach SF 1.

¡ If SFF 2 can reach SF 1, it forwards the packets as in a standard SRv6 service chain traffic forwarding process in static proxy mode.

¡ If SFF 2 cannot reach SF 1, it starts the bypass protection forwarding process. SFF 2 removes the outer IPv6 header and SRH from the packets. According to the local configuration, SFF 2 reencapsulates an SRH and IPv6 header to the packets. In the SRH, the SID list only contains the bypass End.AS SID (D). In the IPv6 header, the destination address is D. Then, SFF 2 looks up the routing table to forward the packets to SFF 3.

3. When SFF 3 receives the packets, it processes the packets according to whether it can reach the bypass protection node SF 2.

¡ If SFF 3 can reach SF 2, it processes the packets as in a standard SRv6 service chain traffic forwarding process in static proxy mode.

¡ If SFF 3 cannot reach SF 2, it discards the packets.

Figure 7 SRv6 service chain traffic forwarding with dualhoming and bypass protection in static proxy mode

Restrictions and guidelines: SRv6 service chain configuration

This feature is supported only in IP L3VPN over SRv6 networks and EVPN L3VPN over SRv6 networks.

An SRv6 service chain in static proxy mode can process only packets whose inner protocol is IPv4.

An SRv6 service chain in masquerading mode can process packets whose inner protocol is IPv4, IPv6, or Ethernet.

An SRv6 service chain in masquerading mode does not support dualhoming protection and bypass protection.

To avoid SRv6 packet loops on an SFF in a masquerading-mode SRv6 service chain, execute the undo ipv6 fast-forwarding load-sharing command on the SFF if it is connected to multiple SFs.

SRv6 service chain tasks at a glance (static proxy mode)

To configure an SRv6 service chain in static proxy mode, perform the following tasks:

1. Configuring SRv6 TE policy traffic steering

Perform this task on the SC to steer traffic to an SRv6 TE policy tunnel according to service requirements. For more information about traffic steering, see "Configuring SRv6 TE policies."

2. Configure basic settings for an SRv6 service chain in static proxy mode on an SFF

¡ Creating an SRv6 service chain in static proxy mode

¡ Configuring the packet encapsulation method for an SRv6 service chain in static proxy mode

¡ Configuring packet reencapsulation parameters for an SRv6 service chain in static proxy mode

¡ (Optional.) Configuring the DiffServ mode for an SRv6 service chain in static proxy mode

¡ (Optional.) Configuring the TTL mode for an SRv6 service chain in static proxy mode

3. Configuring dualhoming protection for an SRv6 service chain in static proxy mode

4. Configuring bypass protection for an SRv6 service chain in static proxy mode

5. Using static BFD in echo packet mode to detect SF reachability

SRv6 service chain tasks at a glance (masquerading mode)

To configure an SRv6 service chain in masquerading mode, perform the following tasks:

1. Configuring SRv6 TE policy traffic steering

Perform this task on the SC to steer traffic to an SRv6 TE policy tunnel according to service requirements. For more information about traffic steering, see "Configuring SRv6 TE policies."

2. Configure basic settings for an SRv6 service chain in masquerading mode on an SFF

¡ Creating an SRv6 service chain in masquerading mode

¡ Configuring the packet encapsulation method for an SRv6 service chain in masquerading mode

Prerequisites for SRv6 service chain configuration

Before you configure an SRv6 service chain, complete the following tasks:

· Determine device roles in the service chain network. Configure IGP among the devices to realize IPv6 network connectivity and advertise SRv6 SIDs.

· Plan the service chain explicit path and SRv6 TE policy path.

· Configure VPN instances on the SC and tail node as needed and bind interfaces to the VPN instances.

Creating an SRv6 service chain

Creating an SRv6 service chain in static proxy mode

About this task

Perform this task on an SFF to configure an End.AS SID to associate an SF with the SFF, create an SRv6 service chain in static proxy mode, and enter SRv6 service chain static proxy view.

In SRv6 service chain static proxy view, specify the protocol type of original packets supported by the SFF. If you do not specify a protocol type, the SFF cannot forward the original packets to the SF associated with the SFF.

Restrictions and guidelines

In a dualhoming protection scenario, the End.AS SID and End SID on each SFF must belong to different locators.

An SFF can forward only original packets of the IPv4 protocol type to its associated SF.

Procedure

1. Enter system view.

system-view

2. Enable SRv6 and enter SRv6 view.

segment-routing ipv6

3. Create an SRv6 locator and enter SRv6 locator view.

locator locator-name [ ipv6-prefix ipv6-address prefix-length [ args args-length | static static-length ] * ]

4. Configure an End.AS opcode and enter SRv6 service chain static proxy view.

opcode opcode end-as

5. Allow the SFF to send original packets of the IPv4 protocol type to the SF associated with it.

inner-type ipv4

By default, the SFF cannot send original packets of any protocol type to an SF.

Creating an SRv6 service chain in masquerading mode

1. Enter system view.

system-view

2. Enable SRv6 and enter SRv6 view.

segment-routing ipv6

3. Configure an SRv6 locator and enter SRv6 locator view.

locator locator-name [ ipv6-prefix ipv6-address prefix-length [ args args-length | static static-length ] * ]

4. Configure an End.AM SID opcode and enter SRv6 service chain masquerading view.

opcode opcode end-am

Configuring the encapsulation method for packets between a pair of SFF and SF

Configuring the packet encapsulation method for an SRv6 service chain in static proxy mode

About this task

An SF can access an SFF through a Layer 2 or Layer 3 interface. According to the interface type, you can configure the encapsulation method for packets between the SFF and SF to ensure correct packet forwarding.

An SF might have multiple VMs to load share traffic for the same application service. You can configure the packet encapsulation method multiple times for the same SRv6 service chain in static proxy mode in order to distribute the application service traffic among the VMs.

Restrictions and guidelines

To ensure correct forwarding, do not bind other services such as VPN instances to an interface if that interface is specified as the input or output interface of an SRv6 service chain in static proxy mode.

An SRv6 service chain in static proxy mode supports only one packet encapsulation method. You cannot configure both Layer 2 and Layer 3 encapsulation methods for the service chain.

The same input interface cannot be shared by an SRv6 service chain in static proxy mode and an SRv6 service chain in masquerading mode.

Layer 3 encapsulation supports only Layer 3 output interfaces and Layer 3 input interfaces. VLAN interfaces cannot be used as output interfaces or input interfaces for Layer 2 encapsulation.

When you configure Layer 2 encapsulation, follow these restrictions and guidelines:

· Each SRv6 service chain in static proxy mode must have unique input interfaces, inner inbound VLAN IDs, and outer inbound VLAN IDs.

· In an SRv6 service chain in static proxy mode, the same output interface and inner and outer outbound VLAN IDs can be associated with only one input interface. If you associate different input interfaces with the same output interface and inner and outer outbound VLAN IDs for the SRv6 service chain, the most recent configuration takes effect.

For Layer 3 encapsulation, each SRv6 service chain in static proxy mode must have unique input interfaces. In the same SRv6 service chain in static proxy mode, one output interface can be associated with only one input interface.

Procedure

1. Enter system view.

system-view

2. Enter SRv6 view.

segment-routing ipv6

3. Enter SRv6 locator view.

locator locator-name [ ipv6-prefix ipv6-address prefix-length [ args args-length | static static-length ] * ]

4. Enter SRv6 service chain static proxy view.

opcode opcode end-as

5. Configure the encapsulation method for packets forwarded between the SFF and SF. Choose one of the following tasks:

¡ Configure Layer 2 encapsulation for packets forwarded between the SFF and SF.

encapsulation eth out-interface out-interface-type out-interface-number [ out-s-vlan out-svid [ out-c-vlan out-cvid ] ] in-interface in-interface-type in-interface-number [ in-s-vlan in-svid [ in-c-vlan in-cvid ] ] [ dest-mac dest-mac ]

By default, Layer 2 encapsulation is not configured for packets forwarded between the SFF and SF.

To load share traffic, execute this command multiple times to specify multiple interfaces or VLANs.

¡ Configure Layer 3 encapsulation for inner IPv4 packets forwarded between the SFF and SF.

encapsulation ipv4 nexthop nexthop-addr out-interface out-interface-type out-interface-number in-interface in-interface-type in-interface-number [ symmetric-index index-value ]

By default, Layer 3 encapsulation is not configured for inner IPv4 packets forwarded between the SFF and SF.

To load share traffic, execute this command multiple times to specify multiple next hops.

Configuring the packet encapsulation method for an SRv6 service chain in masquerading mode

About this task

Restrictions and guidelines

To ensure correct forwarding, do not bind other services such as VPN instances to an interface if that interface is specified as the input or output interface of an SRv6 service chain.

An SRv6 service chain in masquerading mode supports only one packet encapsulation method. You cannot configure both the Layer 2 and Layer 3 encapsulation methods for the same SRv6 service chain in masquerading mode.

When you configure input interfaces, follow these restrictions and guidelines:

· The same input interface cannot be shared by an SRv6 service chain in static proxy mode and an SRv6 service chain in masquerading mode.

· Multiple SRv6 service chains in masquerading mode can share the same input interface.

· Layer 3 encapsulation supports only Layer 3 input interfaces. VLAN interfaces cannot be used as input interfaces for Layer 2 encapsulation.

When you configure output interfaces and outer outbound VLAN IDs, follow these restrictions and guidelines:

· Layer 3 encapsulation supports only Layer 3 output interfaces. VLAN interfaces cannot be used as output interfaces for Layer 2 encapsulation.

· For Layer 2 encapsulation, the same output interface and inner and outer outbound VLAN IDs can be associated with only one input interface in an SRv6 service chain in masquerading mode. If you associate different input interfaces with the same output interface and inner and outer outbound VLAN IDs for the SRv6 service chain, the most recent configuration takes effect.

· For Layer 3 encapsulation, one output interface can be associated with only one input interface in an SRv6 service chain in masquerading mode.

Procedure

1. Enter system view.

system-view

2. Enter SRv6 view.

segment-routing ipv6

3. Enter SRv6 locator view.

locator locator-name [ ipv6-prefix ipv6-address prefix-length [ args args-length | static static-length ] * ]

4. Enter SRv6 service chain masquerading view.

opcode opcode end-am

5. Configure the encapsulation method for packets forwarded between the SFF and SF. Choose one of the following tasks:

¡ Configure Layer 2 encapsulation for packets forwarded between the SFF and SF.

By default, Layer 2 encapsulation is not configured for packets forwarded between an SFF and SF.

To load share traffic, execute this command multiple times to specify multiple interfaces or VLANs.

¡ Configure Layer 3 encapsulation for IPv6 packets forwarded between the SFF and SF.

encapsulation ipv6 nexthop nexthop-addr out-interface out-interface-type out-interface-number in-interface in-interface-type in-interface-number

By default, Layer 3 encapsulation is not configured for IPv6 packets forwarded between an SFF and SF.

To load share traffic, execute this command multiple times to specify multiple next hops.

Configuring packet reencapsulation parameters for an SRv6 service chain in static proxy mode

About this task

In static proxy mode, when packets return back to an SFF after they are processed by the SF associated with the SFF, they do not have an outer IPv6 header or SRH. To continue forwarding the packets in the SRv6 service chain network, the SFF must reencapsulate an SRH and outer IPv6 header to the packets. Perform this task to configure packet reencapsulation parameters on the SFF.

When the SFF receives packets forwarded from its associated SF, it searches for a matching service chain in static proxy mode based on the input interface of the packets. Then, the SFF adds an SRH and outer IPv6 header to the packets. The SRH contains the SID list configured for the service chain by using the cache list command. The destination address in the outer IPv6 header is the SID next to the local End.AS SID in the SID list. The source address in the outer IPv6 header is the source IPv6 address manually specified by using the cache source-address command.

Restrictions and guidelines

Specify the SID value of each node in the forwarding path according to the number of hops to the source node. The fewer the hops to the source node, the closer the SID position to the front of the SID list.

To avoid loops, each SID in the specified SID list must be unique.

The SID list must contain a minimum of two SIDs and must contain End.AS SIDs. The last SID in the SID list must be an End.DT4 SID.

The explicit path of the specified SID list must be consistent with the end-to-end path in the SRv6 TE policy on the SC.

Procedure

1. Enter system view.

system-view

2. Enter SRv6 view.

segment-routing ipv6

3. Enter SRv6 locator view.

locator locator-name [ ipv6-prefix ipv6-address prefix-length [ args args-length | static static-length ] * ]

4. Enter SRv6 service chain static proxy view.

opcode opcode end-as

5. Specify the source IPv6 address that will be reencapsulated to the packets received from the SF associated with the SFF.

cache source-address ipv6-address

By default, no source IPv6 address is specified for the SFF to reencapsulate the packets received from its associated SF. The SFF discards the packets.

6. Specify the SID list that will be reencapsulated to the packets received from the SF associated with the SFF.

cache list sid-list

By default, no SID list is specified for the SFF to reencapsulate the packets received from its associated SF.

Configuring the DiffServ mode for an SRv6 service chain in static proxy mode

About this task

In static proxy mode, perform this task on an SFF to configure the DiffServ mode for packets forwarded between the SFF and its associated SF. By default, the DiffServ mode for an SRv6 service chain in static proxy mode is uniform. If you set the mode to pipe, you must also specify the service class and color.

· Pipe mode—In this mode, packets are processed as follows:

¡ In the inbound direction (from SF to SFF), the SFF ignores the IP precedence or DSCP value in the incoming packets. Instead, the SFF uses the specified service class as the priority and uses the specified color as the color flag when it reencapsulates the packets as SRv6 packets. In the SRv6 network, devices perform QoS scheduling for the packets based on the specified service class and color.

¡ In the outbound direction (from SFF to SF), the SFF removes the outer IPv6 header and SRH without modifying the IP precedence, DSCP, or color in the original packets.

· Uniform mode—In this mode, packets are processed as follows:

¡ In the inbound direction (from SF to SFF), the SFF maps the IP precedence or DSCP value in the original packets to the outer IPv6 header when it reencapsulates the packets. The color of the original packets is not mapped to the outer IPv6 header.

¡ In the outbound direction (from SFF to SF), the SFF removes the outer IPv6 header and SRH from outgoing packets. Then, the SFF maps the priority value in the outer IPv6 header to the IP precedence or DSCP of the original packets. The color of the outer IPv6 header is not mapped to the original packets.

Restrictions and guidelines

For more information about IP precedence, DSCP, and color, see QoS configuration in ACL and QoS Configuration Guide.

Procedure

1. Enter system view.

system-view

2. Enter SRv6 view.

segment-routing ipv6

3. Enter SRv6 locator view.

locator locator-name [ ipv6-prefix ipv6-address prefix-length [ args args-length | static static-length ] * ]

4. Enter SRv6 service chain static proxy view.

opcode opcode end-as

5. Configure the DiffServ mode for the SRv6 service chain in static proxy mode.

sfc diffserv-mode pipe service-class color

By default, the DiffServ mode is uniform for an SRv6 service chain in static proxy mode.

Configuring the TTL mode for an SRv6 service chain in static proxy mode

About this task

In static proxy mode, perform this task on an SFF to configure the TTL mode for packets forwarded back to the SFF from its associated SF.

· Uniform mode—When packets are forwarded back to the SFF, the SFF decreases the TTL value in the original packets by 1 and encapsulates the TTL to the reencapsulated outer IPv6 header.

· Pipe mode—When packets are forwarded back to the SFF, the SFF decreases the specified TTL value by 1 and encapsulates the TTL to the reencapsulated outer IPv6 header.

Procedure

1. Enter system view.

system-view

2. Enter SRv6 view.

segment-routing ipv6

3. Enter SRv6 locator view.

locator locator-name [ ipv6-prefix ipv6-address prefix-length [ args args-length | static static-length ] * ]

4. Enter SRv6 service chain static proxy view.

opcode opcode end-as

5. Configure the TTL mode for the SRv6 service chain in static proxy mode.

sfc ttl-mode pipe ttl-value

By default, the TTL mode is uniform for an SRv6 service chain in static proxy mode.

Configuring dualhoming protection for an SRv6 service chain in static proxy mode

Restrictions and guidelines

The End.AS SID and End SID on an SFF must belong to different locators.

Make sure the SFFs in a dualhoming protection scenario are configured with the same primary and backup End.AS opcodes.

Make sure the static SIDs on the SFFs do not conflict with each other.

Procedure

1. Enter system view.

system-view

2. Enter SRv6 view.

segment-routing ipv6

3. Specify the End SID of the peer SFF as the backup peer SID.

proxy peer-sid peer-sid

By default, no backup peer SID is specified for dualhoming protection.

In a dualhoming protection scenario, specify the End SID of the peer SFF as the backup peer SID on each SFF.

4. Enter SRv6 locator view.

locator locator-name [ ipv6-prefix ipv6-address prefix-length [ args args-length | static static-length ] * ]

5. Enter SRv6 service chain static proxy view.

opcode opcode end-as

6. Specify a backup End.AS SID opcode for SRv6 service chain dualhoming protection in static proxy mode.

backup-opcode func-opcode

By default, no backup End.AS SID opcode is specified for SRv6 service chain dualhoming protection in static proxy mode.

The primary and backup End.AS SIDs on both SFFs must belong to the same locator. Use different opcodes to distinguish the primary and backup End.AS SIDs on the SFFs.

Configuring bypass protection for an SRv6 service chain in static proxy mode

Restrictions and guidelines

Dualhoming protection takes precedence over bypass protection. If dualhoming protection is not available or fails, bypass protection applies.

Procedure

1. Enter system view.

system-view

2. Enter SRv6 view.

segment-routing ipv6

3. Enter SRv6 locator view.

locator locator-name [ ipv6-prefix ipv6-address prefix-length [ args args-length | static static-length ] * ]

4. Enter SRv6 service chain static proxy view.

opcode opcode end-as

5. Enable bypass and specify a bypass End.AS SID.

bypass [ sid ipv6-address ]

By default, bypass is disabled.

To ensure correct packet forwarding when the SF associated with the SFF is unreachable and the network does not have a bypass SF, enable bypass without specifying a bypass End.AS SID. In this case, the SFF skips the End.AS SID of the current SF and uses the next SID in the SRH as the next hop destination address. The data traffic is forwarded to the tail node according to the SRH.

Using static BFD in echo packet mode to detect SF reachability

About this task

Perform this task on an SFF to use a static BFD session in echo packet mode to detect the reachability of the SF associated with that SFF. When the SF is unreachable, the system can quickly trigger dualhoming protection or bypass protection for the SRv6 service chain in static proxy mode.

Restrictions and guidelines

Layer 2 encapsulation does not support this feature in the current software version.

You only need to create a static BFD session on the local SFF.

When creating a static BFD session on an SFF, you must specify the IPv4 address of the SF associated with that SFF as the peer address of the session. The system only checks the IPv4 address format and does not validate it. To ensure successful static BFD session establishment, make sure the peer IP address and source IP address are correct for the session.

The local discriminator of each static BFD session must be unique.

When creating a static BFD session, you can specify a source IPv4 address for echo packets or not.

· If you do not specify a source IPv4 address, the system uses the IPv4 address specified by using the bfd echo-source-ip command as the source IPv4 address of echo packets.

· If you specify a source IPv4 address, the system uses the specified IPv4 address as the source IPv4 address of echo packets. As a best practice, specify a source IP address when creating a static BFD session in echo packet mode.

For more information about the commands in this section, see BFD commands in High Availability Command Reference.

Procedure

1. Enter system view.

system-view

2. Configure the source IPv4 address of echo packets.

bfd echo-source-ip ip-address

By default, no source IPv4 address is configured for echo packets.

The source IP address cannot be on the same network segment as any local interface's IP address. This avoids the peer from sending a large number of ICMP redirect packets to cause network congestion.

3. Create a static BFD session and enter static BFD session view.

bfd static session-name [ peer-ip ipv4-address interface interface-type interface-number destination-ip ipv4-address [ source-ip ipv4-address ] one-arm-echo [ discriminator auto ] ]

4. (Optional.) Specify the local discriminator for the static BFD session.

discriminator local local-value

By default, no local discriminator is specified for a static BFD session.

Use this command only if no local discriminator is specified for a static BFD session when the session is created.

Verifying and maintaining SRv6 service chains

Displaying SRv6 service chain information

To display forwarding entry information about SRv6 service chains in static proxy mode, execute the following command in any view:

display segment-routing ipv6 sfc forwarding [ locator locator-name [ opcode operation-code ] ] [ nid-value ]

SRv6 service chain configuration examples

Example: Configuring an SRv6 service chain in masquerading mode with Layer 3 encapsulation

Network configuration

As shown in Figure 8, CE 1 and CE 2 belong to one VPN instance. In the network, deploy an SRv6 service chain in masquerading mode to orchestrate the service traffic from CE 1 to pass through the SF to reach CE 2.

SFF 1 is connected to the SF through a Layer 3 Ethernet interface. Layer 3 encapsulation is used for packets forwarded between the SFF and SF.

To meet the requirements, perform the following tasks:

· On the SC and tail node, configure the VPN instance settings and steer service traffic to an SRv6 TE policy. The forwarding path in the policy is SC—> SFF 1 —> SF —> Tail.

· On SFF 1, configure an SRv6 service chain in masquerading mode with Layer 3 encapsulation.

Figure 8 Network diagram

‌

Device	Interface	IP address	Device	Interface	IP address
SC	Loop1	1::1/128	SFF 1	Loop1	2::2/128
	GE0/0/1	16.0.0.2/30		GE0/0/1	100::2/96
	GE0/0/2	100::1/96		GE1/0/2	10::1/96
SF	-	10::2/96		GE1/0/3	400::1/96
Tail	Loop1	5::5/128	CE 1	Loop1	6.6.6.6/32
	GE0/0/1	57.0.0.1/30		GE0/0/1	16.0.0.1/30
	GE0/0/2	400::2/96	CE 2	Loop1	7.7.7.7/32
				GE0/0/1	57.0.0.2/30

Prerequisites

· Plan SRv6 SIDs on each device.

¡ On the SC, the network of locator a is 1000::/64, the End SID is 1000::1, and the End.DT4 SID is 1000::2.

¡ On SFF 1, the network of locator b is 2000::/64, the End SID is 2000::1, the network of locator am1 is 2001::/64, and the End.AM SID is 2001::1.

¡ On the tail node, the network of locator e is 5000::/64, the End SID is 5000::1, and the End.DT4 SID is 5000::2.

· Plan the traffic forwarding tunnel and the explicit path of the tunnel. In this example, traffic on the SC is forwarded to the tail node through the explicit path of an SRv6 TE policy. In the forwarding path, SFF 1 forwards the traffic to the SF. The SF processes the traffic and forwards the traffic back to SFF 1. SFF 1 forwards the traffic to the tail node.

Procedure

1. On the SC, SFF 1, and the tail node, configure IPv6 IS-IS to ensure their reachability over the backbone network:

# Configure the SC.

<SC> system-view

[SC] isis 1

[SC-isis-1] is-level level-2

[SC-isis-1] cost-style wide

[SC-isis-1] network-entity 10.1111.1111.1111.00

[SC-isis-1] address-family ipv6 unicast

[SC-isis-1-ipv6] quit

[SC-isis-1] quit

[SC] interface loopback 1

[SC-LoopBack1] ipv6 address 1::1 128

[SC-LoopBack1] isis ipv6 enable 1

[SC-LoopBack1] quit

[SC] interface gigabitethernet 0/0/2

[SC-GigabitEthernet0/0/2] ipv6 address 100::1 96

[SC-GigabitEthernet0/0/2] isis ipv6 enable

[SC-GigabitEthernet0/0/2] quit

# Configure SFF 1.

<SFF1> system-view

[SFF1] isis

[SFF1-isis-1] is-level level-2

[SFF1-isis-1] cost-style wide

[SFF1-isis-1] network-entity 10.2222.2222.2222.00

[SFF1-isis-1] address-family ipv6 unicast

[SFF1-isis-1-ipv6] quit

[SFF1-isis-1] quit

[SFF1] interface loopback 1

[SFF1-LoopBack1] ipv6 address 2::2 128

[SFF1-LoopBack1] isis ipv6 enable

[SFF1-LoopBack1] quit

[SFF1] interface gigabitethernet 0/0/1

[SFF1-GigabitEthernet0/0/1] ipv6 address 100::2 96

[SFF1-GigabitEthernet0/0/1] isis ipv6 enable

[SFF1-GigabitEthernet0/0/1] quit

[SFF1] interface gigabitethernet 0/0/3

[SFF1-GigabitEthernet0/0/3] ipv6 address 400::1 96

[SFF1-GigabitEthernet0/0/3] isis ipv6 enable

[SFF1-GigabitEthernet0/0/3] quit

# Configure the tail node.

<Tail> system-view

[Tail] isis

[Tail-isis-1] is-level level-2

[Tail-isis-1] cost-style wide

[Tail-isis-1] network-entity 10.5555.5555.5555.00

[Tail-isis-1] address-family ipv6 unicast

[Tail-isis-1-ipv6] quit

[Tail-isis-1] quit

[Tail] interface loopback 1

[Tail-LoopBack1] ipv6 address 5::5 128

[Tail-LoopBack1] isis ipv6 enable

[Tail-LoopBack1] quit

[Tail] interface gigabitethernet 0/0/2

[Tail-GigabitEthernet0/0/2] ipv6 address 400::2 96

[Tail-GigabitEthernet0/0/2] isis ipv6 enable

[Tail-GigabitEthernet0/0/2] quit

# Verify that the SC, SFF 1, and the tail node can establish IPv6 IS-IS neighbor relationship with each other. Execute the display isis peer command on each device to verify that the neighbors are in up state. (Details not shown.)

# Execute the display isis route ipv6 command on the SC and tail node to verify that they have learned the routes of loopback interfaces to reach each other. (Details not shown.)

2. On the SC and tail node, configure VPN instance settings to allow CE 1 and CE 2 to access the SC and tail node, respectively, in a VPN instance:

# Configure the SC.

[SC] ip vpn-instance vpn1

[SC-vpn-instance-vpn1] route-distinguisher 100:1

[SC-vpn-instance-vpn1] vpn-target 111:1

[SC-vpn-instance-vpn1] quit

[SC] interface gigabitethernet 0/0/1

[SC-GigabitEthernet0/0/1] ip binding vpn-instance vpn1

[SC-GigabitEthernet0/0/1] ip address 16.0.0.2 30

[SC-GigabitEthernet0/0/1] quit

# Configure the tail node.

[Tail] ip vpn-instance vpn1

[Tail-vpn-instance-vpn1] route-distinguisher 100:1

[Tail-vpn-instance-vpn1] vpn-target 111:1

[Tail-vpn-instance-vpn1] quit

[Tail] interface gigabitethernet 0/0/1

[Tail-GigabitEthernet0/0/1] ip binding vpn-instance vpn1

[Tail-GigabitEthernet0/0/1] ip address 57.0.0.1 24

[Tail-GigabitEthernet0/0/1] quit

# Configure IP addresses for interfaces on the CEs. (Details not shown.)

# On the SC and tail node, display VPN instance configuration to verify that the configuration is correct. Verify that the SC and tail node can ping their CEs. (This step uses the SC and CE 1 as an example.)

[SC] display ip vpn-instance

Total VPN-Instances configured : 1

Total IPv4 VPN-Instances configured : 1

Total IPv6 VPN-Instances configured : 1

VPN-Instance Name RD Address family Create time

vpn1 100:1 IPv4/IPv6 2020/10/29 13:59:39

[SC] ping -vpn-instance vpn1 16.0.0.1

Ping 16.0.0.1 (16.0.0.1): 56 data bytes, press CTRL+C to break

56 bytes from 16.0.0.1: icmp_seq=0 ttl=255 time=2.000 ms

56 bytes from 16.0.0.1: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 16.0.0.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 16.0.0.1: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 16.0.0.1: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 16.0.0.1 in VPN instance vpn1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/2.000/0.800 ms

3. Configure the SC and tail node to establish EBGP peer relationship with their connected CEs and redistribute VPN routes:

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp-default] peer 16.0.0.2 as-number 100

[CE1-bgp-default] address-family ipv4 unicast

[CE1-bgp-default-ipv4] peer 16.0.0.2 enable

[CE1-bgp-default-ipv4] import-route direct

[CE1-bgp-default-ipv4] quit

[CE1-bgp-default] quit

# Configure CE 2 in the same way CE 1 is configured. (Details not shown.)

# Configure the SC.

[SC] bgp 100

[SC-bgp-default] router-id 1.1.1.1

[SC-bgp-default] ip vpn-instance vpn1

[SC-bgp-default-vpn1] peer 16.0.0.1 as-number 65410

[SC-bgp-default-vpn1] address-family ipv4 unicast

[SC-bgp-default-ipv4-vpn1] peer 16.0.0.1 enable

[SC-bgp-default-ipv4-vpn1] quit

[SC-bgp-default-vpn1] quit

# Configure the tail node in the same way the SC is configured. (Details not shown.)

# On the SC and tail node, execute the display bgp peer ipv4 vpn-instance command to verify that they have established BGP peer relationship with their connected CEs. The peer relationship is in Established state. (Details not shown.)

4. Establish VPNv4 peer relationship between the SC and tail node:

# Configure the SC.

[SC] bgp 100

[SC-bgp-default] peer 5::5 as-number 100

[SC-bgp-default] peer 5::5 connect-interface loopback 1

[SC-bgp-default] address-family vpnv4

[SC-bgp-default-vpnv4] peer 5::5 enable

[SC-bgp-default-vpnv4] quit

[SC-bgp-default] quit

# Configure the tail node.

[Tail] bgp 100

[Tail-bgp-default] peer 1::1 as-number 100

[Tail-bgp-default] peer 1::1 connect-interface loopback 1

[Tail-bgp-default] address-family vpnv4

[Tail-bgp-default-vpnv4] peer 1::1 enable

[Tail-bgp-default-vpnv4] quit

[Tail-bgp-default] quit

# On the SC and tail node, execute the display bgp peer vpnv4 command to verify that they have established VPNv4 peer relationship with each other. The peer relationship is in Established state. (Details not shown.)

5. Configure End SIDs and End.DT4 SIDs, and advertise the locators of the SIDs by using an IGP:

# Configure the SC.

[SC] segment-routing ipv6

[SC-segment-routing-ipv6] encapsulation source-address 11::11

[SC-segment-routing-ipv6] locator a ipv6-prefix 1000::1 64 static 32

[SC-segment-routing-ipv6-locator-a] opcode 1 end

[SC-segment-routing-ipv6-locator-a] opcode 2 end-dt4 vpn-instance vpn1

[SC-segment-routing-ipv6-locator-a] quit

[SC-segment-routing-ipv6] quit

[SC] isis 1

[SC-isis-1] address-family ipv6 unicast

[SC-isis-1-ipv6] segment-routing ipv6 locator a

[SC-isis-1-ipv6] quit

[SC-isis-1] quit

# Configure SFF 1.

[SFF1] segment-routing ipv6

[SFF1-segment-routing-ipv6] encapsulation source-address 22::22

[SFF1-segment-routing-ipv6] locator b ipv6-prefix 2000::1 64 static 32

[SFF1-segment-routing-ipv6-locator-b] opcode 1 end

[SFF1-segment-routing-ipv6-locator-b] quit

[SFF1-segment-routing-ipv6] quit

[SFF1] isis 1

[SFF1-isis-1] address-family ipv6 unicast

[SFF1-isis-1-ipv6] segment-routing ipv6 locator b

[SFF1-isis-1-ipv6] quit

[SFF1-isis-1] quit

# Configure the tail node.

[Tail] segment-routing ipv6

[Tail-segment-routing-ipv6] encapsulation source-address 55::55

[Tail-segment-routing-ipv6] locator e ipv6-prefix 5000::1 64 static 32

[Tail-segment-routing-ipv6-locator-e] opcode 1 end

[Tail-segment-routing-ipv6-locator-e] opcode 2 end-dt4 vpn-instance vpn1

[Tail-segment-routing-ipv6-locator-e] quit

[Tail-segment-routing-ipv6] quit

[Tail] isis 1

[Tail-isis-1] address-family ipv6 unicast

[Tail-isis-1-ipv6] segment-routing ipv6 locator e

[Tail-isis-1-ipv6] quit

[Tail-isis-1] quit

# On the SC and tail node, verify that the End.DT4 SIDs have been redistributed to the routing table and SRv6 routes have been generated. This example only displays the routing table information on the SC.

[SC] display ipv6 routing-table protocol srv6

Summary count : 8

SRv6 Routing table status : <Active>

Summary count : 8

Destination: 1000::2/128 Protocol : SRv6

NextHop : ::1 Preference: 4

Interface : InLoop0 Cost : 0

SRv6 Routing table status : <Inactive>

Summary count : 0

6. On the SC and tail node, add End.DT4 SIDs to private network routes, exchange End.DT4 SIDs between peers, and allow the devices to recurse private network routes to End.DT4 SID routes:

# Configure the SC.

[SC] bgp 100

[SC-bgp-default] address-family vpnv4

[SC-bgp-default-vpnv4] peer 5::5 prefix-sid

[SC-bgp-default-vpnv4] quit

[SC-bgp-default] ip vpn-instance vpn1

[SC-bgp-default-vpn1] address-family ipv4 unicast

[SC-bgp-default-ipv4-vpn1] segment-routing ipv6 locator a

[SC-bgp-default-ipv4-vpn1] segment-routing ipv6 traffic-engineering best-effort

[SC-bgp-default-ipv4-vpn1] quit

[SC-bgp-default-vpn1] quit

[SC-bgp-default] quit

# Configure the tail node.

[Tail] bgp 100

[Tail-bgp-default] address-family vpnv4

[Tail-bgp-default-vpnv4] peer 1::1 prefix-sid

[Tail-bgp-default-vpnv4] quit

[Tail-bgp-default] ip vpn-instance vpn1

[Tail-bgp-default-vpn1] address-family ipv4 unicast

[Tail-bgp-default-ipv4-vpn1] segment-routing ipv6 locator e

[Tail-bgp-default-ipv4-vpn1] segment-routing ipv6 traffic-engineering best-effort

[Tail-bgp-default-ipv4-vpn1] quit

[Tail-bgp-default-vpn1] quit

[Tail-bgp-default] quit

# On the SC, display detailed information about the VPNv4 route advertised by the tail node to verify that the route has SRv6 SID attribute data. On the tail node, display detailed information about the VPNv4 route advertised by the SC to verify that the route has SRv6 SID attribute data. If the SC and tail node have received the VPNv4 routes that carry SRv6 SID attribute data from each other, they have established an SRv6-BE tunnel. (This example only displays information on the SC.)

[SC] display bgp routing-table vpnv4 7.7.7.7

BGP local router ID: 1.1.1.1

Local AS number: 100

Route distinguisher: 100:1(vpn1)

Total number of routes: 1

Paths: 1 available, 1 best

BGP routing table information of 7.7.7.7/32:

From : 5::5 (5.5.5.5)

Rely nexthop : FE80::2A96:34FF:FE9D:216

Original nexthop: 5::5

Out interface : GigabitEthernet0/0/2

Route age : 00h14m23s

OutLabel : 3

Ext-Community : <RT: 111:1>

RxPathID : 0x0

TxPathID : 0x0

PrefixSID : End.DT4 SID <5000::2>

AS-path : 65420

Origin : incomplete

Attribute value : MED 0, localpref 100, pref-val 0

State : valid, internal, best

IP precedence : N/A

QoS local ID : N/A

Traffic index : N/A

Tunnel policy : NULL

Rely tunnel IDs : N/A

7. On the SC and tail node, configure an SRv6 TE policy tunnel:

IMPORTANT:

Traffic from the SC to the tail node is forwarded to the SF for processing.

# Configure the SC.

[SC] segment-routing ipv6

[SC-segment-routing-ipv6] traffic-engineering

[SC-srv6-te] srv6-policy locator a

[SC-srv6-te] segment-list s1

[SC-srv6-te-sl-s1] index 10 ipv6 2001::1

[SC-srv6-te-sl-s1] index 20 ipv6 5000::1

[SC-srv6-te-sl-s1] quit

[SC-srv6-te] policy p1

[SC-srv6-te-policy-p1] color 10 end-point ipv6 5::5

[SC-srv6-te-policy-p1] candidate-paths

[SC-srv6-te-policy-p1-path] preference 10

[SC-srv6-te-policy-p1-path-pref-10] explicit segment-list s1

[SC-srv6-te-policy-p1-path-pref-10] quit

[SC-srv6-te-policy-p1-path] quit

[SC-srv6-te-policy-p1] quit

[SC-srv6-te] quit

[SC-segment-routing-ipv6] quit

# Configure the tail node.

[Tail] segment-routing ipv6

[Tail-segment-routing-ipv6] traffic-engineering

[Tail-srv6-te] srv6-policy locator e

[Tail-srv6-te] segment-list s2

[Tail-srv6-te-sl-s2] index 10 ipv6 2001::1

[Tail-srv6-te-sl-s2] index 10 ipv6 1000::1

[Tail-srv6-te-sl-s2] quit

[Tail-srv6-te] policy p1

[Tail-srv6-te-policy-p1] color 10 end-point ipv6 1::1

[Tail-srv6-te-policy-p1] candidate-paths

[Tail-srv6-te-policy-p1-path] preference 10

[Tail-srv6-te-policy-p1-path-pref-10] explicit segment-list s2

[Tail-srv6-te-policy-p1-path-pref-10] quit

[Tail-srv6-te-policy-p1-path] quit

[Tail-srv6-te-policy-p1] quit

[Tail-srv6-te] quit

[Tail-segment-routing-ipv6] quit

# On the SC and tail node, display detailed information about the SRv6 TE policy tunnel. (This example only displays information on the SC.)

[SC] display segment-routing ipv6 te policy

Name/ID: p1/0

Color: 10

Endpoint: 5::5

Name from BGP:

BSID:

Mode: Dynamic Type: Type_2 Request state: Succeeded

Current BSID: 1000::1:0:5 Explicit BSID: - Dynamic BSID: 1000::1:0:5

Reference counts: 4

Flags: A/BS/NC

Status: Up

Up time: 2020-10-30 16:08:03

Down time: 2020-10-30 16:03:48

Hot backup: Not configured

Statistics: Not configured

SBFD: Not configured

BFD Echo: Not configured

Forwarding index: 2150629377

Candidate paths state: Configured

Candidate paths statistics:

CLI paths: 1 BGP paths: 0 PCEP paths: 0

Candidate paths:

Preference : 10

CPathName:

Instance ID: 0 ASN: 0 Node address: 0.0.0.0

Peer address: ::

Optimal: Y Flags: V/A

Explicit SID list:

ID: 1 Name: s1

Weight: 1 Forwarding index: 2149580801

State: Up State(SBFD): -

8. On the SC and tail node, configure a routing policy to steer traffic that matches a color to the SRv6 TE policy:

# Configure the SC.

[SC] route-policy p1 permit node 10

[SC-route-policy-p1-10] apply extcommunity color 00:10 additive

[SC-route-policy-p1-10] quit

[SC] bgp 100

[SC-bgp-default] address-family vpnv4

[SC-bgp-default-vpnv4] peer 5::5 route-policy p1 import

[SC-bgp-default-vpnv4] quit

[SC-bgp-default]quit

# Configure the tail node.

[Tail] route-policy p1 permit node 10

[Tail-route-policy-p1-10] apply extcommunity color 00:10 additive

[Tail-route-policy-p1-10] quit

[Tail] bgp 100

[Tail-bgp-default] address-family vpnv4

[Tail-bgp-default-vpnv4] peer 1::1 route-policy p1 import

[Tail-bgp-default-vpnv4] quit

[Tail-bgp-default] quit

# On the SC, display detailed information about the VPNv4 route advertised by the tail node. Verify that the VPNv4 route has the color extended community attribute and the route is recursed to the SRv6 TE policy tunnel.

[SC] display bgp routing-table vpnv4 7.7.7.7

BGP local router ID: 1.1.1.1

Local AS number: 100

Route distinguisher: 100:1(vpn1)

Total number of routes: 1

Paths: 1 available, 1 best

BGP routing table information of 7.7.7.7/32:

From : 5::5 (5.5.5.5)

Rely nexthop : FE80::2A96:34FF:FE9D:216

Original nexthop: 5::5

Out interface : GigabitEthernet0/0/2

Route age : 00h52m23s

OutLabel : 3

Ext-Community : <RT: 111:1>, <CO-Flag:Color(00:10)>

RxPathID : 0x0

TxPathID : 0x0

PrefixSID : End.DT4 SID <5000::2>

AS-path : 65420

Origin : incomplete

Attribute value : MED 0, localpref 100, pref-val 0

State : valid, internal, best

IP precedence : N/A

QoS local ID : N/A

Traffic index : N/A

Tunnel policy : NULL

Rely tunnel IDs : 2150629377

9. On SFF 1, configure an SRv6 service chain in masquerading mode.

[SFF1] interface gigabitethernet 0/0/2

[SFF1-GigabitEthernet0/0/2] ipv6 address 10::1 96

[SFF1-GigabitEthernet0/0/2] quit

[SFF1-segment-routing-ipv6] locator am1 ipv6-prefix 2001:: 64 static 32

[SFF1-segment-routing-ipv6-locator-am1] opcode 1 end-am

[SFF1-segment-routing-ipv6-locator-am1-endam-1] encapsulation ipv6 nexthop 10::1 out-interface gigabitethernet 0/0/2 in-interface gigabitethernet 0/0/2

[SFF1-segment-routing-ipv6-locator-am1-endam-1] quit

[SFF1-segment-routing-ipv6-locator-am1] quit

[SFF1-segment-routing-ipv6] quit

[SFF1] isis 1

[SFF1-isis-1] address-family ipv6 unicast

[SFF1-isis-1-ipv6] segment-routing ipv6 locator am1

[SFF1-isis-1-ipv6] quit

[SFF1-isis-1] quit

Verifying the configuration

# On SFF 1, display End.AM SID forwarding information.

[SFF1] display segment-routing ipv6 local-sid end-am

Local SID forwarding table (End.AM)

Total SIDs: 1

SID : 2001::1/64

Function type : End.AM Allocation type: Static

Locator name : am1 Forward type : L3

Encapsulation count: 1

Next hop : 10::1 Out-interface : GE0/0/2

In-interface : GE0/0/2

Owner : SIDMGR State : Active

Create Time : May 19 17:21:15.687 2020

Example: Configuring an SRv6 service chain in masquerading mode with Layer 2 encapsulation

Network configuration

As shown in Figure 9, CE 1 and CE 2 belong to one VPN instance. In the network, deploy an SRv6 service chain in masquerading mode to orchestrate the service traffic from CE 1 to pass through the SF to reach CE 2.

SFF 1 is connected to the SF through a Layer 3 Ethernet subinterface. Layer 2 encapsulation is used for packets forwarded between the SFF and SF.

To meet the requirements, perform the following tasks:

· On the SC and tail node, configure the VPN instance settings and steer service traffic to an SRv6 TE policy. The forwarding path in the policy is SC—> SFF 1 —> SF —> Tail.

· On SFF 1, configure an SRv6 service chain in masquerading mode with Layer 2 encapsulation.

Figure 9 Network diagram

‌

Device	Interface	IP address	Device	Interface	IP address
SC	Loop1	1::1/128	SFF 1	Loop1	2::2/128
	GE0/0/1	16.0.0.2/30		GE0/0/1	100::2/96
	GE0/0/2	100::1/96		GE1/0/3	400::1/96
Tail	Loop1	5::5/128	CE 1	Loop1	6.6.6.6/32
	GE0/0/1	57.0.0.1/30		GE0/0/1	16.0.0.1/30
	GE0/0/2	400::2/96	CE 2	Loop1	7.7.7.7/32
				GE0/0/1	57.0.0.2/30

Prerequisites

· Plan SRv6 SIDs on each device.

¡ On the SC, the network of locator a is 1000::/64, the End SID is 1000::1, and the End.DT4 SID is 1000::2.

¡ On SFF 1, the network of locator b is 2000::/64, the End SID is 2000::1, the network of locator am1 is 2001::/64, and the End.AM SID is 2001::1.

¡ On the tail node, the network of locator e is 5000::/64, the End SID is 5000::1, and the End.DT4 SID is 5000::2.

Procedure

IMPORTANT:

L3VPN and SRv6 TE policy settings are the same for masquerading-mode SRv6 service chains that use Layer 2 encapsulation and Layer 3 encapsulation. This example only covers the configuration that Layer 2 encapsulation differs from Layer 3 encapsulation. For more information, see "Example: Configuring an SRv6 service chain in masquerading mode with Layer 3 encapsulation."

# On SFF 1, configure basic settings for the SRv6 service chain in masquerading mode.

<SFF1> system-view

[SFF1] interface gigabitethernet 0/0/2.1

[SFF1-GigabitEthernet0/0/2.1] vlan-type dot1q vid 2

[SFF1-GigabitEthernet0/0/2.1] quit

[SFF1-segment-routing-ipv6] locator am1 ipv6-prefix 2001:: 64 static 32

[SFF1-segment-routing-ipv6-locator-am1] opcode 1 end-am

[SFF1-segment-routing-ipv6-locator-am1-endam-1] encapsulation eth out-interface gigabitethernet 0/0/2.1 out-s-vlan 2 in-interface gigabitethernet 0/0/2.1 in-s-vlan 2

[SFF1-segment-routing-ipv6-locator-am1-endam-1] quit

[SFF1-segment-routing-ipv6-locator-am1] quit

[SFF1-segment-routing-ipv6] quit

[SFF1] isis 1

[SFF1-isis-1] address-family ipv6 unicast

[SFF1-isis-1-ipv6] segment-routing ipv6 locator am1

[SFF1-isis-1-ipv6] quit

[SFF1-isis-1] quit

Verifying the configuration

# On SFF 1, display End.AM SID forwarding information.

[SFF1] display segment-routing ipv6 local-sid end-am

Local SID forwarding table (End.AM)

Total SIDs: 1

SID : 2001::1/64

Function type : End.AM Allocation type: Static

Locator name : am1 Forward type : L2

Encapsulation count: 1

Out-interface: GE0/0/2.1 In-interface : GE0/0/2.1

Out-S-VLAN : 2 Out-C-VLAN : -

In-S-VLAN : 2 In-C-VLAN : -

Owner : SIDMGR State : Active

Create Time : May 19 17:21:15.687 2020

Example: Configuring an SRv6 service chain in static proxy mode with Layer 3 encapsulation

Network configuration

As shown in Figure 10, CE 1 and CE 2 belong to one VPN instance. In the network, deploy an SRv6 service chain in static proxy mode to orchestrate the service traffic from CE 1 to pass through SF 1 to reach CE 2. For high availability, SF 1 is dualhomed to SFF 1 and SFF 2 and SF 2 is the bypass protection node of SF 1.

The SFFs are connected to SFs through Layer 3 Ethernet interfaces. Layer 3 encapsulation is used for packets forwarded between a pair of SFF and SF.

To meet the requirements, perform the following tasks:

· On the SC and tail node, configure the VPN instance settings and steer service traffic to an SRv6 TE policy. The forwarding path in the policy is SC—> SFF 1 —> SF 1 —> Tail.

· On SFF 1, SFF 2, and SFF 3, configure an SRv6 service chain in static proxy mode with Layer 3 encapsulation.

· On SFF 1 and SFF 2, configure dualhoming protection settings. Make sure service chain traffic can be forwarded to SFF 2 when SFF 1 cannot reach SF 1.

· On SFF 1 and SFF 2, configure bypass protection settings. Make sure SF 2 can provide bypass protection when SF 1 is not reachable.

Figure 10 Network diagram

‌

Device	Interface	IP address	Device	Interface	IP address
SC	Loop1	1::1/128	SFF 1	Loop1	2::2/128 2.2.2.2/32
	GE0/0/1	16.0.0.2/30		GE0/0/1	100::2/96
	GE0/0/2	100::1/96		GE0/0/2	300::1/96
	GE0/0/3	200::1/96		GE0/0/3	10.1.1.2/24
SFF 2	Loop1	3::3/128 3.3.3.3/32		GE0/0/4	400::1/96
	GE0/0/1	300::2/96	SFF 3	Loop1	4::4/128 4.4.4.4/32
	GE0/0/2	500::1/96		GE0/0/1	500::2/96
	GE0/0/3	10.1.1.3/24		GE0/0/2	600::1/96
	GE0/0/4	200::2/96		GE0/0/3	10.2.1.2/24
SF 1	-	10.1.1.1/24		GE0/0/4	400::2/96
SF 2	-	10.2.1.1/24	CE 1	Loop1	6.6.6.6/32
Tail	Loop1	5::5/128		GE0/0/1	16.0.0.1/30
	GE0/0/1	57.0.0.1/30	CE 2	Loop1	7.7.7.7/32
	GE0/0/2	600::2/96		GE0/0/1	57.0.0.2/30

Prerequisites

· Plan SRv6 SIDs on each device.

¡ On the SC, the network of locator a is 1000::/64, the End SID is 1000::1, and the End.DT4 SID is 1000::2.

¡ On SFF 1, the network of locator b is 2000::/64, the End SID is 2000::1, the network of locator as1 is 2001::/64, and the End.AS SID is 2001::1.

¡ On SFF 2, the network of locator c is 3000::/64, the End SID is 3000::1, the network of locator as1 is 2001::/64, and the End.AS SID is 2001::1.

¡ On SFF 3, the network of locator d is 4000::/64, the End SID is 4000::1, the network of locator as2 is 4001::/64, and the End.AS SID is 4001::1.

¡ On the tail node, the network of locator e is 5000::/64, the End SID is 5000::1, and the End.DT4 SID is 5000::2.

· Plan the traffic forwarding tunnel and the explicit path of the tunnel. In this example, traffic on the SC is forwarded to the tail node through the explicit path of an SRv6 TE policy. In the forwarding path, SFF 1 forwards the traffic to SF 1. SF 1 processes the traffic and forwards the traffic back to SFF 1. When the tail node sends traffic back to the SC, the traffic passes through SFF 2 to reach the SC in the explicit path of the SRv6 TE policy. The traffic is not forwarded to any SF.

Procedure

1. On the SC, SFF 1, SFF 2, SFF 3, and the tail node, configure IPv6 IS-IS for their communication over the backbone network:

# Configure the SC.

<SC> system-view

[SC] isis 1

[SC-isis-1] is-level level-2

[SC-isis-1] cost-style wide

[SC-isis-1] network-entity 10.1111.1111.1111.00

[SC-isis-1] address-family ipv6 unicast

[SC-isis-1-ipv6] quit

[SC-isis-1] quit

[SC] interface loopback 1

[SC-LoopBack1] ipv6 address 1::1 128

[SC-LoopBack1] isis ipv6 enable 1

[SC-LoopBack1] quit

[SC] interface gigabitethernet 0/0/2

[SC-GigabitEthernet0/0/2] ipv6 address 100::1 96

[SC-GigabitEthernet0/0/2] isis ipv6 enable

[SC-GigabitEthernet0/0/2] quit

[SC] interface gigabitethernet 0/0/3

[SC-GigabitEthernet0/0/3] ipv6 address 200::1 96

[SC-GigabitEthernet0/0/3] isis ipv6 enable

[SC-GigabitEthernet0/0/3] quit

# Configure SFF 1.

<SFF1> system-view

[SFF1] isis

[SFF1-isis-1] is-level level-2

[SFF1-isis-1] cost-style wide

[SFF1-isis-1] network-entity 10.2222.2222.2222.00

[SFF1-isis-1] address-family ipv6 unicast

[SFF1-isis-1-ipv6] quit

[SFF1-isis-1] quit

[SFF1] interface loopback 1

[SFF1-LoopBack1] ipv6 address 2::2 128

[SFF1-LoopBack1] isis ipv6 enable

[SFF1-LoopBack1] quit

[SFF1] interface gigabitethernet 0/0/1

[SFF1-GigabitEthernet0/0/1] ipv6 address 100::2 96

[SFF1-GigabitEthernet0/0/1] isis ipv6 enable

[SFF1-GigabitEthernet0/0/1] quit

[SFF1] interface gigabitethernet 0/0/2

[SFF1-GigabitEthernet0/0/2] ipv6 address 300::1 96

[SFF1-GigabitEthernet0/0/2] isis ipv6 enable

[SFF1-GigabitEthernet0/0/2] quit

[SFF1] interface gigabitethernet 0/0/4

[SFF1-GigabitEthernet0/0/4] ipv6 address 400::1 96

[SFF1-GigabitEthernet0/0/4] isis ipv6 enable

[SFF1-GigabitEthernet0/0/4] quit

# Configure SFF 2.

<SFF2> system-view

[SFF2] isis

[SFF2-isis-1] is-level level-2

[SFF2-isis-1] cost-style wide

[SFF2-isis-1] network-entity 10.3333.3333.3333.00

[SFF2-isis-1] address-family ipv6 unicast

[SFF2-isis-1-ipv6] quit

[SFF2-isis-1] quit

[SFF2] interface loopback 1

[SFF2-LoopBack1] ipv6 address 3::3 128

[SFF2-LoopBack1] isis ipv6 enable

[SFF2-LoopBack1] quit

[SFF2] interface gigabitethernet 0/0/1

[SFF2-GigabitEthernet0/0/1] ipv6 address 300::2 96

[SFF2-GigabitEthernet0/0/1] isis ipv6 enable

[SFF2-GigabitEthernet0/0/1] quit

[SFF2] interface gigabitethernet 0/0/2

[SFF2-GigabitEthernet0/0/2] ipv6 address 500::1 96

[SFF2-GigabitEthernet0/0/2] isis ipv6 enable

[SFF2-GigabitEthernet0/0/2] quit

[SFF2] interface gigabitethernet 0/0/4

[SFF2-GigabitEthernet0/0/4] ipv6 address 200::2 96

[SFF2-GigabitEthernet0/0/4] isis ipv6 enable

[SFF2-GigabitEthernet0/0/4] quit

# Configure SFF 3.

<SFF3> system-view

[SFF3] isis

[SFF3-isis-1] is-level level-2

[SFF3-isis-1] cost-style wide

[SFF3-isis-1] network-entity 10.4444.4444.4444.00

[SFF3-isis-1] address-family ipv6 unicast

[SFF3-isis-1-ipv6] quit

[SFF3-isis-1] quit

[SFF3] interface loopback 1

[SFF3-LoopBack1] ipv6 address 4::4 128

[SFF3-LoopBack1] isis ipv6 enable

[SFF3-LoopBack1] quit

[SFF3] interface gigabitethernet 0/0/1

[SFF3-GigabitEthernet0/0/1] ipv6 address 500::2 96

[SFF3-GigabitEthernet0/0/1] isis ipv6 enable

[SFF3-GigabitEthernet0/0/1] quit

[SFF3] interface gigabitethernet 0/0/2

[SFF3-GigabitEthernet0/0/2] ipv6 address 600::1 96

[SFF3-GigabitEthernet0/0/2] isis ipv6 enable

[SFF3-GigabitEthernet0/0/2] quit

[SFF3] interface gigabitethernet 0/0/4

[SFF3-GigabitEthernet0/0/4] ipv6 address 400::2 96

[SFF3-GigabitEthernet0/0/4] isis ipv6 enable

[SFF3-GigabitEthernet0/0/4] quit

# Configure the tail node.

<Tail> system-view

[Tail] isis

[Tail-isis-1] is-level level-2

[Tail-isis-1] cost-style wide

[Tail-isis-1] network-entity 10.5555.5555.5555.00

[Tail-isis-1] address-family ipv6 unicast

[Tail-isis-1-ipv6] quit

[Tail-isis-1] quit

[Tail] interface loopback 1

[Tail-LoopBack1] ipv6 address 5::5 128

[Tail-LoopBack1] isis ipv6 enable

[Tail-LoopBack1] quit

[Tail] interface gigabitethernet 0/0/2

[Tail-GigabitEthernet0/0/2] ipv6 address 600::2 96

[Tail-GigabitEthernet0/0/2] isis ipv6 enable

[Tail-GigabitEthernet0/0/2] quit

# Verify that the SC, SFF 1, SFF 2, SFF 3, and the tail node can establish IPv6 IS-IS neighbor relationship with each other. Execute the display isis peer command on each device to verify that the neighbors are in up state. (Details not shown.)

# Execute the display isis route ipv6 command on the SC and tail node to verify that they have learned the routes of loopback interfaces to reach each other. (Details not shown.)

2. On the SC and tail node, configure VPN instance settings to allow CE 1 and CE 2 to access the SC and tail node, respectively, in a VPN instance:

# Configure the SC.

[SC] ip vpn-instance vpn1

[SC-vpn-instance-vpn1] route-distinguisher 100:1

[SC-vpn-instance-vpn1] vpn-target 111:1

[SC-vpn-instance-vpn1] quit

[SC] interface gigabitethernet 0/0/1

[SC-GigabitEthernet0/0/1] ip binding vpn-instance vpn1

[SC-GigabitEthernet0/0/1] ip address 16.0.0.2 30

[SC-GigabitEthernet0/0/1] quit

# Configure the tail node.

[Tail] ip vpn-instance vpn1

[Tail-vpn-instance-vpn1] route-distinguisher 100:1

[Tail-vpn-instance-vpn1] vpn-target 111:1

[Tail-vpn-instance-vpn1] quit

[Tail] interface gigabitethernet 0/0/1

[Tail-GigabitEthernet0/0/1] ip binding vpn-instance vpn1

[Tail-GigabitEthernet0/0/1] ip address 57.0.0.1 24

[Tail-GigabitEthernet0/0/1] quit

# Configure IP addresses for interfaces on the CEs. (Details not shown.)

# On the SC and tail node (PEs), display VPN instance configuration to verify that the configuration is correct. Verify that the SC and tail node can ping their CEs.

This step uses the SC and CE 1 as an example.

[SC] display ip vpn-instance

Total VPN-Instances configured : 1

Total IPv4 VPN-Instances configured : 1

Total IPv6 VPN-Instances configured : 1

VPN-Instance Name RD Address family Create time

vpn1 100:1 IPv4/IPv6 2020/10/29 13:59:39

[SC] ping -vpn-instance vpn1 16.0.0.1

Ping 16.0.0.1 (16.0.0.1): 56 data bytes, press CTRL+C to break

56 bytes from 16.0.0.1: icmp_seq=0 ttl=255 time=2.000 ms

56 bytes from 16.0.0.1: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 16.0.0.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 16.0.0.1: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 16.0.0.1: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 16.0.0.1 in VPN instance vpn1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/2.000/0.800 ms

3. Configure the SC and tail node to establish EBGP peer relationship with their connected CEs and redistribute VPN routes:

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp-default] peer 16.0.0.2 as-number 100

[CE1-bgp-default] address-family ipv4 unicast

[CE1-bgp-default-ipv4] peer 16.0.0.2 enable

[CE1-bgp-default-ipv4] import-route direct

[CE1-bgp-default-ipv4] quit

[CE1-bgp-default] quit

# Configure CE 2 in the same way as CE 1 is configured. (Details not shown.)

# Configure the SC.

[SC] bgp 100

[SC-bgp-default] router-id 1.1.1.1

[SC-bgp-default] ip vpn-instance vpn1

[SC-bgp-default-vpn1] peer 16.0.0.1 as-number 65410

[SC-bgp-default-vpn1] address-family ipv4 unicast

[SC-bgp-default-ipv4-vpn1] peer 16.0.0.1 enable

[SC-bgp-default-ipv4-vpn1] quit

[SC-bgp-default-vpn1] quit

# Configure the tail node in the same way as the SC is configured. (Details not shown.)

4. Establish VPNv4 peer relationship between the SC and tail node:

# Configure the SC.

[SC] bgp 100

[SC-bgp-default] peer 5::5 as-number 100

[SC-bgp-default] peer 5::5 connect-interface loopback 1

[SC-bgp-default] address-family vpnv4

[SC-bgp-default-vpnv4] peer 5::5 enable

[SC-bgp-default-vpnv4] quit

[SC-bgp-default] quit

# Configure the tail node.

[Tail] bgp 100

[Tail-bgp-default] peer 1::1 as-number 100

[Tail-bgp-default] peer 1::1 connect-interface loopback 1

[Tail-bgp-default] address-family vpnv4

[Tail-bgp-default-vpnv4] peer 1::1 enable

[Tail-bgp-default-vpnv4] quit

[Tail-bgp-default] quit

5. Configure End SIDs and End.DT4 SIDs, and advertise the locators of the SIDs by using an IGP:

# Configure the SC.

[SC] segment-routing ipv6

[SC-segment-routing-ipv6] encapsulation source-address 11::11

[SC-segment-routing-ipv6] locator a ipv6-prefix 1000::1 64 static 32

[SC-segment-routing-ipv6-locator-a] opcode 1 end

[SC-segment-routing-ipv6-locator-a] opcode 2 end-dt4 vpn-instance vpn1

[SC-segment-routing-ipv6-locator-a] quit

[SC-segment-routing-ipv6] quit

[SC] isis 1

[SC-isis-1] address-family ipv6 unicast

[SC-isis-1-ipv6] segment-routing ipv6 locator a

[SC-isis-1-ipv6] quit

[SC-isis-1] quit

# Configure SFF 1.

[SFF1] segment-routing ipv6

[SFF1-segment-routing-ipv6] encapsulation source-address 22::22

[SFF1-segment-routing-ipv6] locator b ipv6-prefix 2000::1 64 static 32

[SFF1-segment-routing-ipv6-locator-b] opcode 1 end

[SFF1-segment-routing-ipv6-locator-b] quit

[SFF1-segment-routing-ipv6] quit

[SFF1] isis 1

[SFF1-isis-1] address-family ipv6 unicast

[SFF1-isis-1-ipv6] segment-routing ipv6 locator b

[SFF1-isis-1-ipv6] quit

[SFF1-isis-1] quit

# Configure SFF 2.

[SFF2] segment-routing ipv6

[SFF2-segment-routing-ipv6] encapsulation source-address 33::33

[SFF2-segment-routing-ipv6] locator c ipv6-prefix 3000::1 64 static 32

[SFF2-segment-routing-ipv6-locator-c] opcode 1 end

[SFF2-segment-routing-ipv6-locator-c] quit

[SFF2-segment-routing-ipv6] quit

[SFF2] isis 1

[SFF2-isis-1] address-family ipv6 unicast

[SFF2-isis-1-ipv6] segment-routing ipv6 locator c

[SFF2-isis-1-ipv6] quit

[SFF2-isis-1] quit

# Configure SFF 3.

[SFF3] segment-routing ipv6

[SFF3-segment-routing-ipv6] encapsulation source-address 44::44

[SFF3-segment-routing-ipv6] locator d ipv6-prefix 4000::1 64 static 32

[SFF3-segment-routing-ipv6-locator-d] opcode 1 end

[SFF3-segment-routing-ipv6-locator-d] quit

[SFF3-segment-routing-ipv6] quit

[SFF3] isis 1

[SFF3-isis-1] address-family ipv6 unicast

[SFF3-isis-1-ipv6] segment-routing ipv6 locator d

[SFF3-isis-1-ipv6] quit

[SFF3-isis-1] quit

# Configure the tail node.

[Tail] segment-routing ipv6

[Tail-segment-routing-ipv6] encapsulation source-address 55::55

[Tail-segment-routing-ipv6] locator e ipv6-prefix 5000::1 64 static 32

[Tail-segment-routing-ipv6-locator-e] opcode 1 end

[Tail-segment-routing-ipv6-locator-e] opcode 2 end-dt4 vpn-instance vpn1

[Tail-segment-routing-ipv6-locator-e] quit

[Tail-segment-routing-ipv6] quit

[Tail] isis 1

[Tail-isis-1] address-family ipv6 unicast

[Tail-isis-1-ipv6] segment-routing ipv6 locator e

[Tail-isis-1-ipv6] quit

[Tail-isis-1] quit

[SC] display ipv6 routing-table protocol srv6

Summary count : 8

SRv6 Routing table status : <Active>

Summary count : 8

Destination: 1000::2/128 Protocol : SRv6

NextHop : ::1 Preference: 4

Interface : InLoop0 Cost : 0

SRv6 Routing table status : <Inactive>

Summary count : 0

6. On the SC and tail node, add End.DT4 SIDs to private network routes, exchange End.DT4 SIDs between peers, and allow the devices to recurse private network routes to End.DT4 SID routes:

# Configure the SC.

[SC] bgp 100

[SC-bgp-default] address-family vpnv4

[SC-bgp-default-vpnv4] peer 5::5 prefix-sid

[SC-bgp-default-vpnv4] quit

[SC-bgp-default] ip vpn-instance vpn1

[SC-bgp-default-vpn1] address-family ipv4 unicast

[SC-bgp-default-ipv4-vpn1] segment-routing ipv6 locator a

[SC-bgp-default-ipv4-vpn1] segment-routing ipv6 traffic-engineering best-effort

[SC-bgp-default-ipv4-vpn1] quit

[SC-bgp-default-vpn1] quit

[SC-bgp-default] quit

# Configure the tail node.

[Tail] bgp 100

[Tail-bgp-default] address-family vpnv4

[Tail-bgp-default-vpnv4] peer 1::1 prefix-sid

[Tail-bgp-default-vpnv4] quit

[Tail-bgp-default] ip vpn-instance vpn1

[Tail-bgp-default-vpn1] address-family ipv4 unicast

[Tail-bgp-default-ipv4-vpn1] segment-routing ipv6 locator e

[Tail-bgp-default-ipv4-vpn1] segment-routing ipv6 traffic-engineering best-effort

[Tail-bgp-default-ipv4-vpn1] quit

[Tail-bgp-default-vpn1] quit

[Tail-bgp-default] quit

This example only displays information on the SC.

[SC] display bgp routing-table vpnv4 7.7.7.7

BGP local router ID: 1.1.1.1

Local AS number: 100

Route distinguisher: 100:1(vpn1)

Total number of routes: 1

Paths: 1 available, 1 best

BGP routing table information of 7.7.7.7/32:

From : 5::5 (5.5.5.5)

Rely nexthop : FE80::2A96:34FF:FE9D:216

Original nexthop: 5::5

Out interface : GigabitEthernet0/0/2

Route age : 00h14m23s

OutLabel : 3

Ext-Community : <RT: 111:1>

RxPathID : 0x0

TxPathID : 0x0

PrefixSID : End.DT4 SID <5000::2>

AS-path : 65420

Origin : incomplete

Attribute value : MED 0, localpref 100, pref-val 0

State : valid, internal, best

IP precedence : N/A

QoS local ID : N/A

Traffic index : N/A

Tunnel policy : NULL

Rely tunnel IDs : N/A

7. On the SC and tail node, configure an SRv6 TE policy tunnel:

IMPORTANT:

Traffic from the SC to the tail node is forwarded to an SF for processing. Traffic from the tail node to the SC is not forwarded to any SF.

# Configure the SC.

[SC] segment-routing ipv6

[SC-segment-routing-ipv6] traffic-engineering

[SC-srv6-te] srv6-policy locator a

[SC-srv6-te] segment-list s1

[SC-srv6-te-sl-s1] index 10 ipv6 2001::1

[SC-srv6-te-sl-s1] index 20 ipv6 5000::1

[SC-srv6-te-sl-s1] quit

[SC-srv6-te] policy p1

[SC-srv6-te-policy-p1] color 10 end-point ipv6 5::5

[SC-srv6-te-policy-p1] candidate-paths

[SC-srv6-te-policy-p1-path] preference 10

[SC-srv6-te-policy-p1-path-pref-10] explicit segment-list s1

[SC-srv6-te-policy-p1-path-pref-10] quit

[SC-srv6-te-policy-p1-path] quit

[SC-srv6-te-policy-p1] quit

[SC-srv6-te] quit

[SC-segment-routing-ipv6] quit

# Configure the tail node.

[Tail] segment-routing ipv6

[Tail-segment-routing-ipv6] traffic-engineering

[Tail-srv6-te] srv6-policy locator e

[Tail-srv6-te] segment-list s2

[Tail-srv6-te-sl-s2] index 10 ipv6 3000::1

[Tail-srv6-te-sl-s2] index 20 ipv6 1000::1

[Tail-srv6-te-sl-s2] quit

[Tail-srv6-te] policy p1

[Tail-srv6-te-policy-p1] color 10 end-point ipv6 1::1

[Tail-srv6-te-policy-p1] candidate-paths

[Tail-srv6-te-policy-p1-path] preference 10

[Tail-srv6-te-policy-p1-path-pref-10] explicit segment-list s2

[Tail-srv6-te-policy-p1-path-pref-10] quit

[Tail-srv6-te-policy-p1-path] quit

[Tail-srv6-te-policy-p1] quit

[Tail-srv6-te] quit

[Tail-segment-routing-ipv6] quit

# On the SC and tail node, display detailed information about the SRv6 TE policy tunnel.

This example only displays information on the SC.

[SC] display segment-routing ipv6 te policy

Name/ID: p1/0

Color: 10

Endpoint: 5::5

Name from BGP:

BSID:

Mode: Dynamic Type: Type_2 Request state: Succeeded

Current BSID: 1000::1:0:5 Explicit BSID: - Dynamic BSID: 1000::1:0:5

Reference counts: 4

Flags: A/BS/NC

Status: Up

Up time: 2020-10-30 16:08:03

Down time: 2020-10-30 16:03:48

Hot backup: Not configured

Statistics: Not configured

SBFD: Not configured

BFD Echo: Not configured

Forwarding index: 2150629377

Candidate paths state: Configured

Candidate paths statistics:

CLI paths: 1 BGP paths: 0 PCEP paths: 0

Candidate paths:

Preference : 10

CPathName:

Instance ID: 0 ASN: 0 Node address: 0.0.0.0

Peer address: ::

Optimal: Y Flags: V/A

Explicit SID list:

ID: 1 Name: s1

Weight: 1 Forwarding index: 2149580801

State: Up State(SBFD): -

8. On the SC and tail node, configure a routing policy to steer traffic that matches a color to the SRv6 TE policy:

# Configure the SC.

[SC] route-policy p1 permit node 10

[SC-route-policy-p1-10] apply extcommunity color 00:10 additive

[SC-route-policy-p1-10] quit

[SC] bgp 100

[SC-bgp-default] address-family vpnv4

[SC-bgp-default-vpnv4] peer 5::5 route-policy p1 import

[SC-bgp-default-vpnv4] quit

[SC-bgp-default]quit

# Configure the tail node.

[Tail] route-policy p1 permit node 10

[Tail-route-policy-p1-10] apply extcommunity color 00:10 additive

[Tail-route-policy-p1-10] quit

[Tail] bgp 100

[Tail-bgp-default] address-family vpnv4

[Tail-bgp-default-vpnv4] peer 1::1 route-policy p1 import

[Tail-bgp-default-vpnv4] quit

[Tail-bgp-default] quit

[SC] display bgp routing-table vpnv4 7.7.7.7

BGP local router ID: 1.1.1.1

Local AS number: 100

Route distinguisher: 100:1(vpn1)

Total number of routes: 1

Paths: 1 available, 1 best

BGP routing table information of 7.7.7.7/32:

From : 5::5 (5.5.5.5)

Rely nexthop : FE80::2A96:34FF:FE9D:216

Original nexthop: 5::5

Out interface : GigabitEthernet0/0/2

Route age : 00h52m23s

OutLabel : 3

Ext-Community : <RT: 111:1>, <CO-Flag:Color(00:10)>

RxPathID : 0x0

TxPathID : 0x0

PrefixSID : End.DT4 SID <5000::2>

AS-path : 65420

Origin : incomplete

Attribute value : MED 0, localpref 100, pref-val 0

State : valid, internal, best

IP precedence : N/A

QoS local ID : N/A

Traffic index : N/A

Tunnel policy : NULL

Rely tunnel IDs : 2150629377

9. On SFF 1, SFF 2, and SFF 3, configure basic SRv6 service chain settings:

# Configure SFF 1.

[SFF1] interface gigabitethernet 0/0/3

[SFF1-GigabitEthernet0/0/3] ip address 10.1.1.2 24

[SFF1-GigabitEthernet0/0/3] quit

[SFF1-segment-routing-ipv6] locator as1 ipv6-prefix 2001:: 64 static 32

[SFF1-segment-routing-ipv6-locator-as1] opcode 1 end-as

[SFF1-segment-routing-ipv6-locator-as1-endas-1] inner-type ipv4

[SFF1-segment-routing-ipv6-locator-as1-endas-1] encapsulation ipv4 nexthop 10.1.1.1 out-interface gigabitethernet 0/0/3 in-interface gigabitethernet 0/0/3

[SFF1-segment-routing-ipv6-locator-as1-endas-1] cache source-address 1::1

[SFF1-segment-routing-ipv6-locator-as1-endas-1] cache list 2001::1 5000::1 5000::2

[SFF1-segment-routing-ipv6-locator-as1-endas-1] quit

[SFF1-segment-routing-ipv6-locator-as1] quit

[SFF1-segment-routing-ipv6] quit

[SFF1] isis 1

[SFF1-isis-1] address-family ipv6 unicast

[SFF1-isis-1-ipv6] segment-routing ipv6 locator as1

[SFF1-isis-1-ipv6] quit

[SFF1-isis-1] quit

# Configure SFF 2 as the backup of SFF 1 to access SF 1.

[SFF2] interface gigabitethernet 0/0/3

[SFF2-GigabitEthernet0/0/3] ip address 10.1.1.3 24

[SFF2-GigabitEthernet0/0/3] quit

[SFF2] segment-routing ipv6

[SFF2-segment-routing-ipv6] locator as1 ipv6-prefix 2001:: 64 static 32

[SFF2-segment-routing-ipv6-locator-as1] opcode 1 end-as

[SFF2-segment-routing-ipv6-locator-as1-endas-1] inner-type ipv4

[SFF2-segment-routing-ipv6-locator-as1-endas-1] encapsulation ipv4 nexthop 10.1.1.1 out-interface gigabitethernet 0/0/3 in-interface gigabitethernet 0/0/3

[SFF2-segment-routing-ipv6-locator-as1-endas-1] cache source-address 1::1

[SFF2-segment-routing-ipv6-locator-as1-endas-1] cache list 2001::1 5000::1 5000::2

[SFF2-segment-routing-ipv6-locator-as1-endas-1] quit

[SFF2-segment-routing-ipv6-locator-as1] quit

[SFF2-segment-routing-ipv6] quit

[SFF2] isis 1

[SFF2-isis-1] address-family ipv6 unicast

[SFF2-isis-1-ipv6] segment-routing ipv6 locator as1

[SFF2-isis-1-ipv6] quit

[SFF2-isis-1] quit

# Configure SFF3 to access SF 2.

[SFF3] interface gigabitethernet 0/0/3

[SFF3-GigabitEthernet0/0/3] ip address 10.2.1.2 24

[SFF3-GigabitEthernet0/0/3] quit

[SFF3] segment-routing ipv6

[SFF3-segment-routing-ipv6] locator as2 ipv6-prefix 4001:: 64 static 32

[SFF3-segment-routing-ipv6-locator-as2] opcode 1 end-as

[SFF3-segment-routing-ipv6-locator-as2-endas-1] inner-type ipv4

[SFF3-segment-routing-ipv6-locator-as2-endas-1] encapsulation ipv4 nexthop 10.2.1.1 out-interface gigabitethernet 0/0/3 in-interface gigabitethernet 0/0/3

[SFF3-segment-routing-ipv6-locator-as2-endas-1] cache source-address 1::1

[SFF3-segment-routing-ipv6-locator-as2-endas-1] cache list 4001::1 5000::1 5000::2

[SFF3-segment-routing-ipv6-locator-as2-endas-1] quit

[SFF3-segment-routing-ipv6-locator-as2] quit

[SFF3-segment-routing-ipv6] quit

[SFF3] isis 1

[SFF3-isis-1] address-family ipv6 unicast

[SFF3-isis-1-ipv6] segment-routing ipv6 locator as2

[SFF3-isis-1-ipv6] quit

[SFF3-isis-1] quit

10. On SFF 1 and SFF 2, configure dualhoming protection and configure static BFD in echo packet mode on Layer 3 interfaces that connect the SFFs to SF 1:

# Configure SFF 1.

[SFF1] segment-routing ipv6

[SFF1-segment-routing-ipv6] proxy peer-sid 3000::1

[SFF1-segment-routing-ipv6] locator as1

[SFF1-segment-routing-ipv6-locator-as1] opcode 1 end-as

[SFF1-segment-routing-ipv6-locator-as1-endas-1] backup-opcode 2

[SFF1-segment-routing-ipv6-locator-as1-endas-1] quit

[SFF1-segment-routing-ipv6-locator-as1] quit

[SFF1-segment-routing-ipv6] quit

[SFF1] interface loopback 1

[SFF1-LoopBack1] ip address 2.2.2.2 32

[SFF1-LoopBack1] quit

[SFF1] bfd echo-source-ip 2.2.2.2

[SFF1] bfd static sf peer-ip 10.1.1.1 interface gigabitethernet 0/0/3 destination-ip 10.1.1.2 one-arm-echo

[SFF1-bfd-static-session-sf] discriminator local 100

[SFF1-bfd-static-session-sf] quit

# Configure SFF 2.

[SFF2] segment-routing ipv6

[SFF2-segment-routing-ipv6] proxy peer-sid 2000::1

[SFF2-segment-routing-ipv6] locator as1

[SFF2-segment-routing-ipv6-locator-as1] opcode 1 end-as

[SFF2-segment-routing-ipv6-locator-as1-endas-1] backup-opcode 2

[SFF2-segment-routing-ipv6] quit

[SFF2] interface loopback 1

[SFF2-LoopBack1] ip address 3.3.3.3 32

[SFF2-LoopBack1] quit

[SFF2] bfd echo-source-ip 3.3.3.3

[SFF2] bfd static sf peer-ip 10.1.1.1 interface gigabitethernet 0/0/3 destination-ip 10.1.1.3 one-arm-echo

[SFF2-bfd-static-session-sf] discriminator local 200

[SFF2-bfd-static-session-sf] quit

11. On SFF 1 and SFF 2, configure SRv6 service chain bypass protection and configure SF 2 as the bypass protection node of SF 1:

# Configure SFF 1.

[SFF1] segment-routing ipv6

[SFF1-segment-routing-ipv6] locator as1

[SFF1-segment-routing-ipv6-locator-as1] opcode 1 end-as

[SFF1-segment-routing-ipv6-locator-as1-endas-1] bypass sid 4001::1

[SFF1-segment-routing-ipv6-locator-as1-endas-1] quit

[SFF1-segment-routing-ipv6-locator-as1] quit

# Configure SFF 2.

[SFF2] segment-routing ipv6

[SFF2-segment-routing-ipv6] locator as1

[SFF2-segment-routing-ipv6-locator-as1] opcode 1 end-as

[SFF2-segment-routing-ipv6-locator-as1-endas-1] bypass sid 4001::1

[SFF2-segment-routing-ipv6-locator-as1-endas-1] quit

[SFF2-segment-routing-ipv6-locator-as1] quit

[SFF2-segment-routing-ipv6] quit

Verifying the configuration

1. On SFF 1, display SRv6 service chain forwarding entry information. Verify that the forwarding entries include the primary service chain forwarding entry, the dualhoming backup service chain forwarding entry, and the bypass protection service chain forwarding entry.

[SFF1] display segment-routing ipv6 sfc forwarding

Total forwarding entries: 3

NID : 2153775105

Locator name/Opcode : as1/1

Type : Cache list

Path Count : 1

Interface : GE0/0/4

NextHop : FE80::424:B0FF:FEF7:AD02

NID : 2153775106

Locator name/Opcode : as1/1

Type : Backup opcode

Path Count : 1

Interface : GE0/0/2

NextHop : ::1

NID : 2153775107

Locator name/Opcode : as2/1

Type : Bypass

Path Count : 1

Interface : GE0/0/4

NextHop : FE80::424:B0FF:FEF7:AD02

2. On SFF 1, display SRv6 forwarding entry information.

[SFF1] display segment-routing ipv6 forwarding

Total SRv6 forwarding entries: 3

Flags: T - Forwarded through a tunnel

N - Forwarded through the outgoing interface to the nexthop IP address

A - Active forwarding information

B - Backup forwarding information

ID FWD-Type Flags Forwarding info

--------------------------------------------------------------------------------

2153775105 SRv6SFC NA GE0/0/4

FE80::424:B0FF:FEF7:AD02

{2001::1, 5000::1, 5000::2}

2153775106 SRv6SFC N GE0/0/2

::1

{3000::1}

2153775107 SRv6SFC NA GE0/0/4

FE80::424:B0FF:FEF7:AD02

{4001::1}

Example: Configuring an SRv6 service chain in static proxy mode with Layer 2 encapsulation

Network configuration

As shown in Figure 11, CE 1 and CE 2 belong to one VPN instance. In the network, deploy an SRv6 service chain in static proxy mode to orchestrate the service traffic from CE 1 to pass through SF 1 to reach CE 2. For high availability, SF 1 is dualhomed to SFF 1 and SFF 2 and SF 2 is the bypass protection node of SF 1.

The SFFs are connected to SFs through Layer 3 Ethernet subinterfaces. Layer 2 encapsulation is used for packets forwarded between a pair of SFF and SF.

To meet the requirements, perform the following tasks:

· On the SC and tail node, configure the VPN instance settings and steer service traffic to an SRv6 TE policy. The forwarding path in the policy is SC—> SFF 1 —> SF 1 —> Tail.

· On SFF 1, SFF 2, and SFF 3, configure an SRv6 service chain in static proxy mode with Layer 2 encapsulation.

· On SFF 1 and SFF 2, configure dualhoming protection settings. Make sure service chain traffic can be forwarded to SFF 2 when SFF 1 cannot reach SF 1.

· On SFF 1 and SFF 2, configure bypass protection settings. Make sure SF 2 can provide bypass protection when SF 1 is not reachable.

Figure 11 Network diagram

‌

Device	Interface	IP address	Device	Interface	IP address
SC	Loop1	1::1/128	SFF 1	Loop1	2::2/128
	GE0/0/1	16.0.0.2/30		GE0/0/1	100::2/96
	GE0/0/2	100::1/96		GE0/0/2	300::1/96
	GE0/0/3	200::1/96		GE0/0/4	400::1/96
SFF 2	Loop1	3::3/128	SFF 3	Loop1	4::4/128
	GE0/0/1	300::2/96		GE0/0/1	500::2/96
	GE0/0/2	500::1/96		GE0/0/2	600::1/96
	GE0/0/4	200::2/96		GE0/0/4	400::2/96
Tail	Loop1	5::5/128	CE 1	Loop1	6.6.6.6/32
	GE0/0/1	57.0.0.1/30		GE0/0/1	16.0.0.1/30
	GE0/0/2	600::2/96	CE 2	Loop1	7.7.7.7/32
				GE0/0/1	57.0.0.2/30

Prerequisites

· Plan SRv6 SIDs on each device.

¡ On the SC, the network of locator a is 1000::/64, the End SID is 1000::1, and the End.DT4 SID is 1000::2.

¡ On SFF 1, the network of locator b is 2000::/64, the End SID is 2000::1, the network of locator as1 is 2001::/64, and the End.AS SID is 2001::1.

¡ On SFF 2, the network of locator c is 3000::/64, the End SID is 3000::1, the network of locator as1 is 2001::/64, and the End.AS SID is 2001::1.

¡ On SFF 3, the network of locator d is 4000::/64, the End SID is 4000::1, the network of locator as2 is 4001::/64, and the End.AS SID is 4001::1.

¡ On the tail node, the network of locator e is 5000::/64, the End SID is 5000::1, and the End.DT4 SID is 5000::2.

· Plan the traffic forwarding tunnel and the explicit path of the tunnel. In this example, traffic on the SC is forwarded to the tail node through the explicit path of an SRv6 TE policy. In the forwarding path, SFF 1 forwards the traffic to SF 1. SF 1 processes the traffic and forwards the traffic back to SFF 1. When the tail node sends traffic back to the SC, the traffic passes through SFF 2 to reach the SC in the explicit path of the SRv6 TE policy. The traffic is not forwarded to any SF.

Procedure

IMPORTANT:

In a dualhoming and bypass protection scenario, L3VPN and SRv6 TE policy settings are the same for SRv6 service chains that use Layer 2 encapsulation and Layer 3 encapsulation. This example only covers the configuration that Layer 2 encapsulation differs from Layer 3 encapsulation. For more information, see "Example: Configuring an SRv6 service chain in static proxy mode with Layer 3 encapsulation."

1. On SFF 1, SFF 2, and SFF 3, configure basic SRv6 service chain settings:

# Configure SFF 1.

<SFF1> system-view

[SFF1] interface gigabitethernet 0/0/3.1

[SFF1-GigabitEthernet0/0/3.1] vlan-type dot1q vid 2

[SFF1-GigabitEthernet0/0/3.1] quit

[SFF1-segment-routing-ipv6] locator as1 ipv6-prefix 2001:: 64 static 32

[SFF1-segment-routing-ipv6-locator-as1] opcode 1 end-as

[SFF1-segment-routing-ipv6-locator-as1-endas-1] inner-type ipv4

[SFF1-segment-routing-ipv6-locator-as1-endas-1] encapsulation eth out-interface gigabitethernet 0/0/3.1 out-s-vlan 2 in-interface gigabitethernet 0/0/3.1 in-s-vlan 2

[SFF1-segment-routing-ipv6-locator-as1-endas-1] cache source-address 1::1

[SFF1-segment-routing-ipv6-locator-as1-endas-1] cache list 2001::1 5000::1 5000::2

[SFF1-segment-routing-ipv6-locator-as1-endas-1] quit

[SFF1-segment-routing-ipv6-locator-as1] quit

[SFF1-segment-routing-ipv6] quit

[SFF1] isis 1

[SFF1-isis-1] address-family ipv6 unicast

[SFF1-isis-1-ipv6] segment-routing ipv6 locator as1

[SFF1-isis-1-ipv6] quit

[SFF1-isis-1] quit

# Configure SFF 2 as the backup of SFF 1 to access SF 1.

<SFF2> system-view

[SFF2] interface gigabitethernet 0/0/3.1

[SFF2-GigabitEthernet0/0/3.1] vlan-type dot1q vid 2

[SFF2-GigabitEthernet0/0/3.1] quit

[SFF2] segment-routing ipv6

[SFF2-segment-routing-ipv6] locator as1 ipv6-prefix 2001:: 64 static 32

[SFF2-segment-routing-ipv6-locator-as1] opcode 1 end-as

[SFF2-segment-routing-ipv6-locator-as1-endas-1] inner-type ipv4

[SFF2-segment-routing-ipv6-locator-as1-endas-1] encapsulation eth out-interface gigabitethernet 0/0/3.1 out-s-vlan 2 in-interface gigabitethernet 0/0/3.1 in-s-vlan 2

[SFF2-segment-routing-ipv6-locator-as1-endas-1] cache source-address 1::1

[SFF2-segment-routing-ipv6-locator-as1-endas-1] cache list 2001::1 5000::1 5000::2

[SFF2-segment-routing-ipv6-locator-as1-endas-1] quit

[SFF2-segment-routing-ipv6-locator-as1] quit

[SFF2-segment-routing-ipv6] quit

[SFF2] isis 1

[SFF2-isis-1] address-family ipv6 unicast

[SFF2-isis-1-ipv6] segment-routing ipv6 locator as1

[SFF2-isis-1-ipv6] quit

[SFF2-isis-1] quit

# Configure SFF3 to access SF 2.

<SFF3> system-view

[SFF3] interface gigabitethernet 0/0/3.1

[SFF3-GigabitEthernet0/0/3.1] vlan-type dot1q vid 2

[SFF3-GigabitEthernet0/0/3.1] quit

[SFF3] segment-routing ipv6

[SFF3-segment-routing-ipv6] locator as2 ipv6-prefix 4001:: 64 static 32

[SFF3-segment-routing-ipv6-locator-as2] opcode 1 end-as

[SFF3-segment-routing-ipv6-locator-as2-endas-1] inner-type ipv4

[SFF3-segment-routing-ipv6-locator-as2-endas-1] encapsulation eth out-interface gigabitethernet 0/0/3.1 out-s-vlan 2 in-interface gigabitethernet 0/0/3.1 in-s-vlan 2

[SFF3-segment-routing-ipv6-locator-as2-endas-1] cache source-address 1::1

[SFF3-segment-routing-ipv6-locator-as2-endas-1] cache list 4001::1 5000::1 5000::2

[SFF3-segment-routing-ipv6-locator-as2-endas-1] quit

[SFF3-segment-routing-ipv6-locator-as2] quit

[SFF3-segment-routing-ipv6] quit

[SFF3] isis 1

[SFF3-isis-1] address-family ipv6 unicast

[SFF3-isis-1-ipv6] segment-routing ipv6 locator as2

[SFF3-isis-1-ipv6] quit

[SFF3-isis-1] quit

2. On SFF 1 and SFF 2, configure SRv6 service chain dualhoming protection:

# Configure SFF 1.

[SFF1] segment-routing ipv6

[SFF1-segment-routing-ipv6] proxy peer-sid 3000::1

[SFF1-segment-routing-ipv6] locator as1

[SFF1-segment-routing-ipv6-locator-as1] opcode 1 end-as

[SFF1-segment-routing-ipv6-locator-as1-endas-1] backup-opcode 2

[SFF1-segment-routing-ipv6-locator-as1-endas-1] quit

[SFF1-segment-routing-ipv6-locator-as1] quit

[SFF1-segment-routing-ipv6] quit

# Configure SFF 2.

[SFF2] segment-routing ipv6

[SFF2-segment-routing-ipv6] proxy peer-sid 2000::1

[SFF2-segment-routing-ipv6] locator as1

[SFF2-segment-routing-ipv6-locator-as1] opcode 1 end-as

[SFF2-segment-routing-ipv6-locator-as1-endas-1] backup-opcode 2

[SFF2-segment-routing-ipv6] quit

3. On SFF 1 and SFF 2, configure SRv6 service chain bypass protection and configure SF 2 as the bypass protection node of SF 1:

# Configure SFF 1.

[SFF1] segment-routing ipv6

[SFF1-segment-routing-ipv6] locator as1

[SFF1-segment-routing-ipv6-locator-as1] opcode 1 end-as

[SFF1-segment-routing-ipv6-locator-as1-endas-1] bypass sid 4001::1

[SFF1-segment-routing-ipv6-locator-as1-endas-1] quit

[SFF1-segment-routing-ipv6-locator-as1] quit

# Configure SFF 2.

[SFF2] segment-routing ipv6

[SFF2-segment-routing-ipv6] locator as1

[SFF2-segment-routing-ipv6-locator-as1] opcode 1 end-as

[SFF2-segment-routing-ipv6-locator-as1-endas-1] bypass sid 4001::1

[SFF2-segment-routing-ipv6-locator-as1-endas-1] quit

[SFF2-segment-routing-ipv6-locator-as1] quit

[SFF2-segment-routing-ipv6] quit

Verifying the configuration

[SFF1] display segment-routing ipv6 sfc forwarding

Total forwarding entries: 3

NID : 2153775105

Locator name/Opcode : as1/1

Type : Cache list

Path Count : 1

Interface : GE0/0/4

NextHop : FE80::424:B0FF:FEF7:AD02

NID : 2153775106

Locator name/Opcode : as1/1

Type : Backup opcode

Path Count : 1

Interface : GE0/0/2

NextHop : ::1

NID : 2153775107

Locator name/Opcode : as2/1

Type : Bypass

Path Count : 1

Interface : GE0/0/4

NextHop : FE80::424:B0FF:FEF7:AD02

2. On SFF 1, display SRv6 forwarding entry information.

[SFF1] display segment-routing ipv6 forwarding

Total SRv6 forwarding entries: 3

Flags: T - Forwarded through a tunnel

N - Forwarded through the outgoing interface to the nexthop IP address

A - Active forwarding information

B - Backup forwarding information

ID FWD-Type Flags Forwarding info

--------------------------------------------------------------------------------

2153775105 SRv6SFC NA GE0/0/4

FE80::424:B0FF:FEF7:AD02

{2001::1, 5000::1, 5000::2}

2153775106 SRv6SFC N GE0/0/2

::1

{3000::1}

2153775107 SRv6SFC NA GE0/0/4

FE80::424:B0FF:FEF7:AD02

{4001::1}

11-Segment Routing Configuration Guide

SRv6 service chain basic concepts

SRv6 service chain traffic forwarding

SRv6 service chain traffic forwarding with dualhoming and bypass protection

SRv6 service chain tasks at a glance (static proxy mode)

SRv6 service chain tasks at a glance (masquerading mode)

Creating an SRv6 service chain

About this task

Restrictions and guidelines

Procedure

Creating an SRv6 service chain in masquerading mode

About this task

Restrictions and guidelines

Procedure

Configuring the packet encapsulation method for an SRv6 service chain in masquerading mode

About this task

Restrictions and guidelines

Procedure

Configuring packet reencapsulation parameters for an SRv6 service chain in static proxy mode

About this task

Restrictions and guidelines

Procedure

About this task

Restrictions and guidelines

Procedure

About this task

Procedure

Restrictions and guidelines

Procedure

Restrictions and guidelines

Procedure

About this task

Restrictions and guidelines

Procedure

Verifying and maintaining SRv6 service chains

SRv6 service chain configuration examples

Network configuration

Prerequisites

Procedure

Verifying the configuration

Network configuration

Prerequisites

Procedure

Verifying the configuration

Network configuration

Prerequisites

Procedure

Verifying the configuration

Network configuration

Prerequisites

Procedure

Verifying the configuration

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

Company Information

News & Events

Contact Us