OSPF Loop-Free Alternate (LFA) Fast Reroute (FRR) allows OSPF to quickly switch (within 50 ms) to a backup path when a primary path fails. Without LFA FRR, OSPF has to re-run SPF to find a new path when the primary path fails. With LFA FRR, OSPF pre-computes a backup path and installs the backup next hop in the forwarding table.
If you have seen my EIGRP LFA FRR lesson, you know that EIGRP uses its feasible successors as backup paths. OSPF doesn’t have the concept of feasible successors but it does have another trick up its sleeve. As a link-state routing protocol, all routers in the same area share the same LSDB. This allows OSPF to run SPF with any other router in the area as the root, finding usable backup paths.
IGPs have two methods to calculate LFAs:
- Per-link: all prefixes that are reachable through a certain link share the same next hop address. An IGP can calculate a backup next hop for all prefixes that use the same link. When the link fails, all prefixes will automatically be assigned to use the same backup next hop address. The advantage of per-link LFA is that it requires fewer CPU cycles and memory than per-prefix LFA. The downside, however, is that once the primary link fails, you suddenly put a lot of burden on the backup link.
- Per-prefix: the IGP calculates an LFA for each and every prefix. It requires more CPU cycles and memory but it does offer better load balancing. When a primary path fails, prefixes could use different backup paths, spreading the traffic throughout the network.
When OSPF has to select a backup path, it doesn’t just look for the “next best” lowest metric path but it uses a list of “tie breakers” to decide what path to use. This process is a bit similar to how BGP uses attributes. OSPF is able to use the following tie breakers:
- SRLG (Shared Risk Link Groups): this is a group of interfaces that have a high likelihood of failing at the same time. For example, VLAN interfaces that use the same physical interface. When one logical interface goes down, it’s very likely that the other logical interfaces on the same physical interface go down too. In the EIGRP LFA FRR lesson, you can find a configuration example for SRLG.
- Interface Protection: don’t select an LFA that uses the same outgoing interface as the primary path.
- Broadcast Interface Protection: don’t select backup paths that use the same broadcast network as the primary path. With a broadcast network (most likely a switch), you can have different next hops but you still use the same link. When the switch fails, there is a risk that the primary and backup paths are both unreachable.
- Node Protection: don’t select a backup path that uses the same next-hop router as your primary path. I will demonstrate this one in the configuration section where it’s explained in detail.
- Downstream Path: this is very similar to the EIGRP feasible successor rule. A neighbor should have a smaller metric to the destination than the total metric of our primary path. This attribute is added since traffic sent over backup paths might loop for a short time until OSPF recalculates the primary path.
- Line-Card Disjoint Interfaces: this is similar to SRLGs, don’t use backup paths that use the same line card as the primary path.
- Metric: the best backup path might not be the one with the lowest metric next to the primary path, which is why we have all these tie breaker attributes. However, you can still use the lowest metric as one of the tie breakers.
- Equal-Cost Multipath:
  - Primary: prefer a backup path that is part of ECMP (equal cost multipath).
  - Secondary: prefer a backup path that is not part of ECMP. This can be useful if a single link in ECMP is unable to handle all traffic. Imagine you have 2x 100 Mbit interfaces carrying about 150 Mbit of traffic. When one of the links fails, a single link will be unable to transmit everything. In this case, it’s best not to use the remaining link of the ECMP as a backup path.
Configuration
Let’s take a look at OSPF LFA FRR in action. We have the following topology:

There are five routers in total. We focus on R1 that wants to reach 5.5.5.5/32 behind R5. There are three paths. The shortest path is through R2; R3 and R4 could be used as backup paths.
Without LFA FRR
Let’s first take a look at R1 when we don’t use LFA FRR. Here’s the routing table:
R1#show ip route 5.5.5.5
Routing entry for 5.5.5.5/32
Known via "ospf 1", distance 110, metric 5, type intra area
Last update from 192.168.12.2 on GigabitEthernet2, 00:00:40 ago
Routing Descriptor Blocks:
* 192.168.12.2, from 5.5.5.5, 00:00:40 ago, via GigabitEthernet2
Route metric is 5, traffic share count is 1
R1 uses 192.168.12.2 (R2) as its next hop, which is installed in the forwarding table:
R1#show ip cef 5.5.5.5
5.5.5.5/32
nexthop 192.168.12.2 GigabitEthernet2
Right now, when R2 fails, R1 has to re-run SPF to figure out a new path.
With LFA FRR
Let’s enable fast reroute with the fast-reroute command:
R1(config)#router ospf 1
R1(config-router)#fast-reroute ?
keep-all-paths Keep LFA FRR audit trail
per-prefix Per-prefix LFA FRR parameters
This router only supports per-prefix LFA. We’ll talk about “keep-all-paths” in a bit. Let’s see what options we have:
R1(config-router)#fast-reroute per-prefix enable ?
area Area to enable LFA FRR in
prefix-priority Priority of prefixes to be protected
Let’s configure the area we want to protect, area 0 in our case:
R1(config-router)#fast-reroute per-prefix enable area 0 ?
prefix-priority Priority of prefixes to be protected
The other thing we have to configure is the priority:
R1(config-router)#fast-reroute per-prefix enable area 0 prefix-priority ?
high High priority prefixes
low Low priority prefixes
There are two options; high and low. When you select the high priority, OSPF treats loopback and /32 prefixes with higher priority, calculating an LFA for these a bit earlier than other prefixes. When you select the low priority, it just calculates an LFA for all prefixes. Let’s go for the low priority option:
R1(config-router)#fast-reroute per-prefix enable area 0 prefix-priority low
That’s all there is to configure. There is one more command I’d like to show you though:
R1(config-router)#fast-reroute keep-all-paths
When you add this command, OSPF keeps track of all paths…not only the primary path and backup path but all paths that it considered but has not selected. First, let’s look at the routing table:
R1#show ip route 5.5.5.5
Routing entry for 5.5.5.5/32
Known via "ospf 1", distance 110, metric 5, type intra area
Last update from 192.168.12.2 on GigabitEthernet2, 00:00:53 ago
Routing Descriptor Blocks:
* 192.168.12.2, from 5.5.5.5, 00:00:53 ago, via GigabitEthernet2
Route metric is 5, traffic share count is 1
Repair Path: 192.168.13.3, via GigabitEthernet3
Above we see that R1 has selected R2 as the primary path and R3 as a backup path. Let’s look at the forwarding table:
R1#show ip cef 5.5.5.5
5.5.5.5/32
nexthop 192.168.12.2 GigabitEthernet2
repair: attached-nexthop 192.168.13.3 GigabitEthernet3
In the forwarding table, we find the repair next hop as well. Excellent! R4 could also be selected as a backup path but R1 preferred R3. We can see a list of all possible backup paths with the following command:
R1#show ip ospf rib 5.5.5.5
OSPF Router with ID (1.1.1.1) (Process ID 1)
Base Topology (MTID 0)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB
LSA: type/LSID/originator
*> 5.5.5.5/32, Intra, cost 5, area 0
SPF Instance 23, age 21:03:19
Flags: RIB, HiPrio
via 192.168.12.2, GigabitEthernet2 label 1048578
Flags: RIB
LSA: 1/5.5.5.5/5.5.5.5
repair path via 192.168.13.3, GigabitEthernet3 label 1048578, cost 7
Flags: RIB, Repair, IntfDj, BcastDj, CostWon, NodeProt, Downstr
LSA: 1/5.5.5.5/5.5.5.5
repair path via 192.168.14.4, GigabitEthernet4, cost 9
Flags: Ignore, Repair, IntfDj, BcastDj, NodeProt
LSA: 1/5.5.5.5/5.5.5.5
The output above is pretty neat. It shows us the primary path, the backup path, and the ignored path through R4. The information about R4 only shows up because I added the fast-reroute keep-all-paths command.
Tie Breakers
As explained in the first part of this lesson, LFA FRR uses tie breakers to decide which backup path to use. These are similar to the attributes BGP uses. On my CSR1000V router, the following tie breakers are active with the following priorities:
R1#show running-config all | incl break
fast-reroute per-prefix tie-break primary-path index 10
fast-reroute per-prefix tie-break interface-disjoint index 20
fast-reroute per-prefix tie-break lowest-metric index 30
fast-reroute per-prefix tie-break linecard-disjoint index 40
fast-reroute per-prefix tie-break broadcast-interface-disjoint index 50
The lower the priority value (the index), the more important the tie breaker is. If you want to change the tie breakers, you have to use the fast-reroute per-prefix command:
R1(config)#router ospf 1
R1(config-router)#fast-reroute per-prefix tie-break ?
broadcast-interface-disjoint Interface protection attribute
downstream Downstream repair path attribute
interface-disjoint Interface protection attribute
linecard-disjoint Line card protection attribute
lowest-metric Lowest metric repair path attribute
node-protecting Node protecting repair path attribute
primary-path Equal cost multipath attribute
secondary-path Not-equal cost multipath attribute
srlg Shared risk link group attribute
Let’s try one of these in action.
Node Protecting
We will test the node protecting tie breaker. On my router, it is disabled by default. There are a couple of changes I’ll make to our topology:

We use the same topology but there is a new link in between R2 and R3. I also slightly increased the cost on the link between R3 and R5. Right now, R1 uses R2 as the primary path and R3 as the backup path. R4 is not used:
R1#show ip ospf rib 5.5.5.5
OSPF Router with ID (1.1.1.1) (Process ID 1)
Base Topology (MTID 0)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB
LSA: type/LSID/originator
*> 5.5.5.5/32, Intra, cost 5, area 0
SPF Instance 11, age 00:03:57
Flags: RIB, HiPrio
via 192.168.12.2, GigabitEthernet2 label 1048578
Flags: RIB
LSA: 1/5.5.5.5/5.5.5.5
repair path via 192.168.13.3, GigabitEthernet3 label 1048578, cost 7
Flags: RIB, Repair, IntfDj, BcastDj, CostWon, Downstr
LSA: 1/5.5.5.5/5.5.5.5
repair path via 192.168.14.4, GigabitEthernet4, cost 9
Flags: Ignore, Repair, IntfDj, BcastDj, NodeProt
LSA: 1/5.5.5.5/5.5.5.5
Using R3 as a backup path doesn’t make much sense. Because of the cost change, R3 is using R2 as the next hop to reach 5.5.5.5:
R3#show ip route | include 5.5.5.5
O 5.5.5.5 [110/4] via 192.168.23.2, 00:02:13, GigabitEthernet4
Whenever R2 fails, R3 has to re-converge to find a new next hop. On the other hand, nothing will change for R4 so even though R4 has a higher metric path, it is a better choice than R3.
Let’s enable node protecting and change the priority to the lowest value of all currently active tie breakers:
R1(config)#router ospf 1
R1(config-router)#fast-reroute per-prefix tie-break node-protecting required index 5
With this change, R1 now prefers R4 as a backup path:
R1#show ip ospf rib 5.5.5.5
OSPF Router with ID (1.1.1.1) (Process ID 1)
Base Topology (MTID 0)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB
LSA: type/LSID/originator
*> 5.5.5.5/32, Intra, cost 5, area 0
SPF Instance 13, age 00:18:13
Flags: RIB, HiPrio
via 192.168.12.2, GigabitEthernet2 label 1048578
Flags: RIB
LSA: 1/5.5.5.5/5.5.5.5
repair path via 192.168.14.4, GigabitEthernet4 label 1048578, cost 9
Flags: RIB, Repair, IntfDj, BcastDj, NodeProt
LSA: 1/5.5.5.5/5.5.5.5
repair path via 192.168.13.3, GigabitEthernet3, cost 7
Flags: Ignore, Repair, IntfDj, BcastDj, Downstr
LSA: 1/5.5.5.5/5.5.5.5
That’s all there is to it.
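The selection above can be reproduced offline by running SPF rooted at each neighbor and applying the RFC 5286 loop-free, downstream and node-protecting inequalities. This is an added example, not code from the lesson or from Cisco; the link costs are assumptions chosen to match the costs shown in the output (the topology figure is not part of the text), and the function names are hypothetical.

```python
import heapq

# Constructed link costs (assumptions: the topology figure is not in the text), chosen
# to match the lesson's output: primary 5 via R2, repair 7 via R3, repair 9 via R4.
LINKS = {("R1", "R2"): 2, ("R1", "R3"): 3, ("R1", "R4"): 4, ("R2", "R3"): 1,
         ("R2", "R5"): 2, ("R3", "R5"): 4, ("R4", "R5"): 4, ("R5", "5.5.5.5/32"): 1}

def build_graph(links):
    graph = {}
    for (a, b), cost in links.items():
        graph.setdefault(a, {})[b] = graph.setdefault(b, {})[a] = cost
    return graph

def spf(graph, root):
    """Dijkstra with `root` as the SPF root; returns {node: lowest cost}."""
    dist, queue = {root: 0}, [(0, root)]
    while queue:
        d, node = heapq.heappop(queue)
        if d > dist[node]:
            continue  # stale queue entry
        for nbr, cost in graph[node].items():
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(queue, (d + cost, nbr))
    return dist

def lfa_candidates(graph, src, dest):
    """Return (primary next hop, {neighbor: (repair cost, flags)})."""
    d_src = spf(graph, src)
    trees = {n: spf(graph, n) for n in graph[src]}  # SPF rooted at each neighbor
    primary = min(trees, key=lambda n: graph[src][n] + trees[n][dest])
    found = {}
    for n, d_n in trees.items():
        if n == primary or d_n[dest] >= d_n[src] + d_src[dest]:
            continue  # the primary itself, or not loop-free (path leads back via src)
        flags = set()
        if d_n[dest] < d_src[dest]:
            flags.add("Downstr")   # neighbor is closer to dest than src is
        if d_n[dest] < d_n[primary] + trees[primary][dest]:
            flags.add("NodeProt")  # neighbor's best path avoids the primary next hop
        found[n] = (graph[src][n] + d_n[dest], flags)
    return primary, found

def select_repair(found, require_node_protection=False):  # lowest metric wins
    pool = {n: v for n, v in found.items() if not require_node_protection or "NodeProt" in v[1]}
    return min(pool, key=lambda n: pool[n][0]) if pool else None

if __name__ == "__main__":
    primary, found = lfa_candidates(build_graph(LINKS), "R1", "5.5.5.5/32")
    print(primary, found, select_repair(found), select_repair(found, True))
```

With these costs R3 is downstream but not node-protecting (its best path runs through R2), while R4 is node-protecting but not downstream, which matches the flags in the output above.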
Miscellaneous
There are a couple of other commands that are useful to know. If you want to see how many prefixes are protected and on what interfaces, use the following command:
R1#show ip ospf fast-reroute prefix-summary
OSPF Router with ID (1.1.1.1) (Process ID 1)
Base Topology (MTID 0)
Area 0:
Interface       Protected   Primary paths     Protected paths   Percent protected
                            All  High   Low   All  High   Low    All  High   Low
Gi4             Yes           1     0     1     0     0     0     0%    0%    0%
Gi3             Yes           1     0     1     0     0     0     0%    0%    0%
Gi2             Yes           4     1     3     4     1     3   100%  100%  100%
Area total:                   6     1     5     4     1     3    66%  100%   60%
Process total:                6     1     5     4     1     3    66%  100%   60%
Also, if you don’t want to use an interface as a backup path or don’t want to protect its prefixes, you can use the following command:
R1(config)#interface GigabitEthernet 4
R1(config-if)#ip ospf fast-reroute per-prefix ?
candidate If interface can be protecting
protection If interface can be protected
Let’s see if we can tell the router not to use GigabitEthernet 4 as a backup path:
R1(config-if)#ip ospf fast-reroute per-prefix candidate disable
Let’s verify this:
R1#show ip ospf rib 5.5.5.5
OSPF Router with ID (1.1.1.1) (Process ID 1)
Base Topology (MTID 0)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB
LSA: type/LSID/originator
*> 5.5.5.5/32, Intra, cost 5, area 0
SPF Instance 16, age 00:51:31
Flags: RIB, HiPrio
via 192.168.12.2, GigabitEthernet2 label 1048578
Flags: RIB
LSA: 1/5.5.5.5/5.5.5.5
repair path via 192.168.13.3, GigabitEthernet3, cost 7
Flags: Ignore, Repair, IntfDj, BcastDj, Downstr
LSA: 1/5.5.5.5/5.5.5.5
GigabitEthernet 4 is completely removed, which is why we now see R3 again as a backup path.
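To check many prefixes at once, the show ip ospf rib output can be parsed and audited for prefixes whose installed repair path is missing or not node-protecting. This is an added example, not part of the lesson: the sample text is the output shown earlier in the Node Protecting section, the function names are hypothetical, and treating the RIB flag as "installed" is an assumption based on the outputs on this page.

```python
import re

# Sample copied from the lesson's output (second topology, before node-protecting).
SAMPLE = """\
*> 5.5.5.5/32, Intra, cost 5, area 0
SPF Instance 11, age 00:03:57
Flags: RIB, HiPrio
via 192.168.12.2, GigabitEthernet2 label 1048578
Flags: RIB
LSA: 1/5.5.5.5/5.5.5.5
repair path via 192.168.13.3, GigabitEthernet3 label 1048578, cost 7
Flags: RIB, Repair, IntfDj, BcastDj, CostWon, Downstr
LSA: 1/5.5.5.5/5.5.5.5
repair path via 192.168.14.4, GigabitEthernet4, cost 9
Flags: Ignore, Repair, IntfDj, BcastDj, NodeProt
LSA: 1/5.5.5.5/5.5.5.5
"""

PREFIX_RE = re.compile(r"^\*?>?\s*([\d.]+/\d+), \w+, cost (\d+)")
REPAIR_RE = re.compile(r"^repair path via ([\d.]+), ([^\s,]+).*cost (\d+)$")

def parse_rib(text):
    """Return {prefix: [repair path dicts]} from 'show ip ospf rib' text."""
    rib, prefix, current = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := PREFIX_RE.match(line):
            prefix, current = m[1], None
            rib[prefix] = []
        elif prefix and (m := REPAIR_RE.match(line)):
            current = {"next_hop": m[1], "interface": m[2], "cost": int(m[3]), "flags": set()}
            rib[prefix].append(current)
        elif line.startswith("via "):
            current = None  # primary path: the Flags line after it is not a repair path's
        elif line.startswith("Flags:") and current is not None:
            current["flags"] = {f.strip() for f in line[6:].split(",")}
    return rib

def audit(rib):
    """Report prefixes with no installed repair path (assumed: RIB flag) or no NodeProt."""
    findings = []
    for prefix, repairs in rib.items():
        installed = [r for r in repairs if "RIB" in r["flags"]]
        if not installed:
            findings.append((prefix, None, "no repair path installed"))
        elif "NodeProt" not in installed[0]["flags"]:
            findings.append((prefix, installed[0]["next_hop"], "not node-protecting"))
    return findings

if __name__ == "__main__":
    print(audit(parse_rib(SAMPLE)))
```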
Conclusion
You have now learned:
- how OSPF uses LFA (Loop Free Alternate) FRR (Fast Reroute) to install a backup path next hop in the forwarding table of your router.
- the difference between per-link and per-prefix LFA.
- the different tie breakers OSPF uses to select a backup path.
- how to configure LFA FRR.
- how to verify everything.