SRv6 Simulation with FRR

SRv6 stands for Segment Routing over IPv6 and will be the replacement for MPLS.

Prerequisites

To have SRv6 working with FRR and Linux, you need at least Linux kernel 5.19, iproute2 version 6.x and FRR 8.4.1. This document describes how to create a QEMU image with those minimum versions and two VRFs.

This configuration can be used in a simulation such as this one:

Figure 1: SRv6 Simulation with FRR and GNS-3

IP Base configuration

All interfaces of the core network are configured with IPv6 addresses and IP point-to-point connectivity is already up and running.

IPv4 and IPv6 forwarding are enabled:

ip forwarding
ipv6 forwarding

It is also useful to give the loopback interfaces IPv6 addresses and use them for the BGP sessions between the PEs. Those interfaces also participate in the IS-IS route exchange.

IS-IS Configuration

The base configuration is the following, having all nodes in the same area and using Level-1 connections.

  • <x> is your router number, for example 1, 2 or 3 ;-)
  • <n> is the number of each interface on which IS-IS is configured

As an example:

router isis <Process Name>
 is-type level-1
 net 49.0001.0001.0001.000<x>.00
 lsp-mtu 1300
 topology ipv6-unicast
 !
 interface eth<n>
  ipv6 router isis <Process Name>
  isis circuit-type level-1
 !
 interface lo
  ipv6 router isis <Process Name>
  isis circuit-type level-1
  isis passive

SRv6 Configuration

The configuration is completed as shown in this example:

  • <x> is your router number, for example 1, 2 or 3 ;-)

segment-routing
 srv6
  locators
   locator <Router-Name>
    prefix 2001:dead:<x>::/64
   exit
   !
  exit
  !
 exit

In order to announce this prefix, we can create a loopback interface (or dummy interface) and activate IS-IS on it:

interface lo1
  ipv6 address 2001:dead:<x>::1/64
  ipv6 router isis <Process Name>
  isis circuit-type level-1
  isis passive

Add the following two commands in the ISIS configuration:

router isis SRv6
 segment-routing on
 segment-routing node-msd 8
exit
!

BGP Configuration

The base configuration is completed as shown in this example (for the router FRR-3):

router bgp 65000
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 bgp graceful-restart
 neighbor 2001:db8:66::6 remote-as 65000
 neighbor 2001:db8:66::6 description FRR-6
 neighbor 2001:db8:66::6 update-source lo
 neighbor 2001:db8:66::6 capability extended-nexthop
 !
 segment-routing srv6
  locator FRR3
 exit
 !
 address-family ipv4 unicast
  neighbor 2001:db8:66::6 activate
 exit-address-family
 !
 address-family ipv4 vpn
  neighbor 2001:db8:66::6 activate
 exit-address-family
 !
 address-family ipv6 unicast
  network 2001:dead:30::/64
  aggregate-address 2001:dead:30::/64 summary-only
  neighbor 2001:db8:66::6 activate
 exit-address-family
 !
 address-family ipv6 vpn
  neighbor 2001:db8:66::6 activate
 exit-address-family
exit

We also have to configure the different VRFs for the routing exchange:

router bgp 65000 vrf Client1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 bgp graceful-restart
 !
 address-family ipv4 unicast
  redistribute connected
  redistribute ospf
  sid vpn export auto
  rd vpn export 65000:1
  nexthop vpn export 2001:dead:30::
  rt vpn both 65000:1
  export vpn
  import vpn
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
  redistribute ospf6
  sid vpn export auto
  rd vpn export 65000:1
  nexthop vpn export 2001:dead:30::
  rt vpn both 65000:1
  export vpn
  import vpn
 exit-address-family
exit
!
router bgp 65000 vrf Client2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 bgp graceful-restart
 !
 address-family ipv4 unicast
  redistribute connected
  redistribute ospf
  sid vpn export auto
  rd vpn export 65000:2
  nexthop vpn export 2001:dead:30::
  rt vpn both 65000:2
  export vpn
  import vpn
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
  redistribute ospf6
  sid vpn export auto
  rd vpn export 65000:2
  nexthop vpn export 2001:dead:30::
  rt vpn both 65000:2
  export vpn
  import vpn
 exit-address-family
exit
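
The VRF blocks above keep Client1 and Client2 apart only because their RD and RT values differ, and BGP can only allocate SIDs if the locator it names is the one defined under segment-routing. The following check is an added example, not part of the original page or of FRR; the function names and the sample configuration are constructed for illustration, and per-address-family keying of RD/RT values is a choice made here.

```shell
#!/bin/sh
# lint_frr_config: read an FRR config on stdin, print findings, exit 1 if any.
lint_frr_config() {
    awk '
    function claim(kind, val,   k) {      # remember which VRF first used an RD / import RT
        k = kind " " af " " val
        if ((k in owner) && owner[k] != vrf) clash[k] = owner[k] " and " vrf
        else owner[k] = vrf
    }
    /^router bgp /      { ctx = "bgp"; vrf = ($4 == "vrf") ? $5 : "default"; next }
    /^segment-routing$/ { ctx = "sr"; next }
    /^[^ !]/            { ctx = ""; next }   # any other top-level line ends the block
    ctx == "sr"  && $1 == "locator"        { defined[$2] = 1 }
    ctx == "bgp" && $1 == "locator"        { used[$2] = 1 }
    ctx == "bgp" && $1 == "address-family" { af = $2 }
    ctx == "bgp" && $1 == "rd" && $2 == "vpn" { claim("rd", $4) }
    ctx == "bgp" && $1 == "rt" && $2 == "vpn" && $3 != "export" {
        for (i = 4; i <= NF; i++) claim("rt-import", $i)
    }
    END {
        for (l in used) if (!(l in defined)) { print "undefined locator " l; bad = 1 }
        for (k in clash) { print k " used by " clash[k]; bad = 1 }
        exit bad + 0
    }'
}

# sample_config LOCATOR_IN_BGP CLIENT2_RT: constructed config modelled on FRR-3 above.
sample_config() {
    cat <<EOF
segment-routing
 srv6
  locators
   locator FRR3
    prefix 2001:dead:30::/64
exit
router bgp 65000
 segment-routing srv6
  locator $1
exit
router bgp 65000 vrf Client1
 address-family ipv4 unicast
  rd vpn export 65000:1
  rt vpn both 65000:1
exit
router bgp 65000 vrf Client2
 address-family ipv4 unicast
  rd vpn export 65000:2
  rt vpn both $2
exit
EOF
}
# Deliberately broken sample: misspelled locator, Client2 importing the Client1 RT.
sample_config FRR-3 65000:1 | lint_frr_config || true
```

On a router, the same function can be fed the live configuration with `vtysh -c 'show running-config' | lint_frr_config`. A shared import RT is only a finding when the VRFs are meant to stay separate, as they are in this simulation.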

L3 VPN

The route exchange between the PE and the customer's CE (VRF Client1 or Client2) uses OSPFv3 for IPv6 and OSPFv2 for IPv4. The default route is announced from the PE. On the PE, add the following configuration for the customer side, for example on FRR-3:

vrf Client1

interface eth3
  description Part of VRF Client1 (configured at linux level)
  ip address 172.16.11.3/24
  ipv6 address 2001:cafe:11::3/64

router ospf vrf Client1
 ospf router-id 3.3.3.3
 network 172.16.11.0/24 area 0
 redistribute bgp
 default-information originate always
exit
!
router ospf6 vrf Client1
 ospf6 router-id 3.3.3.3
 redistribute bgp
 default-information originate always
exit
!

The BGP configuration for VRF Client1 is completed as shown in this example:

router bgp 65000 vrf Client1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 bgp graceful-restart
 !
 address-family ipv4 unicast
  redistribute connected
  redistribute ospf
  sid vpn export auto
  rd vpn export 65000:1
  nexthop vpn export 2001:dead:30::
  rt vpn both 65000:1
  export vpn
  import vpn
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
  redistribute ospf6
  sid vpn export auto
  rd vpn export 65000:1
  nexthop vpn export 2001:dead:30::
  rt vpn both 65000:1
  export vpn
  import vpn
 exit-address-family
exit

Warning

To enable the use of END.DT4 (bug), run the following commands as root in the Linux console (not in the FRR CLI) once your configuration is complete:

sysctl -w net.vrf.strict_mode=1
systemctl restart frr
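
A preflight check covering both the minimum versions from the Prerequisites section and the sysctl above, as an added example that is not part of the original page. The function names are illustrative, and it assumes `vtysh -c 'show version'` prints a line starting with `FRRouting <version>`.

```shell
#!/bin/sh
# version_ge HAVE WANT: true when dotted numeric HAVE >= WANT, compared field by field.
version_ge() {
    [ -n "$1" ] || return 1                 # unparsable version counts as too old
    awk -v have="$1" -v want="$2" 'BEGIN {
        n = split(have, h, "."); m = split(want, w, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (h[i] + 0 > w[i] + 0) exit 0
            if (h[i] + 0 < w[i] + 0) exit 1
        }
        exit 0
    }'
}

# Parsers take raw tool output as $1 so they can be exercised without the tool installed.
kernel_version()   { printf '%s\n' "$1" | sed 's/^\([0-9.]*\).*/\1/'; }
iproute2_version() { printf '%s\n' "$1" | sed -n 's/.*iproute2-\([0-9][0-9.]*\).*/\1/p'; }
frr_version()      { printf '%s\n' "$1" | sed -n 's/^FRRouting \([0-9][0-9.]*\).*/\1/p'; }

# check NAME HAVE WANT: print one result line; non-zero status when HAVE is too old.
check() {
    if version_ge "$2" "$3"; then echo "ok   $1 $2 (need >= $3)"
    else echo "FAIL $1 ${2:-unknown} (need >= $3)"; return 1; fi
}

preflight() {
    rc=0
    check kernel   "$(kernel_version "$(uname -r)")" 5.19 || rc=1
    check iproute2 "$(iproute2_version "$(ip -V 2>&1)")" 6 || rc=1
    check frr      "$(frr_version "$(vtysh -c 'show version' 2>/dev/null)")" 8.4.1 || rc=1
    # The key exists only once the vrf module is loaded; empty output is a failure too.
    if [ "$(sysctl -n net.vrf.strict_mode 2>/dev/null)" = 1 ]; then
        echo "ok   net.vrf.strict_mode=1"
    else
        echo "FAIL net.vrf.strict_mode is not 1"; rc=1
    fi
    return $rc
}

# Live checks run only when the script is invoked with the argument "run".
if [ "${1:-}" = run ]; then preflight; fi
```

Older iproute2 builds report a snapshot tag instead of a dotted version; the parser returns nothing for those and the check reports them as too old.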

Configurations

Here are the configurations of all the equipment used in this simulation:

Last updated: 3 October 2023