NextGenNetworking

Sunday, 2 February 2020

BGP Communities: OSPF Domain-ID and OSPF Route Type

I mentioned the BGP communities; OSPF Domain-ID and OSPF RT.

My intention now is to go deeper into these BGP communities and show how we can work with them.

When OSPF is being used as the PE-CE protocol, the PEs needs to inform other PEs how to interpret the routes they are announcing through MP-BGP, so this way they can choose what type of LSA to use when redistributing from MP-BGP back into OSPF. The communities used for that purpose are OSPF Domain-ID and OSPF RT, and they are attached to the prefixes by the original PE when redistributing from OSPF into MP-BGP. Then, the destination PE gets to know which LSA type to use in the redistribution from MP-BGP back into OSPF.

Let’s study the next scenario:

Assume both PEs use the same OSPF process-id, and that there is not domain-id configured. In our case, both PEs will have the same domain-id as this is extracted from the process-id.

In the next output, we see both PEs running OSPF 100 with their respective CEs:

PE1#show ip ospf 100
Routing Process "ospf 100" with ID 10.10.11.2
Domain ID type 0x0005, value 0.0.0.100

PE2#show ip ospf 100
Routing Process "ospf 100" with ID 10.10.22.1
Domain ID type 0x0005, value 0.0.0.100

As we can see, both PEs have the same domain-id 0.0.0.100.

Let’s check how PE1 receives in BGP the loopback of CE2 that was previously redistributed:

PE1#show bgp vpnv4 unicast all 2.2.2.2/32
BGP routing table entry for 1:1:2.2.2.2/32, version 116
Paths: (1 available, best #1, table VPN_A)
Not advertised to any peer
Local
    100.100.100.2 (metric 11) from 100.100.100.2 (100.100.100.2)
      Origin incomplete, metric 11, localpref 100, valid, internal, best
      Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000640200
        OSPF RT:0.0.0.1:2:0 OSPF ROUTER ID:10.10.22.1:0
      mpls labels in/out nolabel/21

The OSPF Domain-ID for this prefix is 0×00000064 (0.0.0.100 in decimal).

Since there are no sham-links configured and both PEs have the same Domain-ID, the prefix will be redistributed as an INTER-AREA prefix (LSA-3).

Let’s check on CE1 if this is true:

CE1#show ip route 2.2.2.2
Routing entry for 2.2.2.2/32
Known via "ospf 100", distance 110, metric 21, type inter area
Last update from 10.10.11.2 on FastEthernet0/0, 00:00:00 ago
Routing Descriptor Blocks:
* 10.10.11.2, from 10.10.11.2, 00:00:00 ago, via FastEthernet0/0
Route metric is 21, traffic share count is 1

What will happen if we change the domain-id in PE2?

By specifying the domain-id in the configuration, the OSPF process ID is no longer taken into account when building the domain-id, only the value specified is used.

PE2(config)#router ospf 100 vrf VPN_A
PE2(config-router)#domain-id 100.100.100.2
PE2(config-router)#end

PE1#shw bgp vpnv4 unicast all 2.2.2.2/32
BGP routing table entry for 1:1:2.2.2.2/32, version 126
Paths: (1 available, best #1, table VPN_A)
Flag: 0x820
Not advertised to any peer
Local
    100.100.100.2 (metric 11) from 100.100.100.2 (100.100.100.2)
     Origin incomplete, metric 11, localpref 100, valid, internal, best
      Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x646464020200
        OSPF RT:0.0.0.1:2:0 OSPF ROUTER ID:10.10.22.1:0
      mpls labels in/out nolabel/18

CE1#show ip route 2.2.2.2
Routing entry for 2.2.2.2/32
Known via "ospf 100", distance 110, metric 11
Tag Complete, Path Length == 1, AS 65000, , type extern 2, forward metric 10
Last update from 10.10.11.2 on FastEthernet0/0, 00:00:12 ago
Routing Descriptor Blocks:
* 10.10.11.2, from 10.10.11.2, 00:00:12 ago, via FastEthernet0/0
Route metric is 11, traffic share count is 1
Route tag 3489725928

Now CE1 sees the prefix as an External prefix (LSA-5). And why is that? Well, by specifying two different domain-id’s in OSPF, the routing process assumes there are two different OSPF instances running inside the VPN. So it’s like if we were redistributing prefixes from one OSPF process to the other. And it’s seen as a LSA-5 Type 2 because that’s the redistributing type by default (if we wanted to change that, we should change the redistribute command under OSPF by specifying into which type of External LSA redistribute: Type 1 or Type 2).

Ok, nice!! But let’s try to play now with the BGP community OSPF RT. Until now, this community hasn’t given any info. But if we configure a sham-link between both PEs (check this post about how to create a sham-link), the values of the community OSPF RT will come into play.

Let’s check how PE1 sees CE2′s Loopback after configuring the sham-link

PE1#show bgp vpnv4 unicast all 2.2.2.2/32
BGP routing table entry for 1:1:2.2.2.2/32, version 138
Paths: (1 available, best #1, table VPN_A, RIB-failure(17))
Not advertised to any peer
Local
    100.100.100.2 (metric 11) from 100.100.100.2 (100.100.100.2)
      Origin incomplete, metric 11, localpref 100, valid, internal, best
      Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x646464020200
        OSPF RT:0.0.0.1:2:0 OSPF ROUTER ID:10.10.22.1:0
      mpls labels in/out nolabel/18

The value of Domain-ID is not taken into account any more because both PEs have a direct adjacency through the sham-link (the routers don’t interpret that there are two different OSPF instances running any more). As we can see, the community OSPF RT has the value 0.0.0.1:2:0.

The first 4 bytes (0.0.0.1) are for the area. In our case, all routers are in Area 1.

The 2 last bytes (:2:0) show which type of LSA must be used when redistributing this prefix into OSPF. The values 1 and 2 mean the LSA to use must be LSA-1 (Intra-Area LSA)

Let’s check on CE1 if the prefix is seen as Intra-Area:

CE1#show ip route 2.2.2.2
Routing entry for 2.2.2.2/32
Known via "ospf 100", distance 110, metric 22, type intra area
Last update from 10.10.11.2 on FastEthernet0/0, 00:07:24 ago
Routing Descriptor Blocks:
* 10.10.11.2, from 2.2.2.2, 00:07:24 ago, via FastEthernet0/0
Route metric is 22, traffic share count is 1

Great!! It seems to be right!

Let’s see what happens if CE2 redistributes the prefix 22.22.22.22/32 into OSPF

PE1#sh bgp vpn uni all 22.22.22.22/32
BGP routing table entry for 1:1:22.22.22.22/32, version 32
Paths: (1 available, best #1, table VPN_A, RIB-failure(17))
Flag: 0x820
Not advertised to any peer
Local
    100.100.100.2 (metric 11) from 100.100.100.2 (100.100.100.2)
      Origin incomplete, metric 20, localpref 100, valid, internal, best
      Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x646464020200
        OSPF RT:0.0.0.0:5:1 OSPF ROUTER ID:10.10.22.1:0
      mpls labels in/out nolabel/20

Now the value of the community OSPF RT is 0.0.0.0:5:1. The value of 0.0.0.0 stands for no area (as we already know, external routes are not related to any area). And the value of :5:1 stands for LSA-5 Type 2. Let’s check if CE1 sees this prefix as external type 2 route

CE1#sh ip route 22.22.22.22
Routing entry for 22.22.22.22/32
Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 21
Last update from 10.10.11.2 on FastEthernet0/0, 00:07:28 ago
Routing Descriptor Blocks:
* 10.10.11.2, from 2.2.2.2, 00:07:28 ago, via FastEthernet0/0
Route metric is 20, traffic share count is 1

Ok, it seems to be true!!

So, as we can see, the BGP community OSPF RT tells the PE router which type of LSA to use when redistributing the prefix into OSPF.

The different values for the 2 last bytes of the community are:

      :1:0 or :2:0 - indicating intra-area LSA-1 routes
      :3:0 - indicating inter-area LSA-3 routes
      :5:0 or :5:1 - indicating external LSA-5 routes (type 1 and type 2 respectively)
      :7:0 or :7:1 - indicating NSSA LSA-7 routes (type 1 and type 2 respectively)

And that’s all! I hope this post has been interesting for all of you.

Saturday, 1 February 2020

Extranet VPN

Same IP address scheme.

Here we are going to show how to have Extranet VPN. R5 and R6 are the HQ for VPN A and VPN B respectively.

In this situation what we are doing is R6 generated prefix and R5 generated prefix will be get exchange between the HQ but the R7 and R8 should not reach out of their VPN site's.

Yes you understood correctly we have to create 3 VRF. So why to wait lets configure it.

R1(config)#ip vrf A

R1(config-vrf)#rd 700:7

R1(config-vrf)#route-target export 700:700

R1(config-vrf)#route-target import 500:500

R1(config)#ip vrf B

R1(config-vrf)#rd 800:8

R1(config-vrf)#rou ex 800:800

R1(config-vrf)#rou im 600:600

Here first am going to configure VPN A site.

R1(config)#int s1/0

R1(config-if)#ip vrf for A

Lets run BGP as PE-CE Routing.

R1(config)#router bgp 100

R1(config-router)#address-family ipv4 vrf A

R1(config-router-af)#neighbor 11.0.0.5 remot 65031

R7(config)#router bgp 65031

R7(config-router)#neighbor 11.0.0.6 remot 100

R7(config-router)#net 70.0.0.0 mask 255.255.255.0

That’s it finish now check the neighborship and routing table.

R1#sh ip bgp vpnv4 vrf A summary | be Ne

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

11.0.0.5 4 65031 7 6 2 0 0 00:02:19 1

See we are getting the prefix. Now lets enable the VPN B also.

R1(config)#router eigrp 1

R1(config-router)#address-family ipv4 vrf B

R1(config-router-af)#network 11.0.0.0 0.0.0.3

R1(config-router-af)#no au

R1(config-router-af)#autonomous-system 10

R8(config)#router eigrp 10

R8(config-router)#net 11.0.0.0 0.0.0.3

R8(config-router)#no au

R8(config-router)#net 80.0.0.0 0.0.0.255

Lets check the neighborship

R1#sh ip eigrp vrf B neighbors

IP-EIGRP neighbors for process 10

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

0 11.0.0.1 Se1/1 11 00:02:37 82 492 0 4

Now come the difficult part we already knew that only one interface can belong to only one VRF instance. Then how to make it work its very simple check it out.

R4(config)#ip vrf AB

R4(config-vrf)#rd 506:506

R4(config-vrf)#route-target export 500:500

R4(config-vrf)#route-target export 500:506

R4(config-vrf)#route-target im 700:700

R4(config-vrf)#route-target im 600:605

R4(config)#int s1/1

R4(config-if)#ip vrf for AB

R4(config-if)#ip add 11.0.0.9 255.255.255.252

R4(config)#router rip

R4(config-router)#add

R4(config-router)#address-family ipv

R4(config-router)#address-family ipv4 vr

R4(config-router)#address-family ipv4 vrf AB

R4(config-router-af)#net

R4(config-router-af)#network 11.0.0.8

R4(config-router-af)#no au

R4(config-router-af)#ver 2

R5(config)#router rip

R5(config-router)#net 11.0.0.0

R5(config-router)#net 50.0.0.0

R5(config-router)#no au

R5(config-router)#ver 2

Lets check the Routing table and confirm it.

R4#sh ip route vrf AB rip

50.0.0.0/24 is subnetted, 3 subnets

R 50.2.2.0 [120/1] via 11.0.0.10, 00:00:13, Serial1/1

R 50.1.1.0 [120/1] via 11.0.0.10, 00:00:13, Serial1/1

R 50.0.0.0 [120/1] via 11.0.0.10, 00:00:13, Serial1/1

Now lets create a VRF BA for site B.

R4(config)#ip vrf BA

R4(config-vrf)#rd 605:605

R4(config-vrf)#route-target export 600:600

R4(config-vrf)#route-target export 600:605

R4(config-vrf)#route-target import 800:800

R4(config-vrf)#route-target import 500:506

R4(config)#int s1/2

R4(config-if)#ip vrf forwarding BA

R4(config-if)#ip add 11.0.0.13 255.255.255.252

Am going to run OSPF as PE-CE routing

R4(config)#router ospf 10 vrf BA

R4(config-router)#network 11.0.0.12 0.0.0.3 area 0

R6(config)#router ospf 1

R6(config-router)#net 11.0.0.12 0.0.0.3 a 0

R6(config-router)#net 60.0.0.0 0.0.0.255 a 0

Lets check the neighborship for OSPF.

R4#sh ip ospf 10 ne

Neighbor ID Pri State Dead Time Address Interface

60.2.2.1 0 FULL/ - 00:00:38 11.0.0.14 Serial1/2

That’s it as we have designed the VRF export and import correctly so just by redistributing it everything will work fine. Lets configure and check it.

R1(config)#router eigrp 1

R1(config-router)#add

R1(config-router)#address-family v

R1(config-router)#address-family i

R1(config-router)#address-family ipv4 v

R1(config-router)#address-family ipv4 vrf B

R1(config-router-af)#red

R1(config-router-af)#redistribute bg

R1(config-router-af)#redistribute bgp 100

R1(config-router-af)#exi

R1(config-router)#exi

R1(config)#router bgp 100

R1(config-router)#add

R1(config-router)#address-family ipv

R1(config-router)#address-family ipv4 vr

R1(config-router)#address-family ipv4 vrf B

R1(config-router-af)#red

R1(config-router-af)#redistribute ei

R1(config-router-af)#redistribute eigrp 10 ?

metric Metric for redistributed routes

route-map Route map reference

<cr>

R1(config-router-af)#redistribute bgp 100 metric 1 1 1 1 1

R1(config-router-af)#

R4(config)#router rip

R4(config-router)#add

R4(config-router)#address-family ipv

R4(config-router)#address-family ipv4 v

R4(config-router)#address-family ipv4 vrf AB

R4(config-router-af)#red

R4(config-router-af)#redistribute bg

R4(config-router-af)#redistribute bgp 100 ?

metric Metric for redistributed routes

route-map Route map reference

<cr>

R4(config-router-af)#redistribute bgp 100

R4(config-router-af)#exi

R4(config-router)#exi

R4(config)#router bgp 100

R4(config-router)#add

R4(config-router)#address-family ipv

R4(config-router)#address-family ipv4 vr

R4(config-router)#address-family ipv4 vrf AB

R4(config-router-af)#red

R4(config-router-af)#redistribute ri

R4(config-router-af)#redistribute rip me

R4(config-router-af)#redistribute rip metric 5

R4(config-router-af)#^Z

R4#

R4#con

*Feb 19 08:43:22.923: %SYS-5-CONFIG_I: Configured from console by console

R4#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R4(config)#router ospf 10 vrf BA

R4(config-router)#red

R4(config-router)#redistribute bgp

R4(config-router)#redistribute bgp 10

BGP is already running; AS is 100

R4(config-router)#redistribute bgp 100 su

R4(config-router)#redistribute bgp 100 subnets

R4(config-router)#exi

R4(config)#router bgp 100

R4(config-router)#add

R4(config-router)#address-family ipv

R4(config-router)#address-family ipv4 v

R4(config-router)#address-family ipv4 vrf BA

R4(config-router-af)#red

R4(config-router-af)#redistribute os

R4(config-router-af)#redistribute ospf 10 ?

match Redistribution of OSPF routes

metric Metric for redistributed routes

route-map Route map reference

vrf VPN Routing/Forwarding Instance

<cr>

R4(config-router-af)#redistribute ospf 10

That’s it lets check the routing table for the last verification

R5#sh ip route rip

70.0.0.0/24 is subnetted, 1 subnets

R 70.0.0.0 [120/5] via 11.0.0.9, 00:00:26, Serial1/0

11.0.0.0/30 is subnetted, 2 subnets

R 11.0.0.12 [120/5] via 11.0.0.9, 00:00:26, Serial1/0

60.0.0.0/32 is subnetted, 1 subnets

R 60.0.0.1 [120/5] via 11.0.0.9, 00:00:26, Serial1/0

R5#

R6#sh ip route ospf

50.0.0.0/24 is subnetted, 3 subnets

O E2 50.2.2.0 [110/5] via 11.0.0.13, 00:06:05, Serial1/0

O E2 50.1.1.0 [110/5] via 11.0.0.13, 00:06:05, Serial1/0

O E2 50.0.0.0 [110/5] via 11.0.0.13, 00:06:05, Serial1/0

80.0.0.0/24 is subnetted, 1 subnets

O E2 80.0.0.0 [110/2297856] via 11.0.0.13, 00:06:05, Serial1/0

11.0.0.0/30 is subnetted, 3 subnets

O E2 11.0.0.8 [110/1] via 11.0.0.13, 00:06:05, Serial1/0

O E2 11.0.0.0 [110/1] via 11.0.0.13, 00:06:05, Serial1/0

R6#

R7#sh ip route bgp

50.0.0.0/24 is subnetted, 3 subnets

B 50.2.2.0 [20/0] via 11.0.0.6, 00:06:35

B 50.1.1.0 [20/0] via 11.0.0.6, 00:06:35

B 50.0.0.0 [20/0] via 11.0.0.6, 00:06:35

11.0.0.0/30 is subnetted, 2 subnets

B 11.0.0.8 [20/0] via 11.0.0.6, 00:06:35

R7#

R8#sh ip route eigrp

11.0.0.0/30 is subnetted, 2 subnets

D EX 11.0.0.12 [170/2560512256] via 11.0.0.2, 00:03:52, Serial1/0

60.0.0.0/32 is subnetted, 1 subnets

D EX 60.0.0.1 [170/2560512256] via 11.0.0.2, 00:03:52, Serial1/0

R8#

} {