Here I am going to configure PE-CE routing with OSPF.
On the CE router we enable OSPF routing as usual; no special configuration is needed.
On the PE side, however, we have to take special care when configuring OSPF.
As we know, we are running OSPF in the cloud with process ID 100, so while configuring PE-CE routing we should use a different OSPF process ID (other than 100).
R1#sh ip ospf int br
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Se1/2        100   0               10.0.0.1/30        64    P2P   1/1
Lo0          100   0               1.1.1.1/32         1     LOOP  0/0
R1(config)#router ospf 1 vrf A
R1(config-router)#network 11.0.0.4 0.0.0.3 area 0
Now we can get all the CE routes on the PE router under vrf A.
R1#sh ip route vrf A
O       70.2.2.1 [110/65] via 11.0.0.5, 00:51:29, Serial1/0
O       70.1.1.1 [110/65] via 11.0.0.5, 00:51:29, Serial1/0
O       70.0.0.1 [110/65] via 11.0.0.5, 00:51:29, Serial1/0
C       11.0.0.4 is directly connected, Serial1/0
We don't need to specify the address family for ipv4 vrf, because the OSPF process ID itself is tied to the vrf.
Redistribution is likewise configured under the OSPF process.
R1(config)#router ospf 1 vrf A
R1(config-router)#redistribute bgp 100 subnets
R1(config)#router bgp 100
R1(config-router)#address-family ipv4 vrf A
R1(config-router-af)#redistribute ospf 1 vrf A match internal
Note: while redistributing from OSPF into BGP we should match all internal and external routes.
OSPF has a loop prevention method, the DN bit (DN - Downward).
R1#sh ip ospf database summary 50.0.0.1
            OSPF Router with ID (1.1.1.1) (Process ID 100)
            OSPF Router with ID (11.0.0.6) (Process ID 1)
                Summary Net Link States (Area 0)
  LS age: 59
  Options: (No TOS-capability, DC, Downward) ====> This will prevent the loop.
  LS Type: Summary Links(Network)
  Link State ID: 50.0.0.1 (summary Network Number)
  Advertising Router: 11.0.0.6
  LS Seq Number: 80000005
  Checksum: 0x68CA
  Length: 28
  Network Mask: /32
        TOS: 0
        Metric: 65
When a type 3 LSA is sent from a PE router to a CE router, the DN bit [OSPF-DN] in the LSA Options field MUST be set. This is used to ensure that if any CE router sends this type 3 LSA to a PE router, the PE router will not redistribute it further.
But the interesting thing is how CE router R7 is getting the LSA 3 information. As we know, we have redistributed the routes from the other side. This works because OSPF sends extended communities such as:
- Route type
- Domain ID
- Router ID
- Metric type 1 or 2
Let's check on R1, which gets the VPNv4 route from R4, and look at its OSPF extended communities.
R1#sh bgp vpnv4 unicast vrf A 50.0.0.1
BGP routing table entry for 700:700:50.0.0.1/32, version 36
Paths: (1 available, best #1, table A)
  Not advertised to any peer
  Local, imported path from 500:500:50.0.0.1/32
    4.4.4.4 (metric 193) from 4.4.4.4 (4.4.4.4)
      Origin incomplete, metric 65, localpref 100, valid, internal, best
      Extended Community: RT:5:7 OSPF DOMAIN ID:0x0005:0x010203040200
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:11.0.0.9:0
      mpls labels in/out nolabel/23
The different values for the last 2 bytes of the OSPF RT community are:
:1:0 or :2:0 - indicating intra-area LSA-1 routes
:3:0 - indicating inter-area LSA-3 routes
:5:0 or :5:1 - indicating external LSA-5 routes (type 1 and type 2 respectively)
:7:0 or :7:1 - indicating NSSA LSA-7 routes (type 1 and type 2 respectively)
So these are all the extended communities we got in the VPNv4 update. Before redistributing, PE router R1 compares the domain ID it receives with its locally configured OSPF domain ID. If both match, PE router R1 redistributes the routes as LSA 3 routes (summary routes).
R1#sh ip ospf 1
 Routing Process "ospf 1" with ID 11.0.0.6
 Domain ID type 0x0005, value 1.2.3.4
Since the domain ID matches, PE router R1 redistributes the routes as LSA 3 routes.
R7#sh ip ospf 1 0 database | be Summa
                Summary Net Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum
11.0.0.8        11.0.0.6        1578        0x80000005 0x008A0C
50.0.0.1        11.0.0.6        1578        0x80000005 0x0068CA
50.1.1.1        11.0.0.6        1578        0x80000005 0x0051DF
50.2.2.1        11.0.0.6        1578        0x80000005 0x003AF4
Now we come to the loop prevention point. As we are getting LSA type 3 routes, PE router R1 will set the DN bit.
R1#sh ip ospf database summary 50.0.0.1
            OSPF Router with ID (1.1.1.1) (Process ID 100)
            OSPF Router with ID (11.0.0.6) (Process ID 1)
                Summary Net Link States (Area 0)
  LS age: 1698
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 50.0.0.1 (summary Network Number)
  Advertising Router: 11.0.0.6
  LS Seq Number: 80000005
  Checksum: 0x68CA
  Length: 28
  Network Mask: /32
        TOS: 0
        Metric: 65
Now suppose we have VRF-lite on the CE side; then this default DN-bit loop prevention might cause a problem. To see this, let's configure VRF-lite on CE router R7.
Here I am going to put vrf TEST on CE router R7.
R7(config)#ip vrf TEST
R7(config-vrf)#rd 11:11
R7(config)#no router ospf 1
R7(config)#router ospf 1 vrf TEST
R7(config-vrf)#interface Loopback0
R7(config-if)#ip vrf for TEST
R7(config-if)#ip address 70.0.0.1 255.255.255.0
R7(config-if)#ip ospf 1 area 0
R7(config-if)#interface Loopback1
R7(config-if)#ip vrf for TEST
R7(config-if)#ip address 70.1.1.1 255.255.255.0
R7(config-if)#ip ospf 1 area 0
R7(config-if)#interface Loopback2
R7(config-if)#ip vrf for TEST
R7(config-if)#ip address 70.2.2.1 255.255.255.0
R7(config-if)#ip ospf 1 area 0
R7(config-if)#interface Serial1/0
R7(config-if)#ip vrf for TEST
R7(config-if)#ip address 11.0.0.5 255.255.255.252
R7(config-if)#ip ospf 1 area 0
We have done the configuration. Now check whether R1 is getting the VPNv4 update.
R1#sh bgp vpnv4 unicast vrf A 50.0.0.1
BGP routing table entry for 700:700:50.0.0.1/32, version 36
Paths: (1 available, best #1, table A)
  Not advertised to any peer
  Local, imported path from 500:500:50.0.0.1/32
    4.4.4.4 (metric 193) from 4.4.4.4 (4.4.4.4)
      Origin incomplete, metric 65, localpref 100, valid, internal, best
      Extended Community: RT:5:7 OSPF DOMAIN ID:0x0005:0x010203040200
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:11.0.0.9:0
      mpls labels in/out nolabel/23
Yes, we are getting it, but even after redistribution we are not getting the routes on CE router R7, because of the DN bit.
R7#sh ip route vrf TEST
Routing Table: TEST
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     70.0.0.0/24 is subnetted, 3 subnets
C       70.2.2.0 is directly connected, Loopback2
C       70.1.1.0 is directly connected, Loopback1
C       70.0.0.0 is directly connected, Loopback0
     11.0.0.0/30 is subnetted, 1 subnets
C       11.0.0.4 is directly connected, Serial1/0
To overcome this, we can override the DN bit feature with one simple command.
R7(config)#router ospf 1
R7(config-router)#capability vrf-lite
R7#sh ip route vrf TEST ospf
Routing Table: TEST
     50.0.0.0/32 is subnetted, 3 subnets
O IA    50.2.2.1 [110/129] via 11.0.0.6, 00:00:30, Serial1/0
O IA    50.1.1.1 [110/129] via 11.0.0.6, 00:00:30, Serial1/0
O IA    50.0.0.1 [110/129] via 11.0.0.6, 00:00:30, Serial1/0
     11.0.0.0/30 is subnetted, 2 subnets
O IA    11.0.0.8 [110/65] via 11.0.0.6, 00:00:30, Serial1/0
Amazing, right? We got the routes :) haha :)
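The DN-bit check and the capability vrf-lite override described above, as an added example (not from the original post). It parses a constructed copy of the type 3 LSA for 50.0.0.1/32 shown earlier and decides whether a VRF-bound OSPF process would use it; the function names are made up here and the checksum is copied from the output, not verified.

```python
import struct
from ipaddress import IPv4Address

OPT_DC = 0x20  # demand-circuit bit of the LSA Options byte
OPT_DN = 0x80  # Downward bit: high-order bit of the LSA Options byte
HDR = "!HBB4s4sIHH"  # age, options, type, link-state ID, adv router, seq, checksum, length

def build_summary_lsa(options):
    """Constructed sample using the field values from the 'sh ip ospf database' output."""
    header = struct.pack(HDR, 59, options, 3, IPv4Address("50.0.0.1").packed,
                         IPv4Address("11.0.0.6").packed, 0x80000005, 0x68CA, 28)
    # Summary-LSA body: network mask, then TOS 0 (1 byte) + 24-bit metric
    return header + IPv4Address("255.255.255.255").packed + struct.pack("!I", 65)

def parse_lsa(raw):
    if len(raw) < 20:
        raise ValueError("truncated LSA header")
    age, options, ls_type, lsid, adv, seq, _cksum, length = struct.unpack(HDR, raw[:20])
    if length != len(raw):
        raise ValueError("length field does not match buffer")
    lsa = {"age": age, "type": ls_type, "link_state_id": str(IPv4Address(lsid)),
           "adv_router": str(IPv4Address(adv)), "seq": seq,
           "dc": bool(options & OPT_DC), "dn": bool(options & OPT_DN)}
    if ls_type == 3:
        if length < 28:
            raise ValueError("truncated summary LSA body")
        mask, tos_metric = struct.unpack("!4sI", raw[20:28])
        lsa["prefix_len"] = bin(int.from_bytes(mask, "big")).count("1")
        lsa["metric"] = tos_metric & 0xFFFFFF
    return lsa

def used_for_routes(lsa, vrf_process, capability_vrf_lite=False):
    """A VRF-bound OSPF process behaves like a PE: it skips type 3/5/7 LSAs
    that carry the DN bit, unless capability vrf-lite turns the check off."""
    if vrf_process and not capability_vrf_lite and lsa["type"] in (3, 5, 7) and lsa["dn"]:
        return False
    return True

if __name__ == "__main__":
    lsa = parse_lsa(build_summary_lsa(OPT_DC | OPT_DN))
    print("DN set:", lsa["dn"])
    print("R7, vrf TEST:", used_for_routes(lsa, vrf_process=True))
    print("R7, vrf TEST + capability vrf-lite:", used_for_routes(lsa, True, True))
```

With capability vrf-lite the DN check no longer protects that process, so the command belongs only on a CE that is not also acting as a PE.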
We can also do this without this command: if the routes are redistributed as LSA 5 instead of LSA 3, it works as well.
R7(config)#router ospf 1
R7(config-router)#no capability vrf-lite
R7#sh ip route vrf TEST
     70.0.0.0/24 is subnetted, 3 subnets
C       70.2.2.0 is directly connected, Loopback2
C       70.1.1.0 is directly connected, Loopback1
C       70.0.0.0 is directly connected, Loopback0
     11.0.0.0/30 is subnetted, 1 subnets
C       11.0.0.4 is directly connected, Serial1/0
See, we are not getting any OSPF routes. We can simply mismatch the domain ID.
R1(config)#router ospf 1
R1(config-router)#domain-id 2.2.2.2
R7#sh ip route vrf TEST ospf
Routing Table: TEST
     50.0.0.0/32 is subnetted, 3 subnets
O E2    50.2.2.1 [110/65] via 11.0.0.6, 00:00:43, Serial1/0
O E2    50.1.1.1 [110/65] via 11.0.0.6, 00:00:43, Serial1/0
O E2    50.0.0.1 [110/65] via 11.0.0.6, 00:00:43, Serial1/0
     11.0.0.0/30 is subnetted, 2 subnets
O E2    11.0.0.8 [110/1] via 11.0.0.6, 00:00:43, Serial1/0
See we got LSA 5 :)
R7#traceroute vrf TEST 50.0.0.1
Type escape sequence to abort.
Tracing the route to 50.0.0.1
  1 11.0.0.6 48 msec 68 msec 64 msec
  2 10.0.0.2 [MPLS: Labels 19/23 Exp 0] 248 msec 260 msec 192 msec
  3 10.0.0.6 [MPLS: Labels 19/23 Exp 0] 268 msec 156 msec 184 msec
  4 11.0.0.9 [MPLS: Label 23 Exp 0] 132 msec 204 msec 184 msec
  5 11.0.0.10 260 msec * 236 msec
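The domain ID comparison described above (match gives LSA 3, mismatch gives LSA 5), as an added example that is not part of the original post. It decodes the extended communities shown in the VPNv4 entry, rebuilt here as 8-byte values, and picks the LSA type the PE would originate toward the CE. It assumes the configured domain ID value is the first four bytes of the 6-byte community value; the function names are made up.

```python
import struct
from ipaddress import IPv4Address

DOMAIN_ID_TYPES = (0x0005, 0x0105, 0x0205)  # OSPF Domain Identifier communities
ROUTE_TYPE, ROUTER_ID = 0x0306, 0x0107      # OSPF Route Type, OSPF Router ID

# Constructed from the values displayed by 'sh bgp vpnv4 unicast vrf A 50.0.0.1'
SAMPLE = [
    bytes.fromhex("0002000500000007"),  # RT:5:7 (route target, not OSPF-specific)
    bytes.fromhex("0005010203040200"),  # OSPF DOMAIN ID:0x0005:0x010203040200
    bytes.fromhex("0306000000000200"),  # OSPF RT:0.0.0.0:2:0
    bytes.fromhex("01070b0000090000"),  # OSPF ROUTER ID:11.0.0.9:0
]

def decode_ospf_communities(blobs):
    attrs = {}
    for blob in blobs:
        if len(blob) != 8:
            raise ValueError("extended community must be 8 bytes")
        (ctype,) = struct.unpack("!H", blob[:2])
        value = blob[2:]
        if ctype in DOMAIN_ID_TYPES:
            attrs["domain_id"] = (ctype, value.hex())
        elif ctype == ROUTE_TYPE:
            area, route_type, options = struct.unpack("!4sBB", value)
            attrs["area"] = str(IPv4Address(area))
            attrs["route_type"] = route_type
            attrs["metric_type"] = 2 if options & 0x01 else 1
        elif ctype == ROUTER_ID:
            attrs["router_id"] = str(IPv4Address(value[:4]))
    return attrs

def lsa_type_toward_ce(attrs, local_domain_id, local_type=0x0005):
    """3 = summary LSA (same domain, intra/inter-area route); 5 = external LSA.
    NSSA handling is simplified: route types 5 and 7 both map to LSA 5 here."""
    ctype, value_hex = attrs["domain_id"]
    same_domain = (ctype == local_type and
                   bytes.fromhex(value_hex)[:4] == IPv4Address(local_domain_id).packed)
    if same_domain and attrs["route_type"] in (1, 2, 3):
        return 3
    return 5

if __name__ == "__main__":
    attrs = decode_ospf_communities(SAMPLE)
    print(attrs)
    print("domain-id 1.2.3.4 ->", lsa_type_toward_ce(attrs, "1.2.3.4"))
    print("domain-id 2.2.2.2 ->", lsa_type_toward_ce(attrs, "2.2.2.2"))
```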
Now let's have a backdoor link between the customers. Note that I have removed the VRF configuration on R7.
R7#ping 50.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 176/216/304 ms
R7#sh ip route ospf
     50.0.0.0/32 is subnetted, 3 subnets
O E2    50.2.2.1 [110/65] via 11.0.0.6, 00:01:54, Serial1/0
O E2    50.1.1.1 [110/65] via 11.0.0.6, 00:01:54, Serial1/0
O E2    50.0.0.1 [110/65] via 11.0.0.6, 00:01:54, Serial1/0
     11.0.0.0/30 is subnetted, 2 subnets
O E2    11.0.0.8 [110/1] via 11.0.0.6, 00:01:54, Serial1/0
After forming a neighborship with the other side's CE router via the backdoor link:
R7#sh ip ospf ne
Neighbor ID     Pri   State           Dead Time   Address         Interface
50.2.2.1          1   FULL/BDR        00:00:34    20.0.0.5        FastEthernet2/0
11.0.0.6          0   FULL/  -        00:00:34    11.0.0.6        Serial1/0
R7#sh ip route ospf
     50.0.0.0/32 is subnetted, 3 subnets
O       50.2.2.1 [110/2] via 20.0.0.5, 00:01:11, FastEthernet2/0
O       50.1.1.1 [110/2] via 20.0.0.5, 00:01:11, FastEthernet2/0
O       50.0.0.1 [110/2] via 20.0.0.5, 00:01:11, FastEthernet2/0
     11.0.0.0/30 is subnetted, 2 subnets
O       11.0.0.8 [110/65] via 20.0.0.5, 00:01:11, FastEthernet2/0
R7#traceroute 50.0.0.1
  1 20.0.0.5 60 msec * 76 msec
See, we are not routing through the MPLS cloud, because from the backdoor we are getting intra-area routes and from PE R1 we are getting external routes.
As we know, for OSPF the priority order is:
O Intra-Area
O-IA Inter-Area
O-E1 External Type 1
O-E2 External Type 2
O-N1 NSSA External Type 1
O-N2 NSSA External Type 2
Hence the backdoor link is used. Even if we change the LSA 5 to LSA 3, we get the same situation.
To overcome this situation we have the SHAM LINK concept.
Note: when configuring a sham link, we should always use a path that goes via the MPLS cloud.
For example:
R1#ping vrf A 11.0.0.9
Sending 5, 100-byte ICMP Echos to 11.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/214/320 ms
R1#trac vrf A 11.0.0.9
Tracing the route to 11.0.0.9
  1 11.0.0.5 80 msec 88 msec 20 msec
  2 20.0.0.5 168 msec 96 msec 176 msec
  3 11.0.0.9 252 msec * 140 msec
An address like this should not be used for the sham link, as it is routed via the backdoor.
Now, to configure the sham link, I am going to create a loopback address on both PEs under vrf A and redistribute it only in BGP, not in OSPF.
R1(config)#int loopback 5
R1(config-if)#ip vrf forwarding A
R1(config-if)#ip add 11.11.11.11 255.255.255.255
R1(config)#router bgp 100
R1(config-router)#address-family ipv4 vrf A
R1(config-router-af)#network 11.11.11.11 mask 255.255.255.255
R1(config)#ip prefix-list SHAM_LINK permit 11.11.11.11/32
R1(config)#ip prefix-list SHAM_LINK permit 12.12.12.12/32
R1(config)#route-map SHAM deny
R1(config-route-map)#match ip address prefix-list SHAM_LINK
R1(config)#route-map SHAM permit 20
R1(config)#router ospf 1
R1(config-router)#redistribute bgp 100 subnets route-map SHAM
R4#traceroute vrf A 11.11.11.11 source 12.12.12.12
  1 10.0.0.9 [MPLS: Labels 16/21 Exp 0] 200 msec 208 msec 252 msec
  2 10.0.0.5 [MPLS: Labels 16/21 Exp 0] 188 msec 120 msec 264 msec
  3 11.11.11.11 [MPLS: Label 21 Exp 0] 204 msec * 156 msec
Now on this path we can create the SHAM link :) under the OSPF process.
R4(config-router)#area 0 sham-link 12.12.12.12 11.11.11.11
R4(config-router)#
*Dec 23 01:48:43.566: %OSPF-5-ADJCHG: Process 500, Nbr 11.0.0.6 on OSPF_SL0 from LOADING to FULL, Loading Done
R1(config-router)#area 0 sham-link 11.11.11.11 12.12.12.12
R1(config-router)#
*Dec 23 01:48:44.418: %OSPF-5-ADJCHG: Process 1, Nbr 11.0.0.9 on OSPF_SL0 from LOADING to FULL, Loading Done
R7#sh ip route ospf
     50.0.0.0/32 is subnetted, 3 subnets
O       50.2.2.1 [110/2] via 20.0.0.5, 00:02:40, FastEthernet2/0
O       50.1.1.1 [110/2] via 20.0.0.5, 00:02:40, FastEthernet2/0
O       50.0.0.1 [110/2] via 20.0.0.5, 00:02:40, FastEthernet2/0
     11.0.0.0/30 is subnetted, 2 subnets
O       11.0.0.8 [110/65] via 20.0.0.5, 00:02:40, FastEthernet2/0
R7 is still using the backdoor to reach the 50.0.0.0 network.
Now, since R7 is getting O (intra-area) routes from both the PE and the CE, cost comes into play.
Increase the cost on the backdoor link and the traffic goes via the MPLS cloud.
R7(config)#int fa2/0
R7(config-if)#ip ospf cost 10000
R7#sh ip route ospf
     50.0.0.0/32 is subnetted, 3 subnets
O       50.2.2.1 [110/130] via 11.0.0.6, 00:00:04, Serial1/0
O       50.1.1.1 [110/130] via 11.0.0.6, 00:00:04, Serial1/0
O       50.0.0.1 [110/130] via 11.0.0.6, 00:00:04, Serial1/0
     11.0.0.0/30 is subnetted, 2 subnets
O       11.0.0.8 [110/129] via 11.0.0.6, 00:00:04, Serial1/0
R7#traceroute 50.0.0.1
  1 11.0.0.6 28 msec 128 msec 56 msec
  2 10.0.0.2 [MPLS: Labels 19/23 Exp 0] 172 msec 104 msec 112 msec
  3 10.0.0.6 [MPLS: Labels 19/23 Exp 0] 124 msec 108 msec 132 msec
  4 11.0.0.9 [MPLS: Label 23 Exp 0] 140 msec 164 msec 216 msec
  5 11.0.0.10 100 msec * 156 msec
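Why the sham link alone did not move the traffic and the cost change did, as an added example (not from the original post): a small SPF run from R7 over the area once the sham link is up. CE2 is a placeholder name for the remote CE, and the link costs (64 on the PE-CE serials, 1 on FastEthernet and the loopback, 1 on the sham link) are assumptions chosen to match the metrics 2 and 130 shown above; links are treated as having the same cost in both directions.

```python
import heapq

def spf(links, src):
    """Dijkstra over undirected (a, b, cost) links.
    Returns {node: (total_cost, first_hop_from_src)}."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best = {src: (0, "")}
    heap = [(0, src, "")]
    while heap:
        dist, node, first_hop = heapq.heappop(heap)
        if dist > best[node][0]:
            continue  # stale heap entry, a cheaper path was already found
        for nbr, cost in graph.get(node, []):
            new_dist = dist + cost
            hop = nbr if node == src else first_hop
            if nbr not in best or new_dist < best[nbr][0]:
                best[nbr] = (new_dist, hop)
                heapq.heappush(heap, (new_dist, nbr, hop))
    return best

def topology(backdoor_cost):
    """Constructed model of area 0 as R7 sees it with the sham link up."""
    return [
        ("R7", "R1", 64),               # CE-PE serial link (assumed cost 64)
        ("R1", "R4", 1),                # sham link across the MPLS cloud (assumed cost 1)
        ("R4", "CE2", 64),              # remote PE-CE serial link (assumed cost 64)
        ("R7", "CE2", backdoor_cost),   # backdoor FastEthernet link
        ("CE2", "50.0.0.1/32", 1),      # remote CE loopback
    ]

def route_to_remote_loopback(backdoor_cost):
    return spf(topology(backdoor_cost), "R7")["50.0.0.1/32"]

if __name__ == "__main__":
    print("default backdoor cost:", route_to_remote_loopback(1))
    print("ip ospf cost 10000   :", route_to_remote_loopback(10000))
```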
################################## THE END ########################################################
R1(config)#ip vrf TEST
R1(config-vrf)#rd 11:11
R1(config-vrf)#route-target export 7:5
R1(config-vrf)#route-target import 5:7
R1(config)#no router ospf 1
R1(config)#router ospf 1 vrf TEST
R1(config-router)#redistribute bgp 100 subnets
R1(config)#int s1/0
R1(config-if)#ip vrf forwarding TEST
R1(config-if)#ip add 11.0.0.6 255.255.255.252
R4(config)#int loopback 5
R4(config-if)#ip vrf forwarding A
R4(config-if)#ip add 12.12.12.12 255.255.255.255
R4(config)#router bgp 100
R4(config-router)#address-family ipv4 vrf A
R4(config-router-af)#network 12.12.12.12 mask 255.255.255.255
R4(config)#ip prefix-list SHAM_LINK permit 11.11.11.11/32
R4(config)#ip prefix-list SHAM_LINK permit 12.12.12.12/32
R4(config)#route-map SHAM deny
R4(config-route-map)#match ip address prefix-list SHAM_LINK
R4(config)#route-map SHAM permit 20
R4(config)#router ospf 1
R4(config-router)#redistribute bgp 100 subnets route-map SHAM