Saturday, 1 February 2020

MPLS with OSPF and DN bit


Here am going to configure PE - CE routing as OSPF.
On CE router as usual we have to enable OSPF routing nothing special configuration.

But on PE side we have to take care special effect to configure OSPF.

As we know we are running OSPF on cloud with a process id 100. So while configuring PE - CE routing we should use different OSPF process id (other than 100)

R1#sh ip ospf int br
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Se1/2        100   0               10.0.0.1/30        64    P2P   1/1
Lo0            100   0               1.1.1.1/32         1     LOOP  0/0

R1(config)# router ospf 1 vrf 1
R1(config-router)# network 11.0.0.4 0.0.0.3 area 0

Now we can get all the CE routes to PE router under vrf A.
R1#sh ip route vrf A

O       70.2.2.1 [110/65] via 11.0.0.5, 00:51:29, Serial1/0
O       70.1.1.1 [110/65] via 11.0.0.5, 00:51:29, Serial1/0
O       70.0.0.1 [110/65] via 11.0.0.5, 00:51:29, Serial1/0
C       11.0.0.4 is directly connected, Serial1/0

We don’t need to specify the address family for ipv4 vrf because ospf process id itself determined with vrf.

While redistributing also under ospf process we can redistribute.

R1(config)# router ospf 1 vrf 1
R1(config-router)# redistribute bgp 100 subnets

R1(config)#router bgp 100
R1(config-router)# address-family ipv4 vrf A
R1(config-router-af) redistribute ospf 1 vrf A match internal

Note While redistributing from OSPF into BGP we should match all internal and external routes.

In OSPF we have a loop prevention method by DN bit (DN - Downward)

R1#sh ip ospf database summary 50.0.0.1

            OSPF Router with ID (1.1.1.1) (Process ID 100)

            OSPF Router with ID (11.0.0.6) (Process ID 1)

                Summary Net Link States (Area 0)

  LS age: 59
  Options: (No TOS-capability, DC, Downward) ====> This will prevent the loop.
  LS Type: Summary Links(Network)
  Link State ID: 50.0.0.1 (summary Network Number)
  Advertising Router: 11.0.0.6
  LS Seq Number: 80000005
  Checksum: 0x68CA
  Length: 28
  Network Mask: /32
        TOS: 0  Metric: 65

When a type 3 LSA is sent from a PE router to a CE router, the DN bit [OSPF-DN] in the LSA Options field MUST be set. This is used to ensure that if any CE router sends this type 3 LSA to a PE router,  the PE router will not redistribute it further.

But the interesting thing is how CE router R7 getting LSA 3 information. As we knew we have redistributed the other side routes. This is because ospf send extended communities like
§  Router type
§  Domain id
§  Router id
§  Metric type 1 or 2.

Lets check on the R1 which will get the VPNv4 router form R4 and check it OSPF extended communities.

R1#sh bgp vpnv4 unicast vrf A 50.0.0.1
BGP routing table entry for 700:700:50.0.0.1/32, version 36
Paths: (1 available, best #1, table A)
  Not advertised to any peer
  Local, imported path from 500:500:50.0.0.1/32
    4.4.4.4 (metric 193) from 4.4.4.4 (4.4.4.4)
      Origin incomplete, metric 65, localpref 100, valid, internal, best
      Extended Community: RT:5:7 OSPF DOMAIN ID:0x0005:0x010203040200
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:11.0.0.9:0
      mpls labels in/out nolabel/23

The different values for the 2 last bytes of the OSPF RT community are:
      :1:0 or :2:0 - indicating intra-area LSA-1 routes
      :3:0 - indicating inter-area LSA-3 routes
      :5:0 or :5:1 - indicating external LSA-5 routes (type 1 and type 2 respectively)
      :7:0 or :7:1 - indicating NSSA LSA-7 routes (type 1 and type 2 respectively)

So this all the extended communities we got in VPNv4 update.  Now before redistributing
R1 PE router will check the domain id it receives and its local configured ospf domain id. If both matches then PE router R1 will redistribute it as LAS 3 routes (summary routes)

R1#sh ip ospf 1
 Routing Process "ospf 1" with ID 11.0.0.6
   Domain ID type 0x0005, value 1.2.3.4

Hence the domain id matches R1 PE router will redistribute it as LAS 3 routes.

R7#sh ip ospf 1 0 database | be Summa
                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
11.0.0.8        11.0.0.6        1578        0x80000005 0x008A0C
50.0.0.1        11.0.0.6        1578        0x80000005 0x0068CA
50.1.1.1        11.0.0.6        1578        0x80000005 0x0051DF
50.2.2.1        11.0.0.6        1578        0x80000005 0x003AF4

Now come to the loop prevention point. As we are getting LSA 3 type router PE router R1 will set the DN bit.
R1#sh ip ospf database summary 50.0.0.1

            OSPF Router with ID (1.1.1.1) (Process ID 100)

            OSPF Router with ID (11.0.0.6) (Process ID 1)

                Summary Net Link States (Area 0)

  LS age: 1698
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 50.0.0.1 (summary Network Number)
  Advertising Router: 11.0.0.6
  LS Seq Number: 80000005
  Checksum: 0x68CA
  Length: 28
  Network Mask: /32
        TOS: 0  Metric: 65
 
Now suppose If we have VRF lite on CE side then see this default loop prevention DN bit might cause problem. To do this lets have vrf lite configured on CE router R7.

Here am going to put vrf TEST on CE router R7.


R7(config)#ip vrf TEST
R7(config-vrf)#rd 11:11
R7(config)# no router ospf 1
R7(config)#router ospf 1 vrf TEST
R7(config-vrf)#interface Loopback0
R7(config-if)#ip vrf for TEST
R7(config-if)# ip address 70.0.0.1 255.255.255.0
R7(config-if)# ip ospf 1 area 0
R7(config-if)#interface Loopback1
R7(config-if)#ip vrf for TEST
R7(config-if)# ip address 70.1.1.1 255.255.255.0
R7(config-if)# ip ospf 1 area 0
R7(config-if)#interface Loopback2
R7(config-if)#ip vrf for TEST
R7(config-if)# ip address 70.2.2.1 255.255.255.0
R7(config-if)# ip ospf 1 area 0
R7(config-if)#interface Serial1/0
R7(config-if)#ip vrf for TEST
R7(config-if)# ip address 11.0.0.5 255.255.255.252
R7(config-if)# ip ospf 1 area 0


We have done the process. Now check whether R1 getting VPNv4 update
R1#sh bgp vpnv4 unicast vrf A 50.0.0.1
BGP routing table entry for 700:700:50.0.0.1/32, version 36
Paths: (1 available, best #1, table A)
  Not advertised to any peer
  Local, imported path from 500:500:50.0.0.1/32
    4.4.4.4 (metric 193) from 4.4.4.4 (4.4.4.4)
      Origin incomplete, metric 65, localpref 100, valid, internal, best
      Extended Community: RT:5:7 OSPF DOMAIN ID:0x0005:0x010203040200
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:11.0.0.9:0
      mpls labels in/out nolabel/23

Yes we are getting but after redistributing also on CE router R7 we are not getting the routes because of the DN bit.

R7#sh ip route vrf TEST

Routing Table: TEST
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     70.0.0.0/24 is subnetted, 3 subnets
C       70.2.2.0 is directly connected, Loopback2
C       70.1.1.0 is directly connected, Loopback1
C       70.0.0.0 is directly connected, Loopback0
     11.0.0.0/30 is subnetted, 1 subnets
C       11.0.0.4 is directly connected, Serial1/0


To over come this we can override this DN bit feature with one simple command.
R7(config)#router ospf 1
R7(config-router)#capability vrf-lite

R7#sh ip route vrf TEST ospf

Routing Table: TEST

     50.0.0.0/32 is subnetted, 3 subnets
O IA    50.2.2.1 [110/129] via 11.0.0.6, 00:00:30, Serial1/0
O IA    50.1.1.1 [110/129] via 11.0.0.6, 00:00:30, Serial1/0
O IA    50.0.0.1 [110/129] via 11.0.0.6, 00:00:30, Serial1/0
     11.0.0.0/30 is subnetted, 2 subnets
O IA    11.0.0.8 [110/65] via 11.0.0.6, 00:00:30, Serial1/0

Amazing rite we got the routes :) haha :)

We can also do this without this command. Instead of LSA 3 if we redistribute  as LSA 5 we can do this.


R7(config)#router ospf 1
R7(config-router)#no capability vrf-lite

R7#sh ip route vrf TEST
     70.0.0.0/24 is subnetted, 3 subnets
C       70.2.2.0 is directly connected, Loopback2
C       70.1.1.0 is directly connected, Loopback1
C       70.0.0.0 is directly connected, Loopback0
     11.0.0.0/30 is subnetted, 1 subnets
C       11.0.0.4 is directly connected, Serial1/0

See we are not getting any ospf routes. We can simple mismatch the domain id.

R1(config)#router ospf 1
R1(config-router)#domain-id 2.2.2.2

R7#sh ip route vrf TEST ospf

Routing Table: TEST

     50.0.0.0/32 is subnetted, 3 subnets
O E2    50.2.2.1 [110/65] via 11.0.0.6, 00:00:43, Serial1/0
O E2    50.1.1.1 [110/65] via 11.0.0.6, 00:00:43, Serial1/0
O E2    50.0.0.1 [110/65] via 11.0.0.6, 00:00:43, Serial1/0
     11.0.0.0/30 is subnetted, 2 subnets
O E2    11.0.0.8 [110/1] via 11.0.0.6, 00:00:43, Serial1/0

See we got LSA 5 :)

R7#traceroute vrf TEST 50.0.0.1

Type escape sequence to abort.
Tracing the route to 50.0.0.1

  1 11.0.0.6 48 msec 68 msec 64 msec
  2 10.0.0.2 [MPLS: Labels 19/23 Exp 0] 248 msec 260 msec 192 msec
  3 10.0.0.6 [MPLS: Labels 19/23 Exp 0] 268 msec 156 msec 184 msec
  4 11.0.0.9 [MPLS: Label 23 Exp 0] 132 msec 204 msec 184 msec
  5 11.0.0.10 260 msec *  236 msec

Now lets have a backdoor link between the customers. Note I have removed the VRF configuration on R7
R7#ping 50.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 176/216/304 ms

R7#sh ip route ospf
     50.0.0.0/32 is subnetted, 3 subnets
O E2    50.2.2.1 [110/65] via 11.0.0.6, 00:01:54, Serial1/0
O E2    50.1.1.1 [110/65] via 11.0.0.6, 00:01:54, Serial1/0
O E2    50.0.0.1 [110/65] via 11.0.0.6, 00:01:54, Serial1/0
     11.0.0.0/30 is subnetted, 2 subnets
O E2    11.0.0.8 [110/1] via 11.0.0.6, 00:01:54, Serial1/0

After forming neighbor ship with other side CE router via backdoor link.

R7#sh ip ospf ne
Neighbor ID     Pri   State           Dead Time   Address         Interface
50.2.2.1          1   FULL/BDR        00:00:34    20.0.0.5        FastEthernet2/0
11.0.0.6          0   FULL/  -        00:00:34    11.0.0.6        Serial1/0

R7#sh ip route ospf
     50.0.0.0/32 is subnetted, 3 subnets
O       50.2.2.1 [110/2] via 20.0.0.5, 00:01:11, FastEthernet2/0
O       50.1.1.1 [110/2] via 20.0.0.5, 00:01:11, FastEthernet2/0
O       50.0.0.1 [110/2] via 20.0.0.5, 00:01:11, FastEthernet2/0
     11.0.0.0/30 is subnetted, 2 subnets
O       11.0.0.8 [110/65] via 20.0.0.5, 00:01:11, FastEthernet2/0

R7#traceroute 50.0.0.1
  1 20.0.0.5 60 msec *  76 msec

See we are not routing from MPLS cloud because from backdoor we are getting intra-area routes and from PE R1 we are getting  external-routes.

As we know for OSPF the priority order is:
O              Intra-Area
O-IA         Inter-Area
O-E1        External Type 1
O-E2        External Type 2
O-N1       NSSA External Type 1
O-N2       NSSA External Type 2

Hence the backdoor link is used. If we change the LSA 5 to LSA 3 also we will get same situation only.

Now for to over come this situation we have a SHAM LINK concept.
Note
When configuring SHAM Link we should always use the path that should go via MPLS cloud.

For example
R1#ping vrf A 11.0.0.9
Sending 5, 100-byte ICMP Echos to 11.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/214/320 ms
R1#trac vrf A 11.0.0.9
Tracing the route to 11.0.0.9
  1 11.0.0.5 80 msec 88 msec 20 msec
  2 20.0.0.5 168 msec 96 msec 176 msec
  3 11.0.0.9 252 msec *  140 msec

Like this address, should not be configured as sham link as its routing via backdoor.

Now to configure sham link am going to create a loopback address on both PE under vrf A and going to redistribute only in BGP not in OSPF.

R1(config)#int loopback 5
R1(config-if)#ip vrf forwarding A
R1(config-if)#ip add 11.11.11.11 255.255.255.255
R1(config)#router bgp 100
R1(config-router)#address-family ipv4 vrf A
R1(config-router-af)#network 11.11.11.11 mask 255.255.255.255
R1(config)#ip prefix-list SHAM_LINK permit 11.11.11.11/32
R1(config)#ip prefix-list SHAM_LINK permit 12.12.12.12/32
R1(config)#route-map SHAM deny
R1(config-route-map)#match ip address prefix-list SHAM_LINK
R1(config)#route-map SHAM permit 20
R1(config)#router ospf 1
R1(config-router)#redistribute bgp 100 subnets route-map SHAM


R4#traceroute vrf A 11.11.11.11 source 12.12.12.12
  1 10.0.0.9 [MPLS: Labels 16/21 Exp 0] 200 msec 208 msec 252 msec
  2 10.0.0.5 [MPLS: Labels 16/21 Exp 0] 188 msec 120 msec 264 msec
  3 11.11.11.11 [MPLS: Label 21 Exp 0] 204 msec *  156 msec


Now on this path we can create SHAM link :) under ospf process
R4(config-router)#area 0 sham-link 12.12.12.12 11.11.11.11
R4(config-router)#
*Dec 23 01:48:43.566: %OSPF-5-ADJCHG: Process 500, Nbr 11.0.0.6 on OSPF_SL0 from LOADING to FULL, Loading Done
R1(config-router)#area 0 sham-link 11.11.11.11 12.12.12.12
R1(config-router)#
*Dec 23 01:48:44.418: %OSPF-5-ADJCHG: Process 1, Nbr 11.0.0.9 on OSPF_SL0 from LOADING to FULL, Loading Done

R7#sh ip route ospf
     50.0.0.0/32 is subnetted, 3 subnets
O       50.2.2.1 [110/2] via 20.0.0.5, 00:02:40, FastEthernet2/0
O       50.1.1.1 [110/2] via 20.0.0.5, 00:02:40, FastEthernet2/0
O       50.0.0.1 [110/2] via 20.0.0.5, 00:02:40, FastEthernet2/0
     11.0.0.0/30 is subnetted, 2 subnets
O       11.0.0.8 [110/65] via 20.0.0.5, 00:02:40, FastEthernet2/0

Still R7 having the backdoor to reach 50.0.0.0 network.
Now since R7 getting O routes (intra-area) form PE and CE now cost comes to role play.
Increase the cost on backdoor link and the traffic goes via the mpls cloud.

R7(config)#int fa2/0
R7(config-if)#ip ospf cost 10000

R7#sh ip route ospf
     50.0.0.0/32 is subnetted, 3 subnets
O       50.2.2.1 [110/130] via 11.0.0.6, 00:00:04, Serial1/0
O       50.1.1.1 [110/130] via 11.0.0.6, 00:00:04, Serial1/0
O       50.0.0.1 [110/130] via 11.0.0.6, 00:00:04, Serial1/0
     11.0.0.0/30 is subnetted, 2 subnets
O       11.0.0.8 [110/129] via 11.0.0.6, 00:00:04, Serial1/0
R7#traceroute 50.0.0.1
  1 11.0.0.6 28 msec 128 msec 56 msec
  2 10.0.0.2 [MPLS: Labels 19/23 Exp 0] 172 msec 104 msec 112 msec
  3 10.0.0.6 [MPLS: Labels 19/23 Exp 0] 124 msec 108 msec 132 msec
  4 11.0.0.9 [MPLS: Label 23 Exp 0] 140 msec 164 msec 216 msec
  5 11.0.0.10 100 msec *  156 msec

##################################                                      THE END               ########################################################
R1(config)#ip vrf TEST
R1(config-vrf)#rd 11:11
R1(config-vrf)#route-target export 7:5
R1(config-vrf)#route-target import 5:7
R1(config)#no router ospf 1
R1(config)#router ospf 1 vrf TEST
R1(config-router)#redistribute bgp 100 subnets
R1(config)#int s1/0
R1(config-if)#ip vrf forwarding TEST
R1(config-if)#ip add 11.0.0.6 255.255.255.252


R4(config)#int loopback 5
R4(config-if)#ip vrf forwarding A
R4(config-if)#ip add 12.12.12.12 255.255.255.255
R4(config)#router bgp 100
R4(config-router)#address-family ipv4 vrf A
R4(config-router-af)#network 11.11.11.11 mask 255.255.255.255
R4(config)#ip prefix-list SHAM_LINK permit 11.11.11.11/32
R4(config)#ip prefix-list SHAM_LINK permit 12.12.12.12/32
R4(config)#route-map SHAM deny
R4(config-route-map)#match ip address prefix-list SHAM_LINK
R4(config)#route-map SHAM permit 20
R4(config)#router ospf 1
R4(config-router)#redistribute bgp 100 subnets route-map SHAM

No comments:

Post a Comment