Introduction
OSPF can be used as another CE-PE routing protocol.
MPLS VPN OSPF
- OSPF is the only protocol that runs a separate instance of the process for each VRF on IOS.
- When redistributing OSPF into BGP, you have to specify the type of OSPF routes that should be redistributed. By default only intra-area and inter-area are redistributed. To redistribute external or nssa types, you have to specifically set that.
- Make sure not to use a capital letter for router or else it won't work :( see below.
- The BGP MED attribute carries the OSPF metric. When redistributing into OSPF, that value is used as the route's metric.
- IOS-XR by default does not add a domain-id, and all routes from IOS-XR will be considered external unless it is manually set (see below for domain-id).
MP-BGP Attributes
- BGP uses extended attributes to help PEs reconstruct OSPF routes like the route type, area number, OSPF router ID, domain ID, metric type.
- "With these attributes, BGP carries enough information about the route to enable the route to be converted back into OSPF "transparently", just as if BGP had not been involved."
- Route type - carries the OSPF route type, if it is type 1, 2 or 3, the PE will advertise them as LSA type 3 (network summary) into the area. Format is area:route-type:option, where option defines external LSAs type 1 or 2 for LSA5 or LSA7.
- Domain ID - by default it is the OSPF process ID on IOS, but not on XR. See below for more details and how it affects redistribution between BGP and OSPF.
- OSPF Router ID - Optional attribute. Specifies the BGP NEXT_HOP.
Extended Community: RT:100:1 OSPF DOMAIN ID:0x0005:0x000000640200
OSPF RT:0.0.0.0:1:0 OSPF ROUTER ID:19.19.19.19:0
Domain ID
- By default the process ID is used as the domain ID on IOS, but not on XR. In XR, you have to manually set the domain ID.
- Domain ID controls if OSPF routes are imported from MPLS super area as LSA 3 or LSA 5. It is meant to define the OSPF domain on MPLS networks.
- The default BGP/OSPF interaction is to import prefixes as external routes LSA type 5. This could be an undesirable condition when connecting the same networks.
- RFC 4577 establishes that as long as OSPF routers are in the same domain-id they should be able to import routes from BGP as LSA type 3 (network summary). If they are not in the same domain id, routes will be imported as external LSAs.
- With this new functionality, OSPF backdoor links (direct connection of sites) can exist and the MPLS VPN cloud could still be preferred. If those sites are connected with the same area and have a backdoor link, then sham links might be required.
- A null domain-id value can be set, which clears the domain-id extended community attribute. The rules with null are as follows:
- Null vs Non-null would generate LSA Type 5 routes (as in the case of XR vs IOS).
- Null vs Null would generate LSA Type 3 routes.
- The best method of configuring the Domain ID on XR is to see what IOS set on other routes and copy it.
Topology
- The MPLS VPN creates a virtual super area.
- Super area can have area 0 or non-backbone areas connected to it.
- If a site has multiple areas, the PE router has to be in Area 0. If it is not, a virtual link between the PE and area 0 is required.
Loop Prevention
- Down bit (DN) - the PE routers set the DN on LSA 3 received from MP-BGP. Any other router that has OSPF VRF running will ignore LSAs with DN bit set. In most cases those are only PE routers (in some cases CE routers might have that enabled also, see VRF-Lite Capability). The functionality is there to prevent looping with dual PE routers or backdoor link. This does not apply to external LSA (LSA 5).
- Route Tag (Domain Tag) - Older method for loop prevention, where the MP-BGP ASN is set as the OSPF route tag (LSA 5). When a PE router receives an OSPF route with the same tag value or the BGP ASN, it will ignore it and not redistribute it into MP-BGP. If another PE router receives a Type-5 or Type-7 LSA with an External Route Tag equal to the set tag value (domain-tag), it will ignore the LSA. The tag's value has the BGP ASN encoded in it. Taking the tag 3489661028, converting it into hex 0xD0000064 and converting the last 2 bytes to decimal will provide the ASN, which in this case is ASN 100.
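The Domain ID rules and the route-tag encoding described above can be checked offline. The following is an added example, not part of the original notes or of any Cisco tooling: all function names are hypothetical, the sample string is the extended community shown earlier on this page, and the tag layout (top nibble 0xD, 12 zero bits, 16-bit ASN) is the default VPN route tag from RFC 4577.

```python
import re

# Extended community text copied from the page's sample output.
SAMPLE = ("Extended Community: RT:100:1 OSPF DOMAIN ID:0x0005:0x000000640200 "
          "OSPF RT:0.0.0.0:1:0 OSPF ROUTER ID:19.19.19.19:0")

def parse_domain_id(text):
    """Return (type, value) hex strings from an 'OSPF DOMAIN ID' community, or None if absent."""
    m = re.search(r"OSPF DOMAIN ID:0x([0-9A-Fa-f]{4}):0x([0-9A-Fa-f]{12})", text)
    return (m.group(1).lower(), m.group(2).lower()) if m else None

def xr_domain_id_command(domain):
    """Build the IOS-XR line that copies the Domain ID an IOS PE attached."""
    dtype, value = domain
    return f"domain-id type {dtype} value {value}"

def imported_lsa_type(local, remote):
    """Page rules: same Domain ID (or null vs null) -> LSA 3, anything else -> LSA 5.
    None stands for a null Domain ID. Simplification (assumption): type and value
    must both match."""
    return 3 if local == remote else 5

def encode_domain_tag(asn):
    """Default route tag for a 2-byte ASN: 0xD000 in the high half, ASN in the low half."""
    if not 0 < asn <= 0xFFFF:
        raise ValueError("default tag only encodes a 2-byte ASN")
    return 0xD0000000 | asn

def decode_domain_tag(tag):
    """Return the ASN if the tag has the default layout, else None (e.g. a manual domain-tag)."""
    if tag >> 16 != 0xD000:
        return None
    return tag & 0xFFFF

def pe_ignores_lsa(tag, local_asn, configured_tag=None):
    """Loop check on a PE: ignore a Type-5/7 LSA whose tag equals the local domain tag."""
    local_tag = configured_tag if configured_tag is not None else encode_domain_tag(local_asn)
    return tag == local_tag

if __name__ == "__main__":
    ios_domain = parse_domain_id(SAMPLE)
    print(xr_domain_id_command(ios_domain))
    print("XR null vs IOS:", "LSA", imported_lsa_type(None, ios_domain))
    print("after copying :", "LSA", imported_lsa_type(ios_domain, ios_domain))
    print("tag 3489661028 -> ASN", decode_domain_tag(3489661028))
```
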
VRF-Lite Capability
- VRF-Lite capability applies to CEs that have an OSPF instance running in a VRF.
- Most of the time only PEs have VRF and OSPF configured. They don't want to accept OSPF routes received from other PEs, that's why they rely on the loop prevention mechanism using DN bit. There are few cases where a CE might have a VRF configured but.
- Cisco devices that have OSPF configured in a VRF will perform PE-type loop prevention checks. If a device detects the Down bit (DN) set on an LSA, the LSA is imported into the database but the SPF algorithm ignores it.
- VRF-Lite capability allows the user to disable DN bit check on CE devices not running BGP.
- One way to verify that VRF-Lite is configured is to check whether the OSPF process shows as not connected to the MPLS Superbackbone.
- When you enter this command on a PE device, along with disabling the loop prevention checks, it will also no longer reassemble OSPF routes as LSA 3, but only redistribute them as LSA 5, regardless of whether the Domain IDs match. The one situation where you want to use this command is in an Inter-AS Option A scenario when you use OSPF as the routing protocol between ASBRs. See mpls-inter-as-option-a.
- By entering the command "capability vrf-lite" you are making the router not act as if it is connected to the Superbackbone and not act as an ABR. See mpls-vpn-ospf-multi-homed-multi-area for a few examples.
Relevant IOS Commands
router ospf vrf
Configures a separate instance of the OSPF process for a VRF. REMEMBER that typing "ROUTER ospf 100 vrf A" with a capital R and not "router ospf 100 vrf A" will result in an error.
The PID on PEs is used as the Domain-id.
R1(config)# router ospf (PID) vrf (VRF_ID)
domain-id
By default the domain-id is set to the OSPF process ID. With this command a custom domain-id can be defined.
PE routers in the same domain-id will import OSPF routes from BGP as LSA 3 (summary routes), while PE routers in different domain-ids will import them as LSA 5 (external).
R1(config-router)# domain-id (a.b.c.d)
domain-tag
Configured under the OSPF process, it overrides the default OSPF/BGP behavior, where any route redistributed into OSPF has its route tag set to the ASN. Any PE router that receives an OSPF route with the route tag set to the same domain tag will not redistribute it into BGP.
R1(config-router)# domain-tag (value)
capability vrf-lite
Use this command to disable loop prevention using the DN bit on a router (CE) running an OSPF process in a VRF. This should only be used on CE routers with VRFs, not on PE routers. Main function is to prevent looping when a site has dual PE routers.
R1(config-router)# capability vrf-lite
Show ip ospf
Shows various features of OSPF as a CE-PE protocol.
show ip ospf
Relevant XR Commands
domain-id
The domain-id is not set by default and has to be set manually.
RP/0/0/CPU0:XR11(config-ospf-vrf)#domain-id type 0005 value (12 Characters)