Hi,

at first, thanks for spending time on my issue.

Your answer causes me to update the drawing again :)

The "BS1-011"(on the right) does not have the issue. It's also a 4500X in VSS mode.

The BS1 has Version 03.08.01.E, the BS1-011 has Version 03.08.07.E

All routers are in the same vrf "Printer" across 3 sites. 3.0.8.15/16/26 are one site , 3.0.8.13/14 are one site, and 3.0.8.11/12/1 are at one site.

The outputs from the BS1-011 are:

BS1-011#sh ip ospf 3080 database external
Load for five secs: 11%/0%; one minute: 10%; five minutes: 10%
Time source is NTP, 12:12:30.901 UTC Tue Mar 10 2020


            OSPF Router with ID (3.0.8.1) (Process ID 3080)

                Type-5 AS External Link States

  LS age: 630
  Options: (No TOS-capability, No DC, Upward)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 3.0.8.11
  LS Seq Number: 8000014C
  Checksum: 0xBDB1
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 1
        Forward Address: 0.0.0.0
        External Route Tag: 0

  LS age: 447
  Options: (No TOS-capability, No DC, Upward)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 3.0.8.12
  LS Seq Number: 8000014C
  Checksum: 0xB7B6
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 1
        Forward Address: 0.0.0.0
        External Route Tag: 0

BS1-011#sh run | sec router ospf 3080 vrf Printer
router ospf 3080 vrf Printer
 router-id 3.0.8.1
 log-adjacency-changes detail
 nsf
 passive-interface default
 no passive-interface Vlan2385
 no passive-interface Vlan2386
  network 172.30.31.80 0.0.0.3 area 24
 network 172.30.31.84 0.0.0.3 area 24
!
!
end

BS1-011#show ip ospf 3080 border-routers
Load for five secs: 11%/1%; one minute: 10%; five minutes: 10%
Time source is NTP, 12:15:17.759 UTC Tue Mar 10 2020


            OSPF Router with ID (3.0.8.1) (Process ID 3080)


                Base Topology (MTID 0)

Internal Router Routing Table
Codes: i - Intra-area route, I - Inter-area route

i 3.0.8.11 [1] via 172.30.31.81, Vlan2385, ABR/ASBR, Area 24, SPF 14
i 3.0.8.12 [1] via 172.30.31.85, Vlan2386, ABR/ASBR, Area 24, SPF 14
BS1-011#

BS1-011#show ip ospf 3080 rib 0.0.0.0
Load for five secs: 11%/1%; one minute: 11%; five minutes: 10%
Time source is NTP, 12:16:40.302 UTC Tue Mar 10 2020


            OSPF Router with ID (3.0.8.1) (Process ID 3080)


                Base Topology (MTID 0)

OSPF local RIB
Codes: * - Best, > - Installed in global RIB
LSA: type/LSID/originator

*>  0.0.0.0/0, Ext2, cost 1, tag 0
     SPF Instance 29, age 5d02h, fwd cost 1
     Flags: RIB, PartialSPF
      via 172.30.31.85, Vlan2386
       Flags: RIB
       LSA: 5/0.0.0.0/3.0.8.12
      via 172.30.31.81, Vlan2385
       Flags: RIB
       LSA: 5/0.0.0.0/3.0.8.11
BS1-011#

Kind regards,

Andreas

Hi,

   So to conclude, the only differece between the BS1 4500X and the BS1-011 4500X is the software version. As i said, the

capability vrf-lite

is only required if the downward bit is set, which is not the case. So instead of configuring something which is not actually needed, i would rather fix the "feature" by upgrading the BS1 as well to the same version as BS1-011.

Regards,

Cristian Matei.

Hello @Cristian Matei 

---

@Cristian Matei wrote:

It's very curios that

capability vrf-lite

fixed this case,

---

My understanding is that 4500x thinks its a ABR router connected to the mpls backbone even though it isnt area due to it using vrf on its ospf interconects so appending that capbailty lite feature disables this rule thus allows routes from the correct area 0 rtrs to be accepted into its rib.

Hi,

   In this use case, the 4500x plays the role of the CE (runs OSPF in GRT),  so it can't think is connected to the MPLS superbackbone. The nexus plays the role of the PE, running OSPF in a VRF without MPLS. 

Regards,

Cristian Matei.

Hi,

I do not have an mpls connection anywhere, everthing is ethernet. I have a trunk between the sites, so I can have multiple vrf's running across the wan-connection(s). The

exit -> default-gateway

for all sites is always the site with area 24.

I definitely want to get this solved without the

capability vrf-lite

command, cause I also think it's not needed. My next downtime-window to update the 4500x is at the end of the week...

But I suspect that the nexus 3k is the one who doesn't forward the default-route information.

Kind regards,

Andreas

Hi,

   The Nexus is not the problem, as you were seeing the Type5 and Type4 LSA's on your 4500X BS1, so the Nexus devices were forwarding the LSA's; it's just that the 4500X was not behaving properly. Upgrade and post your results.

Regards,

Cristian Matei.

Yes, let's wait and see what the update brings.

Kind regards,

Andreas

Hello

@Cristian Matei @Andreas Schneider 

Guys it may well be the software however my understanding and  I stand corrected if deemed so, Is when your using vrf on ospf rtr and that rtr is in a non backbone area then that rtr thinks its an ABR connected to an mpls backbone (even if one doesn’t exist!) Thus it wont except any routes from its connected routers because it needs to be connected to area 0 but it isn’t even though it thinks it is, Hence using the

capability-vrf-lite

feature prohibits the rtr considering itself as a ABR connected to the MPLS superbackbone so allows the routes in being advertised to it.

Hi,

 @paul driver An OSPF speaker, by design, cannot not accept a non-malformed LSA, but it can ignore it, because it fails to validate it, due to specific design reasons. What you're saying, is for a router which runs OSPF in a VRF, which is not the case here for the 4500X, which runs OSPF in GRT.

    And the problem you're describing show up only for LSA Type3, Type4, Type5, where OSPF behaves as distance vector, thus it has some additional checks to be performed to provide loop free environment. Funny though, OSPF still has 2 design cases, where it is NOT loop free :)

Regards,

Cristian Matei.

Hi,

@Cristian Matei 

maybe we're talk at cross purposes. From my understanding the ospf process 3080 on the 4500x and on the Nexus  runs in the VRF "Printer".

Kind regards,

Andreas

Hello

---

@Andreas Schneider wrote:

Hi,

@Cristian Matei 

maybe we're talk at cross purposes. From my understanding the ospf process 3080 on the 4500x and on the Nexus  runs in the VRF "Printer".

 

---

Okay so you are using OSPF VRF?
Can you post the output

sh ip ospf databse summary 

do you see the downward bit set in the summary lsa?

Hi,

 @Andreas Schneider Yes, you are right, i looked at the first post you made and i saw no VRF on 4500X. So here's how it works: whenever you run OSPF in a VRF on Cisco devices, it assumes it will become a PE, running MPLS (becomes attached to the backbone area or super area 0), thus run PE rules for loop prevention mechanism; when PE-CE routing is OSPF, and the customer has a backup link, in order to avoid loops in specific designs, PE's will accept any OSPF LSA's inbound on an adjacency built in a VRF (per OSPF design), but will not validate any LSA's which have the Downward bit set (not taken into consideration for best-path selection) or any LSA's which have in the VPN TAG the same BGP AS number as the PE is running, cause this means the LSA's was actually injected into OSPF by a remote PE (the Downward bit and the VPN TAG are set by the PE), which means using it may create a loop; the VPN TG does not apply to you, as you don't actually run PE/MPLS/BGP so there is no VPN TAG.

     In your case, both 4500X are running OSPF in a VRF, which means they ignore LSA's with the Downward bit set. On IOS, you tell the device to no longer perform DN bit check by

capability vrf-lite

, on Nexus by

down-bit-ignore.

 However, there is no DN bit set in your Type5 LSA's (and this is expected, the DN bit was set for Type3 LSA's), so both 4500X should actually validate the LSA's and send it to the OSPF RIB, to make it further to the RIB.

    Can you confirm that the other 4500X has the default route in the RIB, although no

capability vrf-lite

is configured? As this is the way it should be. In which case, you still need to upgrade the 4500X with the problem, as the need to use  

capability vrf-lite

means you have a buggy OSPF code, so although you fix this issue, you may run into other ones later down the road.

Regards,

Cristian Matei.

Hi,

here is the output from the "other" 4500x:

BS1-011#sh run | sec router ospf 3080 vrf Printer
router ospf 3080 vrf Printer
 router-id 3.0.8.1
 log-adjacency-changes detail
 nsf
 passive-interface default
 no passive-interface Vlan2385
 no passive-interface Vlan2386
 network 172.30.31.80 0.0.0.3 area 24
 network 172.30.31.84 0.0.0.3 area 24

BS1-011#sh ip ospf 3080 rib 0.0.0.0
Load for five secs: 11%/0%; one minute: 13%; five minutes: 11%
Time source is NTP, 07:41:06.735 UTC Wed Mar 11 2020


            OSPF Router with ID (3.0.8.1) (Process ID 3080)


                Base Topology (MTID 0)

OSPF local RIB
Codes: * - Best, > - Installed in global RIB
LSA: type/LSID/originator

*>  0.0.0.0/0, Ext2, cost 1, tag 0
     SPF Instance 29, age 5d21h, fwd cost 1
     Flags: RIB, PartialSPF
      via 172.30.31.85, Vlan2386
       Flags: RIB
       LSA: 5/0.0.0.0/3.0.8.12
      via 172.30.31.81, Vlan2385
       Flags: RIB
       LSA: 5/0.0.0.0/3.0.8.11

BS1-011#sh ip ospf 3080 database external
Load for five secs: 9%/0%; one minute: 10%; five minutes: 11%
Time source is NTP, 07:52:59.292 UTC Wed Mar 11 2020


            OSPF Router with ID (3.0.8.1) (Process ID 3080)

                Type-5 AS External Link States

  LS age: 386
  Options: (No TOS-capability, No DC, Upward)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 3.0.8.11
  LS Seq Number: 80000173
  Checksum: 0x6FD8
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 1
        Forward Address: 0.0.0.0
        External Route Tag: 0

  LS age: 203
  Options: (No TOS-capability, No DC, Upward)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 3.0.8.12
  LS Seq Number: 80000173
  Checksum: 0x69DD
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 1
        Forward Address: 0.0.0.0
        External Route Tag: 0

BS1-011#

So, no

capability vrf-lite

but a

default-route...

Kind regards,

Andreas