
pe ce l3vpn ospf

networkinblood
Level 1

I have a doubt related to PE-CE OSPF in L3VPN. In the case of address family ipv4, when we redistribute any route into OSPF it will by default be LSA 5 (external LSA), so why in the case of address family vpnv4 is it not LSA 5 by default?
Thanks in advance for the revert.

2 Accepted Solutions


Hello @networkinblood ,

When using OSPF as PE-CE, the configuration / design allows for the emulation of a super backbone area.

Even if the OSPF routes are redistributed into MP BGP to reach the remote PE, some OSPF attributes are carried within as extended community attributes.

One of the most important of these extended community attributes is the OSPF domain ID. When not configured explicitly, the OSPF domain-id = OSPF process-id.

If the local PE and the remote PE nodes are using the same OSPF domain-ID, or simply the same OSPF process-id, then the imported routes are not created as external routes: if they were internal routes (O or O IA) in the originator VRF site, they are converted to LSA type 3.

This gives the remote CE the impression of the existence of a backbone area that is only emulated by the PE nodes.

To be noted: external routes in the original VRF site are rebuilt as external routes.

So the impact of emulation is only on internal routes.

If the OSPF process-ids are different or different OSPF domain IDs are configured, all internal routes coming from the original site are injected as LSA type 5, that is, like external routes.

The LSAs created by PE nodes have the DN bit (Down bit) set; this is a simple loop avoidance mechanism that allows a PE to avoid accepting an LSA with the DN bit set. This behaviour can be disabled with capability vrf-lite.

 

Finally, in special cases, if there are direct links in the same area between sites, a SHAM link can be created between the PE nodes in order to make use of the MPLS L3 VPN path.

The SHAM link acts as a logical link in area 0 between two endpoints in the VRF that are advertised in MP BGP only (they are typically loopbacks in the VRF). The role of the sham link is to allow O routes in the original site to be seen as O routes in remote sites, and so on.

The SHAM link is used only to exchange OSPF LSAs between PE nodes; traffic forwarding uses the MPLS + VPN label.

 

In this way the MPLS L3 VPN when having a better metric can be used instead of the direct link between the sites that will become a backup path.

 

Hope to help

Giuseppe

 


Hello @networkinblood ,

I will try to answer your questions.

1) I may be wrong, but the DN bit should also be present on rebuilt LSA type 5. The OSPF LSA type 5 can carry a route tag in an extended community attribute.

See

https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/118800-configure-ospf-00.html

>> The previously unused bit in the OSPF LSA Options Field is referred to as the DN Bit. This bit is set on Type 3, 5, and 7 LSA when the MP-BGP routes are redistributed into OSPF. When the other PE Router receives the LSA from a CE router Type 3, 5, or 7 LSA with the DN Bit set, the information from that LSA is not used in the OSPF route calculation.

and:

>> The Domain Tag is applicable only for the OSPF Type 5 and Type 7 LSA. When the VPNv4 routes are redistributed from MP-BGP into OSPF on PE Router, the Domain Tag is set for OSPF External Routes. The tag could either be manually set with the domain-tag command under OSPF Process or a 32-bit value can be automatically generated:

Looking at the document, we can see that the domain-tag for LSA type 5 or type 7 provides an additional mechanism to prevent another PE node from redistributing the route from OSPF into MP BGP, even if the DN bit is already set.

 

2) Routes learned locally from CE node(s) on VRF access links are OSPF routes with AD 110; routes imported from the remote PE have AD 200, as they are coming from MP iBGP. I agree on this.

 

 

>> 3) When we have two process IDs of OSPF at the CE router, one for PE-CE and another for CE-CE (backdoor point-to-point link), so to get full routes in the OSPF database on the CE, do we need to redistribute between these two OSPF process IDs? If yes, will we get LSA 5 routes after redistribution in the OSPF database?

Here, you can make different choices depending on what you want to achieve. If you make redistribution between two OSPF process-ids you get LSA type 5, this is correct. To be noted: with a dedicated process for the backdoor link you don't need a SHAM link on PE nodes, because the routes coming from the backdoor link will be treated as LSA type 5.

However, this is not entirely true, so the best move in a case like this is to increase the distance for external routes on the secondary OSPF process.

 

router ospf 20
 distance ospf 105 105 130

with the last number being the AD for external routes. Only in this way can you be sure that the CE will pick the PE-provided route when available.

"Ships in the night" competition between different OSPF processes will not take into account the route type. This is the reason why the above command is recommended.

 

>> 4) We are doing redistribution at the PE routers, so on each router (PE1, CE1, CE2, PE2) will we get ASBR summary LSA 4, as each PE router will act as an ASBR?

Yes, the OSPF emulation will create all the necessary LSA types, including LSA type 4, from the PE nodes as needed.
 
Hope to help
Giuseppe
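
The PE behaviour described in the two answers above (LSA type chosen from the domain ID and original route type, DN bit and domain tag as loop prevention), as an added Python model that is not part of the original thread and not Cisco's implementation. Class and function names, prefixes, domain IDs and the tag value are constructed for illustration; NSSA (type 7) origination is left out.

```python
from dataclasses import dataclass
from typing import Optional

INTERNAL = {"O", "O IA"}      # intra-area / inter-area at the originating site
EXTERNAL = {"O E1", "O E2"}   # already external at the originating site

@dataclass(frozen=True)
class Vpnv4Route:             # hypothetical view of an MP-BGP route on the PE
    prefix: str
    ospf_route_type: str      # carried as an extended community
    ospf_domain_id: int       # carried as an extended community

@dataclass(frozen=True)
class Lsa:
    prefix: str
    lsa_type: int
    dn_bit: bool
    tag: Optional[int] = None

def pe_originate(route: Vpnv4Route, local_domain_id: int, domain_tag: int) -> Lsa:
    """LSA a PE builds when redistributing a VPNv4 route into the VRF OSPF process."""
    if route.ospf_route_type in EXTERNAL:
        lsa_type = 5          # external routes are rebuilt as external routes
    elif route.ospf_route_type in INTERNAL:
        # Super backbone emulation only applies when the domain IDs match.
        lsa_type = 3 if route.ospf_domain_id == local_domain_id else 5
    else:
        raise ValueError(f"unknown OSPF route type: {route.ospf_route_type}")
    tag = domain_tag if lsa_type == 5 else None   # domain tag only on externals
    return Lsa(route.prefix, lsa_type, dn_bit=True, tag=tag)

def pe_accepts(lsa: Lsa, domain_tag: int) -> bool:
    """Whether a PE uses an LSA received from a CE in its route calculation."""
    if lsa.lsa_type in (3, 5, 7) and lsa.dn_bit:
        return False          # DN bit: another PE already injected this route
    if lsa.lsa_type in (5, 7) and lsa.tag == domain_tag:
        return False          # domain tag: second check for external LSAs
    return True

if __name__ == "__main__":
    TAG = 3489661028          # constructed tag value
    samples = [               # constructed routes; the local PE uses domain ID 1
        Vpnv4Route("10.1.1.0/24", "O", 1),
        Vpnv4Route("10.1.2.0/24", "O IA", 2),
        Vpnv4Route("10.1.3.0/24", "O E2", 1),
    ]
    for r in samples:
        lsa = pe_originate(r, local_domain_id=1, domain_tag=TAG)
        print(r.prefix, r.ospf_route_type, "-> type", lsa.lsa_type,
              "accepted by another PE:", pe_accepts(lsa, TAG))
```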
 
 


11 Replies

Sir, sorry to interrupt you, I have already read that document. You have not got my question. I am asking: when we do redistribution into OSPF, by default it will be an external LSA (in the case of address family ipv4). Same here, we are doing redistribution of the MP-iBGP VPNv4 route into the OSPF VRF process (irrespective of domain ID, tag), so it should be LSA 5 only. Maybe my question does not make any sense, but I want to clear it up. If possible, please explain.

 


 

Hi Sir, thanks for your valuable revert. I have some queries related to the same.

1) Like the down bit, which is used to avoid loops for LSA 3, do we similarly have the domain tag for LSA 5?

2) When redistributing the MP-iBGP route into the OSPF VRF, the PE BGP table (AD 200) and the OSPF VRF table (AD 110) will both have the CE route, so which route will the PE install in the VRF RIB table (MP-iBGP/OSPF, 110 vs 200)?

3) When we have two process IDs of OSPF at the CE router, one for PE-CE and another for CE-CE (backdoor point-to-point link), so to get full routes in the OSPF database on the CE, do we need to redistribute between these two OSPF process IDs? If yes, will we get LSA 5 routes after redistribution in the OSPF database?

4) We are doing redistribution at the PE routers, so on each router (PE1, CE1, CE2, PE2) will we get ASBR summary LSA 4, as each PE router will act as an ASBR?


Thanks for such a wonderful explanation, I learnt a lot from your reply. I will come up with many more queries in the next post.

Once again, thank you so much for clearing my silly doubts.
