Where to configure the "capability vrf lite", on CE or PE?

m1xed0s
Spotlight

My understanding is:

1. "capability vrf lite" will make OSPF process to install the routes even with DN bit set.

2. PE running VRF will set the DN bit when advertising to CE if OSPF is used for PE-CE routing. But CE is the device to check the DN bit when installing the route...

So where to configure the "capability vrf lite", assuming CE is not running VRF at all (most likely in real production)?

And also what if CE is actually running VRF?

2 Accepted Solutions

Jon Marshall
Hall of Fame

The DN bit is a check that, usually, PE routers use to check whether to install certain types of LSAs into a VRF and is used as a loop prevention method.

If your CE router is not running VRFs but using OSPF to connect to the PE router then you do not need that command anywhere.

If however you configure VRFs on your CE router then it now uses the same checks as the PE routers because it believes it is directly connected to the MPLS network in the way the PE is, even though it isn't.

And then you would need to use that command on your CE router.

So, put simply, you only need to use that command if your CE router is using "VRF-Lite" and OSPF is in use between the CE and PE routers.

There are a few good detailed explanations on this site if you want to go into it more.

Jon

Jon, Shuai,

In addition to Jon's very good explanation, it is also noteworthy to mention that on Cisco routers, if an OSPF process is run in a VRF then it automatically and unconditionally considers itself to be an ABR - it believes to be connected to a so-called MPLS Superbackbone (even though there may be no BGP/MPLS configured on the router at all).

This may pose problems if such a router is actually a part of a network that uses multiple areas. Consider the following scenario:

R1 (VRF) --- Link in Area 1 --- R2 --- Link in Area 0 --- R3

Here, R2 is obviously an ABR because it has two links, one in Area 0, the other in Area 1. R1 is, by all means, an internal router in Area 1. However, because R1 runs the link toward R2, and OSPF over this link, in a VRF, R1 considers itself to also be an ABR toward the MPLS Superbackbone.

As a result, R1 - thinking it is an ABR - will not place any networks from Area 0 nor from any other area behind R2 into its routing table, because by OSPF rules, an ABR processes only those inter-area routes (that is, LSA-3 and LSA-4) that have been received over an adjacency in Area 0, and R1 has no such adjacency. The end result will be that R1 will be unable to talk with any network outside its own Area 1.

This behavior on R1 is also deactivated by the "capability vrf-lite" command.

Thus, "capability vrf-lite" has several effects:

  • The router stops considering itself as the ABR connected to the MPLS Superbackbone
  • The router will ignore the DN bit set in LSA-3, LSA-5 and LSA-7, and will not set this bit when doing redistribution into OSPF
  • The router will ignore the tag value received in LSA-5 and LSA-7, and it will not set this value to any specific value when doing redistribution into OSPF

Best regards,
Peter
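
The scenario from the answer above as a Cisco IOS configuration for R1, added here as an illustration and not posted by anyone in the thread. The VRF name CUST-A, the route distinguisher, OSPF process ID 10, the interface and the addresses are all placeholders chosen for the example.

```cisco-ios
! Constructed example: R1 from "R1 (VRF) --- Area 1 --- R2 --- Area 0 --- R3".
! R1 is a VRF-Lite router: it has a VRF but no BGP/MPLS toward a provider core.
ip vrf CUST-A
 rd 65000:1
!
interface GigabitEthernet0/0
 description Link to R2 (Area 1)
 ip vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.252
!
! Because this OSPF process runs in a VRF, R1 treats itself as an ABR attached
! to the MPLS Superbackbone. Without the capability line below it would not
! install the LSA-3 routes that R2 originates into Area 1, and it would apply
! the DN-bit check to LSA-3, LSA-5 and LSA-7.
router ospf 10 vrf CUST-A
 capability vrf-lite
 network 192.0.2.0 0.0.0.3 area 1
!
! Checks to run in exec mode after the change:
!   show ip ospf 10                  (process should no longer report itself as an ABR)
!   show ip route vrf CUST-A ospf    (inter-area routes learned via R2 should appear)
```

The command goes on the router whose OSPF process runs inside a VRF, which is R1 here. R2 and R3 run OSPF in the global table and need no change.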

If however you configure VRFs on your CE router then it now uses the same checks as the PE routers because it believes it is directly connected to the MPLS network in the way the PE is, even though it isn't.

Thanks.

The explanation is very deep, many thanks.

Hi Peter Paluch,
Thank you for your explanation.
But there is one point I am confused about. You said "As a result, R1 - thinking it is an ABR - will not place any networks from Area 0 nor from any other area behind R2 into its routing table, because by OSPF rules, an ABR processes only those inter-area routes (that is, LSA-3 and LSA-4) that have been received over an adjacency in Area 0, and R1 has no such adjacency." In this example, I guess the "Area 0" you mention in your sentence is the Super Backbone? Am I right?

Hello

The superbackbone (area 0) refers to the service provider's internal OSPF MPLS VPN network, which is completely transparent to customers that use any IGP (including OSPF) as their routing protocol.

However, in a network without MPLS VPNs that uses OSPF as its routing protocol, area 0 would refer to the backbone that interconnects non-backbone (ospf 0) areas.


Kind Regards
Paul

If R1 doesn't have any VRF, with a topology like below:
R1 --- Link in Area 1 --- R2 --- Link in Area 0 --- R3
R1 will learn networks in area 0.
If R1 has a VRF, with a topology like below:
R1 (VRF) --- Link in Area 1 --- R2 --- Link in Area 0 --- R3
R1 doesn't see any network in area 0; R1 considers itself an ABR.

"As a result, R1 - thinking it is an ABR - will not place any networks from Area 0 nor from any other area behind R2 into its routing table, because by OSPF rules, an ABR processes only those inter-area routes (that is, LSA-3 and LSA-4) that have been received over an adjacency in Area 0, and R1 has no such adjacency."
Following the above sentence, R1 is now an ABR but it doesn't consider R2 an adjacency in area 0 (even though I still configure a network between R2 and R3 in area 0). In this case, R1 doesn't consider area 0 a backbone area, so it doesn't place networks learned from R2 into its RIB. In R1's view, the backbone area is the superbackbone; it only learns routes from a remote PE (if available).
This is my opinion, but I don't know whether it is right or not.
Hope you can clear it up for me.

Hi Peter Paluch,

What if Area 1 in your topology is configured as a stub?

In that case R2 (the actual ABR) will generate a default route in stub Area 1, and since R1 also considers itself an ABR, it will generate a default route as well, right?

Now if there is any packet to R1 or R2 (for which they do not have a specific destination), will it get infinitely looped between R1 and R2?

Thanks,

Gaurav Sukhadia
