cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
41492
Views
275
Helpful
22
Replies

Where to configure the "capability vrf lite", on CE or PE?

SIMMN
Spotlight
Spotlight

My understanding is:

1. "capability vrf lite" will make OSPF process to install the routes even with DN bit set.

2. PE running VRF will set the DN bit when advertising to CE if OSPF is used for PE-CE routing. But CE is the device to check the DN bit when installing the route...

So where to configure the

"capability vrf lite", assuming CE is not running VRF at all (most likely in real production)?

And also what if CE is actually running VRF?

2 Accepted Solutions

Accepted Solutions

Jon Marshall
Hall of Fame
Hall of Fame

The DN bit is a check that, usually, PE routers use to check whether to install certain types of LSAs into a VRF and is used as a loop prevention method.

If your CE router is not running VRFs but using OSPF to connect to the PE router then you do not need that command anywhere.

If however you configure VRFs on your CE router then it now uses the same checks as the PE routers because it believes it is directly connected to the MPLS network in the way the PE is, even though it isn't.

And then you would need to use that command on your CE router.

So, put simply, you only need to use that command if your CE router is using "VRF-Lite" and OSPF is in use between the CE and PE routers.

There are a few good detailed explanations on this site if you want to go into it more.

Jon

View solution in original post

Jon, Shuai,

In addition to Jon's very good explanation, it is also noteworthy to mention that on Cisco routers, if an OSPF process is run in a VRF then it automatically and unconditionally considers itself to be an ABR - it believes to be connected to a so-called MPLS Superbackbone (even though there may be no BGP/MPLS configured on the router at all).

This may pose problems if such a router is actually a part of a network that uses multiple areas. Consider the following scenario:

R1 (VRF) --- Link in Area 1 --- R2 --- Link in Area 0 --- R3

Here, R2 is obviously an ABR because it has two links, one in Area 0, the other in Area 1. R1 is, by all means, an internal router in Area 1. However, because R1 runs the link toward R2, and OSPF over this link, in a VRF, R1 considers itself to also be an ABR toward the MPLS Superbackbone.

As a result, R1 - thinking it is an ABR - will not place any networks from Area 0 nor from any other area behind R2 into its routing table, because by OSPF rules, an ABR processes only those inter-area routes (that is, LSA-3 and LSA-4) that have been received over an adjacency in Area 0, and R1 has no such adjacency. The end result will be that R1 will be unable to talk with any network outside its own Area 1.

This behavior on R1 is also deactivated by the

"capability vrf-lite" command.

Thus, "capability vrf-lite" has several effects:

  • The router stops considering itself as the ABR connected to the MPLS Superbackbone
  • The router will ignore the DN bit set in LSA-3, LSA-5 and LSA-7, and will not set this bit when doing redistribution into OSPF
  • The router will ignore the tag value received in LSA-5 and LSA-7, and it will not set this value to any specific value when doing redistribution into OSPF

Best regards,
Peter

View solution in original post

22 Replies 22

Jon Marshall
Hall of Fame
Hall of Fame

The DN bit is a check that, usually, PE routers use to check whether to install certain types of LSAs into a VRF and is used as a loop prevention method.

If your CE router is not running VRFs but using OSPF to connect to the PE router then you do not need that command anywhere.

If however you configure VRFs on your CE router then it now uses the same checks as the PE routers because it believes it is directly connected to the MPLS network in the way the PE is, even though it isn't.

And then you would need to use that command on your CE router.

So, put simply, you only need to use that command if your CE router is using "VRF-Lite" and OSPF is in use between the CE and PE routers.

There are a few good detailed explanations on this site if you want to go into it more.

Jon

If however you configure VRFs on your CE router then it now uses the same checks as the PE routers because it believes it is directly connected to the MPLS network in the way the PE is, even though it isn't.

Thanks.

Jon, Shuai,

In addition to Jon's very good explanation, it is also noteworthy to mention that on Cisco routers, if an OSPF process is run in a VRF then it automatically and unconditionally considers itself to be an ABR - it believes to be connected to a so-called MPLS Superbackbone (even though there may be no BGP/MPLS configured on the router at all).

This may pose problems if such a router is actually a part of a network that uses multiple areas. Consider the following scenario:

R1 (VRF) --- Link in Area 1 --- R2 --- Link in Area 0 --- R3

Here, R2 is obviously an ABR because it has two links, one in Area 0, the other in Area 1. R1 is, by all means, an internal router in Area 1. However, because R1 runs the link toward R2, and OSPF over this link, in a VRF, R1 considers itself to also be an ABR toward the MPLS Superbackbone.

As a result, R1 - thinking it is an ABR - will not place any networks from Area 0 nor from any other area behind R2 into its routing table, because by OSPF rules, an ABR processes only those inter-area routes (that is, LSA-3 and LSA-4) that have been received over an adjacency in Area 0, and R1 has no such adjacency. The end result will be that R1 will be unable to talk with any network outside its own Area 1.

This behavior on R1 is also deactivated by the

"capability vrf-lite" command.

Thus, "capability vrf-lite" has several effects:

  • The router stops considering itself as the ABR connected to the MPLS Superbackbone
  • The router will ignore the DN bit set in LSA-3, LSA-5 and LSA-7, and will not set this bit when doing redistribution into OSPF
  • The router will ignore the tag value received in LSA-5 and LSA-7, and it will not set this value to any specific value when doing redistribution into OSPF

Best regards,
Peter

explanation is  very deeply ,many thanks 

HI Peter Paluch,
Thank you for your explanation.
But there is one point I am confused, You said "As a result, R1 - thinking it is an ABR - will not place any networks from Area 0 nor from any other area behind R2 into its routing table, because by OSPF rules, an ABR processes only those inter-area routes (that is, LSA-3 and LSA-4) that have been received over an adjacency in Area 0, and R1 has no such adjacency." In this example, I guess "Area 0" you mention in your sentence is Super Backbone? Am I right.

Hello

The superbackone (area 0) refers to the service providers internal ospf MPLS VPN network which is completely transparent to customers that use any IGP (including ospf) as its routing protocol.

However a network without mpls vpns that uses ospf as it routing protocol then area 0 would be referred to the Backbone that interconnect non backbone (ospf 0) areas


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

IF R1 doesn't have any vrf, topology like below:
R1 --- Link in Area 1 --- R2 --- Link in Area 0 --- R3
R1 will learn network in area 0.
IF R1 have a vrf, topology like below:
R1 (VRF) --- Link in Area 1 --- R2 --- Link in Area 0 --- R3
R1 doesn't see any network in area 0, R1 considers itself as an ABR.

"As a result, R1 - thinking it is an ABR - will not place any networks from Area 0 nor from any other area behind R2 into its routing table, because by OSPF rules, an ABR processes only those inter-area routes (that is, LSA-3 and LSA-4) that have been received over an adjacency in Area 0, and R1 has no such adjacency."
Follow as the above sentence, R1 now is an ABR but it doesn't consider R2 is an adjacency in area 0 (even I still config a network between R2 and R3 in area 0). In this case, R1 doesn't consider area 0 is a backbone area so it doesn't place network learned from R2 to its rib. In the view of R1, area backbone is superbackbone, it only learns routes from remote PE (if available).
This is my opinions, but I don't know whether it is right or not.
Hope you clear it for me.

Hi Peter Paluch ,

What if Area-1 in your topology is configured as Stub ?

In that case R2 (actual ABR) will generate Default route in Stub Area-1 and since R1 also considers itself as ABR , it will generate default route as well , right ?

 

Now if there is any packet to R1 or R2 (for which they do not have specific destination , it will get infinite looped between R1 and R2 ?

Thanks,

Gaurav Sukhadia

Hi, if I understood correctly, vrf capability-lite is necessary only when using VRFs and (1) multi-area OSPF or (2) when redistributing routes into OSPF? If there is only area 0 and no LSA Type 3, 5 or 7, vrf capability-lite doesn't matter? Will the default route being originated by a router be omitted by other routers in the area without vrf capability-lite?

VFR-Lite and OSPF do not depend each other although they can be used together.

I'm guessing VRF is new to you?  If so, would you like a brief explanation of the technology?

 

@Joseph W. Doherty I am familiar with VRFs but I am not sure what exactly do you mean. Feel free to provide any explanation that could advance my knowledge, I would be very grateful. I am trying to understand in which scenarios I don't need to use the command "capability vrf lite" when using OSPF and VRFs.

make new post this better 

MHM

BTW, I agree with @MHM Cisco World , your question probably should have been its own posting.

In any case, VRFs are sort of the equivalent of VLANs for L3.

Quick review, given 3 routers, linearly connected, with loopbacks 1.1.1.1, 2.2.2.2 and 3.3.3.3,  and these loopbacks were known to OSPF, i.e. R1.1.1.1<>R2.2.2.2<>R3.3.3.3, if there was just one area number (doesn't need to be area zero) for all 3 routers, each router knows of all the routes within the OSPF AS.

If we go multi area, having area 1 shared between R1.1.1.1 and R2.2.2.2 and area 3 between R2.2.2.2 and R3.3.3.3, R2.2.2.2 would still know all routes, but R1.1.1.1 and R3.3.3.3 wouldn't know the other area's routes, unless we add an area zero on R2.2.2.2, and if we do, sharing of routes between areas would depends on the kind of area and/or if route summarization is being done on ABRs.  Even in the latter case, usually we can still route between all the areas even without knowledge of external area routes.

Next, on R2.2.2.2 we could run two OSPF processes.  Those processes would still allow R2.2.2.2 to know all routes, but again, R1.1.1.1 and R3.3.3.3 would not, unless we redistributes between those OSPF processes on R2.2.2.2.

In the forgoing, we have the "problem" R2.2.2.2 might have more routing info than we desire.  I.e. We truly want to logically separate R1.1.1.1<>R2.2.2.2 from R2.2.2.2<>R3.3.3.3.  This is where VRFs come in.  We can define two VRFs on R2.2.2.2, and whatever routing information is known in one VRF, by default, is not available to the other VRF.

Two issues that arise with VRF, how do we share multiple VRFs across/between L3 devices (the equivalent of sharing a VLAN across/between switches) and is there a way to selectively "redistribute" routes between VRF.

On a single device, we can identify interfaces or static routes to a VRF, much like assigning a L2 port to a VLAN.

On L3 devices, we can identify SVI to a VRF, and implicitly, we can use a trunk (with VLAN tagging), to share a VRF across/between them.  This is the VRF-Lite approach.

Full blown VRF, uses VLAN like tagging (RDs) of BGP routes to identify what VRF they belong to.  (Unsure any other routing protocols support that too.)

Full blown VRF can use RTs to selectively "filter" BGP routes, on a particular device, so there is a way "leak" routes between VRFs.  (One reason to do this, might be to allow separate VRFs to share an address space.  [Sort of the equivalent of private IPs seeing public IPs, but not the converse.])

Again, I don't know if any other routing protocols support RD/RTs as can BGP.

If any of the above makes any sense, to your questions, VRF-Lite, basically allows you to run totally independent OSPF ASs on the same router, and those independent ASs can be shared across multiple devices, again, conceptionally, much as having multiple VLANs on a single switch and/or sharing multiple VLANS between switches.  VLANs, of course, isolate L2, while VRFs isolate L3.

In the Enterprise, you often don't see much need for VRFs, unless you're very, very security conscience.  Consider you have "sales" and "accounting" and you want to preclude them from directly being able to exchange data, except perhaps through a FW.  With VRF, you can route these two ASs across your network, but each has no way to reach the other, except perhaps, through a FW.

Many VLAN examples might show "sales" and "accounting" VLANs, VLANs might have L2 size and topology considerations which can be better addressed by L3 using VRFs.  Remember, even on any L3 devices with different VRFs, no need to maintain ACLs to block traffic between the VRFs.

@Joseph W. Doherty I appreciate your explanation. Now, is there any scenario where it is not necessary to use the command "capability vrf lite"? What about those I mentioned in my first comment?

Review Cisco Networking for a $25 gift card