Hi Rick, You can turn the ospf routes into external routes (as opposed to inter-area routes), by making sure the domain-ids are different for the ospf redistributed routes in mbgp. The domain-id is derived from the ospf process number, but it can be configured with the domain-id command as well.
The DN-bit is not set on the (type-5) lsas sent to the ce (although rfc4577 says they should be), hence the ce will import the routes into its vrf. The question which then remains, is how does this affect the loop prevention mechanism? What would happen if the ce re-advertises the type-5 lsa back to the pe? Well, as part of the redistribution process, OSPF route tags are set to indicate which domain the information originated from. If a pe receives an OSPF update with its own tag, it will detect the loop and ignore it. >From reading the rfc, it seems the specifics are slightly >implementation-dependent, but this is how ios does it. kind regards, Marcel On 17/05/2010, at 05:25 , Rick Mur wrote: > The explanations by Joe and Marcel are very good. As you are planning to lab > and debug this, here's a free IPexpert lab task :-) > > You have a CE that is running OSPF in a VRF (VRF-lite) that is connected to a > PE which is redistributing routes from MP-BGP into OSPF. > Now ensure that these routes get in the routing table of the CE without using > the 'capability vrf-lite' command! > > -- > Regards, > > Rick Mur > CCIE2 #21946 (R&S / Service Provider) > Sr. Support Engineer – IPexpert, Inc. > URL: http://www.IPexpert.com > > On 15 mei 2010, at 14:01, Marcel Lammerse wrote: > >> Hi Rob, >> >> it is used in an mpls-based vpn scenario, where the ce speaks ospf with the >> pe. In order to enable routing to remote vpn sites, the pe has to >> redistribute mbgp prefixes into ospf with the DN-bit set. The DN-bit is used >> as a loop prevention mechanism, because if an ospf update with the DN-bit >> set would somehow reach the pe, it should not accept the update into the vrf >> again. >> >> However, let's say you have vrf lite with ospf to the pe configured on the >> ce, this becomes a problem. Because the ce will not import any routes that >> have the DN-bit set into the vrf and you would not be able to route to the >> remote vpn sites. By configuring the capability vrf-lite command, the >> filtering rule is relaxed and the pe routes will be imported into the vrf on >> the ce. >> >> Therefore, to answer your question, you would see the DN-bit set on lsas >> received from a pe that redistributes mbgp routes into ospf. >> >> HTH >> Marcel >> >> On 14/05/2010, at 11:04 , Robert Simmons wrote: >> >>> All, >>> >>> Can anyone shoot me a quick scenario where I would need to use the >>> capability vrf-lite command? I need something where I can actually look at >>> debugs and in the ospf database to see the DN bit checked? >>> >>> Thanks >>> >>> -Rob >>> >>> >>> _______________________________________________ >>> For more information regarding industry leading CCIE Lab training, please >>> visit www.ipexpert.com >> >> _______________________________________________ >> For more information regarding industry leading CCIE Lab training, please >> visit www.ipexpert.com > _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
