Hi all,

I am hoping to get confirmation of a problem I ran into recently.  Before I
post the configs I will say that I was very confident I knew what the
problem was the moment I saw the configs, but certain people need more
convincing...

Here's an idea of what the PE configs look like:

router ospf 100 vrf VPN_BROKEN
 router-id 1.1.1.1
 log-adjacency-changes
 capability vrf-lite
 area 0 sham-link 10.10.10.1 10.10.10.2 cost 10
 area 0 sham-link 10.10.10.1 10.10.10.2 cost 10
 redistribute bgp 1 subnets
 network 192.168.1.1 0.0.0.0 area 0
 network 192.168.1.3 0.0.0.0 area 0

router bgp 1
!
address-family ipv4 vrf B3933994
 redistribute connected route-map SHAMLINK
 redistribute ospf 100 vrf VPN_BROKEN match internal external 1 external 2
 no synchronization
 exit-address-family

And here's an idea of the CE config:

router ospf 99 vrf MPLS-DATA
 router-id 1.1.1.2
 log-adjacency-changes
 capability vrf-lite
 network 1.1.1.2 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0

And now for the problem description...

After a reload of the PE router whose config is presented above, neither of
the listed sham links came back up.  The person who found & corrected the
problem did so by creating distribute lists on the PEs to prevent the sham
link routes getting into the routing table from the OSPF database.

Now... what I am pretty sure happened after reload:
1. The redistribution between OSPF-BGP allowed the sham-link routes into
OSPF on the CEs where they then transited the CE network.
2. The presence of capability vrf-lite on the PEs allowed the redistributed
sham link LSAs to get back into the remote PEs with the routing bit set -
allowing injection into the routing tables.
3. The sham links, now with routes via OSPF, failed to establish.

When the sham links were brought up initially, they would have established
based on the BGP routes (it's even possible "capability vrf-lite" was only
added after the sham links were up).  Because they function as demand
circuits, the routing could change from BGP-based to OSPF-based and not
actually cause the sham links to fail.  It was only when they were taken
down and then attempted to re-establish via OSPF-learned routes that they
fully broke.

If I'm right, I'm hoping someone has an even clearer explanation of why I'm
correct.  If I'm wrong, then perhaps someone can enlighten me!

Thanks,

Eric
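
Added example (not part of Eric's post and not Cisco tooling): a small Python lint that flags, on any OSPF VRF process with sham links, the conditions discussed above: capability vrf-lite enabled, no inbound distribute-list, and a network statement that matches the sham-link source address. The sample config is constructed from the PE stanza in the post, and the function and finding names are made up for this example.

```python
import ipaddress
import re

# Constructed sample: PE OSPF stanza from the post (duplicate sham-link line dropped).
SAMPLE_PE = """\
router ospf 100 vrf VPN_BROKEN
 capability vrf-lite
 area 0 sham-link 10.10.10.1 10.10.10.2 cost 10
 redistribute bgp 1 subnets
 network 192.168.1.1 0.0.0.0 area 0
 network 192.168.1.3 0.0.0.0 area 0
"""

def ospf_vrf_blocks(config):
    """Yield (header, sub-commands) for each 'router ospf N vrf X' stanza."""
    header, body = None, []
    for line in config.splitlines() + [""]:   # trailing "" flushes the last stanza
        if header and not line.startswith(" "):
            yield header, body
            header = None
        if re.match(r"router ospf \d+ vrf \S+", line):
            header, body = line.strip(), []
        elif header:
            body.append(line.strip())

def matches(ip, addr, wildcard):
    """IOS 'network addr wildcard' semantics: wildcard 1-bits are don't-care."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(addr)) & care)

def lint(config):
    """Return sorted (vrf, finding) pairs for OSPF VRF processes with sham links."""
    findings = set()
    for header, body in ospf_vrf_blocks(config):
        vrf = header.split()[-1]
        sources = [m[1] for l in body if (m := re.match(r"area \S+ sham-link (\S+) \S+", l))]
        if not sources:
            continue
        if "capability vrf-lite" in body:   # DN-bit/domain-tag checks are disabled
            findings.add((vrf, "vrf-lite-with-sham-link"))
        if not any(re.match(r"distribute-list .+ in\b", l) for l in body):
            findings.add((vrf, "no-inbound-distribute-list"))   # presence check only
        for l in body:   # sham-link endpoints belong in BGP, not in this OSPF process
            m = re.match(r"network (\S+) (\S+) area", l)
            if m and any(matches(s, m[1], m[2]) for s in sources):
                findings.add((vrf, "sham-source-enabled-in-ospf"))
    return sorted(findings)

print(lint(SAMPLE_PE))
```

The distribute-list check only confirms that an inbound filter exists on the process; whether the referenced ACL or prefix list actually denies the sham-link endpoint /32s still has to be verified by hand.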