Why do you have capability vrf-lite on the PE? This is only necessary when the router doesn't have a connection to the BGP domain.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Eric Rioux
Sent: Monday, February 07, 2011 4:34 PM
To: [email protected]
Subject: Re: [OSL | CCIE_SP] OSPF Sham Links & Capability VRF Lite

Sorry, I updated some of the naming used below. Please respond to this email instead.

On Mon, Feb 7, 2011 at 4:27 PM, Eric Rioux <[email protected]> wrote:

Hi all,

I am hoping to get confirmation of a problem I ran into recently. Before I post the configs I will say that I was very confident I knew what the problem was the moment I saw the configs, but certain people need more convincing...

Here's an idea of what the PE configs look like:

    router ospf 100 vrf VPN_BROKEN
     router-id 1.1.1.1
     log-adjacency-changes
     capability vrf-lite
     area 0 sham-link 10.10.10.1 10.10.10.2 cost 10
     area 0 sham-link 10.10.10.1 10.10.10.2 cost 10
     redistribute bgp 1 subnets
     network 192.168.1.1 0.0.0.0 area 0
     network 192.168.1.3 0.0.0.0 area 0
    router bgp 1
     !
     address-family ipv4 vrf VPN_BROKEN
      redistribute connected route-map SHAMLINK
      redistribute ospf 100 vrf VPN_BROKEN match internal external 1 external 2
      no synchronization
     exit-address-family

And here's an idea of the CE config:

    router ospf 99 vrf LOCAL_VRF
     router-id 1.1.1.2
     log-adjacency-changes
     capability vrf-lite
     network 1.1.1.2 0.0.0.0 area 0
     network 192.168.1.1 0.0.0.0 area 0

And now for the problem description...

After a reload of the PE router whose config is presented above, neither of the listed sham links came back up. The person who found and corrected the problem did so by creating distribute lists on the PEs to prevent the sham link routes getting into the routing table from the OSPF database.

Now, what I am pretty sure happened after reload:

1. The redistribution between OSPF-BGP allowed the sham-link routes into OSPF on the CEs where they then transited the CE network.
2. The presence of capability vrf-lite on the PEs allowed the redistributed sham link LSAs to get back into the remote PEs with the routing bit set - allowing injection into the routing tables.
3. The sham links, now with routes via OSPF, failed to establish.

When the sham links were brought up initially, they would have established based on the BGP routes (it's even possible "capability vrf-lite" was only added after the sham links were up). Because they function as demand circuits, the routing could change from BGP-based to OSPF-based and not actually cause the sham links to fail. It was only when they were taken down and then attempted to re-establish via OSPF-learned routes that they fully broke.

If I'm right, I'm hoping someone has an even clearer explanation of why I'm correct. If I'm wrong, then perhaps someone can enlighten me!

Thanks,
Eric
