Hi Eric,

I guess clearing up the down-bit by redistribution would be better than
breaking the loop prevention on the PE router by enabling vrf-lite.

adam
-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of 
[email protected]
Sent: Tuesday, February 08, 2011 1:28 AM
To: [email protected]
Subject: CCIE_SP Digest, Vol 47, Issue 6

Today's Topics:

   1. Re: OSPF Sham Links & Capability VRF Lite (Tyson Scott)
   2. Re: OSPF Sham Links & Capability VRF Lite (Eric Rioux)


----------------------------------------------------------------------

Message: 1
Date: Mon, 7 Feb 2011 18:00:12 -0500
From: "Tyson Scott" <[email protected]>
To: "'Eric Rioux'" <[email protected]>, <[email protected]>
Subject: Re: [OSL | CCIE_SP] OSPF Sham Links & Capability VRF Lite
Message-ID: <011d01cbc71a$c83bf200$58b3d600$@com>
Content-Type: text/plain; charset="us-ascii"

Why do you have capability vrf-lite on the PE?  This is only necessary when
the router doesn't have a connection to the BGP domain.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: [email protected]
[mailto:[email protected]] On Behalf Of Eric Rioux
Sent: Monday, February 07, 2011 4:34 PM
To: [email protected]
Subject: Re: [OSL | CCIE_SP] OSPF Sham Links & Capability VRF Lite

 

Sorry, 

I updated some of the naming used below.. please respond to this email
instead.

On Mon, Feb 7, 2011 at 4:27 PM, Eric Rioux <[email protected]> wrote:

Hi all,

I am hoping to get confirmation of a problem I ran into recently.  Before I
post the configs I will say that I was very confident I knew what the
problem was the moment I saw the configs, but certain people need more
convincing...

Here's an idea of what the PE configs look like:

router ospf 100 vrf VPN_BROKEN
 router-id 1.1.1.1
 log-adjacency-changes
 capability vrf-lite
 area 0 sham-link 10.10.10.1 10.10.10.2 cost 10
 area 0 sham-link 10.10.10.1 10.10.10.2 cost 10
 redistribute bgp 1 subnets
 network 192.168.1.1 0.0.0.0 area 0
 network 192.168.1.3 0.0.0.0 area 0

router bgp 1
!
address-family ipv4 vrf VPN_BROKEN
 redistribute connected route-map SHAMLINK
 redistribute ospf 100 vrf VPN_BROKEN match internal external 1 external 2
 no synchronization
 exit-address-family

And here's an idea of the CE config:

router ospf 99 vrf LOCAL_VRF
 router-id 1.1.1.2
 log-adjacency-changes
 capability vrf-lite
 network 1.1.1.2 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0

And now for the problem description...

After a reload of the PE router whose config is presented above, neither of
the listed sham links came back up.  The person who found & corrected the
problem did so by creating distribute lists on the PE's to prevent the sham
link routes getting into the routing table from the OSPF database.

Now.. What I am pretty sure happened after reload:
1. The redistribution between OSPF-BGP allowed the sham-link routes into
OSPF on the CE's where they then transited the CE network.
2. The presence of capability vrf-lite on the PE's allowed the redistributed
sham link LSA's to get back into the remote PE's with the routing bit set -
allowing injection into the routing tables.
3. The sham links, now with routes via OSPF, failed to establish.

When the Sham links were brought up initially, they would have established
based on the BGP routes (it's even possible "capability vrf-lite" was only
added after the Sham links were up).  Because they function as demand
circuits, the routing could change from BGP-based to OSPF-based and not
actually cause the sham links to fail.  It was only when they were taken
down and then attempted to re-establish via OSPF-learned routes that they
fully broke.

If I'm right, I'm hoping someone has an even clearer explanation of why I'm
correct.  If I'm wrong, then perhaps someone can enlighten me!

Thanks,

Eric

 


------------------------------

Message: 2
Date: Mon, 7 Feb 2011 19:28:03 -0500
From: Eric Rioux <[email protected]>
To: Tyson Scott <[email protected]>
Cc: [email protected]
Subject: Re: [OSL | CCIE_SP] OSPF Sham Links & Capability VRF Lite
Message-ID:
        <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

That was the first thing that caught my attention as well.  I believe this
stems from a misunderstanding, on a former co-worker's part, of how the
capability works.

One scenario I've had presented that I'm curious about is that of a CE
device connected to an OSPF network where PE-CE style BGP-to-OSPF
redistribution is taking place.  In such a scenario, routes learned from the
customer network would theoretically have the down bit set from customer
redistribution and would prevent the Provider PE router from installing
these routes (presumably unless capability vrf-lite were set).  Does this
make sense to you and, if so, would setting the capability on the PE be the
correct way to resolve or is there a more preferred method?

Thanks for the feedback,

Eric


End of CCIE_SP Digest, Vol 47, Issue 6
**************************************
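
The rule of thumb discussed in this thread (capability vrf-lite belongs only on a router with no connection to the BGP domain) can be checked mechanically across saved configs. The following is an added example, not code from any poster in the thread; the function names and the three "PE role" heuristics are assumptions, and the sample config is constructed from the stanzas quoted above.

```python
import re

# Constructed sample modelled on the PE and CE stanzas quoted in the thread.
SAMPLE = """\
router ospf 100 vrf VPN_BROKEN
 capability vrf-lite
 area 0 sham-link 10.10.10.1 10.10.10.2 cost 10
 redistribute bgp 1 subnets
router bgp 1
 address-family ipv4 vrf VPN_BROKEN
  redistribute ospf 100 vrf VPN_BROKEN match internal external 1 external 2
router ospf 99 vrf LOCAL_VRF
 capability vrf-lite
 network 192.168.1.1 0.0.0.0 area 0
"""

def ospf_vrf_stanzas(config):
    """Map (process id, vrf) -> list of sub-commands in that OSPF stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"router ospf (\d+) vrf (\S+)$", line)
        if head:
            current = stanzas.setdefault((head.group(1), head.group(2)), [])
        elif raw[:1] not in (" ", "\t"):   # any other top-level line ends the stanza
            current = None
        elif current is not None and line:
            current.append(line)
    return stanzas

def audit(config):
    """Flag OSPF VRF processes that look like a PE (assumed heuristics) yet set vrf-lite."""
    findings = []
    for (pid, vrf), cmds in ospf_vrf_stanzas(config).items():
        if "capability vrf-lite" not in cmds:
            continue
        reasons = []
        if any(c.startswith("redistribute bgp ") for c in cmds):
            reasons.append("redistributes BGP into OSPF")
        if any(re.match(r"area \S+ sham-link ", c) for c in cmds):
            reasons.append("has sham-links")
        if re.search(rf"^\s*redistribute ospf {pid} vrf {re.escape(vrf)}\b", config, re.M):
            reasons.append("is redistributed into BGP")
        if reasons:   # vrf-lite with no BGP involvement (the CE case) is not reported
            findings.append((pid, vrf, reasons))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
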