This post looks at MPLS-based VPNs and at how routing information behaves when OSPF is the CE-PE routing protocol.
The topology under discussion is shown below:
R1(CE)===R2(PE)===R3(PE)===R4(CE)
Here are the base configurations:
R1
hostname R1
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 1
!
interface FastEthernet0/0
description R2 Fa0/0
ip address 10.1.12.1 255.255.255.0
ip ospf 1 area 1
!
R2
hostname R2
ip vrf A
rd 1:1
route-target export 1:1
route-target import 1:1
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet0/0
description R1 Fa0/0
ip vrf forwarding A
ip address 10.1.12.2 255.255.255.0
ip ospf 2 area 1
speed 100
full-duplex
!
interface FastEthernet0/1
description R3 Fa0/1
ip address 10.1.23.2 255.255.255.0
ip ospf 1 area 0
mpls ip
!
router ospf 2 vrf A
log-adjacency-changes
redistribute bgp 23 subnets
!
router ospf 1
log-adjacency-changes
!
router bgp 23
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 23
neighbor 3.3.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute ospf 2 vrf A
no synchronization
exit-address-family
!
R3
hostname R3
ip vrf A
rd 1:1
route-target export 1:1
route-target import 1:1
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet0/0
description R4 Fa0/0
ip vrf forwarding A
ip address 10.1.34.3 255.255.255.0
ip ospf 3 area 1
speed 100
full-duplex
!
interface FastEthernet0/1
description R2 Fa0/1
ip address 10.1.23.3 255.255.255.0
ip ospf 1 area 0
mpls ip
!
router ospf 1
log-adjacency-changes
!
router ospf 3 vrf A
log-adjacency-changes
redistribute bgp 23 subnets
!
router bgp 23
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 23
neighbor 2.2.2.2 update-source Loopback0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute ospf 3 vrf A
no synchronization
exit-address-family
!
R4
hostname R4
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip ospf 1 area 1
!
interface FastEthernet0/0
description R3 Fa0/0
ip address 10.1.34.4 255.255.255.0
ip ospf 1 area 1
!
The R1 Fa0/0 and R4 Fa0/0 interfaces are both in OSPF area 1 where they connect to the PEs, so we would like to see their associated loopbacks as an "O" route:
R1>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
4.0.0.0/32 is subnetted, 1 subnets
O E2 4.4.4.4 [110/2] via 10.1.12.2, 00:04:19, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.12.0 is directly connected, FastEthernet0/0
O E2 10.1.34.0 [110/1] via 10.1.12.2, 00:04:19, FastEthernet0/0
R4>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/2] via 10.1.34.3, 00:04:38, FastEthernet0/0
4.0.0.0/32 is subnetted, 1 subnets
C 4.4.4.4 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 2 subnets
O E2 10.1.12.0 [110/1] via 10.1.34.3, 00:04:37, FastEthernet0/0
C 10.1.34.0 is directly connected, FastEthernet0/0
Right now these guys are seeing each other as external routes (Type 5 LSAs). Why is this? Well, if you think about it, these should be external routes, because we are redistributing from OSPF into BGP and then back into OSPF on our PEs. Normally, however, things are smart enough that the MPLS network super backbone keeps them appearing as OSPF routes. This isn't happening in this case for some reason:
R2#sh ip ospf int brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Fa0/1 1 0 10.1.23.2/24 1 DR 1/1
Lo0 1 0 2.2.2.2/32 1 LOOP 0/0
Fa0/0 2 1 10.1.12.2/24 1 BDR 1/1
R3#sh ip ospf int brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Fa0/0 3 1 10.1.34.3/24 1 BDR 1/1
Fa0/1 1 0 10.1.23.3/24 1 BDR 1/1
Lo0 1 0 3.3.3.3/32 1 LOOP 0/0
The problem here is that the OSPF process IDs for the CE-facing interfaces on the PEs are different. If both PEs had the same OSPF domain ID (which by default is inherited from the process ID), these would not show up as external routes:
R2#sh ip ospf | i Process|Domain
Routing Process "ospf 1" with ID 2.2.2.2
Routing Process "ospf 2" with ID 10.1.12.2
Domain ID type 0x0005, value 0.0.0.2
R3#sh ip ospf | i Process|Domain
Routing Process "ospf 3" with ID 10.1.34.3
Domain ID type 0x0005, value 0.0.0.3
Routing Process "ospf 1" with ID 3.3.3.3
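The comparison above can be automated. The following is an added example, not part of the original post: it parses the `sh ip ospf | i Process|Domain` output shown on this page for both PEs, compares the domain IDs of the VRF processes, and reports the route code the remote CE should show. The function names are hypothetical, and the mapping to route codes reflects only what this post observes (mismatch gives O E2, match gives O IA, sham-link gives O).

```python
import re

# Output copied from this page (R2 before its domain-id is changed).
R2_OUTPUT = '''Routing Process "ospf 1" with ID 2.2.2.2
Routing Process "ospf 2" with ID 10.1.12.2
Domain ID type 0x0005, value 0.0.0.2'''
R3_OUTPUT = '''Routing Process "ospf 3" with ID 10.1.34.3
Domain ID type 0x0005, value 0.0.0.3
Routing Process "ospf 1" with ID 3.3.3.3'''

PROC_RE = re.compile(r'Routing Process "ospf (\d+)" with ID (\S+)')
DOMAIN_RE = re.compile(r'Domain ID type (0x[0-9A-Fa-f]+), value (\S+)')

def parse_domain_ids(text):
    """Map OSPF process id -> (type, value). Only VRF processes print a Domain ID line."""
    domains, current = {}, None
    for line in text.splitlines():
        if m := PROC_RE.search(line):
            current = int(m.group(1))          # the Domain ID line belongs to this process
        elif (m := DOMAIN_RE.search(line)) and current is not None:
            domains[current] = (m.group(1).lower(), m.group(2))
    return domains

def expected_remote_route(local, remote, sham_link=False):
    """Route code a CE shows for a remote intra-area prefix, as observed in this post."""
    if sham_link:
        return "O"                             # sham-link: domain ID no longer matters
    return "O IA" if local == remote else "O E2"

def audit(pe_a_text, pid_a, pe_b_text, pid_b, sham_link=False):
    """Compare the domain IDs of two PE VRF processes and predict the CE's view."""
    a = parse_domain_ids(pe_a_text)[pid_a]
    b = parse_domain_ids(pe_b_text)[pid_b]
    return {"match": a == b, "a": a, "b": b,
            "expect": expected_remote_route(a, b, sham_link)}

if __name__ == "__main__":
    print(audit(R2_OUTPUT, 2, R3_OUTPUT, 3))
    fixed = R2_OUTPUT.replace("value 0.0.0.2", "value 0.0.0.3")
    print(audit(fixed, 2, R3_OUTPUT, 3))
```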
So if we want the routes not to appear as external, all we need to do is make both sides agree on the domain id:
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router ospf 2
R2(config-router)#domain-id 0.0.0.3
R2(config-router)#end
*Mar 1 22:11:44.698: %SYS-5-CONFIG_I: Configured from console by console
R2#clear ip ospf proc
Reset ALL OSPF processes? [no]: yes
*Mar 1 22:11:59.690: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar 1 22:11:59.726: %OSPF-5-ADJCHG: Process 2, Nbr 1.1.1.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar 1 22:11:59.778: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/1 from LOADING to FULL, Loading Done
*Mar 1 22:11:59.782: %OSPF-5-ADJCHG: Process 2, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
R2#sh ip ospf | i Process|Domain
Routing Process "ospf 1" with ID 2.2.2.2
Routing Process "ospf 2" with ID 10.1.12.2
Domain ID type 0x0005, value 0.0.0.3
R1>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
4.0.0.0/32 is subnetted, 1 subnets
O IA 4.4.4.4 [110/3] via 10.1.12.2, 00:00:40, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.12.0 is directly connected, FastEthernet0/0
O IA 10.1.34.0 [110/2] via 10.1.12.2, 00:00:40, FastEthernet0/0
R4>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O IA 1.1.1.1 [110/3] via 10.1.34.3, 00:00:40, FastEthernet0/0
4.0.0.0/32 is subnetted, 1 subnets
C 4.4.4.4 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 2 subnets
O IA 10.1.12.0 [110/2] via 10.1.34.3, 00:00:40, FastEthernet0/0
C 10.1.34.0 is directly connected, FastEthernet0/0
Well, these routes no longer appear as external (Type 5s) but are showing up as inter-area (Type 3s), which is closer but not what we wanted.
The way that this can be fixed so that the routes appear as intra-area (Type 1s) is to use sham-links. A sham-link is a construct that is somewhat similar to a virtual-link in that it is a tunnel over the backbone area (the MPLS network super backbone in this case), but it can be used for more than just OSPF area 0. How do we make this work?
Firstly, we need to add a loopback on each PE that is associated with the CE's VRF and advertise it into MP-BGP:
R2(config-if)#int lo23
R2(config-if)#ip vrf forwarding A
R2(config-if)#ip add 23.23.23.2 255.255.255.255
R2(config-if)#router bgp 23
R2(config-router)#address-family ipv4 vrf A
R2(config-router-af)#network 23.23.23.2 mask 255.255.255.255
R3(config-if)#int lo23
R3(config-if)#ip vrf forwarding A
R3(config-if)#ip add 23.23.23.3 255.255.255.255
R3(config-if)#router bgp 23
R3(config-router)#address-family ipv4 vrf A
R3(config-router-af)#network 23.23.23.3 mask 255.255.255.255
Then within the OSPF process for the VRF we configure the sham-link
R2(config-router-af)#router ospf 2
R2(config-router)#area 1 sham-link 23.23.23.2 23.23.23.3
R3(config-router-af)#router ospf 3
R3(config-router)#area 1 sham-link 23.23.23.3 23.23.23.2
Resulting in
*Mar 1 22:24:17.802: %OSPF-5-ADJCHG: Process 3, Nbr 10.1.12.2 on OSPF_SL1 from LOADING to FULL, Loading Done
R2#sh ip ospf sham-links
Sham Link OSPF_SL1 to address 23.23.23.3 is up
Area 1 source address 23.23.23.2
Run as demand circuit
DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
Hello due in 00:00:09
Adjacency State FULL (Hello suppressed)
Index 2/2, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
R1>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/4] via 10.1.12.2, 00:00:39, FastEthernet0/0
23.0.0.0/32 is subnetted, 2 subnets
O E2 23.23.23.3 [110/1] via 10.1.12.2, 00:02:55, FastEthernet0/0
O E2 23.23.23.2 [110/1] via 10.1.12.2, 00:03:54, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.12.0 is directly connected, FastEthernet0/0
O 10.1.34.0 [110/3] via 10.1.12.2, 00:00:39, FastEthernet0/0
R4>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/4] via 10.1.34.3, 00:00:49, FastEthernet0/0
4.0.0.0/32 is subnetted, 1 subnets
C 4.4.4.4 is directly connected, Loopback0
23.0.0.0/32 is subnetted, 2 subnets
O E2 23.23.23.3 [110/1] via 10.1.34.3, 00:03:06, FastEthernet0/0
O E2 23.23.23.2 [110/1] via 10.1.34.3, 00:04:01, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
O 10.1.12.0 [110/3] via 10.1.34.3, 00:00:49, FastEthernet0/0
C 10.1.34.0 is directly connected, FastEthernet0/0
As we can see, R1 and R2 now see the routes as intra-area (Type 1). As an extra clean-up we may want to get rid of the routes for the sham-link loopbacks, which can be done by controlling the redistribution from MP-BGP into OSPF:
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 23 deny 23.23.23.0 0.0.0.255
R2(config)#access-list 23 permit any
R2(config)#route-map BGP2OSPF
R2(config-route-map)#match ip address 23
R2(config-route-map)#router ospf 2
R2(config-router)#default domain-id
R2(config-router)#redistribute bgp 23 subnets route-map BGP2OSPF
R2(config-router)#do clear ip ospf proc
Reset ALL OSPF processes? [no]: yes
R2(config-router)#do sh ip ospf | i Process|Domain
Routing Process "ospf 1" with ID 2.2.2.2
Routing Process "ospf 2" with ID 10.1.12.2
Domain ID type 0x0005, value 0.0.0.2
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#access-list 23 deny 23.23.23.0 0.0.0.255
R3(config)#access-list 23 permit any
R3(config)#route-map BGP2OSPF
R3(config-route-map)#match ip address 23
R3(config-route-map)#router ospf 3
R3(config-router)#redistribute bgp 23 subnets route-map BGP2OSPF
R3(config-router)#do sh ip ospf | i Process|Domain
Routing Process "ospf 3" with ID 10.1.34.3
Domain ID type 0x0005, value 0.0.0.3
Routing Process "ospf 1" with ID 3.3.3.3
I reset the domain-id to the default on R2 just to show that for Sham-links the domain id doesn't matter
R1>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/4] via 10.1.12.2, 00:02:00, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.12.0 is directly connected, FastEthernet0/0
O 10.1.34.0 [110/3] via 10.1.12.2, 00:02:00, FastEthernet0/0
R4>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/4] via 10.1.34.3, 00:01:54, FastEthernet0/0
4.0.0.0/32 is subnetted, 1 subnets
C 4.4.4.4 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 2 subnets
O 10.1.12.0 [110/3] via 10.1.34.3, 00:01:54, FastEthernet0/0
C 10.1.34.0 is directly connected, FastEthernet0/0
So why would we even care about this? There could be a backup link that bypasses the MPLS network between R1 and R2. If OSPF was running on that link as well, the path via the MPLS network would not be used regardless of the link metric, because intra-area routes are preferred over inter-area routes, which are preferred over external routes. Once a sham-link makes the MPLS path intra-area too, cost decides between the two paths, so the backdoor link may require its OSPF cost to be increased to ensure that it is used only if the MPLS link is down.
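The preference order described above can be modelled in a few lines. This is an added example, not part of the original post: it takes R1's route to 4.4.4.4 over the MPLS VPN at each stage of the post (route codes and metrics from the `sh ip route` output above) and compares it with a hypothetical intra-area backdoor path whose cost is a constructed value.

```python
from collections import namedtuple

# OSPF compares path type before cost: intra-area, then inter-area, then external.
TYPE_RANK = {"O": 0, "O IA": 1, "O E2": 2}

# via:  label for the path (not a real next hop)
# code: route code as printed by "sh ip route"
# cost: OSPF metric, the second number in [110/x]
Path = namedtuple("Path", "via code cost")

# R1's route to 4.4.4.4 via the MPLS VPN at each stage of the post.
MPLS_STAGES = {
    "domain-id mismatch": Path("mpls", "O E2", 2),
    "domain-id match": Path("mpls", "O IA", 3),
    "sham-link": Path("mpls", "O", 4),
}

def best_path(paths):
    """Pick the path OSPF installs: best path type first, then lowest cost."""
    return min(paths, key=lambda p: (TYPE_RANK[p.code], p.cost))

def winners(backdoor_cost):
    """Winning path per stage when an intra-area backdoor path also exists."""
    # Hypothetical backdoor path; backdoor_cost is its total metric to 4.4.4.4.
    backdoor = Path("backdoor", "O", backdoor_cost)
    return {stage: best_path([mpls, backdoor]).via
            for stage, mpls in MPLS_STAGES.items()}

if __name__ == "__main__":
    for cost in (2, 1000):
        print(cost, winners(cost))
```

Without the sham-link the backdoor wins even at cost 1000; with the sham-link it wins only while its cost stays below the MPLS path's metric of 4, which is why the cost has to be raised.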
great!