Troubleshoot #4 (OSPF Inter-AS)
Load vpnv4.inter-as.tshoot4.init.cfg. On R2, you may need to replace with blank.cfg first.
The PE-CE protocol for both VPNs is OSPF. Currently there is no reachability between sites located in opposite ASs. Explain the issue and find a way to fix it.
By default, when running OSPF in a VRF on a CE device, the OSPF process will not install any routes learned from LSAs with the down bit set. This is a loop prevention mechanism. The assumption is that if the device is running OSPF in a VRF, then it must be a PE, in which case it should reject OSPF routes that came from the MPLS core so that they have no chance of being redistributed back into BGP.
However, in option A, the ASBRs essentially act as CE devices. So we need to disable this check to allow the ASBRs to install the OSPF routes into the VRF RIB.
On R1 we can see that LSAs injected by XR1 have the down bit set. This indicates that the route was redistributed from BGP VPNv4/6 into OSPF, so any other PEs that learn this LSA should not redistribute these routes back into BGP.
Due to this, the router will not install 10.10.10.10/32 into the VRF RIB. However, if there were any other downstream OSPF neighbors in this VRF on R1 which did not run OSPF in a VRF, those routers could actually install the 10.10.10.10/32 route. This is because the LSAs must be flooded throughout the area, and those other routers wouldn’t care about the down bit. However, traffic would be blackholed at R1. You can essentially think of this feature as a distribute-list filter, which filters LSAs with the down bit from being entered into the VRF RIB locally.
We turn off this check using capability vrf-lite. This command is meant for routers that are running VRF lite (using VRF functionality simply for separation of routing tables, without using MPLS VPNv4/v6).
The LSA from XR1 is unchanged, but R1 no longer filters the routes from the VRF RIB.
Interestingly, this is enough to get traffic to work. Since R1 is no longer a “PE”, it is redistributing BGP routes into OSPF as external without the down bit set now. Notice below that the down bit is not set. The route tag encodes AS 100, which also passes XR1’s check (because it is in BGP ASN 200 not 100).
So now XR1 can install this in the RIB.
Traffic is working end-to-end:
Notice that on the AS100 side, the routes are showing up as O IA. This is because XR1 is still a “true” PE, and is redistributing the AS200 routes as inter-area. R1, even though it is running capability vrf-lite, still encodes the OSPF domain ID and route-type into the BGPv4 route. This allows R2 to redistribute the routes as inter-area to the CEs.
On the AS200 side, R1 is now redistributing routes into OSPF as E2, because it is not a “true” PE. It acts more like a CE when redistributing from BGP into OSPF. So AS200 must keep these as external, even though the domain ID technically matches (which is null by default on IOS-XR).
Even though it is not required, we should tell XR1 to ignore the down bit as well. AS200 doesn’t want to rely on AS100 setting capability vrf-lite on their side. On XR1, if we set capability vrf-lite, we break reachability. This is because on IOS-XE, external OSPF routes are not redistributed into BGP by default. XR1 now has the same behavior as R1 - it redistributes the routes as external instead of inter-area. Instead of fixing this on R1, let’s use a different method, which simply tells XR1 to continue to act as a true PE but ignore the down bit on LSAs.
At this point nothing has changed, because R1 is not setting the down bit anyway. XR1 is still redistributing routes as inter-area. However, if we remove capability vrf-lite on R1, XR1 will now ignore the down bit and still install these routes in its VRF RIB.
R1 now redistributes routes as inter-area again, and sets the down bit.
XR1 ignores the down bit, and the CEs in AS200 will see the route as inter-area.
IOS-XE only has one knob: capability vrf-lite. This causes the router to ignore the down bit, but also ignore the OSPF domain ID/route type when redistributing BGP VPNv4 routes into OSPF. All routes become E2 routes.
On IOS-XR, we have two knobs: capability vrf-lite and disable-dn-bit-check. The capability vrf-lite knob acts like IOS-XE. BGP routes are always redistributed into OSPF as E2. However, the disable-dn-bit-check knob retains the inter-area redistribution functionality (when domain ID matches and route-type is intra/inter-area), but still allows the router to install LSAs with the DN bit set into the VRF RIB.
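Where the knobs described above sit in the configuration, as an added example that is not taken from the lab's own configs. The OSPF process ID 1 and the VRF name VPN_A are placeholders; substitute the values used in the lab.

```text
! ---- IOS-XE ASBR (R1 in this lab) ----
! Only one knob is available. With it set, the router:
!   - installs routes from LSAs with the DN bit set into the VRF RIB
!   - ignores the domain ID / route type when redistributing
!     BGP VPNv4 routes into OSPF, so all of them become E2
!   - does not set the DN bit on the routes it redistributes
router ospf 1 vrf VPN_A
 capability vrf-lite
!
! ---- IOS-XR ASBR (XR1 in this lab) ----
! Knob 1: keep acting as a true PE (inter-area redistribution when
! the domain ID matches and the route type is intra/inter-area),
! but install routes from LSAs with the DN bit set into the VRF RIB.
router ospf 1
 vrf VPN_A
  disable-dn-bit-check
 !
!
! Knob 2 (alternative): same behavior as IOS-XE capability vrf-lite,
! BGP routes are always redistributed into OSPF as E2.
router ospf 1
 vrf VPN_A
  capability vrf-lite
 !
!
```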