Wednesday, January 11, 2017

CCIE SPv4 - MPLS L3 VPN - OSPFv2 and OSPFv3 PE-CE Routing

Software versions:
IOS XE 15.5
IOS XR 5.3

The topology for this demo:
In this post we will implement OSPFv2 and OSPFv3 as the PE-to-CE routing protocol. There are several caveats when rolling out OSPF in this type of deployment, and it is not advisable in a production environment. OSPF has some unique challenges when deployed the way we will be rolling it out. We will be leveraging the "Multi VRF CE" design, where our connection to the provider is in a VRF. We'll focus on setting up the PEs and the CEs first.


R1
router ospf 110 vrf OSPF
 redistribute bgp 50693 subnets
 network 131.0.0.0 0.0.0.255 area 0
!
router ospfv3 110
 !
 address-family ipv6 unicast vrf OSPF
  redistribute bgp 50693
!
interface GigabitEthernet1.1110
 encapsulation dot1Q 1110
 vrf forwarding OSPF
 ip address 131.0.0.1 255.255.255.0
 ipv6 address 2131:CC1E::1/64
 ospfv3 110 ipv6 area 0
!
router bgp 50693
 address-family ipv4 vrf OSPF
  redistribute ospf 110
 exit-address-family
 !
 address-family ipv6 vrf OSPF
  redistribute ospf 110 include-connected
 exit-address-family

R13
router ospfv3 110
 !
 address-family ipv6 unicast vrf OSPF
 exit-address-family
router ospf 110 vrf OSPF
 network 131.0.0.0 0.0.0.255 area 0
!
interface GigabitEthernet1.1110
 encapsulation dot1Q 1110
 vrf forwarding OSPF
 ip address 131.0.0.13 255.255.255.0
 ipv6 address 2131:CC1E::13/64
 ospfv3 110 ipv6 area 0


XR3
router ospf 110
 vrf OSPF
  redistribute bgp 50693
  area 0
   interface GigabitEthernet0/0/0/0.1110
!
router ospfv3 110
 redistribute bgp 50693
 area 0
 !
 vrf OSPF
  redistribute bgp 50693
  area 0
   interface GigabitEthernet0/0/0/0.1110
!
router bgp 50693
 vrf OSPF
  rd 110:50693
  address-family ipv4 unicast
   redistribute ospf 110
  !
  address-family ipv6 unicast
   redistribute ospfv3 110


R14
router ospfv3 110
 !
 address-family ipv6 unicast
 exit-address-family
 !
 address-family ipv6 unicast vrf OSPF
 exit-address-family
router ospf 110 vrf OSPF
 network 113.0.0.0 0.0.0.255 area 0
!
interface GigabitEthernet1.1110
 encapsulation dot1Q 1311
 vrf forwarding OSPF
 ip address 113.0.0.14 255.255.255.0
 ipv6 address 2113:CC1E::14/64
 ospfv3 110 ipv6 area 0


Now that we have our configuration in place, we need to verify the configuration.

R13#sh ip ospf 110 neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
131.0.0.1         1   FULL/DR         00:00:34    131.0.0.1       GigabitEthernet1.1110

R13#sh ospfv3 vrf OSPF neighbor

          OSPFv3 110 address-family ipv6 vrf OSPF (router-id 110.110.110.13)

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
131.0.0.1         1   FULL/DR         00:00:39    20              GigabitEthernet1.1110

As you can see our peerings to the PE are up and operational. Let's take a look at the VRF aware RIB to see what we have reachability to.

R13#sh ip route vrf OSPF | b Gateway
Gateway of last resort is not set

      110.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        110.110.110.0/24 is directly connected, Loopback110
L        110.110.110.13/32 is directly connected, Loopback110
      131.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        131.0.0.0/24 is directly connected, GigabitEthernet1.1110
L        131.0.0.13/32 is directly connected, GigabitEthernet1.1110


We haven't learned any routes, and there is a reason why this is happening. I've added an interface into the global RIB on R13 to show a scenario where the CE interface is not in a VRF.

interface GigabitEthernet1.10
 encapsulation dot1Q 11
 ip address 11.0.0.13 255.255.255.0
 ipv6 address 2001:11::13/64
 ospfv3 110 ipv6 area 0
!
router ospf 1
 network 11.0.0.0 0.0.0.255 area 0

R13#sh ip route ospf | b Gateway
Gateway of last resort is not set

      83.0.0.0/24 is subnetted, 1 subnets
O IA     83.0.0.0 [110/2] via 11.0.0.1, 00:02:56, GigabitEthernet1.10
      110.0.0.0/32 is subnetted, 3 subnets
O IA     110.110.110.8 [110/3] via 11.0.0.1, 00:02:56, GigabitEthernet1.10
O        110.110.110.13 [110/3] via 11.0.0.1, 00:02:56, GigabitEthernet1.10
O E2     110.110.110.14 [110/2] via 11.0.0.1, 00:02:56, GigabitEthernet1.10
      113.0.0.0/24 is subnetted, 1 subnets
O E2     113.0.0.0 [110/1] via 11.0.0.1, 00:02:56, GigabitEthernet1.10

As you can see we've learned routes from our other CE routers and have installed them in the RIB. 

Now to identify the issue with the CE VRF configuration.

R13#sh ip ospf database summary adv-router 131.0.0.1
OSPF Router with ID (131.0.0.13) (Process ID 110)

                Summary Net Link States (Area 0)

  LS age: 749
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 83.0.0.0 (summary Network Number)
  Advertising Router: 131.0.0.1
  LS Seq Number: 80000091
  Checksum: 0xA49
  Length: 28
  Network Mask: /24
        MTID: 0         Metric: 1

  LS age: 749
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 110.110.110.8 (summary Network Number)
  Advertising Router: 131.0.0.1
  LS Seq Number: 8000008D
  Checksum: 0x7FD6
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 2

The key piece to zero in on here is the "Downward" bit set by R1 (131.0.0.1), which is the advertising router and the PE. The PE sets the downward (DN) bit to prevent the route from being propagated inside the customer network and then readvertised back to the provider. The drawback is that the route is in the LSDB, but because the DN bit is set, SPF can't be run on the LSA and the route won't be installed in the RIB. There is a simple fix for this, applicable to both OSPFv2 and OSPFv3 and configured on the CE: "capability vrf-lite" disables the DN bit check, lets SPF run on those LSAs and installs the routes in the RIB. The DN bit is set on Type 3, 5 and 7 LSAs when BGP routes are redistributed into OSPF.

R13#debug ip ospf spf
R13#debug ip ospf rib local
R13#debug ip ospf rib global

R14#sh ip ospf 110 | in VPN
 Connected to MPLS VPN Superbackbone, VRF OSPF

This means that R14 is connected to the MPLS backbone via OSPF, where the MPLS backbone is acting as a superior Area 0 and the CEs take on an ABR-style role as the connection into the MPLS backbone. You will see on R13 that the non-VRF OSPF process has no such connection. According to the Cisco docs, the MPLS superbackbone is only applicable in Multi VRF CE.

R13#sh ip ospf 1 | in VPN
#no output. 

These debugs will let you see the SPF run get kicked off and the RIB get the best routes installed. I'll now configure "capability vrf-lite" on R13 for both OSPFv2 and OSPFv3.

router ospfv3 110
 address-family ipv6 unicast vrf OSPF
  capability vrf-lite
 exit-address-family
router ospf 110 vrf OSPF
 capability vrf-lite

R13#sh ip ospf database summary adv-router 131.0.0.1
OSPF Router with ID (131.0.0.13) (Process ID 110)

                Summary Net Link States (Area 0)

  LS age: 1437
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 83.0.0.0 (summary Network Number)
  Advertising Router: 131.0.0.1
  LS Seq Number: 80000091
  Checksum: 0xA49
  Length: 28
  Network Mask: /24
        MTID: 0         Metric: 1

  LS age: 1437
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 110.110.110.8 (summary Network Number)
  Advertising Router: 131.0.0.1
  LS Seq Number: 8000008D
  Checksum: 0x7FD6
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 2

As you can see, the downward bit is still showing up; it doesn't actually "go away". The check for it is simply disabled, allowing SPF to be run and those routes to get installed in the RIB.
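
The DN-bit behaviour described above, as an added example (not part of the original post): a small parser for "show ip ospf database summary" output that reports which LSAs a CE's SPF run may use. The second sample LSA (10.99.0.0/16), the function names and the in_vrf/vrf_lite flags are assumptions made for illustration.

```python
import re

# Constructed sample: first LSA trimmed from the R13 output above, second
# (10.99.0.0/16, no DN bit) invented here for contrast.
SAMPLE = """\
  LS age: 749
  Options: (No TOS-capability, DC, Downward)
  Link State ID: 83.0.0.0 (summary Network Number)
  Advertising Router: 131.0.0.1
  Network Mask: /24

  LS age: 12
  Options: (No TOS-capability, DC)
  Link State ID: 10.99.0.0 (summary Network Number)
  Advertising Router: 131.0.0.1
  Network Mask: /16
"""

FIELD = re.compile(r"^\s*(LS age|Options|Link State ID|Advertising Router"
                   r"|Network Mask):\s*(.+?)\s*$")

def parse_lsas(text):
    """One dict per LSA; each 'LS age' line starts a new LSA."""
    lsas = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        if m.group(1) == "LS age":
            lsas.append({})
        if lsas:
            lsas[-1][m.group(1)] = m.group(2)
    return lsas

def dn_set(lsa):
    """True when the Options line lists the Downward (DN) bit."""
    opts = lsa.get("Options", "").strip("()").split(",")
    return "Downward" in (o.strip() for o in opts)

def spf_usable(lsa, in_vrf, vrf_lite):
    """Simplified model (assumption): only a VRF-bound process without
    'capability vrf-lite' ignores DN-marked LSAs."""
    return not (dn_set(lsa) and in_vrf and not vrf_lite)

def report(text, in_vrf, vrf_lite):
    """Map prefix -> whether SPF may use the LSA on this CE."""
    return {l["Link State ID"].split()[0] + l["Network Mask"]:
            spf_usable(l, in_vrf, vrf_lite) for l in parse_lsas(text)}
```

With in_vrf=True and vrf_lite=False only the DN-marked 83.0.0.0/24 is rejected. Because enabling vrf-lite changes the check and not the bit, the loop protection the DN bit provides no longer applies on that CE.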

R13# sh ip route vrf OSPF ospf | b Gateway
Gateway of last resort is not set

      11.0.0.0/24 is subnetted, 1 subnets
O        11.0.0.0 [110/2] via 131.0.0.1, 00:07:03, GigabitEthernet1.1110
      83.0.0.0/24 is subnetted, 1 subnets
O IA     83.0.0.0 [110/2] via 131.0.0.1, 00:07:03, GigabitEthernet1.1110
      110.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O IA     110.110.110.8/32
           [110/3] via 131.0.0.1, 00:07:03, GigabitEthernet1.1110
O E2     110.110.110.14/32
           [110/2] via 131.0.0.1, 00:07:03, GigabitEthernet1.1110
      113.0.0.0/24 is subnetted, 1 subnets
O E2     113.0.0.0 [110/1] via 131.0.0.1, 00:07:03, GigabitEthernet1.1110

Now we have routes installed in the RIB. I'll now go ahead and do some ping/traces from R13. You'll notice that some of the OSPF routes are O IA and some are O E2. Our configuration on all the PEs requires us to redistribute OSPF and BGP bidirectionally. The IOS XE PEs are R3, R6 and R1; the CEs attached to them see anything advertised from those PEs as inter-area (O IA). IOS XR advertises routes as O E2.

Let's go ahead and verify the reachability. 

R13#ping vrf OSPF 110.110.110.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 110.110.110.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/7 ms

R8#traceroute vrf OSPF 110.110.110.14 source 110.110.110.8 num
Type escape sequence to abort.
Tracing the route to 110.110.110.14
VRF info: (vrf in name/id, vrf out name/id)
  1 83.0.0.3 3 msec 1 msec 1 msec
  2 10.3.4.4 [MPLS: Labels 20/24012 Exp 0] 12 msec 5 msec 8 msec
  3 10.4.5.5 [MPLS: Labels 20/24012 Exp 0] 14 msec 20 msec 29 msec
  4 10.5.6.6 [MPLS: Labels 20/24012 Exp 0] 24 msec 13 msec 19 msec
  5 10.2.6.2 [MPLS: Labels 17/24012 Exp 0] 21 msec 31 msec 32 msec
  6 10.13.2.13 [MPLS: Label 24012 Exp 0] 23 msec 9 msec 8 msec
  7 113.0.0.14 7 msec *  8 msec


As you can see, both ping and traces are functioning. 

Thanks for stopping by!
Rob Riker, CCIE #50693



