CCIE R&S Advanced Technologies Class v4.5 - MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prevention & Down-Bit, OSPF Capability VRF-Lite

Transcript

1	Introduction	0h 43m
2	Using the Cisco Documentation	0h 52m
3	Ethernet Overview, Layer 2 Switchports, Trunking, ISL, 802.1q, DTP	0h 47m
4	VTP, VTP Authentication, VTP Pruning	1h 02m
5	VTP Prune Eligible List, VTP Transparent, VTP Troubleshooting, Trunk Allowed List, Extended VLANs	0h 48m
6	VLAN and VTP Review	0h 19m
7	SVIs, Native Routed Interfaces, Router-on-a-Stick	0h 46m
8	Layer 2 EtherChannel, EtherChannel Load Balancing, Layer 3 EtherChannel	0h 57m
9	802.1q Tunneling, Layer 2 Protocol Tunneling, EtherChannel over 802.1q Tunneling	1h 03m
10	STP Root Bridge Election, STP Root Port Election, STP Designated Port Election, STP Priority, STP Cost, STP Port-Priority	1h 06m
11	STP Review	0h 12m
12	STP Timers, STP PortFast	0h 34m
13	STP UplinkFast	0h 11m
14	STP BackboneFast	0h 12m
15	STP BPDU Filter	0h 13m
16	STP BPDU Guard	0h 11m
17	STP Root Guard	0h 11m
18	STP Loop Guard, Unidirectional Link Detection (UDLD)	0h 11m
19	Multiple Spanning-Tree Protocol (MST)	0h 40m
20	Rapid Spanning-Tree Protocol (RSTP), Rapid-PVST	0h 18m
21	MST with Multiple Regions	0h 33m
22	Flex Links	0h 16m
23	Frame Relay	0h 39m
24	Frame Relay Configuration Part 1	0h 34m
25	Frame Relay Configuration Part 2	0h 41m
26	Frame Relay Switching	0h 27m
27	Back-to-Back Frame Relay	0h 08m
28	Frame-Relay End-to-End Keepalives	0h 18m
29	PPP, PPP PAP Authentication, PPP CHAP Authentication	0h 59m
30	PPPoFR, PPPoE	0h 40m
31	Transparent Bridging, IRB	0h 32m
32	Fallback Bridging	0h 14m
33	IP Routing Overview, Switching Paths, Static Routing	0h 42m
34	Static Routing Examples	0h 25m
35	IP Default-Gateway, IP Default-Network	0h 14m
36	On-Demand Routing (ODR)	0h 07m
37	Floating Static Routes	0h 10m
38	Backup Interface	0h 29m
39	Enhanced Object Tracking, IP SLA, Reliable Static Routing	0h 21m
40	Policy Routing	0h 43m
41	GRE Tunneling, GRE Recursive Routing Errors	0h 27m
42	Reliable Backup Interface with GRE	0h 25m
43	RIP Overview, RIP Versions, RIP Auto-Summary	0h 48m
44	RIP Split-Horizon, RIP Timers	0h 22m
45	RIP Broadcast Updates, IP Directed Broadcast, IP Broadcast-Address, Smurf Attacks, Fraggle Attacks	0h 16m
46	RIP Unicast Updates	0h 03m
47	RIP Offset-List	0h 18m
48	RIP Authentication	0h 11m
49	RIP Summarization	0h 10m
50	Prefix-Lists, RIP Distribute-List Filtering, RIP Administrative Distance Filtering	0h 48m
51	RIP Default Routing, RIP Conditional Default Routing	0h 18m
52	RIP Triggered, RIP Validate Update Source,	0h 12m
53	EIGRP Overview	0h 29m
54	EIGRP Auto-Summary	0h 07m
55	EIGRP Split-Horizon	0h 11m
56	EIGRP Update Types, EIGRP Neighbor, EIGRP Passive-Interface	0h 24m
57	EIGRP Hello-Interval, EIGRP Hold-Time	0h 05m
58	EIGRP Authentication	0h 11m
59	EIGRP Time Based Authentication	0h 25m
60	EIGRP Path Selection, EIGRP Metric Weights, EIGRP Traffic Engineering	0h 47m
61	EIGRP Unequal Cost Load Balancing, EIGRP Variance	0h 19m
62	EIGRP QUERY, EIGRP Summarization, EIGRP Leak-Map	0h 28m
63	EIGRP Stub Router Advertisement	0h 22m
64	EIGRP Default Routing	0h 13m
65	EIGRP Route Filtering	0h 11m
66	EIGRP Router-ID	0h 07m
67	Miscellaneous EIGRP Features	0h 02m
68	OSPF Overview	0h 27m
69	Establishing OSPF Adjacencies, Understanding the OSPF Database	0h 43m
70	OSPF Network Type Broadcast, OSPF DR/BDR Election, OSPF over NBMA, OSPF Network Type Non-Broadcast and Point-to-Multipoint	0h 56m
71	OSPF Network Type Point-to-Point, OSPF Network Type Mismatch	0h 13m
72	OSPF Network Type Point-to-Multipoint Non-Broadcast, OSPF Per Neighbor Cost	0h 17m
73	OSPF Network Type Loopback	0h 02m
74	OSPF Path Selection	0h 27m
75	OSPF Convergence Timers	0h 09m
76	OSPF Authentication	0h 12m
77	OSPF Summarization	0h 32m
78	OSPF Stub Areas, OSPF Totally Stubby Areas, OSPF NSSAs, OSPF Totally NSSAs	0h 40m
79	Controlling OSPF NSSA Redistribution	0h 02m
80	OSPF Type 7 to 5 Translator Election, OSPF LSA Type 3 Filter, OSPF Forwarding Address Suppression	0h 24m
81	Route Redistribution Overview	0h 36m
82	Route Redistribution Configuration & Verification, Connected Redistribution	0h 22m
83	OSPF External Path Selection, TCL PING Scripting	0h 33m
84	Routing Loops Overview, EIGRP Route Loop Prevention	0h 55m
85	Metric Based Routing Loops, Route Tagging	0h 46m
86	Administrative Distance Based Routing Loops, Debug IP Routing, IP Route Profile	0h 58m
87	BGP Overview, BGP Peering Types	0h 51m
88	Establishing BGP Peerings, EBGP Multihop, BGP Neighbor Disable Connected Check, BGP TTL Security	0h 49m
89	BGP 4-Byte ASNs	0h 20m
90	BGP Local AS, BGP Peer Groups	0h 30m
91	BGP Next-Hop Self, BGP Next-Hop Processing	0h 30m
92	BGP Route Reflectors	0h 37m
93	Large Scale BGP Route Reflectors with Clusters	0h 34m
94	BGP Confederation	0h 37m
95	BGP NLRI Advertisements, BGP Network Statement, BGP Redistribution	0h 43m
96	BGP Aggregation, BGP Aggregation & Summary-Only, BGP Aggregation & Unsuppress-Map	0h 46m
97	BGP Origin, BGP Aggregation & AS-Set, BGP Aggregation & Advertise-Map	0h 22m
98	BGP Conditional Route Injection	0h 21m
99	BGP Bestpath Selection, BGP Multipath, BGP Weight	0h 53m
100	BGP Local Preference, BGP Local Preference and Communities, BGP AS-Path Prepending,	0h 30m
101	BGP MED, BGP MED Missing As Worst, BGP Deterministic MED	0h 17m
102	BGP Communites, BGP Regular Expressions	0h 43m
103	BGP Filtering, BGP Convergence Timers, BGP Default Routing, Miscellaneous BGP Features	0h 24m
104	MPLS Overview, MPLS Label Distribution Protocol (LDP)	1h 05m
105	MPLS Tunnels, MPLS Penultimate Hop Popping (PHP)	0h 40m
106	MPLS Layer 3 VPNs Overview, VRF Lite	0h 36m
107	MPLS Layer 3 VPNs and VPNv4 BGP	1h 08m
108	MPLS Layer 3 VPN Verification & Troubleshooting	0h 49m
109	MPLS Layer 3 VPN OSPF PE-CE Routing Overview	0h 06m
110	MPLS Layer 3 VPN OSPF PE-CE Routing Path Selection & Sham-Links	2h 01m
111	MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prevention & Down-Bit, OSPF Capability VRF-Lite	0h 40m
112	IPv6 Overview, IPv6 ICMPv6 ND, IPv6 over NBMA	0h 44m
113	IPv6 Routing Overview, IPv6 Static Routing	0h 28m
114	IPv6 RIPng	0h 20m
115	IPv6 EIGRPv6	0h 09m
116	IPv6 OSPFv3	0h 31m
117	MP-BGP for IPv6	0h 26m
118	IPv6 Tunneling	1h 13m
119	Multicast Overview, IGMP	0h 34m
120	PIM Overview	0h 18m
121	PIM Dense Mode	1h 03m
122	PIM Sparse Mode	0h 30m
123	PIM Sparse Mode Configuration	0h 36m
124	PIM Sparse Mode RPF & RP Troubleshooting	0h 27m
125	Auto-RP, Multicast over GRE Tunnels	0h 53m
126	Bootstrap Router (BSR), Bidirectional PIM, Source Specific Multicast (SSM)	0h 40m
127	MSDP, Anycast RP	0h 27m
128	IPv6 Multicast Routing	0h 24m
129	QoS Overview, IntServ QoS, DiffServ QoS, IP Precedence, DSCP, MQC, HQF	0h 41m
130	MQC Classification	0h 44m
131	FIFO, FQ, WFQ, CBWFQ, HQF	0h 50m
132	LLQ	0h 23m
133	WRED	0h 31m
134	Traffic Shaping, Traffic Policing	0h 40m
135	Frame Relay Traffic Shaping (FRTS)	0h 33m
136	RSVP	0h 07m
137	Catalyst 3560 QoS	1h 00m
138	IOS Security Overview, Access Lists (ACLs)	0h 58m
139	Time Based ACLs, Dynamic ACLs	0h 33m
140	Reflexive ACLs	0h 21m
141	TCP Intercept, Content Based Access Control (CBAC)	0h 34m
142	Zone Based Policy Firewall (ZBPF)	1h 09m
143	AAA, Local Authentication, Local Authorization, Role Based CLI Access	0h 43m
144	Port Security, Static CAM Entries, Storm Control, 802.1X Authentication, PACLs, RACLs, VLAN Access Maps (VACLs)	0h 48m
145	DHCP Snooping, Dynamic ARP Inspection (DAI), IP Source Guard	0h 12m
146	Protected Ports, Private VLANs	0h 25m
147	IP Services Overview, HSRP	1h 10m
148	VRRP, GLBP	0h 28m
149	NAT	0h 42m
150	DHCP, DNS	0h 30m
151	NetFlow	0h 09m
152	WCCP, Miscellaneous IP Services	0h 06m
153	System Management Overview, NTP, NTP Authentication	0h 24m
154	SNMP, RMON	0h 38m
155	Syslog, Telnet, SSH, Banners	0h 21m
156	EEM Scripting, Miscellaneous System Management	0h 26m
Total Duration		81h 02m

Slides - Diagrams

Slides - Introduction

Slides - Ethernet Switching

Slides - Advanced Ethernet Switching

Slides - Frame Relay

Slides - PPP

Slides - Transport Bridging

Slides - Redistribution

Slides - IOS Security

Slides - Layer 2 Security

Slides - IP Services

Slides - System Management

0:00:13	In our final section here for OSPF is the PE to CE routing protocol.
0:00:17	I want to spend a couple minutes talking about the
0:00:20	loop prevention mechanisms for OSPF that have changed
0:00:23	and how that can potentially affect our design and the configuration
0:00:27	on the customer side.
0:00:30	Now if we reference the RFC that is related to OSPF as the
0:00:34	PE to CE routing protocol, again this is number 4577
0:00:38	OSPF as the provider/customer edge protocol for BGP/MPLS
0:00:42	IP virtual private networks, so it's talking about for Layer 3 VPN
0:00:46	There's a specific section in here that defines the loop prevention that
0:00:51	now changes for OSPF
0:00:55	so if we look at the specifics of this
0:01:05	Section 4.2.5
0:01:08	it says when a type 3 LSA is send from a PE router to a
0:01:13	CE router, the DN bit or the Down Bit in the LSA options
0:01:17	field must be set. This is used to ensure that if any CE router
0:01:21	sends this type 3 LSA to a PE router, the PE router will
0:01:24	not redistribute it further.
0:01:27	Now essentially what this means in a topology similar to
0:01:31	the one that we have here if that when Router 6 learns
0:01:35	a route in from BGP and redistributes this into OSPF
0:01:43	if the route is generated as a type 3 LSA which means it would be
0:01:48	an inter area route, then this route is going to get a tag
0:01:52	in the LSA 3 that is known as the down bit.
0:01:56	If Switch 1 were to advertise this to Switch 2
0:01:59	Switch 2 to advertise it to Router 5, when the PE
0:02:04	receives the route back in via OSPF, if it already
0:02:08	has the down bit set, it would know not to redistribute this
0:02:12	from OSPF back into BGP.
0:02:17	Now the case where this would be significant
0:02:19	is any time that you have one customer site that is dual
0:02:22	homed and some other remote customer site that they are trying
0:02:27	to reach, so let's say now no Router 4
0:02:32	this VRF A here, let's say that this is part of VRF C
0:02:37	so Switch 4 is trying to reach both Switch 1 and Switch 2
0:02:42	This means that Switch 4's advertisements are going to go
0:02:45	to Router 4, 4 sends them to 6, 6 redistributes them into OSPF.
0:02:53	Ultimately Router 5 is going to learn this back in from Switch 2
0:02:56	if 5 redistributes this back into BGP, we have the potential
0:03:01	of Router 4 choosing the BGP route from Router 5
0:03:07	as opposed to the IGP route from its own customer.
0:03:11	Now normally this wouldn't happen regardless because of the
0:03:15	administrative distance of IBGP versus IGP
0:03:19	but there are certain design cases where you could run into
0:03:21	this problem maybe if you're doing an inter-AS MPLS VPN
0:03:26	with a multihop VPN v4 peering
0:03:30	the key point is that there are potential designs where
0:03:33	a loop can occur
0:03:34	so OSPF is going to try to prevent this by default.
0:03:38	So when Router 6 redistributes BGP into OSPF
0:03:42	it's automatically going to set the down bit into type 3 LSA.
0:03:46	But again, that's only going to be the case if the route is an
0:03:50	inter area route, so if it's type 3 LSA to begin with.
0:03:55	For a type 5 LSA, it says when a PE router needs to distribute
0:04:02	a route to the CE that is coming from a site outside
0:04:07	the latter's OSPF domain, the PE router presents itself
0:04:11	as an ASBR and distributes the route into a type 5 LSA
0:04:16	The down bit must be set in these LSAs to ensure that they
0:04:18	will be ignored by other PE routers that receive them.
0:04:24	It says that there are deployed implementations that do not
0:04:27	set the down bit, but instead use the OSPF route tagging
0:04:30	to ensure that a type 5 LSA generated by a PE router will
0:04:34	be ignored by other PE routers that may receive it.
0:04:37	Ok, this is specifically talking about Cisco's implementation.
0:04:41	So the RFC basically says you can do this two different
0:04:43	ways. For the LSA type 3s, you have to do it with the down bit.
0:04:48	For the type 5 LSA, you could do it either with the down bit
0:04:52	or with a route tag.
0:04:54	Now the way that IOS does this by default
0:04:58	is that when we redistribute from BGP into OSPF
0:05:03	if we are originating a type 5 LSA, we encode the BGP
0:05:10	autonomous system number into the OSPF route tag.
0:05:17	Now if Router 5 were to receive this type 5 LSA back in via the customer
0:05:22	it would see that it is trying to redistribute this into BGP 200
0:05:27	since AS number 200 is encoded inside the route tag
0:05:31	then this route is not going to get redistributed from
0:05:34	OSPF back into BGP.
0:05:37	So it's part of the automatic loop prevention mechanism
0:05:40	regardless of whether this is a type 3 or a type 5 LSA
0:05:44	the OSPF and BGP process are going to try to prevent
0:05:46	looping of the routes being redistributed from MPLS to
0:05:51	the customer, then from the customer back to MPLS.
0:06:00	So let's take a look at this on the command line
0:06:03	between Router 5 and Router 6
0:06:07	and the first thing that I'm going to do is remove the
0:06:10	previous sham-link configuration
0:06:13	so that we are not learning routes over the MPLS network
0:06:17	as OSPF
0:06:21	so on Router 5, we're going to remove the sham-link
0:06:25	on Router 6, we'll do the same thing, so under OSPF 100
0:06:28	or OSPF 1
0:06:30	no area 0 sham-link
0:06:37	This now would mean when Router 5 and Router 6 are
0:06:39	learning routes from each other, they should
0:06:42	show up in the routing table as internal BGP
0:06:45	If we show bgp vpnv4 unicast all
0:06:52	we see that we are receiving routes in from Router 5
0:06:56	we have the route to Switch 1's loopback
0:07:01	via Router 5
0:07:04	but we also have it directly in from Switch 1
0:07:11	We have the route to Switch 2's loopback
0:07:15	it says this is being learned from Switch 1
0:07:18	it's also being learned from Router 5, but basically
0:07:20	we're routing into the customer network in order to get there.
0:07:23	So if we show ip route vrf c
0:07:28	we can see based on the fact that that backdoor link
0:07:31	is the intra area link, we're preferring to use
0:07:35	that over the inter area routes.
0:07:39	So now what I'm going to do between Switch 1 and Switch 2
0:07:42	I'm going to change this again so it's not area 0
0:07:45	we'll say that this is area 78
0:07:49	so then they would prefer to route over the MPLS network as
0:07:53	opposed to the backdoor link
0:07:57	because they would both be inter area routes.
0:08:01	So on Switch 1 under OSPF process 100
0:08:04	we'll say that the backdoor link is area 78
0:08:08	so basically anything besides area 0 here
0:08:11	then on Switch 2 under OSPF 100
0:08:18	likewise that's going to be an area 78
0:08:23	Once our new adjacency comes up here and we look
0:08:26	at the show ip route ospf, we should see that the routes
0:08:29	that are now coming from the MPLS network
0:08:31	are learned as inter area routes.
0:08:35	If we look at the show ip ospf database
0:08:40	the inter area routes are the type 3 LSAs
0:08:45	these are represented by the summary network link states
0:08:49	that are being originated by the ABRs, the ABRs in this
0:08:52	case are Router 5 and Switch 2
0:08:59	Now again, the reason why this is being advertised as a
0:09:01	type 3 LSA is that from Router 5's perspective
0:09:06	when it's receiving the update in from Router 6 via VPN v4 BGP
0:09:13	and we look at the show bgp vpnv4 unicast all
0:09:25	we see we have the route to Switch 1's loopback that's coming
0:09:28	from 6, so let's say show bgp vpnv4 unicast all 10.3.7.7
0:09:39	it says the OSPF domain ID here is 0 by 00000001
0:09:46	and if we look at the show ip ospf 1 which is our process ID
0:09:52	this value is matching with our own local domain ID.
0:10:01	So since the domain IDs match, Router 5 and Router 6
0:10:05	assume that they're part of the same OSPF process
0:10:08	which means that the MPLS network is treated like area 0
0:10:13	so Router 5 and Router 6 in this case they are ABRs
0:10:16	they are not ASBRs
0:10:18	even though they're doing the redistribution
0:10:22	in the database we're going to treat each other as if we are
0:10:24	ABRs, not ASBRs
0:10:28	so again, the end result of this is now the route shows up
0:10:31	as a type 3 LSA
0:10:33	When we look at the details of the prefix if
0:10:36	we show ip ospf database for the summary
0:10:39	10.3.7.7
0:10:43	it says that this route that was originated by Router 5
0:10:46	has the downward bit set on it.
0:10:49	This is the down or the DN bit.
0:10:54	Essentially what this means is that once the route is advertised
0:10:58	back to Router 6, if Router 6 learns this in the OSPF database
0:11:04	so if we see a summary for 10.3.7.7
0:11:14	or for 10.3.8.8
0:11:18	if this has the downward bit set, it means that we would not
0:11:23	redistribute it back into BGP.
0:11:28	So in this case, we are the originator, we are the one that is
0:11:30	redistributing it from BGP into OSPF
0:11:34	but if someone else in the network were to receive this
0:11:36	back in, they're not going to perform the redistribution again
0:11:39	because the downward bit is set.
0:11:42	So this is the normal loop prevention mechanism that we
0:11:45	would want.
0:11:48	Now the only time that this is going to be a problem in our
0:11:50	design is if devices on the customer's side of the network
0:11:55	are running the VRF aware OSPF process
0:12:01	so let's say that on Switch 1 for some reason it has multiple
0:12:06	routing tables, so Switch 1 is going to run multiple
0:12:09	VRFs, but it is not running MPLS.
0:12:13	So it's using the routing tables just to separate traffic for
0:12:16	one side of the network to the other.
0:12:19	Again, this configuration with VRFs without MPLS
0:12:22	this is considered VRF lite or multi VRF.
0:12:31	So on Switch 1, let's look at the show run include interface or ip address
0:12:46	so right now I have three interfaces that have addresses.
0:12:50	I have VLAN 67, Fast Ethernet 0/13
0:12:53	and my loopback.
0:12:56	All three of these are being advertised into OSPF area 0
0:13:02	actually Fast Ethernet 13 that's advertised into area 78 right now.
0:13:08	So let's now say that for whatever reason in the design
0:13:11	Switch 1 is now running multiple VRFs.
0:13:19	In addition to this, it's going to be running the VRF
0:13:22	aware OSPF process.
0:13:24	So the first thing I would do on Switch 1 is define the VRF
0:13:27	let's say ip vrf whatever customer VRF
0:13:34	Since I'm not running MPLS, I don't necessarily need to
0:13:38	define the route target import and export policy
0:13:42	but I do still need to define a route distinguisher.
0:13:46	Again, it doesn't matter what this value is because if I'm
0:13:50	not running VPN v4 BGP, it means that the route
0:13:54	distinguisher is not going to be advertised to any other neighbors.
0:13:58	As long as the different VRFs locally have different
0:14:00	route distinguishers, that's really the only thing that matters
0:14:03	in VRF lite.
0:14:07	So I have the VRF
0:14:09	I'm then going to apply it on these different interfaces.
0:14:13	So we'll say ip vrf forwarding
0:14:17	the customer VRF
0:14:19	and this is going to go on all three of these interfaces.
0:14:26	If we look at also the OSPF configuration
0:14:30	this is going to need to be changed in order to be a
0:14:33	VRF aware process.
0:14:36	So I'll take OSPF 100
0:14:40	this is going to be removed and then replaced with
0:14:45	router ospf 100 for vrf the customer VRF
0:15:03	So typically, if we were to do this, there would be
0:15:06	other multiple VRFs that we have assigned on the interfaces
0:15:09	it doesn't make sense just to have one VRF
0:15:12	and not use the global table or not use other interfaces
0:15:16	so within the scope of the lab exam, it's really going to depend on what the
0:15:19	rest of the network design is.
0:15:22	But if we look at the show ip route vrf *
0:15:29	we see that there's no routes in the global routing table
0:15:33	essentially all of the routes are now in the customer VRF table.
0:15:39	If we look at the show ip ospf database
0:15:43	we see that we are learning the different routes
0:15:48	in area 78 and in area 0
0:15:53	if we show ip ospf neighbors
0:15:57	we see we have adjacencies with Router 6 and with Switch 2
0:16:08	so again, really the only thing that has changed in this design
0:16:11	is now that Switch 1 is running multiple VRFs
0:16:17	and it's running the VRF aware OSPF process.
0:16:22	So instead of just saying router ospf 100, we had to
0:16:24	say router ospf 100 customer_vrf
0:16:31	Now the design issue that we run into is that the
0:16:34	RFC says that when the type 3 LSA is sent from the PE to the
0:16:39	CE, the down bit has to be set.
0:16:42	This is used to ensure that if any CE router sends this type 3
0:16:47	LSA to a PE, the PE router will not redistribute it further.
0:16:52	The key point being the very last portion of the sentence.
0:16:56	The PE router will not redistribute it further.
0:17:03	What this essentially means is that if we are running the
0:17:06	VRF aware OSPF process and we receive a type 3 LSA
0:17:12	that has the down bit set, we will not install it into the routing table.
0:17:18	Now if it's not installed in the routing table, it means that it can't
0:17:21	be redistributed because remember what we talked about
0:17:24	redistribution it happens from the routing table, it doesn't happen
0:17:28	from the routing database.
0:17:31	Now in our particular case, Switch 1 is not going to cause
0:17:36	a loop by installing these routes in the table
0:17:39	because it's not doing any redistribution. Really what this
0:17:43	feature is trying to prevent is the case where Switch 1
0:17:46	is attached to the MPLS network, let's say that this is
0:17:51	Router 7 that goes to Router 1 and Router 3
0:17:55	we would not want a case where the route comes from
0:17:58	MPLS to Router 6, 6 sends it to Switch 1
0:18:02	Switch 1 redistributes it back and then it gets learned, it gets
0:18:05	looped out somewhere in the MPLS network.
0:18:08	So the down bit is trying to prevent this case.
0:18:11	But in our particular design, Switch 1 is not really a PE
0:18:17	it's simply a multi-VRF router or a VRF lite router
0:18:21	that's running the VRF aware OSPF process.
0:18:25	But the end result is that the router is automatically going to
0:18:28	filter these prefixes out.
0:18:31	So when we look at the show ip route vrf for the
0:18:35	customer VRF,
0:18:42	notice that none of the OSPF routes are getting installed
0:18:45	into the routing table.
0:18:49	Even though they're in the OSPF database, we can't actually
0:18:53	install them.
0:18:55	The end result of this is that we're not going to have reachability.
0:19:00	So from Switch 2 if we now try to trace to get to
0:19:02	Switch 1's loopback
0:19:05	we see that we can't actually get there.
0:19:19	So from Switch 2's perspective, this is not going to affect them.
0:19:22	If we look at the show ip route ospf on Switch 2
0:19:26	we can install their routes, the problem is just that they
0:19:29	are not going to install our routes.
0:19:38	So for this very specific design case,
0:19:41	there's a workaround for the VRF aware OSPF process
0:19:46	that basically tells it to ignore the down bit.
0:19:50	So if we look under the OSPF command reference
0:19:54	this is the -- it should be through A through IP
0:20:02	which is capability VRF lite.
0:20:20	It say the usage is to suppress the provider edge specific checks
0:20:24	on a router where the OSPF process is associated with a
0:20:27	VPN routing and forwarding instance or VRF
0:20:30	Use the capability vrf-lite command in router configuration mode.
0:20:35	It says by default this is disabled which means that the
0:20:37	PE checks are performed if the process is associated with
0:20:41	a VRF command mode.
0:20:47	It says when the OSPF process is associated with the VRF
0:20:50	several checks are performed when the link state advertisements are
0:20:52	received. PE checks are needed to prevent loops when the PE is
0:20:56	performing multiple redistribution between OSPF and BGP.
0:21:00	It says for type 3 LSAs, the down bit is checked.
0:21:04	If the down bit is checked, the type 3 LSA is not considered
0:21:08	during the SPF calculation.
0:21:10	For type 5 or type 7 LSAs, if the tag is equal to the
0:21:15	VPN tag, the type 5 or type 7 LSA is not considered
0:21:20	during SPF calculation. Now the second one is talking about
0:21:24	the BGP AS number.
0:21:26	So if the route is not a type 3 LSA, we would see that Router 5
0:21:32	and Router 6, they're going to encode this with the BGP
0:21:36	autonomous system number inside of the route tag.
0:21:43	So in this very specific case like it says here in some situations
0:21:47	performing PE checks might not be desirable. The concept of VRFs can be
0:21:51	used on a router that's not a PE
0:21:54	that is a router that is not running BGP.
0:21:57	So it's exactly the situation that we have here
0:21:59	where Switch 1 is running multiple VRFs
0:22:04	but it's actually not a PE
0:22:06	It's running VRF lite, but it's not actually running
0:22:08	Layer 3 MPLS VPNs.
0:22:10	So in order to bypass this we would need to go under the
0:22:14	OSPF process of Switch 1 so router ospf 100
0:22:19	and say capability vrf lite
0:22:25	Once this is enabled, if we now look at the routing table
0:22:29	we see now we can install the OSPF routes.
0:22:39	So now even though the down bit is being checked
0:22:42	Switch 1 is ignoring this when it goes to do its SPF calculation
0:22:47	and figure out which routes can move from the database into the routing table.
0:22:57	But again, the key point here is that this check only
0:23:00	happens on type 3 LSAs which is the inter area routes.
0:23:07	This would then means that there's another couple solutions
0:23:10	that we could use for this problem.
0:23:12	So the problem is in the first place that Switch 1
0:23:15	thinks it's a PE.
0:23:16	So with the capability vrf lite off
0:23:19	it cannot install into the routing table
0:23:22	any route that has the down bit set.
0:23:26	So if we go under router ospf 100
0:23:28	and say no capability vrf lite
0:23:32	which is the default
0:23:39	if we look at the change in the routing table
0:23:41	we can see the OSPF routes are no longer installed.
0:23:55	So if the down bit is only set on the inter area routes
0:24:00	what are the other possible solutions we could get Switch 1
0:24:04	to install the routes
0:24:06	without having to say capability vrf lite
0:24:11	because we know that's one of the solutions, if we tell the
0:24:14	OSPF process to ignore the down bit
0:24:18	then for any of the type 3 LSAs, it's going to skip that check and
0:24:21	it can install them into the routing table.
0:24:26	But remember that the LSA 3 is the only one that
0:24:31	gets the down bit.
0:24:33	So if we were able to change the OSPF route type
0:24:39	and Switch 1 were to receive this as either an intra area route
0:24:44	or an external route, then it would not be using the down
0:24:50	bit for the loop prevention.
0:24:58	So let's say we wanted to get the routes to show up
0:25:00	as external
0:25:03	in this particular topology who is the device that is choosing
0:25:09	where the route goes into the database whether it's going to be
0:25:13	a type 1 router LSA a type 3 summary LSA
0:25:18	network summary LSA or type 5 external.
0:25:29	From Switch 1's perspective this is going to be Router 6
0:25:32	because Router 6 is the one that's performing the
0:25:34	BGP to OSPF redistribution.
0:25:38	So if Router 6 were to redistribute this not as a type 3 LSA
0:25:43	then we should be able to get around this check in the database.
0:25:53	So let's take a look at Router 6's process
0:25:55	and again, if we look at the show bgp vpn v4 unicast
0:26:01	vpn v4 unicast all for 10.3.8.8
0:26:08	What is the reason that Router 6 is installing this
0:26:11	as a type 3 LSA into the database to begin with?
0:26:23	It's based on the fact that the OSPF domain ID of
0:26:26	the route that was encoded here as the BGP extended community
0:26:31	this is matching the local OSPF process.
0:26:36	So again if we say show ip ospf 100
0:26:39	or actually show ip ospf 1
0:26:43	it says for OSPF process 1 my domain ID is 0.0.0.1
0:26:48	Since this matches this incoming route
0:26:52	I'm going to treat this as an inter area route when I
0:26:56	redistribute it back into OSPF
0:27:04	so this means what we could do on Router 6 would be to
0:27:07	go to the OSPF process
0:27:11	and if we were to either change the process number
0:27:14	so if I deleted OSPF 1 and then restarted it with some different
0:27:18	number or changed the domain ID to any other value
0:27:23	let's say 6.6.6.6
0:27:28	when we receive the VPN v4 route,
0:27:37	Router 6 is going to see that the domain ID of this prefix
0:27:41	does not match the domain ID of the local process
0:27:45	which means that this is now going to be advertised
0:27:47	as an external route.
0:27:50	So if we look at Switch 1 and look at the routing table
0:27:54	now these are installed as E2s as opposed to OIA
0:28:01	and then the end result of this is that we should be able to
0:28:04	reach the destination.
0:28:13	So there's a couple different ways that you could solve this
0:28:15	particular problem, the key is that you need to understand
0:28:18	why the filtering is happening in the first place
0:28:21	that if Switch 1 is running VRF lite
0:28:25	it says I'm now a PE so I'm going to do those
0:28:28	PE specific checks
0:28:29	it's going to look for the down bit in the type 3 LSAs
0:28:32	and not install those into the routing table.
0:28:36	Then Router 6 is going to create the type 3 LSA
0:28:40	if the VPN v4 update has the OSPF domain ID set
0:28:46	that matches the local process domain ID
0:28:50	Now since the domain ID is by default inferred from the
0:28:53	OSPF process number, it basically means that if Router 6
0:28:57	and Router 5's OSPF process number for VRF C is different
0:29:02	they're going to have different domain IDs.
0:29:07	Otherwise, we could change the domain ID
0:29:11	that's going to cause Router 6 to redistribute the route as a type 5
0:29:15	external. We could tell Switch 1 simply to ignore
0:29:22	the down bit that would be by the capability
0:29:24	of VRF lite or how could we get it to show up as an
0:29:29	intra area route.
0:29:37	If we were to configure a sham link between
0:29:40	Router 5 and Router 6 that matches the
0:29:45	area that the router's being advertised into in the first place
0:29:51	Switch 1 would then see this as an intra area route
0:29:55	as opposed to an inter area route
0:30:01	and the intra area routes they do not use the down bit for the loop prevention
0:30:05	it's only the type 3 LSAs only the inter area routes.
0:30:10	So you can see definitely here with OSPF it gets much more
0:30:13	complicated than RIP or EIGRP is as the PE to CE routing protocol
0:30:18	because there's these new rules that are introduced for the
0:30:21	path selection and also for the loop prevention
0:30:24	you do definitely want to make sure you understand how
0:30:26	this stuff works before you get to the actual lab exam.
0:30:31	So you can try out the examples that I did here in class
0:30:34	there's also some examples of this in the volume 1 workbook.
0:30:38	Another good resource for this there's a Cisco press
0:30:40	book that is MPLS configuration on Cisco IOS
0:30:49	and I believe this one is also available then on Safari
0:30:54	so this is some different configuration examples
0:30:57	with different designs, it talks about what is the
0:31:00	design problem in the first place, then looks at
0:31:02	how to configure this.
0:31:04	You'll see some of this stuff is going to be outside of our scope like
0:31:07	the any transport over MPLS which is the Layer 2 VPNs
0:31:11	along with the VPLS and the MPLS traffic engineering
0:31:15	that's not going to be part of the CCIE routing and switching scope.
0:31:22	Again, the other book that's really good for this for theory
0:31:26	is the MPLS enabled applications.
0:31:31	So if you're looking for more detailed explanation of how
0:31:34	how MPLS works and why
0:31:38	then I would definitely recommend to look at this one
0:31:41	as opposed to the Cisco specific books.
0:31:45	So obviously the Cisco press stuff is going to talk about
0:31:48	it from the implementation point of view of IOS
0:31:52	but this one, MPLS enabled applications, is more just from a technology point of view
0:31:58	how the MPLS standards are defined and what are the different
0:32:02	design issues with the Layer 2 and Layer 3 VPNs
0:32:08	Ok, there's a question here, "Is the domain tag the same
0:32:11	as the router tag used for external routes?"
0:32:13	Before we finish this section, let's look at that real quick.
0:32:16	If we were to go to Switch 1
0:32:20	we can see now when we look at the routing table
0:32:22	these OSPF routes are being advertised as external type 5
0:32:28	They're showing up as E2 in the routing table.
0:32:31	So if we look in the database and say show ip ospf database
0:32:36	then we look down into the type 5 LSAs
0:32:40	notice this route tag value that's been added onto the
0:32:44	route now.
0:32:49	So normally the route tag is going to be zero, it's going to be
0:32:52	null unless you're manually setting it.
0:32:55	So this is what we used before for the loop prevention
0:32:57	in the redistribution where we manually set the route tag
0:33:02	and then deny it on the other side.
0:33:05	But in the case of OSPF and MPLS, it's actually doing this
0:33:08	by default.
0:33:13	So inside this actual number if we look at the way this is
0:33:18	derived and it's kind of strange we'd have to take this
0:33:20	full number in decimal
0:33:24	convert it to hex
0:33:27	then the last two bytes which here are 00C8
0:33:34	if I were to take 00C8, convert this back to decimal
0:33:40	this is the BGP AS number.
0:33:47	So basically what this says is that when Router 6
0:33:50	did the redistribution, the route came from BGP AS number 200 to begin with
0:33:58	so if the route gets advertised down to the customer and then it comes
0:34:00	back to a different PE, Router 5 is not going to redistribute this
0:34:05	back into BGP.
0:34:12	So if we wanted to change that, we could manually
0:34:14	set it with a route map or we could manually change the
0:34:17	domain tag, but most of the time you would just leave it alone
0:34:21	because it's the automatic loop prevention mechanism.
0:34:25	The only issue is that if we manually wanted to allow the
0:34:28	redistribution of BGP to OSPF, then OSPF back to BGP
0:34:36	we would need to remove what that route tag value is.
0:34:39	But I'm not really sure what the design is that you would want to
0:34:42	do this because it's an automatic loop prevention
0:34:45	mechanism of OSPF
0:34:48	so otherwise, if we look at the documentation here
0:34:51	for the 12.4 configuration guides, then down to
0:34:57	MPLS
0:35:00	pretty much the only thing that you're going to need to
0:35:02	know for the exam would be the topics here under MPLS
0:35:05	label distribution protocol so you should understand the basic
0:35:10	features of LDP like how do I do authentication
0:35:13	how do I establish the adjacency, if I need to, how do I change the
0:35:17	transport address which is the source of the TCP update
0:35:22	for most of these, you can just look at the command reference under MPLS
0:35:26	so if we were to go to MPLS commands and then look at the
0:35:30	MPLS LDP commands
0:35:34	you'll see that there's really not that many features to begin with.
0:35:38	So I could say what's the label range like the number of
0:35:41	labels that I'm going to use for allocation.
0:35:44	If for some reason I wanted to filter what particular
0:35:47	prefixes I'm doing bindings for, we could say no MPLS
0:35:52	LDP advertise labels and then advertise a specific access list in there
0:36:01	otherwise, if you don't modify either of these, the routers are
0:36:04	automatically going to dynamically negotiate what the
0:36:06	label number is going to be.
0:36:09	So we really don't care what the number is at the end of the day
0:36:13	because it's just a locally significant value between those two neighbors.
0:36:17	The only time we would need to know it is if we're trying to do
0:36:19	some verification in the data plane by looking at the
0:36:23	debug mpls packets, we can see the difference between the
0:36:26	transport label and the VPN label
0:36:29	then we look at the show mpls forwarding table to
0:36:32	verify our transport labels and the show vpn
0:36:37	show bgp vpnv4 unicast
0:36:40	for the individual prefixes to verify what the VPN labels are.
0:36:50	Then there's some other options here like MPLS LDP explicit null
0:36:54	this says for your connected interfaces, instead of advertising
0:36:59	no label, you can advertise a label value of zero
0:37:02	which would be used for a QoS classification
0:37:05	we'll touch on that a little bit when we get to QoS
0:37:09	there's also MPLS LDP IGP auto config
0:37:12	and IGP sync
0:37:15	The auto config here this is used to basically just
0:37:19	automatically enable LDP on every interface that's
0:37:24	running OSPF
0:37:27	so in a real design, you want to make sure that MPLS is
0:37:30	on every single interface that you're also doing IGP routing
0:37:35	so if you just use this one command, then you're going to
0:37:38	make sure there's never a mismatch between your
0:37:40	IGP domain and the LDP domain.
0:37:48	Then the next one, the MPLS LDP IGP sync
0:37:52	it says
0:37:58	use the MPLS LDP IGP sync delay seconds command to
0:38:02	configure a delay time for MPLS LDP and IGP synchronization
0:38:06	on an interface by interface basis.
0:38:10	It says if you configure a delay, LDP starts the timer
0:38:14	when the timer expires, LDP checks that synchronization
0:38:17	is still valid and notifies OSPF.
0:38:19	So basically what this means is that it's a delay
0:38:24	before you start allocating your labels
0:38:29	because we want to make sure that the IGP domain
0:38:31	has converged before LDP starts advertising label values.
0:38:38	So this can be used, it's kind of like how that
0:38:43	the set the overload bit works in IS-to-IS or the
0:38:46	stub router advertisement works in OSPF
0:38:50	where it could be used for like graceful restart
0:38:53	if you need to take the router out of service, when it comes back into
0:38:56	the network, you want to make sure it doesn't advertise
0:38:59	destinations that it's going to black hole routes for.
0:39:02	So you would give IGP some time to converge before you
0:39:05	start advertising yourself as transit
0:39:07	and that's what the IGP synchronization does here.
0:39:12	But again, there's going to be a lot of stuff here that's
0:39:14	not within the scope of routing and switching
0:39:16	so if you look at the LDP section here
0:39:20	and then the portion of the Layer 3 VPNs
0:39:23	that are just for the intra AS Layer 3 VPNs
0:39:30	then this specific document says ensuring that the MPLS
0:39:33	VPN clients using OSPF communicate over the
0:39:35	backbone instead of through backdoor links
0:39:38	that's what we were just discussing here with the sham links.

Now Viewing

CCIE R&S Advanced Technologies Class v4.5
Title:	CCIE R&S Advanced Technologies Class v4.5
Duration:	81h 02m
The CCIE Routing & Switching Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Routing & Switching lab will be described in detail using an instructor led hands on demonstration. The class consists of over 80 hours of in depth explanations and examples.
Get instant access to our entire library!
	Sign Up
Download this Course
$299.00	Add to Cart

MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prev...

Create Bookmark