26 April 2020

This is a continuation of the other post abount installing and configuring a basic MPLS L3VPN network in GNS3.

Normally, we always have a routing protocol running between the customer CPE and the provider PE. OSPF was very common and I used to be give for granted the routing loop avoidance in a dual-home CPE, I knew the idea but never really hammered it in my head. Until a couple of months ago that I hit an issue during the migration of my employer MPLS network to a new vendor. The new vendor didnt implemented the OSPF Down bit. /o\

Summary: If an LSA arrives at a PE with the down bit set, that will never be redistributed into BGP. This prevents the route from leaking in from one PE back into another PE.

The RFC for using OSPF in PE-CE in MPLS VPNs is here:

Note: Down-Bit is only used in LSA3!

It was frustrating but it was a good excuse too because it pushed me (and I could justify) to move our PE-CE to BGP.

In general I always read these blogs when I want to refresh my OSPF Down Bit. So all merits are for them:

http://dtdccie.blogspot.com/2016/03/ospf-down-bit-set.html

https://mellowd.co.uk/ccie/ospf-as-the-pe-ce-routing-protocols-deep-dive-part-1-of-2/

https://mellowd.co.uk/ccie/ospf-as-the-pe-ce-routing-protocols-deep-dive-part-3-of-3-loop-prevention/

So with this background, I built a GNS3 lab to show OSPF Down-Bit in action:

https://github.com/thomarite/mpls-down-bit

The big picture is: CE (HQ, BRANCH) routers are running OSPF with the PE (SP1/3/4) routers. The PE routers redistribute these OSPF routes into BGP and then converts them to VPNv4 NLRI. These VPNv4 NLRI are advetised to other PE routers via BGP. The PE also converts these VPNv4 routes back into OSPF and then off to the CE router.

Now in more detail, let’s see where we can have a routing loop:

1) HQ sends a LSA1 to SP1 with Lo:172.16.10.1/32 and the connected network to PE 172.16.100.0/24

HQ#show ip ospf database router internal self-originate 

            OSPF Router with ID (172.16.110.1) (Process ID 1)

		Router Link States (Area 10)

  Now in min table 
  Table index: 42 min 17 sec
  LS age: 321
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 172.16.110.1
  Advertising Router: 172.16.110.1
  LS Seq Number: 80000003
  Checksum: 0x7247
  Length: 48
  AS Boundary Router
  Number of Links: 2

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 172.16.10.1
     (Link Data) Network Mask: 255.255.255.255
      Number of TOS metrics: 0
       TOS 0 Metrics: 1
          
    Link connected to: a Transit Network
     (Link ID) Designated Router address: 172.16.100.1
     (Link Data) Router Interface address: 172.16.100.1
      Number of TOS metrics: 0
       TOS 0 Metrics: 1

2) SP1 received the new OSPF route from HQ (172.16.10.1/32) and it is redistributed into BGP so other PEs can receive it (SP3 and SP4) as a VPNv4. The connected 172.16.100.0/24 is as well redistributed into BGP

SP1#show ip ospf database router internal adv-router 172.16.110.1

            OSPF Router with ID (10.0.1.1) (Process ID 1)

            OSPF Router with ID (172.16.100.254) (Process ID 10)

		Router Link States (Area 10)

  Routing Bit Set on this LSA
  Now in min table 
  Table index: 45 min 42 sec
  LS age: 648
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 172.16.110.1
  Advertising Router: 172.16.110.1
  LS Seq Number: 80000003
  Checksum: 0x7247
  Length: 48
  AS Boundary Router
  Number of Links: 2

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 172.16.10.1
     (Link Data) Network Mask: 255.255.255.255
      Number of TOS metrics: 0
       TOS 0 Metrics: 1

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 172.16.100.1
     (Link Data) Router Interface address: 172.16.100.1
      Number of TOS metrics: 0
       TOS 0 Metrics: 1


SP1# 
SP1#show ip route vrf CUST-A

Routing Table: CUST-A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
B       172.16.200.0/24 [200/0] via 10.0.3.1, 00:41:47
B       172.16.201.0/24 [200/0] via 10.0.4.1, 00:41:47
B       172.16.20.1/32 [200/2] via 10.0.3.1, 00:41:47
O       172.16.10.1/32 [110/2] via 172.16.100.1, 00:43:58, FastEthernet0/0
O E1    172.16.110.1/32 [110/21] via 172.16.100.1, 00:43:58, FastEthernet0/0
C       172.16.100.0/24 is directly connected, FastEthernet0/0
SP1#
SP1#show ip bgp vpnv4 all 
BGP table version is 14, local router ID is 10.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf CUST-A)
*> 172.16.10.1/32   172.16.100.1             2         32768 ?
* i172.16.20.1/32   10.0.4.1                 2    100      0 ?
*>i                 10.0.3.1                 2    100      0 ?
*> 172.16.100.0/24  0.0.0.0                  0         32768 ?
*> 172.16.110.1/32  172.16.100.1            21         32768 ?
* i172.16.200.0/24  10.0.4.1                 2    100      0 ?
*>i                 10.0.3.1                 0    100      0 ?
*>i172.16.201.0/24  10.0.4.1                 0    100      0 ?
* i                 10.0.3.1                 2    100      0 ?
SP1#

It is important to notice how the VPNv4 for 172.16.10.1/32 is built in SP1. Based on the rfc section 4.2.6 “Handling LSAs from the CE” we see the following:

When a PE router receives, from a CE router, any LSA with the DN bit [OSPF-DN] set, the information from that LSA MUST NOT be used by the route calculation. If a Type 5 LSA is received from the CE, and if it has an OSPF route tag value equal to the VPN Route Tag (see Section 4.2.5.2), then the information from that LSA MUST NOT be used by the route calculation.

Otherwise, the PE must examine the corresponding VRF.For every address prefix that was installed in the VRF by one of its associated OSPF instances, the PE must create a VPN-IPv4 route in BGP. Each such route will have some of the following Extended Communities attributes:

– The OSPF Domain Identifier Extended Communities attribute. If the OSPF instance that installed the route has a non-NULL primary Domain Identifier, this MUST be present; if that OSPF instance has only a NULL Domain Identifier, it MAY be omitted. This attribute is encoded with a two-byte type field, and its type is 0005, 0105, or 0205. For backward compatibility, the type 8005 MAY be used as well and is treated as if it were 0005. If the OSPF instance has a NULL Domain Identifier, and the OSPF Domain Identifier Extended Communities attribute is present, then the attribute’s value field must be all zeroes, and its type field may be any of 0005, 0105, 0205, or 8005.

– OSPF Route Type Extended Communities Attribute. This attribute MUST be present. It is encoded with a two-byte type field, and its type is 0306. To ensure backward compatibility, the type 8000 SHOULD be accepted as well and treated as if it were type 0306. The remaining six bytes of the Attribute are encoded as follows:

Area Number – Route Type – Options

So the very first paragraph is our answer when we reach SP3 (when dealing with a LSA3) and there is no loop. And the second paragrah is our answer when delaling with a LS5 and avoid a loop (more of this later). So this is our VPNv4 for 172.16.10.1/32

SP1#
SP1#show ip bgp vpnv4 rd 100:1 172.16.10.1/32 
BGP routing table entry for 100:1:172.16.10.1/32, version 5
Paths: (1 available, best #1, table CUST-A)
  Advertised to update-groups:
        2
  Local
    172.16.100.1 from 0.0.0.0 (10.0.1.1)
      Origin incomplete, metric 2, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:100 OSPF DOMAIN ID:0x0005:0x0000000A0200 
        OSPF RT:0.0.0.10:2:0 OSPF ROUTER ID:172.16.100.254:0
      mpls labels in/out 21/nolabel
SP1#

So the extended communities generated from being a OSPF prefix are OSPF DOMAIN ID, OSPF Route Type (RT) and OSPF ROUTER ID.

I haven’t configured “ospf domain ID” in any router so Cisco IOS is generating one for itself (although it should be NULL) in OSPF DOMAIN ID.

For OSPF RT, we have are 10 (0.0.0.10) and LSA2 (although it should be LSA1). ROUTER ID is the expected one.

3) SP2 is just a P router so it is transparent here. Doesnt know anything about BGP, VPNv4, etc. It just does LDP and IGP.

SP2#show ip bgp summary 
% BGP not active

SP2#show ip route ospf 
     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
O       10.0.3.1/32 [110/2] via 10.0.23.1, 00:45:04, GigabitEthernet2/0
O       10.0.1.1/32 [110/2] via 10.0.12.1, 00:44:54, GigabitEthernet1/0
O       10.0.4.1/32 [110/3] via 10.0.23.1, 00:44:54, GigabitEthernet2/0
O       10.0.34.0/24 [110/2] via 10.0.23.1, 00:44:54, GigabitEthernet2/0
SP2#

4) SP3 received the new VPNv4, it is redistributed from BGP to OSPF as a LSA3 (The MPLS backbone is a super OSPF area 0). If we pay attention to the details of the LSA3 (Summary) from HQ prefix 172.16.10.1/32 “show ip ospf database summary 172.16.10.1” we can see two details. First, the two LSA are one from SP3 (advert router 172.16.200.254) and the other from SP4 (advert router 172.16.201.254). Second, both show “Downward” in the options field. As stated earlier, this is directed by the rfc for any PE sending a LSA3. So, if iBGP has AD of 200 and OSPF has AD of 110. How come we have installed the BGP prefix in the routing table for 172.16.10.1/32 instead of the OSPF prefix coming from SP4. As per the standard mentioned earlier, if a PE router receives an OSPF prefix with the down bit enabled (“Downward”), the PE router ignores that prefix. The “Downward” bit is saying the prefix is coming from another PE in the same area so if you accept it, you will trigger a routing loop. Keep in mind that SP4 is doing the same thing as we see below in the commands for SP3. If SP3 accepts the OSPF prefix from SP4 for reaching 172.16.10.1/32 (HQ), SP4 is doing the same thing, accepting the SP3 prefix for reaching 172.16.10.1/32 (HQ). So SP3 would send traffic to SP4, and SP4 would return it back to SP3. When both SP3/SP4 learn the OSPF prefix from each other, they will stop redistributing the BGP prefix (that is coming from SP1/HQ) into OSPF so we reach a point where there is no more LSA3 for 172.16.10.1! and the process starts again. As well SP3/4 will redistribute the OPSF prefix learned from the other SP into BGP. So we are back to the intial stage, SP3/SP4 only have the BGP prefix for 172.16.10.1 (from SP2 or SP3/4), as it is the best route, it is redistributed to OSPF, and you know what happens next.

SP3#show ip bgp vpnv4 all 
BGP table version is 13, local router ID is 10.0.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf CUST-A)
*>i172.16.10.1/32   10.0.1.1                 2    100      0 ?
* i172.16.20.1/32   10.0.4.1                 2    100      0 ?
*>                  172.16.200.1             2         32768 ?
*>i172.16.100.0/24  10.0.1.1                 0    100      0 ?
*>i172.16.110.1/32  10.0.1.1                21    100      0 ?
* i172.16.200.0/24  10.0.4.1                 2    100      0 ?
*>                  0.0.0.0                  0         32768 ?
* i172.16.201.0/24  10.0.4.1                 0    100      0 ?
*>                  172.16.200.1             2         32768 ?
SP3#
SP3#
SP3#show ip route vrf CUST-A

Routing Table: CUST-A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C       172.16.200.0/24 is directly connected, FastEthernet0/0
O       172.16.201.0/24 [110/2] via 172.16.200.1, 00:45:46, FastEthernet0/0
O       172.16.20.1/32 [110/2] via 172.16.200.1, 00:45:46, FastEthernet0/0
B       172.16.10.1/32 [200/2] via 10.0.1.1, 00:43:35
B       172.16.110.1/32 [200/21] via 10.0.1.1, 00:43:35
B       172.16.100.0/24 [200/0] via 10.0.1.1, 00:43:35
SP3#
SP3#show ip ospf database         

            OSPF Router with ID (10.0.3.1) (Process ID 1)

		Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.0.1.1        10.0.1.1        1076        0x80000003 0x00D9F2 2
10.0.2.1        10.0.2.1        1132        0x80000004 0x00D79A 3
10.0.3.1        10.0.3.1        1105        0x80000004 0x0083C1 3
10.0.4.1        10.0.4.1        1095        0x80000003 0x00D0C5 2

		Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.12.2       10.0.2.1        1132        0x80000002 0x00FFFA
10.0.23.1       10.0.3.1        1105        0x80000002 0x009F4E
10.0.34.2       10.0.4.1        1095        0x80000002 0x002BB3

            OSPF Router with ID (172.16.200.254) (Process ID 10)

		Router Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum Link count
172.16.20.1     172.16.20.1     1105        0x80000004 0x00750C 3
172.16.200.254  172.16.200.254  1116        0x80000003 0x0059C2 1
172.16.201.254  172.16.201.254  1121        0x80000003 0x005DBA 1

		Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
172.16.200.254  172.16.200.254  1116        0x80000002 0x00F4E4
172.16.201.254  172.16.201.254  1121        0x80000002 0x00EBEA

		Summary Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
172.16.10.1     172.16.200.254  1116        0x80000002 0x000C61
172.16.10.1     172.16.201.254  1121        0x80000002 0x000567
172.16.100.0    172.16.200.254  1116        0x80000002 0x002AEA
172.16.100.0    172.16.201.254  1121        0x80000002 0x0023F0

		Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
172.16.110.1    172.16.200.254  1116        0x80000002 0x005FD9 3489661028
172.16.110.1    172.16.201.254  1121        0x80000002 0x0058DF 3489661028
SP3#  
SP3#
SP3#
SP3#show ip ospf database  summary 172.16.10.1

            OSPF Router with ID (10.0.3.1) (Process ID 1)

            OSPF Router with ID (172.16.200.254) (Process ID 10)

		Summary Net Link States (Area 10)

  LS age: 1127
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 172.16.10.1 (summary Network Number)
  Advertising Router: 172.16.200.254
  LS Seq Number: 80000002
  Checksum: 0xC61
  Length: 28
  Network Mask: /32
	TOS: 0 	Metric: 2 

  LS age: 1132
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 172.16.10.1 (summary Network Number)
  Advertising Router: 172.16.201.254
  LS Seq Number: 80000002
  Checksum: 0x567
  Length: 28
  Network Mask: /32
	TOS: 0 	Metric: 2 

SP3#

Like we did in SP1, let’s see how SP3 deals with the VPNv4 for 172.16.10.1/32.

Based on th rfc “4.2.8” VPNv4 Routes received via BGP, we need to check “4.2.8.1 External Routes” (LSA5/7) and “4.2.8.2 Summary Routes” (LSA3) and the VPNv4 received:

SP3#show ip bgp vpnv4 rd 100:1 172.16.10.1/32 
BGP routing table entry for 100:1:172.16.10.1/32, version 8
Paths: (1 available, best #1, table CUST-A)
  Not advertised to any peer
  Local
    10.0.1.1 (metric 3) from 10.0.1.1 (10.0.1.1)
      Origin incomplete, metric 2, localpref 100, valid, internal, best
      Extended Community: RT:1:100 OSPF DOMAIN ID:0x0005:0x0000000A0200 
        OSPF RT:0.0.0.10:2:0 OSPF ROUTER ID:172.16.100.254:0
      mpls labels in/out nolabel/21
SP3#

The DOMAIN ID has to match as we haven’t defined it. OSPF RT, is telling that is coming from OSPF area 10 and non-external. So SP3 can generate a LSA3 for 172.16.10.1/32 as we have OSPF area 10 defined too.

5) From SP4 perspective. Same view as SP3. SP4 ignores LSA3 with Down-bit.

SP4#show ip bgp vpnv4 all 
BGP table version is 13, local router ID is 10.0.4.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf CUST-A)
*>i172.16.10.1/32   10.0.1.1                 2    100      0 ?
* i172.16.20.1/32   10.0.3.1                 2    100      0 ?
*>                  172.16.201.1             2         32768 ?
*>i172.16.100.0/24  10.0.1.1                 0    100      0 ?
*>i172.16.110.1/32  10.0.1.1                21    100      0 ?
* i172.16.200.0/24  10.0.3.1                 0    100      0 ?
*>                  172.16.201.1             2         32768 ?
* i172.16.201.0/24  10.0.3.1                 2    100      0 ?
*>                  0.0.0.0                  0         32768 ?
SP4#
SP4#
SP4#show ip ospf database summary 172.16.10.1

            OSPF Router with ID (10.0.4.1) (Process ID 1)

            OSPF Router with ID (172.16.201.254) (Process ID 10)

		Summary Net Link States (Area 10)

  LS age: 1489
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 172.16.10.1 (summary Network Number)
  Advertising Router: 172.16.200.254
  LS Seq Number: 80000003
  Checksum: 0xA62
  Length: 28
  Network Mask: /32
	TOS: 0 	Metric: 2 

  LS age: 1475
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 172.16.10.1 (summary Network Number)
  Advertising Router: 172.16.201.254
  LS Seq Number: 80000003
  Checksum: 0x368
  Length: 28
  Network Mask: /32
	TOS: 0 	Metric: 2 

SP4#  
SP4#show ip route vrf CUST-A

Routing Table: CUST-A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
O       172.16.200.0/24 [110/2] via 172.16.201.1, 01:31:12, FastEthernet3/0
C       172.16.201.0/24 is directly connected, FastEthernet3/0
O       172.16.20.1/32 [110/2] via 172.16.201.1, 01:31:12, FastEthernet3/0
B       172.16.10.1/32 [200/2] via 10.0.1.1, 01:28:57
B       172.16.110.1/32 [200/21] via 10.0.1.1, 01:28:57
B       172.16.100.0/24 [200/0] via 10.0.1.1, 01:28:57
SP4#

6) And Finally, BRANCH. It can see the prefix 172.16.10.1/32 (HQ) via two paths as we would expect. And without routing loops (the routes has been installed for over 1h 30minutes). BRANCH doesnt react to the Down-Bit so it accepts the LSA3 from SP2/3 and install the OSPF prefix.

BRANCH#show ip route                 
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C       172.16.200.0/24 is directly connected, FastEthernet0/0
C       172.16.201.0/24 is directly connected, FastEthernet3/0
C       172.16.20.0/24 is directly connected, Loopback0
O IA    172.16.10.1/32 [110/3] via 172.16.201.254, 01:30:38, FastEthernet3/0
                       [110/3] via 172.16.200.254, 01:30:39, FastEthernet0/0
O E1    172.16.110.1/32 [110/22] via 172.16.201.254, 01:30:34, FastEthernet3/0
                        [110/22] via 172.16.200.254, 01:30:34, FastEthernet0/0
O IA    172.16.100.0/24 [110/2] via 172.16.201.254, 01:30:38, FastEthernet3/0
                        [110/2] via 172.16.200.254, 01:30:39, FastEthernet0/0
BRANCH#
BRANCH#
BRANCH#
BRANCH#show ip ospf database summary 172.16.10.1

            OSPF Router with ID (172.16.20.1) (Process ID 1)

		Summary Net Link States (Area 10)

  Routing Bit Set on this LSA
  LS age: 1599
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 172.16.10.1 (summary Network Number)
  Advertising Router: 172.16.200.254
  LS Seq Number: 80000003
  Checksum: 0xA62
  Length: 28
  Network Mask: /32
	TOS: 0 	Metric: 2 

  Routing Bit Set on this LSA
  LS age: 1587
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 172.16.10.1 (summary Network Number)
  Advertising Router: 172.16.201.254
  LS Seq Number: 80000003
  Checksum: 0x368
  Length: 28
  Network Mask: /32
	TOS: 0 	Metric: 2 

BRANCH#

So, we have seen the Down-bit in action for LSA3. But what about the external LSA: LSA5 and LSA7? How we avoid routing loops for them?

In this case, we have the “tag” field. This is explained in the rfc too.

1) In the same scenario, we have HQ router advertising 172.16.110.1/32 as LSA5 External.

HQ#
HQ#show ip interface brief 
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.100.1    YES NVRAM  up                    up      
GigabitEthernet1/0         unassigned      YES NVRAM  administratively down down    
GigabitEthernet2/0         unassigned      YES NVRAM  administratively down down    
FastEthernet3/0            unassigned      YES NVRAM  administratively down down    
FastEthernet3/1            unassigned      YES NVRAM  administratively down down    
Loopback0                  172.16.10.1     YES NVRAM  up                    up      
Loopback1                  172.16.110.1    YES NVRAM  up                    up      
HQ#
HQ#
HQ#
HQ#show ip ospf database          

            OSPF Router with ID (172.16.110.1) (Process ID 1)

		Router Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum Link count
172.16.100.254  172.16.100.254  1270        0x80000005 0x00D7D1 1
172.16.110.1    172.16.110.1    1272        0x80000005 0x006E49 2

		Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
172.16.100.1    172.16.110.1    1272        0x80000004 0x007824

		Summary Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
172.16.20.1     172.16.100.254  1270        0x80000004 0x00586D
172.16.200.0    172.16.100.254  1270        0x80000004 0x00947E
172.16.201.0    172.16.100.254  1270        0x80000004 0x008988

		Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
172.16.110.1    172.16.110.1    1272        0x80000004 0x007253 0
HQ# 
HQ#
HQ#show ip ospf database external 

            OSPF Router with ID (172.16.110.1) (Process ID 1)

		Type-5 AS External Link States

  LS age: 1276
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 172.16.110.1 (External Network Number )
  Advertising Router: 172.16.110.1
  LS Seq Number: 80000004
  Checksum: 0x7253
  Length: 36
  Network Mask: /32
	Metric Type: 1 (Comparable directly to link state metric)
	TOS: 0 
	Metric: 20 
	Forward Address: 0.0.0.0
	External Route Tag: 0

HQ#

2) SP1 sees 172.16.110.1/32 as OSPF E1. And redistribute it into BGP and creates a VPNv4

SP1#
SP1#show ip route vrf CUST-A       

Routing Table: CUST-A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
B       172.16.200.0/24 [200/0] via 10.0.3.1, 02:00:18
B       172.16.201.0/24 [200/0] via 10.0.4.1, 02:00:18
B       172.16.20.1/32 [200/2] via 10.0.3.1, 02:00:18
O       172.16.10.1/32 [110/2] via 172.16.100.1, 02:02:29, FastEthernet0/0
O E1    172.16.110.1/32 [110/21] via 172.16.100.1, 02:02:29, FastEthernet0/0
C       172.16.100.0/24 is directly connected, FastEthernet0/0
SP1#
SP1#
SP1#       
SP1#show ip ospf database 

            OSPF Router with ID (10.0.1.1) (Process ID 1)

		Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.0.1.1        10.0.1.1        1303        0x80000005 0x00D5F4 2
10.0.2.1        10.0.2.1        1350        0x80000006 0x00D39C 3
10.0.3.1        10.0.3.1        1554        0x80000006 0x007FC3 3
10.0.4.1        10.0.4.1        1352        0x80000005 0x00CCC7 2

		Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.12.2       10.0.2.1        1350        0x80000004 0x00FBFC
10.0.23.1       10.0.3.1        1554        0x80000004 0x009B50
10.0.34.2       10.0.4.1        1352        0x80000004 0x0027B5

            OSPF Router with ID (172.16.100.254) (Process ID 10)

		Router Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum Link count
172.16.100.254  172.16.100.254  1400        0x80000005 0x00D7D1 1
172.16.110.1    172.16.110.1    1405        0x80000005 0x006E49 2

		Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
172.16.100.1    172.16.110.1    1405        0x80000004 0x007824

		Summary Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
172.16.20.1     172.16.100.254  1400        0x80000004 0x00586D
172.16.200.0    172.16.100.254  1400        0x80000004 0x00947E
172.16.201.0    172.16.100.254  1400        0x80000004 0x008988

		Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
172.16.110.1    172.16.110.1    1405        0x80000004 0x007253 0
SP1#  
SP1#
SP1#
SP1#show ip ospf database external 

            OSPF Router with ID (10.0.1.1) (Process ID 1)

            OSPF Router with ID (172.16.100.254) (Process ID 10)

		Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 1409
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 172.16.110.1 (External Network Number )
  Advertising Router: 172.16.110.1
  LS Seq Number: 80000004
  Checksum: 0x7253
  Length: 36
  Network Mask: /32
	Metric Type: 1 (Comparable directly to link state metric)
	TOS: 0 
	Metric: 20 
	Forward Address: 0.0.0.0
	External Route Tag: 0

SP1#
SP1#show ip bgp vpnv4 all 
BGP table version is 14, local router ID is 10.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf CUST-A)
*> 172.16.10.1/32   172.16.100.1             2         32768 ?
* i172.16.20.1/32   10.0.4.1                 2    100      0 ?
*>i                 10.0.3.1                 2    100      0 ?
*> 172.16.100.0/24  0.0.0.0                  0         32768 ?
*> 172.16.110.1/32  172.16.100.1            21         32768 ?
* i172.16.200.0/24  10.0.4.1                 2    100      0 ?
*>i                 10.0.3.1                 0    100      0 ?
*>i172.16.201.0/24  10.0.4.1                 0    100      0 ?
* i                 10.0.3.1                 2    100      0 ?
SP1#
SP1#show ip bgp vpnv4 rd 100:1 172.16.110.1/32                   
BGP routing table entry for 100:1:172.16.110.1/32, version 7
Paths: (1 available, best #1, table CUST-A)
  Advertised to update-groups:
        2
  Local
    172.16.100.1 from 0.0.0.0 (10.0.1.1)
      Origin incomplete, metric 21, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:100 OSPF DOMAIN ID:0x0005:0x0000000A0200 
        OSPF RT:0.0.0.0:5:0 OSPF ROUTER ID:172.16.100.254:0
      mpls labels in/out 23/nolabel
SP1#

3) Again SP2, is transparent.

4) SP3 receives the VPNv4 for 172.16.110.1/32 from SP1. Installs it into BGP and then redistribute to OSPF. If we compare the ospf database output of SP1 with SP3. We see that SP3 has a different value for “tag” in 172.16.110.1/32. So that tags is created by SP3 when redistributing the BGP prefix to OSPF (based on the extended communities in the VPNv4 prefix). As per the rfc, the tag is generated based on the ASN (100). As are all our SPs are in the same ASN, the tag will be the same in all of PE generating the LSA from the VPNv4.

SP3#show ip bgp vpnv4  all 
BGP table version is 13, local router ID is 10.0.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf CUST-A)
*>i172.16.10.1/32   10.0.1.1                 2    100      0 ?
* i172.16.20.1/32   10.0.4.1                 2    100      0 ?
*>                  172.16.200.1             2         32768 ?
*>i172.16.100.0/24  10.0.1.1                 0    100      0 ?
*>i172.16.110.1/32  10.0.1.1                21    100      0 ?
* i172.16.200.0/24  10.0.4.1                 2    100      0 ?
*>                  0.0.0.0                  0         32768 ?
* i172.16.201.0/24  10.0.4.1                 0    100      0 ?
*>                  172.16.200.1             2         32768 ?
SP3#
SP3#
SP3#show ip route vrf CUST-A 

Routing Table: CUST-A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C       172.16.200.0/24 is directly connected, FastEthernet0/0
O       172.16.201.0/24 [110/2] via 172.16.200.1, 02:06:43, FastEthernet0/0
O       172.16.20.1/32 [110/2] via 172.16.200.1, 02:06:43, FastEthernet0/0
B       172.16.10.1/32 [200/2] via 10.0.1.1, 02:04:33
B       172.16.110.1/32 [200/21] via 10.0.1.1, 02:04:33
B       172.16.100.0/24 [200/0] via 10.0.1.1, 02:04:33
SP3#
SP3#
SP3#show ip ospf database 

            OSPF Router with ID (10.0.3.1) (Process ID 1)

		Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.0.1.1        10.0.1.1        1556        0x80000005 0x00D5F4 2
10.0.2.1        10.0.2.1        1602        0x80000006 0x00D39C 3
10.0.3.1        10.0.3.1        1804        0x80000006 0x007FC3 3
10.0.4.1        10.0.4.1        1602        0x80000005 0x00CCC7 2

		Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.12.2       10.0.2.1        1602        0x80000004 0x00FBFC
10.0.23.1       10.0.3.1        1804        0x80000004 0x009B50
10.0.34.2       10.0.4.1        1602        0x80000004 0x0027B5

            OSPF Router with ID (172.16.200.254) (Process ID 10)

		Router Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum Link count
172.16.20.1     172.16.20.1     1640        0x80000006 0x00710E 3
172.16.200.254  172.16.200.254  1625        0x80000005 0x0055C4 1
172.16.201.254  172.16.201.254  1626        0x80000005 0x0059BC 1

		Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
172.16.200.254  172.16.200.254  1625        0x80000004 0x00F0E6
172.16.201.254  172.16.201.254  1626        0x80000004 0x00E7EC

		Summary Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
172.16.10.1     172.16.200.254  1625        0x80000004 0x000863
172.16.10.1     172.16.201.254  1626        0x80000004 0x000169
172.16.100.0    172.16.200.254  1625        0x80000004 0x0026EC
172.16.100.0    172.16.201.254  1626        0x80000004 0x001FF2

		Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
172.16.110.1    172.16.200.254  1625        0x80000004 0x005BDB 3489661028
172.16.110.1    172.16.201.254  1626        0x80000004 0x0054E1 3489661028
SP3#

5) So let’s see with details the VPNv4 prefix for 172.16.10.1/32 (OSPF LSA3) and 172.16.110.1/32 (OSPF LSA5). Both originated by HQ.

SP3#show ip bgp vpnv4 rd 100:1 172.16.10.1/32 
BGP routing table entry for 100:1:172.16.10.1/32, version 8
Paths: (1 available, best #1, table CUST-A)
  Not advertised to any peer
  Local
    10.0.1.1 (metric 3) from 10.0.1.1 (10.0.1.1)
      Origin incomplete, metric 2, localpref 100, valid, internal, best
      Extended Community: RT:1:100 OSPF DOMAIN ID:0x0005:0x0000000A0200 
        OSPF RT:0.0.0.10:2:0 OSPF ROUTER ID:172.16.100.254:0
      mpls labels in/out nolabel/21
SP3#
SP3#show ip bgp vpnv4 rd 100:1 172.16.110.1/32
BGP routing table entry for 100:1:172.16.110.1/32, version 11
Paths: (1 available, best #1, table CUST-A)
  Not advertised to any peer
  Local
    10.0.1.1 (metric 3) from 10.0.1.1 (10.0.1.1)
      Origin incomplete, metric 21, localpref 100, valid, internal, best
      Extended Community: RT:1:100 OSPF DOMAIN ID:0x0005:0x0000000A0200 
        OSPF RT:0.0.0.0:5:0 OSPF ROUTER ID:172.16.100.254:0
      mpls labels in/out nolabel/23
SP3#

6) So SP3, based on the Extended communities, knows the VPNv4 prefix 172.16.110.1/32 was an OSPF LSA5 and it creates a tag. Keep in mind that SP4 is doing exactly the same thing as SP3:

SP4#
SP4#show ip route vrf CUST-A                   

Routing Table: CUST-A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
O       172.16.200.0/24 [110/2] via 172.16.201.1, 02:18:34, FastEthernet3/0
C       172.16.201.0/24 is directly connected, FastEthernet3/0
O       172.16.20.1/32 [110/2] via 172.16.201.1, 02:18:34, FastEthernet3/0
B       172.16.10.1/32 [200/2] via 10.0.1.1, 02:16:19
B       172.16.110.1/32 [200/21] via 10.0.1.1, 02:16:19
B       172.16.100.0/24 [200/0] via 10.0.1.1, 02:16:19
SP4#
SP4#
SP4#
SP4#show ip ospf database   

            OSPF Router with ID (10.0.4.1) (Process ID 1)

		Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.0.1.1        10.0.1.1        253         0x80000006 0x00D3F5 2
10.0.2.1        10.0.2.1        310         0x80000007 0x00D19D 3
10.0.3.1        10.0.3.1        504         0x80000007 0x007DC4 3
10.0.4.1        10.0.4.1        301         0x80000006 0x00CAC8 2

		Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.12.2       10.0.2.1        310         0x80000005 0x00F9FD
10.0.23.1       10.0.3.1        504         0x80000005 0x009951
10.0.34.2       10.0.4.1        301         0x80000005 0x0025B6

            OSPF Router with ID (172.16.201.254) (Process ID 10)

		Router Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum Link count
172.16.20.1     172.16.20.1     315         0x80000007 0x006F0F 3
172.16.200.254  172.16.200.254  347         0x80000006 0x0053C5 1
172.16.201.254  172.16.201.254  315         0x80000006 0x0057BD 1

		Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
172.16.200.254  172.16.200.254  347         0x80000005 0x00EEE7
172.16.201.254  172.16.201.254  315         0x80000005 0x00E5ED

		Summary Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
172.16.10.1     172.16.200.254  347         0x80000005 0x000664
172.16.10.1     172.16.201.254  315         0x80000005 0x00FE6A
172.16.100.0    172.16.200.254  347         0x80000005 0x0024ED
172.16.100.0    172.16.201.254  315         0x80000005 0x001DF3

		Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
172.16.110.1    172.16.200.254  347         0x80000005 0x0059DC 3489661028
172.16.110.1    172.16.201.254  315         0x80000005 0x0052E2 3489661028
SP4#   
SP4#
SP4#
SP4#show ip ospf database external 172.16.110.1

            OSPF Router with ID (10.0.4.1) (Process ID 1)

            OSPF Router with ID (172.16.201.254) (Process ID 10)

		Type-5 AS External Link States

  LS age: 350
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 172.16.110.1 (External Network Number )
  Advertising Router: 172.16.200.254
  LS Seq Number: 80000005
  Checksum: 0x59DC
  Length: 36
  Network Mask: /32
	Metric Type: 1 (Comparable directly to link state metric)
	TOS: 0 
	Metric: 21 
	Forward Address: 0.0.0.0
	External Route Tag: 3489661028

  LS age: 319
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 172.16.110.1 (External Network Number )
  Advertising Router: 172.16.201.254
  LS Seq Number: 80000005
  Checksum: 0x52E2
  Length: 36
  Network Mask: /32
	Metric Type: 1 (Comparable directly to link state metric)
	TOS: 0 
	Metric: 21 
	Forward Address: 0.0.0.0
	External Route Tag: 3489661028

SP4#   
SP4#
SP4#
SP4#show ip bgp vpnv4 rd 100:1 172.16.10.1/32
BGP routing table entry for 100:1:172.16.10.1/32, version 8
Paths: (1 available, best #1, table CUST-A)
  Not advertised to any peer
  Local
    10.0.1.1 (metric 4) from 10.0.1.1 (10.0.1.1)
      Origin incomplete, metric 2, localpref 100, valid, internal, best
      Extended Community: RT:1:100 OSPF DOMAIN ID:0x0005:0x0000000A0200 
        OSPF RT:0.0.0.10:2:0 OSPF ROUTER ID:172.16.100.254:0
      mpls labels in/out nolabel/21
SP4#
SP4#
SP4#show ip bgp vpnv4 rd 100:1 172.16.110.1/32
BGP routing table entry for 100:1:172.16.110.1/32, version 11
Paths: (1 available, best #1, table CUST-A)
  Not advertised to any peer
  Local
    10.0.1.1 (metric 4) from 10.0.1.1 (10.0.1.1)
      Origin incomplete, metric 21, localpref 100, valid, internal, best
      Extended Community: RT:1:100 OSPF DOMAIN ID:0x0005:0x0000000A0200 
        OSPF RT:0.0.0.0:5:0 OSPF ROUTER ID:172.16.100.254:0
      mpls labels in/out nolabel/23
SP4#

7) As you can see, SP3 and SP4 are generating the same “tag” 3489661028 for the LSA5 172.16.110.1/32 (because they are in the same ASN 100). So as the receiving LSA for the other SP in the same Area 10 has the same tag, SP3/SP4 ignore the LSA. And again, the BGP prefix is installed in the routing table instead of the OSPF AD110 172.16.110.1/32 and we dont have a routing loop.

Day: 26 April 2020

Git Basics

GNS3: PE-CE OSPF, Down Bit and External LSA