Hi guys,

The DN-bit is not set on external LSAs because the options field in the LSA where that bit is set does not exist for type-5 LSAs. To handle loop-prevention for type-5's there is another feature known as the domain-tag which essentially does the same exact thing.

HTH

On Mon, May 17, 2010 at 6:44 AM, Marcel Lammerse <[email protected]> wrote:
> Hi Rick,
>
> You can turn the ospf routes into external routes (as opposed to inter-area
> routes), by making sure the domain-ids are different for the ospf
> redistributed routes in mbgp. The domain-id is derived from the ospf process
> number, but it can be configured with the domain-id command as well.
>
> The DN-bit is not set on the (type-5) lsas sent to the ce (although rfc4577
> says they should be), hence the ce will import the routes into its vrf.
>
> The question which then remains, is how does this affect the loop prevention
> mechanism? What would happen if the ce re-advertises the type-5 lsa back to
> the pe?
>
> Well, as part of the redistribution process, OSPF route tags are set to
> indicate which domain the information originated from. If a pe receives an
> OSPF update with its own tag, it will detect the loop and ignore it.
>
> From reading the rfc, it seems the specifics are slightly
> implementation-dependent, but this is how ios does it.
>
> kind regards,
> Marcel
>
> On 17/05/2010, at 05:25 , Rick Mur wrote:
>
>> The explanations by Joe and Marcel are very good. As you are planning to lab
>> and debug this, here's a free IPexpert lab task :-)
>>
>> You have a CE that is running OSPF in a VRF (VRF-lite) that is connected to
>> a PE which is redistributing routes from MP-BGP into OSPF.
>> Now ensure that these routes get in the routing table of the CE without
>> using the 'capability vrf-lite' command!
>>
>> --
>> Regards,
>>
>> Rick Mur
>> CCIE2 #21946 (R&S / Service Provider)
>> Sr. Support Engineer – IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>> On 15 May 2010, at 14:01, Marcel Lammerse wrote:
>>
>>> Hi Rob,
>>>
>>> it is used in an mpls-based vpn scenario, where the ce speaks ospf with the
>>> pe. In order to enable routing to remote vpn sites, the pe has to
>>> redistribute mbgp prefixes into ospf with the DN-bit set. The DN-bit is
>>> used as a loop prevention mechanism, because if an ospf update with the
>>> DN-bit set would somehow reach the pe, it should not accept the update into
>>> the vrf again.
>>>
>>> However, let's say you have vrf lite with ospf to the pe configured on the
>>> ce, this becomes a problem. Because the ce will not import any routes that
>>> have the DN-bit set into the vrf and you would not be able to route to the
>>> remote vpn sites. By configuring the capability vrf-lite command, the
>>> filtering rule is relaxed and the pe routes will be imported into the vrf
>>> on the ce.
>>>
>>> Therefore, to answer your question, you would see the DN-bit set on lsas
>>> received from a pe that redistributes mbgp routes into ospf.
>>>
>>> HTH
>>> Marcel
>>>
>>> On 14/05/2010, at 11:04 , Robert Simmons wrote:
>>>
>>>> All,
>>>>
>>>> Can anyone shoot me a quick scenario where I would need to use the
>>>> capability vrf-lite command? I need something where I can actually look at
>>>> debugs and in the ospf database to see the DN bit checked?
>>>>
>>>> Thanks
>>>>
>>>> -Rob
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training, please
>>>> visit www.ipexpert.com

--
Regards,

Joe Astorino - CCIE #24347
Sr. Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
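
The two loop-prevention checks discussed in this thread (the DN bit and the domain tag on type-5 LSAs, plus the relaxation from `capability vrf-lite`), as an added Python example that is not from any poster and is not IOS code. The sample LSAs, AS 65000, tag 100 and all function names are constructed for illustration; the default tag layout follows RFC 4577.

```python
import struct

DN_BIT = 0x80  # DN bit: high-order bit of the LSA Options octet (RFC 4576)
HDR = "!HBB4s4sIHH"  # age, options, type, LS ID, adv router, seq, checksum, length

def default_vpn_route_tag(as_number):
    """RFC 4577 default tag: bits 1101, twelve zero bits, 16-bit AS number."""
    return 0xD0000000 | (as_number & 0xFFFF)

def build_lsa(ls_type, options, tag=0):
    """Constructed sample LSA (checksum left at 0, not validated here)."""
    mask = bytes([255, 255, 255, 0])
    if ls_type == 5:   # mask, E-bit/metric, forwarding address, route tag
        body = struct.pack("!4sI4sI", mask, 20, bytes(4), tag)
    else:              # type-3 summary: mask, metric
        body = struct.pack("!4sI", mask, 10)
    hdr = struct.pack(HDR, 1, options, ls_type, bytes([10, 1, 1, 0]),
                      bytes([192, 0, 2, 1]), 0x80000001, 0, 20 + len(body))
    return hdr + body

def parse_lsa(raw):
    """Extract LSA type, DN bit and (type-5 only) the external route tag."""
    _, options, ls_type, _, _, _, _, length = struct.unpack(HDR, raw[:20])
    if length != len(raw):
        raise ValueError("LSA length field does not match buffer")
    tag = struct.unpack("!I", raw[32:36])[0] if ls_type == 5 else None
    return {"type": ls_type, "dn": bool(options & DN_BIT), "tag": tag}

def vrf_process_accepts(lsa, own_tag, vrf_lite=False):
    """Loop-prevention decision of an OSPF process bound to a VRF."""
    if vrf_lite:                      # 'capability vrf-lite' relaxes both checks
        return True
    if lsa["dn"]:                     # DN bit set: came from a PE, do not use
        return False
    if lsa["type"] == 5 and lsa["tag"] == own_tag:
        return False                  # our own domain tag came back: loop
    return True

if __name__ == "__main__":
    pe_tag = default_vpn_route_tag(65000)  # AS 65000 is a constructed value
    for name, raw in [("type-3 with DN", build_lsa(3, DN_BIT)),
                      ("type-5 own tag", build_lsa(5, 0, pe_tag)),
                      ("type-5 other tag", build_lsa(5, 0, 100))]:
        lsa = parse_lsa(raw)
        print(name, vrf_process_accepts(lsa, pe_tag),
              vrf_process_accepts(lsa, pe_tag, vrf_lite=True))
```
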
