Sorry, I updated some of the naming used below. Please respond to this email instead.

On Mon, Feb 7, 2011 at 4:27 PM, Eric Rioux <[email protected]> wrote:
> Hi all,
>
> I am hoping to get confirmation of a problem I ran into recently. Before I
> post the configs I will say that I was very confident I knew what the
> problem was the moment I saw the configs, but certain people need more
> convincing...
>
> Here's an idea of what the PE configs look like:
>
> router ospf 100 vrf VPN_BROKEN
>  router-id 1.1.1.1
>  log-adjacency-changes
>  capability vrf-lite
>  area 0 sham-link 10.10.10.1 10.10.10.2 cost 10
>  area 0 sham-link 10.10.10.1 10.10.10.2 cost 10
>  redistribute bgp 1 subnets
>  network 192.168.1.1 0.0.0.0 area 0
>  network 192.168.1.3 0.0.0.0 area 0
>
> router bgp 1
>  !
>  address-family ipv4 vrf VPN_BROKEN
>   redistribute connected route-map SHAMLINK
>   redistribute ospf 100 vrf VPN_BROKEN match internal external 1 external 2
>   no synchronization
>  exit-address-family
>
> And here's an idea of the CE config:
>
> router ospf 99 vrf LOCAL_VRF
>  router-id 1.1.1.2
>  log-adjacency-changes
>  capability vrf-lite
>  network 1.1.1.2 0.0.0.0 area 0
>  network 192.168.1.1 0.0.0.0 area 0
>
> And now for the problem description...
>
> After a reload of the PE router whose config is presented above, neither of
> the listed sham links came back up. The person who found & corrected the
> problem did so by creating distribute lists on the PEs to prevent the sham
> link routes getting into the routing table from the OSPF database.
>
> Now, what I am pretty sure happened after reload:
> 1. The redistribution between OSPF-BGP allowed the sham-link routes into
> OSPF on the CEs where they then transited the CE network.
> 2. The presence of capability vrf-lite on the PEs allowed the
> redistributed sham link LSAs to get back into the remote PEs with the
> routing bit set - allowing injection into the routing tables.
> 3. The sham links, now with routes via OSPF, failed to establish.
>
> When the sham links were brought up initially, they would have established
> based on the BGP routes (it's even possible "capability vrf-lite" was only
> added after the sham links were up). Because they function as demand
> circuits, the routing could change from BGP-based to OSPF-based and not
> actually cause the sham links to fail. It was only when they were taken
> down and then attempted to re-establish via OSPF-learned routes that they
> fully broke.
>
> If I'm right, I'm hoping someone has an even clearer explanation of why I'm
> correct. If I'm wrong, then perhaps someone can enlighten me!
>
> Thanks,
>
> Eric
>
