OSPF Down-bit and Capability vrf-lite

This topic is not only to understand what is the OSPF Down-bit or Capability vrf-lite feature, but the main purpose of this article is to eliminate a common confusion caused to many scouts specially those who are/were preparing for CCIE SP.

Assuming that you know the basics of MPLS L3VPN and how it works, a big issue appears when using OSPF as a PE-CE routing protocol specially when a CE or more are multi-homed to the same ISP. This network setup is exposed to possible routing loops to occur when CE1 advertise routes to PE1 then PE1 redistribute these routes to PE2 and then PE2 to CE2 then CE2 advertise them back to PE1 “Multi-homed”, here comes the importance of the Option field in OSPF LSA header, there is a bit called DN “Down-bit is described in RFC4577” inside this field, remember it is just 1 bit so that  there are no options more than 1 or 0, if this bit is set to 1 that means this route is already redistributed from a PE of an MPLS backbone, so that if it comes back to any vrf enabled router, that router will ignore the received LSA to prevent any possible routing loop to occur.

In our scenario PE1 will copy the OSPF cost to MED attribute and the OSPF local Domain-Tag* to the extended communities before sending the updates to PE2. PE2 will check the Domain-Tag in the extended communities to know which LSA type it has to originate and advertise to CE2. According to the superbackbone rules a PE acts as an ABR, which means if the Domain-Tag in the extended communities matches the local Domain-Tag on PE2, a summary LSA type 3 is generated and sent to CE2 and routes will appear as OIA but if Domain-Tags didn’t match an external LSA type 5 is originated, and according to RFC4577 Down-bit has to be set in LSAs type 3, 5 & 7.

Note: Cisco IOS platforms don’t follow the RFC and set the DN bit to LSAs type 3 only.

*Domain-Tag: It is the local OSPF process number, like in OSPF 2 so that the Domain-Tag will be 0.0.0.2 and used to determine the LSA type to be originated at the PE.

Actually Down-bit solved the possible routing loops issue, but another issue appeared when the receiving CE is a vrf enabled router like in Inter-AS option A** and if the customer is using vrf-lite feature, all LSA type 3 sent by a PE are rejected.

**Inter-AS option A: is known as Back-to-Back vrf option so each ASBR will act as a PE/CE at the same time.

Cisco came out with a feature called Capability vrf-lite, applying this feature will make a vrf enabled router ignores the Down-bit and accepts LSAs type 3.

As mentioned in the first two lines of this article, there is a common confusion happens to SP students when that –unexpected– behavior occur and think it is a bug in the IOS image.

Actually it is not the first time to hear the same question, but the answer is “No, it is not a bug“. Simply Capability vrf-lite disables all the PE specific checks including Domain-Tag check so that the PE will only generate LSAs type 5 from its side, Cisco fixed this in IOS-XR by specifying only DN bit check to be disabled using the command mentioned in the main question “disable-dn-check“.

Hope this topic was really useful…

recursive-lookup.com

Don’t miss our Articles & Podcasts!

We don’t spam! Read our privacy policy for more info.

Osama Aboelfath is co-founder at Recursive-lookup. Osama is a network engineer and developer with over 10 years of production network engineering, deployment & operation.

Leave a Reply