116 IPExpert MPLS OSPF as a PE CE routing protocol in L3VPN

Captions
What is going to be the behavior in our network if, as the PE-CE routing protocol, we actually used OSPF instead of using some other protocols? So what I have configured in the meantime is actually an OSPF process here, which is running on R5 as OSPF 57; here it's OSPF 1, and this is going to be in area 0. On this side this is going to be OSPF 68 on R6 and OSPF 1 on R8, and this is also running in area 0. So I have configured that between these interfaces here, and I have also redistributed OSPF into MP-BGP and I have redistributed from MP-BGP into OSPF. So this is the setup that we have right now.

So let's take a look if this actually works. I'm going to go to R7 and I'm going to run a very, very simple ping, source loopback 0, and I can ping from R7 to R8; this is no big deal. On R8, ping from R8 to R7 also works. So this is the running configuration of R7, and as you can see it's very, very basic: I'm just running OSPF 0 on all interfaces. This is the configuration on R5. So show run vrf shows me that here I'm running OSPF 57, and when you are running, when you're configuring OSPF for a VRF, this is what you need to specify. But mind you, you just need to do this once, so any subsequent reference to OSPF 57 will actually take you into this process in the VRF. So you don't have to type router ospf 57 vrf A every time, just the first time when you actually create the process.

Now the reason why I used OSPF 57, or why I didn't run OSPF 1 process, is because I only have OSPF 1 running in the main routing table. Now even though the OSPF process, generally speaking, is not relevant for the VRF routing, or shouldn't be relevant for VRF routing I should say, you cannot have the same process ID on multiple processes. So I need to have a separate process ID for this process running in the VRF. But because the OSPF process should be locally significant, I can run any number here without any consequences, or should be without any consequences. So here I have redistributed BGP
subnets. So let's go back here, and also in BGP I have redistributed OSPF 57 into the VRF. So I have pretty much replicated the configuration that I already had with EIGRP. On the R8 side the configuration is just about the same: I have OSPF process 1, I have the network statement running on all the interfaces. And on R6 I have pretty much the same configuration, except on this side I have actually used OSPF process 68. Again, I have redistributed from BGP into OSPF and from OSPF into BGP, and hence I do have reachability end to end.

Now if I take a look on R7 at show ip route ospf, I am getting two routes. These routes here are external routes. Now it's perfectly understandable why these are external routes: they're external routes because at this point here I have redistributed them from multi-protocol BGP and I have actually injected them into the OSPF process. When we redistribute the routes, the PE router here becomes the ASBR and it injects the routes as type 5 LSAs. This is all perfectly fine.

Now the task in the lab says: make sure that 10.0.0.8 and this route 10.6.8.0/24 is visible on R7 as an inter-area route, so not as an external route like we have now but as the inter-area route. I can see a couple of problems with that. One is, this is area 0 and this is area 0. If I ran, let's say, a tunnel or something between them, the best thing that I can do is make them intra-area routes. But how can I have a divided area 0? I cannot have that. Well, you cannot have that in traditional OSPF, where all areas must connect to area 0. When you are dealing with OSPF in MPLS VPNs there is one more level of hierarchy. So in traditional OSPF what we have is the rule of hierarchy, where we have the backbone area and all other areas must connect to the backbone. So if you had multiple non-backbone areas, they would all need to connect to the same backbone area, right? All these here would need to connect to our common shared backbone. So this would need to
connect here, this would need to connect here, and let's say that we had another area here, that would need to connect to that backbone area. Why? Because we need to have that hub-and-spoke communication between the areas, right? So this is in traditional OSPF.

Now OSPF in the MPLS VPN scenario actually introduces one more level of hierarchy, because here in multiple sites, multiple independent sites, we can actually have the backbone area that connects to non-backbone areas. So we can have this setup in multiple sites, so we can have multiple independent backbones in our case. Now all these backbones are connecting to something that is called the super backbone. Now super backbone is just a fancy name for another protocol that is also commonly called multi-protocol BGP. So multi-protocol BGP acts as something that we call the super backbone.

Now the rules of hierarchy for OSPF in MPLS VPN are: if there is a backbone in the site, so backbone here, I mean area 0, it must directly connect to the super backbone. So if we have area 0 in a site, it must be directly connected to the super backbone or it must be extended to it. Now how do we extend it? Either using virtual links or GRE tunnels. Now in plain English this means that area 0 must be present on the PE device inside the VRF.

Now rule number two: if there is no backbone in the site, it can freely connect to the super backbone. Now inside the site the rules still apply: non-backbone areas must connect directly to the backbone. But we can also have another site that doesn't have area 0, and in that case it's okay for this non-backbone site to actually connect directly to the super backbone. But if you do have a backbone in the site, if you do have area 0, you can connect to the super backbone.

Now if we have this level of hierarchy, these levels of hierarchy, then it is entirely conceivable how we could actually get inter-area routes. Now the way we could get inter-area routes is we could inject them here from this, say, backbone area; we
could inject them into the super backbone, and when they are advertised back here they would simply be injected as type 3s. Now we will all remember the split horizon rule, that when we are receiving the type 3s from a non-backbone area going into the backbone area they are going to be rejected. But look, in this case it is OK, because the super backbone is just an area that sits above the backbone. So our level of hierarchy is still maintained; the split horizon still kind of works.

But the problem here is that I already have this set up, but my setup is actually even simpler, because in my setup all I have is the super backbone and two backbone sites, so I don't even have non-backbone areas. So what I have here is I have the route that is advertised to the super backbone and it's coming in here, but it's coming as external. Well, it's coming as an external because my OSPF treats this side and this side here as separate domains. So this one here is going to be, let's call it, the red domain, and this one here is going to be a blue domain.

Now these domains actually have their own technical identity; let me show you that. So I cannot see that on R7. This is all PE based, so this has nothing to do with customer edge devices; this is all happening on the PE. So now I'm on R5. If I do show bgp vpnv4 unicast vrf A, so I want to see the route for 10.0.0.7, take a look at this: it says OSPF domain ID and then I have this large number here. Now this is the domain ID type, and it's one of those situations where, you know, sometimes you have known something and you have forgotten it, and then you tell people "I've known this some time in the past". In my case I have never actually known what the domain type 5 means. Now I know many things, but this is one of those things that I just never actually bothered to figure out. Also I'm not entirely sure what this 0200 means, but I don't think that this counts against me knowing what this here is. This here is the actual value of
the domain, and we can see that it is a hex value, 00 00 00 39. Now the important thing here is, one, two, three, four: these are four octets, four bytes, 32 bits. So this 39 here is an actual value of the domain. So let's go here; so this would be the domain that is on the red side, so it is 0x39, which incidentally, if you translate it, will be 57. And here you might be seeing where I'm going with this. And this is the domain that is identified for R8's route, or the route learned from R6. So my blue domain here has the value of 0x44, which incidentally is value 68. In other words, this was the OSPF process ID on R5 and this one here was the OSPF process ID on R6.

So if you remember back in those days of CCNA, or CCNP even, when you were learning about OSPF, and when the books told you that you can use whatever process number you like, it's locally significant and it doesn't really matter: well, as it turns out, sometimes there are situations when this process number actually does matter. So now, because my OSPF process on R5 here, so this is happening on R5, thinks that the routes arriving from R6, going into the super backbone and back into R5, are actually from a different domain, it is going to inject these routes from the super backbone as external routes. Now if my domain here and my domain here actually matched, when these routes would have been inserted they'd have been inserted as inter-area routes. So I have to find a way to match this domain to this domain here.

Now the easiest solution would be to actually change the process numbers, but let me show you the solution without actually changing the process numbers. So I'm going to go to R5. Again, a reminder: this is strictly happening on provider edge devices; customer edge devices, in our case R7 and R8, have nothing to do with this. So on R5 I'm going to go into router ospf 57, and here I can configure the actual domain ID. Now I can say
that I don't want any domain ID, or I can specify the type followed by the value, or I can simply specify the domain ID. Now let's use 56.56.56.56. Now it helps if you clear IP routes, clear ip route vrf A *; this will speed up the process just a little bit. So here if I take a look at these routes now, this is the domain: I have 38 38 38 38, which in hex is really 56 56 56 56 decimal. So now I'm going to do the exact same thing on R6. I'm going to go to router ospf 68, I'm going to say domain-id 56.56.56.56, and of course it helps if you type correctly. Again, clear ip route vrf A *, just to speed things up a little bit. So if I go to R5 now I will see... okay, maybe I didn't speed them up enough, so let's wait just a second. There we go, now it happened. So this is the route for 7, this is the domain; and this is the route for 8, and this is the domain. So now I can see that the domains actually match.

If I go to R7 and if I do show ip route ospf, now these routes are inserted as inter-area routes. So as you can see here, I have done no changes on R7 in the meantime, I have done no changes on R8 in the meantime, and yet here the routes are now showing up as inter-area, because now my OSPF on these two routers is treating these two here as the same domain. So this is now the same domain, the one on R5, this is the same domain; two sites but the same domain. So now the routes that are being injected are actually inter-area. The question that I had there is: do I need to change the domain ID to match for inter-area routes to happen? The answer is yes, because if the domain ID on this side and this side doesn't match, the routes will be injected as external routes. If you are receiving the route with the same domain ID as is configured locally for that process, if that is the case, then the routes will be injected as type 3 routes. So if the domain IDs don't match, external; if they do match, inter-area.

Now that this is clear, I'm going to make our example here
just a little bit more complicated. So our example involved a couple of routers and they were all running OSPF and MPLS and everything that we've done, so I'm just buying myself time now because I want to drag one other thing here into the mix. So this is the new network here that we are going to be running. So the only change that we are going to have here is now that there is this link between R7 and R8. So we are still running OSPF here, so this is OSPF area 0; we are still running OSPF here, this is still OSPF area 0. Now what I want to run here is also OSPF in area 0. And I'm going to repeat that: what I'm going to show you next is completely unrelated to the domain IDs, so they are now completely irrelevant. I was doing that, that was one exercise; this is now a completely unrelated problem.

So let me bring my routers in and I'm going to bring up the link. So interface FastEthernet 0/1, no shutdown, and the link here, interface FastEthernet 0/1, no shutdown. So this is the configuration that I have on FastEthernet 0/1, and you can see that these are configured as point-to-point. Again, this is also irrelevant; the only reason why they're configured as point-to-point is so that my OSPF could converge maybe a little bit faster than if they were just configured as broadcast. So again, FastEthernet 0/1 on this side, and on this side of course I haven't configured it, so really so much about faster convergence. So let me then remove it on this side here, just to have some consistency; I don't know why it wasn't configured on the other side. So if I do show ip ospf interface brief, I'm now in the wait state, so I need to be patient for a little while.

So now we have patiently waited for the wait time to expire, and our OSPF here is now converged. So what we have is area 0 here on the back, and we have our super backbone or our MP-BGP here. So this is where we have our super backbone or MP-BGP. Now my task is very simple: this link here between R7 and R8 is extremely expensive. What I
want to do is I want the traffic between these two loopbacks to actually take this path here. So instead of taking the shortcut link, the backdoor link here, I want to take this traffic to go across my MPLS cloud. Now let's take a look at what's the situation right now. So if I do show ip route ospf, I will see that my path to reach the loopback 0 of R8 is actually now using that backdoor link. Why is it using that backdoor link? Well, because it probably has the lower cost; it has cost 2. So let me address that right away. I know the solution, this is going to be an easy one, this is the easiest task in the lab. I'm going to say ip ospf cost, what is the maximum cost, 65535, yeah, that'll do it. So I'm going to do show ip route ospf, but I need to wait maybe just a couple more seconds. So about now, if I take a look at this, this didn't quite work: I'm still using the backdoor link here, and the cost is now 65536. Why would that be?

Well, we have to go back to the basics of OSPF. Now the basics of OSPF say that the routes are divided into three categories: internal routes, inter-area routes and external routes. Now this is the order of preference, right? So if I have an internal route, no matter what the cost on it, it will always be better than the inter-area route. So if I go back to this example that I have, I have the super backbone and I have a backbone here and I have a backbone here, and these are my connections. Now this route here, learned over this backbone link, will always be better than the inter-area route that goes this way. So this route will never be used as long as I'm getting the route here. But this is a backup link; I can't just get rid of this link. I still need to have this route in my database, but I have to find a way to actually prefer this path here. What I need to do here is somehow interconnect my two sites; these are actually two sites, so there is a separation here. So I need to find a way to interconnect these two sites through the super backbone area in
such a way that these routes actually show up as internal routes on this side. Now in regular OSPF, if I had area 0 and I had area 50 here and I had area 0, I could always run a virtual link here. Now the problem with this approach here is that the super backbone here is not an OSPF area. There are no LSAs in this area, so a virtual link unfortunately is out of the question. But despair not, there is another solution. That other solution is very similar to the virtual link, but it's not exactly the same, and it's called the sham link.

Now sham link, and I am again going to do my emphasis thing, sham link is quite possibly the most complex thing that you might be asked to configure in the lab. Now on its own the configuration for the sham link itself is incredibly simple; it's a one-command line, it's just area X sham-link source destination, done. But what you need to have in place for the sham link to work is an incredible set of prerequisites. You need to have IP routing in your backbone set, you need to have a fully functional MPLS, you need to have a fully functional MPLS VPN, you need to have a fully functional PE-CE, and you need to have full reachability between your PE and CE in the site. Then you need to have an operational backdoor link, you need to have operational OSPF on the backdoor link, you need to have redistribution between BGP and OSPF in place. Then you need to create new interfaces on the PE routers; those interfaces must be advertised in BGP but not inside OSPF, and they need to be inside the VRF. Then you need to have reachability between those loopbacks, then you need to advertise, then you need to create a sham link, and then you may need to perform traffic engineering. Try to repeat that. Well, you see what I was talking about: it's an incredibly complex set of prerequisites, an incredibly complex set of things that must be in place for the sham link to even have a hope of fixing the problem.

So that said, let's write some of those down so that you have at least some checklist of things that
you might need to do when you are implementing a sham link. So my assumption here is that backbone IP routing is in place, that MPLS is in place, the MPLS VPN is in place, that OSPF as PE-CE is in place. So at this point here you're actually starting the sham link configuration, so these are the prerequisites.

So, sham link steps. You need new loopback interfaces on your PE routers in the VRF, so not in the main routing table but in the VRF where you're trying to solve this problem. Number two: the loopbacks must be advertised into multi-protocol BGP but not in OSPF PE-CE. Number three: the PE router must be an ABR, actually this step is, okay, must be an ASBR. The best way to ensure that the PE is an ASBR is to actually configure something to redistribute, to actually redistribute from MP-BGP into OSPF. Now if you don't do this step, the OSPF process on the PE device will not even attempt to form a sham link, so it's very, very crucial that the PE is considered to be an ASBR. Now in most cases you don't actually have to worry about this, because you already have the redistribution between OSPF and MP-BGP; this is how you build your MPLS VPN to begin with. But I have seen some people who try to be very, very pedantic about the configuration, and they realize, "oh okay, I have a sham link there, so I don't actually have to redistribute", so they remove that redistribution statement and basically they bring down their sham link. So leave that redistribution in place, don't touch it, just make sure that your PE is the ASBR.

Now once you have this in place, what you need to do is actually build the sham link between your loopbacks, and finally you may need to perform some cost adjustments, so some cost modifications must be done to accommodate the solution. So these are the five steps that you need to do to build your sham link if you already have these prerequisites in place.

So let's build a sham link in our network and try to solve the problem of getting the traffic from the loopback of R7
across our MPLS backbone over to R8. So what I'm going to do next is I'm going to start with my steps. So I'm going to keep this here, just so that we can reference what are the steps that need to be done. So I'm just going to resize this so that I can have maximum space, but I will need, I believe, the full size of this note. But right now, so I need to create new loopbacks. I'm going to start from R5, so I'm going to say interface loopback, let's call it 56. This needs to be in the VRF. So which side are we using the new configuration? I believe it was on R6; show run, yeah, it was R6, okay. So here I would say ip vrf forwarding, so let me just bring that down, forwarding A, and let's give it an IP address, so ip address 10.5, or actually 10.0.0.5.

Now one thing about these loopbacks here, and let me write that here as a prerequisite that I forgot to mention: so the new loopback interfaces will be in the VRF, and these must be on separate subnets. The best way to ensure that is to actually use them as /32. Now in some versions of IOS there is actually a requirement for this to be /32, but I haven't seen that in recent days.

So the next thing that we need to do here, it says the loopbacks must be advertised into MP-BGP but not in OSPF. Now this "not in OSPF" is the step that is usually not mentioned in these steps here, but I have seen situations when the OSPF router, when the PE router, would refuse to even initiate the sham link if it had the endpoint of the sham link in the OSPF database. Now to avoid that situation, this is why I personally like to take the extra step to ensure this doesn't happen. So here I'm going to create a prefix list and I'm going to call it SHAM, and I'm going to say permit 10.0.0.5/32, and I'm also going to permit the other side. Then I'm going to have a route map, which is going to be BGP-to-OSPF, deny 10, and here I'm going to say match ip address prefix-list SHAM, and then I'm going to permit everything else. So basically I know that there is a redistribution between BGP and
OSPF, which I'm going to keep in place, and what I'm going to do is I'm going to prevent these loopbacks from actually making it into OSPF; I'm not going to be distributing them there. Then I'm going to say router bgp 56, address-family ipv4 vrf A, and here I'm either going to redistribute this loopback or I'm going to advertise it with the network statement. So I'm going to say network 10.0.0.5 mask, and finally here I will have router ospf, and this is on R5 so this is going to be 57 vrf A, and I'm going to say redistribute bgp 56 subnets route-map BGP-to-OSPF. So I want to have that in place, or I can maybe just resize this this way. And then at this spot I can build the sham link. So I'm going to say area 0, this is where I need the sham link, sham-link, I specify the source 10.0.0.5, destination 10.0.0.6, and I can specify the cost; if I don't specify the cost, the cost will actually be 1. So this is the configuration of the sham link on R5.

So I'm going to go to R5 and I'm going to paste the same. So now when I paste this in, on R6 here if I do show ip route vrf A I should be getting the route for R5's loopback. So let's see, maybe it just takes a little... there we go, so I'm getting the route for R5's loopback. So let's do the same configuration for R6. On the R6 side there are a couple of changes: so this is vrf forwarding, because of the new configuration, and this is going to be 6. Everything else remains pretty much the same until this point, where this changes to 68, sorry, this changes also to 6, and this is now reversed. So I'm going to go to R6 and I'm going to paste this in on R6. So now when this is in place, on R5, for the show ip route vrf A I should be getting, at some point soon enough... all right, there we go, I should be getting the route from R6, so there it is. And I can see here that there was a log message that the neighbor actually came up on the sham link. So if I do on R5 show ip ospf 56 neighbors, actually 57, sorry, neighbors, I should be seeing the neighbor here on
the sham link, and you can see that that neighbor actually used some other router ID from before, but remember, the router ID is not an IP address. So this here is actually R6, and I can see that we are now neighbors on the sham link. So if I go to R7 and if I do show ip route ospf, now take a look at the path that my traffic to R8 is going to take: it's going to take me directly to my MPLS backbone. So if I do a traceroute to here, I can see that it actually goes across the backbone.

So, problem solved? Not so fast, because on R8 the problem still exists. The reason why this actually worked on R7 was this, right? So this is that last step that I mentioned, that you might need to do some cost modifications. Now I am in a position to actually solve this problem, because now I'm actually getting an intra-area route from my super backbone, but on R8 this still has higher cost than this direct link. So I'm going to go on interface FastEthernet 0/1, I'm going to say ip ospf cost 10; that should be more than enough. I need to wait about ten seconds before I check for the route. So about now... oh, and I got it spot-on. So here on 10.0.0.7 now we can see that it actually goes to FastEthernet 0/0. So now we are in position and we can see the actual difference in metric: so here the metric is 2 and here the metric is 4, so this is the reason why I needed to change the cost. So now the traffic is actually going to be going across the MPLS backbone in both cases.

Now take a look at the difference in traceroutes, and this is really interesting because I actually forgot that we've done that. Now remember, some time ago we actually configured on R5 this command here, no mpls ip propagate-ttl forwarded. So this is now configured; look at the traceroute here: we're seeing 5 and immediately we are seeing 6. But on R6 we don't have that configured, so when I do the traceroute from R8, basically I'm seeing a much longer path here. I'm actually seeing my R2 and R4 in place there,
and they are actually showing me even the transport labels that were used, and I'm seeing the actual VPN labels that we use.
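
The five sham-link steps narrated in the captions above, written out as Cisco IOS configuration for R5. This is an added example reconstructed from the narration, not the instructor's own configuration file; the interface name Loopback56, the VRF name A and the exact spelling of the prefix-list and route-map names are assumptions taken from what is spoken. R6 mirrors it with OSPF process 68, its own loopback 10.0.0.6, `vrf forwarding A` in place of `ip vrf forwarding A`, and the sham-link endpoints reversed.

```ios
! R5 (PE) - added example, reconstructed from the narration
!
! Step 1: new loopback inside the customer VRF, as a /32
interface Loopback56
 ip vrf forwarding A
 ip address 10.0.0.5 255.255.255.255
!
! Step 2a: filter that keeps both sham-link endpoints out of OSPF
ip prefix-list SHAM permit 10.0.0.5/32
ip prefix-list SHAM permit 10.0.0.6/32
!
route-map BGP-TO-OSPF deny 10
 match ip address prefix-list SHAM
route-map BGP-TO-OSPF permit 20
!
! Step 2b: advertise the local endpoint into MP-BGP only
router bgp 56
 address-family ipv4 vrf A
  network 10.0.0.5 mask 255.255.255.255
 exit-address-family
!
router ospf 57 vrf A
 ! From the first exercise: same domain ID on both PEs
 domain-id 56.56.56.56
 ! Step 3: redistribution stays in place so the PE remains an ASBR;
 ! the route-map only removes the two sham-link endpoints
 redistribute bgp 56 subnets route-map BGP-TO-OSPF
 ! Step 4: source is the local loopback, destination the remote one;
 ! the cost defaults to 1 when not specified
 area 0 sham-link 10.0.0.5 10.0.0.6
!
! Step 5: cost adjustment on the backdoor link, done on the CE routers
! R7: interface FastEthernet0/1
!      ip ospf cost 65535
! R8: interface FastEthernet0/1
!      ip ospf cost 10
!
! Checks: "show ip route vrf A" on each PE must list the remote /32
! as a BGP route, and "show ip ospf 57 neighbor" on R5 must list R6
! over the sham link.
```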
Info
Channel: CCIEORDIE.COM
Views: 3,301
Id: bWSAQihRQeg
Length: 39min 5sec (2345 seconds)
Published: Fri Feb 02 2018