OSPF as PE-CE routing protocol in MPLS VPN

OSPF Domain: Two sites are considered to be in the same OSPF domain if the routes from one site to the other are treated as intra-network routes. Both sites run OSPF as their intra-site routing protocol. This can be done by presenting such routes as inter-area routes in Type 3 LSAs.

A PE router should run an independent instance of OSPF for each domain. If the PE is running OSPF as its IGP, that instance of OSPF should be separate from and independent of any other instance.

When OSPF is used to connect PE and CE routers, all routing information learned from a VPN site is placed in the VRF associated with the incoming interface. The PE routers that attach to the VPN use BGP to distribute VPN routes to each other. A CE router can learn the routes to other sites in the VPN by peering with its attached PE router.

If normal BGP/OSPF interaction procedures are implemented, the routes from one site are delivered to another site as external routes in Type 5 LSAs. This makes them impossible to distinguish from "real" external routes in the VPN. Hence, a modified version of the BGP/OSPF interaction procedure is implemented so that routes delivered from one site to another are at least inter-area routes.

If a VRF contains both an OSPF-distributed route and a VPNv4 route for the same IP prefix, then the OSPF-distributed route is preferred because of its lower AD. Hence, forwarding is done according to OSPF route. The only exception is when the sham-link is present.

BGP Extended Communities for OSPF PE/CE routing:

A Domain Identifier (Domain ID) is defined as BGP Extended Community which is carried with VPNv4 routes between PE routers. This Domain ID is used to identify the OSPF instance from which it was redistributed into BGP.

OSPF metric, OSPF Router-ID and OSPF Route-Type are also carried as BGP attributes of the route.

Inter-area, intra-area and external routes:

If the route is from an OSPF domain different from that of the OSPF instance into which it is being redistributed, or the route is not from an OSPF domain at all, then the route is considered an external route.

If the route is from the same OSPF domain as the OSPF instance into which it is being redistributed, and if it was originally advertised to the PE router as an external route or OSPF NSSA route, it will be treated as an external route. The PE router may advertise these routes to the CE router in Type 5 or Type 7 LSA or not at all- depending on the type of area to which PE/CE link belongs.

If the route is from the same OSPF domain as the OSPF instance into which it is being redistributed, and if it was originally advertised to the PE router as intra-area or inter-area route, it will be treated as inter-area routes delivered to the CE router in Type 3 LSAs.

PEs and OSPF Area 0:

The PE/CE link can belong to any area including area 0 for an OSPF domain. If the PE attaches to the CE using a non-zero area, then the PE router acts as an ABR for that area. The MPLS VPN backbone acts as a Super Backbone.

If the OSPF domain has area 0 routers other than PE routers, then one of those must be a CE router and must have an area 0 link to at least one PE router, using a virtual-link to the PE router. This is necessary because Area 0 should be contiguous, and so that inter-area and external routes can be leaked between PE routers and the non-PE OSPF backbone.

OSPF Domain Identifier:

Each OSPF instance must be assigned a unique Domain ID. On Cisco IOS, the OSPF Domain ID is the OSPF Process ID by default. The Domain ID is configurable using domain-id type <type-value> value <value> command from OSPF router configuration on the PE routers for a particular VRF instance.

The Domain ID is an 8-byte quantity that is a valid BGP Extended Community Attribute. When BGP distributes VPNv4 routes to other PE routers, the Domain ID is carried with the routes as extended community. When the PE router redistributes the VPNv4 routes to the OSPF domain, it checks the Domain ID to decide whether the routes should be redistributed as inter-area (same Domain ID) or external (different Domain ID) routes to the CE router.

Handling LSAs from the CE router:

For every address prefix installed in its VRF by one of its associated OSPF instances, the PE router should create a VPNv4 route in BGP. Each such route will have the following BGP Extended Community attributes:

1) OSPF Domain ID (8-bytes): In Cisco IOS, the Domain ID is set to the OSPF Process ID by default. The Domain ID is encoded with a 2-byte Type field, and its type is 0x0005, 0x0105 or 0x0205 (8005 for backwards compatibility). Cisco uses type 0x0005 by default. The next 2-bytes carry the actual Domain ID and the remaining 4-bytes are Unused.

Domain ID (2 bytes) | Unused (4 bytes)

2) OSPF Route Type (8-bytes): This attribute must be present. It is encoded with a 2-byte Type field and the type is 0x0306. The remaining 6 bytes are encoded as-

Area Number (4 bytes) | Route Type (1 byte) | Options (1 byte)

Area Number: 4-byte representation of area ID. For external routes, it is set to 0. Any non-zero number indicates internal (inter and intra area) route.

Route Type: 1-byte indicating the type of route.

1 or 2 - indicating intra-area routes

3 - indicating inter-area routes

5 - indicating external routes

7 - indicating NSSA routes

Options: 1-byte- used only if the route is type 5 or 7. If the least significant bit of the field is set to 1, it indicates the route carries a Type-2 metric for external routes. If not set, the metric is Type-1 metric.

3) OSPF Router ID (8-bytes): This attribute specifies the OSPF router-id of the system that is identified in the BGP Next Hop attribute. It specifies the OSPF router-id of the PE in the OSPF instance that installed the route in the VRF from which this route was exported. It is encoded in a 2-byte type field and its type is 0x0107. The remaining 6-bytes are encoded as-

Router ID (4 bytes) | Unused (2 bytes)

Router ID: 4-byte Router ID value.

Unused: 2-byte unused value- set to a random value in Cisco IOS.

4) MED- Multi-Exit Discriminator: By default, set to OSPF distance of the route + 1

BGP carries these attributes to provide enough information about the route, to enable the route to be converted back to OSPF "transparently".

Consider the following topology-

Case 1: Using the default Domain ID (= OSPF Process ID)

PE1# show ip bgp vpnv4 all 192.168.2.0

BGP routing table entry for 1:1:192.168.2.0/30, version 5

Paths: (1 available, best #1, table CUST1)

Flag: 0x820

Not advertised to any peer

Local

10.200.254.3 (metric 21) from 10.200.254.3 (10.200.254.3)

Origin incomplete, metric 0, localpref 100, valid, internal, best

Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000010200

OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:192.168.2.1:0

mpls labels in/out nolabel/18

The above output shows PE2 distributes 192.168.2.0/30 prefix to PE1 using BGP. PE2 has included all OSPF related BGP Extended communities. The underlined information in OSPF Domain ID (01) is the actual process ID 1. The route-type is set as LSA Type-2 (intra-area) route. The Router ID is the router-id of PE2 router set for that VRF instance.

CE1# show ip route 192.168.2.0 255.255.255.252

Routing entry for 192.168.2.0/30

Known via "ospf 1", distance 110, metric 74, type inter area

Last update from 192.168.1.1 on Serial0/0, 00:00:10 ago

Routing Descriptor Blocks:

* 192.168.1.1, from 192.168.1.1, 00:00:10 ago, via Serial0/0

Route metric is 74, traffic share count is 1

Since the Domain IDs on both PE routers match, PE1 redistributes 192.168.2.0/30 prefix to CE1 router as inter-area route (Type-3 LSA).

Case 2: Domain ID is manually configured in OSPF VRF instance on PE2- Domain ID = 777 (Hex-data= 000000000309)

PE2(config)# router ospf 1 vrf CUST1

PE2(config-router)# domain-id type 0005 value 000000000309

PE2(config-router)# do clear ip bgp *

PE1# show ip bgp vpnv4 all 192.168.2.0

BGP routing table entry for 1:1:192.168.2.0/30, version 8

Paths: (1 available, best #1, table CUST1)

Flag: 0x820

Not advertised to any peer

Local

10.200.254.3 (metric 21) from 10.200.254.3 (10.200.254.3)

Origin incomplete, metric 0, localpref 100, valid, internal, best

Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000000309

OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:192.168.2.1:0

mpls labels in/out nolabel/19

PE2 router distributes 192.168.2.0/30 prefix with Domain ID 000000000309. PE1 matches that with its own Domain ID (kept as default here) before redistributing the prefix to CE1 router. Since the Domain IDs don't match, PE1 advertises the prefix as an External Type-2 (since the Options field LSB is not set) prefix to CE1 router.

CE1# show ip route 192.168.2.0 255.255.255.252

Routing entry for 192.168.2.0/30

Known via "ospf 1", distance 110, metric 10

Tag Complete, Path Length == 1, AS 100, , type extern 2, forward metric 64

Last update from 192.168.1.1 on Serial0/0, 00:00:06 ago

Routing Descriptor Blocks:

* 192.168.1.1, from 192.168.1.1, 00:00:06 ago, via Serial0/0

Route metric is 10, traffic share count is 1

Route tag 3489661028
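
The Domain ID comparison from Case 1 and Case 2 can be replayed offline, which helps when auditing a VRF for a Domain ID mismatch that silently turns a customer's inter-area routes into externals. The following is an added example, not code from the original article or from Cisco IOS: the function names are hypothetical, the six bytes after the Domain ID type field are compared as an opaque value exactly as the show output prints them, and a route with no Domain ID community is assumed to be "not from an OSPF domain".

```python
import ipaddress
import struct

DOMAIN_ID_TYPES = {0x0005, 0x0105, 0x0205, 0x8005}  # type codes listed on the page
ROUTE_TYPE, ROUTER_ID = 0x0306, 0x0107

# Constructed from the "show ip bgp vpnv4" output in Case 1 and Case 2.
CASE1 = [bytes.fromhex("0005000000010200"),   # OSPF DOMAIN ID:0x0005:0x000000010200
         bytes.fromhex("0306000000000200"),   # OSPF RT:0.0.0.0:2:0
         bytes.fromhex("0107c0a802010000")]   # OSPF ROUTER ID:192.168.2.1:0
CASE2 = [bytes.fromhex("0005000000000309")] + CASE1[1:]
PE1_DOMAIN_ID = "000000010200"                # PE1 keeps the default in both cases

def parse_ospf_ext_community(raw):
    """Decode one 8-byte OSPF extended community into a dict."""
    if len(raw) != 8:
        raise ValueError("extended community must be exactly 8 bytes")
    (ctype,) = struct.unpack("!H", raw[:2])
    body = raw[2:]
    if ctype in DOMAIN_ID_TYPES:
        # Kept opaque: only equality with the local Domain ID matters.
        return {"kind": "domain-id", "type": ctype, "value": body.hex()}
    if ctype == ROUTE_TYPE:
        area, rtype, options = struct.unpack("!IBB", body)
        return {"kind": "route-type", "area": str(ipaddress.IPv4Address(area)),
                "route_type": rtype, "type2_metric": bool(options & 0x01)}
    if ctype == ROUTER_ID:
        rid, _unused = struct.unpack("!IH", body)
        return {"kind": "router-id", "router_id": str(ipaddress.IPv4Address(rid))}
    raise ValueError(f"not an OSPF extended community type: {ctype:#06x}")

def lsa_for_ce(local_domain_id, communities):
    """Return how the receiving PE presents the route to its CE."""
    parsed = {c["kind"]: c for c in map(parse_ospf_ext_community, communities)}
    if "route-type" not in parsed:
        raise ValueError("OSPF Route Type community must be present")
    remote = parsed.get("domain-id")
    # Assumption: a missing Domain ID means the route is not from an OSPF domain.
    if remote is None or remote["value"] != local_domain_id.lower():
        return "external"
    if parsed["route-type"]["route_type"] in (5, 7):
        return "external"                     # Type 5 or Type 7 LSA, or not at all
    return "inter-area (Type 3 LSA)"

if __name__ == "__main__":
    for name, comms in (("Case 1", CASE1), ("Case 2", CASE2)):
        print(name, "->", lsa_for_ce(PE1_DOMAIN_ID, comms))
```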

Further reading:

1) RFC 4577: OSPF as PE/CE routing protocol in MPLS VPN http://www.faqs.org/ftp/rfc/pdf/rfc4577.txt.pdf

2) http://fengnet.com/book/IOS_MPLS/ch05lev1sec1.html