
Hub Spoke VPN with PE-CE OSPF

‎01-25-2016 07:42 PM

Hi bros.

 

I have a VPN hub-and-spoke topology. For the CE-PE routing protocol I used OSPF. At the Hub PE, I had two VRFs (CE-SPOKE and HUB-VPN).

 

At CE-SPOKE vrf, I received all routes from Spoke CE (172.80.0/24)

root@M5X> show route logical-system AS1-PE-02 table CE-SPOKE.inet.0

CE-SPOKE.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.80.0.0/24 *[BGP/170] 00:08:10, MED 0, localpref 100, from 203.162.1.5
AS path: I, validation-state: unverified
> to 10.10.10.9 via ge-1/1/3.0, label-switched-path LSP-TO-1.5
and from HUB-CE, it also had this route

 

root@E4200-03> show route table HUB-CE.inet.0 protocol ospf 172.80.0.0

HUB-CE.inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.80.0.0/24 *[OSPF/150] 00:24:05, metric 0, tag 3489700928
> to 10.10.8.1 via ge-0/0/23.10

But in the HUB-VPN VRF at HUB-PE, I did not find this route, although it appeared in the OSPF database

> show route logical-system AS1-PE-02 table HUB-VPN.inet.0 172.80.0.0 

root@M5X> show ospf database logical-system AS1-PE-02 instance HUB-VPN lsa-id 172.80.0.0 extensive
OSPF AS SCOPE link state database
Type ID Adv Rtr Seq Age Opt Cksum Len
Extern 172.80.0.0 10.10.8.1 0x80000001 1579 0xa2 0x2f3b 36
mask 255.255.255.0
Topology default (ID 0)
Type: 2, Metric: 0, Fwd addr: 0.0.0.0, Tag: 208.0.156.64
Aging timer 00:33:41
Installed 00:26:17 ago, expires in 00:33:41
Last changed 00:26:17 ago, Change count: 1

 

So, what happens? And how to fix it?


Re: Hub Spoke VPN with PE-CE OSPF

‎01-25-2016 10:47 PM

Could you please provide the current configuration (and preferably the network topology) in order to better understand what you are doing?

 

Thanks,

Carsten


Re: Hub Spoke VPN with PE-CE OSPF

‎01-27-2016 06:26 PM

Yeah, here is my topology

 

CE(SPK1)----------PE(SP1)------------------  PE-HUB(vrf-hub)------------------CE(HUB)

                                                                         PE-HUB(vrf-spk) ----------------------CE(HUB)

From CE(SPK1) I advertised a route 10.10.10.1 as LSA Type 1. Of course PE-SP1 will receive this route as LSA Type 1, and it advertises this route (10.10.10.1) as MP-BGPVPN to PE(HUB). And CE-HUB will obtain this route.

In theory, this route (10.10.10.1) will be advertised to PE-HUB as LSA Type 3, but with Junos, I see it will be LSA Type 5 ???

And if I change something at PE-HUB, it will be LSA Type 3, but in PE-HUB vrf-spk, it has only the LSA without a route. I mean, the OSPF database cannot calculate a route based on this LSA.


Re: Hub Spoke VPN with PE-CE OSPF

‎01-27-2016 11:26 PM

Ok, first of all, if you receive a route from another PE router via MP-BGP and export it via OSPF to your CE router it will be of type-5 by default. That's standard OSPF behaviour as the route is originated in another protocol. In case you want to export it as a type-3 LSA you need to configure the domain-id in the VRF to be the same. From your output, I see that the prefix you mentioned is still type-5 (BTW, the prefix and the VRF naming in your show outputs and the topology are not consistent).

 

If I understand you correctly, then CE(HUB) receives the prefix correctly from PE-HUB/vrf-hub but PE-HUB does not get it readvertised from the CE router on vrf-spk, right? Can you give us a clue about the OSPF areas? Everything configured to area 0?

 

Cheers,

Carsten


Re: Hub Spoke VPN with PE-CE OSPF

‎01-28-2016 02:17 AM

Thanks for following up on my post, please find the attachment for more details about my topology.

Let me describe briefly.

PE-HUB has two vrf, one called CE-SPOKE (would import all routes from other PEs), one called HUB-VPN (would export all routes to other PE).

Here is my advertisement.

SPOKE1-CE advertised 190.90.90.1/32 as direct routes into SP1-PE, and of course this route could be LSA Type 1

root@SRX-02> show ospf database instance SPOKE-VPN lsa-id 190.90.90.1

OSPF database, Area 0.0.0.0
Type ID Adv Rtr Seq Age Opt Cksum Len
Router 190.90.90.1 190.90.90.1 0x80000004 2676 0x22 0x155f 60

 

SP1-PE advertised this route via MP-BGP. And, HUB-PE would get this route, at CE-SPOKE vrf

root@M5X> show ospf database logical-system AS1-PE-02 instance CE-SPOKE lsa-id 190.90.90.1

OSPF database, Area 0.0.0.0
Type ID Adv Rtr Seq Age Opt Cksum Len
Summary *190.90.90.1 10.10.8.1 0x80000004 944 0xa2 0x45e1 28

 

Of course, here, I configured domain-id at SPOKE-PE (vrf SPOKE) and HUB-PE (vrf CE-SPOKE). You are right.

But, at HUB-PE vrf HUB-VPN, I did not find this route although this LSA had appeared in ospf database

 

root@M5X> show ospf database logical-system AS1-PE-02 instance HUB-VPN lsa-id 190.90.90.1

OSPF database, Area 0.0.0.0
Type ID Adv Rtr Seq Age Opt Cksum Len
Summary 190.90.90.1 10.10.8.1 0x80000004 1098 0xa2 0x45e1 28

root@M5X> show route logical-system AS1-PE-02 table HUB-VPN 190.90.90.1

root@M5X>

Why ?

And, if I remove domain-id (replaced by domain-id disabled at HUB-PE), this LSA will appear as Type 5, but this route is still not in the HUB-VPN table.

 

root@M5X> show ospf database logical-system AS1-PE-02 instance HUB-VPN lsa-id 190.90.90.1
OSPF AS SCOPE link state database
Type ID Adv Rtr Seq Age Opt Cksum Len
Extern 190.90.90.1 10.10.8.1 0x80000001 26 0xa2 0x1d7d 36

root@M5X> show route logical-system AS1-PE-02 table HUB-VPN 190.90.90.1

No routes.?? Why?

 

And if I add the command domain-vpn-tag as well, but only with value 0 (domain-vpn-tag 0), the route will appear. Other values will be meaningless.

Why ?

Thanks for reading a long post 🙂


Re: Hub Spoke VPN with PE-CE OSPF

‎01-29-2016 01:28 AM

Hello,

 

You have DN bit set in OSPF LSA:

 

 

root@M5X> show ospf database logical-system AS1-PE-02 instance HUB-VPN lsa-id 190.90.90.1 
OSPF AS SCOPE link state database
Type ID Adv Rtr Seq Age Opt Cksum Len 
Extern 190.90.90.1 10.10.8.1 0x80000001 26 0xa2 0x1d7d 36

0xa2 means:

 

            Options: 0xa2 (DN, DC, E)
                1... .... = DN: Set
                .0.. .... = O: Not set
                ..1. .... = DC: Demand Circuits are supported
                ...0 .... = L: The packet does NOT contain LLS data block
                .... 0... = NP: NSSA is NOT supported
                .... .0.. = MC: NOT Multicast Capable
                .... ..1. = E: External Routing Capability
                .... ...0 = MT: NO Multi-Topology Routing

Please read RFC 4577 for more information on OSPF DN bit

https://tools.ietf.org/html/rfc4577

 


@hoand wrote:

 

And if I add the command domain-vpn-tag as well, but only with value 0 (domain-vpn-tag 0), the route will appear. Other values will be meaningless.

Why ?

Thanks for reading a long post 🙂


"domain-vpn-tag 0" clears DN bit. Check with "show ospf database extensive" and look for Options field.

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
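
Added example, not part of the thread and not Juniper code: a Python sketch that decodes the Options byte and the route tag from the show outputs quoted above, and applies the RFC 4577 rule that a PE does not use a type 3, 5 or 7 LSA received with the DN bit set in its route calculation. The function names are hypothetical; the sample rows and the tag value are copied from the posts above.

```python
import ipaddress

# Options bit names, MSB first, as listed in the decode quoted in the thread.
OPTION_BITS = [(0x80, "DN"), (0x40, "O"), (0x20, "DC"), (0x10, "L"),
               (0x08, "NP"), (0x04, "MC"), (0x02, "E"), (0x01, "MT")]
# LSA types (Junos summary-view names) that RFC 4577 subjects to the DN check.
DN_CHECKED_TYPES = {"Summary", "Extern", "NSSA"}


def decode_options(opts):
    """Return the names of the bits set in an OSPF Options byte."""
    return [name for mask, name in OPTION_BITS if opts & mask]


def decode_vpn_route_tag(tag):
    """Split a 32-bit external route tag using the RFC 4577 default layout:
    bits 1101, a 12-bit arbitrary tag (zero by default), a 16-bit AS number."""
    return {
        "dotted": str(ipaddress.IPv4Address(tag)),
        "default_layout": (tag >> 28) == 0b1101 and ((tag >> 16) & 0xFFF) == 0,
        "as_number": tag & 0xFFFF,
    }


def parse_lsa_line(line):
    """Parse one 'show ospf database' row: Type ID AdvRtr Seq Age Opt Cksum Len."""
    lsa_type, lsa_id, adv_rtr, _seq, _age, opt, _cksum, _length = line.split()
    opts = int(opt, 16)
    return {
        "type": lsa_type,
        "id": lsa_id.lstrip("*"),  # leading '*' is a display marker, not part of the ID
        "adv_rtr": adv_rtr,
        "options": decode_options(opts),
        # A PE must not use a type 3/5/7 LSA with DN set in its route calculation.
        "ignored_by_pe": lsa_type in DN_CHECKED_TYPES and bool(opts & 0x80),
    }


# Rows copied from the show outputs posted in the thread.
SAMPLE_ROWS = [
    "Router 190.90.90.1 190.90.90.1 0x80000004 2676 0x22 0x155f 60",
    "Summary *190.90.90.1 10.10.8.1 0x80000004 944 0xa2 0x45e1 28",
    "Extern 172.80.0.0 10.10.8.1 0x80000001 1579 0xa2 0x2f3b 36",
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(parse_lsa_line(row))
    # Tag shown as 3489700928 on the CE and as 208.0.156.64 on the PE.
    print(decode_vpn_route_tag(3489700928))
```
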

Re: Hub Spoke VPN with PE-CE OSPF

‎02-15-2017 05:03 PM

@camtable wrote:

Ok, first of all, if you receive a route from another PE router via MP-BGP and export it via OSPF to your CE router it will be of type-5 by default. That's standard OSPF behaviour as the route is originated in other protocol.


This is incorrect per the JUNOS MPLS and VPN student guide from the JMV course. The behavior outlined in the guide is consistent with my experience as well.

 

"In operation, a PE router generates a summary LSA when the received route type is internal and carries a domain ID community matching the domain ID configured under the local OSPF VRF instance (a missing domain ID on both the received route and the local OSPF VRF instance is also considered to be a match). Mismatched domain IDs, or routes with external types, result in the generation of external LSAs."
