
IEOC - INE's Online Community

Latest post 07-19-2011 10:01 PM by sphere. 5 replies.
  • 12-30-2009 12:03 AM

    capability vrf-lite

    I am trying to understand what exactly this command does "capability vrf-lite".  I came into a situation where I needed it.

    Topology

    PE1----------------------PE2---------------PE3
     |                        |                /
    CE1                      CE2---------------

     

    CE2 is dual-homed to PE2 and PE3.  CE2 is running vrf-lite.  I am running OSPF as my PE-CE routing protocol at every site.  My OSPF routes from CE1 were not showing up on CE2 until I added "capability vrf-lite" on the ospf process on CE2.  I know that OSPF Support for Multi-VRF on CE Routers feature provides the capability of suppressing provider edge (PE) checks that are needed to prevent loops when the PE is performing a mutual redistribution of packets between the OSPF and BGP protocols (from Cisco website).  But what is happening under the hood?

    Many thanks in advance!

    • Post Points: 20
  • 12-30-2009 12:10 AM In reply to

    • Jent

    Re: capability vrf-lite

    Simply put: "capability vrf-lite" will disable checks of both "down bit" and "domain-tag" set by a PE-router when redistributing routes from MPBGP to OSPF. "down bit" is used with all other LSA types except 5 and 7 and domain-tag with external LSAs (5 and 7) as they do not have "down bit" available in their options field.

    Down bit is only checked by the CE router if an advertisement is received over a VRF interface. So under normal circumstances you don't need it on a CE-router, but if you are running vrf-lite you will need it.

    • Post Points: 50
  • 12-30-2009 11:22 AM In reply to

    Re: capability vrf-lite

    Thanks Jent for the response.  I am still a little confused.  Here is a more descriptive explanation of the setup.

    PE1(R5)----------------------PE2(R4)---------------PE3(R2)
       |                            |                  /
    CE1(R6)                  CE2(R8,vrf-lite)----------


    R6 advertises 192.6.6.6 via OSPF.

    On R5
    Rack1R5(config)#do sh ip route vrf VPN_A          
    O       192.6.6.6 [110/2] via 192.56.1.6, 11:02:29, Virtual-Access1.1

    Rack1R5(config)#do sh ip ospf data

                OSPF Router with ID (192.56.1.5) (Process ID 1001)

                    Router Link States (Area 51)

    Link ID         ADV Router      Age         Seq#       Checksum Link count
    192.6.6.6       192.6.6.6       1631        0x80000026 0x008BEF 3


    On R4

    Rack1R4# sh ip route vrf VPN_A     

    B       192.6.6.6 [200/2] via 27.1.5.5, 12:51:53

    Rack1R4#sh ip ospf database summary

                OSPF Router with ID (204.84.1.4) (Process ID 1002)

                OSPF Router with ID (192.48.1.4) (Process ID 1001)

                    Summary Net Link States (Area 51)

      LS age: 23
      Options: (No TOS-capability, DC, Downward)     <<<< I see the down bit set
      LS Type: Summary Links(Network)
      Link State ID: 192.6.6.6 (summary Network Number)
      Advertising Router: 192.48.1.4
      LS Seq Number: 80000018
      Checksum: 0xEFEA
      Length: 28
      Network Mask: /32
            TOS: 0  Metric: 2

     

    So on R4 I do see the network in the OSPF database with the down bit set.  I also understand that the down bit is set so that R2 does not redistribute this route back into MP-BGP once it learns it from R8.  My question is why doesn't R8 put it in the routing table without "capability vrf-lite"?  I thought the down bit was to prevent a PE from redistributing an OSPF route with the down bit set back into MP_BGP.

    With "capability vrf-lite" configured

    Rack1R8#sh ip ospf database summary

                OSPF Router with ID (204.84.1.8) (Process ID 1002)

                OSPF Router with ID (192.48.1.8) (Process ID 1001)

                    Summary Net Link States (Area 51)

      Routing Bit Set on this LSA
      LS age: 234
      Options: (No TOS-capability, DC, Downward)
      LS Type: Summary Links(Network)
      Link State ID: 192.6.6.6 (summary Network Number)
      Advertising Router: 192.48.1.4
      LS Seq Number: 80000018
      Checksum: 0xEFEA
      Length: 28
      Network Mask: /32
            TOS: 0  Metric: 2

      Rack1R8#sh ip route vrf VPN_A
    O IA    192.6.6.6 [110/3] via 192.48.1.4, 12:56:29, Vlan48
                      [110/3] via 192.10.1.2, 12:56:29, Vlan192

     

    Without "capability vrf-lite" configured, notice 192.6.6.6 is in the OSPF database, but not in the routing table.

     

    Rack1R8#sh ip route vrf VPN_A

    Routing Table: VPN_A
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is not set

         51.0.0.0/32 is subnetted, 1 subnets
    O E2    51.51.51.51 [110/20] via 192.10.1.254, 00:00:05, Vlan192
         54.0.0.0/24 is subnetted, 1 subnets
    O E2    54.1.1.0 [110/20] via 192.48.1.4, 00:00:05, Vlan48
                     [110/20] via 192.10.1.2, 00:00:05, Vlan192
    C    192.10.1.0/24 is directly connected, Vlan192
    C    192.48.1.0/24 is directly connected, Vlan48
    O E2 212.18.0.0/22 [110/20] via 192.48.1.4, 00:00:05, Vlan48
                       [110/20] via 192.10.1.2, 00:00:05, Vlan192

    Rack1R8#sh ip ospf database summary

                OSPF Router with ID (204.84.1.8) (Process ID 1002)

                OSPF Router with ID (192.48.1.8) (Process ID 1001)

                    Summary Net Link States (Area 51)

      LS age: 422
      Options: (No TOS-capability, DC, Downward)
      LS Type: Summary Links(Network)
      Link State ID: 192.6.6.6 (summary Network Number)
      Advertising Router: 192.48.1.4
      LS Seq Number: 80000018
      Checksum: 0xEFEA
      Length: 28
      Network Mask: /32
            TOS: 0  Metric: 2

     

    Many thanks in advance!

    • Post Points: 20
  • 12-30-2009 11:35 AM In reply to

    Re: capability vrf-lite

    Never mind, I understand now.  Thanks Jent.  The key is what you wrote - "Down bit is only checked by the CE router if an advertisement is received over a VRF interface."

    Many thanks!

    • Post Points: 5
  • 12-30-2009 11:46 AM In reply to

    Re: capability vrf-lite

    basically, the DN will cause a PE router to do (actually, not do) 2 things :

    1. not redistribute the LSA into MP-BGP

    2. ignore the LSA when running SPF

    so just think of it like the vrf-cap cmd is your way of telling  the router "you are NOT a PE"

     

    HTH

     

     

    • Post Points: 5
  • 07-19-2011 10:01 PM In reply to

    Re: capability vrf-lite

    As RFC 4577 states, the DN bit (or route tag) is set in LSAs type 3 and 5, which the PE sends to the CE. According to the same RFC, the PE is an ABR (if no sham-link is present). Without a sham-link, the PE doesn't send LSA 1 or LSA 2 when redistributing BGP to OSPF, and LSA type 4 is absolutely forbidden.

    • Post Points: 5
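
The check discussed in this thread, as an added example that is not part of any poster's message: it packs the 20-byte LSA header from the values in the R8 "sh ip ospf database summary" output, decodes the DN bit, and models whether the LSA is used in SPF. The function names and the Options value 0xA0 (DC plus Downward) are assumptions derived from that output, and the decision function is a simplified model of what the posters describe, not Cisco's implementation.

```python
import socket
import struct

DN_BIT = 0x80  # high-order Options bit, printed by IOS as "Downward"
DC_BIT = 0x20  # demand-circuits bit, printed as "DC"
HEADER = struct.Struct("!HBB4s4sIHH")  # 20-byte OSPFv2 LSA header

def build_lsa_header(age, options, ls_type, ls_id, adv_router, seq, cksum, length):
    """Pack an LSA header from dotted-quad IDs and integer fields."""
    return HEADER.pack(age, options, ls_type, socket.inet_aton(ls_id),
                       socket.inet_aton(adv_router), seq, cksum, length)

def parse_lsa_header(raw):
    """Decode the fixed LSA header and expose the DN bit as a boolean."""
    if len(raw) < HEADER.size:
        raise ValueError("LSA header needs %d bytes, got %d" % (HEADER.size, len(raw)))
    age, options, ls_type, ls_id, adv, seq, cksum, length = HEADER.unpack(raw[:HEADER.size])
    return {"age": age, "options": options, "ls_type": ls_type,
            "ls_id": socket.inet_ntoa(ls_id), "adv_router": socket.inet_ntoa(adv),
            "seq": seq, "checksum": cksum, "length": length,
            "dn": bool(options & DN_BIT)}

def used_in_spf(lsa, received_on_vrf_interface, capability_vrf_lite):
    """Simplified model of the check the posters describe (not Cisco's code)."""
    if lsa["ls_type"] in (5, 7):
        # External LSAs rely on the domain-tag check, which is not modelled here.
        raise NotImplementedError("domain-tag check for type 5/7 not modelled")
    if capability_vrf_lite or not received_on_vrf_interface:
        return True           # PE checks suppressed, or router is a plain CE
    return not lsa["dn"]      # VRF interface: a DN-marked LSA is ignored

# Constructed from the R8 output in the thread; 0xA0 = DC + Downward is assumed.
SAMPLE = build_lsa_header(422, DN_BIT | DC_BIT, 3, "192.6.6.6", "192.48.1.4",
                          0x80000018, 0xEFEA, 28)

def demo():
    """Evaluate the sample LSA under the three situations from the thread."""
    lsa = parse_lsa_header(SAMPLE)
    return {"vrf, no capability": used_in_spf(lsa, True, False),
            "vrf, capability vrf-lite": used_in_spf(lsa, True, True),
            "global table CE": used_in_spf(lsa, False, False)}

if __name__ == "__main__":
    for case, installed in demo().items():
        print("%-26s -> %s" % (case, "used in SPF" if installed else "ignored"))
```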