Tuesday 4 September 2012

CE-PE Routing: Configuring using OSPF


·         There are many options for CE-PE routing.
·         In this post, let me configure routing between the CE and PE routers using OSPF.

·         On the PE router, we need to enable the CE-PE link under “router ospf process-id vrf <VRF_NAME>”.
·         On the CE router, we enable the CE-PE link in OSPF as usual.

Let me take a basic topology to configure this:
 


VRF Configuration:

PE1:
PE1(config)#ip vrf VPN_A
PE1(config-vrf)#rd 100:1
PE1(config-vrf)#route-target both 100:1
PE1(config-vrf)#do show run int ser1/0
Building configuration...
Current configuration : 87 bytes
!
interface Serial1/0
 ip address 10.1.13.3 255.255.255.0
 serial restart-delay 0
end

PE1(config-vrf)#int ser1/0
PE1(config-if)#ip vrf forwarding VPN_A
% Interface Serial1/0 IP address 10.1.13.3 removed due to enabling VRF VPN_A
PE1(config-if)#ip address 10.1.13.3 255.255.255.0
PE1(config-if)#do ping vrf VPN_A 10.1.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/17/44 ms
PE1(config-if)#

CE1:

CE1(config-if)#do show run int ser1/0
Building configuration...
Current configuration : 87 bytes
!
interface Serial1/0
 ip address 10.1.13.1 255.255.255.0
 serial restart-delay 0
end

CE1(config-if)#do ping 10.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/25/44 ms
CE1(config-if)#

Observation:
·         CE1-PE1 link is up

PE2:
PE2(config-router-af)#ip vrf VPN_A
PE2(config-vrf)#rd 100:1
PE2(config-vrf)#route-target both 100:1
PE2(config-vrf)#do show run int ser1/0
Building configuration...
Current configuration : 87 bytes
!
interface Serial1/0
 ip address 10.1.24.4 255.255.255.0
 serial restart-delay 0
end
PE2(config-vrf)#int ser1/0
PE2(config-if)#do show run int ser1/0
Building configuration...
Current configuration : 87 bytes
!
interface Serial1/0
 ip address 10.1.24.4 255.255.255.0
 serial restart-delay 0
end

PE2(config-if)#ip vrf forwarding VPN_A
% Interface Serial1/0 IP address 10.1.24.4 removed due to enabling VRF VPN_A
PE2(config-if)#ip address 10.1.24.4 255.255.255.0
PE2(config-if)#do ping vrf VPN_A 10.1.24.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/16/36 ms
PE2(config-if)#

CE2:
CE2(config-if)#do show run int ser1/0
Building configuration...
Current configuration : 87 bytes
!
interface Serial1/0
 ip address 10.1.24.2 255.255.255.0
 serial restart-delay 0
end
CE2(config-if)#do ping 10.1.24.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/24/64 ms
CE2(config-if)#

Observation:
·         CE2-PE2 link is up

IGP-OSPF Configuration between PE1-PE2:

PE1(config-if)#do show run | begin router ospf
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 100.1.34.3 0.0.0.0 area 0
!
PE2(config-if)#do show run | begin router ospf
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 0
 network 100.1.34.4 0.0.0.0 area 0
!

MP-iBGP configuration between PE1-PE2:

PE1(config)#do show run | begin router bgp
router bgp 100
 bgp router-id 3.3.3.3
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
  no synchronization
 exit-address-family
!
PE2(config-router-af)#do show run | begin router bgp
router bgp 100
 bgp router-id 4.4.4.4
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
 no synchronization
 exit-address-family
!

Configuring MPLS in the Core (between PE1-PE2):

PE1(config)#int ser1/1
PE1(config-if)#mpls ip
PE1(config-if)#

PE2(config)#int ser1/1
PE2(config-if)#mpls ip
PE2(config-if)#

Configuring OSPF between CE1-PE1:

CE1(config)#router ospf 2
CE1(config-router)#network 10.1.13.1 0.0.0.0 area 0
CE1(config-router)#net
*Sep  3 10:23:46.659: %OSPF-5-ADJCHG: Process 2, Nbr 10.1.13.3 on Serial1/0 from LOADING to FULL, Loading Done
CE1(config-router)#network 1.1.1.1 0.0.0.0 area 0
CE1(config-router)#exit
CE1(config)#route-map LOOP
CE1(config-route-map)#match interface loopback1
CE1(config-route-map)#router ospf 2
CE1(config-router)#redistribute connected subnets route-map LOOP
CE1(config-router)#

PE1(config)#router ospf 1 vrf VPN_A
OSPF process 1 already exists and is attached to Default-IP-Routing-Table
PE1(config)#
PE1(config)#router ospf 2 vrf VPN_A
PE1(config-router)#network 10.1.13.3 0.0.0.0 area 0
PE1(config-router)#
*Sep  3 10:23:46.099: %OSPF-5-ADJCHG: Process 2, Nbr 11.11.11.11 on Serial1/0 from LOADING to FULL, Loading Done

PE1(config-router)#
PE1(config-router)#do show ip route vrf VPN_A
Routing Table: VPN_A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 10.1.13.1, 00:01:27, Serial1/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.13.0 is directly connected, Serial1/0
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [110/20] via 10.1.13.1, 00:00:08, Serial1/0
PE1(config-router)#do ping vrf VPN_A 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/41/88 ms
PE1(config-router)#
PE1(config-router)#do ping vrf VPN_A 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/44/112 ms
PE1(config-router)#

Observations:
·         CE1-PE1 OSPF has been configured successfully
·         CE1 is advertising 1.1.1.1/32 into OSPF and redistributing 11.11.11.11/32 into OSPF
·         PE1 received 1.1.1.1 and 11.11.11.11 from CE1
·         PE1 is able to reach 1.1.1.1 and 11.11.11.11

Configuring OSPF between CE2-PE2:

CE2(config)#router ospf 2
CE2(config-router)#network 10.1.24.2 0.0.0.0 area 0
CE2(config-router)#network 2.2.2.2 0.0.0.0 area 0
CE2(config-router)#exit
CE2(config)#route-map LOOP
CE2(config-route-map)#match interface loopback1
CE2(config-route-map)#router ospf 2
CE2(config-router)#redistribute connected subnets route-map LOOP
CE2(config-router)#
*Sep  3 10:32:28.651: %OSPF-5-ADJCHG: Process 2, Nbr 10.1.24.4 on Serial1/0 from LOADING to FULL, Loading Done
CE2(config-router)#

PE2(config)#router ospf 1 vrf VPN_A
OSPF process 1 already exists and is attached to Default-IP-Routing-Table
PE2(config)#router ospf 2 vrf VPN_A
PE2(config-router)#network 10.1.24.2 0.0.0.0 area 0
PE2(config-router)#no network 10.1.24.2 0.0.0.0 area 0
PE2(config-router)#network 10.1.24.4 0.0.0.0 area 0
PE2(config-router)#
*Sep  3 10:32:29.283: %OSPF-5-ADJCHG: Process 2, Nbr 22.22.22.22 on Serial1/0 from LOADING to FULL, Loading Done
PE2(config-router)#

PE2(config-router)#do show ip route vrf VPN_A
Routing Table: VPN_A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 10.1.24.2, 00:00:09, Serial1/0
     22.0.0.0/32 is subnetted, 1 subnets
O E2    22.22.22.22 [110/20] via 10.1.24.2, 00:00:09, Serial1/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.24.0 is directly connected, Serial1/0
PE2(config-router)#do ping vrf VPN_A 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/28 ms
PE2(config-router)#
PE2(config-router)#do ping vrf VPN_A 22.22.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/13/28 ms
PE2(config-router)#

Observations:
·         CE2-PE2 OSPF has been configured successfully
·         CE2 is advertising 2.2.2.2/32 into OSPF and redistributing 22.22.22.22/32 into OSPF
·         PE2 received 2.2.2.2 and 22.22.22.22 from CE2
·         PE2 is able to reach 2.2.2.2 and 22.22.22.22

Mutual redistribution between OSPF and BGP in PE1 & PE2:
PE1(config)#router ospf 2 vrf VPN_A
PE1(config-router)#redistribute bgp 100 subnets
PE1(config-router)#router bgp 100
PE1(config-router)#address-family ipv4 vrf VPN_A
PE1(config-router-af)#redistribute ospf 2 vrf VPN_A
PE1(config-router-af)#

PE2(config)#router ospf 2 vrf VPN_A
PE2(config-router)#redistribute bgp 100 subnets
PE2(config-router)#router bgp 100
PE2(config-router)#address-family ipv4 vrf VPN_A
PE2(config-router-af)#redistribute ospf 2 vrf VPN_A
PE2(config-router-af)#

Let's check the routing tables on the CE routers:

CE1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set
    1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/129] via 10.1.13.3, 00:02:06, Serial1/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.13.0 is directly connected, Serial1/0
O IA    10.1.24.0 [110/65] via 10.1.13.3, 00:02:06, Serial1/0
     11.0.0.0/32 is subnetted, 1 subnets
C       11.11.11.11 is directly connected, Loopback1
CE1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/52 ms
CE1#

CE2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/129] via 10.1.24.4, 00:01:13, Serial1/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.1.13.0 [110/65] via 10.1.24.4, 00:01:13, Serial1/0
C       10.1.24.0 is directly connected, Serial1/0
CE2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/22/48 ms
CE2#

Observation:
·         CE1 is learning CE2’s loopback0 2.2.2.2/32 and is able to reach it
·         CE2 is learning CE1’s loopback0 1.1.1.1/32 and is able to reach it
·         But,
·         CE1 is not learning CE2’s loopback1 22.22.22.22/32 and
·         CE2 is not learning CE1’s loopback1 11.11.11.11/32

To start troubleshooting, let me check the BGP tables of PE1 and PE2 (basically verifying the mutual redistribution between BGP and OSPF on PE1 & PE2):

PE1(config-router-af)#do show ip bgp vpnv4 all sum
BGP router identifier 3.3.3.3, local AS number 100
BGP table version is 9, main routing table version 9
4 network entries using 624 bytes of memory
4 path entries using 272 bytes of memory
5/4 BGP path/bestpath attribute entries using 840 bytes of memory
2 BGP extended community entries using 80 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 1848 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 15 secs
Neighbor        V          AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4         4        100      29      30        9    0    0 00:23:16        2
PE1(config-router-af)#

PE1(config-router-af)#do show ip bgp vpnv4 all
BGP table version is 9, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf VPN_A)
*> 1.1.1.1/32       10.1.13.1               65         32768 ?
*>i2.2.2.2/32       4.4.4.4                 65    100      0 ?
*> 10.1.13.0/24     0.0.0.0                  0         32768 ?
*>i10.1.24.0/24     4.4.4.4                  0    100      0 ?
PE1(config-router-af)#

PE2(config-router-af)#do show ip bgp vpnv4 all sum
BGP router identifier 4.4.4.4, local AS number 100
BGP table version is 9, main routing table version 9
4 network entries using 624 bytes of memory
4 path entries using 272 bytes of memory
5/4 BGP path/bestpath attribute entries using 840 bytes of memory
2 BGP extended community entries using 80 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 1848 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 15 secs
Neighbor        V          AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.3         4        100      29      29        9    0    0 00:22:59        2
PE2(config-router-af)#

PE2(config-router-af)#do show ip bgp vpnv4 all
BGP table version is 9, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf VPN_A)
*>i1.1.1.1/32       3.3.3.3                 65    100      0 ?
*> 2.2.2.2/32       10.1.24.2               65         32768 ?
*>i10.1.13.0/24     3.3.3.3                  0    100      0 ?
*> 10.1.24.0/24     0.0.0.0                  0         32768 ?
PE2(config-router-af)#

Observation:
·         PE1 has only 1.1.1.1/32 in its BGP table (11.11.11.11/32 is not there)
·         PE2 has only 2.2.2.2/32 in its BGP table (22.22.22.22/32 is not there)
·         But while configuring OSPF between CE1-PE1 and CE2-PE2, we clearly saw that
·         PE1 learnt CE1’s loopback1 11.11.11.11/32 as an External route
·         PE2 learnt CE2’s loopback1 22.22.22.22/32 as an External route
·         That means there is a problem in redistributing OSPF routes into BGP in this case
·         Surprisingly, this is working as expected here!
·         If we look at how OSPF redistribution into BGP works, by default only INTERNAL routes get redistributed. EXTERNAL routes have to be matched explicitly.
·         So, let me configure the OSPF redistribution in BGP to carry EXTERNAL routes as well:

PE1(config-router-af)#redistribute ospf 2 vrf VPN_A match external 1 external 2
PE1(config-router-af)#

PE2(config-router-af)#redistribute ospf 2 vrf VPN_A match external 1 external 2
PE2(config-router-af)#
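The same gap can be found mechanically by comparing the OSPF routes in the VRF table with the VPNv4 BGP table. The script below is an added example, not part of the original post; it uses PE1's outputs from above as sample input, its function names are made up for illustration, and it assumes every BGP entry is printed with an explicit prefix length.

```python
import re

# Sample input trimmed from the PE1 "show ip route vrf VPN_A" output above.
SHOW_IP_ROUTE_VRF = """\
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 10.1.13.1, 00:01:27, Serial1/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.13.0 is directly connected, Serial1/0
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [110/20] via 10.1.13.1, 00:00:08, Serial1/0
"""

# Sample input trimmed from the PE1 "show ip bgp vpnv4 all" output above.
SHOW_IP_BGP_VPNV4 = """\
Route Distinguisher: 100:1 (default for vrf VPN_A)
*> 1.1.1.1/32       10.1.13.1               65         32768 ?
*>i2.2.2.2/32       4.4.4.4                 65    100      0 ?
*> 10.1.13.0/24     0.0.0.0                  0         32768 ?
*>i10.1.24.0/24     4.4.4.4                  0    100      0 ?
"""

# "1.0.0.0/32 is subnetted" header: supplies the mask for the routes under it.
SUBNETTED = re.compile(r"^\s+\d+\.\d+\.\d+\.\d+/(\d+) is subnetted")
# OSPF route line; the optional group is the sub-code (IA, E1, E2, N1, N2).
OSPF_ROUTE = re.compile(
    r"^O( IA| E1| E2| N1| N2)?\s+(\d+\.\d+\.\d+\.\d+)(/\d+)?\s")
# Valid BGP entry: "*", then ">" or blank, then "i" or blank, then the prefix.
BGP_ROUTE = re.compile(r"^\*[> ][i ]?(\d+\.\d+\.\d+\.\d+/\d+)\s")


def ospf_routes(show_ip_route):
    """Return {prefix: route code} for the OSPF routes in the table."""
    routes, mask = {}, None
    for line in show_ip_route.splitlines():
        header = SUBNETTED.match(line)
        if header:
            mask = header.group(1)
            continue
        m = OSPF_ROUTE.match(line)
        if not m:
            continue
        kind, addr, own_mask = m.groups()
        length = own_mask[1:] if own_mask else mask
        if length is not None:
            routes[f"{addr}/{length}"] = "O" + (kind or "")
    return routes


def bgp_prefixes(show_ip_bgp):
    """Return the set of valid prefixes in the VPNv4 table."""
    return {m.group(1) for line in show_ip_bgp.splitlines()
            if (m := BGP_ROUTE.match(line))}


def redistribution_gaps(show_ip_route, show_ip_bgp):
    """OSPF routes in the VRF table that never made it into BGP."""
    in_bgp = bgp_prefixes(show_ip_bgp)
    gaps = []
    for prefix, code in sorted(ospf_routes(show_ip_route).items()):
        if prefix in in_bgp:
            continue
        if code in ("O E1", "O E2"):
            hint = "external route: add 'match external 1 external 2'"
        else:
            hint = "check 'redistribute ospf' under the VRF address-family"
        gaps.append((prefix, code, hint))
    return gaps


if __name__ == "__main__":
    for prefix, code, hint in redistribution_gaps(SHOW_IP_ROUTE_VRF,
                                                  SHOW_IP_BGP_VPNV4):
        print(f"{prefix} ({code}) is not in BGP -> {hint}")
```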

Now, let me check the Routing tables in CE1 and CE2:

CE1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
 
    1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/129] via 10.1.13.3, 00:06:48, Serial1/0
     22.0.0.0/32 is subnetted, 1 subnets
O E2    22.22.22.22 [110/20] via 10.1.13.3, 00:00:36, Serial1/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.13.0 is directly connected, Serial1/0
O IA    10.1.24.0 [110/65] via 10.1.13.3, 00:06:48, Serial1/0
     11.0.0.0/32 is subnetted, 1 subnets
C       11.11.11.11 is directly connected, Loopback1
CE1#ping 22.22.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/32/76 ms
CE1#

CE2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/129] via 10.1.24.4, 00:07:03, Serial1/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.1.13.0 [110/65] via 10.1.24.4, 00:07:03, Serial1/0
C       10.1.24.0 is directly connected, Serial1/0
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [110/20] via 10.1.24.4, 00:01:47, Serial1/0
CE2#

CE2#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/80 ms
CE2#

Observation:
·         CE1 is learning about CE2’s loopback1 22.22.22.22
·         CE2 is learning about CE1’s loopback1 11.11.11.11

·         One more observation;
·         Routes from the CE routers are redistributed into BGP on the local PE router and redistributed back into OSPF on the remote PE router
·         But surprisingly, if we look at the IP routing tables on the CE routers, we see them as O IA (OSPF Inter-Area routes), and External OSPF routes are still External OSPF routes
·         Ex: CE1 is advertising 1.1.1.1/32 into OSPF, and CE2 sees it as an O IA (OSPF INTER-AREA) route
·         CE2 is advertising 2.2.2.2/32 into OSPF, and CE1 sees it as an O IA (OSPF INTER-AREA) route.

·         This is because the MPLS backbone acts as an OSPF SUPER BACKBONE area, and thus we see these routes as O IA routes instead of External routes.
·         But this will create a problem if we have a back-door link between CE1-CE2
·         Because the CE routers learn the routes from each other as O routes (OSPF INTRA-AREA routes), they route through the back-door link and not through the MP-BGP backbone

·         The solution is to create an OSPF SHAM-LINK
·         In simple terms, a SHAM-LINK makes the customer routes appear as OSPF INTRA-AREA routes instead of the default INTER-AREA routes.

Back-door link enabling:

CE1(config-if)#do show run int ser1/0
Building configuration...
Current configuration : 87 bytes
!
interface Serial1/0
 ip address 10.1.13.1 255.255.255.0
 serial restart-delay 0
end
CE1(config-if)#

CE2(config-if)#do show run int ser1/0
Building configuration...
Current configuration : 87 bytes
!
interface Serial1/0
 ip address 10.1.24.2 255.255.255.0
 serial restart-delay 0
end
CE2(config-if)#

OSPF between CE1-CE2 backdoor link:

CE1(config-if)#router ospf 2
CE1(config-router)#net
CE1(config-router)#network 10.1.12.1 0.0.0.0 area 0
CE1(config-router)#
*Sep  3 11:13:35.847: %OSPF-5-ADJCHG: Process 2, Nbr 22.22.22.22 on Serial1/1 from LOADING to FULL, Loading Done
CE1(config-router)#

CE2(config-if)#router ospf 2
CE2(config-router)#network 10.1.12.2 0.0.0.0 area 0
CE2(config-router)#
*Sep  3 11:13:45.163: %OSPF-5-ADJCHG: Process 2, Nbr 11.11.11.11 on Serial1/1 from LOADING to FULL, Loading Done
CE2(config-router)#

CE1 & CE2 Routing Tables:

CE1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 10.1.12.2, 00:02:11, Serial1/1
     22.0.0.0/32 is subnetted, 1 subnets
O E2    22.22.22.22 [110/20] via 10.1.12.2, 00:02:11, Serial1/1
     10.0.0.0/24 is subnetted, 3 subnets
C       10.1.13.0 is directly connected, Serial1/0
C       10.1.12.0 is directly connected, Serial1/1
O       10.1.24.0 [110/128] via 10.1.12.2, 00:02:11, Serial1/1
     11.0.0.0/32 is subnetted, 1 subnets
C       11.11.11.11 is directly connected, Loopback1
CE1#

CE2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 10.1.12.1, 00:02:37, Serial1/1
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 3 subnets
O       10.1.13.0 [110/128] via 10.1.12.1, 00:02:37, Serial1/1
C       10.1.12.0 is directly connected, Serial1/1
C       10.1.24.0 is directly connected, Serial1/0
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [110/20] via 10.1.12.1, 00:02:37, Serial1/1
CE2#

Observation:
·         I have added a new link between CE1-CE2 (Ser1/1 ----- Ser1/1)
·         This new link 10.1.12.0/24 has been advertised into OSPF in CE1 and CE2.
·         Now, CE1 is using the back-door link to reach CE2’s loopbacks 2.2.2.2, 22.22.22.22
·         CE2 is using the back-door link to reach CE1’s loopbacks 1.1.1.1, 11.11.11.11
·         If we need to use MPLS as the primary connection and the back-door link as the backup connection, we need to create a SHAM-LINK between PE1 and PE2.

SHAM-LINK:

·         Creating a new Loopback interface and assign it to the VRF:

PE1(config-router)#int loop1
PE1(config-if)#ip vrf forwarding VPN_A
PE1(config-if)#ip address 34.34.34.3 255.255.255.255
PE1(config-if)#

PE2(config-router-af)#int loop1
PE2(config-if)#ip vrf forwarding VPN_A
PE2(config-if)#ip address 34.34.34.4 255.255.255.255
PE2(config-if)#

·         Advertising the new loopback interface into BGP:

PE1(config-if)#router bgp 100
PE1(config-router)#address-family ipv4 vrf VPN_A
PE1(config-router-af)#network 34.34.34.3 mask 255.255.255.255
PE1(config-router-af)#

PE2(config-if)#router bgp 100
PE2(config-router)#address-family ipv4 vrf VPN_A
PE2(config-router-af)#network 34.34.34.4 mask 255.255.255.255
PE2(config-router-af)#

·         Creating the sham-link:

PE1(config)#router ospf 2 vrf VPN_A
PE1(config-router)#area 0 sham-link ?
  A.B.C.D  IP addr associated with sham-link source
PE1(config-router)#area 0 sham-link 34.34.34.3 ?
  A.B.C.D  IP addr associated with sham-link destination
PE1(config-router)#area 0 sham-link 34.34.34.3 34.34.34.4 ?
  cost  Associate a cost with the sham-link
  <cr>
PE1(config-router)#area 0 sham-link 34.34.34.3 34.34.34.4 cos
PE1(config-router)#area 0 sham-link 34.34.34.3 34.34.34.4 cost ?
  <1-65535>  Cost of the sham-link
PE1(config-router)#area 0 sham-link 34.34.34.3 34.34.34.4 cost 1
PE1(config-router)#
*Sep  3 11:32:38.071: %OSPF-5-ADJCHG: Process 2, Nbr 10.1.24.4 on OSPF_SL0 from LOADING to FULL, Loading Done
PE1(config-router)#

PE2(config)#router ospf 2 vrf VPN_A
PE2(config-router)#area 0 sham-link ?
  A.B.C.D  IP addr associated with sham-link source
PE2(config-router)#area 0 sham-link 34.34.34.4 ?
  A.B.C.D  IP addr associated with sham-link destination
PE2(config-router)#area 0 sham-link 34.34.34.4 34.34.34.3 ?
  cost  Associate a cost with the sham-link
  <cr>
PE2(config-router)#area 0 sham-link 34.34.34.4 34.34.34.3 cost ?
  <1-65535>  Cost of the sham-link
PE2(config-router)#area 0 sham-link 34.34.34.4 34.34.34.3 cost 1
PE2(config-router)#
*Sep  3 11:32:38.407: %OSPF-5-ADJCHG: Process 2, Nbr 10.1.13.3 on OSPF_SL0 from LOADING to FULL, Loading Done
PE2(config-router)#

PE1(config-router)#do show ip ospf sham-link
Sham Link OSPF_SL0 to address 34.34.34.4 is up
Area 0 source address 34.34.34.3
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:04
    Adjacency State FULL (Hello suppressed)
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
PE1(config-router)#

 
PE2(config-router)#do show ip ospf sham-link
Sham Link OSPF_SL0 to address 34.34.34.3 is up
Area 0 source address 34.34.34.4
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:01
    Adjacency State FULL (Hello suppressed)
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
PE2(config-router)#

Observation:
·         Sham-link has been created successfully between PE1 and PE2

Increasing the ospf cost for the back-door link:

CE1(config)#int ser1/1
CE1(config-if)#ip ospf cost 999
CE1(config-if)#

CE2(config)#int ser1/1
CE2(config-if)#ip ospf cost 999
CE2(config-if)#

Observation:
·         This step is required because, between OSPF INTRA-AREA routes, the one with the least cost is chosen as the best route.
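Why both the sham-link and the higher cost are needed can be checked with a small model of OSPF's choice between an intra-area and an inter-area path (added example, not part of the original post). The costs 129, 130 and 65 are the ones CE1's routing tables in this post show for 2.2.2.2; the default back-door interface cost of 64 is inferred from the 65, and the class and function names are made up for illustration.

```python
from dataclasses import dataclass

# OSPF compares route type first: an intra-area route (O) always beats an
# inter-area route (O IA); cost only breaks ties within the same type.
TYPE_RANK = {"O": 0, "O IA": 1}

CE2_LOOPBACK_COST = 1        # cost of the loopback carrying 2.2.2.2
DEFAULT_BACKDOOR_COST = 64   # assumption: inferred from the 65 in CE1's table


@dataclass(frozen=True)
class Path:
    code: str       # "O" or "O IA", as printed by "show ip route"
    cost: int
    next_hop: str


def best_path(paths):
    """Pick the path OSPF installs: route type first, then lowest cost."""
    return min(paths, key=lambda p: (TYPE_RANK[p.code], p.cost))


def ce1_paths_to_2_2_2_2(sham_link, backdoor_cost=DEFAULT_BACKDOOR_COST):
    """CE1's two candidate paths to CE2's loopback0 in this post's topology."""
    if sham_link:
        # Over the sham-link the route arrives as intra-area, cost 130.
        mpls = Path("O", 130, "10.1.13.3")
    else:
        # Without it the MPLS super backbone yields an inter-area route, 129.
        mpls = Path("O IA", 129, "10.1.13.3")
    backdoor = Path("O", backdoor_cost + CE2_LOOPBACK_COST, "10.1.12.2")
    return [mpls, backdoor]


def chosen_next_hop(sham_link, backdoor_cost=DEFAULT_BACKDOOR_COST):
    return best_path(ce1_paths_to_2_2_2_2(sham_link, backdoor_cost)).next_hop


if __name__ == "__main__":
    for sham_link in (False, True):
        for cost in (DEFAULT_BACKDOOR_COST, 999):
            hop = chosen_next_hop(sham_link, cost)
            via = "MPLS" if hop == "10.1.13.3" else "back-door"
            print(f"sham-link={sham_link!s:5} back-door cost={cost:3} -> {via}")
```

Raising the back-door cost without a sham-link changes nothing, because the route type is compared before the cost; only the combination moves traffic onto the MPLS path.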

Now, let me see the routing tables of CE routers:
CE1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     34.0.0.0/32 is subnetted, 2 subnets
O E2    34.34.34.3 [110/1] via 10.1.13.3, 00:06:54, Serial1/0
O E2    34.34.34.4 [110/1] via 10.1.13.3, 00:06:32, Serial1/0
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/130] via 10.1.13.3, 00:00:43, Serial1/0
     22.0.0.0/32 is subnetted, 1 subnets
O E2    22.22.22.22 [110/20] via 10.1.13.3, 00:00:43, Serial1/0
     10.0.0.0/24 is subnetted, 3 subnets
C       10.1.13.0 is directly connected, Serial1/0
C       10.1.12.0 is directly connected, Serial1/1
O       10.1.24.0 [110/129] via 10.1.13.3, 00:00:43, Serial1/0
     11.0.0.0/32 is subnetted, 1 subnets
C       11.11.11.11 is directly connected, Loopback1
CE1#

CE1#traceroute 2.2.2.2
Type escape sequence to abort.
Tracing the route to 2.2.2.2
  1 10.1.13.3 72 msec 16 msec 4 msec
  2 10.1.24.4 [MPLS: Label 17 Exp 0] 8 msec 16 msec 4 msec
  3 10.1.24.2 36 msec *  32 msec
CE1#

CE2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     34.0.0.0/32 is subnetted, 2 subnets
O E2    34.34.34.3 [110/1] via 10.1.24.4, 00:07:29, Serial1/0
O E2    34.34.34.4 [110/1] via 10.1.24.4, 00:07:22, Serial1/0
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/130] via 10.1.24.4, 00:01:17, Serial1/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 3 subnets
O       10.1.13.0 [110/129] via 10.1.24.4, 00:01:17, Serial1/0
C       10.1.12.0 is directly connected, Serial1/1
C       10.1.24.0 is directly connected, Serial1/0
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [110/20] via 10.1.24.4, 00:01:19, Serial1/0
CE2#

CE2#traceroute 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
  1 10.1.24.4 28 msec 28 msec 4 msec
  2 10.1.13.3 [MPLS: Label 17 Exp 0] 8 msec 28 msec 8 msec
  3 10.1.13.1 4 msec *  60 msec
CE2#

Observations:
·         In CE1, 2.2.2.2 is installed as O (OSPF INTRA-AREA) route.
·         In CE2, 1.1.1.1 is installed as O (OSPF INTRA-AREA) route.
·         Both the CE routers are using the MPLS Backbone as the primary path.

·         22.22.22.22 is still appearing as O E2 route in CE1’s table
·         11.11.11.11 is still appearing as O E2 route in CE2’s table
·         This is because these 2 routes are External routes, as they are redistributed into OSPF on the CE routers
·         And they remain External routes throughout the path.