OSPF VPN extension
This section describes the OSPF VPN extension. For more information about OSPF, see Layer 3—IP Routing Configuration Guide.
OSPF for VPNs on a PE
OSPF is a commonly used IGP. Running OSPF between a PE and a CE can simplify CE configuration and management because the CEs only need to support OSPF. In addition, if customers require MPLS L3VPN services through a conventional OSPF backbone, using OSPF between a PE and a CE can simplify the transition.
For OSPF to run between CE and PE, the PE must support multiple OSPF processes. Each OSPF process corresponds to a VPN instance and maintains its own interfaces and routing table.
The following describes OSPF configurations between a PE and a CE:
OSPF area configuration between a PE and a CE:
The OSPF area between a PE and a CE can be either a non-backbone area or a backbone area.
In the OSPF VPN extension application, the MPLS VPN backbone is considered the backbone area (area 0). The area 0 of each VPN site must be connected to the MPLS VPN backbone (physically connected or logically connected through a virtual link) because OSPF requires that the backbone area be contiguous.
BGP/OSPF interaction:
If OSPF runs between PEs and CEs, each PE redistributes BGP routes to OSPF and advertises the routes to CEs through OSPF. OSPF treats the routes redistributed from BGP as external routes, even though they might actually belong to the same OSPF domain. To resolve this problem, configure the same domain ID for the sites in an OSPF domain.
Figure 47: Network diagram for BGP/OSPF interaction
As shown in Figure 47, CE 11, CE 21, and CE 22 belong to the same VPN and the same OSPF domain.
Before a domain ID is configured, VPN 1 routes are advertised from CE 11 to CE 21 and CE 22 by using the following process:
PE 1 redistributes OSPF routes from CE 11 into BGP, and advertises the VPN routes to PE 2 through BGP.
PE 2 redistributes the BGP routes to OSPF, and advertises them to CE 21 and CE 22 in AS External LSAs (Type 5) or NSSA External LSAs (Type 7).
After a domain ID is configured, VPN 1 routes are advertised from CE 11 to CE 21 and CE 22 by using the following process:
PE 1 redistributes OSPF routes into BGP, adds the domain ID to the redistributed BGP VPNv4 routes as a BGP extended community attribute, and advertises the routes to PE 2.
PE 2 compares the domain ID in the received routes with the locally configured domain ID. If they are the same and the received routes are intra-area or inter-area routes, OSPF advertises these routes in Network Summary LSAs (Type 3). Otherwise, OSPF advertises these routes in AS External LSAs (Type 5) or NSSA External LSAs (Type 7).
Routing loop detection:
If a CE and a PE are connected through the OSPF backbone area, the LSAs that a PE uses to advertise BGP VPN routes learned from MPLS/BGP to the VPN site might be received by another PE, resulting in a routing loop.
To avoid routing loops, when creating Type 3 LSAs, the PE always sets the flag bit DN for BGP VPN routes learned from MPLS/BGP, regardless of whether the PE and the CE are connected through the OSPF backbone. When performing route calculation, the OSPF process of the PE ignores the Type 3 LSAs whose DN bit is set.
If the PE needs to advertise routes from other OSPF domains to a CE, it must indicate that it is the ASBR, and advertise the routes in Type 5 LSAs.
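The LSA type selection from the BGP/OSPF interaction item and the DN-bit check from the routing loop detection item, modeled as an added Python example (not vendor code or device configuration). The class and function names, prefixes, and domain ID values are constructed for illustration, and the use of Type 7 when the PE-CE area is an NSSA is an assumption the text above does not spell out.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class VpnRoute:
    """BGP VPNv4 route as received by the remote PE (simplified model)."""
    prefix: str
    ospf_route_type: str        # "intra-area", "inter-area" or "external"
    domain_id: Optional[str]    # from the BGP extended community, None if absent

@dataclass(frozen=True)
class Lsa:
    prefix: str
    lsa_type: int               # 3, 5 or 7
    dn_bit: bool

def originate_lsa(route, local_domain_id, pe_ce_area_is_nssa=False):
    """Return the LSA a PE originates toward the CE for a route learned from MPLS/BGP."""
    same_domain = route.domain_id is not None and route.domain_id == local_domain_id
    if same_domain and route.ospf_route_type in ("intra-area", "inter-area"):
        # Same OSPF domain: Network Summary LSA, and the PE always sets DN on it.
        return Lsa(route.prefix, 3, dn_bit=True)
    # Missing or different domain ID, or an external route: external LSA.
    # Assumption: Type 7 is used when the PE-CE area is an NSSA, Type 5 otherwise.
    # The page describes the DN bit only for Type 3 LSAs, so it is not modeled here.
    return Lsa(route.prefix, 7 if pe_ce_area_is_nssa else 5, dn_bit=False)

def pe_uses_in_route_calculation(lsa):
    """A PE's OSPF process ignores Type 3 LSAs whose DN bit is set."""
    return not (lsa.lsa_type == 3 and lsa.dn_bit)

# Constructed sample input: routes PE 2 receives from PE 1 for VPN 1.
SAMPLE_ROUTES = [
    VpnRoute("10.1.1.0/24", "intra-area", "0.0.0.10"),   # same domain ID
    VpnRoute("10.1.2.0/24", "inter-area", "0.0.0.20"),   # different domain ID
    VpnRoute("10.1.3.0/24", "intra-area", None),         # no domain ID attached
    VpnRoute("10.1.4.0/24", "external", "0.0.0.10"),     # external in the source domain
]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        lsa = originate_lsa(r, local_domain_id="0.0.0.10")
        print(r.prefix, "-> Type", lsa.lsa_type, "DN" if lsa.dn_bit else "",
              "(ignored by other PEs)" if not pe_uses_in_route_calculation(lsa) else "")
```

Only the first sample route reaches the CEs as a Type 3 LSA; a missing or mismatched domain ID makes same-domain routes appear as external routes at the remote site.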
OSPF sham link
As shown in Figure 48, two routes exist between site 1 and site 2 of VPN 1:
A route connected through PEs—Inter-area route or external route.
Inter-area route—The route is an inter-area route if the two PEs have the same domain ID configured for the OSPF process of VPN 1.
External route—The route is an external route if the two PEs have no or different domain IDs configured for the OSPF process of VPN 1.
A route directly connected through CEs—Intra-area route, which is called a backdoor link.
The inter-area route priority is lower than the intra-area route priority. To use the inter-area route, you can establish a sham link between the two PEs to change the inter-area route to an intra-area route. VPN traffic is forwarded over the sham link through metric adjustment.
Figure 48: Network diagram for sham link
A sham link is considered a virtual point-to-point link within a VPN and is advertised in a Type 1 LSA. It is identified by the source IP address and destination IP address that are the local PE address and the remote PE address in the VPN address space. Typically, the source and destination addresses are loopback interface addresses with a 32-bit mask.
To add a route to the destination IP address of a sham link to a VPN instance, the remote PE must advertise the source IP address of the sham link as a VPN-IPv4 address through MP-BGP. To avoid routing loops, a PE does not advertise the sham link's destination address.