Problems and Analysis of Dual PE in an MPLS VPN Environment (OSPF)

Source: Internet
Author: User
Tags vrf cisco

This document discusses the problems that can arise, such as routing loops and sub-optimal paths, when a VPN site is dual-homed to two PEs in an MPLS environment. It analyzes these cases and introduces the OSPF-related problems in an MPLS VPN environment.

I. Experiment description

There are two sites, one on the left and one on the right. OSPF runs between PE and CE.

Both the left and right sites advertise their customer routes to the PEs so that the sites can communicate with each other. We focus on the routing of the left site.

We look at the different OSPF network designs in the two sites, their impact on the network, and the problems and solutions for the dual PEs of Site1 in each environment.

II. Device Configuration

The configurations of CE1, CE2, and S3.

The PE1 configuration is as follows:

ip vrf cisco
 rd 1:1
 route-target export 3456:12
 route-target import 3456:3
 route-target import 3456:12
!
ip cef
mpls label range 300 399
mpls ldp router-id Loopback0
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Ethernet0/0
 ip vrf forwarding cisco
 ip address 10.1.13.3 255.255.255.0
!
interface Ethernet0/1
 ip address 10.1.35.3 255.255.255.0
 mpls ip
!
router ospf 1 vrf cisco
 redistribute bgp 3456 subnets
 network 10.1.13.3 0.0.0.0 area 0
!
router ospf 100
 router-id 3.3.3.3
 network 3.3.3.3 0.0.0.0 area 0
 network 10.1.35.3 0.0.0.0 area 0
!
router bgp 3456
 no bgp default ipv4-unicast
 neighbor 5.5.5.5 remote-as 3456
 neighbor 5.5.5.5 update-source Loopback0
 address-family vpnv4
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
 exit-address-family
 address-family ipv4 vrf cisco
  no synchronization
  redistribute ospf 1 vrf cisco match internal external 1 external 2
 exit-address-family

The configurations of PE2 and PE3 are similar.

PE2 VRF Configuration:

ip vrf cisco
 rd <value lost in source>
 route-target export 3456:12
 route-target import 3456:3
 route-target import 3456:12

PE3 VRF Configuration:

ip vrf cisco
 rd :3
 route-target export 3456:3
 route-target import 3456:12
!
ip vrf forwarding cisco

III. Experimental Phenomena

1. The VRF OSPF process IDs at the sites on both sides are the same, and Site1 is a single OSPF area

First, consider the route transfer process from Site2 to Site1

Assume that we configure PE1 first and then PE2, and follow the route propagation. The key point is that after the VPNv4 route is delivered from R5 to PE1, PE1 injects the route into OSPF as Type 3 LSAs, and the Down bit of these Type 3 LSAs is set. Therefore, even when they are flooded to PE2 through the OSPF network in Site1, PE2 does not use these Type 3 LSAs for route computation, because the Down bit is set. Since these Type 3 LSAs are ignored, they are not installed in the routing table, and they are not re-injected into BGP by the OSPF-to-BGP redistribution on PE2. PE2 always ignores Type 3 LSAs with the Down bit set, even if the E0/1 interface of PE2 is shut down.

Therefore, in this environment, the network is very reliable thanks to the OSPF Down bit design.

Next, consider the route transfer process from Site1 to Site2.

Assume that OSPF-to-BGP redistribution is configured on PE1 first. The customer routes in Site1 are injected by PE1 into MP-BGP as VPNv4 prefixes and reflected by the RR to PE2. PE2 now learns the Site1 routes from two sides: from the VRF OSPF process and from MP-iBGP. Because the OSPF AD of 110 is lower than the iBGP AD of 200, PE2 prefers the OSPF routes, so no sub-optimal path results.

2. The VRF OSPF process IDs at the sites on both sides are the same, but Site1 is multi-area

Note: In this test the environment has changed. The change is in Site1, which goes from a single OSPF area to multiple areas. R1 belongs to area 0, R2 is the ABR, and the segment directly connected to PE2 and R2's own loopback 2.2.2.2 belong to area 1. What is the impact on the network?

First, consider the route transfer process from Site2 to Site1

First, look at what happens on PE1. PE1 learns 7.7.7.7, that is, the routes in Site2, through BGP and redistributes them into OSPF as Type 3 LSAs. These Type 3 LSAs have the Down bit set. CE1 then learns the O IA route for 7.7.7.7 and passes the Type 3 LSA on to CE2, which also accepts it. Because CE2 is an ABR and receives the Type 3 LSA from area 0, it injects a Type 3 LSA into the regular area, area 1. However, this Type 3 LSA is regenerated, and the Down bit is cleared. This is not the worst part. What is worse comes after the Type 3 LSA is passed to PE2. As analyzed before, for OSPF the MPLS VPN backbone is a super backbone area, so PE2 is both an ASBR and an ABR at this point. PE2 is an ABR, yet it has received a Type 3 LSA from area 1, which violates the OSPF principle that "Type 3 LSAs must pass through area 0". Therefore, PE2 ignores any Type 3 LSA from CE2 received in area 1. The Type 1 LSAs that CE2 generates within area 1 are still accepted.

Another problem caused by PE2 being an ABR is that the routes from area 0 in Site1 are advertised to PE2 through CE2 as Type 3 LSAs, and PE2 ignores them as well during route computation. This leads directly to the next problem: sub-optimal paths. How does this come about? We know that PE1 has learned the OSPF routes in Site1. It redistributes them into BGP, and the RR reflects them to PE2. So PE2 learns the routes in Site1 from BGP, while it ignores the Type 3 LSAs for Site1 sent by CE2. As a result, the Site1 area 0 routes installed in the routing table of PE2 are all BGP routes, which is the sub-optimal path. At this point, the routing table of PE2 is as follows:

B 1.1.1.1 [200/11] via 3.3.3.3, 01:27:08
O 2.2.2.2 [110/11] via 10.1.24.2, 00:00:04, Ethernet0/0
B 7.7.7.7 [200/11] via 6.6.6.6, 01:27:08
B 10.1.12.0/24 [200/20] via 3.3.3.3, 01:27:08
B 10.1.20./ 24 [200/0] via 3.3.3.3, 01:27:08
C 10.1.24.0/24 is directly connected, Ethernet0/0
B 10.1.67.0/24 [200/0] via 6.6.6.6, 01:27:08

The process described just now can be outlined in the figure above. During the experiment, a test was run in which the interface on PE2 that connects to the RR was shut down. The VRF routing table of PE2 becomes:

O 2.2.2.2 [110/11] via 10.1.24.2, 00:10:48, Ethernet0/0

Only one route remains, the one in area 1. But looking at the OSPF database of PE2, we find that there are still many Type 3 LSAs sent from CE2. This verifies our previous statement: PE2 considers itself an ABR and simply ignores them.
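The acceptance rules described above, modelled as an added example (a simplified sketch written for this page, not Cisco IOS code and not the author's). The LSA lists and the BGP prefix list are constructed from prefixes in the article, and `pe_accepts` and `vrf_table` are hypothetical names.

```python
from dataclasses import dataclass

AD = {"ospf": 110, "ibgp": 200}  # administrative distances quoted in the article

@dataclass(frozen=True)
class Lsa:
    prefix: str
    lsa_type: int         # 1 = router LSA (intra-area), 3 = summary LSA
    area: int             # area in which PE2 received the LSA
    dn_bit: bool = False  # Down bit, set by a PE that redistributes BGP into OSPF

def pe_accepts(lsa, pe_is_abr=True):
    """Simplified model: does the PE use this LSA in VRF route computation?"""
    if lsa.lsa_type == 3 and lsa.dn_bit:
        return False  # route already crossed the MPLS backbone once
    if lsa.lsa_type == 3 and pe_is_abr and lsa.area != 0:
        return False  # ABR rule: Type 3 LSAs count only when received in area 0
    return True

def vrf_table(lsas, bgp_prefixes):
    """Per prefix, pick the usable source with the lowest administrative distance."""
    sources = {}
    for lsa in lsas:
        if pe_accepts(lsa):
            sources.setdefault(lsa.prefix, set()).add("ospf")
    for prefix in bgp_prefixes:
        sources.setdefault(prefix, set()).add("ibgp")
    return {p: min(s, key=AD.get) for p, s in sources.items()}

# Constructed inputs as seen by PE2, using prefixes from the article.
BGP = ["1.1.1.1", "2.2.2.2", "7.7.7.7", "10.1.12.0/24"]  # reflected by the RR
SINGLE_AREA = [Lsa("1.1.1.1", 1, 0), Lsa("10.1.12.0/24", 1, 0),
               Lsa("2.2.2.2", 1, 0), Lsa("7.7.7.7", 3, 0, dn_bit=True)]
MULTI_AREA = [Lsa("1.1.1.1", 3, 1), Lsa("10.1.12.0/24", 3, 1),   # re-originated by CE2
              Lsa("2.2.2.2", 1, 1), Lsa("7.7.7.7", 3, 1)]        # Down bit cleared

if __name__ == "__main__":
    for name, lsas, bgp in [("case 1", SINGLE_AREA, BGP),
                            ("case 2", MULTI_AREA, BGP),
                            ("case 2, RR link down", MULTI_AREA, [])]:
        print(name, vrf_table(lsas, bgp))
```

In case 2 the Site1 area 0 prefixes fall back to iBGP, and with the RR link down only the area 1 route remains, matching the two PE2 routing tables shown above.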

The problem does not end there. PE2 performs two-way redistribution between OSPF and BGP. Because the routes in Site1 are in the routing table of PE2 at this point, after BGP-to-OSPF redistribution these routes are injected back into Site1:

So now we have to look at CE2.

For routes in area 0 of Site1, CE2 learns Type 1 and Type 2 LSAs from area 0, while the Type 3 LSAs come back from PE2. CE2 selects the intra-area routes computed from the Type 1 and Type 2 LSAs, so loops are naturally prevented.

For the Site2 route, CE2 learns Type 3 LSAs from PE1 and PE2 at the same time. Comparing the metrics, it selects PE2 as the next hop.

There is a detail to note here. R2 is an ABR, and some readers may wonder: since it is an ABR, when it receives the OSPF Type 3 LSAs redistributed by PE2, even if it places them in the LSDB, shouldn't it ignore them, because receiving Type 3 LSAs from the regular area, area 1, violates the OSPF rules? In this environment, however, CE2 not only installs the LSAs in the LSDB but also uses them in route computation. CE2 keeps these Type 3 LSAs to itself and does not flood them into area 0. That is to say, they affect only CE2.

To sum up, when Site1 is planned with multiple areas, a series of potential problems may occur. Therefore:

In an MPLS VPN environment, the OSPF network should be designed with caution.

For the above problem, you can consider creating a virtual-link between CE2 and PE2.

You can then use routing policy to filter out routes.

3. The VRF OSPF process IDs at the sites on both sides are different, and Site1 is a single OSPF area

The VRF OSPF process IDs on the two sides are different, and it is well known what happens then. When the Site2 route is injected into OSPF by PE1, it is injected as a Type 5 LSA. Then, proceed:

Thanks to the Domain-Tag design, our network is still robust.

Similarly, consider the route in Site1 that is injected into BGP by PE1 and then reflected back to PE2. Here the AD values are compared, and the BGP route loses.

Blog: http://blog.sina.com.cn/s/blog_5ec353710101eg0h.html
