Unanswered Question
Mar 26th, 2008

I have a problem with Type 3 (inter-area) routes being injected into the IP routing table.

CE router is configured as ABR between area 0 and each PE VRF is in its own area. On the PE, "show ip ospf database" shows all links in the database; however, it only injects Type 1 and 2 into the routing table.

To check my sanity I removed the VRF and used a single VPN in the global table, and voila, all the routes (IA etc.) now appear in the table.

Have I missed something obvious?

Is this even possible? I checked on a 7204 (NPE-G2) and a 3825 and both are the same.



Overall Rating: 4.7 (3 ratings)
mheusing Wed, 03/26/2008 - 04:17
User Badges:
  • Cisco Employee,

Hi Graham,

Can you please provide further information, namely:

- topology with all PE, CE and areas

- configuration excerpt from your PE containing the VRF and OSPF related parts

- output from "show ip bgp vpnv4 vrf ...", "show ip route vrf ...", "show ip ospf database summary" and "show ip ospf database router" from a PE

Otherwise it is nearly impossible to guess all this and give advice.

Regards, Martin

gwildfire Wed, 03/26/2008 - 07:09


Interestingly, I enabled "capability vrf-lite" under the OSPF process and it then added routes to the VRF table.

Interestingly, the description of the command suggests it's for CEs that don't have BGP enabled; this is not the case in my instance, however I have used OSPF to enable multicast (different topic for another day!)


I also set up a very basic lab, similar to the development network (I can't post real configs as it is a classified network).

mheusing Wed, 03/26/2008 - 16:57
User Badges:
  • Cisco Employee,


From the document you referenced:


Usage Guidelines

This command works only if the OSPF process is associated with the VRF.

When the OSPF process is associated with the VRF, several checks are performed when link-state advertisements (LSAs) are received. PE checks are needed to prevent loops when the PE is performing a mutual redistribution between OSPF and BGP interfaces.

Type-3 LSA received

The DN bit is checked. If the DN bit is set, the Type-3 LSA is not considered during the SPF calculation.

Type-5 or -7 LSA received

If the Tag in the LSA is equal to the VPN-tag, the Type-5 or -7 LSA is not considered during the SPF calculation.

In some situations, performing PE checks might not be desirable. The concept of VRFs can be used on a router that is not a PE router (that is, a router that is not running BGP). With the capability vrf-lite command, the checks can be turned off to allow correct population of the VRF routing table with routes to IP prefixes.


A "normal" PE redistributes OSPF into BGP (VRF routes into VPNv4 BGP) and vice versa. This can lead to routing loops in certain topologies. This is the reason why OSPF LSA types 3, 5 and 7 coming from a PE are "marked" and, based on those "markings", not used by another OSPF process running in a VRF. This is described above.

This kind of filtering can be turned off with the command "capability vrf-lite". If your CE is also running OSPF in a VRF, then you need to configure it.

Hope this helps! Please use the rating system.

Regards, Martin
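
The PE checks quoted in the reply above, modelled as an added example that is not part of the original thread and is not Cisco's code. It assumes the standard OSPFv2 LSA layout with the DN bit as the high-order bit of the Options octet (RFC 4576); the function names, the sample LSAs and the `VPN_TAG` value are constructed for illustration.

```python
import struct

DN_BIT = 0x80          # DN bit: high-order bit of the LSA Options octet (RFC 4576)
VPN_TAG = 0xD0000064   # constructed sample value standing in for the PE's VPN tag
HDR = "!HBB4s4sIHH"    # age, options, type, LS ID, adv router, seq, checksum, length

def parse_lsa(raw):
    """Parse the 20-byte OSPFv2 LSA header and, for Type-5/7, the route tag."""
    if len(raw) < 20:
        raise ValueError("truncated LSA header")
    _, options, ls_type, *_ = struct.unpack(HDR, raw[:20])
    lsa = {"type": ls_type, "dn": bool(options & DN_BIT), "tag": None}
    if ls_type in (5, 7):
        # Body: mask(4), E-bit/metric(4), forwarding address(4), route tag(4)
        if len(raw) < 36:
            raise ValueError("truncated external LSA body")
        lsa["tag"] = struct.unpack("!I", raw[32:36])[0]
    return lsa

def used_in_spf(raw, vpn_tag=VPN_TAG, vrf_lite=False):
    """Apply the checks from the quoted usage guidelines to one received LSA."""
    lsa = parse_lsa(raw)
    if vrf_lite:                       # capability vrf-lite: checks turned off
        return True
    if lsa["type"] == 3 and lsa["dn"]:
        return False                   # Type-3 with DN bit set is ignored
    if lsa["type"] in (5, 7) and lsa["tag"] == vpn_tag:
        return False                   # Type-5/7 carrying the VPN tag is ignored
    return True

def build_lsa(ls_type, options, tag=0):
    """Build a constructed sample LSA (checksum left at zero, not validated)."""
    mask = bytes([255, 255, 255, 0])
    if ls_type in (5, 7):
        body = struct.pack("!4sI4sI", mask, 20, bytes(4), tag)
    else:
        body = struct.pack("!4sI", mask, 10)
    return struct.pack(HDR, 1, options, ls_type, bytes([10, 1, 1, 0]),
                       bytes([192, 0, 2, 1]), 0x80000001, 0, 20 + len(body)) + body

if __name__ == "__main__":
    summary_from_pe = build_lsa(3, 0x82)   # Options: DN + E bits
    print("PE checks on :", used_in_spf(summary_from_pe))
    print("vrf-lite     :", used_in_spf(summary_from_pe, vrf_lite=True))
```

The first call models the symptom in the question (the Type-3 LSA is in the database but is skipped); the second models the same LSA once the checks are disabled.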

gwildfire Thu, 03/27/2008 - 01:24


I missed that, can't see the tree for the wood!

Great answer. As it's not MPLS as such, no redistribution occurs; OSPF is used to allow flow of multicast within different VRFs (BGP seems to have no VRF-based multicast address family).


