OSPF design in an MPLS environment

rays
Level 1

Hello, I was wondering what your thoughts were on the following:

customer has HQ and DR site. They have 2x other offices. All four sites are connected via an SP MP-BGP MPLS cloud.

Each site has its own OSPF area 0 (this is historical). The way the SP PE routers are configured is causing each site to learn each other's routes as OSPF Type E2.

I understand this behaviour can be changed by configuring SHAM links (on PE) and setting up a domain-id which is carried in the VPN4 packet and allows each site to learn IA routes or even O routes. I am looking to have this option configured at the PE.

My question is, what is the best design option for this scenario with regards to OSPF and backbone area 0?

Should I place all 4 sites in Area 0 (since there are only 4 locations) and have the CE routers as ABRs, i.e. each site has its own unique Area and also connects to Area 0?

Or should I place HQ and DR in Area 0 and use another area for each of the remote locations?

I am having a mental block just now with regards to the best way of setting this up, so any information would be great.

thanks

rays


Peter Paluch
Cisco Employee

Hello Rays,

Regarding the area number selection on your individual sites - if you are planning to use a sham link then the area numbers must be identical on both sites being interconnected with the sham link.

In general, however, the area numbers on your sites may be arbitrary. Personally, I would suggest numbering the existing areas on your sites as backbone areas (i.e. area 0). That will provide you with the maximum flexibility should you ever decide to extend the network on a site with new areas - in such case, a backbone area is absolutely necessary. There is no need to make the CE work as an ABR - currently, all routers, that is, the PE, CE and internal C routers should be placed into area 0. Note that it is not necessary to split your network into several areas unless you have a particular need to do that because of summarization needs, failure domain containment or reducing the LSDB size.

I am not sure if I answered all your questions - please ask further.

Best regards,

Peter

Hi Peter! Thanks for replying to me, that makes perfect sense. One other thing I should maybe have mentioned: I am looking to connect the 4 sites via a L2 VPN as backup to the primary L3 VPN. I will use this L2 for data replication also. This is the driver for me creating the sham link, in order to make sure the L3 is still preferred over the L2 VPN. I assume then, based on your answer, that it is OK to place the interfaces connecting to the L2 VPN in Area 0 also and just adjust the OSPF cost to make it less preferred than the L3?

I hope that makes sense.

thanks

rays

Hello Rays,

Your suggested scenario should work - the sham link will allow the sites to see their networks as intra-area (O) routes, and if its cost will be significantly lower than the cost of the L2 VPN interconnection, it should be the preferred way of communication between the sites.

Yes, the interfaces towards the L2 VPN should also be in Area 0. Actually, if you decide to have all your sites in Area 0, it would be highly incorrect to place the L2 VPN in a different area because that would essentially create a partitioned backbone (Area 0 segments on sites interconnected with a different area).

Best regards,

Peter

Thanks for the great advice Peter.

Many thanks

rays

Hello Rays,

The OSPF sham-link is needed only if you also have this L2 VPN backup link or it will be the primary link for all traffic because it provides OSPF intra-area routes.

The current settings of your provider can be tuned up to provide O IA routes without the use of sham-link just to note.

OSPF sham-link has to be configured by MPLS L3 VPN SP not on your CE nodes.

In order to divert part of the traffic over the backup link you will need PBR (policy-based routing) on the CE nodes.

I agree that putting all 4 sites CE links to L3 VPN in area 0 and L2 VPN links in area 0 is the safe move.

Put a high OSPF cost on the L2 VPN facing interface on the CE and ask the provider for an OSPF sham-link. Do not enable OSPF over the L2 VPN until the provider has made its changes.

Hope to help

Giuseppe
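
The route-preference reasoning in Peter's and Giuseppe's replies above, as an added example that is not part of the original thread: OSPF ranks path type before cost, so raising the cost on the L2 VPN interface only makes the L3 VPN preferred once the sham link turns its routes into intra-area routes. The costs and labels are constructed, and the model ignores equal-cost multipath and the E2 forward-metric tie-break.

```python
from dataclasses import dataclass

# OSPF compares path type before cost: intra-area (O) beats inter-area (O IA),
# which beats external type 1 (E1), which beats external type 2 (E2).
PATH_TYPE_RANK = {"O": 0, "O IA": 1, "E1": 2, "E2": 3}


@dataclass(frozen=True)
class Candidate:
    via: str        # constructed label for the path
    path_type: str  # key of PATH_TYPE_RANK
    cost: int       # total OSPF metric to the remote prefix


def best_path(candidates):
    """Pick the route OSPF installs: best path type first, then lowest cost."""
    return min(candidates, key=lambda c: (PATH_TYPE_RANK[c.path_type], c.cost))


def preferred_link(l3vpn_type, l3vpn_cost, l2vpn_cost, l3vpn_up=True):
    """Return which link carries traffic to a remote site's prefix.

    The L2 VPN is a backdoor link inside area 0, so its route is always
    intra-area (O). The L3 VPN route type depends on the PE configuration.
    """
    candidates = [Candidate("L2 VPN", "O", l2vpn_cost)]
    if l3vpn_up:
        candidates.append(Candidate("L3 VPN", l3vpn_type, l3vpn_cost))
    return best_path(candidates).via


if __name__ == "__main__":
    # Constructed costs: L2 VPN interface cost raised to 1000, L3 VPN path 30.
    cases = [
        ("E2 via PE, no sham link", "E2", 30, True),
        ("O IA via matching domain-id", "O IA", 30, True),
        ("O via sham link", "O", 30, True),
        ("O via sham link, L3 VPN down", "O", 30, False),
    ]
    for label, rtype, cost, up in cases:
        print(f"{label:32} -> {preferred_link(rtype, cost, 1000, up)}")
```

Only the sham-link case selects the L3 VPN; in the E2 and O IA cases the high-cost L2 VPN still wins because its route is intra-area.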

Thanks Giuseppe, that makes sense.

regards,

rays

Hi Giuseppe, you mentioned in your reply to my original post that I would need to run some PBR routing on the CE routers in order to make use of both IP VPN and Ethernet VPN... I would like to use both the IP VPN and Ethernet VPN in an active/active scenario and I am trying to figure out the best method of utilizing both circuits while providing resilience, i.e. both provide backup to one another.

I realize that there are probably many ways to achieve this type of setup (PBR being one of them) but I would like to hear how other people have managed to achieve the same goal.

So the setup would be:

Customer has multiple sites connected to each other via both IP VPN and EtherVPN. Both IP VPN and EtherVPN are all in OSPF AREA 0.... SHAM links are enabled across SP so routes from both IP And EtherVPN are seen as O or O IA type routes.

Based on this what would be the best method of achieving active/active scenario and what are benefits or issues with each option?

- PBR routing?

- Adjusting distance for certain learned routes so they are less or more preferred?

- Adjusting COST on OSPF interfaces?

- Running another routing protocol so that the lower AD protocol uses one VPN and the higher AD protocol uses the other...

I realize a lot depends on what the customer's requirements are. For example, he may need L2 connectivity for some application/DR functions, which would mean using EtherVPN...

Any other options??

It would be great to hear from anyone who has experience of this type of setup.

rays

Hello Rays,

>> Based on this what would be the best method of achieving active/active scenario and what are benefits or issues with each option?
>> - PBR routing?
>> - Adjusting distance for certain learned routes so they are less or more preferred?
>> - Adjusting COST on OSPF interfaces?
>> - running another routing protocol for so that lower AD protocol uses one VPN and the higher AD protocol uses the other..

I would use PBR in order to decide what IP flows go on the L2VPN link.

I would also use a higher OSPF cost on the L2VPN link. In this way the L2VPN link will be used by L2 replication traffic and selected IP flows that you can control.

>> - Adjusting distance for certain learned routes so they are less or more preferred?

I would stay away from this as it is not easy to manage and troubleshoot; playing with AD should be considered a last hope.

Making the two links equally preferred may not work as well.

And even if it works you miss control on what goes over L2VPN and what over L3VPN. I would not recommend this.

Using two different routing protocols is safer as it gives you an additional level of control.

Because the most specific route is used first, you could have selected traffic go over the L2VPN by allowing some component routes and using aggregate routes (less specific than OSPF routes) for all others.

EIGRP per interface summarization could be handy for this.

Hope to help

Giuseppe
