Hub-and-Spoke Layer 3 VPNs and OSPF Domain ID

The default behavior of an OSPF domain ID can cause the following problems for hub-and-spoke Layer 3 VPNs using OSPF between the PE and CE routers:

• PE routers set the down (DN) bit on all OSPF summary LSAs originating from area 0. PE routers are designated as area 0 by default because of the OSPF domain ID. When a PE router receives a summary LSA with the DN bit set, the LSA is not used in the OSPF calculation. This is done to prevent routing loops.

  For a hub-and-spoke Layer 3 VPN, when the hub PE router generates an OSPF summary LSA, it also sets the DN bit before sending it to the hub CE router. When the hub CE router sends the LSA back to the PE router, the PE router does not use the LSA in the OSPF calculation because the DN bit is set. Routes aggregated within the CE router are not affected.

• PE routers generating external LSAs learned from BGP updates set the domain-vpn-tag field to a value derived from the PE router’s autonomous system (AS) number and an arbitrary tag. When a PE router receives an external LSA with a vpn-route-tag field that matches its own domain-vpn-tag field, the LSA is not used in the OSPF calculation. This is done to prevent routing loops.

  For a hub-and-spoke Layer 3 VPN, an external LSA originated by a hub PE router is sent to the hub CE router, which then sends it back to the same PE router. Because the vpn-route-tag field matches the PE router’s domain-vpn-tag field, the LSA is not used in the OSPF calculation. Routes aggregated within the CE router are not affected.

  For hub-and-spoke Layer 3 VPNs using OSPF between the PE and CE routers to work, you need to configure the following on the hub PE router:

• Configure the disable statement at the [edit routing-instances routing-instance-name protocols ospf domain-id] hierarchy level on the routing instance for the hub CE router. This removes area 0 from the PE router, allowing the PE router to forward LSAs without setting the DN bit. When an LSA comes back from the hub CE router, the PE router can install it because the DN bit is not set.
• Configure 0 for the domain-vpn-tag statement at the [edit routing-instances routing-instance-name protocols ospf] hierarchy level on the routing instance for the spoke CE router. This removes any VPN route tags that are set on the external LSAs, preventing a VPN route tag match and allowing the PE router to install the LSA.

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.