Hi, All. I was doing a hub-and-spoke vpn lab with OSPF as PE-CE routing protocol.

vpnA: CE1=PE1\ CE2-PE2-P CE3-PE3/

PE1 is the hub PE with 2 interfaces connecting CE1, where CE2/3 are spokes.

When I omit the domain-id and domain-vpn-tag, PE1 will set the DN-bit in LSAs and flood them to CE1. When the LSAs got flooded back into the vpnA-downstream instance, PE1 will not consider them in SPF algorithm.

To get these routes advertised as hub-routes to spoke sites, I have 2 options:

Option 1:
  1a. Put CE1's vpnA-downstream interface in another area, so the Type-3 LSAs will be re-originated at ABR CE1 with DN-bit cleared.
  1b. Configure "domain-id disable" in vpnA-downstream instance, to allow these Type-3 LSAs (DN-bit cleared) to be considered in SPF algorithm. (see ref#1)
  1c. Configure "domain-vpn-tag 0" in vpnA-upstream instance, to allow Type-5 LSAs to be considered in SPF algorithm.

Option 2:
  2a. Both of the CE's vpnA-upstream/downstream interfaces are in the same area.
  2b. Configure "domain-id disable" in vpnA-upstream instance, to flood Type-3 LSAs with DN-bit cleared. (I found that these LSAs will be converted to Type-5 LSAs)
  2c. Configure "domain-vpn-tag 0" in vpnA-upstream instance, to allow Type-5 LSAs to be considered in SPF algorithm.

The only difference between Options 1&2 is the route type of remote OSPF internal spoke routes.
  Option 1 will consider them as OSPF/10 (Type-3 LSAs)
  Option 2 will consider them as OSPF/150 (Type-5 LSAs)

Q1: What is the best practice? Option 1, 2 or another approach?

Q2: What are the side effects of "domain-id disable"? Different domain-ids will make PEs convert remote Type-3 LSAs to Type-5 LSAs. And "domain-id disable" will clear the DN-bit in Type-3 LSAs. But I cannot find whether "domain-id disable" makes PEs convert Type-3 LSAs to Type-5 LSAs or not. (According to my test, it will.)

Q3: What are the side effects of "domain-vpn-tag 0"? It will clear the DN-bit in Type-5 LSAs and set vpn-tag to 0. Anything else?

Q4: In this case, will sham-links help?

Q5: I cannot find usage guidelines of "domain-id disable" and "domain-vpn-tag 0" for versions after JunOS 12.2. Do these behaviors change in later versions?

Thank You!

ref#1: http://www.juniper.net/techpubs/en_US/junos12.2/topics/usage-guidelines/vpns-configuring-routing-between-pe-and-ce-routers-in-layer-3-vpns.html#id-10954391
"You can change the configuration of the PE router’s routing instance to cause the PE router to act as a non-ABR by including the disable statement at the [edit routing-instances routing-instance-name protocols ospf domain-id] hierarchy level."

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp