[j-nsp] Best practices on domain-id/domain-vpn-tag in hub-and-spoke scenario?
Pyxis LX
pyxislx at gmail.com
Mon Feb 29 03:28:21 EST 2016
Hi, All.
I was doing a hub-and-spoke vpn lab with OSPF as PE-CE routing protocol.
vpnA:
CE1=PE1\
CE2-PE2-P
CE3-PE3/
PE1 is the hub PE with 2 interfaces connecting CE1, where CE2/3 are spokes.
When I omit the domain-id and domain-vpn-tag, PE1 will set the DN-bit
in LSAs and flood them to CE1. When the LSAs got flooded back into the
vpnA-downstream instance, PE1 will not consider them in SPF algorithm.
To get these routes advertised as hub-routes to spoke sites, I have 2 options:
Option 1:
1a. Put CE1's vpnA-downstream interface in another area, so the Type-3
LSAs will be re-originated at ABR CE1 with DN-bit cleared.
1b. Configure "domain-id disable" in vpnA-downstream instance, to
allow these Type-3 LSAs (DN-bit cleared) to be considered in SPF
algorithm.
(see ref#1)
1c. Configure "domain-vpn-tag 0" in vpnA-upstream instance, to allow
Type-5 LSAs to be considered in SPF algorithm.
Option 2:
2a. Both of the CE's vpnA-upstream/downstream interfaces are in the same area.
2b. Configure "domain-id disable" in vpnA-upstream instance, to flood
Type-3 LSAs with DN-bit cleared. (I found that these LSAs will be
converted to Type-5 LSAs)
2c. Configure "domain-vpn-tag 0" in vpnA-upstream instance, to allow
Type-5 LSAs to be considered in SPF algorithm.
The only difference between Options 1&2 is the route type of remote
OSPF internal spoke routes.
Option 1 will consider them as OSPF/10 (Type-3 LSAs)
Option 2 will consider them as OSPF/150 (Type-5 LSAs)
Q1: What is the best practice? Option 1, 2 or another approach?
Q2: What are the side effects of "domain-id disable"?
Different domain-ids will make PEs convert remote Type-3 LSAs to
Type-5 LSAs. And "domain-id disable" will clear the DN-bit in Type-3
LSAs.
But I cannot find whether "domain-id disable" makes PEs convert Type-3
LSAs to Type-5 LSAs or not. (According to my test, it will.)
Q3: What are the side effects of "domain-vpn-tag 0"? It will clear the
DN-bit in Type-5 LSAs and set vpn-tag to 0. Anything else?
Q4: In this case, will sham-links help?
Q5: I cannot find usage guidelines of "domain-id disable" and
"domain-vpn-tag 0" for versions after JunOS 12.2. Do these behaviors
change in later versions?
Thank You!
ref#1: http://www.juniper.net/techpubs/en_US/junos12.2/topics/usage-guidelines/vpns-configuring-routing-between-pe-and-ce-routers-in-layer-3-vpns.html#id-10954391
"You can change the configuration of the PE router’s routing instance
to cause the PE router to act as a non-ABR by including the disable
statement at the [edit routing-instances routing-instance-name
protocols ospf domain-id] hierarchy level."