Monday, September 28, 2009

OSPF capability VRF-Lite Command, down-bit and domain-tag

  1. The PE sets the DN bit or the domain tag when it redistributes a route from MP-BGP into the VRF OSPF process: the OSPF VRF process on the PE marks the LSAs it originates from those BGP routes. A CE running OSPF inside a VRF (VRF-lite) only checks these markers and floods them on unchanged; it never sets them.


  2. Whenever OSPF runs inside a VRF (router ospf <id> vrf <name>), the process defaults to "no capability vrf-lite", which means the DN-bit and domain-tag checks are turned ON (PE behaviour).

    When checking is enabled:

  • If the DN bit is set, the Type-3 LSA is not considered during the SPF calculation.
  • If the tag in the LSA equals the VPN tag (the process's own domain tag), the Type-5 or Type-7 LSA is not considered during the SPF calculation.

    The LSAs themselves are still flooded by normal OSPF flooding; the check only keeps the route out of the routing table, so it can never be redistributed back into MP-BGP.


  1. When the domain IDs of the PEs are the same, a route redistributed from MP-BGP into OSPF is originated as a Type-3 (inter-area summary) LSA, and the PE sets the DN bit on it.


  2. When the domain IDs of the PEs differ, the route is originated as a Type-5 external LSA and the PE sets the domain tag. By default the tag is derived from the local BGP AS number (on Cisco IOS it shows up as 0xD0000000 + AS, the RFC 1745 automatic-tag encoding); the domain-tag command under the OSPF process overrides it, and then both PEs must agree on the value.

    In the implementation described here the DN bit is not set on this LSA, because Type-5 LSAs originally did not carry the DN bit. RFC 4576 later extended the DN bit to Type-5 and Type-7 LSAs, so newer software sets and checks it on those as well.

    When the route is redistributed into another OSPF domain, the tag field is carried along. Another PE running an OSPF VRF process receives the external OSPF route and filters it on the tag field: the tag matches its own AS number, so the route is not redistributed into MP-BGP.

  3. When a normal CE running plain OSPF (no VRF) receives a Type-3 LSA with the DN bit or a Type-5 LSA with the domain tag from a PE (the PE runs MP-BGP, so it is the PE that set the marker), it performs no check on the LSA: it installs the route and floods the LSA, marker intact, to its other neighbours.


  4. A VRF-based (multi-VRF) CE behaves differently. Its OSPF VRF processes check the DN bit and the domain tag automatically and filter accordingly: a Type-3 LSA with the DN bit set, and a Type-5 or Type-7 LSA whose tag matches the process's domain tag, are kept out of SPF, so no route is installed and there is nothing to redistribute onward. The LSAs are still flooded by normal OSPF flooding with the DN bit and tag unchanged. If a tagged Type-5/7 LSA later reaches a router that also runs MP-BGP, that router compares the tag with its own AS and does not redistribute the route into MP-BGP when they match. On a multi-VRF CE this default check is usually not what you want, because the CE then refuses the routes the PE advertises to it; that is the purpose of the capability vrf-lite command: it turns the DN-bit and domain-tag checks off on the CE. It must not be configured on a PE, where the checks are the loop prevention.
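As an added example (not configuration from the original post), here are the two roles described above on Cisco IOS: a PE whose VRF OSPF process sets the DN bit or the domain tag when it redistributes from MP-BGP, and a multi-VRF CE that needs capability vrf-lite so that it accepts those routes. The AS number 65000, the VRF name CUST, OSPF process 100, RD/route target 65000:1 and the prefixes are all assumed values; the exact redistribute syntax under the VRF address family varies slightly between IOS releases.

```text
! ---------- PE ----------
! Default for a VRF OSPF process is "no capability vrf-lite":
! DN-bit and domain-tag checks are ON, which is what a PE needs.
ip vrf CUST
 rd 65000:1
 route-target both 65000:1
!
router ospf 100 vrf CUST
 ! Routes redistributed from BGP are originated as Type-3 (DN bit set)
 ! when the remote PE has the same domain ID, else as Type-5 with the
 ! domain tag; by default the tag is derived from AS 65000.
 redistribute bgp 65000 subnets
 network 10.1.1.0 0.0.0.255 area 0
 ! Optional: make all PEs agree explicitly (assumed values)
 ! domain-id 0.0.0.100
 ! domain-tag 65000
!
router bgp 65000
 address-family ipv4 vrf CUST
  redistribute ospf 100 vrf CUST match internal external 1 external 2
!
! ---------- multi-VRF CE ----------
ip vrf CUST
 rd 65000:1
!
router ospf 100 vrf CUST
 ! Without this line the CE drops the PE's DN-bit Type-3 and tagged
 ! Type-5/7 routes from SPF, exactly as a PE would. Never set it on a PE.
 capability vrf-lite
 network 10.1.1.0 0.0.0.255 area 0
 network 10.2.2.0 0.0.0.255 area 0
```

To verify on the CE, show ip ospf database summary lists the PE-originated Type-3 LSAs with "Downward" in the Options field, and show ip ospf database external shows the domain tag in the Tag field of the Type-5 LSAs; with capability vrf-lite configured the corresponding prefixes appear in show ip route vrf CUST, without it they do not.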


  1. This is actually the most detailed post on the old capability vrf-lite topic on the internet!
    Thanks man

  2. Thanks for sharing. However, currently I'm facing a loop issue in a VPN environment although I turned on down-bit checking with the command no capability vrf-lite. I posted this question to the Cisco support forum (but haven't got any answer). Can you help by sharing your ideas on it? Thanks

  3. This comment has been removed by the author.

  4. Great job! This blog is very interesting...
    Thanks for sharing an awesome blog. I think it's very useful for me... really amazing content... keep it up.
    Visit my site: Cisco Router Support

  5. Really appreciate this post!
