I decided to use ISIS as my PE-CE routing protocol during a lab and found that I can easily introduce a loop into ISIS, without a backdoor link or anything too complex!

     +-----+         +-----+
 L1/2| PE1 |---------| PE2 |L1/2
     +-----+         +-----+
        |               |
        |               |
     +-----+         +-----+
     | CE1 |         | CE2 |
     +-----+         +-----+

So normal MPLS L3VPN...CE/PEs are both running in L2L1 (default). Each CE originates a loopback.
PEs have the loopback addresses of the CEs in their VRF table as Level1 (since Level1 is preferred over Level2).
PEs exchange this over their VPNv4 session.
PEs redistribute from BGP into ISIS...but here is the interesting part...instead of just issuing "redistribute bgp X" (which would by default inject the BGP prefixes into Level2 only) we use "redistribute bgp X level-1-2", forcing the redistributed prefixes to go into BOTH level 1 and level 2.
The CEs receive both LSPs (level1 and level2)...the prefix injected on the CE-PE we are going to look at is 91.91.91.91/32
91.91.91.91/32
[115/L1/10] via 10.90.92.90(Ethernet1/0), from 10.90.92.90, tag 0, LSP[2/85]
(installed)
[115/L2/10] via 10.90.92.90(Ethernet1/0), from 10.90.92.90, tag 0, LSP[6/36]
But the CE only installs the L1 of course. As soon as this happens, this prefix starts flapping. One second it's installed, one second it's not. Both L1 and L2 instances of this prefix flap (observed by doing "show isis rib").
On the PE, the same flapping happens. Only the PE is oscillating between an L2 route and a BGP route
R90#show ip route vrf ISIS | b Gate
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.90.92.0/24 is directly connected, Ethernet1/1
L 10.90.92.90/32 is directly connected, Ethernet1/1
91.0.0.0/32 is subnetted, 1 subnets
i L2 91.91.91.91 [115/20] via 10.90.92.92, 00:00:01, Ethernet1/1
Then a sec later:
R90#show ip route vrf ISIS | b Gate
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.90.92.0/24 is directly connected, Ethernet1/1
L 10.90.92.90/32 is directly connected, Ethernet1/1
91.0.0.0/32 is subnetted, 1 subnets
B 91.91.91.91 [200/10] via 89.89.89.89, 00:00:00
Why is this feedback loop occurring? The PE has the prefix installed through BGP, injects it into L1 and L2, the CE installs it as L1, but not L2...however, it sends the L2 advertisement BACK to the PE...the PE installs the L2 (since it has a lower AD) and preempts the BGP route.
Why is this CE sending this back?
Of course, I can just run L1 or L2 and not both, or just not redistribute into both levels...but isn't there any type of loop prevention mechanism for this situation? I know there is the U/D bit, but this is used for route leaking between levels.
I was reading MPLS and VPN Architectures, Volume II, which is an older book. The version of code they are using seems to treat redistributed routes from MPLS into the PE-CE ISIS instance as if they were leaked (inter-area)...which in this case then they get the U/D bit.
Has anyone else run into this problem?
Pablo
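
The feedback loop described in the post, as a small round-based model (an added example, not part of the original post and not router code). It assumes the administrative distances shown in the outputs above (IS-IS 115, BGP 200), that redistribution only picks up the prefix while the BGP route is the one installed in the VRF table, and that the L1/L2 CE re-originates its installed L1 route into L2 unless the down bit is set; all function and parameter names are hypothetical.

```python
# Round-based model of the PE/CE feedback loop (constructed example, not router code).
AD = {"bgp": 200, "isis-l2": 115}  # administrative distances seen in the post's outputs

def simulate(redistribute_levels, down_bit=False, rounds=8):
    """Return which source the PE installs for the prefix in each round.

    redistribute_levels: IS-IS levels the PE redistributes BGP into, e.g. (2,) or (1, 2).
    down_bit: assumption - PE marks redistributed prefixes as leaked (U/D bit set),
              so the CE must not propagate them from L1 up into L2.
    """
    ce_advertises_l2 = False  # does the CE's own L2 LSP carry the prefix?
    history = []
    for _ in range(rounds):
        # PE route selection: the VPNv4 path is always in the BGP table; an
        # IS-IS L2 path exists only while the CE advertises the prefix in L2.
        candidates = ["bgp"] + (["isis-l2"] if ce_advertises_l2 else [])
        best = min(candidates, key=AD.get)
        history.append(best)
        # Assumption: redistribution reads the RIB, so the PE only injects the
        # prefix into IS-IS while the BGP route is the installed one.
        pe_levels = set(redistribute_levels) if best == "bgp" else set()
        # CE (L1/L2 router): installs the L1 copy and re-originates it into L2,
        # unless the down bit tells it the prefix was leaked.
        ce_advertises_l2 = (1 in pe_levels) and not down_bit
    return history

def flaps(history):
    """Count changes of installed source between consecutive rounds."""
    return sum(a != b for a, b in zip(history, history[1:]))

if __name__ == "__main__":
    for label, kwargs in [
        ("redistribute bgp X level-1-2", {"redistribute_levels": (1, 2)}),
        ("redistribute bgp X (L2 only)", {"redistribute_levels": (2,)}),
        ("level-1-2 with down bit set", {"redistribute_levels": (1, 2), "down_bit": True}),
    ]:
        h = simulate(**kwargs)
        print(f"{label:32} flaps={flaps(h)}  {h}")
```

In this model only the level-1-2 case without the down bit alternates between the BGP and L2 routes on every round; the other two cases stay on the BGP route.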