This document describes the down-bit (DN bit) ignore feature on Cisco NX-OS. The feature allows a Provider Edge (PE) router to accept, rather than ignore, type 3, type 5, and type 7 link-state advertisements (LSAs) received from a Customer Edge (CE) router with the DN bit set, and to consider these LSAs in Open Shortest Path First (OSPF) route computation. The DN bit is used to prevent routing loops in a Layer 3 VPN (L3VPN) setup with OSPF as the PE-CE routing protocol. This feature allows the DN bit check to be ignored in certain special topologies, such as a hub-and-spoke topology of PE routers. It applies only to such topologies and should be used carefully; otherwise it can result in routing loops.
The CLI command for the feature is:
The CLI command is visible only in the router OSPF Virtual Routing and Forwarding (VRF) mode on a PE router and is not visible in the router OSPF global mode (default VRF) on a PE router. The feature is disabled in the router OSPF VRF mode on a non-PE router.
In an L3VPN setup with OSPF used as the routing protocol between PE and CE routers, when Multiprotocol BGP (MP-BGP) routes that arrive over a Multiprotocol Label Switching (MPLS) cloud are redistributed into OSPF on the PE router, all resulting LSAs (whether type 3, type 5, or type 7) are generated with the DN bit set. When a PE receives a type 3, 5, or 7 LSA with the DN bit set from a CE router, the information from the LSA is not used in the OSPF route calculation. As a result, the LSA is not translated into a BGP route. This DN bit check prevents routing loops.
However, there are certain special scenarios, such as a hub-and-spoke topology in an OSPF PE-CE setup (that is, a topology where multiple spoke PE routers are all connected to a central hub PE router). LSAs from one spoke PE reach the hub PE and a CE router, where they loop and come back into a different VRF on the hub PE. These LSAs (type 3, 5, or 7) would normally not be used in the OSPF route calculation because they have the DN bit set. The expectation in this topology is that when the LSAs loop and come back into a different VRF on the hub PE, they should be processed and finally make their way to another spoke PE. Therefore, the DN bit ignore feature provides a knob to disable the DN bit check on the PE router.
Hub-and-Spoke OSPF PE-CE Setup
Interoperability of the DN Bit Ignore Feature with VPN Tags
Type 5 and type 7 LSAs have an external route tag associated with them. Most OSPF implementations on a PE router accept a type 5 or type 7 LSA if the external route tag (VPN tag) is different from the domain tag assigned to the PE subrouter. When the DN bit ignore feature is combined with an external route tag, a PE router processes a type 5 or type 7 LSA with the DN bit set only if the DN bit ignore feature is enabled and the external route tag of the LSA does not match the domain tag assigned to the subrouter. You therefore need to ensure that the tags do not match if the routes are type 5 or type 7.
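As an added illustration of the acceptance rules described in this section and in the DN bit check description above (example code written for this page, not NX-OS's own logic), the following Python model decides whether a PE VRF uses a received LSA. The `Lsa` type, the `domain_tag` value and the sample LSAs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Lsa:
    lsa_type: int                       # 3 (summary), 5 (AS-external) or 7 (NSSA external)
    dn_bit: bool                        # DN bit set when the originating PE redistributed MP-BGP into OSPF
    external_tag: Optional[int] = None  # external route (VPN) tag; carried by type 5 and 7 only


def lsa_verdict(lsa: Lsa, *, dn_bit_ignore: bool, domain_tag: int) -> Tuple[bool, str]:
    """Decide whether a PE VRF uses the LSA in OSPF route computation.

    Returns (accepted, reason). This models the rules in the text; it is not NX-OS code.
    """
    if lsa.lsa_type not in (3, 5, 7):
        raise ValueError("the DN bit applies only to type 3, 5 and 7 LSAs")
    if lsa.dn_bit and not dn_bit_ignore:
        # Default behaviour: the DN bit alone blocks the LSA (loop prevention).
        return False, "DN bit set and DN bit check active (loop prevention)"
    if lsa.lsa_type in (5, 7) and lsa.external_tag == domain_tag:
        # The VPN tag check still applies even when the DN bit is ignored.
        return False, "external route tag matches the PE domain tag"
    if lsa.dn_bit:
        return True, "DN bit set but ignored by the down-bit ignore feature"
    return True, "no DN bit; normal processing"


def review(lsas: List[Lsa], *, dn_bit_ignore: bool, domain_tag: int) -> List[Tuple[Lsa, bool, str]]:
    """Run the verdict over a batch of LSAs a PE VRF received from a CE."""
    return [(lsa, *lsa_verdict(lsa, dn_bit_ignore=dn_bit_ignore, domain_tag=domain_tag)) for lsa in lsas]


# Constructed sample: LSAs a hub PE VRF might see looping back from a CE (example data, not from the page).
SAMPLE = [
    Lsa(3, True),
    Lsa(5, True, external_tag=100),   # tag equals the assumed domain tag 100: always rejected
    Lsa(5, True, external_tag=200),
    Lsa(7, False, external_tag=300),
]

if __name__ == "__main__":
    for enabled in (False, True):
        print(f"down-bit ignore {'enabled' if enabled else 'disabled'}:")
        for lsa, ok, why in review(SAMPLE, dn_bit_ignore=enabled, domain_tag=100):
            print(f"  type {lsa.lsa_type} dn={lsa.dn_bit} tag={lsa.external_tag}: {'use' if ok else 'drop'} ({why})")
```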
Comparison of the NX-OS Behavior with Cisco IOS®
Cisco IOS behavior is described here:
- Cisco IOS uses the concept of "capability vrf-lite" in order to achieve the functionality of ignoring the DN bit on a multi-VRF CE router. VRF-lite is a suite of features that makes the PE act as if it were a CE router, in addition to the DN bit ignore. Other checks, such as the domain tag match, are also disabled, and the router processes summary routes from all areas.
- Cisco NX-OS does not have an explicit VRF-lite mode; the normal NX-OS VRFs are in effect VRF-lite.
- This VRF mode command is used by Cisco IOS:
# capability vrf-lite
In conclusion, enable this feature with caution; ignoring the DN bit check in a topology that does not require it can result in routing loops.