Tuesday, May 31, 2022

configure the "capability vrf lite"

On Cisco routers, an OSPF process that runs in a VRF automatically and unconditionally considers itself to be an ABR: it believes it is connected to a so-called MPLS Superbackbone (even though there may be no BGP/MPLS configured on the router at all).

This may pose problems if such a router is actually a part of a network that uses multiple areas. Consider the following scenario:

R1 (VRF) --- Link in Area 1 --- R2 --- Link in Area 0 --- R3

Here, R2 is obviously an ABR because it has two links, one in Area 0, the other in Area 1. R1 is, by all means, an internal router in Area 1. However, because R1 runs the link toward R2, and OSPF over this link, in a VRF, R1 considers itself to also be an ABR toward the MPLS Superbackbone.

As a result, R1 - thinking it is an ABR - will not place any networks from Area 0 nor from any other area behind R2 into its routing table, because by OSPF rules, an ABR processes only those inter-area routes (that is, LSA-3 and LSA-4) that have been received over an adjacency in Area 0, and R1 has no such adjacency. The end result will be that R1 will be unable to talk with any network outside its own Area 1.

This behavior on R1 is also deactivated by the "capability vrf-lite" command.

Thus, "capability vrf-lite" has several effects:

  • The router stops considering itself as the ABR connected to the MPLS Superbackbone
  • The router will ignore the DN bit set in LSA-3, LSA-5 and LSA-7, and will not set this bit when doing redistribution into OSPF
  • The router will ignore the tag value received in LSA-5 and LSA-7, and it will not set this value to any specific value when doing redistribution into OSPF.
Refer:

https://community.cisco.com/t5/routing/where-to-configure-the-quot-capability-vrf-lite-quot-on-ce-or-pe/td-p/2812305
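
The R1 scenario above as a small model, added here as an illustration (it is not Cisco's implementation and not code from the referenced thread). The prefixes, class names and the DN-bit sample entry are constructed assumptions; the model covers only the ABR rule and the DN-bit rule, not the tag handling.

```python
from dataclasses import dataclass

BACKBONE = 0  # Area 0

@dataclass(frozen=True)
class Router:
    name: str
    areas: frozenset          # areas in which the router has adjacencies
    in_vrf: bool = False      # OSPF process runs in a VRF
    vrf_lite: bool = False    # "capability vrf-lite" is configured

    @property
    def acts_as_abr(self) -> bool:
        # ABR if attached to several areas, or if in a VRF and therefore
        # assumed to be attached to the MPLS Superbackbone.
        return len(self.areas) > 1 or (self.in_vrf and not self.vrf_lite)

    @property
    def honors_dn_bit(self) -> bool:
        return self.in_vrf and not self.vrf_lite

@dataclass(frozen=True)
class LSA:
    lsa_type: int             # 3, 4, 5 or 7
    prefix: str
    area: int                 # area of the adjacency it was received over
    dn_bit: bool = False

def decide(router: Router, lsa: LSA) -> tuple:
    """Return (used_for_routing, reason) for one received LSA."""
    if lsa.dn_bit and lsa.lsa_type in (3, 5, 7) and router.honors_dn_bit:
        return False, "DN bit set"
    if lsa.lsa_type in (3, 4) and router.acts_as_abr and lsa.area != BACKBONE:
        return False, "ABR: inter-area LSA not received over Area 0"
    return True, "accepted"

def routing_table(router: Router, lsdb: list) -> list:
    return sorted(l.prefix for l in lsdb if decide(router, l)[0])

# Constructed LSDB as seen by R1: summaries that R2 floods into Area 1.
LSDB = [
    LSA(3, "10.0.0.0/24", area=1),               # network in Area 0 behind R2
    LSA(3, "10.2.0.0/24", area=1),               # network in another area
    LSA(3, "10.9.0.0/24", area=1, dn_bit=True),  # summary carrying the DN bit
]
R1_default = Router("R1", frozenset({1}), in_vrf=True)
R1_vrf_lite = Router("R1", frozenset({1}), in_vrf=True, vrf_lite=True)

if __name__ == "__main__":
    for r in (R1_default, R1_vrf_lite):
        print(r.name, "vrf-lite" if r.vrf_lite else "default", routing_table(r, LSDB))
```

Without "capability vrf-lite" the modelled R1 installs none of the three prefixes; with it, all three are installed.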

Thursday, May 5, 2022

Advertise directly connected subnet in BGP in Palo Alto

To advertise a directly connected subnet in BGP on a Palo Alto firewall, you will need to create a redistribution profile. In that profile, you will need to specify the protocol (i.e. BGP or OSPF) you want to run.




Wednesday, May 4, 2022

AWS - Direct Connect things to consider

1. Constraint on the number of VPCs per Direct Connect gateway: we can only connect 10 VPCs (via VGW, virtual private gateway) per Direct Connect gateway.

 - https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html

2. Can have only 1 transit VIF per Direct Connect circuit.

3. Consider latency on the circuit and the physical path.

4. Make sure that the Direct Connect circuits are not connected on a single piece of hardware. Should raise a ticket with AWS to confirm that.


Monday, May 2, 2022

Broadcast traffic handling on Cisco 9500

 


Faced an interesting issue today:

Traffic coming from a remote site with a broadcast IP as the destination IP was not getting any replies. Performed a packet capture on the C9500 outgoing SVI and found that the traffic was not going out.

Found this link on the Cisco blog to fix the issue.

Need to apply ip network-broadcast on the incoming SVI and ip directed-broadcast on the outgoing SVI to fix the issue!

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-3/configuration_guide/rtng/b_173_rtng_9500_cg/configuring_ip_unicast_routing.html#topic_jgn_gxx_kgb

 

Table 5. Feature Information for IP Unicast Routing

| Release | Feature | Feature Information |
|---|---|---|
| Cisco IOS XE Everest 16.5.1a | IP Unicast Routing | IP Unicast Routing is a routing process that forwards traffic to an unicast address. Routers and Layer 3 switches route packets either through preprogrammed static routes or through default routes. |
| Cisco IOS XE Amsterdam 17.3.1 | New command ip network-broadcast | ip network-broadcast command was introduced to receive and accept network-prefix-directed broadcast packets. |






