300-410 Exam - Question 108

Question

An engineer configured a company's multiple area OSPF Head Office router and Site A Cisco routers with VRF lite. Each site router is connected to a PE router of an MPLS backbone:

Head Office & Site A -

ip cef

ip vrf abc

rd 101:101

!

interface FastEthernet0/0

ip vrf forwarding abc

ip address 172.16.16.X 255.255.255.252

!

router ospf 1 vrf abc

log-adjacency-changes

network 172.16.16.0 0.0.0.255 area 1

After finishing both site router configurations, none of the LSA 3, 4, 5, and 7 are installed at Site A router.

Which configuration resolves this issue?

Examice · Accepted Answer

To resolve the issue with LSA types not being installed at Site A router, you need to configure the 'capability vrf-lite' command on both the Head Office and Site A routers under router OSPF 1 VRF ABC. The 'capability vrf-lite' command disables the DN-bit (down bit) and domain-tag checks within OSPF, which is necessary because these routers are acting as Customer Edge (CE) devices that need to treat VRFs the same way as Provider Edge (PE) routers in an MPLS network. This setup ensures that the Site A router correctly installs the LSA types.

myrmike · Answer

Notice that three of the answers involve configuring the PE router also.  Since the engineer configured the company's router he presumably works for the company and not the ISP so the engineer would not have access to the PE router(s)

wts · Answer

capability vrf-lite command should be enabled:
- only on the CE router
- only when you have VRFs on your CE router

GreatDane · Answer

Ref: Solved: Where to configure the "capability vrf lite", on CE or PE? - Cisco Community

Post by Jon Marshall

“The DN bit is a check that, usually, PE routers use to check whether to install certain types of LSAs into a VRF and is used as a loop prevention method.

If your CE router is not running VRFs but using OSPF to connect to the PE router then you do not need that command anywhere.

If however you configure VRFs on your CE router then it now uses the same checks as the PE routers because it believes it is directly connected to the MPLS network in the way the PE is, even though it isn't.

And then you would need to use that command on your CE router.

So, put simply, you only need to use that command if your CE router is using "VRF-Lite" and OSPF is in use between the CE and PE routers.
…”

Edwinmolinab · Answer

Answer: A

Explanation

In this case both Head Office and Site A routers run VRF (and OSPF) although they are CE routers.

So we must configure “capability vrf-lite” on them too.

For your information, the capability vrf-lite command disables the DN-bit (down bit) and domain-tag checks in OSPF. Since the CE router acts as the PE router in VRF-lite, these checks should be disabled, because the PE routers advertise VPN routes with DN-bit set to the CE routers. If the CE routers receive routes with DN-bit set, it will discard them. Hence, the checks should be disabled.

examShark · Answer

The given answer is correct
https://community.cisco.com/t5/routing/where-to-configure-the-quot-capability-vrf-lite-quot-on-ce-or-pe/td-p/2812305

Budh · Answer

Answer is D

inteldarvid · Answer

the answer corret is D:

https://forum.networklessons.com/t/when-and-where-to-use-capability-vrf-lite/14877

inteldarvid · Answer

https://community.cisco.com/t5/routing/where-to-configure-the-quot-capability-vrf-lite-quot-on-ce-or-pe/td-p/2812305

guy276465281819372 · Answer

D is right

Masashi_O · Answer

A is the answer, I think.

error_909 · Answer

The given answer is correct D

XBfoundX · Answer

This capability needs to be enabled on the CE router, this command prevent to set to 0 the DN bit, this bit is a ospf loop prevention mechanism in mpls enviroment because if you have traverse the mpls network you should not traverse the mpls again so there is something wrong this is the logic of this check.

The vrf lite capability is activated only in the ospf process of the CE router.

SeMo0o0o0 · Answer

D is correct

300-410 Exam - Question 108

Discussion