When and where to use "capability vrf-lite"


I’m trying to get some clarity on when the “capability vrf-lite” command is necessary when using OSPF as the CE-PE routing protocol for site-to-site connectivity with MPLS L3VPN. Is this command only necessary if the CE router has VRF-Lite implemented, with the VRF-assigned interface associated with the OSPF instance? If so, would this be required on both sides/sites? I hope this makes sense.

See below quick topology:

Hello James

The capability vrf-lite command is used to suppress provider edge (PE) checks that are needed to prevent loops when the PE is performing mutual redistribution of packets between the OSPF and BGP protocols. When VRFs are being used on a router that is not a PE, that is, one that is not running BGP like a CE, then the checks can be turned off to allow for correct population of the VRF routing table.

Specifically, this command should be enabled:

  • only on the CE router
  • only when you have VRFs on your CE router

The specific check that is suppressed is the DN check. This Cisco documentation explains it like so. It describes the issue using the NX-OS, but the principle is the same:

In an L3VPN setup with OSPF used as a routing protocol between PE and CE routers, when MP-BGP (Border Gateway Protocol) routes that come over from an Multiprotocol Label Switching (MPLS) cloud are redistributed into OSPF on the PE router, all LSAs (whether type 3, type 5 or type 7) are generated with the DN bit set. When a PE receives, from a CE router, a type 3, 5, or 7 LSA with the DN bit set, the information from the LSA is not used in the OSPF route calculation. As a result, the LSA is not translated into a BGP route. The DN bit check prevents routing loops.

More detailed info can be found about this particular feature in the following Cisco links:

I hope this has been helpful!
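As an added illustration of the placement described above (not part of the original answer), here is a Cisco IOS configuration sketch for a CE that runs VRF-Lite and peers with the PE over OSPF. The VRF name, interface and addresses are constructed; the PE side is shown only to make the point that it does not carry the command.

```text
! ---- CE router (VRF-Lite, not running BGP) -- constructed example ----
vrf definition CUST-A
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/1
 description Link to PE (constructed addressing)
 vrf forwarding CUST-A
 ip address 10.0.0.2 255.255.255.252
!
! The OSPF process is tied to the VRF, so IOS applies the PE-style DN-bit
! check by default. "capability vrf-lite" disables that check here, because
! this box is a CE and does not redistribute between OSPF and BGP.
router ospf 10 vrf CUST-A
 capability vrf-lite
 network 10.0.0.0 0.0.0.3 area 0
!
! ---- PE router (MPLS L3VPN, BGP/OSPF mutual redistribution) ----
! No "capability vrf-lite" here: the DN-bit check is what stops a loop when
! routes learned from MP-BGP are redistributed into OSPF towards the CE.
router ospf 10 vrf CUST-A
 redistribute bgp 65000 subnets
 network 10.0.0.0 0.0.0.3 area 0
!
router bgp 65000
 address-family ipv4 vrf CUST-A
  redistribute ospf 10
 exit-address-family
```

A CE without any VRF (a plain global OSPF process) needs neither the VRF binding nor the command, which matches the two conditions listed in the answer.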



I appreciate your knowledge and answer. Thanks Laz!
