Hello James
The capability vrf-lite command is used to suppress provider edge (PE) checks that are needed to prevent loops when the PE is performing mutual redistribution of packets between the OSPF and BGP protocols. When VRFs are being used on a router that is not a PE, that is, one that is not running BGP like a CE, then the checks can be turned off to allow for correct population of the VRF routing table.
Specifically, this command should be enabled:
- only on the CE router
- only when you have VRFs on your CE router
The specific check that is suppressed is the DN check. This Cisco documentation explains it like so. It describes the issue using the NX-OS, but the principle is the same:
In an L3VPN setup with OSPF used as a routing protocol between PE and CE routers, when MP-BGP (Border Gateway Protocol) routes that come over from a Multiprotocol Label Switching (MPLS) cloud are redistributed into OSPF on the PE router, all LSAs (whether type 3, type 5 or type 7) are generated with the DN bit set. When a PE receives, from a CE router, a type 3, 5, or 7 LSA with the DN bit set, the information from the LSA is not used in the OSPF route calculation. As a result, the LSA is not translated into a BGP route. The DN bit check prevents routing loops.
More detailed info can be found about this particular feature in the following Cisco links:
I hope this has been helpful!
Laz
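The DN check described in the reply above, as an added example that is not part of the original post: a simplified Python model of how a router running OSPF inside a VRF decides whether a received LSA feeds the route calculation, with and without capability vrf-lite. The function names and sample LSAs are constructed for illustration; the DN bit position (0x80 in the LSA Options field) follows RFC 4576.

```python
import struct
from ipaddress import IPv4Address

DN_BIT = 0x80                 # high bit of the LSA Options byte (RFC 4576)
DN_CHECKED_TYPES = {3, 5, 7}  # summary, AS-external, NSSA-external

def parse_lsa_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte OSPFv2 LSA header."""
    if len(raw) < 20:
        raise ValueError("OSPF LSA header is 20 bytes")
    age, options, ls_type, ls_id, adv, seq, cksum, length = struct.unpack(
        "!HBBIIIHH", raw[:20])
    return {"type": ls_type, "dn": bool(options & DN_BIT),
            "id": str(IPv4Address(ls_id)), "adv_router": str(IPv4Address(adv))}

def lsa_used_in_spf(lsa: dict, vrf_lite: bool) -> bool:
    """Model of the PE-style check on a VRF-attached OSPF process.

    Without capability vrf-lite, a type 3/5/7 LSA carrying the DN bit is
    ignored. With it, the check is suppressed and the LSA is used.
    """
    if vrf_lite:
        return True
    return not (lsa["type"] in DN_CHECKED_TYPES and lsa["dn"])

def vrf_routes(raw_lsas, vrf_lite: bool) -> list:
    """Return the link-state IDs that would reach the VRF routing table."""
    lsas = (parse_lsa_header(r) for r in raw_lsas)
    return [l["id"] for l in lsas if lsa_used_in_spf(l, vrf_lite)]

def make_header(ls_type: int, options: int, ls_id: str) -> bytes:
    """Build a constructed LSA header (advertising router 192.0.2.1)."""
    return struct.pack("!HBBIIIHH", 1, options, ls_type,
                       int(IPv4Address(ls_id)), int(IPv4Address("192.0.2.1")),
                       0x80000001, 0, 36)

# Constructed sample: what a CE with VRFs receives from the PE.
SAMPLE_LSAS = [
    make_header(3, 0x82, "10.1.0.0"),   # type 3, DN set (came from MP-BGP)
    make_header(5, 0x82, "10.2.0.0"),   # type 5, DN set (came from MP-BGP)
    make_header(5, 0x02, "10.3.0.0"),   # type 5, DN clear (local redistribution)
]

if __name__ == "__main__":
    print("without vrf-lite:", vrf_routes(SAMPLE_LSAS, vrf_lite=False))
    print("with vrf-lite:   ", vrf_routes(SAMPLE_LSAS, vrf_lite=True))
```
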