BGP – Managed MPLS CE router with BGP and OSPF

Tags: bgp, mpls, mpls-vpn, ospf

We have a scenario where a customer is having a managed L3VPN installed and would like to run OSPF internally. The issue is that the provider will not allow us to provide and manage the CE device and they will only use BGP as the CE-PE protocol. They've told us that we can run OSPF internally and form a neighbourship between our L3 switch and their managed CE. They will then redistribute the routes into BGP and in turn, advertise those routes to their PE.

That doesn't seem like a valid design to me. That means at each site we'll need to run an instance of OSPF in area 0 and as far as OSPF is concerned every site will be a different autonomous system, right? Due to the BGP in the middle (between managed CE – PE) the routes will be external OSPF routes and we won't be able to connect our area 0s together.

I think it will work for now but I imagine it will cause headaches in future if we try to scale or make the solution slightly more complicated. I think if we ever decided to have a backup leased line or VPN tunnel the LSAs would be type 2 and therefore a more preferred path than the external routes caused by type 5 LSAs.

I know OSPF as a CE-PE protocol is valid and would essentially address all the concerns above but I think that option is probably off the table.

Are there any caveats/concerns with the solution above? Should we be pushing harder for the provider to run OSPF as the CE-PE protocol?

Best Answer

Yes, as you say, backup links will cause an issue in the future unless your provider lets you run OSPF CE-PE and sets up some sham links.

One workaround would be to use GRE tunnels between sites and run OSPF over the tunnels. The tunnel endpoints would need to be advertised through BGP. The OSPF routes would arrive over the tunnel. This does lower your MTU though, which may cause issues, and obviously there is work to configure this from your side. I would push for the provider to enable OSPF on the PE-CE.
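
The GRE workaround from the answer, shown for one site, as an added example that is not configuration from the original post or from the provider. Cisco IOS-style syntax is assumed (the page names no vendor), the customer L3 device is assumed to support GRE, and every address, interface name and the OSPF process ID is constructed for illustration.

```text
! Site A customer L3 device (constructed values throughout).
! Site B mirrors this with the .1/.2 addresses swapped.
!
! Tunnel endpoint. This /32 is what the managed CE must redistribute
! from OSPF into BGP so the remote site can reach it over the L3VPN.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Tunnel0
 description GRE to Site B across the provider L3VPN
 ip address 10.255.0.1 255.255.255.252
 ! GRE over IPv4 adds 24 bytes (20 outer IP + 4 GRE). With a 1500-byte
 ! path through the provider, the tunnel payload MTU is 1476.
 ip mtu 1476
 ! Clamp TCP MSS to 1476 - 40 so TCP sessions avoid fragmentation.
 ip tcp adjust-mss 1436
 ip ospf network point-to-point
 tunnel source Loopback0
 tunnel destination 192.0.2.2
!
router ospf 1
 ! Loopback: advertised to the managed CE (assumed to sit on the LAN
 ! subnet below) so it can be carried in BGP.
 network 192.0.2.1 0.0.0.0 area 0
 ! Tunnel: the adjacency that joins the two sites' area 0.
 network 10.255.0.0 0.0.0.3 area 0
 ! Site A LAN, including the link to the managed CE (assumed 10.1.0.0/16).
 network 10.1.0.0 0.0.255.255 area 0
!
! Pin the remote tunnel endpoint to the managed CE (assumed 10.1.0.254).
! Without this, once the tunnel adjacency forms, the remote loopback is
! learned intra-area through the tunnel itself and beats the external
! route via the CE, so the tunnel destination resolves via the tunnel
! and the tunnel goes down (recursive routing).
ip route 192.0.2.2 255.255.255.255 10.1.0.254
```

The 1476/1436 values assume a 1500-byte MTU end to end through the provider; if the provider path is smaller, both values must be lowered to match on both tunnel ends.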