OSPF Sham Links are concerned with the fact that OSFP selects the best route based on a number of rules:
- Intra-area routes (O) are preferred over Inter-area routes (OIA)
- Inter-area routes (OIA) are preferred over external routes (E1 and E2)
- E1 routes are preferred over E2 routes (recall E1 routes add the internal OSPF path costs, whereas E2 retains the same cost across the OSPF domain)
This is summed up as: O > OIA > E1 > E2
This is all fine and dandy except when it comes to an MPLS VPN. Consider the following network:
Routers R4 and R5 are configured in OSPF area 0 and connected to an MPLS VPN (named sham-vrf)
The design requires that traffic prefers the path across the MPLS VPN (shown by the red line). In order to make the direct link between R4 and R5 less preferred the OSPF cost is set to 1000.
However, there is a problem. The path via the MPLS VPN is OIA and consequently the direct link (which is intra-area, or “O”) is preferred, even with the cost set high. This can be seen if we shut down the link between R4 and R5 (forcing traffic over the MPLS VPN).
R4(config)#int gigabitEthernet 0/0
R4(config-if)#shut
R4#show ip route ospf
<snip>
Gateway of last resort is not set
3.0.0.0/29 is subnetted, 1 subnets
O IA 3.5.3.0 [110/2] via 1.4.1.1, 00:00:11, Gi1/0
5.0.0.0/32 is subnetted, 1 subnets
O IA 5.5.5.5 [110/3] via 1.4.1.1, 00:00:11, Gi1/0
But why is the route via the MPLS VPN path OIA? In simple terms, it’s because of the way OSPF is redistributed across the MPLS VPN.
OSPF redistributed across an MPLS VPN is treated as an inter-area route (OIA) – delivered to the CE router as a Type 3 LSA. The mechanisms behind why this is the case are beyond the scope of this article.
In order to fix this issue, we can create a “sham-link”. A sham link is an OSPF neighbour adjacency across an MPLS VPN. This is depicted in the diagram shown below (in blue):
A sham link forms an OSPF adjacency across the MPLS VPN allowing Type-1 LSAs to be distributed. The configuration is shown below:
R1 interface Loopback10 description sham-link ip vrf forwarding sham-vrf ip address 10.10.10.10 255.255.255.255 router ospf 2 vrf sham-vrf area 0 sham-link 10.10.10.10 30.30.30.30 R3 interface Loopback30 description sham-link ip vrf forwarding sham-vrf ip address 30.30.30.30 255.255.255.255 router ospf 2 vrf sham-vrf area 0 sham-link 30.30.30.30 10.10.10.10
To confirm the adjacency has formed, use the following commands:
R1#show ip ospf neighbor | i SL
3.5.3.3 0 FULL/ - - 30.30.30.30 OSPF_SL3
R1#show ip ospf sham-links
Sham Link OSPF_SL3 to address 30.30.30.30 is up
Area 0 source address 10.10.10.10
Run as demand circuit
DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
Hello due in 00:00:02
Adjacency State FULL (Hello suppressed)
<snip>
R3#show ip ospf neighbor | i SL
1.4.1.1 0 FULL/ - - 10.10.10.10 OSPF_SL2
R3#show ip ospf sham-links
Sham Link OSPF_SL2 to address 10.10.10.10 is up
Area 0 source address 30.30.30.30
Run as demand circuit
DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
Hello due in 00:00:02
Adjacency State FULL (Hello suppressed)
<snip>
If we now look at R4 we see that the route is now shown as a Type-1 intra-area route.
R4#show ip route ospf
<snip>
Gateway of last resort is not set
3.0.0.0/29 is subnetted, 1 subnets
O 3.5.3.0 [110/3] via 1.4.1.1, 00:29:09, GigabitEthernet1/0
5.0.0.0/32 is subnetted, 1 subnets
O 5.5.5.5 [110/4] via 1.4.1.1, 00:29:09, GigabitEthernet1/0
The full config files can be found below:
The Traceroute Blog 