OSPF Sham-link support for MPLS VPN

Both sites are in the same OSPF area, Area 0. There is also a "backdoor" (intra-area) link connecting the two sites. There will be routes between the sites that go through the PE routers, but these routes will appear to be inter-area routes. Hence, OSPF will consider them less preferable than the intra-area routes that are advertised over the backdoor link.

It is desirable to have OSPF prefer the routes through the backbone (MPLS VPN) rather than backdoor link. In that case, the routes through the backbone should appear as intra-area routes rather than inter-area routes.

In order to do this, a sham-link, which appears as an intra-area link, is created between the PE routers. A sham-link can be thought of as a relation between two VRFs. Each VRF must be associated with a 32-bit "Sham-link Endpoint Address" that is treated as an IP address of the PE router containing that VRF. The Sham-link Endpoint Addresses are in the VPN's address space, not the SP address space.

The syntax to configure a sham-link, from OSPF router configuration mode, is

area <area-id> sham-link <source-address> <destination-address> cost <cost>

The Sham-link Endpoint Address must be advertised by BGP as a VPN-IPv4 address; it must NOT be advertised by OSPF. The sham-link is an unnumbered point-to-point intra-area link and is advertised as a Type-1 link in the router-LSA. Hence, the default Hello interval is 10 seconds and the default Router Dead interval is 40 seconds. The OSPF metric (cost) is configurable during sham-link creation.

A sham-link can belong to any area, including area 0.

Configuration of the sham-link on the PE1 router:

interface Loopback 12
 ip vrf forwarding CUST1
 ip address 1.1.1.1 255.255.255.255
!

This associates the sham-link endpoint to VRF CUST1.

router bgp 100
 ...
 address-family ipv4 vrf CUST1
  network 1.1.1.1 mask 255.255.255.255
 ..
!

This advertises the sham-link endpoint. This ensures PE routers have reachability to endpoints.

router ospf 1 vrf CUST1
 ..
 area 0 sham-link 1.1.1.1 2.2.2.2 cost 2
!

This enables the sham-link. The area-id should match the VPN site's area-id. Cost should be configured so that the sham-link is preferred over the backdoor link.
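A check of the three PE-side conditions described above (the endpoint is a /32 interface address in the VRF, it is advertised by BGP in the VRF address family, and no OSPF network statement covers it), as an added example that is not part of the original page. `sections` and `check_sham_link` are hypothetical helpers; the input is the page's PE1 snippets joined together with one constructed bad line, and only `network` statements are inspected.

```python
import ipaddress
import re

# Constructed: this page's PE1 snippets joined, plus one bad OSPF "network" line.
SAMPLE = """\
interface Loopback 12
 ip vrf forwarding CUST1
 ip address 1.1.1.1 255.255.255.255
router bgp 100
 address-family ipv4 vrf CUST1
  network 1.1.1.1 mask 255.255.255.255
router ospf 1 vrf CUST1
 network 1.1.1.1 0.0.0.0 area 0
 area 0 sham-link 1.1.1.1 2.2.2.2 cost 2
"""

def sections(config):
    """Map each top-level config line to its stripped child lines."""
    out = {}
    for block in re.split(r"\n(?=\S)", config.strip()):
        head, *body = block.splitlines()
        out[head.strip()] = [b.strip() for b in body if b.strip()]
    return out

def check_sham_link(config, vrf):
    """Findings for each sham-link source endpoint in one VRF (hypothetical helper)."""
    secs, found = sections(config), []
    ospf = next((b for h, b in secs.items() if re.fullmatch(rf"router ospf \d+ vrf {vrf}", h)), [])
    bgp = next((b for h, b in secs.items() if h.startswith("router bgp ")), [])
    for src in (m.group(1) for ln in ospf if (m := re.match(r"area \S+ sham-link (\S+) ", ln))):
        # 1. The endpoint must be a /32 interface address inside the same VRF.
        if not any(h.startswith("interface ") and f"ip vrf forwarding {vrf}" in b
                   and f"ip address {src} 255.255.255.255" in b for h, b in secs.items()):
            found.append(f"{src}: no /32 interface in VRF {vrf}")
        # 2. It must be advertised by BGP inside the VRF's address family.
        in_af = advertised = False
        for b in bgp:
            if b.startswith(("address-family ", "exit-address-family")):
                in_af = b == f"address-family ipv4 vrf {vrf}"
            elif in_af and b == f"network {src} mask 255.255.255.255":
                advertised = True
        if not advertised:
            found.append(f"{src}: not advertised by BGP in VRF {vrf}")
        # 3. No OSPF network statement (address + wildcard) may cover it.
        for ln in ospf:
            if n := re.fullmatch(r"network (\S+) (\S+) area \S+", ln):
                addr, wild = (int(ipaddress.IPv4Address(x)) for x in n.groups())
                if (int(ipaddress.IPv4Address(src)) & ~wild) == (addr & ~wild):
                    found.append(f"{src}: advertised by OSPF ({ln})")
    return found
```

Run against `SAMPLE`, the check reports only the constructed OSPF `network` line; with that line removed it returns no findings.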

The following output shows that the sham-link is UP between PE1 and PE3. The sham-link acts as an intra-area point-to-point link. The output also shows that an adjacency is formed over the link.

PE1#show ip ospf sham-links
Sham Link OSPF_SL0 to address 2.2.2.2 is up
Area 0 source address 1.1.1.1
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 2 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:03
    Adjacency State FULL (Hello suppressed)
    Index 1/1, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

The "show ip ospf neighbor" command shows the OSPF neighbors of PE1 router. It shows the adjacency formed with PE3 router over OSPF_SL0 sham-link.

PE1# show ip ospf neighbor
Neighbor ID     Pri   State       Dead Time   Address     Interface
10.200.254.2    1     FULL/BDR    00:00:34    10.1.1.2    FastEthernet0/0
2.2.2.2         0     FULL/ -     -           2.2.2.2     OSPF_SL0

The following output shows that 2 labels are imposed by the PE1 router for sham-link endpoint 2.2.2.2.

PE1# show ip cef vrf CUST1 2.2.2.2
2.2.2.2/32, version 22, epoch 0, cached adjacency 10.1.1.2
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Fa0/0, 10.1.1.2, tags imposed: {17 18}
  via 10.200.254.3, 0 dependencies, recursive
    next hop 10.1.1.2, FastEthernet0/0 via 10.200.254.3/32
    valid cached adjacency
    tag rewrite with Fa0/0, 10.1.1.2, tags imposed: {17 18}

The prefixes 100.1.1.1/32, 210.1.1.1/32 and 192.168.2.0/30 are learnt as intra-area routes from PE3 router as shown below.

PE1#show ip route vrf CUST1 | begin Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback12
     2.0.0.0/32 is subnetted, 1 subnets
B       2.2.2.2 [200/0] via 10.200.254.3, 00:29:53
     100.0.0.0/32 is subnetted, 1 subnets
O       100.1.1.1 [110/65] via 192.168.1.2, 00:07:25, Serial0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Serial0/0
     210.1.1.0/32 is subnetted, 1 subnets
O       210.1.1.1 [110/67] via 10.200.254.3, 00:07:25
     192.168.2.0/30 is subnetted, 1 subnets
O       192.168.2.0 [110/66] via 10.200.254.3, 00:07:25

On the CE1 router, the prefixes are advertised by the PE1 router as intra-area routes, rather than being learnt through the backdoor link.

CE1# show ip route | begin Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O E2    1.1.1.1 [110/10] via 192.168.1.1, 00:06:00, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
O E2    2.2.2.2 [110/10] via 192.168.1.1, 00:06:00, Serial0/0
     100.0.0.0/32 is subnetted, 1 subnets
C       100.1.1.1 is directly connected, Loopback100
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Serial0/0
     210.1.1.0/32 is subnetted, 1 subnets
O       210.1.1.1 [110/131] via 192.168.1.1, 00:06:00, Serial0/0
     192.168.2.0/30 is subnetted, 1 subnets
O       192.168.2.0 [110/130] via 192.168.1.1, 00:06:05, Serial0/0

Finally, the traceroute shows that the path taken is through the MPLS VPN backbone rather than the backdoor link.

CE1# traceroute 210.1.1.1
Type escape sequence to abort.
Tracing the route to 210.1.1.1

  1 192.168.1.1 8 msec 92 msec 204 msec
  2 10.1.1.2 [MPLS: Labels 17/22 Exp 0] 572 msec 404 msec 408 msec
  3 192.168.2.1 [MPLS: Label 22 Exp 0] 420 msec 384 msec 424 msec
  4 192.168.2.2 396 msec 416 msec *
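
A post-change check built on the outputs above, as an added example that is not part of the original page: it reads the sham-link status from PE1 and confirms on CE1 that the remote prefixes are intra-area routes whose next hop is the PE. `sham_link_state` and `check_paths` are hypothetical helpers, and the backdoor next hop 172.16.0.2 in the failure case is an assumed address.

```python
import re

# Abridged output copied from this page: PE1 sham-link status, CE1 routes.
SHAM = """\
Sham Link OSPF_SL0 to address 2.2.2.2 is up
Area 0 source address 1.1.1.1
DoNotAge LSA allowed. Cost of using 2 State POINT_TO_POINT,
Adjacency State FULL (Hello suppressed)
"""
ROUTES = """\
O E2 1.1.1.1 [110/10] via 192.168.1.1, 00:06:00, Serial0/0
C 100.1.1.1 is directly connected, Loopback100
O 210.1.1.1 [110/131] via 192.168.1.1, 00:06:00, Serial0/0
O 192.168.2.0 [110/130] via 192.168.1.1, 00:06:05, Serial0/0
"""
# Constructed failure case: the same prefix learned over a backdoor next hop
# (172.16.0.2 is an assumed address; the page does not give the backdoor's).
ROUTES_BACKDOOR = ROUTES.replace("[110/131] via 192.168.1.1", "[110/129] via 172.16.0.2")

def sham_link_state(text):
    """Extract peer, link state, cost and adjacency from 'show ip ospf sham-links'."""
    link = re.search(r"Sham Link \S+ to address (\S+) is (\w+)", text)
    cost = re.search(r"Cost of using (\d+)", text)
    adj = re.search(r"Adjacency State (\w+)", text)
    if not (link and cost):
        return None
    return {"peer": link.group(1), "up": link.group(2) == "up",
            "cost": int(cost.group(1)), "full": adj is not None and adj.group(1) == "FULL"}

# Route code (O, O IA, O E1/E2, O N1/N2), prefix, and next hop of each OSPF route.
ROUTE_RE = re.compile(r"^(O(?: IA| E[12]| N[12])?)\s+(\S+) \[\d+/\d+\] via (\S+),", re.M)

def check_paths(route_text, prefixes, pe_next_hop):
    """Classify each remote prefix as seen in the CE's 'show ip route' output."""
    seen = {prefix: (code, nh) for code, prefix, nh in ROUTE_RE.findall(route_text)}
    result = {}
    for p in prefixes:
        code, nh = seen.get(p, (None, None))
        if code is None:
            result[p] = "missing"
        elif nh != pe_next_hop:
            result[p] = f"via {nh}, not the PE"
        elif code != "O":
            result[p] = f"via PE but {code}, not intra-area"
        else:
            result[p] = "intra-area via PE"
    return result
```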