ospf sham-link


Today another episode of ”things that sound complex but are in reality very easy”.

Why create a sham-link?

Normally, prefixes received from your other PE look like IA routes (because of the existence of the super core concept in BGP VPNv4), so if you have a backup link between your CEs (just in case), the backup link will always be preferred because the intra area prefixes will be always preferred over the inter-area prefixes from your PE, who is treated as an ABR between a normal area and the supercore.

The problem is that the backup link is a private link, so it might be a more expensive link, something we want to use it for emergencies only, not as the primary link.

What we will be doing is creating a standard vpnv4 tunnel (BGP session through an MPLS core) and then creating another ospf virtual-link tunnel through it. This overlay tunnel is a sham-link. Think of the sham-link as an improved ospf virtual-link. This is why it’s called a shamlink – a false impression of a true link.



  • mpls-enabled core between loopbacks of PEs (command mpls ip everywhere or simply mpls ldp autoconfig under the ospf process everywhere)

Step 1

Assuming that you already have mpls between the /32 loopbacks of PEs, build a bgp session with the other PE router, creating effectively a tunnel across an OSPF provider core. So apart from the normal bgp session, you need to activate the address family vpnv4. Activating ipv4 family is not needed so you can add the command no bgp default ipv4-unicast to disable the default ipv4 address-family.

router bgp 100
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor remote-as 100
neighbor update-source Loopback0
address-family ipv4
address-family vpnv4
neighbor activate
neighbor send-community extended

Step 2

Create a new loopback address and advertise it into BGP address family ipv4 just like you would advertise your other addresses to the other PE.

interface Loopback 200
ip vrf forwarding VPN_A
ip address

router bgp 100
address-family ipv4 vrf VPN_A
network mask

Step 3

Create a sham link with the new loopback of the other PE.

router ospf 100 vrf VPN_A
area 1 sham-link cost 1

Additionally, you might want to make sure that the new loopback is not advertised to the CE.


Verification command:

show ip ospf sham-links

R6#show ip ospf sham-links
Sham Link OSPF_SL0 to address is up
Area 1 source address
Run as demand circuit
DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
Hello due in 00:00:00
Adjacency State FULL (Hello suppressed)
Index 2/2, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
You do the same thing on the other PE and voila! it’s done. Now your sham-link vpnv4 prefixes are also intra-area prefixes, just like your backup link prefixes. You can now use cost to prefer sham-link prefixes over backup link prefixes.

R8#show ip route ospf
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
a – application route
+ – replicated route, % – next hop override

Gateway of last resort is not set is subnetted, 4 subnets
O [110/11] via, 00:32:39, Ethernet0/0.78 is variably subnetted, 12 subnets, 2 masks
O [110/20] via, 00:32:39, Ethernet0/0.78
O [110/20] via, 00:32:39, Ethernet0/0.78
O [110/20] via, 00:01:44, Ethernet0/0.78
O [110/20] via, 00:32:39, Ethernet0/0.78 is variably subnetted, 3 subnets, 2 masks
O [110/11] via, 00:32:39, Ethernet0/0.78
O E2 [110/1] via, 00:26:42, Ethernet0/0.58


Then you can run:

show ip ospf topology network

show ip ospf topology router


to check the reasoning of OSPF (why it chooses intra area path through router 5 than through the backup link of router 7). Specifically, if you set the cost on r8, you need to check LSA router of R8 – what it thinks is the cost to get to r7. The same on the other end

LS age: 1263
Options: (No TOS-capability, DC)
LS Type: Router Links
Link State ID:
Advertising Router:
LS Seq Number: 8000000C
Checksum: 0x1987
Length: 108
Number of Links: 7

Link connected to: a Stub Network
(Link ID) Network/subnet number:
(Link Data) Network Mask:
Number of MTID metrics: 0
TOS 0 Metrics: 1

Link connected to: a Stub Network
(Link ID) Network/subnet number:
(Link Data) Network Mask:
Number of MTID metrics: 0
TOS 0 Metrics: 1

Link connected to: a Stub Network
(Link ID) Network/subnet number:
(Link Data) Network Mask:
Number of MTID metrics: 0
TOS 0 Metrics: 10

Link connected to: a Transit Network
(Link ID) Designated Router address:
(Link Data) Router Interface address:
Number of MTID metrics: 0
TOS 0 Metrics: 500



Wprowadź swoje dane lub kliknij jedną z tych ikon, aby się zalogować:

Logo WordPress.com

Komentujesz korzystając z konta WordPress.com. Wyloguj /  Zmień )

Zdjęcie z Twittera

Komentujesz korzystając z konta Twitter. Wyloguj /  Zmień )

Zdjęcie na Facebooku

Komentujesz korzystając z konta Facebook. Wyloguj /  Zmień )

Połączenie z %s

%d blogerów lubi to: