One of our students in the INE RS bootcamp today, asked about an OSPF sham-link. I thought it would make a beneficial addition to our blog, and here it is. Thanks for the request Christian!
Reader’s Digest version: MPLS networks aren’t free. If a customers is using OSPF to peer between the CE and PE routers, and also has an OSPF CE to CE neighborship, the CE’s will prefer the Intra-Area CE to CE routes (sometimes called the “backdoor” route in this situation), instead of using the Inter-Area CE to PE learned routes that use the MPLS network as a transit path. OSPF sham-links correct this behavior.
This blog post walks through the problem and the solution, including the configuration steps to create and verify a sham-link.
To begin, MPLS is set up in the network as shown with R2 and R4 acting as Provider Edge (PE) routers, and MPLS is enabled throughout R2-R3-R4.
R1 and R5 are Customer Edge (CE) routers, and the Serial0/1.15 interfaces of R1 and R5 are temporarily shut down, (this means the backdoor route isn’t in place yet, and at the moment, there is no problem).
Currently, R1 and R5 see the routes to each others local networks through the VPNv4 MPLS network, and the routes show up as Inter-Area OSPF routes with the PE routers as the next hop.
Let’s do some testing and verification of what is currently in place. Notice that R1 and R5 can see each others Fa0/0 and Fa0/1 connected networks. These routes show up as Inter-Area (IA) routes.
R1#show ip route ospf 10.0.0.0/24 is subnetted, 2 subnets O IA 10.45.0.0 [110/2] via 10.12.0.2, 00:00:58, FastEthernet0/0 O IA 192.168.1.0/24 [110/3] via 10.12.0.2, 00:00:43, FastEthernet0/0 R5#show ip route ospf 172.16.0.0/24 is subnetted, 1 subnets O IA 172.16.0.0 [110/3] via 10.45.0.4, 00:01:49, FastEthernet0/1 10.0.0.0/24 is subnetted, 2 subnets O IA 10.12.0.0 [110/2] via 10.45.0.4, 00:01:49, FastEthernet0/1
Next, we will enable the Serial0/1.15 interfaces of R1 and R5. When we enable these interfaces, R1 and R5 will become neighbors, and see each others routes to the Fa0/0 and Fa0/1 networks as Intra-Area routes. Even though the OSPF cost will be worse via the serial interfaces, take a close look at what happens and which routes end up in the routing table.
R1(config)#int ser 0/1.15 R1(config-subif)#no shut R5(config)#int ser 0/1.15 R5(config-subif)#no shut
We’ll wait a few moments, to give the network time to converge, then take a look at the OSPF routes on the CE routers R1 and R5, just as we did earlier, and see if the routes are different.
R1#show ip route ospf 10.0.0.0/24 is subnetted, 3 subnets O 10.45.0.0 [110/65] via 10.15.0.5, 00:02:52, Serial0/1.15 O 192.168.1.0/24 [110/65] via 10.15.0.5, 00:02:52, Serial0/1.15 R5#show ip route ospf 172.16.0.0/24 is subnetted, 1 subnets O 172.16.0.0 [110/65] via 10.15.0.1, 00:03:19, Serial0/1.15 10.0.0.0/24 is subnetted, 3 subnets O 10.12.0.0 [110/65] via 10.15.0.1, 00:03:19, Serial0/1.15
Notice, that the remote customer networks attached to Fa0/0 and Fa0/1 are now reachable via the serial 0/1.15 interface, and they appear as Intra-Area routes. Even though the metric of 65 is worse than before, and using the slower serial link, the routers prefer these routes instead of using the PE learned routes, because Intra-Area routes are preferred over Inter-Area routes. Now the Service Provider’s MPLS network will only be used as a backup in the event the serial connection fails. (I don’t think they will be providing a price break either).
To train the network to use the MPLS network as the primary transit path, we need to make the remote Ethernet customer networks look like Intra-Area routes via the PE routers, with a better metric than the serial interfaces, so they can be used instead of the slower serial link. We are actually going to pull a fast one, or a “sham”, on OSPF because the MPLS network is really acting as a “superbackbone” for OSPF, and therefore routes between the CEs are indeed Inter-Area by default. To create the illusion of the CEs not being separated by a backbone, we will create an OSPF sham-link. We will create a couple loopback interfaces in the VRFs on both PEs, and make sure those loopbacks are originated and advertised via BGP. We will use those loopbacks as the source/destination of the OSPF sham-link.
Because the sham-link is seen as an Intra-Area link between PE routers (R2 and R4), an OSPF adjacency is created and database exchange takes place across the sham-link. The two PE routers can then flood LSAs between sites from across the MPLS VPN backbone. As a result, the desired Intra-Area routes are created.
Enough chat, lets create this sham-link!
R2(config)#int loop 100 R2(config-if)#ip vrf forwarding Vrf1 R2(config-if)#ip address 188.8.131.52 255.255.255.255 R2(config-if)#router bgp 24 R2(config-router)#address-family ipv4 vrf Vrf1 R2(config-router-af)#network 184.108.40.206 mask 255.255.255.255 R2(config-router-af)#exit R2(config-router)#router ospf 1 vrf Vrf1 R2(config-router)#area 1 sham-link 220.127.116.11 18.104.22.168 cost 5 R4(config)#int loop 100 R4(config-if)#ip vrf forwarding Vrf1 R4(config-if)#ip address 22.214.171.124 255.255.255.255 R4(config-if)#router bgp 24 R4(config-router)#address-family ipv4 vrf Vrf1 R4(config-router-af)#network 126.96.36.199 mask 255.255.255.255 R4(config-router-af)#exit R4(config-router)#router ospf 1 vrf Vrf1 R4(config-router)#area 1 sham-link 188.8.131.52 184.108.40.206 cost 5 %OSPF-5-ADJCHG: Process 1, Nbr 10.12.0.2 on OSPF_SL0 from LOADING to FULL, Loading Done
Looks like the sham-link came up. Let’s take a closer look at the sham link with a show command made just for that purpose.
R4#show ip ospf sham-links Sham Link OSPF_SL0 to address 220.127.116.11 is up Area 1 source address 18.104.22.168 Run as demand circuit DoNotAge LSA allowed. Cost of using 5 State POINT_TO_POINT, Timer intervals configured, Hello 10, Dead 40, Wait 40, Hello due in 00:00:06 Adjacency State FULL (Hello suppressed) Index 2/2, retransmission queue length 0, number of retransmission 0 First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0) Last retransmission scan length is 0, maximum is 0 Last retransmission scan time is 0 msec, maximum is 0 msec
Looks like it is in place, but is it creating the desired result, of having the CE routers R1 and R5 see the Ethernet remote networks as reachable through the PE routers R2 and R4? Let’s go to R1 and see!
R1#show ip route ospf 10.0.0.0/24 is subnetted, 3 subnets O 10.45.0.0 [110/7] via 10.12.0.2, 00:06:02, FastEthernet0/0 22.214.171.124/32 is subnetted, 2 subnets O E2 126.96.36.199 [110/1] via 10.12.0.2, 00:06:43, FastEthernet0/0 O E2 188.8.131.52 [110/1] via 10.12.0.2, 00:06:13, FastEthernet0/0 O 192.168.1.0/24 [110/8] via 10.12.0.2, 00:06:02, FastEthernet0/0
That looks perfect! How about R5?
R5#show ip route ospf 172.16.0.0/24 is subnetted, 1 subnets O 172.16.0.0 [110/8] via 10.45.0.4, 00:06:27, FastEthernet0/1 10.0.0.0/24 is subnetted, 3 subnets O 10.12.0.0 [110/7] via 10.45.0.4, 00:06:27, FastEthernet0/1 184.108.40.206/32 is subnetted, 2 subnets O E2 220.127.116.11 [110/1] via 10.45.0.4, 00:07:05, FastEthernet0/1 O E2 18.104.22.168 [110/1] via 10.45.0.4, 00:06:45, FastEthernet0/1
And just to be sure, a ping to verify connectivity. We will ping the remote Fa0/1 interface of CE router R1 from CE router R5.
R5#ping 172.16.0.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 120/130/148 ms
That’s cool, so we know we have connectivity, and based on the routing table output, we believe it is going through the SP MPLS network. Let’s do one more test to prove that as well. A traceroute.
R5#trace 172.16.0.1 Type escape sequence to abort. Tracing the route to 172.16.0.1 1 10.45.0.4 48 msec 92 msec 12 msec 2 10.34.0.3 [MPLS: Labels 16/24 Exp 0] 136 msec 180 msec 228 msec 3 10.12.0.2 [MPLS: Label 24 Exp 0] 124 msec 80 msec 88 msec 4 10.12.0.1 112 msec * 176 msec
Tags and all! I still love it when a plan comes together. Now our transit traffic is moving through the MPLS network, and the serial 0/1.15 interfaces are available as a backup.
More fun times regarding MPLS, OSPF and MPBGP can be found in our workbooks for RS and SP.
Best wishes, and enjoy the journey!
33 Responses to “A Sham-Link, Really? Yes, and it’s not used for Phishing!”
Leave a Reply