An OSPF sham link is a virtual link between PE routers over the MPLS backbone, used when a backdoor link exists between two OSPF sites in the same area. It ensures that the MPLS VPN path is seen as intra-area and preferred over the backdoor, which would otherwise appear more attractive to OSPF. This lesson covers the concept and simulates its behavior.

OSPF Sham Link Fundamentals

When two OSPF sites in the same area are connected both through an MPLS VPN backbone and a backdoor link, OSPF typically prefers the backdoor path. This is because routes over the backdoor are seen as intra-area, while those over the MPLS VPN are treated as inter-area or external.

Traffic over Backdoor without OSPF Sham Link

An OSPF sham link is a virtual, point-to-point intra-area link configured between PE routers across the MPLS core. It allows Type 1 and Type 2 LSAs to be exchanged directly between the PEs, maintaining intra-area route consistency. As a result, OSPF treats VPN routes as intra-area, ensuring the MPLS path is preferred over the backdoor when its cost is lower.

Traffic over MPLS backbone with OSPF Sham Link

OSPF Sham Link Configuration Example

This configuration example involves Customer “A”, which has three sites connected to PE1, PE2, and PE3, all linked through an MPLS Layer 3 VPN backbone. Sites A1 and A2 belong to OSPF Area 0, while Site A3 is in Area 1.

In addition to MPLS connectivity, A1 and A2 also have a redundant backdoor link, intended to serve as a backup path if MPLS connectivity fails.

However, contrary to our intention, OSPF prefers the backdoor link by default. This happens because A1 and A2 receive each other’s routes via Type 3 LSAs (inter-area) over the MPLS backbone (the OSPF Superbackbone), but see each other via Type 1 or 2 LSAs (intra-area) over the backdoor.

Since OSPF always prefers intra-area routes over inter-area routes, the backdoor path becomes the primary one — even when MPLS is fully functional.

Traffic over Backdoor Before Configuring OSPF Sham Link

Traffic over Backdoor Before Configuring OSPF Sham Link

Let’s review the configuration and examine the LSA types exchanged between different sites before adding the OSPF sham link.

The MPLS and OSPF backbone is already configured, and VPNv4 BGP is established between PE1, PE2, and PE3. On each PE router, OSPF is configured toward the CE routers. To distinguish between the backbone OSPF process and the PE-CE OSPF process, the latter is configured under VRF A using OSPF process ID 100.

We redistribute OSPF routes from VRF A into BGP, and vice versa — BGP routes into OSPF within VRF A. This setup enables end-to-end routing between customer sites over the MPLS backbone.

Additionally, OSPF Area 0 is configured directly between Sites A1 and A2 over the backdoor link.

## A1
interface Loopback0
 ip address 172.16.11.1 255.255.255.0
!
interface Loopback100
 ip address 100.100.100.100 255.255.255.255
!
interface Ethernet0/0
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet0/1
 ip address 10.1.2.1 255.255.255.0
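 ! Cost 50 is added later in this lesson, after the sham link is up;
 ! the first "show ip route ospf" output below was captured before it was applied.
 ip ospf cost 50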
!
router ospf 1
 redistribute connected subnets
 network 10.1.2.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.255.255 area 0

## A2
interface Loopback0
 ip address 172.16.12.1 255.255.255.0
!
interface Ethernet0/0
 ip address 172.16.2.2 255.255.255.0
!
interface Ethernet0/1
 ip address 10.1.2.2 255.255.255.0
!
router ospf 1
 network 10.1.2.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.255.255 area 0

## A3
interface Loopback0
 ip address 172.16.13.1 255.255.255.0
!
interface Ethernet0/0
 ip address 172.16.3.2 255.255.255.0
!
router ospf 1
 network 172.16.0.0 0.0.255.255 area 1

## PE1
hostname PE1
!
ip vrf A
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.1.1 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 ip vrf forwarding A
 ip address 172.16.1.1 255.255.255.0
!
router ospf 100 vrf A
 redistribute bgp 65001 subnets
 network 172.16.0.0 0.0.255.255 area 0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.10.10.2 remote-as 65001
 neighbor 10.10.10.2 update-source Loopback0
 neighbor 10.10.10.3 remote-as 65001
 neighbor 10.10.10.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 send-community both
  neighbor 10.10.10.2 next-hop-self
  neighbor 10.10.10.3 activate
  neighbor 10.10.10.3 send-community both
  neighbor 10.10.10.3 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute ospf 100 match internal external 1 external 2
 exit-address-family
!
mpls ldp router-id Loopback0

## PE2
hostname PE2
!
ip vrf A
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.10.10.2 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.2.2 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 ip vrf forwarding A
 ip address 172.16.2.1 255.255.255.0
!
router ospf 100 vrf A
 redistribute bgp 65001 subnets
 network 172.16.0.0 0.0.255.255 area 0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.10.10.1 remote-as 65001
 neighbor 10.10.10.1 update-source Loopback0
 neighbor 10.10.10.3 remote-as 65001
 neighbor 10.10.10.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 send-community both
  neighbor 10.10.10.1 next-hop-self
  neighbor 10.10.10.3 activate
  neighbor 10.10.10.3 send-community both
  neighbor 10.10.10.3 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute ospf 100
 exit-address-family
!
mpls ldp router-id Loopback0

## PE3
hostname PE3
!
ip vrf A
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.10.10.3 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.3.3 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 ip vrf forwarding A
 ip address 172.16.3.1 255.255.255.0
!
router ospf 100 vrf A
 redistribute bgp 65001 subnets
 network 172.16.0.0 0.0.255.255 area 1
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.10.10.1 remote-as 65001
 neighbor 10.10.10.1 update-source Loopback0
 neighbor 10.10.10.2 remote-as 65001
 neighbor 10.10.10.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 send-community both
  neighbor 10.10.10.1 next-hop-self
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 send-community both
  neighbor 10.10.10.2 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute ospf 100
 exit-address-family
!
mpls ldp router-id Loopback0

## P
hostname P
!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface Ethernet0/1
 ip address 10.0.1.10 255.255.255.0
 mpls ip
!
interface Ethernet0/2
 ip address 10.0.2.10 255.255.255.0
 mpls ip
!
interface Ethernet0/3
 ip address 10.0.3.10 255.255.255.0
 mpls ip
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
mpls ldp router-id Loopback0

When we check the OSPF routing table on Site A1, we observe the following:

  • The PE-to-PE path (via MPLS backbone) is seen as inter-area or external, e.g., for routes between A1 and A3.

  • The direct backdoor link between A1 and A2 is seen as an intra-area route.

  • As a result, OSPF prefers the backdoor path between Sites A1 and A2, even when MPLS is available.

A1#show ip route ospf
...
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
O        172.16.2.0/24 [110/20] via 10.1.2.2, 00:02:12, Ethernet0/1
O IA     172.16.3.0/24 [110/11] via 172.16.1.1, 00:14:41, Ethernet0/0
O        172.16.12.1/32 [110/11] via 10.1.2.2, 00:02:12, Ethernet0/1
O IA     172.16.13.1/32 [110/21] via 172.16.1.1, 00:14:31, Ethernet0/0
A1#traceroute 172.16.12.1 source 172.16.11.1
Type escape sequence to abort.
Tracing the route to 172.16.12.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.2.2 6 msec 5 msec 6 msec
A1#
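
A quick way to check which prefixes leave A1 over the backdoor interface, as an added Python example that is not part of the original lesson. It parses show ip route ospf text; the first sample is the output above, and the second is the table A1 shows later in this lesson once the sham link and the cost change are in place.

```python
import re

# One OSPF entry of "show ip route ospf"; the mask may be missing on the route line.
ROUTE = re.compile(
    r"^(?P<code>O(?: (?:IA|E1|E2|N1|N2))?)\s+(?P<net>[\d.]+)(?:/(?P<len>\d+))?"
    r"\s+\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>[\d.]+), [^,]+, (?P<ifc>\S+)$")
# Parent line: children omit the mask unless the network is "variably subnetted".
PARENT = re.compile(r"^\s*[\d.]+/(?P<len>\d+) is (?P<var>variably )?subnetted")

def parse_routes(text):
    """Return [(code, prefix, metric, next_hop, interface), ...]."""
    routes, inherited = [], None
    for line in text.splitlines():
        p = PARENT.match(line)
        if p:
            inherited = None if p["var"] else p["len"]
            continue
        m = ROUTE.match(line.rstrip())
        if m:
            plen = m["len"] or inherited or "32"
            routes.append((m["code"], f"{m['net']}/{plen}", int(m["metric"]),
                           m["nh"], m["ifc"]))
    return routes

def prefixes_via(text, interface):
    """Prefixes whose traffic leaves through the given interface."""
    return [r[1] for r in parse_routes(text) if r[4] == interface]

# Sample outputs from A1 as shown in this lesson (AFTER is abridged).
BEFORE = """\
      172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
O        172.16.2.0/24 [110/20] via 10.1.2.2, 00:02:12, Ethernet0/1
O IA     172.16.3.0/24 [110/11] via 172.16.1.1, 00:14:41, Ethernet0/0
O        172.16.12.1/32 [110/11] via 10.1.2.2, 00:02:12, Ethernet0/1
O IA     172.16.13.1/32 [110/21] via 172.16.1.1, 00:14:31, Ethernet0/0
"""
AFTER = """\
      1.0.0.0/32 is subnetted, 1 subnets
O E2     1.1.1.1 [110/1] via 172.16.1.1, 00:01:37, Ethernet0/0
      2.0.0.0/32 is subnetted, 1 subnets
O E2     2.2.2.2 [110/1] via 172.16.1.1, 00:06:09, Ethernet0/0
      172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
O        172.16.2.0/24 [110/21] via 172.16.1.1, 00:00:05, Ethernet0/0
O        172.16.12.1/32 [110/22] via 172.16.1.1, 00:00:05, Ethernet0/0
"""

if __name__ == "__main__":
    print("before:", prefixes_via(BEFORE, "Ethernet0/1"))
    print("after: ", prefixes_via(AFTER, "Ethernet0/1"))
```

An empty list for Ethernet0/1 means no OSPF route on A1 currently uses the backdoor.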

Configure OSPF Sham Link

To configure the OSPF sham link, I created Loopback50 interfaces on both PE1 and PE2 within VRF A, assigning them IP addresses 1.1.1.1 and 2.2.2.2 respectively. These loopbacks were redistributed into BGP under the VRF to ensure reachability across the MPLS backbone. Then, under the OSPF process 100 in VRF A, I configured a sham link in Area 0 between the two loopback addresses. This creates a virtual intra-area connection between PE1 and PE2, allowing OSPF to treat MPLS routes as intra-area and prefer them over the backdoor path.

## PE1
interface Loopback50
 ip vrf forwarding A
 ip address 1.1.1.1 255.255.255.255
!
router bgp 65001
 address-family ipv4 vrf A
  redistribute connected
!
router ospf 100 vrf A
 area 0 sham-link 1.1.1.1 2.2.2.2

## PE2
interface Loopback50
 ip vrf forwarding A
 ip address 2.2.2.2 255.255.255.255
!
router bgp 65001
 address-family ipv4 vrf A
  redistribute connected
!
router ospf 100 vrf A
 area 0 sham-link 2.2.2.2 1.1.1.1

Verifying OSPF Sham Link

After configuring the sham link between PE1 and PE2 using their loopback interfaces, the following checks confirm that it is working:

  • ✅ Ping Success: ping vrf A 2.2.2.2 source 1.1.1.1 from PE1 succeeds with 100% success rate, verifying IP reachability between sham link endpoints across the MPLS core.

  • ✅ OSPF Adjacency Up: Syslog messages show that OSPF process 100 formed a FULL adjacency over the sham link interface (OSPF_SL0), confirming successful OSPF neighbor establishment.

  • ✅ Neighbor Table: show ip ospf 100 neighbor shows a FULL state with neighbor 172.16.2.1 over the OSPF_SL0 interface.

  • ✅ Sham Link Status: show ip ospf sham-links confirms the sham link is up, area is 0, state is POINT_TO_POINT, and the link runs as a demand circuit with a cost of 1.

  • ✅ Interface Verification: show ip ospf interface indicates OSPF_SL0 is up, type is SHAM_LINK, cost 1, and the link has 1 fully adjacent neighbor.

  • ✅ Routing Table Check: On CE router A1, routes to loopbacks of PE1 (1.1.1.1) and PE2 (2.2.2.2) appear as OSPF external (E2) routes via PE, confirming MPLS-based OSPF reachability is established.

PE1#ping vrf A 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/5 ms
PE1#
PE1(config-router)#
*Aug  4 11:34:07.796: %OSPF-5-ADJCHG: Process 100, Nbr 172.16.2.1 on OSPF_SL0 from LOADING to FULL, Loading Done
!
PE2(config-router)#
*Aug  4 11:34:07.796: %OSPF-5-ADJCHG: Process 100, Nbr 172.16.1.1 on OSPF_SL0 from LOADING to FULL, Loading Done
PE1#show ip ospf 100 neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.2.1        0   FULL/  -           -        2.2.2.2         OSPF_SL0
172.16.11.1       1   FULL/DR         00:00:38    172.16.1.2      Ethernet0/1
PE1#show ip ospf sham-links
Sham Link OSPF_SL0 to address 2.2.2.2 is up
Area 0 source address 1.1.1.1
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:08
    Adjacency State FULL (Hello suppressed)
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
PE1#show ip ospf interface
...
OSPF_SL0 is up, line protocol is up
  Internet Address 0.0.0.0/0, Area 0, Attached via Not Attached
  Process ID 100, Router ID 172.16.1.1, Network Type SHAM_LINK, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Configured as demand circuit
  Run as demand circuit
  DoNotAge LSA allowed
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:02
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.2.1  (Hello suppressed)
  Suppress hello for 1 neighbor(s)
...

Traffic over MPLS after Configuring OSPF Sham Link

Now, Sites A1 and A2 see each other through two intra-area paths: one over the MPLS VPN (via the OSPF sham link) and one over the backdoor link. To ensure that traffic is forwarded over the MPLS path, I increased the OSPF cost on the backdoor interface (Ethernet0/1) at Site A1 to 50. This adjustment makes the MPLS path more attractive to OSPF, ensuring it is selected as the preferred route over the higher-cost backdoor link.

## A1
interface Ethernet0/1
 ip ospf cost 50

A1#show ip route ospf
...
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O E2     1.1.1.1 [110/1] via 172.16.1.1, 00:01:37, Ethernet0/0
      2.0.0.0/32 is subnetted, 1 subnets
O E2     2.2.2.2 [110/1] via 172.16.1.1, 00:06:09, Ethernet0/0
      172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
O        172.16.2.0/24 [110/21] via 172.16.1.1, 00:00:05, Ethernet0/0
O IA     172.16.3.0/24 [110/11] via 172.16.1.1, 00:38:25, Ethernet0/0
O        172.16.12.1/32 [110/22] via 172.16.1.1, 00:00:05, Ethernet0/0
O IA     172.16.13.1/32 [110/21] via 172.16.1.1, 00:38:15, Ethernet0/0
A1#traceroute 172.16.12.1 source 172.16.11.1
Type escape sequence to abort.
Tracing the route to 172.16.12.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.1.1 6 msec 1 msec 4 msec
  2 10.0.1.10 [MPLS: Labels 19/16 Exp 0] 5 msec 5 msec 5 msec
  3 172.16.2.1 [MPLS: Label 16 Exp 0] 5 msec 1 msec 4 msec
  4 172.16.2.2 2 msec 4 msec 5 msec
A1#

After increasing the OSPF cost on the backdoor interface at Site A1 to 50, the routing table shows that OSPF now prefers routes via the MPLS VPN path (next hop 172.16.1.1) instead of the backdoor. The traceroute output confirms that traffic from A1 to A2's loopback (172.16.12.1) crosses the MPLS network: hops 2 and 3 carry MPLS labels. Adjusting the backdoor cost therefore forces OSPF to route traffic over the MPLS VPN instead of the backdoor link.
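
The selection rule behind this result, and behind the backdoor preference seen before the sham link, as a small Python model added here (not part of the original lesson). The metrics 20 and 21 come from the routing tables above; the default interface cost of 10 and the inter-area metric of 11 are assumptions.

```python
from dataclasses import dataclass

# OSPF compares route type before cost: a lower rank always wins.
RANK = {"intra": 0, "inter": 1, "external": 2}   # O, O IA, O E1/E2

@dataclass(frozen=True)
class Path:
    via: str     # label for the path
    rtype: str   # key into RANK
    cost: int    # total OSPF metric as computed on A1

def best_path(paths):
    """Pick the installed path: best route type first, then lowest cost."""
    return min(paths, key=lambda p: (RANK[p.rtype], p.cost))

# Metrics for 172.16.2.0/24 on A1, taken from the lesson's routing tables.
MPLS_VIA_SHAM_LINK = 21        # [110/21] via 172.16.1.1
BACKDOOR_AT_DEFAULT = 20       # [110/20] via 10.1.2.2
DEFAULT_IF_COST = 10           # assumption: IOS default cost on Ethernet0/1
BEYOND_BACKDOOR = BACKDOOR_AT_DEFAULT - DEFAULT_IF_COST  # A2's share of the metric

def a1_choice(sham_link, backdoor_if_cost, mpls_inter_cost=11):
    """mpls_inter_cost is assumed: the lesson shows no O IA metric towards A2."""
    backdoor = Path("backdoor", "intra", backdoor_if_cost + BEYOND_BACKDOOR)
    if sham_link:
        mpls = Path("mpls", "intra", MPLS_VIA_SHAM_LINK)
    else:
        mpls = Path("mpls", "inter", mpls_inter_cost)
    return best_path([backdoor, mpls])

if __name__ == "__main__":
    for sham, cost in [(False, 10), (True, 10), (True, 50)]:
        p = a1_choice(sham, cost)
        print(f"sham_link={sham} backdoor_cost={cost}: {p.via} ({p.rtype}, {p.cost})")
```

With the sham link up and the backdoor still at cost 10, the model keeps the backdoor (20 versus 21), which is why the cost change on Ethernet0/1 is needed.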
