Solved: MPLS VPNs with OSPF and Sham-Links

Haris P · ‎07-22-2010

im trying to create a scenario using GNS3 for my CCIE Lab preparation

the objective is to create a MPLS VPN thru AS1 to connect R6 and SW2. The

backdoor link between R6 and SW2 should only be used if the MPLS

But if do show ip route from R6 for the network 10.1.38.0/24 its always going thu the link thru SW2

Olivier ARRIGHI · ‎07-22-2010

Hi Haris

your sham link is down, then it cannot work :

loopbacks used for sham link should be learned from BGP and not from OSPF : remove the redistribute connected in BGP and OSPF on both PEs

remove network 10.1.3.3 in ospf in R3.

under adress family ipv4 under BGP, add a network 1.3.3.3 mask 255.255.255.255 on R3, and 1.4.4.4 on R4

then your loopbacks are learned through bgp, and your sham link should come up

good config on R3 :

router ospf 1 vrf R6-SW2
log-adjacency-changes
area 0 sham-link 10.1.3.3 10.1.4.4
redistribute bgp 1 subnets
network 10.1.38.3 0.0.0.0 area 0

!
router bgp 1

!
address-family ipv4 vrf R6-SW2
no synchronization
network 10.1.3.3 mask 255.255.255.255
redistribute ospf 1 vrf R6-SW2
exit-address-family

good config on R4 :

router ospf 1 vrf R6-SW2
log-adjacency-changes
area 0 sham-link 10.1.4.4 10.1.3.3
redistribute bgp 1 subnets
network 10.1.46.4 0.0.0.0 area 0

!
router bgp 1

!
address-family ipv4 vrf R6-SW2
no synchronization
network 10.1.4.4 mask 255.255.255.255
redistribute ospf 1 vrf R6-SW2
exit-address-family

sham link before change :

R4#sh ip ospf sham-links
Sham Link OSPF_SL0 to address 10.1.3.3 is down
Area 0 source address 10.1.4.4
Run as demand circuit
DoNotAge LSA allowed. Cost of using 1 State DOWN,
Timer intervals configured, Hello 10, Dead 40, Wait 40,

sham link after change :

R4#sh ip os sham-links
Sham Link OSPF_SL0 to address 10.1.3.3 is up
Area 0 source address 10.1.4.4
Run as demand circuit
DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:08
    Adjacency State FULL (Hello suppressed)
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

then your ip route on R6 is good :

R6#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
O E2     10.1.3.3/32 [110/1] via 10.1.46.4, 00:06:41, GigabitEthernet1/0
O E2     10.1.4.4/32 [110/1] via 10.1.46.4, 00:07:28, GigabitEthernet1/0
C        10.1.6.0/24 is directly connected, Loopback0
L        10.1.6.1/32 is directly connected, Loopback0
O        10.1.8.1/32 [110/13] via 10.1.46.4, 00:06:31, GigabitEthernet1/0
O        10.1.38.0/24 [110/12] via 10.1.46.4, 00:06:31, GigabitEthernet1/0
C        10.1.46.0/24 is directly connected, GigabitEthernet1/0
L        10.1.46.6/32 is directly connected, GigabitEthernet1/0
C        10.1.68.0/24 is directly connected, GigabitEthernet2/0
L        10.1.68.6/32 is directly connected, GigabitEthernet2/0

have fun

olivier

View solution in original post

Olivier ARRIGHI · ‎07-22-2010

Hi Haris

your sham link is down, then it cannot work :

loopbacks used for sham link should be learned from BGP and not from OSPF : remove the redistribute connected in BGP and OSPF on both PEs

remove network 10.1.3.3 in ospf in R3.

under adress family ipv4 under BGP, add a network 1.3.3.3 mask 255.255.255.255 on R3, and 1.4.4.4 on R4

then your loopbacks are learned through bgp, and your sham link should come up

good config on R3 :

router ospf 1 vrf R6-SW2
log-adjacency-changes
area 0 sham-link 10.1.3.3 10.1.4.4
redistribute bgp 1 subnets
network 10.1.38.3 0.0.0.0 area 0

!
router bgp 1

!
address-family ipv4 vrf R6-SW2
no synchronization
network 10.1.3.3 mask 255.255.255.255
redistribute ospf 1 vrf R6-SW2
exit-address-family

good config on R4 :

router ospf 1 vrf R6-SW2
log-adjacency-changes
area 0 sham-link 10.1.4.4 10.1.3.3
redistribute bgp 1 subnets
network 10.1.46.4 0.0.0.0 area 0

!
router bgp 1

!
address-family ipv4 vrf R6-SW2
no synchronization
network 10.1.4.4 mask 255.255.255.255
redistribute ospf 1 vrf R6-SW2
exit-address-family

sham link before change :

R4#sh ip ospf sham-links
Sham Link OSPF_SL0 to address 10.1.3.3 is down
Area 0 source address 10.1.4.4
Run as demand circuit
DoNotAge LSA allowed. Cost of using 1 State DOWN,
Timer intervals configured, Hello 10, Dead 40, Wait 40,

sham link after change :

R4#sh ip os sham-links
Sham Link OSPF_SL0 to address 10.1.3.3 is up
Area 0 source address 10.1.4.4
Run as demand circuit
DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:08
    Adjacency State FULL (Hello suppressed)
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

then your ip route on R6 is good :

R6#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
O E2     10.1.3.3/32 [110/1] via 10.1.46.4, 00:06:41, GigabitEthernet1/0
O E2     10.1.4.4/32 [110/1] via 10.1.46.4, 00:07:28, GigabitEthernet1/0
C        10.1.6.0/24 is directly connected, Loopback0
L        10.1.6.1/32 is directly connected, Loopback0
O        10.1.8.1/32 [110/13] via 10.1.46.4, 00:06:31, GigabitEthernet1/0
O        10.1.38.0/24 [110/12] via 10.1.46.4, 00:06:31, GigabitEthernet1/0
C        10.1.46.0/24 is directly connected, GigabitEthernet1/0
L        10.1.46.6/32 is directly connected, GigabitEthernet1/0
C        10.1.68.0/24 is directly connected, GigabitEthernet2/0
L        10.1.68.6/32 is directly connected, GigabitEthernet2/0

have fun

olivier

Haris P · ‎07-22-2010

Dear Olivar,

Thnks for your comments .

It worked after the changes specified by you

Regrads

haris

Mohamed Sobair · ‎07-22-2010

Hi,

Sham Link is introduced to correct OSPF backdoor links on MPLS-VPN using OSPF super backbone , your config needs some modification in order for you to get the desired result.

1- first of all, change the routing protocol from ISIS to OSPF in your MPLS VPN and place all links in AREA-0.

2- runs an IBGP between your PEs (R3 and R4) normally.

for the Sham Link do the following:

1- Create Two /32 Loopback on both PEs.

2- Assign them to thier respective VRFs.

3- Advertise them into BGP

then create a sham link between both PEs using the loopback addresses specified with lower cost than the original OSPF cost between R6 and SW2.

Now, check the (show ip route 10.x.x.x) from R6, it should go through R4..

HTH

Mohamed

Olivier ARRIGHI · ‎07-22-2010

Hi Mohamed. using OSPF in the core is not mandatory, it works well with IS-IS as it is now. ( i was not sure about it, but I tried the gns3 template, and it's ok)

cheers

olivier

inderdeeps · ‎07-22-2010

HI Oliver,

Can you please share the configuration using the sham link with IS-IS in the core?

Regards/Inder

Olivier ARRIGHI · ‎07-23-2010

Hi Inderdeeps.

Look at the top of this thread, there is an attachement in the first post. You will find there all the configs for this setup

cheers

olivier

Mohamed Sobair · ‎07-23-2010

Haris and Oliver,

However, its manadatory to understand the concept behind VPN Super Backbone in MPLS. I havent checked it using ISIS on the core, but based on my previous readings, I still believe we need OSPF Super Backbone Area 0.

Super backbone provides additional level of hierarchy in MPLS, Customers might run different Areas on the CEs and might run partisioned area between CEs, hence the need of Superbackbone Area0 on the core. implementing it eleminate the need of having the customer running only area 0 on thier sites.

I would appreciate if an some one could confirm what I have mentioned,

HTH

Mohamed

Olivier ARRIGHI · ‎07-23-2010

Hi Mohamed,

you are right, there is a need for a Superbackbone.However, this superbackbone does not rely on the IGP used in between the PEs.

The only role of the core IGP is to transport loopback adresses of your PEs to allow iBGP relationship.Here finishes the role of the Core IGP.

There is no relation between the core IGP and OSPF superbackbone concept.

The superbackbone, is nothing else that OSPF attributes that are pushed along vpnv4 routes(BGP routes).

In the PE, on IOS, when you look at routes in the vrf routing table, coming from the other PEs, you see them as OSPF routes, but they are in fact BGP routes,tweaked by BGP according the communities(different in IOS XR, where you see them as BGP routes).

The concept of Superbackbone is not user activated, it is implicit when configuring OSPF as CE protocol.In this config, the PEs are seen as ASBR, whatever the areas you are using.

Now the superbackbone is seen as a super area 0, and you can do whatever you want on the PE-CE relationship, like have area 0 on both side, or having differents areas also.

cheers

olivier