How to Optimize Your MPLS VPN with OSPF Sham-Link

Have you ever wondered how internet service providers manage to deliver reliable and fast internet connections to your home or office? One of the key technologies they use is called Multiprotocol Label Switching (MPLS), which enables the creation of virtual private networks (VPNs) that securely connect different locations over a shared infrastructure. But how do they ensure that your data is routed properly and efficiently over this complex network?

Enter the Open Shortest Path First (OSPF) routing protocol, which is commonly used in enterprise networks to dynamically exchange routing information between routers. In some cases, where providers deliver MPLS links to customer locations, OSPF may also be used as the CE-PE routing protocol, allowing for seamless integration between the customer's network and the provider's backbone.

Fig 1.1 - MPLS VPN with OSPF Sham-Link

So how does it work? The PE router connected to the CE router collects all the routes in a VRF routing table, selected by the VRF applied to the incoming interface. These routes are then propagated to the other PEs using MP-BGP, the variant of the Border Gateway Protocol that supports VPNs. Eventually the routes reach the remote CE after being redistributed from BGP into the OSPF process that runs between the remote PE and CE for that specific VRF.

But what makes OSPF particularly powerful in the context of MPLS VPNs is its ability to propagate routes over the VPN backbone while preserving additional information about the prefix in the form of BGP extended communities. 

These communities, such as the route type and domain ID, are appended to the BGP update and used by the receiving PE router to decide the type of link-state advertisement (LSA) to be generated when the BGP route is redistributed to the OSPF PE-CE process. This means that internal OSPF routes within the same VPN that are advertised over the VPN backbone appear as inter-area routes on the remote sites, allowing for efficient routing and traffic engineering.

But what if the two CEs aren’t peering over OSPF? In this case, the only path from CE1 to CE2 is via the MPLS VPN backbone. However, if there happens to be an OSPF neighborship between the two CEs (a backdoor link), then the traffic flows directly across the link between the two CEs, ignoring the path via the MPLS VPN backbone, which acts only as a backup in this case.

Why does this happen? It’s simple: the route learned over the direct OSPF link between CE1 and CE2 is an intra-area route, while the route received from the MPLS backbone is an inter-area route. Under OSPF route selection, an intra-area route is always preferred over an inter-area route, regardless of cost.

So, what’s the solution? Enter the OSPF sham-link, a virtual link created between the two PEs that OSPF sees as a point-to-point link. Because the LSAs are flooded across the sham-link unchanged (preserved as Type 1 or Type 3 rather than regenerated as inter-area routes), the routers in the OSPF domain treat the backbone path as an intra-area path and can prefer it over the backdoor link.

To create a sham-link, a loopback on each PE is placed in the customer VRF and advertised into the BGP address family that corresponds to that VRF. This creates a virtual link over the MPLS VPN backbone that OSPF treats as an intra-area link between the two sites, ensuring optimal routing and failover.
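The route-selection rule described above is easy to get wrong when reading a routing table, so here is a small added example (not code from the original article) that models it: the OSPF path-type preference, the LSA type a remote PE generates from the route-type extended community, and a parser for "show ip route ospf" lines so the decision can be checked on a CE. The prefixes, next hops, interface names and the backbone cost of 7 are constructed assumptions; the backdoor cost of 11 is the [110/11] value the article's output shows.

```python
"""
Added example: OSPF path selection with and without a sham-link.
All prefixes, interface names and the backbone cost are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# OSPF path-type preference (RFC 2328, section 16.4.1): a lower rank always
# wins; cost is compared only between paths of the same type.
PREFERENCE = {"intra-area": 0, "inter-area": 1, "external-1": 2, "external-2": 3}


@dataclass(frozen=True)
class Candidate:
    prefix: str
    path_type: str  # one of the PREFERENCE keys
    cost: int       # OSPF metric, e.g. the 11 in [110/11]
    via: str        # outgoing interface, used here only to tell the paths apart


def select_route(candidates: List[Candidate]) -> Optional[Candidate]:
    """Return the path OSPF installs: best path type first, lowest cost second."""
    if not candidates:
        return None
    return min(candidates, key=lambda c: (PREFERENCE[c.path_type], c.cost))


def lsa_type_at_remote_pe(route_type: int, domain_ids_match: bool) -> int:
    """LSA type a PE generates when redistributing a VPN route into the PE-CE
    OSPF process (RFC 4577, section 4.2.8). route_type is the value carried in
    the OSPF Route Type extended community: 1/2 intra-area, 3 inter-area,
    5 external, 7 NSSA external."""
    if not domain_ids_match:
        return 5  # different OSPF domain: the route becomes an external route
    if route_type in (1, 2, 3):
        return 3  # intra- or inter-area at the origin -> inter-area (summary) at the remote site
    if route_type in (5, 7):
        return 5  # external stays external
    raise ValueError(f"unknown OSPF route type {route_type}")


def ce1_path_to_ce2(sham_link: bool, backdoor_cost: int = 11, backbone_cost: int = 7) -> Candidate:
    """Constructed scenario based on the article's topology.

    backdoor_cost=11: 'ip ospf cost 10' on the CE1-CE2 link plus 1 for the LAN
    behind CE2, matching the [110/11] in the article's output.
    backbone_cost=7 (assumed): CE1-PE1 link (1) + sham-link cost 5 + PE2-CE2 link (1).
    Without a sham-link the backbone path arrives as a Type 3 LSA (inter-area);
    with one, the original LSA is flooded across the sham-link and stays intra-area.
    """
    backbone_type = "intra-area" if sham_link else "inter-area"
    candidates = [
        Candidate("10.2.2.0/24", "intra-area", backdoor_cost, "GigabitEthernet0/0/1"),
        Candidate("10.2.2.0/24", backbone_type, backbone_cost, "GigabitEthernet0/0/0"),
    ]
    return select_route(candidates)


# Matches IOS lines such as:
#   O        10.2.2.0/24 [110/11] via 10.0.12.2, 00:00:05, GigabitEthernet0/0/1
#   O IA     10.2.3.0/24 [110/7] via 10.0.11.1, 00:00:05, GigabitEthernet0/0/0
ROUTE_RE = re.compile(
    r"^O(?:\s+(IA|E1|E2|N1|N2))?\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+\S+,\s+(\S+)"
)
CODE_TO_TYPE = {None: "intra-area", "IA": "inter-area",
                "E1": "external-1", "N1": "external-1",
                "E2": "external-2", "N2": "external-2"}


def parse_show_ip_route_ospf(text: str) -> List[Candidate]:
    """Turn 'show ip route ospf' output into Candidates; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            code, prefix, _ad, metric, _next_hop, iface = m.groups()
            routes.append(Candidate(prefix, CODE_TO_TYPE[code], int(metric), iface))
    return routes


# Constructed sample output, as a CE might show it before the sham-link exists.
SAMPLE_OUTPUT = """\
CE1#show ip route ospf
      10.0.0.0/24 is subnetted, 2 subnets
O        10.2.2.0/24 [110/11] via 10.0.12.2, 00:00:05, GigabitEthernet0/0/1
O IA     10.2.3.0/24 [110/7] via 10.0.11.1, 00:00:05, GigabitEthernet0/0/0
"""

if __name__ == "__main__":
    print("without sham-link:", ce1_path_to_ce2(sham_link=False))
    print("with sham-link:   ", ce1_path_to_ce2(sham_link=True))
    for route in parse_show_ip_route_ospf(SAMPLE_OUTPUT):
        print(route)
```

The useful check after configuring the sham-link is that the remote site's prefixes show up on the CE as plain "O" routes (intra-area) pointing at the PE-facing interface, not as "O IA" routes and not via the backdoor interface; if they still appear as "O IA", the sham-link is down or the endpoint loopback is being advertised by OSPF instead of BGP.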

Backdoor Link Configurations

CE1(config)#router ospf 1
CE1(config-router)#network area 0

CE2(config)#router ospf 1
CE2(config-router)#network area 0

Let's add a cost on both CE routers for the backdoor link:

CE1(config)#interface GigabitEthernet 0/0/1
CE1(config-if)#ip ospf cost 10

CE2(config)#interface GigabitEthernet 0/0/1
CE2(config-if)#ip ospf cost 10

CE1#show ip route ospf
      is subnetted, 1 subnets
O [110/11] via, 00:00:05, GigabitEthernet 0/0/1
O [110/11] via, 00:00:05, GigabitEthernet 0/0/1

CE2#show ip route ospf
      is subnetted, 1 subnets
O [110/11] via, 00:00:06, GigabitEthernet 0/0/1
O [110/11] via, 00:00:06, GigabitEthernet 0/0/1

OSPF Sham Link Configurations

PE1(config)# interface lo0
PE1(config-if)# ip vrf forwarding NDNA
PE1(config-if)# ip address
PE1(config-if)# exit
PE1(config)# router ospf 100 vrf NDNA
PE1(config-router)# area 1 sham-link cost 5

PE2(config)# interface lo0
PE2(config-if)# ip vrf forwarding NDNA
PE2(config-if)# ip address
PE2(config-if)# exit
PE2(config)# router ospf 100 vrf NDNA
PE2(config-router)# area 1 sham-link cost 5

The sham-link endpoint address (the VRF loopback on each PE) must be advertised as a VPN-IPv4 route by BGP and NOT by OSPF. The sham-link itself is an unnumbered point-to-point intra-area link, advertised as a Type 1 (point-to-point) link in the router-LSA.

The default Hello interval on a sham-link is 10 seconds and the default Router Dead interval is 40 seconds. The OSPF metric (cost) can be set when the sham-link is created.

In a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN), OSPF is used as the routing protocol between PEs and CEs so that the sites of a VPN can be connected over the MPLS backbone. OSPF connectivity between PEs and CEs guarantees reachability between VPN sites, but any intra-area route between those sites (such as a backdoor link) must also be taken into consideration.

Because OSPF always prefers an intra-area path over an inter-area path, traffic between two sites that share an intra-area route will transit that route rather than the backbone. Hence, when such an intra-area route is present, consider controlling path selection through policy, for example by configuring a sham-link and choosing its cost.
