Sham links
---------------
---------------
Configuring OSPF Sham Links for Layer 3 VPNs
When you configure OSPF between the PE and CE routers
of a Layer 3 VPN, you can also configure OSPF sham links to compensate
for issues related to OSPF intra-area links.
The following sections describe OSPF sham links
and how to configure them:
OSPF Sham Links Overview
Figure 19 provides an illustration
of when you might configure an OSPF sham link. Router CE1 and Router
CE2 are located in the same OSPF area. These CE routers are linked
together by a Layer 3 VPN over Router PE1 and Router PE2. In addition,
Router CE1 and Router CE2 are connected by an intra-area link used
as a backup.
OSPF treats the link through the Layer 3 VPN as
an interarea link. By default, OSPF prefers intra-area links to interarea
links, so OSPF selects the backup intra-area link as the active path.
This is not acceptable in configurations where the intra-area link
is not the expected primary path for traffic between the CE routers.
An OSPF sham link is also an intra-area link, except
that it is configured between the PE routers as shown in Figure 19. You can configure the metric for the
sham link to ensure that the path over the Layer 3 VPN is preferred
to a backup path over an intra-area link connecting the CE routers.
Figure 19: OSPF Sham Link
You should configure an OSPF sham link under the
following circumstances:
- Two CE routers are linked together by a Layer 3 VPN.
- These CE routers are in the same OSPF area.
- An intra-area link is configured between the two CE routers.
If there is no intra-area link between the CE routers,
you do not need to configure an OSPF sham link.
For more information on OSPF sham links, see the
Internet draft draft-ietf-l3vpn-ospf-2547-01.txt, OSPF as
the PE/CE Protocol in BGP/MPLS VPNs.
Configuring OSPF Sham Links
The sham link is an unnumbered point-to-point intra-area
link and is advertised by means of a type 1 link-state advertisement
(LSA). Sham links are valid only for routing instances and OSPF version
2.
Each sham link is identified by a combination of
the local and remote sham link end-point address and the OSPF area
to which it belongs. Sham links must be configured manually. You configure
the sham link between two PE routers, both of which are within the
same VRF routing instance.
You need to specify the address for the local end
point of the sham link. This address is used as the source for the
sham link packets and is also used by the remote PE router as the
sham link remote end-point.
The OSPF sham link’s local address must be
specified with a loopback address for the local VPN. The route to
this address must be propagated by BGP. Specify the address for the
local end point using the local option of the sham-link statement:
You can include the sham-link statement at the following hierarchy levels:
- [edit routing-instances routing-instance-name protocols ospf]
- [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf]
The OSPF sham link’s remote address must
be specified with a loopback address for the remote VPN. The route
to this address must be propagated by BGP. To specify the address
for the remote end point, include the sham-link-remote statement:
You can include the sham-link-remote statement at the following hierarchy levels:
- [edit routing-instances routing-instance-name protocols ospf area area-id]
- [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf area area-id]
Optionally, you can include the metric option to set a metric value for the remote
end point. The metric value specifies the cost of using the link.
Routes with lower total path metrics are preferred over those with
higher path metrics.
You can configure a value from 1 through 65,535.
The default value is 1.
OSPF Sham Links Example
This example shows how to enable OSPF sham links
on a PE router.
The following is the loopback interface configuration
on the PE router. The address configured is for the local end point
of the OSPF sham link:
The following is the routing instance configuration
on the PE router, including the configuration for the OSPF sham link.
The sham-link local statement is configured with the address
for the local loopback interface:
- [edit]
- routing-instances {
-
- example-sham-links {
- instance-type vrf;
- interface e1-1/0/2.0;
- interface lo0.1;
- route-distinguisher 3:4;
- vrf-import vpn-red-import;
- vrf-export vpn-red-export;
-
- protocols {
-
- ospf {
- sham-link local 1-.1.1.1;
-
- area 0.0.0.0 {
- sham-link-remote 10.2.2.2 metric 1;
- interface e1-1/0/2.0 metric 1;
- }
- }
- }
- }
- }
- OSPF domain-id
- -------------
For most OSPF configurations involving Layer 3
VPNs, you do not need to configure an OSPF domain ID. However,
for a Layer 3 VPN connecting multiple OSPF domains, configuring OSPF
domain IDs can help you control LSA translation (for Type 3 and Type
5 LSAs) between the OSPF domains and back-door paths. Each VPN routing
and forwarding (VRF) table in a PE router associated with an OSPF
instance is configured with the same OSPF domain ID. The default OSPF
domain ID is the null value 0.0.0.0. As shown in Table 4, a route with a null domain ID is handled
differently from a route without any domain ID at all.
Table 4: How a
PE Router Redistributes and Advertises Routes
You can configure an OSPF domain ID for both version
2 and version 3 of OSPF. The only difference in the configuration
is that you include statements at the [edit routing-instances routing-instance-name protocols ospf] hierarchy level
for OSPF version 2 and at the [edit routing-instances routing-instance-name protocols ospf3] hierarchy
level for OSPF version 3. The configuration descriptions that
follow present the OSPF version 2 statement only. However, the substatements
are also valid for OSPF version 3.
To configure an OSPF domain ID, include the domain-id statement:
You can include this statement at the following
hierarchy levels:
- [edit routing-instances routing-instance-name protocols ospf]
- [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf]
You can set a VPN tag for the OSPF external routes
generated by the PE router to prevent looping. By default, this tag
is automatically calculated and needs no configuration. However, you
can configure the domain VPN tag for Type 5 LSAs explicitly by including
the domain-vpn-tag number statement: