Sham Links vs. Virtual Links? (SL)
Let's continue our talk about sham-links and virtual-links; today it is the sham-link's turn.
Think about a scenario like this.
Your company has chosen an MPLS/VPN service from a service provider to connect its branches abroad, and uses OSPF as the routing protocol. At the same time, you suggest that the company should also buy an E1/T1 link to act as a backup path for the MPLS/VPN. This ensures high availability for your network. So the gateway router will be connected to the SP that offers you the MPLS/VPN service. We call this gateway router the Customer Edge (CE) router, and its link to the SP is the primary link for data transmission. The router that your SP uses to connect your site is called the Provider Edge (PE) router. Don't forget your backup link: the CE router may be connected to another SP or to the same one, but over a different WAN service, E1/T1. You design the network so that the CE router keeps communicating with the remote site through this backup E1/T1 link even if the MPLS/VPN service goes down. This backup link is known as a backdoor path.
Although OSPF PE-CE connections assume that the only path between two client sites is across the MPLS VPN backbone, backdoor paths between VPN sites may exist. If these sites belong to the same OSPF area, the path over a backdoor link will always be selected because OSPF prefers intraarea paths to interarea paths. (PE routers advertise OSPF routes learned over the VPN backbone as interarea paths.) For this reason, OSPF backdoor links between VPN sites must be taken into account so that routing is performed based on policy. This is why we are talking about sham-links here.
At this moment, your CE router may receive two kinds of routes to reach the remote site:
1. Received from the MPLS/VPN, redistributed from BGP into OSPF; this route creates your primary path and is flooded as an LSA3 (inter-area) route.
2. Received directly from the remote site router over the E1/T1 backdoor path; this route creates your backup path and is flooded as an LSA1 (intra-area) route.
Then the unexpected happens: the primary path and the backup path swap roles, because OSPF prefers intraarea paths to interarea paths, as explained above.
If the backdoor links between sites are used only for backup purposes and do not participate in the VPN service, then the default route selection shown in the preceding example is not acceptable. To reestablish the desired path selection over the MPLS VPN backbone, you must create an additional OSPF intra-area (logical) link between ingress and egress VRFs on the relevant PE routers. This link is called a sham-link.
Note: A sham-link is required between any two VPN sites that belong to the same OSPF area and share an OSPF backdoor link. If no backdoor link exists between the sites, no sham-link is required.
Because the sham-link is seen as an intra-area link between PE routers, an OSPF adjacency is created and database exchange (for the particular OSPF process) occurs across the link. The PE router can then flood LSAs between sites from across the MPLS VPN backbone. As a result, the desired intra-area connectivity is created by specifying a lower metric for the sham-link than the one specified for the backdoor path.
In summary, you should configure an OSPF sham link under the following circumstances:
* Two CE routers are linked together by a Layer 3 VPN.
* These CE routers are in the same OSPF area.
* An intraarea link is configured between the two CE routers.
If there is no intraarea link between the CE routers, you do not need to configure an OSPF sham link. OSPF treats the link through the Layer 3 VPN as an interarea link. By default, OSPF prefers intraarea links to interarea links, so OSPF selects the backup intraarea link as the active path. This is not acceptable in configurations where the intraarea link is not the expected primary path for traffic between the CE routers. An OSPF sham link is also an intraarea link, except that it is configured between the PE routers. You can configure the metric for the sham link to ensure that the path over the Layer 3 VPN is preferred to a backup path over an intraarea link connecting the CE routers.
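The path selection described above can be checked with a small model. This is an added example, not code from the original post: it is a simplified single-area sketch in which the node names (CE1, PE1, PE2, CE2), all link costs and the function names are constructed assumptions.

```python
import heapq

# OSPF compares route type before cost: intra-area beats inter-area.
PREF = {"intra-area": 0, "inter-area": 1}

def spf(links, src, dst):
    """Dijkstra over intra-area links; returns (cost, path) or None."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    heap, seen = [(0, [src])], set()
    while heap:
        cost, path = heapq.heappop(heap)
        node = path[-1]
        if node == dst:
            return cost, path
        if node in seen:
            continue
        seen.add(node)
        for nxt, c in graph.get(node, []):
            if nxt not in seen:
                heapq.heappush(heap, (cost + c, path + [nxt]))
    return None

def best_route(backdoor_cost, sham_cost=None, pe_ce_cost=1, summary_cost=2):
    """Route CE1 selects towards CE2's site, as (type, cost, path)."""
    links = [("CE1", "CE2", backdoor_cost)]  # backdoor E1/T1 link (constructed cost)
    candidates = []
    if sham_cost is None:
        # No sham-link: the VPN route reaches CE1 as an inter-area (LSA3) route.
        candidates.append(("inter-area", pe_ce_cost + summary_cost,
                           ["CE1", "PE1", "PE2", "CE2"]))
    else:
        # Sham-link: PE1-PE2 is an intra-area link in the same SPF computation.
        links += [("CE1", "PE1", pe_ce_cost), ("PE1", "PE2", sham_cost),
                  ("PE2", "CE2", pe_ce_cost)]
    intra = spf(links, "CE1", "CE2")
    if intra:
        candidates.append(("intra-area", intra[0], intra[1]))
    # Route type decides first; cost only breaks ties within the same type.
    return min(candidates, key=lambda r: (PREF[r[0]], r[1]))

if __name__ == "__main__":
    print(best_route(backdoor_cost=100))                 # backdoor wins on route type
    print(best_route(backdoor_cost=100, sham_cost=10))   # VPN path wins on cost
    print(best_route(backdoor_cost=100, sham_cost=500))  # sham metric too high
```

The third call shows the misconfiguration to check for: a sham-link whose metric is not lower than the backdoor's leaves traffic on the backup link.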