Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

OSPF Sham Links

The Problem

A customer with L3VPN service via OSPF-BGP-VPNv4 decides to connect two sites together via OSPF backdoor, a direct connection they manage themselves.

When they turn on their private OSPF peering, all the traffic between these two sites now prefers the new link, vs the L3VPN cloud.

The Solution

Sham links are needed because the routes provided by an L3VPN are O IA. When the OSPF backdoor link comes up it will be preferred for two reasons:

  • OSPF has a lower AD than BGP
  • O routes are preferred over O IA

A sham link makes two PE routers at different sites in the same customer VRF form an intra-area connection.

From OSPF Sham-Link Support for MPLS VPN - Cisco.

Before you create a sham-link between PE routers in an MPLS VPN, you must:

  • Configure a new interface with a /32 address on the remote PE so that OSPF packets can be sent over the VPN backbone to the remote end of the sham-link. The /32 address must meet the following criteria:
    • Belong to a VRF
    • Not be advertised by OSPF
    • Be advertised by BGP
    • You can use the /32 address for other sham-links

References

What is OSPF Sham Links? how to configure OSPF Sham Links? - Cisco Community

Last Modified • Sunday, June 14, 2026. 5:02 pm UTC+00:00 • Commit: 3aedc3f