MPLS Lab 014 OSPF Configuring Sham-link

Image requirements:
VIRL: IOSv 15.7
EVE-NG: Cisco vIOS Router vios-15.6
GNS3: vios-adventerprisek9-m.vmdk.SPA.156-2.T



Description:
This lab shows how to configure an OSPF sham-link in order to direct traffic over the L3 MPLS VPN path when a backdoor link exists in the topology. MPLS VPN is enabled in the topology, but traffic between the CE routers' LAN networks flows over the backdoor link instead of the main path over the MPLS core. You will implement a solution that fixes this OSPF behavior.



Topology:


Download Lab: EVE-NG | GNS3




Scenario:
An ISP's customer uses OSPF for PE-CE routing. OSPF is implemented and working at each of the client's sites, but the CE routers do not learn prefixes over the MPLS connections because of the backdoor path over the MetroE cloud. Routes from the MPLS core are learned as inter-area routes, while routes via MetroE are learned as intra-area routes. That is why the problem exists: OSPF chooses intra-area routes over inter-area routes. The resolution is to configure sham-links between the PE routers, which combine the three separate backbone areas into one. This turns the inter-area routes over the MPLS core into intra-area routes and makes both paths equal in terms of OSPF route type.
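The route-type preference described in this scenario, modelled as an added example (not part of the original lab). The costs 2 and 4 match the CE1-A outputs shown in Task7 and Task8; the inter-area cost of 1 and the MetroE cost of 11 after the Task8 change are assumed values.

```python
from dataclasses import dataclass

# OSPF compares the path type before the cost: an intra-area path beats an
# inter-area path no matter how low the inter-area cost is.
TYPE_RANK = {"intra-area": 0, "inter-area": 1}


@dataclass(frozen=True)
class Path:
    via: str         # which side of the topology the path uses
    route_type: str  # "intra-area" or "inter-area"
    cost: int        # total OSPF metric to the prefix


def best_paths(paths):
    """Return the path(s) OSPF would install for one prefix."""
    def rank(p):
        return (TYPE_RANK[p.route_type], p.cost)
    best = min(rank(p) for p in paths)
    return [p for p in paths if rank(p) == best]


def winner(paths):
    """Names of the winning path(s), sorted for stable comparison."""
    return sorted(p.via for p in best_paths(paths))


# Stage 1: no sham-link. The MPLS path is inter-area (assumed cost 1),
# the MetroE backdoor is intra-area (cost 2, as in the Task7 output).
BEFORE_SHAM_LINK = [Path("MPLS", "inter-area", 1),
                    Path("MetroE", "intra-area", 2)]

# Stage 2: sham-links up. Both paths are intra-area, so cost decides,
# and the backdoor (2) still beats the MPLS path (4).
AFTER_SHAM_LINK = [Path("MPLS", "intra-area", 4),
                   Path("MetroE", "intra-area", 2)]

# Stage 3: G0/2 cost raised to 10 (assumed total 10 + 1 = 11).
AFTER_COST_CHANGE = [Path("MPLS", "intra-area", 4),
                     Path("MetroE", "intra-area", 11)]

if __name__ == "__main__":
    for name, paths in [("before sham-link", BEFORE_SHAM_LINK),
                        ("after sham-link", AFTER_SHAM_LINK),
                        ("after cost change", AFTER_COST_CHANGE)]:
        print(f"{name}: {winner(paths)}")
```

The second stage is the reason the lab needs Task8: the sham-link only removes the route-type disadvantage, and the interface cost still has to favor the MPLS path.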



Lab tasks:
1. Understanding prerequisites for sham-link implementation.
2. Configure loopback interfaces for sham-link to use as source and destination IP addresses.
3. Advertise the loopback interfaces' IP addresses by BGP.
4. Configure sham-link between PE2 and PE4.
5. Configure sham-link between PE2 and PE3.
6. Configure sham-link between PE3 and PE4.
7. Verify IP routing tables on the CE routers after the implementation of sham-links.
8. Modify the OSPF path cost over the MetroE connection.
9. Clean up the mess caused by sham-links on the PE routers in their BGP VPNv4 tables.



Lab procedure:

Task1: Understanding prerequisites for sham-link implementation. 
a. A sham-link is enabled under the OSPF global configuration on the PE routers. It needs source and destination IP addresses to be specified, in the same way as a GRE tunnel configuration.
b. A new loopback interface with a /32 IP address is required on the PE routers, configured in the desired client's VRF.
c. The IP addresses of the loopback interfaces have to be redistributed into the MPLS core by BGP only.



Task2: Configure loopback interfaces for sham-link to use as source and destination IP addresses.

Step1. Before enabling any interfaces, verify the current interface configuration:
PE2#show ip interface brief | exclude unassigned
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.255.2.163 YES NVRAM administratively down down
GigabitEthernet0/1 10.0.1.6 YES NVRAM up up
GigabitEthernet0/2 10.0.3.6 YES NVRAM up up
GigabitEthernet0/3 10.150.0.2 YES NVRAM up up
Loopback0 10.100.0.12 YES NVRAM up up
Loopback1000 172.16.255.1 YES NVRAM up up
Loopback2000 172.16.255.2 YES NVRAM up up
Loopback3000 172.16.255.3 YES NVRAM up up


Step2. Configure nodes PE2, PE3, and PE4 by adding a new Loopback90 interface to VRF CE1:
PE2(config)#interface lo90
PE2(config-if)#description CE1_SHAM_LINK
PE2(config-if)#vrf forwarding CE1
PE2(config-if)#ip address 10.90.0.0 255.255.255.255
PE2(config-if)#
PE3(config)#interface lo90
PE3(config-if)#description CE1_SHAM_LINK
PE3(config-if)#vrf forwarding CE1
PE3(config-if)#ip address 10.90.0.1 255.255.255.255
PE3(config-if)#
PE4(config)#interface lo90
PE4(config-if)#description CE1_SHAM_LINK
PE4(config-if)#vrf forwarding CE1
PE4(config-if)#ip address 10.90.0.2 255.255.255.255
PE4(config-if)#


Step3. Verify loopback interfaces:
PE2#show running-config interface lo90
Building configuration...
Current configuration : 113 bytes
!
interface Loopback90
description CE1_SHAM_LINK
vrf forwarding CE1
ip address 10.90.0.0 255.255.255.255
end

PE2#show ip interface brief | include k90
Loopback90 10.90.0.0 YES manual up up



Task3: Advertise the loopback interfaces' IP addresses by BGP.

Step1. Only BGP has to propagate the /32 prefix; otherwise the sham-link will not work. When you redistribute the IP addresses used for sham-links, it is a good idea to filter what you redistribute to avoid routing inconsistency. For example, loopback90's IP address appears as connected in the routing table for VRF CE1. If you redistribute connected routes without filtering, you also redistribute the link subnet between the CE and PE routers, which is already advertised by OSPF, and you end up with a BGP RIB-failure for that route in the BGP VPNv4 table because of OSPF's lower administrative distance. That is why you are going to configure redistribution with a route-map, but first you need to identify the connected loopback90 subnet with a prefix-list:
PE2(config)#ip prefix-list CE1_SHAM_LINK permit 10.90.0.0/32
PE3(config)#ip prefix-list CE1_SHAM_LINK permit 10.90.0.1/32
PE4(config)#ip prefix-list CE1_SHAM_LINK permit 10.90.0.2/32


Step2. Create a route-map that matches the IP prefix-list you configured in the step above:
PE2(config)#route-map SHAM_LINK permit 10
PE2(config-route-map)#match ip address prefix-list CE1_SHAM_LINK
PE2(config-route-map)#exit
PE3(config)#route-map SHAM_LINK permit 10
PE3(config-route-map)#match ip address prefix-list CE1_SHAM_LINK
PE3(config-route-map)#exit
PE4(config)#route-map SHAM_LINK permit 10
PE4(config-route-map)#match ip address prefix-list CE1_SHAM_LINK
PE4(config-route-map)#exit


Step3. Perform redistribution into BGP VPNv4 table:
PE2(config)#router bgp 64500
PE2(config-router)#address-family ipv4 unicast vrf CE1
PE2(config-router-af)#redistribute connected route-map SHAM_LINK
PE2(config-router-af)#end
PE3(config)#router bgp 64500
PE3(config-router)#address-family ipv4 unicast vrf CE1
PE3(config-router-af)#redistribute connected route-map SHAM_LINK
PE3(config-router-af)#end
PE4(config)#router bgp 64500
PE4(config-router)#address-family ipv4 unicast vrf CE1
PE4(config-router-af)#redistribute connected route-map SHAM_LINK
PE4(config-router-af)#end


Step4. Verify the proper redistribution:
PE2#show bgp vpnv4 unicast vrf CE1 | section 10.90.
*> 10.90.0.0/32 0.0.0.0 0 32768 ?
*>i 10.90.0.1/32 10.100.0.13 0 100 0 ?
*>i 10.90.0.2/32 10.100.0.14 0 100 0 ?
As you can see, the BGP VPNv4 table contains the prefixes of all the loopback90 interfaces.


Step5. Verify if redistribution occurs with filtering enabled: 
PE2#show ip prefix-list detail
Prefix-list with the last deletion/insertion: CE1_SHAM_LINK
ip prefix-list CE1_SHAM_LINK:
count: 1, range entries: 0, sequences: 5 - 5, refcount: 3
seq 5 permit 10.90.0.0/32 (hit count: 2, refcount: 1)
The hit count 2 indicates that route filtering is working.


Step6. Ping each prefix from the loopback90 as the source interface:
PE2#ping vrf CE1 10.90.0.1 source lo90
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.90.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.90.0.0
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms

PE2#ping vrf CE1 10.90.0.2 source lo90
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.90.0.2, timeout is 2 seconds:
Packet sent with a source address of 10.90.0.0
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
PE2#



Task4: Configure sham-link between PE2 and PE4.

Configuring PE2:
PE2(config)#router ospf 10 vrf CE1
PE2(config-router)#area 0 sham-link 10.90.0.0 10.90.0.2
PE2(config-router)#end

Configuring PE4:
PE4(config)#router ospf 10 vrf CE1
PE4(config-router)#area 0 sham-link 10.90.0.2 10.90.0.0
PE4(config-router)#end

Verify sham-link:
PE2#show ip ospf sham-links
Sham Link OSPF_SL0 to address 10.90.0.2 is up
Area 0 source address 10.90.0.0
Run as demand circuit
DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
Hello due in 00:00:06
Adjacency State FULL (Hello suppressed)
Index 1/2/2, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
PE2#



Task5: Configure sham-link between PE2 and PE3.
Configuring PE2:
PE2(config)#router ospf 10 vrf CE1
PE2(config-router)#area 0 sham-link 10.90.0.0 10.90.0.1
PE2(config-router)#end

Configuring PE3:
PE3(config)#router ospf 10 vrf CE1
PE3(config-router)#area 0 sham-link 10.90.0.1 10.90.0.0
PE3(config-router)#end



Task6: Configure sham-link between PE3 and PE4.
Configuring PE3:
PE3(config)#router ospf 10 vrf CE1
PE3(config-router)#area 0 sham-link 10.90.0.1 10.90.0.2
PE3(config-router)#end

Configuring PE4:
PE4(config)#router ospf 10 vrf CE1
PE4(config-router)#area 0 sham-link 10.90.0.2 10.90.0.1
PE4(config-router)#end

Verify OSPF neighborship:
PE2#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.150.0.10 0 FULL/ - - 10.90.0.1 OSPF_SL1
10.150.0.6 0 FULL/ - - 10.90.0.2 OSPF_SL0
10.155.7.1 1 FULL/DR 00:00:35 10.150.0.1 GigabitEthernet0/3
PE2#
There are two more neighbors, PE3 and PE4, formed over the sham-links.



Task7: Verify IP routing tables on the CE routers after the implementation of sham-links.
CE1-A#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 40 subnets, 4 masks
O E2 10.90.0.0/32 [110/1] via 10.150.0.19, 00:43:15, GigabitEthernet0/2
[110/1] via 10.150.0.18, 00:43:15, GigabitEthernet0/2
[110/1] via 10.150.0.2, 00:11:02, GigabitEthernet0/1
O E2 10.90.0.1/32 [110/1] via 10.150.0.2, 00:40:44, GigabitEthernet0/1
O E2 10.90.0.2/32 [110/1] via 10.150.0.2, 00:41:12, GigabitEthernet0/1
O 10.150.0.4/30 [110/2] via 10.150.0.19, 02:00:23, GigabitEthernet0/2
O 10.150.0.8/30 [110/2] via 10.150.0.18, 02:00:23, GigabitEthernet0/2
O 10.160.0.0/24 [110/2] via 10.150.0.19, 02:00:23, GigabitEthernet0/2
O 10.160.1.0/24 [110/2] via 10.150.0.19, 02:00:23, GigabitEthernet0/2
O 10.160.2.0/24 [110/2] via 10.150.0.19, 02:00:23, GigabitEthernet0/2
O 10.160.3.0/24 [110/2] via 10.150.0.19, 02:00:23, GigabitEthernet0/2
O 10.160.4.0/24 [110/2] via 10.150.0.19, 02:00:23, GigabitEthernet0/2
O 10.160.5.0/24 [110/2] via 10.150.0.19, 02:00:23, GigabitEthernet0/2
O 10.160.6.0/24 [110/2] via 10.150.0.19, 02:00:23, GigabitEthernet0/2
O 10.160.7.0/24 [110/2] via 10.150.0.19, 02:00:23, GigabitEthernet0/2
O 10.165.0.0/24 [110/2] via 10.150.0.18, 02:00:23, GigabitEthernet0/2
O 10.165.1.0/24 [110/2] via 10.150.0.18, 02:00:23, GigabitEthernet0/2
O 10.165.3.0/24 [110/2] via 10.150.0.18, 02:00:23, GigabitEthernet0/2
O 10.165.4.0/24 [110/2] via 10.150.0.18, 02:00:23, GigabitEthernet0/2
O 10.165.5.0/24 [110/2] via 10.150.0.18, 02:00:23, GigabitEthernet0/2
O 10.165.6.0/24 [110/2] via 10.150.0.18, 02:00:23, GigabitEthernet0/2
O 10.165.7.0/24 [110/2] via 10.150.0.18, 02:00:23, GigabitEthernet0/2
CE1-A#
Notice that all prefixes of the routers CE1-B and CE1-C are still coming via the MetroE path. As mentioned in the last lab, this path should serve as backup only. Repeat this verification on the other CE routers.



Task8: Modify the OSPF path cost over the MetroE connection on all three CE routers:
Increase the OSPF cost to 10 on interface G0/2:
CE1-A(config)#interface g0/2
CE1-A(config-if)#ip ospf cost 10
CE1-A(config-if)#end
CE1-B(config)#interface g0/2
CE1-B(config-if)#ip ospf cost 10
CE1-B(config-if)#end
CE1-C(config)#interface g0/2
CE1-C(config-if)#ip ospf cost 10
CE1-C(config-if)#end

Verify how the change affected the state of the routing tables on the CE routers:
CE1-A#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 40 subnets, 4 masks
O E2 10.90.0.0/32 [110/1] via 10.150.0.2, 00:39:26, GigabitEthernet0/1
O E2 10.90.0.1/32 [110/1] via 10.150.0.2, 01:09:08, GigabitEthernet0/1
O E2 10.90.0.2/32 [110/1] via 10.150.0.2, 01:09:36, GigabitEthernet0/1
O 10.150.0.4/30 [110/3] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.150.0.8/30 [110/3] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.160.0.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.160.1.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.160.2.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.160.3.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.160.4.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.160.5.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.160.6.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.160.7.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.165.0.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.165.1.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.165.3.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.165.4.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.165.5.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.165.6.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.165.7.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
CE1-A#
Now all routes are coming from the PE2 node.
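The Task7 and Task8 verification can be scripted instead of read by eye. The following is an added example (not part of the original lab) that parses `show ip route ospf` text and lists the prefixes still using the backdoor interface; the sample text is excerpted from the CE1-A outputs above, and the function names are hypothetical.

```python
import re

# A route line carries the OSPF code and the prefix. Extra next hops for the
# same prefix appear on continuation lines with no code and no prefix.
ROUTE = re.compile(r"^(O(?: (?:IA|E1|E2|N1|N2))?)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s")
HOP = re.compile(r"\[\d+/(\d+)\] via ([\d.]+), \S+, (\S+)")


def parse_ospf_routes(text):
    """Map prefix -> {"code": str, "hops": [(interface, metric), ...]}."""
    routes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE.match(line)
        if m:
            current = routes.setdefault(m.group(2),
                                        {"code": m.group(1), "hops": []})
        h = HOP.search(line)
        if h and current is not None:
            current["hops"].append((h.group(3), int(h.group(1))))
    return routes


def via_interface(routes, interface):
    """Prefixes with at least one next hop out of the given interface."""
    return sorted(p for p, r in routes.items()
                  if any(intf == interface for intf, _ in r["hops"]))


BACKDOOR = "GigabitEthernet0/2"  # MetroE-facing interface on CE1-A in this lab

# Excerpt of the Task7 output (sham-links up, default interface cost).
TASK7 = """\
O E2 10.90.0.0/32 [110/1] via 10.150.0.19, 00:43:15, GigabitEthernet0/2
[110/1] via 10.150.0.18, 00:43:15, GigabitEthernet0/2
[110/1] via 10.150.0.2, 00:11:02, GigabitEthernet0/1
O E2 10.90.0.1/32 [110/1] via 10.150.0.2, 00:40:44, GigabitEthernet0/1
O 10.160.0.0/24 [110/2] via 10.150.0.19, 02:00:23, GigabitEthernet0/2
O 10.165.0.0/24 [110/2] via 10.150.0.18, 02:00:23, GigabitEthernet0/2
"""

# Excerpt of the Task8 output (G0/2 cost raised to 10).
TASK8 = """\
O E2 10.90.0.0/32 [110/1] via 10.150.0.2, 00:39:26, GigabitEthernet0/1
O E2 10.90.0.1/32 [110/1] via 10.150.0.2, 01:09:08, GigabitEthernet0/1
O 10.160.0.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
O 10.165.0.0/24 [110/4] via 10.150.0.2, 00:06:35, GigabitEthernet0/1
"""

if __name__ == "__main__":
    for name, text in (("Task7", TASK7), ("Task8", TASK8)):
        print(name, via_interface(parse_ospf_routes(text), BACKDOOR))
```

An empty list for the Task8 text confirms that no OSPF route on CE1-A uses the MetroE interface any more.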



Task9: Clean up the mess caused by sham-links on the PE routers in their BGP VPNv4 tables.

Step1. Verify the BGP VPNv4 tables:
PE2#show bgp vpnv4 unicast vrf CE1
BGP table version is 63, local router ID is 10.100.0.12
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 2020:2020 (default for vrf CE1)
*> 10.90.0.0/32 0.0.0.0 0 32768 ?
*>i 10.90.0.1/32 10.100.0.13 0 100 0 ?
*>i 10.90.0.2/32 10.100.0.14 0 100 0 ?
* i 10.150.0.16/28 10.100.0.14 11 100 0 ?
*> 10.150.0.1 11 32768 ?
* i 10.100.0.13 11 100 0 ?
*> 10.155.0.0/24 10.150.0.1 2 32768 ?
*> 10.155.1.0/24 10.150.0.1 2 32768 ?
*> 10.155.2.0/24 10.150.0.1 2 32768 ?
*> 10.155.3.0/24 10.150.0.1 2 32768 ?
*> 10.155.4.0/24 10.150.0.1 2 32768 ?
*> 10.155.5.0/24 10.150.0.1 2 32768 ?
*> 10.155.6.0/24 10.150.0.1 2 32768 ?
*> 10.155.7.0/24 10.150.0.1 2 32768 ?
r>i 10.160.0.0/24 10.100.0.14 2 100 0 ?
r>i 10.160.1.0/24 10.100.0.14 2 100 0 ?
r>i 10.160.2.0/24 10.100.0.14 2 100 0 ?
r>i 10.160.3.0/24 10.100.0.14 2 100 0 ?
r>i 10.160.4.0/24 10.100.0.14 2 100 0 ?
r>i 10.160.5.0/24 10.100.0.14 2 100 0 ?
r>i 10.160.6.0/24 10.100.0.14 2 100 0 ?
r>i 10.160.7.0/24 10.100.0.14 2 100 0 ?
r>i 10.165.0.0/24 10.100.0.13 2 100 0 ?
r>i 10.165.1.0/24 10.100.0.13 2 100 0 ?
r>i 10.165.3.0/24 10.100.0.13 2 100 0 ?
r>i 10.165.4.0/24 10.100.0.13 2 100 0 ?
r>i 10.165.5.0/24 10.100.0.13 2 100 0 ?
r>i 10.165.6.0/24 10.100.0.13 2 100 0 ?
r>i 10.165.7.0/24 10.100.0.13 2 100 0 ?
As you can see, there are quite a lot of prefixes with RIB-failure. This happens because the PE routers now learn these routes via the sham-links instead of iBGP, and OSPF has a lower AD than iBGP. That is why, when you use sham-links, you do not need redistribution between BGP and OSPF. Use this command to list all routes with RIB-failure and the reason for each:
PE2#show bgp vpnv4 unicast vrf CE1 rib-failure
Network Next Hop RIB-failure RIB-NH Matches
Route Distinguisher: 2020:2020 (default for vrf CE1)
10.160.0.0/24 10.100.0.14 Higher admin distance n/a
10.160.1.0/24 10.100.0.14 Higher admin distance n/a
10.160.2.0/24 10.100.0.14 Higher admin distance n/a
10.160.3.0/24 10.100.0.14 Higher admin distance n/a
10.160.4.0/24 10.100.0.14 Higher admin distance n/a
10.160.5.0/24 10.100.0.14 Higher admin distance n/a
10.160.6.0/24 10.100.0.14 Higher admin distance n/a
10.160.7.0/24 10.100.0.14 Higher admin distance n/a
10.165.0.0/24 10.100.0.13 Higher admin distance n/a
10.165.1.0/24 10.100.0.13 Higher admin distance n/a
10.165.3.0/24 10.100.0.13 Higher admin distance n/a
10.165.4.0/24 10.100.0.13 Higher admin distance n/a
10.165.5.0/24 10.100.0.13 Higher admin distance n/a
10.165.6.0/24 10.100.0.13 Higher admin distance n/a
10.165.7.0/24 10.100.0.13 Higher admin distance n/a


Step2. Remove the redistribution from both OSPF and BGP:
PE2(config)#router ospf 10 vrf CE1
PE2(config-router)#no redistribute bgp 64500
PE2(config-router)#exit
PE2(config)#router bgp 64500
PE2(config-router)#address-family ipv4 unicast vrf CE1
PE2(config-router-af)#no redistribute ospf 10
PE2(config-router-af)#
Repeat this on the PE3 and PE4 routers.


Step3. Verify the BGP VPNv4 tables again:
PE2#show bgp vpnv4 unicast vrf CE1
BGP table version is 88, local router ID is 10.100.0.12
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 2020:2020 (default for vrf CE1)
*> 10.90.0.0/32 0.0.0.0 0 32768 ?
*>i 10.90.0.1/32 10.100.0.13 0 100 0 ?
*>i 10.90.0.2/32 10.100.0.14 0 100 0 ?
Now only the prefixes of the loopback90 interfaces are in the BGP VPNv4 table for VRF CE1. This configuration is neat and if there is a need to troubleshoot missing routes you just have to deal with OSPF and its sham-links. 



Summary:
This lab introduced sham-links, a concept that helps you deploy an OSPF topology across the MPLS domain as if you had configured it over a simple flat network. Backdoor links are no longer a problem because, after the sham-links are implemented, both paths over MPLS and MetroE are considered equal in terms of OSPF route type.
