The sham-link command configures a sham link, or sets the parameter values of a sham link.
The undo sham-link command restores the default setting, or restores the default parameter values of a sham link.
By default, no sham link is configured on OSPF.
sham-link source-ip-address destination-ip-address [ smart-discover | [ simple [ plain plain-text | [ cipher ] cipher-text ] | { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text | [ cipher ] cipher-text } ] | authentication-null | keychain keychain-name ] | cost cost | dead dead-interval | hello hello-interval | retransmit retransmit-interval | trans-delay trans-delay-interval ] *
undo sham-link source-ip-address destination-ip-address [ smart-discover | { simple | md5 | hmac-md5 | hmac-sha256 | authentication-null | keychain } | cost | dead | hello | retransmit | trans-delay ] *
| Parameter | Description | Value |
|---|---|---|
source-ip-address |
Specifies the source IP address. |
In dotted decimal notation. |
destination-ip-address |
Specifies the destination IP address. |
In dotted decimal notation. |
smart-discover |
Indicates that Hello packets are sent automatically and immediately. |
- |
simple |
Indicates the simple authentication mode. By default, the simple authentication mode is plain. |
- |
plain |
Indicates the plain authentication. You can only type in the simple text, and it displays as simple text when the configuration file is viewed. NOTE:
When configuring an authentication password, select the ciphertext mode because the password is saved in configuration files in simple text if you select simple text mode, which has a high risk. To ensure device security, change the password periodically. |
- |
plain-text |
Specifies the simple-text password. |
|
cipher |
Indicates the cipher authentication. You can type in the simple text or the ciphertext, and it is displayed as the ciphertext when the configuration file is viewed. |
- |
cipher-text |
Specifies the ciphertext password. |
|
md5 |
Indicates the MD5 authentication mode. |
- |
hmac-md5 |
Indicates the HMAC-MD5 authentication mode. |
- |
hmac-sha256 |
Indicates the HMAC-SHA256 authentication mode. NOTE:
HMAC-SHA256 authentication mode is better and more secure than other authentication modes. To ensure high security, HMAC-SHA256 authentication algorithm is recommended. |
- |
key-id |
Specifies authentication key ID of the cipher authentication of the interface. The key ID must be consistent with that of the peer. |
The value is an integer ranging from 1 to 255. |
authentication-null |
Indicates that no authentication is used. |
- |
keychain keychain-name |
Indicates the keychain authentication. NOTE:
Before configuring this parameter, you must run the keychain command to create a keychain. Then, run the key-id, key-string, and algorithm commands to configure a key ID, a password, and an authentication algorithm for this keychain. Otherwise, the OSPF authentication will fail. |
The value must be the name of an existing keychain. |
cost cost |
Specifies the cost of the sham link. |
The value of the cost is an integer ranging from 1 to 65535. By default, it is 1. |
dead dead-interval |
Specifies the dead interval. This value must be equal to the dead-interval of the router that sets up virtual link with the local router, and must be at least four times that of hello-interval. |
The value of the interval is an integer ranging from 1 to 23592600, in seconds. |
hello hello-interval |
Specifies the interval for transmitting Hello packets on an interface. This value must be equal to the hello-interval of the router that sets up the virtual link with the local router. |
The value is an integer ranging from 1 to 65535, in seconds. |
retransmit retransmit-interval |
Specifies the interval for retransmitting the LSA packets on an interface. |
The value is an integer ranging from 1 to 3600, in seconds. |
trans-delay trans-delay-interval |
Specifies the delay for transmitting LSA packets on an interface. |
The value is an integer ranging from 1 to 3600, in seconds. |
Usage Scenario
The command can only be used in VPN scenarios.
The sham-link command can be used to create a sham link to make VPN traffic preferentially pass through the route within the backbone area. This prevents communication in the same VPN of the same OSPF area forwarded in the OSPF route.
By configuring the smart-discover parameter, you can actively send Hello packets to enable the neighbors of a sham link to reach the adjacencies more quickly.
Configuration Impact
After a sham link is configured between the two PEs, the sham link is considered as an OSPF local area route. In this manner, routes traveling through an MPLS VPN backbone network become intra-area OSPF routes, preventing VPN traffic from being transmitted through intra-area routes. The 32-bit loopback address is specified as the source and destination addresses of the sham link. The loopback interface must be bound to the VPN instance and advertised using BGP.
Precautions
When configuring a sham link, the route at the egress address of the sham link cannot be advertised to the remote PE using an OSPF process in a private network. Otherwise, there will be two routes to the egress address of the sham link on the remote PE. One route is learned from OSPF of a private network and the other is learned using MP-BGP. OSPf routes have higher priorities over BGP routes, the remote PE select a wrong OSPF route. As a result, the sham link cannot be created.