MPLS Layer 3 VPN PE-CE OSPF Sham Link

This topic is to discuss the following lesson:

Hi Rene,
So, the sham link is required only for the MPLS VPN scenario? Thx


That’s correct. MPLS VPN PE-CE with OSPF as the routing protocol between PE/CE.

Hi Rene,

In order for redistribution of other routing protocols into OSPF on the CE to work properly, we have to set up a sham link. Is that correct?
It looks like LSA types 5 & 7 are not exchanged across the MPLS backbone? Correct me if I’m wrong, because I have tried redistributing other routing protocols into OSPF on the CE without a sham link, and the result is that the PE directly connected to the CE got the routes but the other PEs didn’t get them.


Hello Minh,

Redistributed routes in OSPF on a CE router are no problem. You only need a sham link when you have a backdoor link in between your CE routers.

By default, OSPF external routes don’t get redistributed into BGP but you can change that. Here’s a quick example:

CE1(config)#interface Loopback 1
CE1(config-if)#ip address

CE1(config)#ip access-list standard CE1_L1
CE1(config-std-nacl)#permit host

CE1(config)#route-map CE1_L1 permit 10
CE1(config-route-map)#match ip address CE1_L1

CE1(config)#router ospf 1
CE1(config-router)#redistribute connected route-map CE1_L1

On the PE1 router:

PE1(config)#router bgp 234
PE1(config-router)#address-family ipv4 vrf CUSTOMER
PE1(config-router-af)#redistribute ospf 2 match internal external 1 external 2

And it will show up on the other end:

CE2#show ip route | include 11.11
O E2 [110/20] via, 00:02:29, GigabitEthernet0/1

Hope this helps!


Thank you, Rene.

Hello @pradyumnayadavgla

It seems that you posted this in a private message. I will quote it here, and respond to it so that all of our readers can benefit.

Hi Rene,

Q1- Can a sham link only be used for CE-PE OSPF, not with other IGPs like EIGRP and RIP?
Q2- Is it possible to use a sham link when we are using OSPF for CE-PE connectivity and another IGP for providing reachability b/w IBGP neighbors, or vice versa?
Q3- I did not understand the concept of the MPLS VPN backbone, meaning which link will act as the MPLS VPN backbone, and if the sham link is the MPLS VPN backbone link, does that mean we have a primary and sec MPLS VPN link and a total of two backbone links for each

Q1 A sham link is an OSPF concept and cannot be implemented using other routing protocols.

Q2 A sham link can only be created when OSPF is the IGP in the MPLS backbone. If you are running EIGRP between the CE and PE, then a sham link, although it can be created, is of no benefit, because the redistribution between OSPF and EIGRP takes place in the PE, and there, you can adjust the metric of the EIGRP routes to achieve what you would with the sham link. Remember, the sham link is there because OSPF will always prefer an intra-area route (O) over an inter-area route (O IA). The sham link simply changes the categorization of the O IA route to an O route so that it can be preferred. EIGRP doesn’t have such a concept, so it is not necessary.

Q3 The “VPN Backbone” is simply the MPLS network composed of the PE and P routers. The sham link isn’t the backbone, it is simply a mechanism that changes the categorization of the actual OSPF route. It’s not a tunnel of any sort, nor a backbone. The backbone is the MPLS network itself.

I hope this has been helpful!


Hi Laz,

Thanks for clarifying the same, but one more question: how many links are there for customer-to-customer reachability? I think there are two: one is the MPLS link and the other one is the OSPF link (through which customers are connected directly).

Hello Pradyumna

Whenever you require a sham link for OSPF, this is due to the fact that a customer has obtained a backup link between the customer sites, most often with the goal of providing redundancy. This means that there will be two possible paths that data can take between two particular customer sites, one via the MPLS network, and the other via the backup link.

Usually, an MPLS network will be the primary method of interconnecting sites, due to the fact that it is typically a high performance network, and because customers will often have more than two sites. But some customers may want to use MPLS as backup. So the sham link is used only when you want the MPLS network to be the primary link that OSPF routing chooses.

You are correct, there are indeed two links between customer sites in a topology such as the one that is described in this lesson, one via MPLS and one via the backup link.

I hope this has been helpful!


Can we change the metric of the sham link?

Hello Muhammad

An example of the command used to implement the sham link is the following:

PE2(config-router)#area 0 sham-link cost 10

The parameter cost 10 configures the metric of the sham link. If this is not configured, then the default cost is set to 1, which means it will most likely be chosen as the best path over alternate routes, which is what is desired.

I hope this has been helpful!
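
A fuller sham-link configuration for the topology discussed in this thread, added here as an example and not taken from the lesson or from any poster. VRF CUSTOMER, OSPF process 2, BGP AS 234 and area 0 follow the thread; the 192.0.2.x endpoint addresses, Loopback100 and the CE interface name are constructed placeholders, and the VRF itself is assumed to exist already.

```ios
! --- PE1 ---
interface Loopback100
 description Sham-link endpoint, /32 inside the customer VRF (constructed)
 ip vrf forwarding CUSTOMER
 ip address 192.0.2.1 255.255.255.255
!
router bgp 234
 address-family ipv4 vrf CUSTOMER
  ! Advertise the endpoint to the remote PE through MP-BGP only.
  network 192.0.2.1 mask 255.255.255.255
!
router ospf 2 vrf CUSTOMER
 ! No OSPF "network" statement covers 192.0.2.1: the endpoint must be
 ! reachable via BGP, not via OSPF, or the sham link will not stay up.
 area 0 sham-link 192.0.2.1 192.0.2.2 cost 10
!
! --- PE2 (mirror image) ---
interface Loopback100
 description Sham-link endpoint, /32 inside the customer VRF (constructed)
 ip vrf forwarding CUSTOMER
 ip address 192.0.2.2 255.255.255.255
!
router bgp 234
 address-family ipv4 vrf CUSTOMER
  network 192.0.2.2 mask 255.255.255.255
!
router ospf 2 vrf CUSTOMER
 area 0 sham-link 192.0.2.2 192.0.2.1 cost 10
!
! --- CE1 and CE2, backdoor interface (interface name is hypothetical) ---
! With the sham link up, both paths are intra-area (O), so cost decides.
! Raise the backdoor cost so the MPLS path wins and the backdoor is backup.
interface GigabitEthernet0/2
 ip ospf cost 1000
!
! --- Verification ---
! PE1# show ip ospf sham-links
! CE1# show ip route ospf
```

Both PEs must use the same area and matching source/destination pairs; the sham link only comes up once each PE has the other's /32 in the VRF routing table as a BGP route.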