Here is finally. Sorry

Hi Alfredo,

What do you use between the PE/CE routers? Also OSPF? Should the london and italy sites always use their direct 100M link or is this only used as a backup?


Hi Rene,

What do you use between the PE/CE routers? I am using eBGP
Should the london and italy sites always use their direct 100M link or is this only used as a backup? Yes that should be on so Italy site can reach the DATACENTER located in London.


Hi Alfredo,

Are your London and Italy sites only advertising their own prefixes?

If you want your users from CE2 to be able to reach London in case CE-1 is down then you should advertise the prefixes from London from OSPF into BGP on Italy so that CE3 can learn them. You could use conditional advertising or use some of the BGP attributes so that this path is not preferred as long as CE-1 is up and running.


Hi Rene,

I tried to redistributed the route into the OSPF in CE1 router, and the PE1 did received the route as E2 route. But the other PE2 not received the VPNV4 route from PE1 and also can not advertised it to CE2. Any idea how to fix this?


Hi Davis,

There’s a lot of things that could be wrong. Here’s a simple checklist you can use:

Here’s what you should check and in what order:

  1. Make sure your PE/P routers have established LDP neighbor adjacencies using loopback interfaces as the transport addresses.

  2. Make sure the VRF is created on both PE routers.

  3. Make sure you use the correct RD for each VRF.

  4. Make sure you have the correct import/export route-targets.

  5. Check if you see routes in the VRF routing table on the PE routers.

  6. Check if you have an IBGP neighbor adjacency between the PE routers for the VPN address-family.

  7. Make sure that extended communities are sent between the PE routers.

  8. Make sure you see VPN routes on each PE router.

  9. Make sure you see routes on both CE routers.

These are basically all the things you should check.


Hi Rene,

Do we have a lesson for OSPF Sham link available?

Hi Jinbee,

Not yet, I’ll let you know once I published it.


Hi Rene,

Pls explain about the use of Sham links in mpls vpn


Hi Shyam,

Once I have a lesson on it, I’ll post it here.


Hi Rene,
Cleared posting as usual. However I don’t see lesson on the Sham Link topic. Would you mind advise ?



In the post right above yours Rene mentions he will let everyone know when he has a sham link lesson.

In the post right above yours Rene mentions he will let everyone know when he has a sham link lesson.

I want to share my studies in MPLS VPN,

The previous chapters described how MP-BGP Extended attributes are used to preserve some OSPF routing information and to allow two OSPF VPN sites remaining in same OSPF domain while they are connected via MPLS/VPN. In such approach, the MPLS/VPN is acting as OSPF area 0 and the PE router is regarded as an ABR router advertising the inter-site routes in type 3 Summary LSA. The routes are therefore inter-area routes.
However, this may not be a desirable situation for the following scenarios:
> When there is a backdoor connection on two VPN sites and it is desired to use the MPLS VPN connection to reach the other site rather than the backdoor connection
> When one site has two or more connections to MPLS VPN and it is desired to route packets over the VPN connection than over the routes inside of the site
> When two VPN sites want to be in the same OSPF area (for migration purposes or desired objective)


Sham Link provides virtual intra-area‘ connectivity across the MPLS VPN Super-Backbone so that traffic can be attracted to the backbone rather than taking the backdoor link between sites. A Sham link is required between any two sites that share a backdoor link. If no backdoor link exists between the sites, then a sham-link is NOT required.

Hello Adrian.

Thanks for sharing that, it’s much appreciated!



If i add a ASA box on the site CE1 with the ip address of and all the clients connected to that site have internet access, and i want to allow users on the second site to access the internet how would i add a static route through the MPLS to the ip of my asa box


Hi Thomas,

You will have to configure “hairpinning” on your ASA so that it translates traffic that arrived on its OUTSIDE interface and forwards it out of the same OUTSIDE interface again. Here is an example I created before for remote VPN users, your setup will be similar:

Cisco ASA Hairpin Remote VPN users

In your case, you don’t have remote VPN users but the idea is the same.


19 posts were merged into an existing topic: MPLS Layer 3 VPN PE-CE OSPF

Urgent Request
Hi Rene,

Please explain the sham link concept and OSPF loop prevention mechanism as mentioned by you.

Thanks and Regards,

@karan I figured it was about time I wrote something about the sham link: