Hi Davis,

There’s a lot of things that could be wrong. Here’s a simple checklist you can use:

Here’s what you should check and in what order:

  1. Make sure your PE/P routers have established LDP neighbor adjacencies using loopback interfaces as the transport addresses.

  2. Make sure the VRF is created on both PE routers.

  3. Make sure you use the correct RD for each VRF.

  4. Make sure you have the correct import/export route-targets.

  5. Check if you see routes in the VRF routing table on the PE routers.

  6. Check if you have an IBGP neighbor adjacency between the PE routers for the VPN address-family.

  7. Make sure that extended communities are sent between the PE routers.

  8. Make sure you see VPN routes on each PE router.

  9. Make sure you see routes on both CE routers.

These are basically all the things you should check.


Hi Rene,

Do we have a lesson for OSPF Sham link available?

Hi Jinbee,

Not yet, I’ll let you know once I published it.


Hi Rene,

Pls explain about the use of Sham links in mpls vpn


Hi Shyam,

Once I have a lesson on it, I’ll post it here.


Hi Rene,
Cleared posting as usual. However I don’t see lesson on the Sham Link topic. Would you mind advise ?



In the post right above yours Rene mentions he will let everyone know when he has a sham link lesson.

In the post right above yours Rene mentions he will let everyone know when he has a sham link lesson.

I want to share my studies in MPLS VPN,

The previous chapters described how MP-BGP Extended attributes are used to preserve some OSPF routing information and to allow two OSPF VPN sites remaining in same OSPF domain while they are connected via MPLS/VPN. In such approach, the MPLS/VPN is acting as OSPF area 0 and the PE router is regarded as an ABR router advertising the inter-site routes in type 3 Summary LSA. The routes are therefore inter-area routes.
However, this may not be a desirable situation for the following scenarios:
> When there is a backdoor connection on two VPN sites and it is desired to use the MPLS VPN connection to reach the other site rather than the backdoor connection
> When one site has two or more connections to MPLS VPN and it is desired to route packets over the VPN connection than over the routes inside of the site
> When two VPN sites want to be in the same OSPF area (for migration purposes or desired objective)


Sham Link provides virtual intra-area‘ connectivity across the MPLS VPN Super-Backbone so that traffic can be attracted to the backbone rather than taking the backdoor link between sites. A Sham link is required between any two sites that share a backdoor link. If no backdoor link exists between the sites, then a sham-link is NOT required.

Hello Adrian.

Thanks for sharing that, it’s much appreciated!



If i add a ASA box on the site CE1 with the ip address of and all the clients connected to that site have internet access, and i want to allow users on the second site to access the internet how would i add a static route through the MPLS to the ip of my asa box


Hi Thomas,

You will have to configure “hairpinning” on your ASA so that it translates traffic that arrived on its OUTSIDE interface and forwards it out of the same OUTSIDE interface again. Here is an example I created before for remote VPN users, your setup will be similar:

Cisco ASA Hairpin Remote VPN users

In your case, you don’t have remote VPN users but the idea is the same.


19 posts were merged into an existing topic: MPLS Layer 3 VPN PE-CE OSPF

Urgent Request
Hi Rene,

Please explain the sham link concept and OSPF loop prevention mechanism as mentioned by you.

Thanks and Regards,

@karan I figured it was about time I wrote something about the sham link:

Thank you Rene , that’s superb writeup and enjoyed as usual.

I was wondering if you have any plan to write the blog for CCIE-SP track…

I might add some SP material sometime but first I want to work on Nexus material.


I notice RD, and RT are configured on PE1 and PE2 routers. Can you configure RD, and RT on CE1 and CE2 with the same values of the PEs the CEs are connected to? Is there a reason/benefit to configuring RD, and RT on CE1 and CE2. I notice an organization has done this. When I saw this it was confusing to me after your example didn’t include RD, and RT on CE1 and CE2.

I appreciate the work you do in explaining networking where exmaples are easy to understand.


Hello Timothy

RD and RT are concepts and functionalities that should be confined to the provider’s network. Their functionality should be transparent from the point of view of the CE routers. However, if the provider has extended their MPLS functionality into the customer router for some reason, then you would see RD and RT configs in the CE. This is highly unusual and irregular, however, technically it can happen.

I hope this has been helpful!


Was there ever a lesson about the loop prevention required? Would you need to tag routes that are redistributed on the PE’s?