sham link

HI I am learning sham link on Junos and found 2 problems:

I have CE1 connects to both PE1 and PE2, while CE2 connects PE3

1: if the backdoor link between CEs is 1GE, which means ospf cost is 1 (backdoor link is in ospf area 0), and this is already the minimum that remote-sham-link can support. So as the result, CE1 and CE2 will learn CE routes from both VPN and backdoor and will be doing load-balancing. If CEs are not configurable to increase the cost, is there any solution to prevent this happening?
2: I expected to see the routes learned from CE being distributed back to the same CE, but this did not happen as long as there is no sham link config. But, as soon as sham link was configured in vrf proto ospf, then CE1 got its own routes back from its connected PEs, and same as CE2. I tried to set site of origin and reject community origin before exporting bgp to ospf, but it just did not work.
I suppose sham-link made the core like an ospf area 0 and vpn bgp routes behavior as intra-area routes so the intra-area lsp could not be filtered by any means??? The CE routes are type3 and 5. This is not a huge problem since these routes are not active on CEs due to higher preference. But is there any way to do filtering?

Please advice! Thanks.

Find more posts tagged with

Comments

hoogen82

1. I understand why CE's may not be configured... but its certainly hard to figure out..if you don't have access on CE's
2. I don't quite understand it... I am assuming Ce1 routes are advertised back to it by Pe1.. ? there was a solution in JNCIE book to filter these..

yren

hoogen82 wrote: »

1. I understand why CE's may not be configured... but its certainly hard to figure out..if you don't have access on CE's
2. I don't quite understand it... I am assuming Ce1 routes are advertised back to it by Pe1.. ? there was a solution in JNCIE book to filter these..

Sorry for confusing. For the question 2 (VPNB of lab 1), the solution you mentioned on the book is to set origin on routes received from the CE and reject them in export policy bgp-ospf, right? This works only before sham-link has not been configured, but once it is configured, CE routes will be advertised back to the same CE (from R1 and R2 to P1), and the filter does not work any more. Also, I noticed all inter-area type 5 routes (they were converted from type3 to type 5 due to configured domain id) were changed back to type 3. Not sure if this is a normal behavior or due to something I did wrong.

I am also wondering if CE-PE and backdoor are using BGP instead of OSPF, is there any way to force the CE traffic going through VPN core? I dont think there is "sham link" for BGP

Hoogen, I also noticed if ldp-tunneling is used to build lsps between PEs, (the VPNB question of the 2nd lab scenario) there will be some hidden routes again (only IGP routes, since I configed 0/0 in inet.3 on all reflectors R3,4,5. These hidden routes will use lsp as next hop, but I did not config any TE shortcuts) Did you also encounter this issue in your test bed?

Sorry for asking so many questions, thanks a lot buddies!!!

hoogen82

Regarding ldp tunneling I did see some issues in the solution I put up...I will send you the final solution I created...It shouldn't have any hidden routes...

yren

hoogen82 wrote: »

Regarding ldp tunneling I did see some issues in the solution I put up...I will send you the final solution I created...It shouldn't have any hidden routes...

Thanks man!