
sham-link (OSPF Area)

Function

The sham-link command configures a sham link or sets parameter values for a sham link.

The undo sham-link command deletes a sham link or restores the default parameter values of a sham link.

By default, no sham link is configured for OSPF.

Product Support

Supported: S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S

Not supported: S2720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI

Format

sham-link source-ip-address destination-ip-address [ [ simple [ plain plain-text | [ cipher ] cipher-text ] | { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text | [ cipher ] cipher-text } ] | authentication-null | keychain keychain-name ] | smart-discover | cost cost | dead dead-interval | hello hello-interval | retransmit retransmit-interval | trans-delay trans-delay-interval ] *

undo sham-link source-ip-address destination-ip-address [ [ simple | md5 | hmac-md5 | hmac-sha256 | authentication-null | keychain ] | smart-discover | cost | dead | hello | retransmit | trans-delay ] *

Parameters

Parameter Description Value

source-ip-address

Specifies the source IP address.

The value is in dotted decimal notation.

destination-ip-address

Specifies the destination IP address.

The value is in dotted decimal notation.

smart-discover

Indicates that Hello packets are sent automatically and immediately.

-

simple

Indicates simple authentication.

In simple authentication, the password type is cipher by default.

NOTICE:

Simple authentication carries potential security risks. As such, HMAC-SHA256 authentication is recommended.

-

plain

Indicates plain authentication.

Only plain text can be entered, and only plain text is displayed when the configuration file is viewed.

NOTICE:

If plain is selected, the password is saved in the configuration file in plain text. This carries security risks. You are advised to select cipher to save the password in cipher text.

-

plain-text

Specifies a plain text password.

  • In simple authentication, the value is a string of 1 to 8 characters without spaces.
  • In md5, hmac-sha256 or hmac-md5 authentication, the value is a string of 1 to 255 characters.

cipher

Indicates cipher authentication.

Either plain text or cipher text can be entered, and cipher text is displayed when the configuration file is viewed.

-

cipher-text

Specifies a cipher text password.

  • In simple authentication, the value is a string of 1 to 8 plain text characters and 3248 cipher text characters.
  • In md5, hmac-sha256 or hmac-md5 authentication, the value is a string of 1 to 255 plain text characters and 20 to 392 cipher text characters.

md5

Indicates MD5 authentication.

NOTICE:

MD5 authentication carries potential security risks. As such, HMAC-SHA256 authentication is recommended.

-

hmac-md5

Indicates hmac-md5 authentication.

NOTICE:

HMAC-MD5 authentication carries potential security risks. As such, HMAC-SHA256 authentication is recommended.

-

hmac-sha256

Indicates HMAC-SHA256 authentication.

-

key-id

Specifies the key ID used for cipher authentication on the interface.

The key ID must be consistent with that of the peer.

The value is an integer that ranges from 1 to 255.

authentication-null

Indicates that no authentication is used.

-

keychain

Indicates keychain authentication.

NOTE:

Before configuring this parameter, run the keychain command to create a keychain. Then, run the key-id, key-string, and algorithm commands to configure a key ID, a password, and an authentication algorithm for this keychain. Otherwise, OSPF authentication will fail.

Currently, only the HMAC-MD5, SM3, and HMAC-SHA256 algorithms can be used in OSPF.

-

keychain-name

Specifies the keychain name.

The value is a string of 1 to 47 case-insensitive characters, excluding the question mark (?) and spaces. However, when double quotation marks (") are used around the string, spaces are allowed in the string.

cost cost

Specifies the cost of the sham link.

The value of the cost is an integer that ranges from 1 to 65535. The default value is 1.

dead dead-interval

Specifies the dead interval.

This value must be equal to dead-interval of the switch that sets up a virtual link with the local switch, and must be at least four times that of hello-interval.

The value of the interval is an integer that ranges from 1 to 23592600, in seconds.

hello hello-interval

Specifies an interval for transmitting Hello packets on an interface.

This value must be equal to hello-interval of the switch that sets up a virtual link with the local switch.

The value is an integer that ranges from 1 to 65535, in seconds.

retransmit retransmit-interval

Specifies an interval for retransmitting the LSA packets on an interface.

The value is an integer that ranges from 1 to 3600, in seconds.

trans-delay trans-delay-interval

Specifies the delay in transmitting LSA packets on an interface.

The value is an integer that ranges from 1 to 3600, in seconds.

Views

OSPF area view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The sham-link command can be used only in VPN scenarios.

This command can create a sham link to allow VPN traffic to be preferentially forwarded through routes within the backbone area. This prevents traffic from the same VPN in the same OSPF area from being forwarded through intra-area OSPF routes.

To enable neighbors of a sham link to set up adjacencies quickly, configure the smart-discover parameter so that Hello packets are sent actively and immediately.

Configuration Impact

After a sham link is configured between two PEs, the sham link is treated as an intra-area OSPF route. This configuration enables a route passing through an MPLS VPN backbone network to become an intra-area OSPF route, preventing VPN traffic from being transmitted through this route. A 32-bit loopback interface address is specified as the source and destination addresses of the sham link. The loopback interface must be bound to a VPN instance and advertised using BGP.

Precautions

The route to the endpoint address of a sham link cannot be advertised to the remote PE using an OSPF process in a private network. Otherwise, two routes to the endpoint address of the sham link exist on the remote PE: one learned from the OSPF process and the other learned using MP-BGP. Because OSPF routes have a higher priority than BGP routes, the remote PE selects the incorrect OSPF route. As a result, the sham link cannot be created.

Example

# Create a sham link with the source address 10.1.1.1 and destination address 10.2.2.2 in a VPN instance named huawei.

<HUAWEI> system-view
[HUAWEI] ospf 1 vpn-instance huawei
[HUAWEI-ospf-1] area 1
[HUAWEI-ospf-1-area-0.0.0.1] sham-link 10.1.1.1 10.2.2.2
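
An added example (not Huawei's code and not part of the original page): a Python check that parses sham-link lines as laid out in the Format section and flags the settings this page warns about, namely simple, md5, hmac-md5 and authentication-null modes, plain password storage, and a dead interval under four times the hello interval. The sample configuration and its passwords are constructed placeholders, and parse_sham_link and audit are names chosen for this example.

```python
WEAK = {"simple", "md5", "hmac-md5", "authentication-null"}  # flagged by the page
KEYED = {"simple", "md5", "hmac-md5", "hmac-sha256"}         # modes that take a password
NUMERIC = {"cost", "dead", "hello", "retransmit", "trans-delay"}
KEYWORDS = WEAK | KEYED | NUMERIC | {"keychain", "smart-discover"}

def parse_sham_link(line):  # returns None for lines that are not sham-link commands
    tok = line.split()
    if len(tok) < 3 or tok[0] != "sham-link":
        return None
    cfg, i = {"auth": None, "store": None}, 3
    while i < len(tok):
        t, i = tok[i], i + 1
        if t in KEYED:
            cfg["auth"] = t
            if t != "simple" and i < len(tok) and tok[i].isdigit():
                i += 1                                 # key-id
            if i < len(tok) and tok[i] in ("plain", "cipher"):
                cfg["store"], i = tok[i], i + 2        # keyword, then the password
            elif i < len(tok) and tok[i] not in KEYWORDS:
                cfg["store"], i = "cipher", i + 1      # bare password is cipher type
        elif t in ("authentication-null", "keychain"):
            cfg["auth"], i = t, i + (t == "keychain")  # skip keychain-name
        elif t in NUMERIC and i < len(tok) and tok[i].isdigit():
            cfg[t], i = int(tok[i]), i + 1
    return cfg

def audit(config_text):  # returns {line number: [findings]}
    report = {}
    for n, raw in enumerate(config_text.splitlines(), 1):
        cfg = parse_sham_link(raw)
        if cfg is None:
            continue
        found = []
        if cfg["auth"] in WEAK:
            found.append(cfg["auth"] + ": hmac-sha256 is recommended")
        if cfg["store"] == "plain":
            found.append("plain: password saved in plain text")
        if "dead" in cfg and "hello" in cfg and cfg["dead"] < 4 * cfg["hello"]:
            found.append("dead interval is less than 4 x hello interval")
        if found:
            report[n] = found
    return report

# Constructed sample lines; the passwords are placeholders, not real keys.
SAMPLE = """\
  sham-link 10.1.1.1 10.2.2.2 simple plain EXAMPLE1
  sham-link 10.1.1.1 10.3.3.3 md5 1 cipher PLACEHOLDER hello 10 dead 30
  sham-link 10.1.1.1 10.4.4.4 hmac-sha256 1 cipher PLACEHOLDER hello 10 dead 40
"""
```

Calling audit(SAMPLE) reports lines 1 and 2 and leaves the hmac-sha256 line unflagged. A keychain line is not judged here because the algorithm is set in the keychain, not on the sham-link line.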
Copyright © Huawei Technologies Co., Ltd.