The sham-link command configures an OSPF sham link.
The undo sham-link command deletes an OSPF sham link or restores the default setting.
By default, no OSPF sham links are configured.
sham-link source-ip-address destination-ip-address [ smart-discover | cost cost-interval | dead dead-interval | hello hello-interval | retransmit retransmit-interval | trans-delay trans-delay-interval | [ simple [ plain SPlainText | cipher SCipherText | SCipherText ] | { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain MPlainText | cipher MCipherText | MCipherText } ] | authentication-null | keychain keychain-name ] ] *
undo sham-link source-ip-address destination-ip-address { smart-discover | simple | md5 | hmac-md5 | hmac-sha256 | cost | dead | hello | retransmit | trans-delay | authentication-null | keychain } *
undo sham-link source-ip-address destination-ip-address
Parameter | Description | Value |
---|---|---|
source-ip-address | Specifies a source IP address. | The value is in dotted decimal notation. |
destination-ip-address | Specifies a destination IP address. | The value is in dotted decimal notation. |
smart-discover | Enables the device to proactively send Hello packets. | - |
cost cost-interval | Specifies a cost for the sham link. | The value is an integer ranging from 1 to 65535, and the default value is 1. |
dead dead-interval | Specifies the dead interval. The value must be the same as that configured for the router on the other end of the sham link and must be at least four times hello-interval. | The value is an integer ranging from 1 to 235926000, in seconds. The default value is 40. |
hello hello-interval | Specifies the interval at which Hello packets are sent. The value must be the same as that configured for the router on the other end of the sham link. | The value is an integer ranging from 1 to 65535, in seconds. The default value is 10. |
retransmit retransmit-interval | Specifies the interval at which LSAs are retransmitted. | The value is an integer ranging from 1 to 3600, in seconds. The default value is 5. |
trans-delay trans-delay-interval | Specifies the delay in sending LSAs. | The value is an integer ranging from 1 to 3600, in seconds. The default value is 1. |
simple | Sets the simple authentication mode. | - |
plain | Sets the cleartext type. If this parameter is specified, only a cleartext password can be entered, and the password is displayed in cleartext in the configuration file. Configuring the ciphertext mode is recommended because cleartext passwords are stored in cleartext in the configuration file, which poses high security risks. For security purposes, change passwords at regular intervals. | - |
SPlainText | Specifies a cleartext. | The value is a string of The value cannot contain question marks (?) and spaces. However, when double quotation marks are used around the password, spaces are allowed in the password. In this case, the double quotation marks are used as a part of the password. |
cipher | Sets the ciphertext type. You can enter either a cleartext or ciphertext password, but the password is displayed in ciphertext in the configuration file. | - |
SCipherText | Specifies a ciphertext. | The value is a string of The value cannot contain question marks (?) and spaces. However, when double quotation marks are used around the password, spaces are allowed in the password. In this case, the double quotation marks are used as a part of the password. |
md5 | Sets the MD5 authentication mode. By default, cipher takes effect for the md5 authentication mode. Configuring HMAC-SHA256 rather than MD5 is recommended for the sake of security. | - |
hmac-md5 | Sets the HMAC-MD5 authentication mode. By default, cipher takes effect for the hmac-md5 authentication mode. Configuring HMAC-SHA256 rather than HMAC-MD5 is recommended for the sake of security. | - |
hmac-sha256 | Sets the HMAC-SHA256 authentication mode. Configuring HMAC-SHA256 rather than HMAC-MD5 is recommended for the sake of security. | - |
key-id | Specifies a key ID for ciphertext authentication. The key ID must be the same as that on the remote end. | The value is an integer ranging from 1 to 255. |
MPlainText | Specifies a cleartext password. | The value is a string of characters. Question marks (?) and spaces are not supported in the string. However, the string can contain spaces if it is enclosed in double quotation marks (" "). |
MCipherText | Specifies a ciphertext password. | The value is a string of characters. Question marks (?) and spaces are not supported in the string. However, the string can contain spaces if it is enclosed in double quotation marks (" "). |
authentication-null | Sets the null authentication mode. | - |
keychain | Sets the keychain authentication mode. Before you configure keychain authentication, run the keychain command to configure a keychain, the key-id command to configure a key ID, the key-string command to configure a password, and the algorithm command to configure an algorithm. Otherwise, OSPF authentication fails. | - |
keychain-name | Specifies a keychain name. | The value is a string of 1 to 47 case-insensitive characters. Question marks (?) and spaces are not supported. However, the string can contain spaces if it is enclosed in double quotation marks (" "). |
Usage Scenario
The command applies only to VPN scenarios.
Generally, BGP peers use BGP extended community attributes to carry routing information over the BGP/MPLS IP VPN backbone network. PEs can use the routing information to exchange inter-area routes between PEs and CEs through OSPF.
OSPF sham links are unnumbered P2P links between two PEs over an MPLS VPN backbone network. The source and destination IP addresses of each sham link are loopback interface IP addresses with a 32-bit mask. The loopback interfaces must be bound to a VPN instance, and routes of the two IP addresses are advertised through BGP.
On the BGP/MPLS IP VPN backbone network, if an intra-area OSPF link exists between the network segment where the local CE resides and the network segment where the remote CE resides, the route over this intra-area OSPF link is an intra-area route and has a higher priority than the inter-area route over the BGP/MPLS IP VPN backbone network. In this case, VPN traffic is always forwarded through this intra-area route. To prevent this problem, you can set up an OSPF sham link between the PEs so that the route over the MPLS IP VPN backbone network becomes an OSPF intra-area route and is preferentially selected.
Precautions
When configuring a sham link, ensure that routes of the sham link's endpoint IP addresses are not exchanged by PEs through the VPN OSPF process. If routes of the sham link's endpoint IP addresses are exchanged by PEs through the VPN OSPF process, each PE has two routes to the other endpoint of the sham link. One of the routes is learned through the VPN OSPF process, and the other is learned through the MP-BGP connection. Because the OSPF route has a higher priority than the BGP route, the OSPF route is selected, causing a sham link establishment failure.
```
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance huawei
[*HUAWEI-vpn-instance-huawei] ipv4-family
[*HUAWEI-vpn-instance-huawei-af-ipv4] quit
[*HUAWEI-vpn-instance-huawei] quit
[~HUAWEI] ospf 100 vpn-instance huawei
[*HUAWEI-ospf-100] area 1
[*HUAWEI-ospf-100-area-0.0.0.1] sham-link 1.1.1.1 2.2.2.2
```
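An added example, not part of the original page or of any Huawei tooling: a Python audit of the sham-link lines in a saved configuration that flags the settings the parameter table warns about (cleartext passwords, MD5 and HMAC-MD5, a dead interval under four times the hello interval). Treating simple and authentication-null as weak, flagging a link with no authentication option, and the sample configuration are assumptions of this example.

```python
import re

WEAK = {"simple", "md5", "hmac-md5", "authentication-null"}
AUTH = WEAK | {"hmac-sha256", "keychain"}
VALUED = {"cost", "dead", "hello", "retransmit", "trans-delay"}
DEFAULTS = {"hello": 10, "dead": 40, "mode": None, "plain": False}  # table defaults

# Constructed sample; addresses, key strings and keychain name are placeholders.
SAMPLE_CONFIG = """\
  sham-link 1.1.1.1 2.2.2.2
  sham-link 1.1.1.1 3.3.3.3 md5 1 cipher EXAMPLE-CIPHERTEXT
  sham-link 1.1.1.1 4.4.4.4 simple plain "EXAMPLE PASSWORD"
  sham-link 1.1.1.1 5.5.5.5 hello 10 dead 30
  sham-link 1.1.1.1 5.5.5.5 hmac-sha256 1 cipher EXAMPLE-CIPHERTEXT
  sham-link 1.1.1.1 6.6.6.6 keychain example-chain dead 40
"""

def audit_sham_links(config_text):
    """Return {(source, destination): [finding, ...]} for each sham link."""
    links = {}
    for line in config_text.splitlines():
        tok = re.findall(r'"[^"]*"|\S+', line)  # a quoted password stays one token
        if len(tok) < 3 or tok[0] != "sham-link":
            continue
        st = links.setdefault((tok[1], tok[2]), dict(DEFAULTS))  # merge repeated lines
        opts, i = tok[3:], 0
        while i < len(opts):
            word = opts[i]
            i += 1
            if word in VALUED and i < len(opts) and opts[i].isdigit():
                if word in ("hello", "dead"):
                    st[word] = int(opts[i])
                i += 1
            elif word in AUTH:
                st["mode"], st["plain"] = word, False
            elif word in ("plain", "cipher"):
                st["plain"] = word == "plain"
                i += 1  # skip the password token so it is never read as a keyword
    report = {}
    for link, st in links.items():
        checks = [(st["mode"] is None, "no authentication option"),
                  (st["mode"] in WEAK, f"weak mode {st['mode']}"),
                  (st["plain"], "plaintext password"),
                  (st["dead"] < 4 * st["hello"], "dead < 4 x hello")]
        report[link] = [msg for hit, msg in checks if hit]
    return report

if __name__ == "__main__":
    for link, found in audit_sham_links(SAMPLE_CONFIG).items():
        print(*link, "->", ", ".join(found) or "ok")
```

The check sees only one end of the link, so the requirement that hello, dead and key-id match the remote PE still has to be compared against the peer's configuration.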