Chapter 6: Advanced Features

Master advanced OSPF features including stub areas, virtual links, route filtering, authentication, and graceful restart.

Advanced Stub Areas

Stub areas are advanced OSPF features that reduce memory usage and improve performance by filtering external routing information while maintaining connectivity.

Stub Area Types Comparison

OSPF supports four types of stub areas, each with different filtering capabilities:

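| Area Type    | Type-1 LSA | Type-2 LSA | Type-3 LSA | Type-4 LSA | Type-5 LSA | Type-7 LSA |
|--------------|------------|------------|------------|------------|------------|------------|
| Normal Area  | ✅ Yes     | ✅ Yes     | ✅ Yes     | ✅ Yes     | ✅ Yes     | ❌ No      |
| Stub Area    | ✅ Yes     | ✅ Yes     | ✅ Yes     | ❌ No      | ❌ No      | ❌ No      |
| Totally Stub | ✅ Yes     | ✅ Yes     | ❌ No      | ❌ No      | ❌ No      | ❌ No      |
| NSSA Area    | ✅ Yes     | ✅ Yes     | ✅ Yes     | ❌ No      | ❌ No      | ✅ Yes     |
| Totally NSSA | ✅ Yes     | ✅ Yes     | ❌ No      | ❌ No      | ❌ No      | ✅ Yes     |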

Stub Area Requirements

Configuration Requirements
  • All routers in the area must be configured as stub
  • No ASBRs allowed within stub areas
  • No virtual links can traverse stub areas
  • Backbone area (Area 0) cannot be stub

Standard Stub Areas

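Standard stub areas block external LSAs (Type-5) and the Type-4 LSAs that locate ASBRs, but allow inter-area routes. The ABR advertises a default route into the area in their place, and area default-cost sets that route's cost: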

Stub Area Configuration

Cisco IOS - All Routers
# Configure stub area on all routers
router ospf 1
 area 2 stub
 network 192.168.2.0 0.0.0.255 area 2

# Internal router configuration
router ospf 1
 area 2 stub
 network 10.2.1.0 0.0.0.255 area 2

Cisco IOS - ABR Only
# ABR configuration with custom default cost
router ospf 1
 area 2 stub
 area 2 default-cost 50
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 2

NSSA (Not-So-Stubby Areas)

NSSA areas combine stub area benefits with the ability to import external routes:

NSSA Features
  • Type-7 LSAs: External routes within NSSA
  • LSA Translation: ABR converts Type-7 to Type-5
  • ASBR Support: Can contain redistribution points
  • Selective Blocking: Blocks Type-5 but allows Type-7

NSSA Configuration

Cisco IOS - NSSA Area
# Basic NSSA configuration
router ospf 1
 area 3 nssa
 network 192.168.3.0 0.0.0.255 area 3

# NSSA with default route injection
router ospf 1
 area 3 nssa default-information-originate
 area 3 nssa default-information-originate metric 100

Cisco IOS - ASBR in NSSA
# ASBR configuration in NSSA
router ospf 1
 area 3 nssa
 redistribute connected subnets
 network 192.168.3.0 0.0.0.255 area 3

# External routes become Type-7 LSAs

Route Filtering

Route filtering controls which routes are advertised into and out of OSPF areas, enabling efficient route summarization and reducing routing table size.

OSPF Route Filtering Overview

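Unlike distance-vector protocols, OSPF is a link-state protocol in which all routers within an area must hold identical LSDBs. Routes therefore cannot be filtered between routers inside an area, but OSPF still provides several mechanisms for route control at area boundaries (ABRs) and at redistribution points (ASBRs).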

Inter-Area Route Filtering

ABRs can filter Type-3 LSAs (inter-area routes) using area range commands and route filtering.

Area Range Filtering

Route Summarization
# Summarize networks from Area 1
router ospf 1
 area 1 range 192.168.0.0 255.255.252.0
 network 192.168.1.0 0.0.0.255 area 1
 network 192.168.2.0 0.0.0.255 area 1
 network 192.168.3.0 0.0.0.255 area 1

# Result: Single summary route 192.168.0.0/22
# advertised to other areas instead of /24s

Route Filtering (Not-Advertise)
# Filter specific networks from Area 1
router ospf 1
 area 1 range 192.168.10.0 255.255.255.0 not-advertise
 area 1 range 192.168.20.0 255.255.255.0 not-advertise
 network 192.168.10.0 0.0.0.255 area 1
 network 192.168.20.0 0.0.0.255 area 1

# Result: These networks not advertised to other areas

External Route Filtering

ASBRs can filter external routes during redistribution using route maps, distribute lists, and prefix lists.

Cisco IOS External Route Filtering

Route Map Filtering
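# Create route map for filtering
# Clauses are evaluated in sequence order and the first match wins,
# so the deny clause must come before the broader permit clause
route-map FILTER_EXTERNAL deny 10
 match ip address prefix-list DENIED_NETWORKS

route-map FILTER_EXTERNAL permit 20
 match ip address prefix-list ALLOWED_NETWORKS
 set metric 100
 set metric-type type-1
 set tag 100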

# Apply to redistribution
router ospf 1
 redistribute static subnets route-map FILTER_EXTERNAL

Prefix List Configuration
# Define prefix lists
ip prefix-list ALLOWED_NETWORKS seq 10 permit 10.0.0.0/8 le 24
ip prefix-list ALLOWED_NETWORKS seq 20 permit 172.16.0.0/12 le 24
ip prefix-list ALLOWED_NETWORKS seq 30 permit 192.168.0.0/16 le 24

ip prefix-list DENIED_NETWORKS seq 10 permit 192.168.100.0/24
ip prefix-list DENIED_NETWORKS seq 20 permit 0.0.0.0/0
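
The following Python sketch is an added example, not part of the original page. It models IOS prefix-list matching (exact length unless ge/le is given) and first-match route-map evaluation with the ALLOWED_NETWORKS and DENIED_NETWORKS entries above, and shows that 192.168.100.0/24 is only blocked when the deny clause is evaluated before the permit clause. The static routes are constructed sample values.

```python
import ipaddress

def prefix_list_permits(entries, route):
    """IOS prefix-list: first matching entry decides; no match is an implicit deny."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        base = ipaddress.ip_network(prefix)
        if not net.subnet_of(base):
            continue
        # Without ge/le the prefix length must match exactly.
        low = ge if ge is not None else base.prefixlen
        high = le if le is not None else (32 if ge is not None else base.prefixlen)
        if low <= net.prefixlen <= high:
            return action == "permit"
    return False

def route_map(clauses, route):
    """Clauses run in sequence order; the first clause whose match succeeds decides."""
    for seq, action, plist in sorted(clauses, key=lambda c: c[0]):
        if prefix_list_permits(plist, route):
            return f"{action} {seq}"
    return "implicit deny"

def redistributed(clauses, routes):
    """Routes that would be redistributed into OSPF through the route map."""
    return [r for r in routes if route_map(clauses, r).startswith("permit")]

# Prefix lists copied from the page: (action, prefix, ge, le)
ALLOWED = [("permit", "10.0.0.0/8", None, 24),
           ("permit", "172.16.0.0/12", None, 24),
           ("permit", "192.168.0.0/16", None, 24)]
DENIED = [("permit", "192.168.100.0/24", None, None),
          ("permit", "0.0.0.0/0", None, None)]

PERMIT_FIRST = [(10, "permit", ALLOWED), (20, "deny", DENIED)]
DENY_FIRST = [(10, "deny", DENIED), (20, "permit", ALLOWED)]

# Constructed sample static routes offered to redistribution
STATIC = ["10.1.0.0/16", "192.168.5.0/24", "192.168.100.0/24",
          "10.9.9.128/25", "0.0.0.0/0"]

if __name__ == "__main__":
    for name, clauses in (("permit first", PERMIT_FIRST), ("deny first", DENY_FIRST)):
        print(name)
        for r in STATIC:
            print(f"  {r:18} -> {route_map(clauses, r)}")
```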

Default Route Filtering

Cisco IOS Default Route
# Always advertise default route
router ospf 1
 default-information originate always

# Conditional default route
router ospf 1
 default-information originate route-map CHECK_DEFAULT

# Route map for conditional default
route-map CHECK_DEFAULT permit 10
 match ip address prefix-list DEFAULT_CHECK

ip prefix-list DEFAULT_CHECK permit 0.0.0.0/0

Juniper JunOS Default Route
# Always advertise default route
set protocols ospf export DEFAULT-ROUTE

# Define default route policy
set policy-options policy-statement DEFAULT-ROUTE term 1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement DEFAULT-ROUTE term 1 then accept

OSPF Authentication

OSPF authentication provides security by ensuring only authorized routers can participate in OSPF operations, preventing unauthorized access and routing attacks.

Authentication Overview

OSPF supports three types of authentication to secure routing updates and prevent unauthorized routers from injecting false routing information.

Authentication Types

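| Authentication Type        | Security Level | Performance Impact | Use Case            |
|----------------------------|----------------|--------------------|---------------------|
| None (Type 0)              | No Security    | Lowest             | Isolated networks   |
| Simple Password (Type 1)   | Low            | Low                | Basic protection    |
| MD5 Cryptographic (Type 2) | High           | Medium             | Production networks |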

MD5 Cryptographic Authentication

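Type 2 authentication appends an MD5 digest, computed over the packet and a shared secret key, to each OSPF packet. The key itself is never transmitted, unlike a Type 1 password, which is carried in the packet in clear text, so Type 2 provides much stronger security than simple passwords.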

MD5 Authentication Configuration

Cisco IOS - Area MD5
# Configure area-wide MD5 authentication
router ospf 1
 area 0 authentication message-digest
 network 192.168.1.0 0.0.0.255 area 0

# Configure interface with MD5 key
interface GigabitEthernet0/0
 ip ospf message-digest-key 1 md5 SecretKey123

Cisco IOS - Interface MD5
# Configure per-interface MD5 authentication
interface GigabitEthernet0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 SecretKey123

# OSPF process configuration
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0

Key Management

MD5 authentication supports multiple keys for seamless key rollover without network disruption.

Multiple Key Configuration

Cisco IOS - Key Rollover
# Initial configuration with key 1
interface GigabitEthernet0/0
 ip ospf message-digest-key 1 md5 OldKey123

# Add new key during rollover
interface GigabitEthernet0/0
 ip ospf message-digest-key 1 md5 OldKey123
 ip ospf message-digest-key 2 md5 NewKey456

# Remove old key after propagation
interface GigabitEthernet0/0
 no ip ospf message-digest-key 1 md5 OldKey123
 ip ospf message-digest-key 2 md5 NewKey456
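
The following Python sketch is an added example, not part of the original page. It covers both the MD5 digest described under "MD5 Cryptographic Authentication" and the key rollover above: it builds an OSPFv2 header with AuType 2 as laid out in RFC 2328 Appendix D, appends the digest, and runs the receiver's Key ID, sequence-number and digest checks. The packet body, router ID and sequence numbers are constructed; the key strings are the ones from the page.

```python
import hashlib, hmac, ipaddress, struct

def pad_key(secret: str) -> bytes:
    """RFC 2328 App. D: the secret is a 16-byte field, zero-padded on the right."""
    return secret.encode()[:16].ljust(16, b"\x00")

def sign(body: bytes, router_id: str, area_id: str, key_id: int, secret: str, seq: int) -> bytes:
    """Build an OSPFv2 packet (type 1, Hello) with AuType 2 and append the digest."""
    header = struct.pack("!BBH4s4sHHHBBI", 2, 1, 24 + len(body),
                         ipaddress.ip_address(router_id).packed,
                         ipaddress.ip_address(area_id).packed,
                         0,               # checksum is not computed with AuType 2
                         2,               # AuType 2 = cryptographic
                         0, key_id, 16,   # reserved, Key ID, digest length
                         seq)             # cryptographic sequence number
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(secret)).digest()

def verify(packet: bytes, keys: dict, last_seq: int) -> str:
    """Receiver checks; keys maps Key ID -> secret, last_seq is the last value accepted."""
    if len(packet) < 40:
        return "too short"
    (length,) = struct.unpack_from("!H", packet, 2)
    autype, _, key_id, digest_len, seq = struct.unpack_from("!HHBBI", packet, 14)
    if autype != 2 or digest_len != 16 or len(packet) != length + 16:
        return "not MD5 cryptographic auth"
    if key_id not in keys:
        return "unknown key id"
    if seq < last_seq:  # RFC 2328 requires a non-decreasing sequence number
        return "stale sequence number"
    expected = hashlib.md5(packet[:length] + pad_key(keys[key_id])).digest()
    return "ok" if hmac.compare_digest(expected, packet[length:]) else "digest mismatch"

# Constructed demo values: placeholder body bytes, router ID and sequence numbers.
BODY = bytes(20)
PKT = sign(BODY, "192.168.1.1", "0.0.0.0", 2, "NewKey456", seq=1001)

def demo() -> dict:
    tampered = PKT[:30] + b"\xff" + PKT[31:]
    return {
        "mid-rollover neighbor": verify(PKT, {1: "OldKey123", 2: "NewKey456"}, 1000),
        "neighbor without key 2": verify(PKT, {1: "OldKey123"}, 1000),
        "wrong secret for key 2": verify(PKT, {2: "OldKey123"}, 1000),
        "body modified in transit": verify(tampered, {2: "NewKey456"}, 1000),
        "replayed old packet": verify(PKT, {2: "NewKey456"}, 1002),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The digest is a plain MD5 over the packet followed by the key rather than an HMAC; RFC 5709 defines HMAC-SHA authentication for OSPFv2 that reuses the same Key ID and sequence-number fields.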

OSPF Graceful Restart

OSPF Graceful Restart enables a router to maintain forwarding during control plane restarts, minimizing network disruption and improving convergence times.

Graceful Restart Overview

Graceful Restart is a mechanism that allows OSPF routers to continue forwarding traffic while the routing protocol recovers from a control plane restart, supervisory switchover, or software upgrade.

Key Benefits

Network Stability
  • Minimal Disruption: Reduces packet loss during restarts
  • Faster Recovery: Accelerated convergence after restart
  • Improved Availability: Higher network uptime
  • Seamless Upgrades: Non-disruptive software updates

Operational Benefits
  • Planned Maintenance: Scheduled restarts with minimal impact
  • Hardware Redundancy: Support for redundant control planes
  • Service Continuity: Maintained data forwarding
  • Reduced Reconvergence: Shorter SPF calculation times

Graceful Restart Configuration

Configure graceful restart on both the restarting router and its neighbors for optimal operation.

Cisco IOS Graceful Restart

Basic Graceful Restart
# Enable graceful restart
router ospf 1
 nsf
 nsf ietf

# Configure grace period (default 120 seconds)
router ospf 1
 nsf ietf restart-interval 180

# Configure helper mode
router ospf 1
 nsf ietf helper
 nsf ietf helper strict-lsa-checking

Juniper JunOS
# Enable graceful restart
set protocols ospf graceful-restart
set protocols ospf graceful-restart restart-duration 180
set protocols ospf graceful-restart notify-duration 30

# Configure helper mode
set protocols ospf graceful-restart helper-mode
set protocols ospf graceful-restart helper-mode strict-lsa-checking

Graceful Restart Verification

Status and Monitoring Commands
# Show NSF status
Router# show ip ospf nsf
 Non-Stop Forwarding is enabled
 Restart IP Address: 192.168.1.1
 Restart Instance: 1
 Time until next restart: 00:02:30
 Helper mode is enabled
 Helper mode strict LSA checking is enabled

# Show statistics
Router# show ip ospf statistics
 SPF calculation has been run 5 times
 NSF restart successful: 3
 NSF restart failed: 0
 NSF helper mode entered: 12