OSPF

Routing Protocol
Theory and Practice
LIST OF CONTENTS

A Brief Introduction to OSPF

OSPF States
How LSDB, SPF-Tree and OSPF Routing Table are formed
OSPF Lab
OSPF Router Type
LSA type
OSPF Network Broadcast and Point-to-point type
OSPF Metric type and Redistribution
OSPF Area types
OSPF Route Summarization
OSPF Authentication
OSPF Virtual Link

Note : The material in this book is compiled from the advanced IP routing course series organized by
Komunitas Indonetworkers and led by Mr. M. Aditya Hananto as a trainer.

You can find the Indonesian language course series here:

https://www.youtube.com/watch?v=85WOPLCudZk&list=PLkiWVEWnNVJ8AzGvR5dudpTjewslVpPrE
OSPF is categorized as one of the the link state routing protocol.

In a link state routing protocol, a router knows the overall condition of the link. When a router has
neighbor, the router knows what is behind it.

If router A has router B as its neighbor, router A knows that there are router C and D behind its
neighbor. So in this link state routing protocol, it knows the topology, its like looking at a map. If we
look at a map of a city, we could know what city is next to it, and then what city is next to it, and so
on. This is different from the distance vector routing protocol, it only knows its neighbors, and it
doesn’t know in detail what is behind its neighbor.

The following are several concepts and terms in OSPF routing protocol which will be explained
further:
Area ID : 0 - 4,2 M (32 bit)
Router Types : Backbone Router (BBR)
Area Border Router (ABR)
Internal Router (IR)
Autonomous System Boundary Router (ASBR)

OSPF packet : Hello

Database Description (DBD)
Link State Request (LSR)
Link State Update (LSU)
Link State Acknowledgement (LSAck)

OSPF state : Down

Init
2-Way
Exstart
Exchange
Loading
Full

LSA Types : Router LSA

Network LSA
Summary LSA
ASBR Summary LSA
External LSA
NSSA External LSA
OSPF States

OSPF State Explanation

Down When routers A and B have never sent and received hello packets

Init When routers A and B have sent hello packets

2-Way When routers A and B have received each other's Hello packets.
After the 2-way state process, each router will record the Hello packet
information received in the adjacency database or neighbor table. B records
that its neighbor is A, likewise A will record that its neighbor is B.

Exstart Choose who will be the master with the greatest Router ID. The first selection is
based on the loopback interface, if there is no loopback, the physical interface
that has the largest IP will be selected.

Exchange The router that is selected as master will send a DBD containing a brief
description of the LSA it has, in this case router A and router B will also respond
by sending a DBD to router A. This DBD exchange process is called Exchange
state.
Loading After receiving a DBD from its neighbors, each router will request the complete
contents of the LSA that own by its neighbors except the LSA that the router
already owned. In this case, router A will send a Link State Request (LSR) to
router B which only contains the LSA request of routers B and E because router
A has already received an updated LSA of router C. Likewise, router B will only
send an LSR to router A which contains LSA request from routers A and D. After
both routers receive the LSA request from their neighbor router, each router
will exchange Link State Updates (LSU) which is the contents of the LSA
requested by its neighbor, and after the router receives the LSU from its
neighbor, then this LSU will be recorded in the Link State Database (LSDB). LSDB
is what is usually called a topology table.

Full When both routers have received LSU updates from their neighbors, the routers
will send a Link State Acknowledgment (LSAck).
When a router receives an LSA, the LSA will be inserted into the LSDB, and the
LSDB will be converted into an SPF-Tree.

In the topology above, router A and its neighbors send and receive hello to each other. After router A
receives hello, router A will fill in the database adjacency table.
Adjcacency Database A
B
C
D

Next, each router will generate an LSA. Unlike a hello packet which is only sent to its neighbor, router
B and C that receives an LSA from router A will forward LSA A again to another neighbor. For example,
router A gives LSA to B and C, then routers B and C will forward LSA A to router D. The LSA received
will be used to form the LSDB.
The contents of LSA are simply who are the neighbors of the router that is sending the LSA, and how
many networks attached to it. If you look at router A in the topology above, router A will have LSA A,
B, C and D. From this LSDB, an SPF-Tree will be formed.
The following is an illustration and explanation

In constructing the SPF Tree, if we look at from router A's perspective, router A will be at the top.
Then each LSA owned by router A will be checked. The first is your own LSA. Remember that LSA
contains a list of neighbors and which networks are connected directly. When router A checks LSA A,
it will be seen that its neighbors are routers B, C and D and router A has 1 stub network.

Then router A will check LSA B, which informs that B has neighbors A, C and has 1 stub network.

Then router A checks LSA C and gets information that C is connected to A, B, D and has 1 stub network.

Likewise, the LSA of D will be checked and it will be known that D is connected to A and C and has 1
stub network. The arrangement of the SPF-Tree depends on whose SPF-Tree we are looking at. If we
look at router C's SPF-Tree, then router C is at the top.
After the SPF-Tree is formed, the next process is to construct the routing table.
Routing Table A
Connected 10.1.1.0
OSPF 10.2.2.0 via B M=20
OSPF 10.3.3.0 via C M=20
OSPF 10.4.4.0 via D M=20

Note: assuming all links have the same interface bandwidth of 10 Mbps, then the cost = reference
bandwidth/interface bandwidth = 100Mbps/10Mbps=10. (Default reference bandwidth value is 100).
If router A wants to go to 10.2.2.0 that is connected behind router B, it need to pass 2 links with a cost
of 10+10, so the metric recorded in the routing table is 20.

OSPF LAB using cisco vIOS on eve-ng.

Initial configuration

(R1)
conf t
router OSPF 1
router-id 172.16.1.1
network 10.1.1.0 0.0.0.7 area 12
network 10.1.2.0 0.0.0.7 area 12
network 172.16.1.1 0.0.0.0 area 12
network 192.168.0.0 0.0.3.255 area 12
passive-interface g0/1
end
___________________________________
(R2)
conf t
router OSPF 2
router-id 172.16.2.2
network 10.1.2.0 0.0.0.7 area 0
network 10.2.3.0 0.0.0.7 area 0
network 10.2.4.0 0.0.0.7 area 0
network 172.16.2.2 0.0.0.0 area 0
end
___________________________________
(R3)
conf t
router OSPF 3
router-id 172.16.3.3
network 10.1.2.0 0.0.0.7 area 0
network 10.2.3.0 0.0.0.7 area 0
network 10.2.4.0 0.0.0.7 area 0
network 172.16.3.3 0.0.0.0 area 0
end
___________________________________
(R4)
conf t
router OSPF 4
router-id 172.16.4.4
network 10.4.5.0 0.0.0.7 area 0
network 10.3.4.0 0.0.0.7 area 0
network 10.2.4.0 0.0.0.7 area 0
network 172.16.4.4 0.0.0.0 area 0
end
___________________________________
(R5)
conf t
router OSPF 5
router-id 172.16.5.5
network 10.3.5.0 0.0.0.7 area 0
network 10.4.5.0 0.0.0.7 area 0
network 10.5.6.0 0.0.0.7 area 56
network 172.16.5.5 0.0.0.0 area 0
end
___________________________________
(R6)
conf t
router OSPF 6
router-id 172.16.6.6
network 10.5.6.0 0.0.0.7 area 56
network 10.6.6.0 0.0.0.7 area 56
network 172.16.6.6 0.0.0.0 area 56
passive-interface g0/1
end

Troubleshoot command

-sh ip protocol
-sh ip ospf
-sh ip ospfF interface
-sh ip ospf neighbor
-sh ip ospf database
-sh ip route ospf

Command explanation.
(R1)
router ospf 1 #number 1 here is OSPF Process id. One router can have more than 1 OSPF Process ID.
router-id 172.16.1.1 #Router ID functions as the router identity. In order to make troubleshooting
easier, the router-ID is configured the same as the loopback IP address.
network 10.1.1.0 0.0.0.7 area 12 #Enter the network that will be advertised into OSPF by entering the
network address followed by the wildcard mask. After that, specify which area the router is in.
network 10.1.2.0 0.0.0.7 area 12
network 172.16.1.1 0.0.0.0 area 12
network 192.168.0.0 0.0.3.255 area 12
passive-interface g0/1 #passive-interface as the name suggests, this interface does not send and
receive OSPF packets, this command is practically applied to the interface to the local area network.
end

LSA type 1 Router LSA

LSA
Type Name Origin Scope Content
1 Router LSA All routers 1 area Neighbor, Network

This router LSA is created or generated by all routers. And this LSA is only distributed within the same
area. So all routers in the same area will get LSA type 1 from other routers in that area. If we refer to
the lab topology, for example we are in area 12, then LSA type 1 on area 12, will only be distributed in
area 12, and will not cross to area 0 or area 56.
And the contents of LSA type 1 are who the neighbors are and how many networks are on the router.

We will check LSA type 1 on router 1

The red box in the image shows LSA type 1, that is the router LSA. It shows that R1 has its own LSA
type 1 (we can see from ADV Router column, there is 172.16.1.1 which is loopback ip address of R1)
and it also shows that R1 receive LSA type 1 from R2 (which can be indicated from loopback ip
address belonging to R2 172.16.2.2. So LSA type 1 will only be sent to other routers within the same
area.

We can see the contents of LSA type 1 with the following command

#show ip OSPF database router adv-router 172.16.1.1

Take a look at LSDB/ LSA Name Who advertised it.

Topology table

As can be seen from the capture above, the router LSA advertised by R1 (172.16.1.1) informs that R1
has 2 stub networks, the network of loopback IP 172.16.1.1, the network which is connected to the
LAN 10.1.1.0 , and then its neighbor which is represent as a transit network, that is the DR router with
IP 10.1.2.2 (Link ID) via IP 10.1.2.1 (Link Data).

LSA type 2 Network LSA

LSA
Type Name Origin Scope Content
2 Network LSA DR 1 area attached router

Before looking at the contents of LSA type 2, we will discuss network types that involve DR.
OSPF network types:
1 Broadcast, this type is the default on Ethernet links.

For example, if we have several routers that are connected to each other with layer 2 segments, the 5
routers above will not become neighbor to each other, but among the 5 routers will be choosed who
will be the Designated Router (DR). DR will represent one router cluster. DR has a backup called
Backup Designated Router (BDR). Routers other than DR and BDR are called DR Other. DR Other is a
neighbor of DR and BDR (full adjacency only with DR and BDR, routers between DR Other do not
establish neighborship and the state is 2-way). This multicast IP 224.0.0.6 is reserved for DR. When a
router wants to send an LSA, it is addressed to 224.0.0.6 (to DR), and by DR it will be forwarded to
another router using the multicast address 224.0.0.5 (to OSPF). The purpose of DR is to save
adjacency, so a router does not need to have adjacency with many other routers, no matter how
many routers there are in the segment, the router only needs to establish full adjacency with DR and
BDR.
The hello timer has a default value of 10 s, and the dead timer is 40 s. The hello timer and dead time
must be the same between neighbors.
Let's look at the lab

From the command in the capture above we can see that R2 has 3 neighbors, neighbor 172.16.1.1 has
full adjacency and its state is BDR, while neighbors 172.16.3.3 and 172.16.4.4 have its state as DR.

R2 knows that R1 is the BDR of R2, if we look at R1, then R2 is the DR of R1. if we want to get more
detail information about DR/BDR we can use the command below.
When we send the show ip ospf interface command as captured above, we will see who the DR and
BDR are.

Let's look at the DR and BDR selection process by running debug.

We try to shutdown the link from R1 to R2.

After we shutdown, we no longer shutdown, and look at the debug results.

we can see that after the 2-way state process, DR/BDR selection will be carried out. and here you can
see that from the R1 perspective, the DR is R2 172.16.2.2 and the BDR is R1 172.16.1.1
How to determine who becomes DR/BDR?
DR selection is selected based on:
1 Higher OSPF Priority
2 Higher OSPF RID
OSPF priority can be seen in show ip ospf interface.

From here, besides being able to see that R1's state is BDR, and its Priority is 1, we can also see other
parameters that we studied previously such as Cost, Hello timer, and Deadtimer. The default priority
value is 1, so when the values are the same, what is compared is the router ID value.
We return to LSA type 2, namely Network LSA, this network LSA is generated by the DR and contains
other routers attached to the DR.
When we type the show ip ospf database command, we will see the LSA packets received by a router.
In the picture above, we know that on router R1 there is LSA type 2, Network LSA (Net Link States)
which is generated by R1's DR, 172.16.2.2. For every 1 Ethernet segment there is only 1 DR, because
R1 is only connected to R2, then on R1 there is only 1 DR.

To view the contents of LSA type 2 we can type the following command

show ip OSPF database network adv-router 172.16.2.2 ( R1 wants to see the LSA type 2 that is
generated byR2 )

In the capture above we can see the contents of the Network LSA from R2 in the form of the physical
IP of the DR, who is advertising the LSA, what the network mask is on the link and who is attached to
the router that is sending the LSA.
When we use OSPF with an ethernet link, the OSPF network type will by default use the broadcast
type and of course this will involve a DR and BDR selection process before the adjacency is formed.
For best practice, if our network is only point to point, like the lab topology we have, then DR and BDR
selection should not be necessary, because it will speed up the process of adjacency formation. DR
BDR is only needed when there are many routers in one Ethernet segment. When there is no DR BDR
selection, the multicast address to send hello, LSR, LSU, LSAck is only 224.0.0.5, all OSPF packets use
this 1 multicast address.
Here's how to change the default network type from broadcast to point-to-point

On router R1

On router R2

Let's take a look at the OSPF state changes when we define the network type point-to-point
It turns out that after the 2 way state there is no longer a DR BDR selection process, and the Database
Description (DBD) is directly exchanged, so that the adjacency is formed more quickly.

Let's look at LSA type 2 on router R2. Router R2 is in area 0 and in area 0 there are 5 ethernet link
segments. In the default network type, namely broadcast type, each ethernet link must have 1 DR,
then R2 will receive 5 LSA type 2 from the 5 DR in area 0.

In the lab topology, Area 0 has 5 Ethernet link

segments.

Capture LSA type 2 above shows R2 receiving 5 LSA type 2 from DR which is in area 0. Link ID is the IP
interface of DR and ADV Router is the RID router from DR.

Segment Network address Link ID DR

R2-R3 10.2.3.0/29 10.2.3.3 R3
R2-R4 10.2.4.0/29 10.2.4.4 R4
R3-R4 10.3.4.0/29 10.3.4.4 R3
R3-R5 10.3.5.0/29 10.3.5.5 R3
R4-R5 10.4.5.0/29 10.4.5.5 R5

On router R1 which has been set as a point-to-point network to R2, it will no longer receive LSA type 2,
because LSA type 2 is only generated by DR in one area. Meanwhile, between R1 and R2 the network
type is point-to-point so that DR BDR selection is no longer carried out. Apart from making the
adjacency formation process faster, changing the network type from broadcast to point-to-point also
saves the link state database, because it eliminates 1 LSA. And in this lab topology, network type
changes can be made on all routers.

LSA type 3 Summay LSA

LSA
Type Name Origin Scope Content
3 Summary LSA ABR Other area Network/prefix

This Summary LSA is advertised by Area Border Routers, this ABR generates LSA type 3 to be
forwarded to other routers, and its contents are network or area prefix.
ABR or Area Border Router is a router that connects to area 0 and other areas.
If we refer to the lab topology that we have, the ABR is R2 and R5.
Let's have a look at router R2.

Router R2 is connected to 2 areas, area 12 and area 0. In area 12, there is LSA type 1 and LSA type 2
(optional), but because the link between R1 and R2 has changed into network type to point-to-point,
then LSA type 2 no longer exists because DR BDR selection is no longer carried out. All information in
area 12 is summarized into LSA type 3 and forwarded to area 0, and vice versa, all information from
the right, LSA type 1, LSA type 2 (optional), and LSA type 3 from area 56, all of this summarized into 1
LSA type 3 and forwarded to area 12. Likewise with R5 which becomes the ABR for area 0 and area 56.
Now let's look at the point of view of R1. R1 will receive LSA type 3 from R2. we can check the LSA
type 3 received by R1 with the command #show ip ospf database.
As we mentioned earlier, the name is Summary LSA, and the one advertising it is the ABR, namely R2.
we can see the contents of LSA 3 by sending the command
#show ip ospf database summary adv-router 172.16.2.2
If we check the LSA summary table in R2, we can see that there are 2 ABRs, those are R2 which
advertises network 10.1.1.0 (LAN area 0), 10.1.2.0 (area 12), loopback ip R1 and R5 which advertises
network 10.5.6.0 and 10.6 .6.0 (LAN area 56), as well as loopback ip R6.

Before we get to know LSA type 4 and 5, lets we get to know about OSPF router type.

Internal router: router in 1 area outside area 0.

Backbone router: router in area 0.
Area Border Router: Routers in 2 areas, area 0 and another area.
And to find out about LSA type 4, there is 1 more area, namely the Autonomous System Boundary
Router (ASBR).
Autonomous System Boundary Router (ASBR): A router that advertises non-OSPF networks from
outside (redistribution).

So ASBR is a router that connects to external network. R1 and R2 connections use OSPF, while
external connections use non-OSPF (can be BGP, connected, static and so on). this is what is called
ASBR. Its job is to redistribute non-OSPF to OSPF networks. In the lab, we simulate as if we have an
external network behind R1 192.168.x.x which is directly connected but not registered with OSPF via
the command #network <network address > <wildcard mask> area <area-id>. We will try to register
this network with the redistribute command to OSPF. So the characteristic of ASBR is that it
redistributes from one protocol to another protocol.
Here we simulate that we have an external network 192.168.0.0/22 which is connected to R1.

Network 192.168.0.0 wants to be injected into OSPF. We can do this with the command #redistribute
connected subnet, meaning we will redistribute the connected network and all its subnets (not the
major network).

Now we check on R2, whether network 192.168.0.0 has appeared in the routing table.
After redistributing, 192.168.0.0 appears on R2 with the E2 flag which by default is a characteristic of
a redistributed network. We compare it with the R6 routing table at the very end.

There is a network 192.168.0.0 obtained from external OSPF which is marked with E2 and it turns out
that the metrics recorded on R2 and R6 for this network are both 20.
From R2 to R6 the metric value remains 20 and does not change.

LSA type 4 ASBR Summary LSA

LSA
Type Name Origin Scope Content
4 ASBR Summary LSA ABR Other area RID ASBR

LSA type 4 is called ASBR Summary, and its origin is ABR (ABR which has ASBR). in our current lab
topology, R1 is ASBR, and R1 is in area 12, and the ABR of R1 is R2.
R2 is what generates LSA type 4. Notifying other areas, that R2 has an ASBR, namely R1. Let's check in
R3 whether there really is LSA type 4.

From here we can see that there is type 4 LSA, namely Summary ASBR LSA which is advertised by R2
(172.16.2.2) and its contents informed that there is an ASBR which has RID 172.16.1.1 in area 12 ,
namely R1.
Let's check it in detail.

We can see that detailed information from LSA type 4 is advertised by R2 (because R2 is ABR of R1).
This LSA tells R3 that there is ASBR with router ID 172.16.1.1 and it advertised by R2 172.16.2.2. This
metric is measured from R2 to R1.

LSA type 5 External LSA.

LSA
Type Name Origin Scope Content
5 External LSA ASBR Semua area external/ redistributed network

LSA type 5 is generated by ASBR (in this lab topology, namely R1) and will be forwarded to all areas.
The contents of LSA type 5 are external or redistributed networks. Let's check in R3.

We can see that R3 receives LSA type 5 advertised by R1 and its contents are networks that have been
redistributed.
When we look at the details, LSA type 5 contains network addresses originating from outside OSPF
(redistributed), then advertised by R1 (ASBR), the router is configure with metric type E2 and a metric
value of 20. Currently, we have studied 5 types of LSA. If we understand the LSA types, this will make
it easier for us to troubleshoot, because we know what the function is from type 1 to type 5. Types 4
and 5 will appear if there is ASBR. The characteristic is that the redistribution was taking place. Then
type 2 will appear if there is DR. If the network is point-to-point, then type 2 LSA will disappear. For
type3 LSA, this will come out if we have multi-area. If it's just a single area, area 0, then type 3 will not
appear. Only LSA type 1 must always be present.

LSA Type LSA Name Origin Scope Content

1 Router All Routers 1 area Neighbor, Network
2 Network DR 1 area Attached router
3 Summary ABR Other area Network/Prefix
4 ASB Summary ABR Other area ASBR ID
5 External ASBR All area External/reditributed network
OSPF Metric Type

We will explain about metric type in OSPF.

-Seed/ default metric

For example, if we redistribute BGP into OSPF, the default metric or what is called the seed metric has
a value of M=1. everything that comes from BGP when redistributed into OSPF, the metric is 1. But if
it is non-BGP such as IS-IS, EIGRP, then the default metric is M = 20.

The difference between E2 and E1.

OSPF E2 (default).
When we redistribute anything into OSPF, the default metric type is E2.

Example in topology lab. The R1 metric towards the external network is M=20 (seed). because the
metric type use E2, when the external network prefix is given to R2, the metric doesn’t change and it
will be 20, to R3 to R6 the metric is still 20. So if the metric type is E2, the metric value given by the
ASBR to subsequent routers does not change. R2 and the subsequent routers will keep the seed
metric value from the very first router who calculate the prefix.

Meanwhile, for E1, the metric value can be known by M=seed metric + interface cost. So when the
prefix is forwarded, the metric value will increase according to the interface cost.
Metric type E2 will be prefered, if there is only 1 exit to the external network. As in the lab topology,
R1 only has 1 path going to the external network, so E2 is sufficient for this scenario. This is because
metrics is no longer a problem. In the end the exit will definitely be through R1. So if there is only one
ASBR for going to external network, then just use the default E2. but if for example there is more than
one exit route, E1 will be prefered.
Here is the scenario

When we use E2, if router A wants to go to the external network via ASBR1, then the metric is M=20,
via ASBR2 the metric is also M=20. but if we use E1, router A's metric towards the external network
via ASBR1 is M=20+10=30 and via ASBR2 the metric is M=20+5=25. so when we use E1 we will see
which is better, ASBR 1 or 2.
We will try to change the default metric value and metric type.

Currently the default metric is 20. Let's try to change the metric to 25.
We can check show ip route on R6 before the default metric is changed.
After we change the default metric value in R1, the metric for the external network in R6 becomes 25.

Then we will change the metric type in R1 to E1.

After changing the metric type to E1, we try to change all OSPF costs along the links in the lab
topology by changing the reference bandwidth value. This change in reference bandwidth is
configured on all routers connected to OSPF so that all routers have the same reference in
determining costs.
Example of OSPF cost configuration on R6 with a value of 10 Gbps or 10000 Mbps.

Enter the command show ip ospf interface to check what cost value is recorded on each interface

After all routers have the same reference bandwidth, we can check how many metrics are recorded in
R6 for the external network prefix 192.168.0.0

After the metric type was changed to E1, the metric value on R6 for external network 192.168.0.0
which was previously 25, is now 65.

Let's see where the metric value of 65 comes from. Each link passed from R1 to R6 has a cost of 10,
which is obtained from calculating cost = reference bandwidth/interface bandwidth. Previously, we
changed the reference bandwidth to 10 Gbps or 10,000 Mbps, so the cost of each link = 10^10/10^9=
10.
From here we can calculate the metric from R6 to the external network 192.168.0.0 which is
10+10+10+10+25=65. If we check R3, the metric value will definitely be 45, because 10+10+25=45.

Let's take a look at LSA type 5 on R6 with show ip OSPF database

then we check in more detail the contents of LSA type 5 by showing ip OSPF database external adv-
router 172.16.1.1
Here we can see the metric type is now E1 and the default metric (non BGP) which was 20 is now 25.
Previously we briefly explained the OSPF cost calculation with a reference bandwidth of 100 Mbps /
interface bandwidth. By default, the reference bandwidth of the OSPF cost is 100 Mbps. If we applied
to current real network conditions with this default reference bandwidth value, it will be difficult to
represents actual conditions, because there are many interfaces with throughput greater than 100
Mbps, there are 1G, 10G, 40G and other interfaces. So the best practice is to use the interface router
on the OSPF network with the largest throughput as the reference bandwidth. Because if for example
the reference bw is not changed, then the costs of the 1Gbps and 10Gbps links will look the same.
Example

1 Gbps : 10^6/10^9=0.001 ~ 1
10 Gbps : 10^6/10^10 = 0.0001 ~ 1.

It's different when the interface with the largest bandwidth is the reference bw. For example, one
network has bw 1 Gbps, and 10 Gbps. When we change the default reference bandwidth to the
largest bandwidth on a link, namely 10 Gbps, then the cost calculation is

1 Gbps : 10^10 / 10^9 = 10

10 Gbps : 10^10 / 10^10 = 1

Area types

1 Normal Area: the area that receives all LSAs. Currently in our lab there are 3 areas, and all 3 of them
are normal areas, because we have seen that all LSA types 1 to 5 are in areas 12, 0, and 56. All LSAs
are accepted, and none are filtered.
2 Stub Area: an area that can filter certain LSA types. The goal is to save resources on the internal
router (IR). By reducing the LSA type, the LSDB will be smaller, thereby saving CPU and memory
resources.
Stub area requirements:

1 Not area 0
2 No ASBR
3 No OSPF virtual-link

In the LSA stub area only types 1,2,3 are allowed. For types 4 and 5, it is changed to the default route
0.0.0.0/0 sent by ABR.
In our lab topology, only area 56 is eligible to be a stub area. Area 56 has R5 as ABR and R6 as internal
router R6. In normal area conditions, there are LSA types 1 to 5 on R6. when we change it to stub area,
then the remaining LSA in R6 are type 1,2,3. while LSA types 4 and 5 do not exist and are changed to
default route 0.0.0.0/0 sent by ABR.
Let's check R6 while its condition is still in the normal area.

We can see that there are LSA types 1 - 5 on R6 when the type area is still a normal area. Now we try
to configure area 56 on R6 as a stub area.
When we only configure the stub area on R6, the OSPF adjacency with its neighbors is down due to
the area type mismatch, so we need to match the area type on another router that is R5.

When the area type is well-matched, then we check the LSDB again in R6.

And now we can see that in R6 there are no longer LSA types 4 and 5, and have been replaced with
the default route 0.0.0.0 which is advertised by the ABR, namely R5. If we check the routing table on
R6, then the route to network 192.168.0.0 no longer exists, and has been replaced with the default
route. It's as if R5 is saying to R6, you don't need to know how to access the external network, the
important thing is that if you want to access the external network, just go through me.
Ping and traceroute to 192.168.1.1 and it works.

As we said previously, this stub area functions to reduce LSA types 4 and 5 recorded in the LSDB of the
Internal Router and replace them with the default route sent by ABR. Therefore, if we check the ABR,
namely R5, LSA types 4-5 are still readable.
3 Totally Stubby Areas
This type of area has 1 difference with the stub area, in this type of area, there are only LSA types 1
and 2 + 0.0.0.0/0.

From R5's perspective, R5 will generate LSA type 3 (summary LSA). and this LSA Summary contains
networks that are in other areas or outside area 56, those are network area 0 and 12 (if we refer to
lab topology). Prefixes from area 0 and 12, it is received by R5, and will be converted into LSA type 3.
after being received by R6, route prefix with O IA code will appears originating from areas 0 and 12.
When we change it to totally stubby area, this O IA will disappear, and all networks outside area 56
will become the default route. Let's check on R6 when the ABR R5 router has not been configured as a
totally stubby area.
Here we can see the output from show ip route on R6, there are still many routes recorded with code
O IA. Now lets try to configure R5 so that area 56 becomes a totally stubby area. And this totally
stubby area configuration only needs to be done in the ABR.
After area 56 become a totally stubby area, the O IA route recorded on R6 disappears, and is replaced
with 0.0.0.0/0. Let's try ping an external network.
4 Not So Stubby Area (NSSA)

NSSA is a Stub area that has ASBR.

If we look at the topology, R1 in area 12 acts as an IR as well as an ASBR. Area 12 qualifies as NSSA,
because it is not area 0, there is no virtual link, and there is at least single ASBR. The only LSAs that are
allowed to enter this area are LSA 1,2,3,7. LSA 4 and 5 are replaced by default route. If we look at
NSSA, it is similar to Stub Area, but the difference is that ASBR usually redistributes the external
network into OSPF using LSA type 5 or External LSA, in NSSA, to redistribute from External to OSPF it
uses LSA type 7 or External NSSA LSA . The contents of LSA type 7 are the same as LSA type 5, namely
external network or prefix. In the normal area it is type 5, but in NSSA it is type 7. When R1 sends LSA
type 7 to ABR R2, R2 will forward this LSA type 7 in the form of LSA type 5. So this LSA type 7 only
exists in NSSA. When R2 receives LSA type 5 from another ASBR, R2 will not forward this LSA type 5 to
R1, and instead R2 will send the default route to R1. So the default route 0.0.0.0/0 replaces the
External LSA originating from the ASBR in another area.

Let's add 1 more external network to R3.

After we add network 172.31.1.0/24 to R3, we will try to redistribute the connected network to OSPF.
Because R3 redistributes networks outside OSPF into OSPF, R3 is also called ASBR. When ASBR R3
sends LSA type 5 to R2, we will see the difference in area 12 before and after it is converted to NSSA.

Configure the new network on R3 and redistribute it to OSPF

Lets check LSDB in R1

In normal area conditions, there is an LSA type 4, that is ASBR summary LSA advertised by ABR R2,
which indicates that there is an ASBR with router ID 172.16.3.3. There is also LSA type 5 in the form of
an additional external network advertised by R3.

Now lets change type of area 12 to NSSA. To be Full adjacency, the NSSA area type must be
configured by a router and its neighbors. If not, the status will be down.

When we change the area type in area 12 to NSSA, ASBR R1 will generate LSA type 7 (External NSSA
LSA) as mentioned previously. Then R2 will change the LSA type 5 sent by R3 to the default route
which is then sent to R1.
We have found LSA type 7 in LSDB R1, which means that R1 generates external NSSA LSA. But we
don't find the default route 0.0.0.0 in the Summary LSA.
when we check the routing table, we also cannot find the default route, because NSSA deletes LSA
types 4 and 5, then R1 will not be able to connect to the external network 172.31.1.0/24 until R1 has
the default route sent by ABR.

We only enter command #area 12 nssa in R2 , the same as we configured in R1. However, in order for
R2 or ABR generate default route information to R1, an additional command needs to be given
#area 12 nssa default-information-originate.

Let's check what changes is occured in R1.

We can see that R1 has received default route information from its ABR and there is code N2, which
means it is obtained from OSPF NSSA external type 2. Type 2 and Type 1 means the E1 and E2 metrics
that we discussed previously. If it is N2, it means that when it is forwarded to another router, the
metrics remain the same as default. If it isN1, the metric value will be added to the interface cost of
each link.
Lets try to ping 172.31.1.
Then we check the LSDB on R2. The function of ABR in NSSA is also to translate LSA type 7 into LSA
type 5 and then forward it to other areas.
Areas that only allow LSA type 1,2,7 + 0.0.0.0/0. The difference with NSSA is, that in Totally NSSA,
there is no LSA type 3 or Summary LSA.

When we change area 12 to totally NSSA, the only LSAs that enter area 12 are type 1,2,7 and the
default route. ASBR in area 12 also still sends LSA type 7 to ABR and then translates it into LSA type 5.
Let's look at the LSDB in R1 before it is changed to Totally NSSA.
R1’s LSDB and R1's routing table shows that R1 is still receiving LSA type 3 from other areas.
Totally NSSA Configuration.

Internal Router R1 Area Border Router R2

#conf t #conf t
#router OSPF 1 #router OSPF 2
#area 12 nssa #area 12 nssa no-summary
After changing it to totally NSSA, we can see that now R1 (Internal Router) no longer accepts LSA type
3 or O IA details, we can check R1's routing table, everything has changed to the default route.
Because fewer LSAs are recorded in the LSDB, CPU and memory resource usage will be more efficient.

Route Summarization

Its function is the same as in other protocols, that is to summarize the prefixes that we have.
And this summarization can only be done in ABR and ASBR. Examples in our lab, ABR that can perform
Summarization are R1 and R5.
For example, if we have many prefixes/networks, we will summarize them into a prefix that includes
all the other prefixes.

We will try to do summarization in R5 for network 10.5.6.0/29. For example, in R5 there are many
prefixes in the range between 10.4.x. Have good enough understanding about subnetting, by God
willing (InsyaAllah), we will be able to easily carry out summarization.

LSDB on R2 before summarization is carried out on R5.

summarize with prefix 10.5.6.0/29 with 10.4.0.0/15.

We check the LSDB again on R2
We can see that the LSA type 3 received by R2 from R5 no longer has the 10.5.6.0 subnet and has
been replaced with 10.4.0.0. let's try checking ping and traceroute from R2 to ip interface g0/2
10.5.6.5 on R5.

If we summarize it with network 10.4.0.0/15 then all 10.4.x.x and 10.5.x.x prefixes will fall into that
network range. But if we summarize with network 10.5.0.0/16 the prefix is only in the 10.5.x.x range.
We just have to adjust it according to our needs. For best practice, don't provide a network that is too
wide, in this case we just summarize 10.5.6.0/29 to 10.5.0.0/16.
Apart from ABR, another router that can do summarization is ASBR. We check ASBR R3, there are
external sub network prefixes, 172.31.1.0/26, 172.31.1.64/26, 172.31.1.128/26, and 172.31.1.192/26.
These 4 subnets can be summarized with network 172.31.1.0/24.

Lets check LSA type 5 in R2.

We can see that previously R2 got 4 prefixes 172.31.1.x/26, and now it is summarized to
172.31.1.0/24.

Example of summarization in area 0 (refer to the lab topology)

Network in area 0 :
Summarized
10.2.3.0/29
10.2.4.0/29
10.3.4.0/29 10.2.0.0/15
10.3.5.0/29
10.4.5.0/29
This summarized network 10.2.0.0/15 can cover all 5 subnets on its left side.

OSPF Authentication

Authentication is needed when we really want to ensure that the hello packet exchanged between
two routers matches the desired router.

For example we want to make sure that the hello that is exchanged is correct between the R5 and R6
routers that we have. Don't let there be a man in the middle. Therefore, we are advised to use
authentication in any routing protocol.
There are 2 types of authentication in OSPF.
-Plain text auth (type 1): the user provides a password that must be configured on R5 and R6. then
the password in the hello packet is sent in plain text. If this hello packet is captured between R5 and
R6, the password will be visible because it can be intercepted.
-has auth (type 2): password is scrambled using md5 or using sha algorithm.
By default OSPF has type 0 auth, that is null authentication (no authentication).
We try configuring authentication type 2 with MD5 on R1 and R2.

#conf t
#int gx/x
#ip OSPF authentication message-digest -> Choose type 2 authentication with md5 encryption
#ip OSPF message-digest-key <1-255> md5 <OSPF password (key) (max 16 characters) >
The type 2 authentication configuration above shows that in order to become a neighbor, the two
routers must have the same authentication type, then have an agreed ID key in the range 1 - 255, and
the same OSPF password key.
If we enable #debug ip ospf adj , when we configure R1 with MD5, a message like this will appear.

When R2 is configured with the same authentication parameters as R1, the OSPF state will become
full adjacency. When we check R1 a message appears like the following

Before we have configured R1 and R2 with md5 authentication. Lets try another authentication type 2
that is sha in R5 and R6. Sha has stronger cryptographic algorithm compared to md5. The length can
be up to 512 bits.
conf t
key chain <key chain-name>
key <Key ID>
key-string <Password>
cryptographic-algorithm <algorithm authentication type>
exit
int g0/02
ip OSPF authentication key-chain <key-chain name>
end

OSPF Virtual Link

The ideal OSPF design is area 0 as a backbone area that connects other areas. so every area that
wants to be connected to another area must pass through area 0. However, for example, there is a
case where area 9 is connected to area 7 for some reason, with this condition area 9 will not be able
to connect to other areas, in order for area 9 appears to be connected to area 0, we can create a
virtual link between ABR in areas 0 and 7 with ABR in areas 7 and 9. as if there is a connection from
area 9 to area 0 (the transit area is area 7).
Another case example is when there are 2 companies that each have area 0, so that these 2 area 0s
can be connected, they can temporarily pass through area 17 and then configure a virtual link
between their ABRs.
But the two examples above are not the recommended design, and usually the project should have
the correct design, area 0 is contiguous and other areas are connected to area 0.

Virtual link configuration in area 17.

Should be applied on each ABR router which will become a virtual link.
#conf t
#router OSPF <OSPF Process ID>
#area <area ID> virtual-link
#<opposite ABR ID>