CCNP Route Lab 3-2, Multi-Area OSPF with Stub Areas and Authentication

CCNP Route Lab 3-2, Multi-Area OSPF with Stub Areas and Authentication




  • Configure multiple-area OSPF on a router.
  • Verify multiple-area behavior.
  • Configure OSPF stub, totally stubby, and not-so-stubby areas.
  • Configure OSPF authentication.

You are responsible for configuring the new network to connect your company’s engineering, marketing, and accounting departments, represented by loopback interfaces on each of the three routers. The physical devices have just been installed and connected by serial cables. Configure multiple-area OSPF to allow full connectivity between all departments.

R3 also has a loopback representing a connection to another autonomous system that is not part of OSPF.

Note: This lab uses Cisco 1841 routers with Cisco IOS Release 12.4(24)T1 and the Advanced IP Services image c1841 -advipservicesk9-mz.124-24.T1 .bin. You can use other routers (such as a 2801 or 2811) and Cisco IOS Software versions if they have comparable capabilities and features. Depending on the router model and Cisco IOS Software version, the commands available and output produced might vary from what is shown in this lab.

Required Resources

  • 3 routers (Cisco 1841 with Cisco IOS Release 12.4(24)T1 Advanced IP Services or comparable)
  • Serial and console cables

Step 1: Configure addressing and loopbacks.
a. Using the addressing scheme in the diagram, apply IP addresses to the serial interfaces on R1, R2, and R3. Create loopbacks on R1, R2, and R3, and address them according to the diagram.

Note: Depending on the router models you have, you might need to add clock rates to the DCE end of each connection (newer equipment adds this automatically). Verify connectivity across each serial link.

Step 2: Add interfaces into OSPF.
a. Create OSPF process 1 on routers R1 and R2. Configure the subnet of the serial link between R1 and R2 to be in OSPF area 0 using the network command. Add loopback 1 on R1 and loopback 2 on R2 into OSPF area 0. Change the network type on the loopback interfaces so that they are advertised with the correct subnet.

Note: Another option for adding individual directly connected networks into the OSPF process is to use the ip ospf process-id area area-id interface command that is available with Cisco IOS version 12.3(11)T and later.

b. Verify that both routers have OSPF neighbors using the show ip ospf neighbors command.

c. Verify that the routers can see each other’s loopback with the show ip route command.

d. Add the subnet between R2 and R3 into OSPF area 23 using the network command. Add loopback 3 on R3 into area 23.

e. Verify that this neighbor relationship comes up using the show ip ospf neighbors command.

f. If you look at the output of the show ip route command on R1, you see a route to the R3 loopback. Notice that it is identified as an inter-area route.

g. Issue the show ip route command on R2. Notice that R2 has no inter-area routes because R2 is in both areas. It is an ABR, or area border router.

h. Using a Tcl script, verify connectivity to all interfaces from any router, with the exception of loopback 20 on R3 (, which has not yet been configured as part of OSPF.

i. Use the following Tcl script to verify that you can ping all addresses in the topology.

Step 3: Configure a stub area.
a. Under the OSPF process on R2 and R3, make area 23 the stub area using the area area stub command. The adjacency between the two routers might go down during the transition period, but it should come back up afterwards.

b. Confirm that it comes up by using the show ip ospf neighbors command.

c. Using the show ip route command, you can see that R3 now has a default route pointing toward R2. A stub area does not receive any external routes. It receives a default route and OSPF inter-area routes.

d. Look at the output of the show ip ospf command to see what type each area is.

What are the advantages of having a router receive a default route rather than a more specific route?
Router memory and processing are conserved because the router has fewer routes to contend with.

Why do all routers in a stub area need to know that the area is a stub?
Routers need to know that an area is a stub for consistency so that no routers generate type 5 LSAs or other OSPF features (such as virtual links) in an area in which they cannot exist.

Step 4: Configure a totally stubby area.
A modified version of a stubby area is a totally stubby area. A totally stubby area ABR only allows in a single, default route from the backbone. To configure a totally stubby area, you only need to change a command at the ABR, R2 in this scenario. Under the router OSPF process, you will enter the area 23 stub no-summary command to replace the existing stub command for area 23. The no-summary option tells the router that this area will not receive summary (inter-area) routes.

a. To see how this works, issue the show ip route command on R3. Notice the inter-area routes, in addition to the default route generated by R2.

b. Look at the output of the show ip ospf database command on R2 to see which LSAs are in its OSPF

c. Enter the stub no-summary command on R2 (the ABR) under the OSPF process.

d. Go back to R3 and issue the show ip route command again. Notice that it shows only one incoming route from OSPF.

e. Look at the show ip ospf database output to see which routes are in area 23.

What are the advantages of making an area totally stubby instead of a regular stub area? What are the disadvantages?
By making an area totally stubby, routers in the area only see intra-area routes and a default route. This can save a lot of router memory and processor time. However, as with any type of route aggregation, the loss of routing detail makes it possible for a non-optimal route to be chosen.

Why did only the ABR need to know that the area was totally stubby rather than all routers in the area?
The ABR is the gateway to the rest of the area and therefore is the boundary that all inter-area LSAs need to pass through. Because of this, it only needs to filter out the type 3 LSAs and let the default route through.

Step 5: Configure a not-so-stubby area.
Not-so-stubby areas (NSSAs) are similar to regular stub areas, except that they allow routes to be redistributed from an ASBR into that area with a special LSA type, which gets converted to a normal external route at the ABR.

a. Change area 23 into an NSSA. NSSAs are not compatible with stub areas, so the first thing to do is issue the no area 23 stub command on routers R2 and R3. Next, issue the area area nssa command on routers R2 and R3 to change area 23 to an NSSA. To generate an external route into the NSSA, use the redistribute connected subnets command on R3. This adds the previously unreachable loopback 20 into OSPF. Be sure to include the subnets keyword; otherwise, only classful networks are redistributed.

b. In the output of the show ip ospf command on R2, notice that area 23 is an NSSA and that R2 is performing the LSA type 7 to type 5 translation. If there are multiple ABRs to an NSSA, the ABR with the highest router ID performs the translation.

c. Look at the show ip route output on R2. Notice that the external route comes in as type N2 from R3. This is because it is a special NSSA external route.

d. Look at the show ip route output on R1. Notice that the route is now a regular E2 external route, because R2 has performed the type 7 to type 5 translation.

e. Look at the show ip route output on R3. Notice that it no longer has a default route in it, but inter-area routes are coming in.

Note: An NSSA does not have the default route injected by the ABR (R2) automatically. It is possible to make the ABR inject the default route into the NSSA using the area 23 nssa default-informationoriginate command on R2.

f. Yet another type of area is a totally-stubby NSSA that combines the property of an NSSA area (injecting external routing information into OSPF) with a totally stubby behavior (accepting only default route from the backbone). Issue the area 23 nssa no-summary command on R2, similar to converting a stub area into a totally stubby area.

g. Check the routing table on R3. Notice that the inter-area routes have been replaced by a single default route.

h. On R2, look at the show ip ospf database output to see the various LSA types.

Where would it be useful to make an area into an NSSA?
An NSSA is useful if you want to allow an area to inject external routes into an OSPF domain while still retaining some of the stub characteristics of the area such as not accepting external routes that are originated in other areas.

Step 6: Configure OSPF interface authentication.

For security purposes, you can configure OSPF interfaces to use authentication.

a. Configure the link between R2 and R3 for plaintext authentication. To set up plaintext authentication on an interface, type ip ospf authentication at the interface command prompt. Then set the password to cisco with the ip ospf authentication-key key-string command.

Note: While configuring the authentication, the adjacency might go down if the dead timer expires on one of the routers. The relationship should be reestablished once authentication is configured on both sides.

b. Verify the authentication using the show ip ospf interface interface command.

c. MD5 authentication encrypts the password for stronger security. Configure the link between R1 and R2 for MD5 authentication using the ip ospf authentication message-digest interface command. Then set the password to cisco with the ip ospf message-digest-key key_number md5 key-string command. Make sure that the key number is the same on both routers. In this case, use 1 for simplicity.

Note: The MD5 key number works differently than key chains. The router uses the most recently added key for authenticating sent packets. The key number does not have a direct influence on this behavior, that is, if the interface was configured with the MD5 key number 10 and later the key with number 5 was added, the router would use the key number 5 to digitally sign outbound sent packets. If a router having several MD5 keys on an interface detects that at least one of its neighbors has not yet started using the most recently added key, it engages in a simple key migration procedure: it sends each OSPF packet multiple times, with each instance of the packet authenticated by a particular MD5 key configured on the interface, one instance for each key. This ensures a smooth, gradual migration.

d. Verify the configuration using the show ip ospf interface interface command.

Why is configuring authentication for OSPF, or any routing protocol, a good idea?
Configuring routing protocol authentication is beneficial because without it, you could have a rogue router on a subnet advertising false routes.

e. Use the following Tcl script to verify connectivity to all addresses in the topology.

Router Interface Summary Table

Router Interface Summary
Router Model Ethernet Interface
Ethernet Interface
Serial Interface
Serial Interface
1700 Fast Ethernet 0
Fast Ethernet 1
Serial 0 (S0) Serial 0/0/1
1800 Fast Ethernet 0/0
Fast Ethernet 0/1
Serial 0/0/0
Serial 0/0/1
2600 Fast Ethernet 0/0
Fast Ethernet 0/1
Serial 0/0 (S0/0) Serial 0/1 (S0/1)
2800 Fast Ethernet 0/0
Fast Ethernet 0/1
Serial 0/0/0
Serial 0/0/1
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. Rather than list all combinations of configurations for each router class, this table includes identifiers for the possible combinations of Ethernet and serial interfaces in the device. The table does not include any other type of interface, even though a specific router might contain one. For example, for an ISDN BRI interface, the string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.

Device Configurations (Instructor version)
Router R1

Router R2

Router R3

More Resources

About the author


Leave a Comment