Note: The next section explains why all OSPF areas must be connected to the backbone area.
OSPF Virtual Links
The idea of an OSPF virtual link is to extend the backbone area across a non-backbone area. OSPF virtual links are part of the OSPF open standard and are often implemented to:
i) Connect a disconnected area to the backbone area through a non-backbone area.
ii) Connect the 2 separate parts of a partitioned or discontiguous backbone area through a non-backbone area.
The non-backbone area through which a virtual link is configured is known as a transit area. A transit area must have full routing information and cannot be a stub area. However, a GRE tunnel can be used instead of a virtual link to encapsulate native OSPF packets across a stub area.
Note: OSPF virtual links should only be used as temporary connections to fix unavoidable network topology problems and should not be part of an initial OSPF network design. A virtual link marks a part of the network that requires review and reengineering. Permanent virtual links are a sign of a poorly designed network, and they add a layer of complexity and troubleshooting difficulty to any network. We should avoid them by ensuring that backbone areas are designed with redundant links to prevent partitioning. When merging networks, sufficient planning is important to make sure all areas are directly linked to the backbone area.
An OSPF virtual link is similar to a standard OSPF adjacency, with the exception that the routers do not have to be directly connected on the same network segment to form an adjacency. A virtual link is interpreted as a point-to-point unnumbered connection.
The OSPF Hello mechanism works in the same way for both standard and virtual links, in which Hellos are sent out every 10 seconds. LSA updates work differently over virtual links. An LSA is usually refreshed every 30 minutes; however, an LSA learnt through a virtual link has the DoNotAge (DNA) bit set, which means that it is not aged out while held in the LSDB. The DNA mechanism suppresses the periodic LSA refresh reflooding over a virtual link.
The area {area-id} virtual-link {router-id} [authentication [message-digest | null]] [hello-interval sec] [retransmit-interval sec] [transmit-delay sec] [dead-interval sec] [authentication-key auth-key | message-digest-key key-id md5 key] OSPF router subcommand defines an OSPF virtual link. To properly configure a virtual link, the command must include the transit area ID (either a decimal value or dotted-decimal notation similar to an IP address) and the Router ID of the corresponding virtual link neighbor. Use the show ip ospf EXEC command to verify the Router ID configuration.
The parameters available for the area area-id virtual-link router-id command are described below:
Parameter | Description |
area-id | Specifies an area as the transit area for the virtual link. It can be either a decimal value or in dotted-decimal notation, like an IP address. |
router-id | Specifies the Router ID of the virtual link neighbor. |
authentication | Specifies an authentication type. |
retransmit-interval | Specifies the interval between LSA retransmissions for adjacencies belonging to the interface. The value must be greater than the expected round-trip delay between any 2 routers on the attached network. The default value is 5 seconds. |
transmit-delay | Specifies the estimated time to send an LSU packet out an interface. Its value must be greater than 0. The LSAge of the LSAs in the LSU packets will be incremented by this value before transmission. The default value is 1 second. |
authentication-key | Specifies the password used for simple password authentication. The password is a continuous string up to 8 characters. |
message-digest-key | Specifies the key ID and key (password) for MD5 authentication. The key is a continuous string up to 16 characters. |
Network Setup for Disconnected OSPF Area
The figure above shows a typical OSPF network and 2 network setups of disconnected OSPF areas when the link between RT1 and RT3 fails. 2 configuration options are available to connect the disconnected OSPF area back to the backbone area.
Below shows the routing table and OSPF LSDB on RT1 after a virtual link is configured on RT1 and RT3 for the scenario shown on Figure 10-8a:
RT1#sh ip route
Gateway of last resort is not set
     23.0.0.0/24 is subnetted, 1 subnets
O       23.23.23.0 [110/74] via 12.12.12.2, 00:00:47, Serial0/0
C    192.168.0.0/24 is directly connected, FastEthernet1/0
     12.0.0.0/24 is subnetted, 1 subnets
C       12.12.12.0 is directly connected, Serial0/0
O    192.168.1.0/24 [110/74] via 12.12.12.2, 00:00:47, Serial0/0
O IA 192.168.2.0/24 [110/84] via 12.12.12.2, 00:00:37, Serial0/0
RT1#
RT1#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -           -        23.23.23.3      OSPF_VL0
2.2.2.2           0   FULL/  -        00:00:38    12.12.12.2      Serial0/0
RT1#
RT1#sh ip ospf virtual-links
Virtual Link OSPF_VL0 to router 3.3.3.3 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface Serial0/0, Cost of using 74
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:02
    Adjacency State FULL (Hello suppressed)
    Index 1/1, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
RT1#
RT1#sh ip ospf database
            OSPF Router with ID (1.1.1.1) (Process ID 100)
                Router Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         46          0x80000002 0x00151D 2
3.3.3.3         3.3.3.3         5     (DNA) 0x80000002 0x00D8A8 1
                Summary Net Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum
12.12.12.0      1.1.1.1         319         0x80000001 0x003C98
12.12.12.0      3.3.3.3         6     (DNA) 0x80000001 0x00645E
23.23.23.0      1.1.1.1         128         0x80000003 0x000F98
23.23.23.0      3.3.3.3         6     (DNA) 0x80000001 0x00548D
192.168.1.0     1.1.1.1         309         0x80000001 0x0095EE
192.168.1.0     3.3.3.3         6     (DNA) 0x80000001 0x003B77
192.168.2.0     3.3.3.3         6     (DNA) 0x80000001 0x00CBEF
--- output omitted ---
Below shows the routing table and OSPF LSDB on RT1 after a virtual link is configured on RT1 and RT2 for the scenario shown on Figure 10-8b:
RT1#sh ip route
Gateway of last resort is not set
     23.0.0.0/24 is subnetted, 1 subnets
O IA    23.23.23.0 [110/74] via 12.12.12.2, 00:00:34, Serial0/0
C    192.168.0.0/24 is directly connected, FastEthernet1/0
     12.0.0.0/24 is subnetted, 1 subnets
C       12.12.12.0 is directly connected, Serial0/0
O    192.168.1.0/24 [110/74] via 12.12.12.2, 00:00:44, Serial0/0
O IA 192.168.2.0/24 [110/84] via 12.12.12.2, 00:00:34, Serial0/0
RT1#
RT1#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -           -        12.12.12.2      OSPF_VL0
2.2.2.2           0   FULL/  -        00:00:39    12.12.12.2      Serial0/0
RT1#
RT1#sh ip ospf virtual-links
Virtual Link OSPF_VL0 to router 2.2.2.2 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface Serial0/0, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
    Adjacency State FULL (Hello suppressed)
    Index 1/1, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
RT1#
RT1#sh ip ospf database
            OSPF Router with ID (1.1.1.1) (Process ID 100)
                Router Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         43          0x80000002 0x003E02 2
2.2.2.2         2.2.2.2         5     (DNA) 0x80000002 0x00D4E0 1
                Summary Net Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum
12.12.12.0      1.1.1.1         358         0x80000001 0x003C98
12.12.12.0      2.2.2.2         6     (DNA) 0x80000001 0x001EB2
23.23.23.0      2.2.2.2         6     (DNA) 0x80000001 0x007273
192.168.1.0     1.1.1.1         348         0x80000001 0x0095EE
192.168.1.0     2.2.2.2         6     (DNA) 0x80000001 0x00F4CB
192.168.2.0     2.2.2.2         6     (DNA) 0x80000001 0x004E67
--- output omitted ---
Note: OSPF does not require the Router ID IP address to exist in the IP routing table. As a result, the Router ID configured in the area virtual-link command may not be pingable, but the virtual link still works.
Network Setup for Partitioned Backbone Area
The figure above shows a sample implementation of OSPF virtual link – RT2 which resides in Area 0 has failed and the routers within the OSPF routing domain have lost their network connectivity. Note: OSPF virtual links should only be used as temporary connections to fix unavoidable network topology problems.
Below is the output of the show ip ospf neighbor and show ip ospf virtual-links EXEC commands on RT4 after the OSPF virtual link is configured:
RT4#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
6.6.6.6           0   FULL/  -           -        56.56.56.6      OSPF_VL0
1.1.1.1           1   FULL/BDR        00:00:38    14.14.14.1      FastEthernet0/0
5.5.5.5           0   FULL/  -        00:00:39    45.45.45.5      Serial1/0
RT4#
RT4#sh ip ospf virtual-links
Virtual Link OSPF_VL0 to router 6.6.6.6 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface Serial1/0, Cost of using 128 [1]
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:02
    Adjacency State FULL (Hello suppressed)
    Index 2/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
RT4#
[1] – The cost to reach the virtual link neighbor through the intra-area path; it cannot be configured.
Note: Configure authentication on a virtual link when the backbone area 0 is using authentication!
A virtual link is really an extension of the backbone area; if the backbone area is running authentication, the virtual link must be configured for authentication as well.
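The authentication requirement above can be checked offline against saved router configurations. The following is an added example, not code from the original page: it audits both ends of the RT1/RT3 virtual link and flags an end that would run unauthenticated while area 0 uses authentication. The configuration excerpts are constructed, the function names are hypothetical, and it assumes backbone authentication is enabled with the area 0 authentication [message-digest] router subcommand and that a virtual link with no explicit type takes area 0's type configured on the same router.

```python
import re

# Constructed running-config excerpts. Router IDs, process ID 100 and transit
# area 1 follow the RT1/RT3 scenario above; KEY-PLACEHOLDER is not a real key.
RT1 = """router ospf 100
 area 0 authentication message-digest
 area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 KEY-PLACEHOLDER
"""
RT3_WEAK = """router ospf 100
 area 1 virtual-link 1.1.1.1
"""
RT3_FIXED = """router ospf 100
 area 1 virtual-link 1.1.1.1 authentication message-digest
 area 1 virtual-link 1.1.1.1 message-digest-key 1 md5 KEY-PLACEHOLDER
"""

AREA_AUTH = re.compile(r"^\s*area\s+(0|0\.0\.0\.0)\s+authentication(\s+message-digest)?\s*$")
VLINK = re.compile(r"^\s*area\s+(\S+)\s+virtual-link\s+(\S+)(.*)$")
KEY_FOR = {"simple": "authentication-key", "message-digest": "message-digest-key"}

def parse(config):
    """Return (area 0 authentication type or None, {(transit area, RID): options})."""
    backbone_auth, vlinks = None, {}
    for line in config.splitlines():
        if m := AREA_AUTH.match(line):
            backbone_auth = "message-digest" if m.group(2) else "simple"
        elif m := VLINK.match(line):
            # One virtual link may be split over several lines; merge the options.
            vlinks.setdefault((m.group(1), m.group(2)), []).extend(m.group(3).split())
    return backbone_auth, vlinks

def effective_auth(opts, backbone_auth):
    """Explicit type on the virtual link wins; otherwise area 0's type applies."""
    if "authentication" not in opts:
        return backbone_auth
    i = opts.index("authentication") + 1
    nxt = opts[i] if i < len(opts) else ""
    return nxt if nxt in ("null", "message-digest") else "simple"

def audit(configs):
    """configs maps router name -> config text; returns a sorted list of findings."""
    parsed = {name: parse(text) for name, text in configs.items()}
    # The backbone counts as authenticated if any audited router enables it.
    domain_auth = next((a for a, _ in parsed.values() if a), None)
    findings = []
    for name, (local_auth, vlinks) in sorted(parsed.items()):
        for (area, rid), opts in sorted(vlinks.items()):
            auth = effective_auth(opts, local_auth)
            if domain_auth and auth in (None, "null"):
                findings.append((name, rid, "virtual link not authenticated"))
            elif auth in KEY_FOR and KEY_FOR[auth] not in opts:
                findings.append((name, rid, f"{auth} authentication without {KEY_FOR[auth]}"))
    return findings
```

The weak RT3 excerpt shows the usual way this goes wrong: a router with no physical interface in area 0 never receives the area 0 authentication statement, so its end of the virtual link is left without authentication.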
A virtual link is treated as an unnumbered point-to-point network that belongs to the backbone and joins the 2 area border routers. An adjacency will be established over the virtual link. When the adjacency is established, the virtual link will be included in backbone router-LSAs, and OSPF packets belonging to the backbone area will flow over the adjacency – the virtual adjacency.
Note: When configuring a virtual link over an interface which has the maximum OSPF cost – 65536 or 0xffff, the virtual link will not come up. RFC 2328 – OSPF Version 2 states that a virtual link whose underlying path has cost greater than hexadecimal 0xffff (the maximum size of an interface cost in a router-LSA) should be considered inoperational.