How to configure OSPF Virtual Link

If you studied Cisco’s CCNA you have learned that when you use OSPF all the areas have to be directly connected to the backbone area. Is this really true? Areas have to be connected to the backbone area but if they aren’t we can fix it with a virtual link.

Let me show you an example:

[Figure: OSPF discontinuous area]

Look at my picture above. We have three areas and on the left side is area 0. Area 2 is behind area 1. Normally this is not going to work since area 2 has to be directly connected to area 0. We can make this work by using a virtual link. By using a virtual link we can extend area 0 through area 1 so area 2 will be “directly connected” to area 0. Let’s take a look at how a virtual link can solve this problem:

[Figure: OSPF virtual link]

This is basically how a virtual link works. It’s like a tunnel through area 1 to reach area 2. This way area 2 will be directly connected. Now let me show you how to configure a virtual link:

[Figure: OSPF virtual link topology]

In the example above area 2 is not directly connected to area 0 so we’ll have to use a virtual link between routers R1 and R2, here’s how we do it:

R1(config)#router ospf 1
R1(config-router)#network 1.1.1.0 0.0.0.255 area 0
R1(config-router)#network 192.168.12.0 0.0.0.255 area 1 
R2(config)#router ospf 1
R2(config-router)#network 192.168.12.0 0.0.0.255 area 1
R2(config-router)#network 192.168.23.0 0.0.0.255 area 2
R3(config)#router ospf 1
R3(config-router)#network 192.168.23.0 0.0.0.255 area 2

I’ll start with a default OSPF configuration.

R1(config)#router ospf 1
R1(config-router)#area 1 virtual-link 192.168.23.2
R2(config)#router ospf 1
R2(config-router)#area 1 virtual-link 1.1.1.1

We configure the virtual link between the two ABRs with the area virtual-link command. First, specify the transit area that the virtual link runs through, which is area 1 in my example. Second, configure the OSPF router ID of the other ABR. Keep this in mind…you need to configure the OSPF router ID and NOT the IP address of the ABR. If everything is OK, area 2 will be directly connected to area 0 through our virtual link.

R1# %OSPF-5-ADJCHG: Process 1, Nbr 192.168.23.2 on OSPF_VL0 from LOADING to FULL, Loading Done
R2# %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on OSPF_VL0 from LOADING to FULL, Loading Done

You will see the message above that tells us the virtual link is established.

R1#show ip ospf virtual-links 
Virtual Link OSPF_VL0 to router 192.168.23.2 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface FastEthernet0/0, Cost of using 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
    Adjacency State FULL (Hello suppressed)
    Index 1/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
R2#show ip ospf virtual-links 
Virtual Link OSPF_VL0 to router 1.1.1.1 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface FastEthernet0/0, Cost of using 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
    Adjacency State FULL (Hello suppressed)
    Index 1/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

You can use the show ip ospf virtual-links command to check if your virtual-link is working.

R1#show ip ospf database 

            OSPF Router with ID (1.1.1.1) (Process ID 1)

		Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         189         0x80000004 0x00E333 2
192.168.23.2    192.168.23.2    1     (DNA) 0x80000002 0x009816 1
R2#show ip ospf database 

            OSPF Router with ID (192.168.23.2) (Process ID 1)

		Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         1     (DNA) 0x80000004 0x00E333 2
192.168.23.2    192.168.23.2    159         0x80000002 0x009816 1

If you look at the LSDB you will see that the virtual-link shows up as a type 1 router LSA. You can also see DNA which means do not age.

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

R2

hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.23.2 255.255.255.0
!
router ospf 1
 area 1 virtual-link 1.1.1.1
 network 192.168.12.0 0.0.0.255 area 1
 network 192.168.23.0 0.0.0.255 area 2
!
end

R1

hostname R1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
router ospf 1
 area 1 virtual-link 192.168.23.2
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 1
!
end

R3

hostname R3
!
interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
!
router ospf 1
 network 192.168.23.0 0.0.0.255 area 2
!
end
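
The rule from the lesson, that area virtual-link takes the other ABR's router ID and that both ABRs must point at each other across the same transit area, can be checked offline against saved configurations. The Python below is an added example, not part of the original lesson: parse and audit are hypothetical helper names, and the embedded R1/R2 text is copied from the listings above. It assumes the usual IOS router ID selection (explicit router-id, else highest loopback IP, else highest interface IP) and that each ip address line directly follows its interface line.

```python
import re
from ipaddress import IPv4Address

# Constructed input: OSPF-relevant lines copied from the R1 and R2 configs above.
R1 = """interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
router ospf 1
 area 1 virtual-link 192.168.23.2
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 1
"""
R2 = """interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
interface FastEthernet1/0
 ip address 192.168.23.2 255.255.255.0
router ospf 1
 area 1 virtual-link 1.1.1.1
 network 192.168.12.0 0.0.0.255 area 1
 network 192.168.23.0 0.0.0.255 area 2
"""

def parse(cfg):
    """Return (router_id, interface IPs, OSPF areas, [(transit_area, peer_id)])."""
    ifs = re.findall(r"^interface (\S+)\n ip address (\S+)", cfg, re.M)
    m = re.search(r"^ router-id (\S+)", cfg, re.M)
    loop = [ip for name, ip in ifs if name.startswith("Loopback")]
    # Assumed IOS default: explicit router-id, else highest loopback, else highest IP
    rid = m.group(1) if m else str(max(map(IPv4Address, loop or [ip for _, ip in ifs])))
    areas = set(re.findall(r"^ network \S+ \S+ area (\S+)", cfg, re.M))
    vls = re.findall(r"^ area (\S+) virtual-link (\S+)", cfg, re.M)
    return rid, {ip for _, ip in ifs}, areas, vls

def audit(configs):
    """Return a list of findings for every virtual-link in {hostname: config}."""
    routers = {name: parse(cfg) for name, cfg in configs.items()}
    by_rid = {r[0]: name for name, r in routers.items()}
    problems = []
    for name, (rid, _, areas, vls) in routers.items():
        for area, peer in vls:
            if area == "0" or area not in areas:
                problems.append(f"{name}: area {area} is not a usable transit area")
            if peer not in by_rid:  # classic mistake: an interface IP instead of the router ID
                owner = [n for n, r in routers.items() if peer in r[1]]
                hint = f" (interface IP of {owner[0]}, not its router ID)" if owner else ""
                problems.append(f"{name}: no router has ID {peer}{hint}")
            elif (area, rid) not in routers[by_rid[peer]][3]:
                problems.append(f"{name}: {by_rid[peer]} has no matching virtual-link to {rid}")
    return problems
```

Calling audit({"R1": R1, "R2": R2}) returns an empty list for the lesson's configuration; replacing R1's peer with R2's interface address 192.168.12.2 produces a finding on both routers.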


Any other situation where we need a virtual-link? What about a discontinuous backbone area? Let me show you an example:

Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. For this Topology

    Why can I ping 1.1.1.1 source 2.2.2.2 even without a virtual link, let alone the authentication? Is it an IOS bug or something else?

  2. Hello Rocky

    This is indeed puzzling. This may have to do with the fact that these are Loopback addresses that you are pinging and also because on R1, the router ID is explicitly defined as the same IP as the loopback and as the IP you’re pinging.

    Now the fact that the routing table includes the 1.1.1.1 destination in its routing table makes sense, because it sees it in a neighboring area, which is what should happen. What shouldn’t happen however is for there to be L3 connectivity between the loopbacks.

    However, notice that the routing table indicates that the


  3. I believe there is another way of enabling authentication?

    router ospf 1
    area 1 virtual-link 2.2.2.2 authentication message-digest
    area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 NWL

  4. Hello Chris

    Yes, you are right, this too is a valid way to enable MD5 authentication over a virtual link. The difference here is that this configures message-digest just for the virtual link. Authentication in the area need not be globally configured. The configuration in Rene’s lesson enables MD5 authentication on the whole of each area. Here is Rene’s configuration for comparison purposes.

    R1(config)#router ospf 1
    R1(config-router)#area 0 authentication
    R1(config-router)#area 1 virtual-link 2.2.2.2 authentication-key NWL
    

    I hope this has been helpful!

    Laz
