Configure OSPFv2 on Cisco IOS: From Single Area to Multi-Area

Why OSPF Is Still the Default Interior Gateway Protocol

Every CCNA and CCNP candidate eventually has the same realization: in production, on real enterprise networks, the routing protocol you will configure most often is OSPF. EIGRP is a Cisco-only fallback when the network is uniformly Cisco; BGP is what you run between autonomous systems, not within them; RIP is a relic. OSPFv2 is the standards-based, link-state, hierarchical protocol that almost every enterprise IGP runs on. Knowing it cold — areas, LSA types, the configuration verbs, the failure modes — is non-negotiable.

This article is a working reference for OSPFv2 on Cisco IOS. It covers the metric model, the LSA type system, the five area types you actually see in the wild, the configuration commands, authentication, and the two or three pitfalls that catch people on day one. The commands are short; the operational nuance is where the value is.

The Metric: Cost

OSPF picks the best path by cost. Cost is calculated per interface as:

Cost = Reference Bandwidth / Interface Bandwidth

The default reference bandwidth on Cisco IOS is 10^8 bps (100 Mbps). That default was reasonable in 1998 and has been embarrassing since about 2002: with a 100 Mbps reference, every interface at or above 100 Mbps gets a cost of 1, and the protocol cannot tell a 100 Mbps link from a 100 Gbps link. The first thing you do on a real network is raise it:

Router(config)# router ospf 1
Router(config-router)# auto-cost reference-bandwidth 100000

That sets the reference to 100 Gbps, which lets OSPF distinguish bandwidths between 1 Mbps and 100 Gbps with sensible costs. Set it to the same value on every router in the OSPF domain — if neighbors disagree on the reference bandwidth, they compute different costs for the same path and you get suboptimal routing that’s painful to debug.

To override cost on a single interface (e.g. to deprefer a backup link without touching the bandwidth statement):

Router(config-if)# ip ospf cost 100
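
The effect of the reference bandwidth on path selection, as an added example (not code from the original article). The two-path topology and the function names are constructed for illustration; bandwidths are in Mbps, matching the unit of auto-cost reference-bandwidth.

```python
def ospf_cost(reference_mbps, interface_mbps):
    """Interface cost = reference / interface bandwidth, truncated to an
    integer and clamped to 1..65535 (the 16-bit OSPF metric range)."""
    return max(1, min(65535, int(reference_mbps // interface_mbps)))


def path_cost(reference_mbps, link_speeds_mbps):
    """Total cost of a path is the sum of its outgoing interface costs."""
    return sum(ospf_cost(reference_mbps, s) for s in link_speeds_mbps)


def best_path(reference_mbps, paths):
    """Name of the lowest-cost path; paths maps name -> list of link speeds."""
    return min(paths, key=lambda name: path_cost(reference_mbps, paths[name]))


# Constructed topology: two ways to reach the same prefix.
PATHS = {
    "direct-100M": [100],               # one 100 Mbps hop
    "via-core-10G": [10_000, 10_000],   # two 10 Gbps hops
}


def compare(references=(100, 100_000)):
    """Per reference bandwidth: the cost of every path and the winner."""
    return {
        ref: {
            "costs": {n: path_cost(ref, links) for n, links in PATHS.items()},
            "best": best_path(ref, PATHS),
        }
        for ref in references
    }


if __name__ == "__main__":
    for ref, result in compare().items():
        print(f"reference {ref} Mbps -> {result}")
```

With the default reference the single 100 Mbps hop wins because every fast link collapses to cost 1; with the reference raised to 100000 the two 10 Gbps hops win.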

Hello and Dead Intervals

OSPF maintains adjacencies with periodic hello packets. Two timers govern this:

  • Hello interval. How often hellos are sent. Default 10 seconds on broadcast/point-to-point networks, 30 seconds on NBMA (Frame Relay) networks.
  • Dead interval. How long the router waits without hearing a hello before declaring the neighbor down. Default is 4× hello — 40 seconds on LAN, 120 seconds on NBMA.

The two timers must match on both ends of an adjacency or the neighbors will never form a full adjacency — you’ll see them stuck in INIT or 2WAY in show ip ospf neighbor. Tweak with:

Router(config-if)# ip ospf hello-interval 5
Router(config-if)# ip ospf dead-interval 20

LSA Types — What Each One Carries

OSPF builds its topology database from Link-State Advertisements (LSAs). There are six types you will see in the field, plus a seventh used only inside NSSAs:

| Type | Name | Originated by | Carries |
|---|---|---|---|
| 1 | Router LSA | Every router | The router’s own links and their costs, flooded within the area |
| 2 | Network LSA | Designated Router (DR) | The list of routers attached to a multi-access network |
| 3 | Summary LSA | ABR | Inter-area routes: networks reachable through other areas |
| 4 | ASBR Summary LSA | ABR | How to reach an ASBR in another area |
| 5 | External LSA | ASBR | Routes redistributed from another routing protocol or static |
| 7 | NSSA External LSA | ASBR inside an NSSA | Stand-in for Type 5 inside NSSAs; converted to Type 5 by the NSSA ABR |

Type 6 (Multicast) is defined but not implemented on Cisco. Types 8 through 11 are opaque LSAs used by extensions like MPLS-TE. For day-to-day enterprise OSPF you only need 1, 2, 3, 5, and (if you have NSSAs) 7.

The Five Area Types

OSPF’s defining feature is that it’s hierarchical. The whole domain is split into areas, and one of them — Area 0, the backbone — must touch every other area, directly or via a virtual link. Areas exist to limit LSA flooding and bound the SPF calculation: a router only sees the topology inside its own area, plus summary information about the rest of the domain.

Four non-backbone area types exist, each progressively stricter about which LSAs it allows in:

| Area Type | Allows in | Used when |
|---|---|---|
| Backbone (Area 0) | All LSA types (1, 2, 3, 4, 5) | Always; required by design |
| Normal Area | 1, 2, 3, 4, 5 | You need full external visibility (rare) |
| Stub Area | 1, 2, 3 + default route | Branch with no external routes; ABR injects a default |
| Totally Stubby Area (TSA) | 1, 2 + default route | Tightly-controlled spoke; only a default route in |
| NSSA | 1, 2, 3, 7 | Stub-like, but the area has its own ASBR (e.g. dial-out, BGP edge) |
| NSSA-TSA | 1, 2, 7 + default route | NSSA but only a default route from other areas |

Area types are how you keep a 500-router domain’s SPF calculations sane. Spoke sites that don’t need to know every external route should be Stub or TSA; they save memory, CPU, and recovery time. NSSAs are the right call when a remote site has its own external connection (a backup ISP, a partner trunk) and needs to inject a route locally without giving up the stub benefits.

Router Types

  • Internal Router (IR). All interfaces are in the same area.
  • Backbone Router (BR). At least one interface is in Area 0.
  • Area Border Router (ABR). Connects two or more areas; almost always also a Backbone Router. Generates Type 3 and Type 4 LSAs to translate between areas.
  • Autonomous System Border Router (ASBR). Has at least one interface that exchanges routes with another routing process (BGP, EIGRP) or static routes. Generates Type 5 LSAs (or Type 7 inside an NSSA).

One router can be all four at once.

Basic Configuration

OSPF on Cisco IOS uses a process ID that is locally significant — it does not have to match between neighbors. Pick something memorable:

Router(config)# router ospf 1
Router(config-router)# router-id 1.1.1.1

Always set the router-id explicitly. If you don’t, OSPF picks the highest IP on a loopback (or, if no loopback exists, the highest IP on a physical interface). That works the first time the router boots, but if the chosen interface goes down, the router-id changes, every adjacency re-forms, and your operations team learns about it from the alert flood.

Two equally valid ways to enable OSPF on an interface:

1. The network statement (under the OSPF process)

Router(config-router)# network 10.0.0.0 0.255.255.255 area 0

Every interface whose IP falls within 10.0.0.0/8 joins area 0. Note the wildcard mask, not subnet mask — 0.255.255.255, not 255.0.0.0. Decades of CCNA labs lost to that mistake.

2. The ip ospf interface command (preferred)

Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip ospf 1 area 0

This is more explicit, doesn’t depend on which subnet the interface is in, and is the modern best practice. Use it for new configs.
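
How the wildcard mask in a network statement selects interfaces, and what happens when a subnet mask is typed in its place, as an added example (not code from the original article). It evaluates the mask strictly as a wildcard, which is an assumption of this example; the function names and interface addresses are constructed.

```python
import ipaddress


def _u32(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def network_matches(address, wildcard, interface_ip):
    """True if interface_ip is selected by 'network <address> <wildcard> area N'.
    Wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(address) & care) == (_u32(interface_ip) & care)


def looks_like_subnet_mask(mask):
    """Heuristic: 1-bits running contiguously from the left (255.0.0.0,
    255.255.255.0) suggest a subnet mask typed where a wildcard was meant.
    0.0.0.0 and 255.255.255.255 are valid wildcards and are not flagged."""
    m = _u32(mask)
    if m in (0, 0xFFFFFFFF):
        return False
    inverted = ~m & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def lint_network_statement(statement, interface_ips):
    """Parse 'network <addr> <mask> area <id>' and report which interface
    addresses it selects and whether the mask looks inverted."""
    _, addr, mask, _, area = statement.split()
    return {
        "area": area,
        "selected": [ip for ip in interface_ips if network_matches(addr, mask, ip)],
        "suspect_mask": looks_like_subnet_mask(mask),
    }


if __name__ == "__main__":
    ips = ["10.1.2.3", "10.0.0.1"]  # constructed interface addresses
    for stmt in ("network 10.0.0.0 0.255.255.255 area 0",
                 "network 10.0.0.0 255.0.0.0 area 0"):
        print(stmt, "->", lint_network_statement(stmt, ips))
```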

Multi-Area Configuration

[Figure: OSPF hierarchical design. Area 0 (backbone, required, transit-only) connects through ABRs to Area 1 (normal, accepts everything), Area 10 (stub, no Type 4/5), Area 20 (totally stubby, only default in) and Area 30 (NSSA, Type 7 from local ASBR). Each area is a separate SPF domain; ABRs translate Type 1/2 into Type 3 summaries.]
The hub-and-spoke is not just a cliche — it’s the design OSPF was built for. Area 0 is the transit area; everything else hangs off ABRs.

Adding a Stub Area

Both the ABR and every internal router in the area must be configured as stub. If even one is missing the stub command, the adjacency will not form.

! On the ABR (in addition to area 0):
Router(config)# router ospf 1
Router(config-router)# network 192.168.10.0 0.0.0.255 area 10
Router(config-router)# area 10 stub

! On internal routers in Area 10:
Router(config-router)# area 10 stub

Totally Stubby Area

Only the ABR adds no-summary; internal routers stay as a regular stub. The no-summary tells the ABR not to flood Type 3 summaries into the area — only a default route makes it through.

! On the ABR:
Router(config-router)# area 20 stub no-summary

! On internal routers in Area 20:
Router(config-router)# area 20 stub

NSSA

The NSSA exists for one specific use case: a stub-style area that has its own external routing source (a partner BGP peer, a dial-out router, a redistributed static route). Type 5 LSAs aren’t allowed in, but the local ASBR can generate Type 7s, and the NSSA ABR converts those to Type 5s for the rest of the domain.

! On the ABR:
Router(config-router)# area 30 nssa

! On the ASBR inside the NSSA:
Router(config-router)# area 30 nssa
Router(config-router)# redistribute static subnets

! NSSA-TSA variant - only ABR adds no-summary:
Router(config-router)# area 30 nssa no-summary

Summarization at the ABR

One of the main reasons to use multiple areas is to summarize at area boundaries. Two commands, both at the ABR:

! Summarize an internal range when entering Area 0:
Router(config-router)# area 10 range 192.168.0.0 255.255.0.0

! Summarize external (Type 5) routes:
Router(config-router)# summary-address 172.16.0.0 255.255.0.0

area X range works on intra-area routes (Type 1/2) being summarized into Type 3. summary-address works on external Type 5 LSAs at the ASBR. Pick the right one based on what kind of route you’re summarizing.

Virtual Links

Sometimes a remote area cannot physically touch Area 0 — you bought a company, inherited their OSPF domain, and merging the two backbones is a project for next quarter. A virtual link lets a non-backbone area transit through another area to reach Area 0:

! On the two ABRs at either end of Area 1 (the transit area); each names the other's router-id:
ABR1(config-router)# area 1 virtual-link 10.10.10.10
ABR2(config-router)# area 1 virtual-link 1.1.1.1

The IP addresses are the OSPF router-ids of the two ABRs, not interface addresses. Virtual links should be considered a temporary fix — design out of them as soon as you can.

Authentication

OSPF supports two authentication modes: plain text and MD5. Plain text is symbolic at best (anyone who can sniff the link can read it); always use MD5 in production:

! Per-interface MD5 (recommended):
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip ospf message-digest-key 1 md5 SecretString
Router(config-if)# ip ospf authentication message-digest

! Per-area, applied to every OSPF interface in the area:
Router(config-router)# area 0 authentication message-digest

Both ends must have the same key-id and key string, and you have to enable authentication on every adjacency — mixing authenticated and unauthenticated interfaces in the same area breaks adjacencies.
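
One way to check a saved configuration for OSPF interfaces that would run without MD5 authentication, as an added example (not code from the original article or from Cisco). The sample configuration is constructed, and the check assumes interfaces are enabled with the ip ospf <process> area <id> form; interfaces enabled only through network statements are not covered.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip ospf 1 area 0
 ip ospf message-digest-key 1 md5 SecretString
 ip ospf authentication message-digest
!
interface GigabitEthernet0/2
 ip ospf 1 area 0
!
interface GigabitEthernet0/3
 ip ospf 1 area 10
!
interface GigabitEthernet0/4
 ip ospf 1 area 10
 ip ospf message-digest-key 1 md5 SecretString
!
router ospf 1
 router-id 1.1.1.1
 area 10 authentication message-digest
"""


def audit_ospf_auth(config):
    """Return {interface: finding} for OSPF interfaces lacking working MD5 auth."""
    ifaces, area_md5, cur = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level line ends any sub-mode
            m = re.match(r"interface (\S+)$", line)
            cur = ifaces.setdefault(
                m.group(1), {"area": None, "md5": False, "key": False}) if m else None
        elif m := re.match(r"area (\S+) authentication message-digest$", line):
            area_md5.add(m.group(1))     # per-area enablement under router ospf
        elif cur is not None:
            if m := re.match(r"ip ospf \d+ area (\S+)$", line):
                cur["area"] = m.group(1)
            elif line == "ip ospf authentication message-digest":
                cur["md5"] = True
            elif re.match(r"ip ospf message-digest-key \d+ md5 \S+", line):
                cur["key"] = True
    findings = {}
    for name, i in ifaces.items():
        if i["area"] is None:
            continue                     # interface does not run OSPF
        if not (i["md5"] or i["area"] in area_md5):
            findings[name] = "no MD5 authentication enabled"
        elif not i["key"]:
            findings[name] = "MD5 enabled but no message-digest-key"
    return findings
```

On the constructed sample, GigabitEthernet0/2 is reported as unauthenticated and GigabitEthernet0/3 as covered by the area-level command but missing its key.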

Verifying OSPF

The five commands you reach for daily:

| Command | Shows |
|---|---|
| show ip ospf | Process ID, router-id, areas, SPF stats, reference bandwidth |
| show ip ospf interface brief | Which interfaces run OSPF, in which area, with what cost and state |
| show ip ospf neighbor | Adjacency list with state; should be FULL or 2WAY (DROTHER on broadcast) |
| show ip ospf database | The full LSDB: every LSA the router holds, by type and area |
| show ip route ospf | Just the OSPF-learned routes in the routing table |

For neighbor state in particular: a neighbor stuck in EXSTART/EXCHANGE almost always means an MTU mismatch on the link. 2WAY on a broadcast network is normal between non-DR/BDR routers and is fine. INIT on both sides means hellos are getting through one direction only — suspect an ACL or a hello/dead timer mismatch.

Troubleshooting

When OSPF isn’t doing what you expect, debug it carefully — the debug commands are noisy and can saturate a busy router’s CPU. Filter and time-limit them.

! Watch adjacency formation:
Router# debug ip ospf adj

! Watch hello packets:
Router# debug ip ospf hello

! See which LSAs are being flooded:
Router# debug ip ospf events

If everything looks broken at once, the cleanest reset is:

Router# clear ip ospf process

That tears down every OSPF adjacency on the router and rebuilds the LSDB from scratch — disruptive, but useful when something has gotten into a confused state. Always know what you’re about to clear before you press enter.

Common Pitfalls

  • Mismatched reference bandwidth. If two routers disagree on auto-cost reference-bandwidth, they compute different costs for the same path and the SPF results don’t agree. Standardize at the design phase.
  • Wildcard vs subnet mask. The network statement uses a wildcard mask (0.255.255.255), not a subnet mask. Yes, every CCNA student has typed it wrong at least once.
  • Area type mismatch on adjacency. The whole area must agree on its type. One router missing area 10 stub will refuse to form an adjacency with the others.
  • MTU mismatch. EXSTART loop — one side has 1500, the other has 9000 (jumbo frames on the WAN side). Check show ip ospf interface for the MTU.
  • Implicit router-id changes. Without a static router-id, OSPF picks the highest loopback (or interface) IP for you. The day someone shuts down that loopback for unrelated reasons, your router-id changes and every adjacency re-forms.
  • Believing ‘no auto-summary’ matters. That’s an EIGRP / RIPv2 thing. OSPFv2 does not auto-summarize at classful boundaries. The command does nothing for OSPF.

Conclusion

OSPFv2 is a deceptively simple protocol with a deeply layered set of design choices. The base configuration — router ospf 1, network, router-id — takes ten minutes to type. The hierarchical design choices that determine whether the network scales gracefully take real thought:

  1. Set the reference bandwidth on day one and standardize it across the domain.
  2. Pin the router-id manually on every router.
  3. Pick area types deliberately — spokes that don’t need external routes are stub or TSA, not normal.
  4. Summarize at the ABR using area range and summary-address — that’s the whole point of multiple areas.
  5. Authenticate with MD5, even on internal links. The cost is a configuration line and a key-string; the upside is a routing protocol that can’t be hijacked by anyone with link access.

The commands are short. The protocol is well-documented. The pitfalls are well-known. What separates a working OSPF deployment from one that pages on-call at 3 AM is whether the design choices were made deliberately or by default.
