Introduction
Open Shortest Path First (OSPF) is the most widely deployed interior gateway protocol in enterprise and service-provider networks. This run book walks you through every aspect of OSPF configuration on Cisco IOS and IOS-XE platforms — from enabling a single-area backbone to designing a full multi-area hierarchy with stub, totally-stubby, and NSSA areas. Every command is production-tested, and every example uses realistic topologies you can adapt immediately.
Prerequisites
- Cisco router or Layer-3 switch running IOS 15.x+ or IOS-XE 16.x/17.x (Catalyst 8000, ASR 1000, ISR 4000, Catalyst 9000 series)
- Console or SSH access with privilege level 15
- Basic understanding of IP subnetting and routing concepts
- Loopback interfaces configured for router-IDs (recommended)
Lab Topology Overview
Throughout this run book we use the following topology:
                        Area 0 (Backbone)
   ┌──────────────────────────────────────────────────┐
   │                                                  │
rtr-infrarunbook-01      rtr-infrarunbook-02      rtr-infrarunbook-03
Lo0: 10.255.0.1/32       Lo0: 10.255.0.2/32       Lo0: 10.255.0.3/32
Gi0/0: 10.0.12.1/30      Gi0/0: 10.0.12.2/30
                         Gi0/1: 10.0.23.1/30      Gi0/0: 10.0.23.2/30
   │                                                  │
   │ Area 10 (Stub)                                   │ Area 20 (NSSA)
   │ rtr-infrarunbook-04                              │ rtr-infrarunbook-05
   │ Lo0: 10.255.0.4/32                               │ Lo0: 10.255.0.5/32
   └──────────────────────────────────────────────────┘
rtr-infrarunbook-01 Gi0/1: 10.0.14.1/30 ── Gi0/0: 10.0.14.2/30 rtr-infrarunbook-04
rtr-infrarunbook-03 Gi0/1: 10.0.35.1/30 ── Gi0/0: 10.0.35.2/30 rtr-infrarunbook-05
1 — Enabling OSPF and Choosing a Router-ID
1.1 Why Router-ID Matters
The OSPF router-ID (RID) uniquely identifies each router in the OSPF domain. Cisco selects the RID in this order: (1) manually configured router-id, (2) highest loopback IP, (3) highest active physical IP. Always set it explicitly to avoid surprises during interface flaps.
1.2 Configure Loopback and Router-ID
! rtr-infrarunbook-01
interface Loopback0
description OSPF Router-ID
ip address 10.255.0.1 255.255.255.255
no shutdown
!
router ospf 1
router-id 10.255.0.1
log-adjacency-changes detail
If you change the router-id on a running router, you must issue clear ip ospf process for it to take effect. Plan a maintenance window.
2 — Single-Area OSPF (Area 0)
2.1 Network Statement Method
! rtr-infrarunbook-01
router ospf 1
router-id 10.255.0.1
network 10.255.0.1 0.0.0.0 area 0
network 10.0.12.0 0.0.0.3 area 0
network 10.0.14.0 0.0.0.3 area 0
passive-interface default
no passive-interface GigabitEthernet0/0
no passive-interface GigabitEthernet0/1
2.2 Interface-Level Method (IOS-XE Preferred)
! rtr-infrarunbook-02 — IOS-XE style
interface Loopback0
ip ospf 1 area 0
!
interface GigabitEthernet0/0
ip ospf 1 area 0
ip ospf network point-to-point
!
interface GigabitEthernet0/1
ip ospf 1 area 0
ip ospf network point-to-point
!
router ospf 1
router-id 10.255.0.2
passive-interface default
no passive-interface GigabitEthernet0/0
no passive-interface GigabitEthernet0/1
2.3 Verify Adjacency
rtr-infrarunbook-01# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.255.0.2 0 FULL/ - 00:00:36 10.0.12.2 GigabitEthernet0/0
10.255.0.4 0 FULL/ - 00:00:33 10.0.14.2 GigabitEthernet0/1
rtr-infrarunbook-01# show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 0 10.255.0.1/32 1 LOOP 0/0
Gi0/0 1 0 10.0.12.1/30 1 P2P 1/1
Gi0/1 1 0 10.0.14.1/30 1 P2P 1/1
3 — OSPF Network Types and DR/BDR
3.1 Common Network Types
- broadcast — Default on Ethernet. Elects DR/BDR.
- point-to-point — No DR/BDR election. Recommended for /30 or /31 links.
- non-broadcast — Manual neighbor statements (NBMA environments like Frame Relay).
- point-to-multipoint — Hub-and-spoke NBMA, each neighbor treated as P2P.
3.2 Forcing Point-to-Point on Transit Links
interface GigabitEthernet0/0
ip ospf network point-to-point
This eliminates the 2-second wait for DR/BDR election and speeds convergence.
3.3 Controlling DR Election Priority
! Make rtr-infrarunbook-01 the DR on the LAN segment
interface GigabitEthernet1/0
ip ospf priority 200
!
! Prevent rtr-infrarunbook-04 from ever becoming DR
interface GigabitEthernet1/0
ip ospf priority 0
4 — Multi-Area OSPF Design
4.1 Why Multi-Area?
As the LSDB grows, SPF calculations become expensive. Multi-area OSPF confines Type-1 and Type-2 LSAs to their area, summarises routes at Area Border Routers (ABRs), and reduces memory and CPU usage. Area 0 is always the backbone — every other area must connect to it (physically or via virtual links).
4.2 ABR Configuration — rtr-infrarunbook-01
router ospf 1
router-id 10.255.0.1
!
! Backbone links
network 10.255.0.1 0.0.0.0 area 0
network 10.0.12.0 0.0.0.3 area 0
!
! Area 10 link
network 10.0.14.0 0.0.0.3 area 10
!
passive-interface default
no passive-interface GigabitEthernet0/0
no passive-interface GigabitEthernet0/1
4.3 Internal Router in Area 10 — rtr-infrarunbook-04
router ospf 1
router-id 10.255.0.4
network 10.255.0.4 0.0.0.0 area 10
network 10.0.14.0 0.0.0.3 area 10
network 10.10.0.0 0.0.255.255 area 10
passive-interface default
no passive-interface GigabitEthernet0/0
4.4 Verify ABR Status
rtr-infrarunbook-01# show ip ospf
Routing Process "ospf 1" with ID 10.255.0.1
...
This router is an ABR; area count 2
Area BACKBONE(0)
Number of interfaces in this area is 2
SPF algorithm executed 4 times
Area 10
Number of interfaces in this area is 1
SPF algorithm executed 2 times
5 — Stub, Totally Stubby, and NSSA Areas
5.1 Stub Area (Area 10)
A stub area blocks Type-5 (external) LSAs. The ABR injects a default route (Type-3 LSA) instead. Configure on every router in the area.
! rtr-infrarunbook-01 (ABR)
router ospf 1
area 10 stub
! rtr-infrarunbook-04 (internal)
router ospf 1
area 10 stub
5.2 Totally Stubby Area
Adds no-summary on the ABR only. This blocks both Type-3 (inter-area) and Type-5 (external) LSAs — only the default route is injected.
! rtr-infrarunbook-01 (ABR) — totally stubby
router ospf 1
area 10 stub no-summary
! rtr-infrarunbook-04 (internal) — stays as stub
router ospf 1
area 10 stub
5.3 Not-So-Stubby Area — NSSA (Area 20)
NSSA allows redistribution of external routes into the area via Type-7 LSAs, which the ABR converts to Type-5 for the backbone.
! rtr-infrarunbook-03 (ABR)
router ospf 1
area 20 nssa
! rtr-infrarunbook-05 (ASBR in NSSA)
router ospf 1
area 20 nssa
redistribute static subnets
!
ip route 203.0.113.0 255.255.255.0 10.0.35.1
5.4 Totally NSSA
! rtr-infrarunbook-03 (ABR) — totally NSSA
router ospf 1
area 20 nssa no-summary
5.5 Verify NSSA
rtr-infrarunbook-03# show ip ospf database nssa-external
OSPF Router with ID (10.255.0.3) (Process ID 1)
Type-7 AS External Link States (Area 20)
Link ID ADV Router Age Seq# Checksum Tag
203.0.113.0 10.255.0.5 124 0x80000001 0x00A3B2 0
6 — Route Summarization
6.1 Inter-Area Summarization (ABR)
Summarisation at the ABR reduces the number of Type-3 LSAs flooded into the backbone.
! rtr-infrarunbook-01 — summarise Area 10 subnets
router ospf 1
area 10 range 10.10.0.0 255.255.0.0
This advertises a single 10.10.0.0/16 Type-3 LSA into Area 0 instead of individual /24 routes.
6.2 External Summarization (ASBR)
! rtr-infrarunbook-05 — summarise redistributed statics
router ospf 1
summary-address 203.0.113.0 255.255.255.0
6.3 Verify
rtr-infrarunbook-02# show ip route ospf | include 10.10.0.0
O IA 10.10.0.0/16 [110/21] via 10.0.12.1, 00:05:32, GigabitEthernet0/0
7 — OSPF Authentication
7.1 MD5 Authentication per Interface
! rtr-infrarunbook-01
interface GigabitEthernet0/0
ip ospf message-digest-key 1 md5 InFr@RunB00k!Key
ip ospf authentication message-digest
!
! rtr-infrarunbook-02
interface GigabitEthernet0/0
ip ospf message-digest-key 1 md5 InFr@RunB00k!Key
ip ospf authentication message-digest
7.2 Area-Wide Authentication
router ospf 1
area 0 authentication message-digest
!
interface GigabitEthernet0/0
ip ospf message-digest-key 1 md5 InFr@RunB00k!Key
7.3 HMAC-SHA-256 (IOS-XE 16.3+)
key chain OSPF-INFRARUNBOOK
key 1
key-string Infr@RB-SHA256!2026
cryptographic-algorithm hmac-sha-256
!
interface GigabitEthernet0/0
ip ospf authentication key-chain OSPF-INFRARUNBOOK
7.4 Verify Authentication
rtr-infrarunbook-01# show ip ospf interface GigabitEthernet0/0 | include auth
Message digest authentication enabled
Youngest key id is 1
8 — OSPF Timer Tuning and BFD
8.1 Fast Hello (Sub-Second Detection Without BFD)
interface GigabitEthernet0/0
ip ospf dead-interval minimal hello-multiplier 4
This sends hellos every 250 ms (1 s / 4) with a 1-second dead interval.
8.2 Standard Timer Adjustment
interface GigabitEthernet0/0
ip ospf hello-interval 5
ip ospf dead-interval 20
8.3 Bidirectional Forwarding Detection (BFD)
! Enable BFD on the interface
interface GigabitEthernet0/0
bfd interval 150 min_rx 150 multiplier 3
!
! Tie OSPF to BFD
router ospf 1
bfd all-interfaces
8.4 SPF Throttle
router ospf 1
timers throttle spf 50 200 5000
! spf-start 50ms, spf-hold 200ms, spf-max-wait 5000ms
timers throttle lsa all 0 200 5000
8.5 Verify BFD Neighbors
rtr-infrarunbook-01# show bfd neighbors
NeighAddr LD/RD RH/RS State Int
10.0.12.2 1/1 Up Up Gi0/0
10.0.14.2 2/1 Up Up Gi0/1
9 — OSPF Default Route Injection
9.1 Conditional Default (Only if Default Exists in RIB)
router ospf 1
default-information originate
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
9.2 Unconditional Default (always)
router ospf 1
default-information originate always metric 10 metric-type 1
10 — Route Redistribution into OSPF
10.1 Redistribute Static
router ospf 1
redistribute static subnets metric 100 metric-type 1
10.2 Redistribute BGP with Route-Map
ip prefix-list PFX-INFRARUNBOOK-ALLOW seq 10 permit 172.16.0.0/16 le 24
!
route-map RM-BGP-TO-OSPF permit 10
match ip address prefix-list PFX-INFRARUNBOOK-ALLOW
set metric 500
set metric-type type-1
route-map RM-BGP-TO-OSPF deny 20
!
router ospf 1
redistribute bgp 65010 subnets route-map RM-BGP-TO-OSPF
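To check which BGP routes this filter would actually let into OSPF, the following added example (not part of the original run book) evaluates the PFX-INFRARUNBOOK-ALLOW entry with standard prefix-list semantics. The function names and the list of candidate BGP routes are constructed for illustration.

```python
import ipaddress

def parse_prefix_list_entry(line):
    """Parse 'ip prefix-list NAME seq N permit|deny NET/LEN [ge X] [le Y]'."""
    tok = line.split()
    action, net = tok[5], ipaddress.ip_network(tok[6])
    opts = dict(zip(tok[7::2], map(int, tok[8::2])))
    ge, le = opts.get("ge"), opts.get("le")
    if ge is None and le is None:
        lo = hi = net.prefixlen          # no ge/le: exact length only
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else net.max_prefixlen
    return action, net, lo, hi

def evaluate(entries, candidate):
    """First matching entry wins; a prefix-list ends with an implicit deny."""
    cand = ipaddress.ip_network(candidate)
    for action, net, lo, hi in entries:
        if (cand.version == net.version and cand.subnet_of(net)
                and lo <= cand.prefixlen <= hi):
            return action
    return "deny"

def redistributed(entries, bgp_routes):
    """Routes that route-map sequence 10 hands to OSPF; the rest hit deny 20."""
    return [r for r in bgp_routes if evaluate(entries, r) == "permit"]

# The entry is the one from section 10.2; the BGP routes are constructed samples.
ENTRIES = [parse_prefix_list_entry(
    "ip prefix-list PFX-INFRARUNBOOK-ALLOW seq 10 permit 172.16.0.0/16 le 24")]
BGP_ROUTES = ["172.16.0.0/16", "172.16.40.0/24", "172.16.40.128/25",
              "172.17.0.0/16", "0.0.0.0/0", "10.10.1.0/24"]

if __name__ == "__main__":
    for route in BGP_ROUTES:
        print(f"{route:18} {evaluate(ENTRIES, route)}")
```

Only the /16 through /24 routes inside 172.16.0.0/16 pass; the /25, the default route and everything outside the block fall through to the deny.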
10.3 Redistribute Connected
router ospf 1
redistribute connected subnets metric 50 metric-type 2
11 — Virtual Links
When an area cannot physically attach to Area 0, a virtual link through a transit area provides the logical backbone connection.
! Assume Area 10 is the transit area
! ABR: rtr-infrarunbook-01 (RID 10.255.0.1)
! ABR: rtr-infrarunbook-04 (RID 10.255.0.4) — needs virtual link to reach Area 0
! On rtr-infrarunbook-01
router ospf 1
area 10 virtual-link 10.255.0.4
! On rtr-infrarunbook-04
router ospf 1
area 10 virtual-link 10.255.0.1
rtr-infrarunbook-01# show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 10.255.0.4 is up
Run as demand circuit
Transit area 10, via interface GigabitEthernet0/1
Virtual links are a temporary workaround. Redesign the topology so every area connects directly to Area 0 when possible.
12 — OSPF Cost Manipulation and Path Control
12.1 Auto-Cost Reference Bandwidth
The default reference bandwidth is 100 Mbps, making all GigE and 10GigE links cost 1. Fix this:
router ospf 1
auto-cost reference-bandwidth 100000
! 100 Gbps — gives 10GigE cost 10, 1GigE cost 100
Apply the same value on every OSPF router in the domain.
12.2 Manual Interface Cost
interface GigabitEthernet0/0
ip ospf cost 50
12.3 Maximum Paths (ECMP)
router ospf 1
maximum-paths 8
13 — OSPF Graceful Restart and NSF
router ospf 1
nsf cisco helper
nsf ietf helper strict-lsa-checking
On platforms that support IETF graceful restart (RFC 3623) the restarting router signals its neighbours to maintain forwarding during a process restart.
rtr-infrarunbook-01# show ip ospf nsf
Routing Process "ospf 1"
IETF NSF helper support enabled
Cisco NSF helper support enabled
Last NSF restart: None
14 — OSPF Prefix Suppression
Transit link prefixes (/30, /31 between routers) do not need to appear in the routing table of every router. Prefix suppression advertises them only in the LSDB, reducing the RIB:
router ospf 1
prefix-suppression
!
! Override on a specific interface if needed
interface Loopback0
ip ospf prefix-suppression disable
15 — Comprehensive Troubleshooting Commands
! Neighbor table
show ip ospf neighbor
show ip ospf neighbor detail
! Interface participation
show ip ospf interface brief
show ip ospf interface GigabitEthernet0/0
! LSDB inspection
show ip ospf database
show ip ospf database router 10.255.0.1
show ip ospf database summary
show ip ospf database external
show ip ospf database nssa-external
! Route table
show ip route ospf
show ip route ospf | include O IA
show ip route ospf | include E2
! Process overview
show ip ospf
show ip ospf statistics
show ip ospf border-routers
! Debug (use sparingly in production)
debug ip ospf adj
debug ip ospf hello
debug ip ospf events
15.1 Common Adjacency Problems
- Stuck in INIT — One side sees hellos but the other does not. Check ACLs, firewall rules (protocol 89), and MTU mismatch.
- Stuck in 2-WAY — Normal on broadcast segments for non-DR/BDR routers. Only DR and BDR reach FULL with others on broadcast networks.
- Stuck in EXSTART/EXCHANGE — MTU mismatch. Verify show interface GigabitEthernet0/0 | include MTU on both sides. Use ip ospf mtu-ignore as a temporary fix.
- Authentication mismatch — Check show ip ospf interface Gi0/0 | include auth on both sides.
- Area mismatch — Both ends must be in the same area on the shared link.
- Hello/Dead timer mismatch — Both ends must agree. Check with show ip ospf interface.
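The state checks in this list can be applied automatically to collected show ip ospf neighbor output. The following is an added example, not part of the original run book; the sample output is constructed (its first neighbor row mirrors section 2.3) and the function name triage is hypothetical.

```python
import re

# One neighbor row: Neighbor ID, Pri, State/Role, Dead Time, Address, Interface
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+([A-Z0-9]+)/\s*(\S+)\s+"
                 r"(\S+)\s+(\S+)\s+(\S+)$")

HINTS = {
    "INIT": "one-way hellos: check ACLs, firewall rules (protocol 89), MTU",
    "EXSTART": "likely MTU mismatch: compare interface MTU on both sides",
    "EXCHANGE": "likely MTU mismatch: compare interface MTU on both sides",
}

def triage(show_output):
    """Return (neighbor, interface, state, hint) for adjacencies needing attention."""
    problems = []
    for line in show_output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # prompt, header or blank line
        rid, _pri, state, role, _dead, _addr, iface = m.groups()
        if state == "FULL":
            continue
        if state == "2WAY" and role == "DROTHER":
            continue  # expected between two non-DR/BDR routers on broadcast
        hint = HINTS.get(state, "unexpected state: investigate")
        problems.append((rid, iface, state, hint))
    return problems

# Constructed sample output; addresses and states are illustrative.
SAMPLE = """\
rtr-infrarunbook-01# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.255.0.2        0   FULL/  -        00:00:36    10.0.12.2       GigabitEthernet0/0
10.255.0.4        0   EXSTART/  -     00:00:33    10.0.14.2       GigabitEthernet0/1
10.255.0.7        1   2WAY/DROTHER    00:00:31    10.10.1.7       GigabitEthernet1/0
10.255.0.8        1   INIT/DROTHER    00:00:39    10.10.1.8       GigabitEthernet1/0
"""

if __name__ == "__main__":
    for rid, iface, state, hint in triage(SAMPLE):
        print(f"{rid} on {iface}: {state} -> {hint}")
```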
16 — Full Production Configuration Example
rtr-infrarunbook-01 (ABR — Areas 0 and 10)
hostname rtr-infrarunbook-01
!
interface Loopback0
description OSPF-RID
ip address 10.255.0.1 255.255.255.255
ip ospf 1 area 0
!
interface GigabitEthernet0/0
description TO-rtr-infrarunbook-02-Gi0/0
ip address 10.0.12.1 255.255.255.252
ip ospf authentication key-chain OSPF-INFRARUNBOOK
ip ospf network point-to-point
ip ospf 1 area 0
bfd interval 150 min_rx 150 multiplier 3
no shutdown
!
interface GigabitEthernet0/1
description TO-rtr-infrarunbook-04-Gi0/0-AREA10
ip address 10.0.14.1 255.255.255.252
ip ospf authentication key-chain OSPF-INFRARUNBOOK
ip ospf network point-to-point
ip ospf 1 area 10
bfd interval 150 min_rx 150 multiplier 3
no shutdown
!
key chain OSPF-INFRARUNBOOK
key 1
key-string Infr@RB-SHA256!2026
cryptographic-algorithm hmac-sha-256
!
router ospf 1
router-id 10.255.0.1
auto-cost reference-bandwidth 100000
bfd all-interfaces
area 10 stub no-summary
area 10 range 10.10.0.0 255.255.0.0
timers throttle spf 50 200 5000
timers throttle lsa all 0 200 5000
passive-interface default
no passive-interface GigabitEthernet0/0
no passive-interface GigabitEthernet0/1
nsf ietf helper strict-lsa-checking
prefix-suppression
log-adjacency-changes detail
maximum-paths 4
default-information originate always metric 10 metric-type 1
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
rtr-infrarunbook-04 (Internal Router — Area 10 Totally Stubby)
hostname rtr-infrarunbook-04
!
interface Loopback0
ip address 10.255.0.4 255.255.255.255
ip ospf 1 area 10
!
interface GigabitEthernet0/0
description TO-rtr-infrarunbook-01-Gi0/1-AREA10
ip address 10.0.14.2 255.255.255.252
ip ospf authentication key-chain OSPF-INFRARUNBOOK
ip ospf network point-to-point
ip ospf 1 area 10
bfd interval 150 min_rx 150 multiplier 3
no shutdown
!
interface GigabitEthernet1/0
description INFRARUNBOOK-SERVER-VLAN
ip address 10.10.1.1 255.255.255.0
ip ospf 1 area 10
no shutdown
!
interface GigabitEthernet1/1
description INFRARUNBOOK-MGMT-VLAN
ip address 10.10.2.1 255.255.255.0
ip ospf 1 area 10
no shutdown
!
key chain OSPF-INFRARUNBOOK
key 1
key-string Infr@RB-SHA256!2026
cryptographic-algorithm hmac-sha-256
!
router ospf 1
router-id 10.255.0.4
auto-cost reference-bandwidth 100000
bfd all-interfaces
area 10 stub
timers throttle spf 50 200 5000
passive-interface default
no passive-interface GigabitEthernet0/0
log-adjacency-changes detail
17 — OSPF Security Hardening Checklist
- ✅ Enable authentication (HMAC-SHA-256 preferred) on every OSPF interface.
- ✅ Set passive-interface default — only un-passive router-facing interfaces.
- ✅ Use stub/totally-stubby/NSSA areas to limit LSA flooding.
- ✅ Apply ip ospf mtu-ignore only as a temporary measure, not a permanent fix.
- ✅ Set auto-cost reference-bandwidth identically on all routers.
- ✅ Enable prefix-suppression to hide transit links from the RIB.
- ✅ Log adjacency changes: log-adjacency-changes detail.
- ✅ Use route-maps on redistribution to avoid leaking unintended routes.
- ✅ Rate-limit debugs in production with service timestamps debug datetime msec.
- ✅ Document all OSPF areas, router-IDs, and authentication keys in your CMDB.
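Several of these checklist items can be verified mechanically against a saved configuration. The following is an added example, not part of the original run book: the functions parse_blocks and audit_ospf are hypothetical, the sample config is constructed, and the audit assumes OSPF is enabled per interface (ip ospf N area X), authentication is configured per interface, and a lone ! ends each block.

```python
import re

def parse_blocks(config):
    """Group lines under interface / router ospf / key chain headers; '!' ends a block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            current = None
        elif re.match(r"(interface|router ospf|key chain) ", line):
            current = line
            blocks[current] = []
        elif current:
            blocks[current].append(line)
    return blocks

def audit_ospf(config):
    """Return findings for the checklist items that are visible in one config."""
    blocks, findings = parse_blocks(config), []
    ospf = [l for h, ls in blocks.items() if h.startswith("router ospf") for l in ls]
    passive_default = "passive-interface default" in ospf
    if not passive_default:
        findings.append("router ospf: passive-interface default missing")
    for l in ospf:
        if l.startswith("redistribute ") and "route-map" not in l:
            findings.append(f"router ospf: '{l}' has no route-map")
    active = {l.split()[-1] for l in ospf if l.startswith("no passive-interface ")}
    sha = {h.split()[-1] for h, ls in blocks.items() if h.startswith("key chain")
           and "cryptographic-algorithm hmac-sha-256" in ls}
    for header, lines in blocks.items():
        if not header.startswith("interface "):
            continue
        name = header.split()[1]
        if "ip ospf mtu-ignore" in lines:
            findings.append(f"{name}: ip ospf mtu-ignore left in place")
        enabled = any(re.match(r"ip ospf \d+ area ", l) for l in lines)
        if (not enabled or name.startswith("Loopback")
                or (passive_default and name not in active)):
            continue  # no adjacency can form on this interface
        auth = [l.split() for l in lines if l.split()[:3] == ["ip", "ospf", "authentication"]]
        if not auth:
            findings.append(f"{name}: forms adjacencies without authentication")
        elif auth[0][3:4] != ["key-chain"] or auth[0][-1] not in sha:
            findings.append(f"{name}: authentication is not an hmac-sha-256 key chain")
    return findings

# Constructed sample, not taken from a real device.
WEAK = """\
interface GigabitEthernet0/0
 ip ospf 1 area 0
 ip ospf authentication message-digest
!
interface GigabitEthernet0/1
 ip ospf 1 area 10
 ip ospf mtu-ignore
!
router ospf 1
 redistribute static subnets
"""
```

Running audit_ospf(WEAK) returns five findings, while a configuration shaped like the rtr-infrarunbook-01 example in section 16 returns none.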
Frequently Asked Questions
Q1: What is the default OSPF hello and dead interval on broadcast and point-to-point networks?
The default hello interval is 10 seconds and the dead interval is 40 seconds (4× hello) on broadcast and point-to-point network types. On NBMA networks, the hello interval defaults to 30 seconds with a 120-second dead interval.
Q2: Can I run multiple OSPF processes on one Cisco router?
Yes. You can run multiple OSPF processes (e.g., router ospf 1 and router ospf 2) on the same router. Each process maintains a separate LSDB. This is commonly used when redistributing between two OSPF domains, though it doubles SPF computation overhead.
Q3: What is the difference between Type-1 (E1) and Type-2 (E2) external metrics?
E1 metrics include the external cost plus the internal cost to reach the ASBR. E2 (default) metrics use only the external cost, ignoring the internal path cost. Use E1 when you have multiple exit points to the same external destination and want OSPF to prefer the closest ASBR.
Q4: How do I change the OSPF router-ID without reloading the router?
Configure the new router-id under router ospf 1, then issue clear ip ospf process and confirm with 'yes'. This resets all OSPF adjacencies, so plan a maintenance window.
Q5: When should I use a virtual link?
Virtual links are a temporary workaround when a non-backbone area cannot directly connect to Area 0. They transit through a regular (non-stub) area. Best practice is to redesign the physical topology instead. Virtual links add fragility and are difficult to troubleshoot.
Q6: What is the OSPF LSDB and how do I inspect it?
The Link-State Database (LSDB) contains all LSAs received from OSPF neighbours. Every router in the same area has an identical LSDB. Inspect it with show ip ospf database, and drill into specific LSA types with show ip ospf database router, show ip ospf database summary, etc.
Q7: Why is my OSPF neighbor stuck in EXSTART/EXCHANGE?
The most common cause is an MTU mismatch between the two interfaces. OSPF includes the interface MTU in Database Description (DBD) packets. If the MTU values differ, neither side will proceed past EXSTART. Correct the MTU on both sides, or apply ip ospf mtu-ignore as a temporary workaround.
Q8: How does OSPF inter-area summarization differ from external summarization?
Inter-area summarization uses area [id] range [network] [mask] on an ABR to aggregate Type-3 LSAs between areas. External summarization uses summary-address [network] [mask] on an ASBR to aggregate Type-5 (or Type-7) LSAs generated by redistribution. Both reduce LSDB and routing table size.
Q9: Should I always set auto-cost reference-bandwidth?
Yes. The default reference of 100 Mbps assigns cost 1 to any link 100 Mbps or faster, meaning OSPF cannot distinguish between 1G, 10G, and 100G links. Set auto-cost reference-bandwidth 100000 (100 Gbps) on all routers in the OSPF domain to ensure accurate cost calculation.
Q10: How does BFD improve OSPF convergence?
BFD (Bidirectional Forwarding Detection) provides sub-second failure detection independent of OSPF hello timers. With BFD intervals as low as 50 ms and a multiplier of 3, a link failure can be detected in 150 ms. Without BFD, OSPF relies on its dead interval (default 40 seconds) before tearing down the adjacency. BFD dramatically reduces convergence time without increasing OSPF control-plane load.
