This article explains how to connect OSPF areas using a virtual link.
OSPF requires every area to be connected directly to Area 0 (the backbone).
In some cases it is not possible to physically connect an area to the backbone.
For this purpose, a virtual link can be used to establish the connection
to the backbone area through a non-backbone area.
Virtual links are established between area border routers.
Scope
Basic OSPF configuration with virtual-link.
Diagram
The diagram consists of 3 firewalls. Loopbacks on firewall FGT1 simulate networks in area 2, which is not connected to the backbone area.
200.0.0.0/24
200.0.1.0/24 <AREA 2> FGT1 <- AREA1 10.222.0.0/20 -> FGT2 <- AREA0 10.223.0.0/20 -> FGT3
200.0.2.0/24
Router IDs:
FGT1 – 1.1.1.1
FGT2 – 2.2.2.2
FGT3 – 3.3.3.3
Expectations, Requirements
Configuration
After basic OSPF configuration, all neighbors are in FULL state, but networks 200.0.x.0/24 are not reachable on FGT3:
FGT3:
FGT3 # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 Full/ - 00:00:39 10.223.0.184 port1
FGT3 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 10.109.31.254, wan1
C 2.2.2.2/32 is directly connected, T
C 10.109.16.0/20 is directly connected, wan1
O IA 10.222.0.0/20 [110/2] via 10.223.0.184, port1, 00:06:50
C 10.223.0.0/20 is directly connected, port1
C 192.168.100.0/24 is directly connected, lan
To fix this, configure a virtual link between FGT1 and FGT2. These routers are the area border routers for area 2/area 1 and area 1/area 0 respectively.
Important note: The virtual link is configured between router IDs (not actual IP addresses). Also, the virtual link needs to be configured under the area that is used as transit; in this case the transit area is Area 1:
FGT1:
FGT1 # show router ospf
config router ospf
set router-id 1.1.1.1
config area
edit 0.0.0.1
config virtual-link
edit "Area1_Virtual_link"
set peer 2.2.2.2 <<< Router ID of the peer
next
end
next
edit 0.0.0.2
next
FGT2:
FGT2 # show router ospf
config router ospf
set router-id 2.2.2.2
config area
edit 0.0.0.0
next
edit 0.0.0.1
config virtual-link
edit "Area1_Virtual_link"
set peer 1.1.1.1 <<< Router ID of the peer
next
end
next
end
If needed, the virtual link also supports MD5 authentication.
Verification
FGT2 # get router info ospf virtual-links
Virtual Link VLINK0 to router 1.1.1.1 is up
Process ID 0, VRF 0, Router ID 2.2.2.2, Cost: 1
Transit area 0.0.0.1 via interface port1
Local address 10.222.0.184/32
Remote address 10.222.0.85/32
Transmit Delay is 1 sec, State Point-To-Point,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Adjacency state Full
FGT2 # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 Full/ - 00:00:40 10.222.0.85 port1
3.3.3.3 1 Full/ - 00:00:30 10.223.0.62 port2
1.1.1.1 1 Full/ - 00:00:38 10.222.0.85 VLINK0
The final verification that the virtual link is correctly configured is that FGT3 now has 3 additional routes:
FGT3 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 10.109.31.254, wan1
C 2.2.2.2/32 is directly connected, T
C 10.109.16.0/20 is directly connected, wan1
O IA 10.222.0.0/20 [110/2] via 10.223.0.184, port1, 00:19:09
C 10.223.0.0/20 is directly connected, port1
C 192.168.100.0/24 is directly connected, lan
O IA 200.0.0.0/24 [110/102] via 10.223.0.184, port1, 00:06:38
O IA 200.0.1.0/24 [110/102] via 10.223.0.184, port1, 00:06:38
O IA 200.0.2.0/24 [110/102] via 10.223.0.184, port1, 00:00:27
Troubleshooting
If the virtual link does not come up, double-check that the peers are correctly configured with the router-id and that the virtual link on each area border router is configured under the correct area.
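The troubleshooting checks above can be run offline against saved configuration excerpts. The following Python script is an added example, not Fortinet code or part of the original article: it parses two `config router ospf` blocks in the form shown in this article and reports peer/router-id and transit-area mismatches. The function names and the sample strings are assumptions constructed from the excerpts on this page.

```python
# Constructed sample input modelled on the article's FGT1/FGT2 excerpts (added example).
FGT1 = """config router ospf
set router-id 1.1.1.1
config area
edit 0.0.0.1
config virtual-link
edit "Area1_Virtual_link"
set peer 2.2.2.2 <<< Router ID of the peer
next
end
next
end
end
"""
FGT2 = (FGT1.replace("router-id 1.1.1.1", "router-id 2.2.2.2")
            .replace("peer 2.2.2.2", "peer 1.1.1.1"))

def parse_ospf(text):
    """Return (router_id, {area: [virtual-link peers]}) from a 'config router ospf' block."""
    router_id, links, stack, area = None, {}, [], None
    for raw in text.splitlines():
        line = raw.split("<<<")[0].strip()  # drop the article's "<<<" annotations
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and stack[-1:] == ["area"]:
            area = line.split()[1]  # area entry currently being edited
        elif line.startswith("set router-id "):
            router_id = line.split()[2]
        elif line.startswith("set peer ") and stack[-1:] == ["virtual-link"]:
            links.setdefault(area, []).append(line.split()[2])
    return router_id, links

def check_virtual_link(cfg_a, cfg_b):
    """List the mismatches that would keep the virtual link between two ABRs down."""
    (rid_a, links_a), (rid_b, links_b) = parse_ospf(cfg_a), parse_ospf(cfg_b)
    problems = []
    if "0.0.0.0" in links_a or "0.0.0.0" in links_b:
        problems.append("virtual-link configured under the backbone, not a transit area")
    via_a = {a for a, peers in links_a.items() if rid_b in peers}
    via_b = {a for a, peers in links_b.items() if rid_a in peers}
    if not via_a:
        problems.append(f"{rid_a}: no virtual-link with peer {rid_b}")
    if not via_b:
        problems.append(f"{rid_b}: no virtual-link with peer {rid_a}")
    if via_a and via_b and not (via_a & via_b):
        problems.append(f"transit areas differ: {sorted(via_a)} vs {sorted(via_b)}")
    return problems
```

An empty list from `check_virtual_link(FGT1, FGT2)` means both sides point at each other's router ID under the same transit area; a peer set to an interface address such as 10.222.0.85 instead of the router ID is reported as a missing virtual link.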