OSPF and EIGRP Advanced Features
OSPF and EIGRP Advanced Features
Introduction
As you prepare for the CCNP ENCOR exam, a solid command of OSPF and EIGRP advanced features is essential. These two routing protocols form the backbone of most enterprise networks, and the exam expects you to not only understand their differences but also configure, verify, and troubleshoot their more sophisticated capabilities.
In this lesson we move beyond basic neighbor adjacencies and route advertisement. You will learn how OSPF area types control LSA propagation, how OSPF authentication secures routing updates, how the default-information originate command injects a default route into OSPF, and how EIGRP stub routing limits query scope in hub-and-spoke designs. By the end you will be able to configure each feature from scratch and verify correct operation using standard show commands.
Key Concepts
OSPF Area Types
OSPF uses a hierarchical design built around areas. Beyond the standard backbone (Area 0) and normal areas, OSPF defines several special area types that restrict the LSAs an area will accept. Understanding these types is a core ENCOR objective.
| Area Type | LSAs Allowed | External Routes (OE2) | Inter-Area Summary (LSA 3) | Key Command |
|---|---|---|---|---|
| Stub | LSA 1, LSA 2, LSA 3 | Blocked | Allowed | area <id> stub |
| Totally Stubby | LSA 1, LSA 2 only | Blocked | Blocked (default route injected) | area <id> stub no-summary |
| NSSA | LSA 1, LSA 2, LSA 7 | Blocked (OE2) | Allowed | area <id> nssa |
| Totally NSSA | LSA 1, LSA 2 only | Blocked (OE2) | Blocked (default route injected) | area <id> nssa no-summary |
OSPF Authentication
OSPF supports MD5 authentication to protect routing updates from being spoofed or tampered with. Authentication can be applied at two levels:
- Area-based authentication -- applied under the OSPF process; all interfaces in that area inherit the authentication requirement.
- Interface-based authentication -- applied directly on individual interfaces, giving you granular control over which links are authenticated.
OSPF Default Route Injection
The default-information originate command under the OSPF process advertises a default route to all other OSPF routers. There are two variants:
- default-information originate -- advertises the default route only when a default route already exists in the local routing table.
- default-information originate always -- advertises the default route unconditionally, even if no default route exists locally.
EIGRP Stub Routing
In EIGRP, a stub router tells its neighbors that it should not be used as a transit router. When a hub router receives a query, it will not forward that query to any neighbor that has declared itself a stub. This dramatically reduces query scope and speeds convergence in hub-and-spoke topologies. The stub router advertises only the route types you specify -- commonly connected and summary routes.
EIGRP vs. OSPF at a Glance
| Attribute | EIGRP | OSPF |
|---|---|---|
| Algorithm type | Advanced distance vector (DUAL) | Link state (Dijkstra SPF) |
| Load balancing | Equal and unequal cost | Equal cost only |
| Path selection metric | Bandwidth + delay (composite) | Cost (based on bandwidth) |
| Area concept | No areas (flat or named mode) | Hierarchical areas required |
| Stub support | Stub router (query limiting) | Stub/NSSA area types |
How It Works
OSPF Stub and NSSA Processing
Consider a topology with Area 0 at the core, Area 1 branching off through an ABR, and Area 2 branching off through a different ABR. When you configure Area 1 as a stub, every router in that area -- both the ABR and the internal routers -- must have the area 1 stub command. Once applied, the ABR filters all Type 5 external LSAs (OE2 routes) from entering the area. Internal routers in Area 1 will no longer see any external destinations but still receive inter-area summaries (LSA 3).
Taking it further, when the ABR is configured with area 1 stub no-summary, it becomes a totally stubby area. Now the ABR also suppresses LSA 3 summaries. Internal routers receive only LSA 1 and LSA 2 (intra-area information) plus a single default route injected by the ABR. This simplifies the routing table dramatically for spoke routers.
NSSA areas work similarly but add a twist: they allow an ASBR inside the area to redistribute external routes as LSA Type 7. These Type 7 LSAs are converted to Type 5 at the ABR boundary. The area 2 nssa command blocks incoming OE2 routes just like a stub, but it permits local redistribution. When the ABR adds area 2 nssa no-summary, it becomes totally NSSA -- blocking both external and inter-area summaries, leaving only LSA 1 and LSA 2 plus a default route.
OSPF Default Route Injection Process
When a router such as R4 serves as the gateway to an external network (for example, toward a server on R5), you first create a static default route pointing to the next hop. Then, under the OSPF process, you enable default-information originate. All OSPF neighbors -- R1, R2, R3 -- will receive the default route and install it in their tables.
If you remove the static default route from R4, the OSPF-advertised default disappears as well because the base variant requires a local default route to exist. To maintain the default advertisement regardless, you use default-information originate always. This guarantees that downstream routers always have a path of last resort.
EIGRP Stub Behavior
When a branch router (BR) is configured with eigrp stub connected, it advertises only its connected networks to hub neighbors. The hub router recognizes the neighbor as a stub peer and suppresses queries toward it. If you examine the hub's neighbor detail output, you will see the line Stub Peer Advertising (CONNECTED SUMMARY) Routes along with the note Suppressing queries. Removing the stub command on the hub side (with no eigrp stub) causes the neighbor relationship to reset -- the adjacency goes down and comes back up as the routers renegotiate their capabilities.
Configuration Example
OSPF Stub and Totally Stubby Area
Configure Area 1 as a stub on all routers within the area (R2 as ABR, R1 and R6 as internal routers):
R2(config)# router ospf 10
R2(config-router)# area 1 stub
R1(config)# router ospf 10
R1(config-router)# area 1 stub
R6(config)# router ospf 10
R6(config-router)# area 1 stub
After applying these commands, verify on R1 and R6 that OE2 routes are no longer present in the routing table. To convert to totally stubby, apply the no-summary keyword on the ABR only:
R2(config)# router ospf 10
R2(config-router)# area 1 stub no-summary
Important: After configuring totally stubby, R1 and R6 will have only intra-area routes (O) and a default route. All inter-area and external routes are replaced by a single default.
OSPF NSSA and Totally NSSA
First remove any existing stub configuration, then configure Area 2 as NSSA. On the ABR (R4):
R4(config)# router ospf 10
R4(config-router)# area 2 nssa
On internal routers R5 and R7:
R5(config)# router ospf 10
R5(config-router)# area 2 nssa
R7(config)# router ospf 10
R7(config-router)# area 2 nssa
Verify on R5 and R7 that OE2 routes are absent. For totally NSSA, add the keyword on the ABR only:
R4(config)# router ospf 10
R4(config-router)# area 2 nssa no-summary
After this change, R5 and R7 will contain only LSA 1 and LSA 2 routes plus a default route.
OSPF Default Route Injection
Create a static default route on R4 toward R5, then advertise it via OSPF:
R4(config)# ip route 0.0.0.0 0.0.0.0 172.16.45.5
R4(config)# router ospf 10
R4(config-router)# default-information originate
Verify the default route appears on R1, R2, and R3:
R2# show ip route ospf
Now remove the static route and observe the effect:
R4(config)# no ip route 0.0.0.0 0.0.0.0 172.16.45.5
The default route disappears from downstream routers. To advertise unconditionally:
R4(config)# router ospf 10
R4(config-router)# default-information originate always
Now R1, R2, and R3 retain the default route even without a local static default on R4.
To provide reachability to R5's loopback, add a specific static route on R4:
R4(config)# ip route 10.5.5.5 255.255.255.255 172.16.45.5
EIGRP Stub Connected
Configure R1 as an EIGRP stub advertising only connected routes:
R1(config)# router eigrp 100
R1(config-router)# eigrp stub connected
R1 will share only its connected routes with neighbors R2, R3, and R4. When a hub router queries for a lost route, it will skip R1 entirely because R1 is a stub peer.
Verify from the hub side using the detailed neighbor command:
HQ2# show ip eigrp neighbor detail
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.3.0.8 Et0/1 13 00:00:30 9 100 0 9
Version 10.0/2.0, Retrans: 0, Retries: 0, Prefixes: 1
Stub Peer Advertising (CONNECTED SUMMARY) Routes
Suppressing queries
Key detail: The output confirms the neighbor is a stub peer advertising CONNECTED and SUMMARY routes, and the hub is suppressing queries toward it.
Removing EIGRP Stub
When you remove the stub configuration from the hub side, the adjacency resets:
HQ2(config-router)# no eigrp stub
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.3.0.8 (Ethernet0/1) is down: peer info changed
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.2.0.8 (Ethernet0/0) is down: peer info changed
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.2.0.8 (Ethernet0/0) is up: new adjacency
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.3.0.8 (Ethernet0/1) is up: new adjacency
Warning: Changing the stub configuration causes neighbor adjacencies to flap. Plan this change during a maintenance window to avoid production impact.
Real-World Application
Hub-and-Spoke Branch Networks
EIGRP stub routing is a staple in enterprise branch designs. A headquarters data center runs as the hub, and dozens or hundreds of branch routers are configured as stubs. Without stub configuration, a single route loss at HQ could trigger queries to every branch -- consuming bandwidth and CPU on WAN links. With stubs in place, the hub knows it should never query a branch, and convergence completes in seconds rather than minutes.
Data Center and Campus OSPF Design
Totally stubby and totally NSSA areas are commonly deployed at campus edges or in data center pods where routers need only a default route to reach the rest of the network. This keeps routing tables small, reduces SPF computation time, and limits the blast radius of topology changes. NSSA is the go-to choice when an edge router must redistribute routes from a non-OSPF domain (such as a static connection to a partner network) while still blocking external LSAs from the core.
Securing Routing Updates
OSPF MD5 authentication should be enabled on all production links, especially across untrusted segments. Area-based authentication is efficient for large areas where every link needs protection. Interface-based authentication gives flexibility when only specific links traverse insecure infrastructure.
Default Route Strategy
Using default-information originate always is common on Internet edge routers that must always serve as the gateway of last resort. The conditional variant (without always) is preferred when the default should only be advertised if upstream connectivity is confirmed by the presence of a learned default route.
Summary
- OSPF stub and totally stubby areas filter external and inter-area LSAs, simplifying routing tables for downstream routers. The
no-summarykeyword on the ABR creates the totally stubby variant. - OSPF NSSA and totally NSSA provide the same filtering as stub areas while allowing local redistribution via LSA Type 7. Totally NSSA adds
no-summaryon the ABR to suppress inter-area summaries. - OSPF default-information originate injects a default route into OSPF; the
alwayskeyword advertises it unconditionally, even without a local default route. - EIGRP stub connected limits a branch router to advertising only connected routes and prevents the hub from sending queries to it, reducing convergence time across the network.
- Changing stub configuration on either OSPF or EIGRP causes adjacency resets -- always plan these changes during scheduled maintenance.
In the next lesson, continue building on these foundations by exploring OSPF route summarization, filtering, and policy-based routing to gain full control over path selection in your enterprise network.