Why is OSPF virtual-link not recommended?

Dears,

I would like your assistance regarding the below, please.

I always read that OSPF virtual-link is not recommended and should not be used.

But why? What is the limitation?

Also, if I used a GRE tunnel instead, will it also be not recommended?

Thanks

BR,

Sherif Ismail


Peter Paluch
Cisco Employee

Hello,

The use of virtual links is generally discouraged simply because if you need to use them, your network does not align to the strict hierarchic model that OSPF requires - all non-backbone areas are physically adjacent to the backbone area and the inter-area communication always goes through the backbone. Judicious usage of virtual links is perfectly fine as long as the virtual links are used only as a temporary measure before the network can be restructured to adhere to the OSPF requirements. However, they are not meant to be deployed permanently because they would then be simply misused as an excuse for a poor network topology.

Virtual links can not be directly compared to GRE tunnels. Virtual links are an internal hack to the OSPF database to make the backbone area appear connected, and they allow the two virtually linked OSPF routers to sync their database in a targeted OSPF adjacency session. However, routed packets are not tunneled. The transit area (i.e. the area over which the virtual link is built) will contain routing information about all areas and external routes, and will therefore be capable of routing packets natively. GRE tunnels, on the other hand, perform tunneling with all the nice and unpleasant effects.

Best regards,

Peter

Thanks Peter for your reply

That is what I read in the documentation, but no one said why technically it is not recommended.

I mean, what are the dangers of not following the recommendation?

A difference I know is that in virtual-link, OSPF packets are sent as unicast and not multicast, but I still don't see this as an issue.

When I compared virtual-link to GRE tunnel, I did so because both accomplish the same role, which is connecting an area to a backbone area via a transit area.

Best Regards

Sherif Ismail

Hello,

To my best knowledge, there are no technical dangers related to using virtual links. You are only losing some advantages given to you by the proper design. For example, the transit area must be a regular area. You can never configure it as stubby or NSSA. Also, should one of the endpoints of the virtual link fail, the backbone will become partitioned again although the network may still be physically connected. Also, area ranges (summarization) that are configured for backbone area will be inactive for a transit area (i.e. networks internal to the backbone will be advertised without summarization into transit areas even if there are area ranges configured for the backbone). There may also be other annoyances that decrease the advantage of having your network split into areas in the first place.

A difference I know is that in virtual-link, OSPF packets are sent as unicast and not multicast, but I still don't see this as an issue.

That is correct - it is necessary in order to establish OSPF adjacency over several hops. Certainly, that is not an issue at all, on the contrary - it is absolutely necessary for the virtual link to come up.

When I compared virtual-link to GRE tunnel, I did so because both accomplish the same role, which is connecting an area to a backbone area via a transit area.

The primary difference is that the GRE tunnel hides the real recipients under the outer IP header. The "transit" area, in that case, does not need to actually know all the prefixes. What it needs, though, is a default route that points towards the backbone. Suboptimal routing may occur, then, because the traffic from the "transit" area must first reach the backbone in order to get GRE-encapsulated and carried again through the "transit" area to the disconnected area.

Once again, the virtual links are not something outright dangerous - if they were, they would not be implemented in OSPF and a part of regular RFC 2328 in the first place. However, their existence could create a false feeling that the network design may be arbitrary and sloppy. Therefore, it is quite good they are not considered something too common.

Best regards,

Peter

WoW ... Thanks Peter for your explanation

One more thing, please. You mentioned:

Suboptimal routing may occur, then, because the traffic from the "transit" area must first reach the backbone in order to get GRE-encapsulated and carried again through the "transit" area to the disconnected area.

I didn't get your point. I would appreciate it if you can verify.

Appreciate your assistance

BR,

Sherif Ismail

Hi,

Imagine you have three areas in a row:

Area 0 --- Area 1 --- Area 2

This would call either for a virtual link through the Area 1, or for a GRE tunnel. Now, if you use a GRE tunnel through Area 1, the Area 1 may not know about routes in Area 2. That could happen if, for example, Area 1 was configured as a totally stubby area, or if the GRE tunnel was already made part of Area 2.

In both those cases, Area 1 would be unaware of the prefixes located in Area 2. If communication between Area 1 and Area 2 should take place, the traffic will need to go from Area 1 to Area 0 (because of the default route), and in Area 0, it will get routed via the GRE tunnel, over the Area 1 again, to the Area 2. The communication in the opposite direction would most probably follow the same suboptimal path - from Area 2 via GRE tunnel to Area 0 and from there to Area 1.

Best regards,

Peter

Thanks Peter

But wouldn't this also be the same case for virtual-link?

As area 2 will advertise its routes to area 0 via virtual-link

Then area 0 will advertise these routes to area 2

So if communication between area 1 & area 2 is needed, area 1 will go to area 0 then to area 2

So in both cases, virtual-link and GRE, suboptimal routing will occur, correct?

Many thanks for your assistance

Best Regards

Sherif Ismail

Hello,

As area 2 will advertise its routes to area 0 via virtual-link

Then area 0 will advertise these routes to area 2

So if communication between area 1 & area 2 is needed, area 1 will go to area 0 then to area 2

Certainly not. Virtual links work differently. A virtual link is a virtual point-to-point interconnection that, within the link state database, always belongs into Area 0 even though it is configured over a different area, and allows its endpoints, the ABRs, to be logically adjacent to Area 0. This virtual link is subsequently used to synchronize the contents of the link state database for Area 0 (recall that each area has its own link-state database). Now, this has to be understood very carefully: Area 0 contains detailed information about its own topology in form of LSA-1 and LSA-2, plus summarized information in form of LSA-3 and LSA-4 about networks and ASBRs in other areas, plus summarized external routing information in form of LSA-5. This means that even if a virtual link is used to connect Area 2 to Area 0 through Area 1, through this virtual link, the synchronization is performed from the viewpoint of the Area 0 - not any other areas!

It is therefore incorrect to say that "area 2 will advertise its routes to area 0 via virtual link", as the virtual link does not belong to area 2 at all. Even though Area 0 will learn about networks in Area 2 via the virtual link, it is not because Area 2 sent them through the virtual link; rather, it is because the ABR between Area 1 and Area 2 took all networks from Area 2, imported them into Area 0 link-state database as LSA-3 and subsequently advertised them via the virtual link.

In the precisely same way, the ABR between Area 1 and Area 2 will take all networks from Area 2 and import them into Area 1 as LSA-3, and vice versa, it will take all networks from Area 1 and import them as LSA-3 into Area 2. This means that the Area 1 will know about all networks in Area 2 and Area 2 will know about all networks in Area 1. Therefore, the suboptimal routing as explained with GRE tunnels will not take place at all because the Area 1 is completely populated with networks from Area 2. This is why I stressed in one of my previous posts that the transit Area 1 must be a regular area and will therefore know all inter-area, intra-area and external routes. Hence, suboptimal routing is not an issue here.

Best regards,

Peter
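
The two options compared in this thread for the Area 0 --- Area 1 --- Area 2 layout, written out as an added Cisco IOS configuration example; it is not part of any post in the thread. The OSPF process number, router IDs, addresses and interface names are constructed for illustration.

```ios
! Constructed topology: Area 0 --- Area 1 --- Area 2
!   ABR1 (router-id 1.1.1.1) borders Area 0 and Area 1
!   ABR2 (router-id 2.2.2.2) borders Area 1 and Area 2
!
! ===== Option A: virtual link through transit Area 1 =====
! Area 1 must remain a regular area (no stub / NSSA).
! Routed packets are NOT tunneled; Area 1 holds LSA-3 for Area 2.
!
! --- ABR1 ---
router ospf 1
 router-id 1.1.1.1
 network 10.0.0.0 0.0.0.255 area 0
 network 10.1.0.0 0.0.0.255 area 1
 ! argument is the router ID of the far-end ABR, not an interface address
 area 1 virtual-link 2.2.2.2
!
! --- ABR2 ---
router ospf 1
 router-id 2.2.2.2
 network 10.1.1.0 0.0.0.255 area 1
 network 10.2.0.0 0.0.0.255 area 2
 area 1 virtual-link 1.1.1.1
!
! Check on either ABR:
!   show ip ospf virtual-links
!   show ip ospf neighbor
!
! ===== Option B: GRE tunnel placed in Area 0 (instead of Option A) =====
! Data packets toward Area 2 are GRE-encapsulated at ABR1, so traffic
! from Area 1 may first travel to Area 0 and back through Area 1.
!
! --- ABR1 ---
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 10.1.0.1
 tunnel destination 10.1.1.2
 ip ospf 1 area 0
!
! --- ABR2 ---
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source 10.1.1.2
 tunnel destination 10.1.0.1
 ip ospf 1 area 0
```

With Option B the tunnel endpoints must stay reachable through Area 1 itself; if the route to the tunnel destination is ever learned through the tunnel, the tunnel goes down.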

Thanks Peter

Thanks for the discussion, but if using a Virtual Link is not the answer, what is the Cisco recommended workaround for connecting 2 OSPF networks? (Obviously this would not be intended to be a permanent solution, but if you are the I.T. guy, your boss wants an answer on how to implement this now.)

Virtual links can not be directly compared to GRE tunnels. Virtual links are an internal hack to the OSPF database to make the backbone area appear connected, and they allow the two virtually linked OSPF routers to sync their database in a targeted OSPF adjacency session. However, routed packets are not tunneled. The transit area (i.e. the area over which the virtual link is built) will contain routing information about all areas and external routes, and will therefore be capable of routing packets natively. GRE tunnels, on the other hand, perform tunneling with all the nice and unpleasant effects.


@Peter Paluch @Sherif Atef Ahmed Ismail 


If capability transit is enabled, though!


As per RFC 2328, 

TransitCapability        
This parameter indicates whether the area can carry data traffic
that neither originates nor terminates in the area itself.

which in Cisco IOS, by default, is enabled, in which case (as per RFC 2328, section 16.3.),

the actual path the transit data traffic takes does not follow the
virtual link. In other words, virtual links allow transit traffic
to be forwarded through an area, but do not dictate the precise
path that the traffic will take.


It can be disabled, though, with the (config-router)# no capability transit router mode command.


Best,
S.u.l.t.a.n

Hi.

The answers are pretty straightforward.

But Why ? What is the limitation ?

There is no limitation; however, when you are going to use a Virtual Link it means we have a bad network setup. A virtual link is used as a rescue when we don't follow the OSPF rule that all non-backbone areas should have direct connectivity to a backbone area.

Also If I used GRE tunnel instead, will it also be not recommended ?

You can use GRE also instead of a virtual link. There is no limitation.

Please do not hesitate to click the STAR button if you are satisfied with my answer.