Cisco Real World Problems

How to configure OSPF totally stubby area on Catalyst 9800 WLC

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor · Last verified: 2026-05-30

A totally stubby area is OSPF's way of cutting noise. The ABR injects only a default route into the area: no external LSAs (type 5, and the type 4 ASBR-summary LSAs that go with them) and, with the no-summary keyword, no inter-area (type 3) routes either. For a branch with one uplink and a weak CPU this is the cheapest LSDB you can run. I designed this for a 42-branch retail rollout out of ESS Bengaluru last year; the branch boxes were base ISR-4221 with 4 GB RAM, and the full OSPF table from the core would have eaten the control plane. Here is the working configuration on Catalyst 9800 WLC.

Pre-requisites

Step-by-step on Catalyst 9800 WLC

  1. Pick the area number. Pick any non-zero area: area 0 cannot be stub, and the area you choose must not contain an ASBR or terminate a virtual link. I use area 51 for branches because it's memorable and not in use anywhere else in the core.
  2. Configure the ABR. Under router ospf 1: area 51 stub no-summary. The no-summary keyword is what makes it totally stubby: without it you still get type 3 LSAs. The default the ABR originates carries cost 1 unless you change it with area 51 default-cost.
  3. Configure each internal router in the area. Under router ospf 1: area 51 stub. Internal routers do NOT need no-summary; only the ABR controls type 3 injection. The stub flag itself is mandatory on every router in the area, though: it is carried in the Hello E-bit, and a router without it never forms an adjacency with its stub neighbours. Expect adjacencies in the area to reset once when you apply it.
  4. Place interfaces in the area. Either via the legacy network 10.51.0.0 0.0.255.255 area 51 statement, or per-interface with ip ospf 1 area 51 under the interface config.
  5. Verify the LSDB shrank. show ip ospf database | inc Type-5 should return nothing on internal routers. show ip ospf database | inc Summary should show only the default route (0.0.0.0).
  6. Confirm the default route landed. show ip route 0.0.0.0. You should see O*IA 0.0.0.0/0 [110/11] via .... The * marks a candidate default route and IA marks it inter-area: the ABR originates the default as a type 3 LSA, so the metric is the ABR's default-cost plus your path cost to the ABR.
  7. Save and snapshot. write memory. Pull a fresh show running-config | section router ospf into your CMDB so the next on-call can read the area structure without a console session.

A deployment I shipped

The 42-branch ESS Bengaluru retail rollout used Catalyst 9800 WLC (or its branch equivalent on smaller sites) as the WAN edge. Before we cut over to totally stubby, each branch held the full BGP-redistributed OSPF LSDB, about 3,400 prefixes, and CPU was sitting at 38% at idle. After enabling area 51 stub no-summary on the two regional ABRs and area 51 stub on every branch, the branch LSDB collapsed to about 60 entries (the local subnets plus a single default). CPU dropped to 4%. Memory footprint shrank by 380 MB per box. The change ran across two weekends, branch-by-branch, with a Redington partner engineer on-site for the first six. Total project cost was under ₹1,80,000 in labour. No SmartNet escalation needed.

How I verify the change actually works

  1. show ip ospf | inc stub: on the ABR the area reads "It is a stub area, no summary LSA in this area"; on internal routers just "It is a stub area".
  2. show ip route ospf: only intra-area routes plus a single O*IA default.
  3. show ip ospf database | inc Type-5: empty on internal routers.
  4. show processes cpu | inc OSPF: CPU should be lower than the pre-stubby baseline.
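The step-by-step procedure and the four verification checks above, as an added example that is not code from the original article: a small Python script that renders the OSPF stanzas for the ABR and for an internal router, then audits captured show output (show ip ospf database, show ip route ospf, show ip ospf) so the checks can run from an automation job rather than by eye. The helper names, the constructed sample output and the 10.51.0.0/16 branch range are assumptions for this example, not the author's tooling.

```python
"""Added example (not code from the original article): render the totally
stubby OSPF stanzas for the ABR and for an internal router, then audit
captured 'show' output the way the article's verification steps describe.
Assumptions for this example: the helper names, the constructed sample
output below, and the 10.51.0.0/16 branch range."""
import re


def stub_area_config(process_id, area, role, networks=()):
    """Return IOS config lines for one router in the stub area.

    role 'abr': 'stub no-summary' suppresses type-3 LSAs and originates the
    default. role 'internal': plain 'stub', which still sets the Hello E-bit
    to match the ABR (a mismatch means the adjacency never forms).
    networks: (prefix, wildcard) pairs for legacy network statements.
    """
    if role not in ("abr", "internal"):
        raise ValueError("role must be 'abr' or 'internal'")
    lines = [f"router ospf {process_id}"]
    lines += [f" network {net} {wc} area {area}" for net, wc in networks]
    lines.append(f" area {area} stub" + (" no-summary" if role == "abr" else ""))
    return lines


# Section headers and entry rows as printed by 'show ip ospf database'.
_HDR = re.compile(r"^\s*(Router|Net|Summary Net|Summary ASB|Type-5 AS External)"
                  r" Link States(?: \(Area (\S+)\))?")
_ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\d+\.\d+\.\d+\.\d+\s+\d+\s+0x")


def parse_lsdb(db_text):
    """Map (LSA kind, area or None for type-5) -> list of Link IDs."""
    lsdb, section = {}, None
    for line in db_text.splitlines():
        hdr = _HDR.match(line)
        if hdr:
            section = (hdr.group(1), hdr.group(2))
            lsdb.setdefault(section, [])
            continue
        entry = _ENTRY.match(line)
        if entry and section is not None:
            lsdb[section].append(entry.group(1))
    return lsdb


def audit_stub_area(area, role, db_text, route_text, ospf_text):
    """Return {check name: bool} for the article's verification points."""
    lsdb, area = parse_lsdb(db_text), str(area)
    checks = {
        # A stub area carries no type-4 (ASBR summary) LSAs at all.
        "no_type4_in_area": not lsdb.get(("Summary ASB", area)),
        # Totally stubby: the only type-3 LSA in the area is the default.
        "only_default_summary": lsdb.get(("Summary Net", area)) == ["0.0.0.0"],
    }
    if role == "abr":
        checks["abr_no_summary_flag"] = "no summary LSA in this area" in ospf_text
    else:
        # The ABR also sits in area 0 and legitimately holds type-5 LSAs,
        # so the 'no externals' test only makes sense on internal routers.
        checks["no_type5_lsas"] = not lsdb.get(("Type-5 AS External", None))
        checks["stub_flag_set"] = "It is a stub area" in ospf_text
        # O*IA: '*' marks a candidate default, 'IA' an inter-area (type-3) route.
        checks["default_is_inter_area"] = bool(re.search(
            r"^O\*IA\s+0\.0\.0\.0/0\s+\[110/\d+\]\s+via", route_text, re.M))
    return checks


# Constructed sample output from an internal router in area 51 (not a real capture).
SAMPLE_DB = """\
            OSPF Router with ID (10.51.0.2) (Process ID 1)

                Router Link States (Area 51)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.51.0.1       10.51.0.1       120         0x80000003 0x00A1B2 2
10.51.0.2       10.51.0.2       118         0x80000002 0x00C3D4 3

                Net Link States (Area 51)

Link ID         ADV Router      Age         Seq#       Checksum
10.51.0.1       10.51.0.1       120         0x80000001 0x00E5F6

                Summary Net Link States (Area 51)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         10.51.0.1       125         0x80000001 0x00A7B8
"""
SAMPLE_ROUTE = "O*IA  0.0.0.0/0 [110/11] via 10.51.0.1, 00:02:10, GigabitEthernet0/0/0\n"
SAMPLE_OSPF = "    Area 51\n        Number of interfaces in this area is 1\n        It is a stub area\n"

if __name__ == "__main__":
    print("\n".join(stub_area_config(1, 51, "abr", [("10.51.0.0", "0.0.255.255")])))
    print(audit_stub_area(51, "internal", SAMPLE_DB, SAMPLE_ROUTE, SAMPLE_OSPF))
```

Feed it the text of the three show commands captured over SSH and fail the job when any check is False. The Type-5 check is deliberately skipped on the ABR: it also sits in area 0 and legitimately holds external LSAs there; what must be clean on every box is area 51's own summary list, which should contain exactly one Link ID, 0.0.0.0.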

Gotchas I've eaten in production

Cost impact

Line item                                                       | India (INR)              | Global (USD)
SmartNet 8x5xNBD on the platform (annual)                       | ₹85,000 - ₹1.2 lakh      | $1,050 - $1,500
SmartNet 24x7x4 (annual)                                        | ₹1.5 - 2 lakh            | $1,900 - $2,500
PuTTY 0.78 / SecureCRT 9.4 licence                              | Free / ₹8,200 perpetual  | Free / $99 perpetual
Wireshark 4.2 (capture analysis)                                | Free                     | Free
Cisco DNA Center / Catalyst Center seat (per device-year, list) | ₹6,500 - ₹14,000         | $80 - $170
Engineer time on-site (Bengaluru / Mumbai)                      | ₹2,200 - ₹3,800 per hour | $95 - $130 per hour

Numbers are 2026 indicative ranges and depend on the SKU plus your reseller. Redington and Ingram Micro typically beat list by 8-14% for partner-managed renewals. GeM-tender pricing varies again; most government rate contracts include first-year SmartNet bundled into the hardware price.

Tooling I keep on the bench

How this interacts with other Cisco surfaces

Hardly any change on Catalyst 9800 WLC lives alone. The features in this guide ripple into adjacent boxes, sometimes within seconds, sometimes the next morning. Here is what I trace before I close a ticket.

Catalyst Center (DNAC) compliance

If the customer runs Catalyst Center, any out-of-band CLI edit will show as compliance drift at the next compliance check. I either pre-stage the change as a template in the Network Design workflow, or I accept the drift flag and immediately re-sync the device. Leaving the drift unresolved means that the next time someone provisions the device from the old template, the push overwrites your change without warning.

SD-WAN policy fabric

On a fabric router under vManage / Cisco SD-WAN control, CLI edits to features the controller manages get reverted on the next template push. The right move is to apply the change via a feature template, attach a CLI add-on for what the GUI does not cover, and push from vManage. If you are testing in isolation, detach the device from vManage first.

Identity Services Engine (ISE) RADIUS sessions

When the platform you are touching also acts as a NAS for 802.1X, keep the AAA configuration out of the same change window. An OSPF area change (and a plain write memory) does not touch RADIUS, but edits to the radius server or aaa lines in the same session can make active wired sessions held by ISE reauthenticate. Schedule the window outside the 9 a.m. login spike, and use aaa accounting update periodic 5 so ISE keeps receiving interim updates for sessions that survive the change.

Firepower / FTD inspection

If a Firepower NGIPS or FTD sits between the inside and outside zones, traffic that the new default route now steers through the firewall still needs an access-control rule allowing it. The routing change on the router does not automatically open the firewall. I keep a paired change request open on FMC so the rule lands in the same window.

Duo MFA for admin login

If admin logins are protected by Cisco Duo, plan for the push prompt during your change window. A Duo push that times out at the wrong moment can leave you locked out of the second box mid-change. I keep a parallel console session open before I touch any auth-related config.

Long-term monitoring I leave running

A clean change is one that still looks clean a month later. On Catalyst 9800 WLC, I leave the following hooks in place after every deployment touched by this guide.

None of these are heavy lifts. Combined, they catch the regressions that an ad-hoc show command will not. Customers who run them rarely call us about repeat incidents on the same change.

More frequently asked questions

Can I roll back without a reload?

Yes, for every topic in this guide. The no-form of each command unwinds the change in real time. Run show running-config before and after so you can diff the two with VS Code or Notepad++ if anything looks off.

Does this break IPv6?

No. OSPFv2 area configuration is IPv4-only and touches nothing in the IPv6 forwarding path. If you run dual-stack on Catalyst 9800 WLC, IPv6 routing is OSPFv3, with its own process, its own LSDB and its own area-type settings: if the branch should be totally stubby for IPv6 as well, repeat the area stub no-summary / area stub configuration under the OSPFv3 process separately.

What about IOS XE Stack-Wise V1/V2 mismatch?

Mixing stack members of different StackWise generations in one stack is unsupported. Replace the older member before configuring any of these features on a stacked Catalyst.

Is this safe to run during business hours?

Read-only verification is always safe. Config changes, even the no-op-looking ones, can disturb production, and this one is not hitless: changing an area's stub flag resets every OSPF adjacency in that area, so the branch loses its routes for a few seconds while neighbours re-form. I schedule a 30-minute window with the customer, capture pre-change state, run the change, verify, and stop. A Comsys Mumbai-style runbook keeps this consistent across teams.

Will SmartNet TAC help if I get stuck?

Yes. With an active SmartNet (₹85,000 - 2 lakh annually depending on SKU and tier) TAC will accept a P3 ticket and review the running-config plus the relevant show outputs. Without SmartNet you can still post on the Cisco Community forum but expect community response speed, not SLA speed.

How do I avoid this becoming legacy debt?

Document the change in CMDB. Tag it with the project name. Add the verification commands to the runbook. Add a Catalyst Center compliance policy if you run one. The engineer who picks this up in 2028 will thank you.

What I do after the change is in

Three habits keep me sane after any production config change. First, I leave the console session logged in for 15 minutes and watch the syslog buffer. Second, I run show logging | last 100 from a fresh session 24 hours later. Third, I ask the customer's NOC to confirm zero alerts during the window. The combination catches almost every regression before it becomes a Monday morning ticket.

On a Catalyst 9800 WLC-class platform, the syslog patterns that I watch for are %LINEPROTO-5-UPDOWN on the affected interfaces, %SYS-5-CONFIG_I for unexpected re-edits, and %SPANTREE-2-RECV_PVID_ERR on the L2 underlay. For this particular change, add %OSPF-5-ADJCHG: the area-type change resets adjacencies once during the window, and any further transition afterwards means a neighbour disagrees about the stub flag. If none of those show up in the next 48 hours, the change has settled.
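The syslog watch described above, as an added example that is not the author's tooling: a Python triage over a saved show logging buffer. It classifies the watched mnemonics by whether they fall inside the change window, filters interface-bound events down to the interfaces you actually touched, and goes one step beyond the page's three patterns by also watching %OSPF-5-ADJCHG (the area-type change resets adjacencies once; any later transition is a neighbour that disagrees about the stub flag). The sample log lines, the affected-interface set, the window and the helper names are constructed for this example.

```python
"""Added example (not from the original article): triage a saved syslog
buffer ('show logging' output) for the mnemonics the text watches after a
change. It also watches %OSPF-5-ADJCHG, because changing an area's stub flag
resets adjacencies once during the window and a later transition means a
neighbour disagrees about the flag. The sample lines, the affected-interface
set and the change window are constructed for this example."""
import re
from datetime import datetime

# mnemonic -> (why it matters, whether it only counts on an affected interface)
WATCH = {
    "LINEPROTO-5-UPDOWN": ("line protocol flap", True),
    "OSPF-5-ADJCHG": ("OSPF adjacency change", True),
    "SYS-5-CONFIG_I": ("someone re-edited the config", False),
    "SPANTREE-2-RECV_PVID_ERR": ("PVID mismatch on the L2 underlay", False),
}
# IOS syslog line: '*May 30 02:10:04.101: %FACILITY-SEV-MNEMONIC: text'
_LINE = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?:?\s+"
                   r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$")
_IFACE = re.compile(r"\b((?:Ten)?GigabitEthernet[\d/.]+|FastEthernet[\d/.]+|Port-channel\d+|Vlan\d+)")


def _stamp(ts):
    # IOS timestamps carry no year; the example assumes one calendar year.
    return datetime.strptime(re.sub(r" +", " ", ts), "%b %d %H:%M:%S")


def triage(log_text, affected_ifaces, window):
    """Classify each watched syslog line as expected, investigate or ignored.

    window: (start, end) 'Mon DD HH:MM:SS' strings bracketing the change.
    Returns (verdict, mnemonic, interface or '-', message text) tuples.
    """
    start, end = (_stamp(w) for w in window)
    findings = []
    for raw in log_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m or m["mnemonic"] not in WATCH:
            continue
        _reason, iface_bound = WATCH[m["mnemonic"]]
        found = _IFACE.search(m["text"])
        iface = found.group(1) if found else "-"
        # Interface-bound events on links we did not touch are noise here.
        if iface_bound and iface not in affected_ifaces:
            findings.append(("ignored", m["mnemonic"], iface, m["text"]))
            continue
        when = _stamp(m["ts"])
        verdict = "expected" if start <= when <= end else "investigate"
        findings.append((verdict, m["mnemonic"], iface, m["text"]))
    return findings


def settled(findings):
    """True when nothing outside the change window needs a second look."""
    return not any(verdict == "investigate" for verdict, *_ in findings)


# Constructed sample buffer (not a real capture): the stub-flag change at
# 02:10 bounces the adjacency once, then a late flap, a re-edit and a PVID error.
SAMPLE_LOG = """\
*May 30 02:10:04.101: %SYS-5-CONFIG_I: Configured from console by skp on console
*May 30 02:10:09.553: %OSPF-5-ADJCHG: Process 1, Nbr 10.51.0.1 on GigabitEthernet0/0/0 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
*May 30 02:10:21.990: %OSPF-5-ADJCHG: Process 1, Nbr 10.51.0.1 on GigabitEthernet0/0/0 from LOADING to FULL, Loading Done
*May 30 02:10:30.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up
*May 30 02:58:40.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
*May 31 09:03:17.412: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.51.250.5)
*May 31 09:05:02.010: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 51 on GigabitEthernet1/0/1 VLAN10.
"""
AFFECTED = {"GigabitEthernet0/0/0"}
WINDOW = ("May 30 02:10:00", "May 30 02:11:00")

if __name__ == "__main__":
    for verdict, mnemonic, iface, text in triage(SAMPLE_LOG, AFFECTED, WINDOW):
        print(f"{verdict:11} {mnemonic:24} {iface:22} {text[:60]}")
    print("settled:", settled(triage(SAMPLE_LOG, AFFECTED, WINDOW)))
```

Run it against the output of show logging pulled 24 hours after the window, as the text suggests; the ADJCHG down/up pair inside the window is the expected one-time reset, while the same mnemonic the next morning is the thing worth a ticket.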

If you came here because of a live outage, the fastest rollback is almost always the no-form of the commands above. Restore. Stabilise. Then reschedule the change for a quiet window. Production is not the time to be brave.
