router ospf [pid]
Enables OSPF routing process configuration on the Cisco ASA Firewall.
Overview
The 'router ospf [pid]' command is used on Cisco ASA Firewalls to enter OSPF router configuration mode, where you can define OSPF routing parameters. OSPF (Open Shortest Path First) is a link-state routing protocol that calculates the shortest path to each destination using the Dijkstra algorithm. On ASA, OSPF is commonly used to dynamically exchange routes with internal routers, enabling efficient routing in complex network topologies. Unlike static routing, OSPF adapts to network changes automatically, making it ideal for environments with redundancy or frequent topology changes. On ASA, OSPF configuration differs slightly from IOS: you must use the 'network' command under router ospf to specify which interfaces participate, and you cannot configure OSPF directly on the interface. The command is the first step in OSPF configuration; subsequent commands include 'network', 'area', 'redistribute', and 'authentication'. Understanding OSPF is crucial for troubleshooting routing issues, as misconfigurations can lead to routing loops or black holes.
When to Use This Command
- Enable OSPF on an ASA to dynamically route between internal networks and a DMZ.
- Configure OSPF for route redistribution between OSPF and static routes.
- Set up OSPF authentication to secure routing updates between ASA and upstream routers.
- Troubleshoot OSPF neighbor relationships and route propagation in a multi-area design.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| pid | 1-65535 | The OSPF process ID, a locally significant number that identifies the OSPF process on the ASA. It does not need to match other routers. Multiple OSPF processes can run simultaneously, each with its own routing table. |
Command Examples
Enable OSPF Process 1
router ospf 1
ASA(config)# router ospf 1
ASA(config-router)#
The command enters OSPF router configuration mode for process ID 1. The prompt changes to indicate OSPF subcommands are available.
Enable OSPF Process 100
router ospf 100
ASA(config)# router ospf 100
ASA(config-router)#
Similar to the first example, but with process ID 100. Multiple OSPF processes can run simultaneously.
Understanding the Output
The command itself does not produce output beyond changing the prompt. The prompt changes from 'ASA(config)#' to 'ASA(config-router)#', indicating that subsequent commands will configure OSPF parameters. To see OSPF status, use commands like 'show ospf neighbor' or 'show ospf database'. A healthy OSPF process will show neighbors in FULL state and routes in the routing table. Problematic values include neighbors stuck in INIT or EXSTART, or missing routes.
Configuration Scenarios
Basic OSPF Configuration on ASA
An ASA is connected to an internal router via GigabitEthernet0/1 (10.1.1.0/24) and to a DMZ via GigabitEthernet0/2 (192.168.1.0/24). OSPF is used to advertise both networks.
Topology
ASA (G0/1) --- Router (10.1.1.0/24)
ASA (G0/2) --- DMZ (192.168.1.0/24)
Steps
1. Enter global configuration mode.
2. Enable OSPF process 1.
3. Advertise the inside network in area 0.
4. Advertise the DMZ network in area 0.
! Enable OSPF process 1
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 192.168.1.0 255.255.255.0 area 0
Verify: Use 'show ospf neighbor' to see neighbors; 'show route ospf' to see learned routes.
Watch out: The 'network' command uses wildcard mask, not subnet mask. For example, 10.1.1.0 0.0.0.255 area 0.
Troubleshooting with This Command
When troubleshooting OSPF on ASA, start with 'show ospf neighbor' to verify adjacency. If no neighbors appear, check that interfaces are up/up and that the 'network' statement includes the correct interface IP. Use 'debug ospf events' to see hello packets. Common issues include mismatched area IDs, authentication mismatches, or MTU mismatches. On ASA, OSPF does not support passive interfaces by default; use 'passive-interface default' under router ospf to suppress hellos on unwanted interfaces. Also, ensure that the ASA's routing table has the correct OSPF routes using 'show route ospf'. If routes are missing, check redistribution settings or area types (e.g., stub areas).
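The neighbor-state check described above, as an added example that is not part of the original page: it compares two 'show ospf neighbor' snapshots and reports neighbors that remain in the same unsettled state. The sample output is constructed, and its column layout, the hint texts and all function names are assumptions of this example.

```python
import re

# Constructed 'show ospf neighbor' snapshots taken a minute apart (not real device output).
SNAP_1 = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.2          1   FULL/DR         0:00:35     10.1.1.2        inside
192.168.1.5       1   EXSTART/DR      0:00:31     192.168.1.5     dmz
192.168.1.9       1   2WAY/DROTHER    0:00:38     192.168.1.9     dmz
192.168.1.7       1   INIT/DROTHER    0:00:33     192.168.1.7     dmz
"""
SNAP_2 = SNAP_1.replace("INIT/DROTHER", "2WAY/DROTHER")  # .7 progressed, .5 did not

# First thing to check per state (general OSPF behaviour; wording is this example's own).
HINTS = {
    "INIT": "hellos are one-way: check filtering and authentication settings on both ends",
    "EXSTART": "database exchange cannot start: check for an MTU mismatch",
    "EXCHANGE": "database exchange stalled: check for an MTU mismatch",
}

ROW = re.compile(r"^(\d+(?:\.\d+){3})\s+\d+\s+([A-Z0-9]+)/\s*(\S+)\s+\S+"
                 r"\s+\d+(?:\.\d+){3}\s+(\S+)$")

def parse(output):
    """Map (neighbor ID, interface) -> (state, neighbor role); other lines are skipped."""
    table = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            nbr, state, role, iface = m.groups()
            table[(nbr, iface)] = (state, role)
    return table

def is_settled(state, role):
    # FULL is converged. 2WAY with a DROTHER neighbor is the normal resting state on a
    # broadcast segment when the local device is not DR or BDR either.
    return state == "FULL" or (state == "2WAY" and role == "DROTHER")

def stuck_neighbors(first, second):
    """Neighbors in the same unsettled state in both snapshots, with a first check."""
    before, after = parse(first), parse(second)
    findings = []
    for key, (state, role) in after.items():
        if not is_settled(state, role) and before.get(key, (None,))[0] == state:
            findings.append((key[0], key[1], state, HINTS.get(state, "adjacency incomplete")))
    return findings

if __name__ == "__main__":
    for finding in stuck_neighbors(SNAP_1, SNAP_2):
        print("%s on %s stuck in %s: %s" % finding)
```

A single snapshot cannot separate a neighbor that is still forming from one that is stuck, which is why the check needs two captures spaced by more than one dead interval.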
CCNA Exam Tips
Remember that OSPF process ID is locally significant and does not need to match between routers.
On ASA, OSPF must be enabled globally before configuring interfaces; use 'network' command under router ospf.
ASA supports OSPFv2 only; OSPFv3 is not supported.
Common Mistakes
Forgetting to configure the 'network' command to advertise interfaces, causing no OSPF routes.
Using the same process ID on multiple ASAs without understanding it's local; it's fine but can cause confusion.
Assuming OSPF must also be enabled on the interface with an 'ospf' command under interface configuration; the 'network' statement alone is sufficient.
Platform Notes
On Cisco ASA, OSPF configuration is similar to IOS but with key differences: the 'network' command is mandatory and uses wildcard masks; interface-level OSPF commands like 'ip ospf' are not supported. ASA supports OSPFv2 only. The maximum number of OSPF processes is platform-dependent but typically 2. In ASA version 9.x and later, OSPF can be used with VRF-lite. For equivalent commands on other platforms, on IOS the same 'router ospf' command is used, but interface configuration is done with 'ip ospf' commands. On Juniper, the equivalent is 'set protocols ospf area' under the routing-options hierarchy.