Cisco ASA Series Command Reference, S Commands
show nac-policy -- show ospf virtual-links
Downloads: This chapterpdf (PDF - 308.0KB) The complete bookPDF (PDF - 9.19MB) | The complete bookePub (ePub - 793.0KB) | The complete bookMobi (Mobi - 2.91MB) | Feedback

Table of Contents

show nac-policy through show ospf virtual-links Commands

show nac-policy

show nameif

show nat

show nat divert-table

show nat pool

show ntp associations

show ntp status

show object-group

show ospf

show ospf border-routers

show ospf database

show ospf flood-list

show ospf interface

show ospf neighbor

show ospf request-list

show ospf retransmission-list

show ospf summary-address

show ospf traffic

show ospf virtual-links

show nac-policy through show ospf virtual-links Commands

show nac-policy

To show the NAC policy usage statistics and the assignment of NAC policies to group policies, use the show nac-policy command in privileged EXEC mode.

show nac-policy [ nac-policy-name ]

 
Syntax Description

nac-policy-name

(Optional) Name of the NAC policy for which to display usage statistics.

 
Defaults

If you do not specify a name, the CLI lists all NAC policy names along with their respective statistics.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

Examples

The following example shows the data for the NAC policies named framework1 and framework2:

ciscoasa(config)# show nac-policy
nac-policy framework1 nac-framework
applied session count = 0
applied group-policy count = 2
group-policy list: GroupPolicy2 GroupPolicy1
nac-policy framework2 nac-framework is not in use.
 

The first line of each NAC policy indicates its name and type (nac-framework). The CLI shows the text “is not in use” next to the policy type if the policy is not assigned to any group policies. Otherwise, the CLI displays the usage data for the group policy. Table 10-1 explains the fields in the show nac-policy command.

 

Table 10-1 show nac-policy Command Fields

Field
Description

applied session count

Cumulative number of VPN sessions to which this ASA applied the NAC policy.

applied group-policy count

Cumulative number of group polices to which this ASA applied the NAC policy.

group-policy list

List of group policies to which this NAC policy is assigned. In this case, the usage of a group policy does not determine whether it appears in this list; if the NAC policy is assigned to a group policy in the running configuration, then the group policy appears in this list.

 
Related Commands

clear nac-policy

Resets the NAC policy usage statistics.

show vpn-session.db

Displays information about VPN sessions, including NAC results.

show vpn-session_summary.db

Displays the number IPSec, Cisco WebVPN, and NAC sessions.

show nameif

To view the interface name set using the nameif command, use the show nameif command in privileged EXEC mode.

show nameif [ physical_interface [ . subinterface ] | mapped_name ]

 
Syntax Description

mapped_name

(Optional) In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.

physical_interface

(Optional) Identifies the interface ID, such as gigabit ethernet0/1 . See the interface command for accepted values.

subinterface

(Optional) Identifies an integer between 1 and 4294967293 designating a logical subinterface.

 
Defaults

If you do not specify an interface, the ASA shows all interface names.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

In multiple context mode, if you mapped the interface ID in the allocate-interface command, you can only specify the mapped name in a context. The output for this command shows only the mapped name in the Interface column.

Examples

The following is sample output from the show nameif command:

ciscoasa# show nameif
Interface Name Security
GigabitEthernet0/0 outside 0
GigabitEthernet0/1 inside 100
GigabitEthernet0/2 test2 50

 
Related Commands

Command
Description

allocate-interface

Assigns interfaces and subinterfaces to a security context.

interface

Configures an interface and enters interface configuration mode.

nameif

Sets the interface name.

show interface ip brief

Shows the interface IP address and status.

show nat

To display statistics of NAT policies, use the show nat command in privileged EXEC mode.

show nat [ interface name ] [ ip_ addr mask | { object | object-group } name ] [ translated [ interface name ] [ ip_ addr mask | { object | object-group } name ]] [ detail ] [ divert-table [ ipv6 ] [ interface name ]]

 
Syntax Description

detail

(Optional) Includes more verbose expansion of the object fields.

divert-table

(Optional) Shows the NAT divert table.

interface name

(Optional) Specifies the source interface.

ip_addr mask

(Optional) Specifies an IP address and subnet mask.

ipv6

(Optional) Shows IPv6 entries in the divert table.

object name

(Optional) Specifies a network object or service object.

object-group name

(Optional) Specifies a network object group

translated

(Optional) Specifies the translated parameters.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.3(1)

This command was introduced.

9.0(1)

This command now supports IPv6 traffic, as well as translations between IPv4 and IPv6.

 
Usage Guidelines

Use the show nat command to show runtime representation of the NAT policy. Use the detail optional keyword to expand the object and view the object values. Use the additional selector fields to limit the show nat command output.

Examples

The following is sample output from the show nat command:

ciscoasa# show nat
Manual NAT Policies (Section 1)
1 (any) to (any) source dynamic S S' destination static D' D
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic A 2.2.2.2
translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (any) to (any) source dynamic C C' destination static B' B service R R'
translate_hits = 0, untranslate_hits = 0
 
ciscoasa# show nat detail
Manual NAT Policies (Section 1)
1 (any) to (any) source dynamic S S' destination static D' D
translate_hits = 0, untranslate_hits = 0
Source - Real: 1.1.1.2/32, Mapped: 2.2.2.3/32
Destination - Real: 10.10.10.0/24, Mapped: 20.20.20.0/24
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic A 2.2.2.2
translate_hits = 0, untranslate_hits = 0
Source - Real: 1.1.1.1/32, Mapped: 2.2.2.2/32
Manual NAT Policies (Section 3)
1 (any) to (any) source dynamic C C' destination static B' B service R R'
translate_hits = 0, untranslate_hits = 0
Source - Real: 11.11.11.10-11.11.11.11, Mapped: 192.168.10.10/32
Destination - Real: 192.168.1.0/24, Mapped: 10.75.1.0/24
Service - Real: tcp source eq 10 destination eq ftp-data , Mapped: tcp source eq
100 destination eq 200
 

The following is sample output from the show nat detail command between IPv6 and IPv4:

ciscoasa# show nat detail
1 (in) to (outside) source dynamic inside_nw outside_map destination static inside_map any
translate_hits = 0, untranslate_hits = 0
Source - Origin: 2001::/96, Translated: 192.168.102.200-192.168.102.210
Destination - Origin: 2001::/96, Translated: 0.0.0.0/0
 

The following is sample output from the show nat divert ipv6 command:

ciscoasa# show nat divert ipv6
Divert Table
id=0xcb9ea518, domain=divert-route
type=static, hits=0, flags=0x21, protocol=0
src ip/id=2001::/ffff:ffff:ffff:ffff:ffff:ffff::, port=0-0
dst ip/id=2001::/ffff:ffff:ffff:ffff:ffff:ffff::, port=0-0
input_ifc=in, output_ifc=outside
id=0xcf24d4b8, domain=divert-route
type=static, hits=0, flags=0x20, protocol=0
src ip/id=::/::, port=0-0
dst ip/id=2222::/ffff:ffff:ffff:ffff:ffff:ffff::, port=0-0
input_ifc=in, output_ifc=mgmt
 

 
Related Commands

Command
Description

clear nat counters

Clears NAT policy counters.

nat

Identifies addresses on one interface that are translated to mapped addresses on another interface.

show nat divert-table

To display statistics of NAT divert table, use the show nat divert-table command in privileged EXEC mode.

show nat divert-table [ ipv6 ] [ interface name ]

 
Syntax Description

divert-table

Shows the NAT divert table.

ipv6

(Optional) Shows IPv6 entries in the divert table.

interface name

(Optional) Specifies the source interface.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

This command was introduced.

 
Usage Guidelines

Use the show nat divert-table command to show runtime representation of the NAT divert table. Use the ipv6 optional keyword to view the IPv6 entries in the divert table. Use the interface optional keyword to view the NAT divert table for the specific source interface.

Examples

The following is sample output from the show nat divert-table command:

ciscoasa# show nat divert-table
Divert Table
id=0xad1521b8, domain=twice-nat section=1 ignore=no
type=none, hits=0, flags=0x9, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0-0
dst ip/id=10.86.119.255, mask=255.255.255.255, port=0-0
input_ifc=outside, output_ifc=NP Identity Ifc
id=0xad1523a8, domain=twice-nat section=1 ignore=no
type=none, hits=0, flags=0x9, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0-0
dst ip/id=10.86.116.0, mask=255.255.255.255, port=0-0
input_ifc=outside, output_ifc=NP Identity Ifc
id=0xad1865c0, domain=twice-nat section=1 ignore=no
type=none, hits=0, flags=0x9, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0-0
dst ip/id=192.168.255.255, mask=255.255.255.255, port=0-0
input_ifc=amallio-wizard, output_ifc=NP Identity Ifc
id=0xad1867b0, domain=twice-nat section=1 ignore=no
type=none, hits=0, flags=0x9, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0-0
dst ip/id=192.168.0.0, mask=255.255.255.255, port=0-0
input_ifc=amallio-wizard, output_ifc=NP Identity Ifc
id=0xad257bf8, domain=twice-nat section=1 ignore=no
type=none, hits=0, flags=0x9, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0-0
dst ip/id=172.27.48.255, mask=255.255.255.255, port=0-0
input_ifc=folink, output_ifc=NP Identity Ifc
id=0xad257db8, domain=twice-nat section=1 ignore=no
type=none, hits=0, flags=0x9, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0-0
dst ip/id=172.27.48.0, mask=255.255.255.255, port=0-0
input_ifc=folink, output_ifc=NP Identity Ifc
 

 
Related Commands

Command
Description

clear nat counters

Clears NAT policy counters.

nat

Identifies addresses on one interface that are translated to mapped addresses on another interface.

show nat

Displays runtime representation of the NAT policies.

show nat pool

To display statistics of NAT pool usage, use the show nat pool command in privileged EXEC mode.

show nat pool [ cluster ]

 
Syntax Description

cluster

(Optional) When ASA clustering is enabled, shows the current assignment of a PAT address to the owner unit and backup unit.

 
Defaults

This command has no default settings.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.3(1)

This command was introduced.

8.4(3)

The output was modified to show the destination address for extended PAT. The PAT range was also modified depending on the use of the flat and include-reserve keywords.

9.0(1)

This command now supports IPv6 traffic. We added the cluster keyword to show the current assignment of a PAT address to the owner unit and backup unit.

 
Usage Guidelines

A NAT pool is created for each mapped protocol/IP address/port range, where the port ranges are 1-511, 512-1023, and 1024-65535 by default. If you use the flat keyword for a PAT pool in the nat command, you will see fewer, larger ranges.

Each NAT pool exists for at least 10 minutes after the last usage. The 10 minute hold-down timer is canceled if you clear the translations with clear xlate .

Examples

The following is sample output for the NAT pools created by a dynamic PAT rule shown by the show running-config object network command.

ciscoasa(config)# show running-config object network
object network myhost
host 10.10.10.10
nat (pppoe2,inside) dynamic 10.76.11.25
 
ciscoasa# show nat pool
TCP inside, address 10.76.11.25, range 1-511, allocated 0
TCP inside, address 10.76.11.25, range 512-1023, allocated 0
TCP inside, address 10.76.11.25, range 1024-65535, allocated 1
 

The following is sample output from the show nat pool command showing use of the PAT pool flat option. Without the include-reserve keyword, two ranges are shown; the lower range is used when a source port below 1024 is mapped to the same port.

ciscoasa# show nat pool
 
ICMP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-65535, allocated 2
TCP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-1024, allocated 0
TCP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1024-65535, allocated 2
UDP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-1024, allocated 0
UDP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1024-65535, allocated 2
 

The following is sample output from the show nat pool command showing use of the PAT pool flat include-reserve options.

ciscoasa# show nat pool
 
ICMP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-65535, allocated 2
TCP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-65535, allocated 2
UDP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-65535, allocated 2
 

The following is sample output from the show nat pool command showing use of the PAT pool extended flat include-reserve options. The important items are the parenthetical addresses. These are the destination addresses used to extend PAT.

ICMP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-65535, allocated 0
ICMP PAT pool outside:dynamic-pat, address 172.16.2.200(172.16.2.99), range 1-65535, allocated 2
TCP PAT pool outside:dynamic-pat, address 172.16.2.200(172.16.2.100), range 1-65535, allocated 1
UDP PAT pool outside:dynamic-pat, address 172.16.2.200(172.16.2.100), range 1-65535, allocated 1
TCP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-65535, allocated 0
ICMP PAT pool outside:dynamic-pat, address 172.16.2.200(172.16.2.100), range 1-65535, allocated 1
TCP PAT pool outside:dynamic-pat, address 172.16.2.200(172.16.2.99), range 1-65535, allocated 2
UDP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-65535, allocated 0
 

 
Related Commands

Command
Description

nat

Identifies addresses on one interface that are translated to mapped addresses on another interface.

show nat

Displays NAT policy statistics.

show ntp associations

To view NTP association information, use the show ntp associations command in user EXEC mode.

show ntp associations [ detail ]

 
Syntax Description

detail

(Optional) Shows additional details about each association.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

See the “Examples” section for a description of the display output.

Examples

The following is sample output from the show ntp associations command:

ciscoasa> show ntp associations
address ref clock st when poll reach delay offset disp
~172.31.32.2 172.31.32.1 5 29 1024 377 4.2 -8.59 1.6
+~192.168.13.33 192.168.1.111 3 69 128 377 4.1 3.48 2.3
*~192.168.13.57 192.168.1.111 3 32 128 377 7.9 11.18 3.6
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
 

Table 10-2 shows each field description.

 

Table 10-2 show ntp associations Fields

Field
Description

(leading characters in display lines)

The first characters in a display line can be one or more of the following characters:

  • * —Synchronized to this peer.
  • # —Almost synchronized to this peer.
  • + —Peer selected for possible synchronization.
  • - —Peer is a candidate for selection.
  • ~ —Peer is statically configured, but not synchronized.

address

The address of the NTP peer.

ref clock

The address of the reference clock of the peer.

st

The stratum of the peer.

when

The time since the last NTP packet was received from the peer.

poll

The polling interval (in seconds).

reach

The peer reachability (as a bit string, in octal).

delay

The round-trip delay to the peer (in milliseconds).

offset

The relative time of the peer clock to the local clock (in milliseconds).

disp

The dispersion value.

 

The following is sample output from the show ntp associations detail command:

ciscoasa> show ntp associations detail
172.23.56.249 configured, our_master, sane, valid, stratum 4
ref ID 172.23.56.225, time c0212639.2ecfc9e0 (20:19:05.182 UTC Fri Feb 22 2002)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 38.04 msec, root disp 9.55, reach 177, sync dist 156.021
delay 4.47 msec, offset -0.2403 msec, dispersion 125.21
precision 2**19, version 3
org time c02128a9.731f127b (20:29:29.449 UTC Fri Feb 22 2002)
rcv time c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)
xmt time c02128a9.6b3f729e (20:29:29.418 UTC Fri Feb 22 2002)
filtdelay = 4.47 4.58 4.97 5.63 4.79 5.52 5.87 0.00
filtoffset = -0.24 -0.36 -0.37 0.30 -0.17 0.57 -0.74 0.00
filterror = 0.02 0.99 1.71 2.69 3.66 4.64 5.62 16000.0
 

Table 10-3 shows each field description.

 

Table 10-3 show ntp associations detail Fields

Field
Description

IP-address configured

The server (peer) IP address.

(status)

  • our_master—The ASA is synchronized to this peer.
  • selected—Peer is selected for possible synchronization.
  • candidate—Peer is a candidate for selection.

(sanity)

  • sane—The peer passes basic sanity checks.
  • insane—The peer fails basic sanity checks.

(validity)

  • valid—The peer time is believed to be valid.
  • invalid—The peer time is believed to be invalid.
  • leap_add—The peer is signalling that a leap second will be added.
  • leap-sub—The peer is signalling that a leap second will be subtracted.

stratum

The stratum of the peer.

(reference peer)

unsynced—The peer is not synchronized to any other machine.

ref ID—The address of the machine that the peer is synchronized to.

time

The last time stamp the peer received from its master.

our mode client

Our mode relative to the peer, which is always client.

peer mode server

The mode of the peer relative to the server.

our poll intvl

Our poll interval to the peer.

peer poll intvl

The peer poll interval to us.

root delay

The delay along the path to the root (ultimate stratum 1 time source).

root disp

The dispersion of the path to the root.

reach

The peer reachability (as a bit string in octal).

sync dist

The peer synchronization distance.

delay

The round-trip delay to the peer.

offset

The offset of the peer clock relative to our clock.

dispersion

The dispersion of the peer clock.

precision

The precision of the peer clock (in hertz).

version

The NTP version number that the peer is using.

org time

The originate time stamp.

rcv time

The receive time stamp.

xmt time

The transmit time stamp.

filtdelay

The round-trip delay (in milliseconds) of each sample.

filtoffset

The clock offset (in milliseconds) of each sample.

filterror

The approximate error of each sample.

 
Related Commands

Command
Description

ntp authenticate

Enables NTP authentication.

ntp authentication-key

Sets an encrypted authentication key to synchronize with an NTP server.

ntp server

Identifies an NTP server.

ntp trusted-key

Provides a key ID for the ASA to use in packets for authentication with an NTP server.

show ntp status

Shows the status of the NTP association.

show ntp status

To show the status of each NTP association, use the show ntp status command in user EXEC mode.

show ntp status

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

See the “Examples” section for a description of the display output.

Examples

The following is sample output from the show ntp status command:

ciscoasa> show ntp status
Clock is synchronized, stratum 5, reference is 172.23.56.249
nominal freq is 99.9984 Hz, actual freq is 100.0266 Hz, precision is 2**6
reference time is c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)
clock offset is -0.2403 msec, root delay is 42.51 msec
root dispersion is 135.01 msec, peer dispersion is 125.21 msec
 

Table 10-4 shows each field description.

 

Table 10-4 show ntp status Fields

Field
Description

Clock

  • synchronized—The ASA is synchronized to an NTP server.
  • unsynchronized—The ASA is not synchronized to an NTP server.

stratum

NTP stratum of this system.

reference

The address of the NTP server to which the ASA is synchronized.

nominal freq

The nominal frequency of the system hardware clock.

actual freq

The measured frequency of the system hardware clock.

precision

The precision of the clock of this system (in hertz).

reference time

The reference time stamp.

clock offset

The offset of the system clock to the synchronized peer.

root delay

The total delay along the path to the root clock.

root dispersion

The dispersion of the root path.

peer dispersion

The dispersion of the synchronized peer.

 
Related Commands

Command
Description

ntp authenticate

Enables NTP authentication.

ntp authentication-key

Sets an encrypted authentication key to synchronize with an NTP server.

ntp server

Identifies an NTP server.

ntp trusted-key

Provides a key ID for the ASA to use in packets for authentication with an NTP server.

show ntp associations

Shows the NTP servers with which the ASA is associated.

show object-group

To display object group information and the relevant hit count if the object group is of the network object-group type, use the show object-group command in privileged EXEC mode.

show object-group [ protocol | service | icmp-type | id object-group name]

 
Syntax Description

icmp-type

(Optional) An ICMP-type object group.

id

(Optional) Identifies the existing object group.

object-group name

(Optional) Assigns a given name to the object group.

protocol

(Optional) Protocol-type object group.

service

(Optional) Service-type object.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.3(1)

This command was introduced.

 
Usage Guidelines

A routine attempt to show object groups also shows the object hit count if the object group is of the network object-group type. Hit counts do not display for service, protocol, and icmp-type object groups.

Examples

The following is sample output from the show object-group command and shows information about the network object group named “Anet”:

ciscoasa# show object-group id Anet
Object-group network Anet (hitcnt=10)
Description OBJ SEARCH ALG APPLIED
network-object 1.1.1.0 255.255.255.0 (hitcnt=4)
network-object 2.2.2.0 255.255.255.0 (hitcnt=6)
 

The following is sample output from the show object-group command and shows information about a service group:

ciscoasa (config)# show object-group service
object-group service B-Serobj
description its a service group
service-object tcp eq bgp
 
object-group protocol C-grp-proto
protocol-object ospf
 

The following is sample output from the show object-group command and shows information about a protocol:

ciscoasa (config)# show object-group protocol
object-group protocol C-grp-proto
protocol-object ospf

 
Related Commands

Command
Description

clear object-group

Clears the network objects hit count for a given object group.

show access list

Shows all access lists, relevant expanded access list entries, and hit counts.

show ospf

To display the general information about the OSPF routing processes, use the show ospf command in privileged EXEC mode.

show ospf [ pid [ area_id ] ]

 
Syntax Description

area_id

(Optional) ID of the area that is associated with the OSPF address range.

pid

(Optional) The ID of the OSPF process.

 
Defaults

Lists all OSPF processes if no pid is specified.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

Multiple context mode is supported.

 
Usage Guidelines

If the pid is included, only information for the specified routing process is included.

Examples

The following is sample output from the show ospf command, showing how to display general information about a specific OSPF routing process:

ciscoasa# show ospf 5
Routing Process "ospf 5" with ID 127.0.0.1 and Domain ID 0.0.0.5
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x 0
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 0. 0 normal 0 stub 0 nssa
External flood list length 0
 

The following is sample output from the show ospf command, showing how to display general information about all OSPF routing processes:

ciscoasa# show ospf
Routing Process "ospf 5" with ID 127.0.0.1 and Domain ID 0.0.0.5
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x 0
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 0. 0 normal 0 stub 0 nssa
External flood list length 0
 
Routing Process "ospf 12" with ID 172.23.59.232 and Domain ID 0.0.0.12
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x 0
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 0. 0 normal 0 stub 0 nssa
External flood list length 0
 

 
Related Commands

Command
Description

router ospf

Enables OSPF routing and configures global OSPF routing parameters.

show ospf border-routers

To display the internal OSPF routing table entries to ABRs and ASBRs, use the show ospf border-routers command in privileged EXEC mode.

show ospf border-routers

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

Multiple context mode is supported.

Examples

The following is sample output from the show ospf border-routers command:

ciscoasa# show ospf border-routers
 
OSPF Process 109 internal Routing Table
 
Codes: i - Intra-area route, I - Inter-area route
 
i 192.168.97.53 [10] via 192.168.1.53, fifth, ABR, Area 0, SPF 20
i 192.168.103.51 [10] via 192.168.96.51, outside, ASBR, Area 192.168.12.0, SPF 14
i 192.168.103.52 [10] via 192.168.96.51, outside, ABR/ASBR, Area 192.168.12.0, SPF 14
 

 
Related Commands

Command
Description

router ospf

Enables OSPF routing and configures global OSPF routing parameters.

show ospf database

To display the information contained in the OSPF topological database on the ASA, use the show ospf database command in privileged EXEC mode.

show ospf [ pid [ area_id ]] database [ router | network | summary | asbr-summary | external | nssa-external ] [ lsid ] [ internal ] [ self-originat e | adv-router addr ]

show ospf [ pid [ area_id ]] database database-summary

 
Syntax Description

addr

(Optional) Router address.

adv-router

(Optional) Advertised router.

area_id

(Optional) ID of the area that is associated with the OSPF address range.

asbr-summary

(Optional) Displays an ASBR list summary.

database

Displays the database information.

database-summary

(Optional) Displays the complete database summary list.

external

(Optional) Displays routes external to a specified autonomous system.

internal

(Optional) Routes that are internal to a specified autonomous system.

lsid

(Optional) LSA ID.

network

(Optional) Displays the OSPF database information about the network.

nssa-external

(Optional) Displays the external not-so-stubby-area list.

pid

(Optional) ID of the OSPF process.

router

(Optional) Displays the router.

self-originate

(Optional) Displays the information for the specified autonomous system.

summary

(Optional) Displays a summary of the list.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

Multiple context mode is supported.

 
Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the ASA. You do not need to be in an OSPF configuration mode to use the OSPF-related show commands.

Examples

The following is sample output from the show ospf database command:

ciscoasa# show ospf database
OSPF Router with ID(192.168.1.11) (Process ID 1)
 
Router Link States(Area 0)
Link ID ADV Router Age Seq# Checksum Link count
192.168.1.8 192.168.1.8 1381 0x8000010D 0xEF60 2
192.168.1.11 192.168.1.11 1460 0x800002FE 0xEB3D 4
192.168.1.12 192.168.1.12 2027 0x80000090 0x875D 3
192.168.1.27 192.168.1.27 1323 0x800001D6 0x12CC 3
 
Net Link States(Area 0)
Link ID ADV Router Age Seq# Checksum
172.16.1.27 192.168.1.27 1323 0x8000005B 0xA8EE
172.17.1.11 192.168.1.11 1461 0x8000005B 0x7AC
 
Type-10 Opaque Link Area Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Opaque ID
10.0.0.0 192.168.1.11 1461 0x800002C8 0x8483 0
10.0.0.0 192.168.1.12 2027 0x80000080 0xF858 0
10.0.0.0 192.168.1.27 1323 0x800001BC 0x919B 0
10.0.0.1 192.168.1.11 1461 0x8000005E 0x5B43 1
 

The following is sample output from the show ospf database asbr-summary command:

ciscoasa# show ospf database asbr-summary
OSPF Router with ID(192.168.239.66) (Process ID 300)
Summary ASB Link States(Area 0.0.0.0)
Routing Bit Set on this LSA
LS age: 1463
Options: (No TOS-capability)
LS Type: Summary Links(AS Boundary Router)
Link State ID: 172.16.245.1 (AS Boundary Router address)
Advertising Router: 172.16.241.5
LS Seq Number: 80000072
Checksum: 0x3548
Length: 28
Network Mask: 0.0.0.0
TOS: 0 Metric: 1
 

The following is sample output from the show ospf database router command:

ciscoasa# show ospf database router
OSPF Router with id(192.168.239.66) (Process ID 300)
Router Link States(Area 0.0.0.0)
Routing Bit Set on this LSA
LS age: 1176
Options: (No TOS-capability)
LS Type: Router Links
Link State ID: 10.187.21.6
Advertising Router: 10.187.21.6
LS Seq Number: 80002CF6
Checksum: 0x73B7
Length: 120
AS Boundary Router
Number of Links: 8
Link connected to: another Router (point-to-point)
(link ID) Neighboring Router ID: 10.187.21.5
(Link Data) Router Interface address: 10.187.21.6
Number of TOS metrics: 0
TOS 0 Metrics: 2
 

The following is sample output from the show ospf database network command:

ciscoasa# show ospf database network
OSPF Router with id(192.168.239.66) (Process ID 300)
Displaying Net Link States(Area 0.0.0.0)
LS age: 1367
Options: (No TOS-capability)
LS Type: Network Links
Link State ID: 10.187.1.3 (address of Designated Router)
Advertising Router: 192.168.239.66
LS Seq Number: 800000E7
Checksum: 0x1229
Length: 52
Network Mask: 255.255.255.0
Attached Router: 192.168.239.66
Attached Router: 10.187.241.5
Attached Router: 10.187.1.1
Attached Router: 10.187.54.5
Attached Router: 10.187.1.5
 

The following is sample output from the show ospf database summary command:

ciscoasa# show ospf database summary
OSPF Router with id(192.168.239.66) (Process ID 300)
Displaying Summary Net Link States(Area 0.0.0.0)
LS age: 1401
Options: (No TOS-capability)
LS Type: Summary Links(Network)
Link State ID: 10.187.240.0 (summary Network Number)
Advertising Router: 10.187.241.5
LS Seq Number: 80000072
Checksum: 0x84FF
Length: 28
Network Mask: 255.255.255.0 TOS: 0 Metric: 1
 

The following is sample output from the show ospf database external command:

ciscoasa# show ospf database external
OSPF Router with id(192.168.239.66) (Autonomous system 300)
 
Displaying AS External Link States
LS age: 280
Options: (No TOS-capability)
LS Type: AS External Link
Link State ID: 172.16.0.0 (External Network Number)
Advertising Router: 10.187.70.6
LS Seq Number: 80000AFD
Checksum: 0xC3A
Length: 36
Network Mask: 255.255.0.0
 
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1
Forward Address: 0.0.0.0
External Route Tag: 0
 

 
Related Commands

Command
Description

router ospf

Enables OSPF routing and configures global OSPF routing parameters.

show ospf flood-list

To display a list of OSPF LSAs waiting to be flooded over an interface, use the show ospf flood-list command in privileged EXEC mode.

show ospf flood-list interface_name

 
Syntax Description

interface_name

The name of the interface for which to display neighbor information.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

Multiple context mode is supported.

 
Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the ASA. You do not need to be in an OSPF configuration mode to use the OSPF-related show commands.

Examples

The following is sample output from the show ospf flood-list command:

ciscoasa# show ospf flood-list outside
 
Interface outside, Queue length 20
Link state flooding due in 12 msec
Type LS ID ADV RTR Seq NO Age Checksum
5 10.2.195.0 192.168.0.163 0x80000009 0 0xFB61
5 10.1.192.0 192.168.0.163 0x80000009 0 0x2938
5 10.2.194.0 192.168.0.163 0x80000009 0 0x757
5 10.1.193.0 192.168.0.163 0x80000009 0 0x1E42
5 10.2.193.0 192.168.0.163 0x80000009 0 0x124D
5 10.1.194.0 192.168.0.163 0x80000009 0 0x134C
 

 
Related Commands

Command
Description

router ospf

Enables OSPF routing and configures global OSPF routing parameters.

show ospf interface

To display the OSPF-related interface information, use the show ospf interface command in privileged EXEC mode.

show ospf interface [ interface_name ]

 
Syntax Description

interface_name

(Optional) Name of the interface for which to display the OSPF-related information.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

Multiple context mode is supported.

 
Usage Guidelines

When used without the interface_name argument, the OSPF information for all interfaces is shown.

Examples

The following is sample output from the show ospf interface command:

ciscoasa# show ospf interface outside
out is up, line protocol is up
Internet Address 10.0.3.4 mask 255.255.255.0, Area 0
Process ID 2, Router ID 10.0.3.4, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State WAITING, Priority 1
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10 msec, Dead 1, Wait 1, Retransmit 5
Hello due in 5 msec
Wait time before Designated router selection 0:00:11
Index 1/1, flood queue length 0
Next 0x00000000(0)/0x00000000(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)

 
Related Commands

Command
Description

interface

Enters interface configuration mode.

show ospf neighbor

To display the OSPF-neighbor information on a per-interface basis, use the show ospf neighbor command in privileged EXEC mode.

show ospf neighbor [ detail | interface_name [ nbr_router_id ]]

 
Syntax Description

detail

(Optional) Lists detail information for the specified router.

interface_name

(Optional) Name of the interface for which to display neighbor information.

nbr_router_id

(Optional) Router ID of the neighbor router.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

Multiple context mode is supported.

Examples

The following is sample output from the show ospf neighbor command. It shows how to display the OSPF-neighbor information on a per-interface basis.

ciscoasa# show ospf neighbor outside
 
Neighbor 192.168.5.2, interface address 10.225.200.28
In the area 0 via interface outside
Neighbor priority is 1, State is FULL, 6 state changes
DR is 10.225.200.28 BDR is 10.225.200.30
Options is 0x42
Dead timer due in 00:00:36
Neighbor is up for 00:09:46
Index 1/1, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
 

 
Related Commands

Command
Description

neighbor

Configures OSPF routers interconnecting to non-broadcast networks.

router ospf

Enables OSPF routing and configures global OSPF routing parameters.

show ospf request-list

To display a list of all LSAs that are requested by a router, use the show ospf request-list command in privileged EXEC mode.

show ospf request-list nbr_router_id interface_name

 
Syntax Description

interface_name

Name of the interface for which to display neighbor information. Displays the list of all LSAs that are requested by the router from this interface.

nbr_router_id

Router ID of the neighbor router. Displays the list of all LSAs that are requested by the router from this neighbor.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

Multiple context mode is supported.

Examples

The following is sample output from the show ospf request-list command:

ciscoasa# show ospf request-list 192.168.1.12 inside
 
OSPF Router with ID (192.168.1.11) (Process ID 1)
Neighbor 192.168.1.12, interface inside address 172.16.1.12
 
Type LS ID ADV RTR Seq NO Age Checksum
1 192.168.1.12 192.168.1.12 0x8000020D 8 0x6572
 

 
Related Commands

Command
Description

show ospf retransmission-list

Displays a list of all LSAs waiting to be resent.

show ospf retransmission-list

To display a list of all LSAs waiting to be resent, use the show ospf retransmission-list command in privileged EXEC mode.

show ospf retransmission-list nbr_router_id interface_name

 
Syntax Description

interface_name

Name of the interface for which to display neighbor information.

nbr_router_id

Router ID of the neighbor router.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

Multiple context mode is supported.

 
Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the ASA. You do not need to be in an OSPF configuration mode to use the OSPF-related show commands.

The nbr_router_id argument displays the list of all LSAs that are waiting to be resent for this neighbor.

The interface_name argument displays the list of all LSAs that are waiting to be resent for this interface.

Examples

The following is sample output from the show ospf retransmission-list command, where the nbr_router_id argument is 192.168.1.11 and the if_name argument is outside:

ciscoasa# show ospf retransmission-list 192.168.1.11 outside
 
OSPF Router with ID (192.168.1.12) (Process ID 1)
 
Neighbor 192.168.1.11, interface outside address 172.16.1.11
Link state retransmission due in 3764 msec, Queue length 2
Type LS ID ADV RTR Seq NO Age Checksum
1 192.168.1.12 192.168.1.12 0x80000210 0 0xB196
 

 
Related Commands

Command
Description

show ospf request-list

Displays a list of all LSAs that are requested by a router.

show ospf summary-address

To display a list of all summary address redistribution information that is configured under an OSPF process, use the show ospf summary-address command in privileged EXEC mode.

show ospf summary-address

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

Multiple context mode is supported.

Examples

The following shows sample output from the show ospf summary-address command. It shows how to display a list of all summary address redistribution information before a summary address has been configured for an OSPF process with the ID of 5.

ciscoasa# show ospf 5 summary-address
 
OSPF Process 2, Summary-address
 
10.2.0.0/255.255.0.0 Metric -1, Type 0, Tag 0
10.2.0.0/255.255.0.0 Metric -1, Type 0, Tag 10
 

 
Related Commands

Command
Description

summary-address

Creates aggregate addresses for OSPF.

show ospf traffic

To display a list of different types of packets that have been processed (sent or received) by a particular OSPF instance, use the show ospf traffic command in privileged EXEC mode. With this command, you can get a snapshot of the different types of OSPF packets that are being being processed without enabling debugging. If there are two OSPF instances configured, the show ospf traffic command displays the statistics for both instances with the process ID of each instance. You can also display the statistics for a single instance by using the sho w ospf process_id traffic command.

show ospf traffic

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

9.0(1)

This command was introduced.

 
Usage Guidelines

With this command, you can get a snapshot of the different types of OSPF packets that are being being processed without enabling debugging. If there are two OSPF instances configured, the show ospf traffic command displays the statistics for both instances with the process ID of each instance. You can also display the statistics for a single instance by using the show ospf process_id traffic command.

Examples

The following shows sample output from the show ospf traffic command.

ciscoasa# show ospf traffic
 
OSPF statistics (Process ID 70):
 
Rcvd: 244 total, 0 checksum errors
234 hello, 4 database desc, 1 link state req
3 link state updates, 2 link state acks
Sent: 485 total
472 hello, 7 database desc, 1 link state req
3 link state updates, 2 link state acks

 
Related Commands

Command
Description

show ospf virtual-links

Displays the parameters and the current state of OSPF virtual links.

show ospf virtual-links

To display the parameters and the current state of OSPF virtual links, use the show ospf virtual-links command in privileged EXEC mode.

show ospf virtual-links

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

Multiple context mode is supported.

Examples

The following is sample output from the show ospf virtual-links command:

ciscoasa# show ospf virtual-links
 
Virtual Link to router 192.168.101.2 is up
Transit area 0.0.0.1, via interface Ethernet0, Cost of using 10
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 0:00:08
Adjacency State FULL
 

 
Related CommandsYesYesYes

Command
Description

area virtual-link

Defines an OSPF virtual link.