Cisco IOS Security Command Reference: Commands S to Z, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
show parameter-map type consent through show users
Downloads: This chapterpdf (PDF - 376.0KB) The complete bookPDF (PDF - 1.45MB) | Feedback

show parameter-map type consent through show users

show parameter-map type consent through show users

show port-security

To display information about the port-security setting in EXEC command mode, use the show port-security command.

show port-security [ interface interface interface-number ]

show port-security [ interface interface interface-number ] { address | vlan }

Syntax Description

interface interface

(Optional) Specifies the interface type; possible valid values are ethernet, fastethernet, gigabitethernet, and longreachethernet.

interface-number

Interface number. Valid values are 1 to 6.

address

Displays all the secure MAC addresses that are configured on all the switch interfaces or on a specified interface with aging information for each address.

vlan

Virtual LAN.

Command Default

This command has no default settings.

Command Modes


EXEC

Command History

Release

Modification

12.2(14)SX

Support for this command was introduced on the Supervisor Engine 720.

12.2(17d)SXB

Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.

12.2(18)SXE

The address keyword was added to display the maximum number of MAC addresses configured per VLAN on a trunk port on the Supervisor Engine 720 only.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.(33)SRA.

Usage Guidelines

The vlan keyword is supported on trunk ports only and displays per-Vlan maximums set on a trunk port.

The interface-number argument designates the module and port number. Valid values for interface-number depend on the specified interface type and the chassis and module that are used. For example, if you specify a Gigabit Ethernet interface and have a 48-port 10/100BASE-T Ethernet module that is installed in a 13-slot chassis, valid values for the module number are from 1 to 13 and valid values for the port number are from 1 to 48.

Examples

This example shows the output from the show port-security command when you do not enter any options:

Router# show port-security
Secure Port      MaxSecureAddr  CurrentAddr  SecurityViolation  Security
Action
                    (Count)        (Count)      (Count)
----------------------------------------------------------------------------
 
     Fa5/1           11            11            0            Shutdown
     Fa5/5           15            5             0            Restrict
     Fa5/11          5             4             0            Protect
----------------------------------------------------------------------------
 
Total Addresses in System: 21
Max Addresses limit in System: 128
Router# 

This example shows how to display port-security information for a specified interface:

Router# show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0
Router# 

This example show how to display all the secure MAC addresses that are configured on all the switch interfaces or on a specified interface with aging information for each address:

Router# show port-security address
Default maximum: 10 
VLAN Maximum Current 
1    5       3 
2    4       4 
3    6       4
Router#

Related Commands

Command

Description

clear port-security

Deletes configured secure MAC addresses and sticky MAC addresses from the MAC address table.

 
       

show privilege

To display your current level of privilege, use the show privilege command in EXEC mode.

show privilege

Syntax Description

This command has no arguments or keywords.

Command Modes


EXEC

Command History

Release

Modification

10.3

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Examples

The following example shows sample output from the show privilege command. The current privilege level is 15.

Router# show privilege
Current privilege level is 15

Related Commands

Command

Description

enable password

Sets a local password to control access to various privilege levels.

enable secret

Specifies an additional layer of security over the enable password command.

show radius statistics

To display the RADIUS statistics for accounting and authentication packets, use the show radius statistics command in user EXEC or privileged EXEC mode.

show radius statistics

Syntax Description

This command has no arguments or keywords.

Command Modes


User EXEC (>)
Privileged EXEC (#)

Command History

Release

Modification

12.1(3)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

15.1(1)S

This command was integrated into Cisco IOS Release 15.1(1)S. Support for the CISCO-RADIUS-EXT-MIB was added.

15.1(4)M

This command was modified. Support for the CISCO-RADIUS-EXT-MIB was added.

Examples

The following is sample output from the show radius statistics command:

Router# show radius statistics
                                Auth.      Acct.       Both
Maximum inQ length:              NA         NA        1
Maximum waitQ length:            NA         NA        2
Maximum doneQ length:            NA         NA        1
Total responses seen:            33         67        100
Packets with responses:          33         67        100
Packets without responses:       0          0         0
Access Rejects           :       0
Average response delay(ms) :     1331       124       523
Maximum response delay(ms):      5720       4800      5720
Number of Radius timeouts:       8          2         10
Duplicate ID detects:            0          0          0
Buffer Allocation Failures:      0          0          0
Maximum Buffer Size (bytes):     156        327        327
Malformed Responses        :     0          0          0
Bad Authenticators         :     0          0          0
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:
1645/33
1646/69

The table below describes significant fields shown in the display.

Table 1 show radius statistics Field Descriptions

Field

Description

Auth.

Statistics for authentication packets.

Acct.

Statistics for accounting packets.

Both

Combined statistics for authentication and accounting packets.

Maximum inQ length

Maximum number of entries allowed in the queue that holds the RADIUS messages not yet sent.

Maximum waitQ length

Maximum number of entries allowed in the queue that holds the RADIUS messages that have been sent and are waiting for a response.

Maximum doneQ length

Maximum number of entries allowed in the queue that holds the messages that have received a response and will be forwarded to the code that is waiting for the messages.

Total responses seen

Number of RADIUS responses seen from the server. In addition to the expected packets, the number includes repeated packets and packets that do not have a matching message in the waitQ.

Packets with responses

Number of packets that received a response from the RADIUS server.

Packets without responses

Number of packets that never received a response from any RADIUS server.

Access Rejects

Number of times access requests have been rejected by a RADIUS server.

Average response delay

Average time, in milliseconds (ms), from when the packet was first transmitted to when it received a response. If the response timed out and the packet was sent again, this value includes the timeout. If the packet never received a response, this value is not included in the average.

Maximum response delay

Maximum delay, in ms, observed while gathering the average response delay information.

Number of RADIUS timeouts

Number of times a server did not respond and the RADIUS server re-sent the packet.

Duplicate ID detects

RADIUS has a maximum of 255 unique IDs. In some instances, there can be more than 255 outstanding packets. When a packet is received, the doneQ is searched from the oldest entry to the youngest. If the IDs are the same, further techniques are used to see if this response matches this entry. If this response does not match, the duplicate ID detect counter is increased.

Buffer Allocation Failures

Number of times the buffer failed to get allocated.

Maximum Buffer Size (bytes)

Displays the maximum size of the buffer.

Malformed Responses

Number of corrupted responses, mostly due to bad authenticators.

Bad Authenticators

Number of authentication failures due to shared secret mismatches.

Source Port Range: (2 ports only)

Displays the port numbers.

Last used Source Port/Identifier

Ports that were last used by the RADIUS server for authentication.

The fields in the output are mapped to Simple Network Management Protocol (SNMP) objects in the CISCO-RADIUS-EXT-MIB and are used in SNMP reporting. The first line of the report is mapped to the CISCO-RADIUS-EXT-MIB as follows:

  • Maximum inQ length maps to creClientTotalMaxInQLength
  • Maximum waitQ length maps to creClientTotalMaxWaitQLength
  • Maximum doneQ length maps to creClientTotalMaxDoneQLength

The field "Both" in the output can be derived from the authentication and accounting MIB objects. The calculation formula for each field, as displayed in the output, is given in the table below.

Table 2 Calculation Formula for the Both field in show radius statistics Command Output

show radius statistics Command Output Data

Calculation Formula for the Both Field

Maximum inQ length

creClientTotalMaxInQLength

Maximum waitQ length

creClientTotalWaitQLength

Maximum doneQ length

creClientDoneQLength

Total responses seen

creAuthClientTotalResponses + creAcctClientTotalResponses

Packets with responses

creAuthClientTotalPacketsWithResponses + creAcctClientTotalPacketsWithResponses

Packets without responses

creAuthClientTotalPacketsWithoutResponses + creAcctClientTotalPacketsWithoutResponses

Access Rejects

creClientTotalAccessRejects

Average response delay

creClientAverageResponseDelay

Maximum response delay

MAX(creAuthClientMaxResponseDelay, creAcctClientMaxResponseDelay)

Number of RADIUS timeouts

creAuthClientTimeouts + creAcctClientTimeouts

Duplicate ID detects

creAuthClientDupIDs + creAcctClientDupIDs

Buffer Allocation Failures

creAuthClientBufferAllocFailures + creAcctClientBufferAllocFailures

Maximum Buffer Size (bytes)

MAX(creAuthClientMaxBufferSize, creAcctClientMaxBufferSize)

Malformed Responses

creAuthClientMalformedResponses + creAcctClientMalformedResponses

Bad Authenticators

creAuthClientBadAuthenticators + creAcctClientBadAuthenticators

Mapping the following set of objects listed in the CISCO-RADIUS-EXT-MIB map to fields displayed by the show radius statisticscommand is straightforward. For example, the creClientLastUsedSourcePort field corresponds to the Last used Source Port/Identifier portion of the report, creAuthClientBufferAllocFailures corresponds to the Buffer Allocation Failures for authentication packets, creAcctClientBufferAllocFailure corresponds to the Buffer Allocation Failures for accounting packets, and so on.

  • creClientTotalMaxInQLength
  • creClientTotalMaxWaitQLength
  • creClientTotalMaxDoneQLength
  • creClientTotalAccessRejects
  • creClientTotalAverageResponseDelay
  • creClientSourcePortRangeStart
  • creClientSourcePortRangeEnd
  • creClientLastUsedSourcePort
  • creClientLastUsedSourceId
  • creAuthClientBadAuthenticators
  • creAuthClientUnknownResponses
  • creAuthClientTotalPacketsWithResponses
  • creAuthClientBufferAllocFailures
  • creAuthClientTotalResponses
  • creAuthClientTotalPacketsWithoutResponses
  • creAuthClientAverageResponseDelay
  • creAuthClientMaxResponseDelay
  • creAuthClientMaxBufferSize
  • creAuthClientTimeouts
  • creAuthClientDupIDs
  • creAuthClientMalformedResponses
  • creAuthClientLastUsedSourceId
  • creAcctClientBadAuthenticators
  • creAcctClientUnknownResponses
  • creAcctClientTotalPacketsWithResponses
  • creAcctClientBufferAllocFailures
  • creAcctClientTotalResponses
  • creAcctClientTotalPacketsWithoutResponses
  • creAcctClientAverageResponseDelay
  • creAcctClientMaxResponseDelay
  • creAcctClientMaxBufferSize
  • creAcctClientTimeouts
  • creAcctClientDupIDs
  • creAcctClientMalformedResponses
  • creAcctClientLastUsedSourceId
 
       

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http:/​/​www.cisco.com/​go/​mibs .

Related Commands

Command

Description

radius-server host

Specifies a RADIUS server host.

radius-server retransmit

Specifies how many times the Cisco IOS software searches the list of RADIUS server hosts before giving up.

radius-server timeout

Sets the interval for which a router waits for a server host to reply.

show ssh

To display the status of Secure Shell (SSH) server connections on the router, use the show ssh command in user EXEC or privileged EXEC mode.

show ssh vty [ssh-number]

Syntax Description

vty

Displays virtual terminal line (VTY) connection details.

ssh-number

(Optional) The number of SSH server connections on the router. Range is from 0 to 1510. The default value is 0.

Command Modes


User Exec (>)
Privileged EXEC (#)

Command History

Release

Modification

12.1(15)T

This command was introduced.

12.2(33)SRA

This command was modified. It was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXI

This command was modified. It was integrated into Cisco IOS Release 12.2(33)SXI.

Cisco IOS XE Release 2.1

This command was modified. It was integrated into Cisco IOS XE Release 2.1.

Usage Guidelines

Use the show ssh command to display the status of the SSH connections on your router. This command does not display any SSH configuration data. Use the show ip ssh command for SSH configuration information such as timeouts and retries.

Examples

The following is sample output from the show ssh command with SSH enabled:

Router# show ssh
Connection     Version      Encryption     State                 Username
0               1.5         3DES           Session Started        guest

The table below describes the significant fields shown in the display.

Table 3 show ssh Field Descriptions

Field

Description

Connection

Number of SSH connections on the router.

Version

Version number of the SSH terminal.

Encryption

Type of transport encryption.

State

The status of SSH connection to indicate if the session has started or stopped.

Username

Uesrname to log in to the SSH.

Related Commands

Command

Description

show ip ssh

Displays version and configuration data for SSH.