Cisco ASA Series Command Reference
show scansafe -- show switch vlan

Table of Contents

show scansafe through show switch vlan Commands

show scansafe server

show scansafe statistics

show service-policy

show shared license

show shun

show sip

show skinny

show sla monitor configuration

show sla monitor operational-state

show snmp-server engineid

show snmp-server group

show snmp-server statistics

show snmp-server user

show software authenticity file

show ssh sessions

show ssl

show startup-config

show sunrpc-server active

show switch mac-address-table

show switch vlan

show scansafe through show switch vlan Commands

show scansafe server

To show the status of the Cloud Web Security proxy servers, use the show scansafe server command in privileged EXEC mode.

show scansafe server

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode            Firewall Mode               Security Context
                        Routed      Transparent     Single      Multiple
                                                                Context     System

Global configuration

 
Command History

Release
Modification

9.0(1)

We introduced this command.

 
Usage Guidelines

This command shows the status of the server, whether it is the current active server, the backup server, or unreachable.

Examples

The following is sample output from the show scansafe server command:

hostname# show scansafe server
ciscoasa# Primary: proxy197.scansafe.net (72.37.244.115) (REACHABLE)*
ciscoasa# Backup: proxy137.scansafe.net (80.254.152.99)
 

 
Related Commands

Command
Description

class-map type inspect scansafe

Creates an inspection class map for whitelisted users and groups.

default user group

Specifies the default username and/or group if the ASA cannot determine the identity of the user coming into the ASA.

http [ s ] (parameters)

Specifies the service type for the inspection policy map, either HTTP or HTTPS.

inspect scansafe

Enables Cloud Web Security inspection on the traffic in a class.

license

Configures the authentication key that the ASA sends to the Cloud Web Security proxy servers to indicate from which organization the request comes.

match user group

Matches a user or group for a whitelist.

policy-map type inspect scansafe

Creates an inspection policy map so you can configure essential parameters for the rule and also optionally identify the whitelist.

retry-count

Enters the retry counter value, which is the amount of time that the ASA waits before polling the Cloud Web Security proxy server to check its availability.

scansafe

In multiple context mode, allows Cloud Web Security per context.

scansafe general-options

Configures general Cloud Web Security server options.

server { primary | backup }

Configures the fully qualified domain name or IP address of the primary or backup Cloud Web Security proxy servers.

show conn scansafe

Shows all Cloud Web Security connections, as noted by the capital Z flag.

show scansafe statistics

Shows total and current http connections.

user-identity monitor

Downloads the specified user or group information from the AD agent.

whitelist

Performs the whitelist action on the class of traffic.

show scansafe statistics

To show information about Cloud Web Security activity, use the show scansafe statistics command in privileged EXEC mode.

show scansafe statistics

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode            Firewall Mode               Security Context
                        Routed      Transparent     Single      Multiple
                                                                Context     System

Global configuration

 
Command History

Release
Modification

9.0(1)

We introduced this command.

 
Usage Guidelines

The show scansafe statistics command shows information about Cloud Web Security activity, such as the number of connections redirected to the proxy server, the number of current connections being redirected, and the number of whitelisted connections.

Examples

The following is sample output from the show scansafe statistics command:

hostname# show scansafe statistics
Current HTTP sessions : 0
Current HTTPS sessions : 0
Total HTTP Sessions : 0
Total HTTPS Sessions : 0
Total Fail HTTP sessions : 0
Total Fail HTTPS sessions : 0
Total Bytes In : 0 Bytes
Total Bytes Out : 0 Bytes
HTTP session Connect Latency in ms(min/max/avg) : 0/0/0
HTTPS session Connect Latency in ms(min/max/avg) : 0/0/0
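
The two outputs above (show scansafe server and show scansafe statistics) are what an operator polls to confirm that redirected web traffic actually reaches a proxy. The following Python is an added example, not Cisco code: it parses both outputs and reports the conditions worth alerting on (no active proxy, the active proxy not REACHABLE, or a noticeable share of redirected sessions failing). The sample text is constructed in the layout shown above, with non-zero counters so the checks have something to report; the 0.1% failure threshold is an assumption.

```python
import re

# Constructed sample modelled on the show scansafe server output above; the '*' marks
# the active server and "(REACHABLE)" is absent on the backup line by design.
SERVER_SAMPLE = """\
Primary: proxy197.scansafe.net (72.37.244.115) (REACHABLE)*
Backup: proxy137.scansafe.net (80.254.152.99)
"""

# Constructed sample in the show scansafe statistics layout with non-zero values.
STATS_SAMPLE = """\
Current HTTP sessions : 12
Current HTTPS sessions : 3
Total HTTP Sessions : 4021
Total HTTPS Sessions : 880
Total Fail HTTP sessions : 7
Total Fail HTTPS sessions : 0
Total Bytes In : 1048576 Bytes
Total Bytes Out : 524288 Bytes
HTTP session Connect Latency in ms(min/max/avg) : 2/310/41
HTTPS session Connect Latency in ms(min/max/avg) : 3/420/55
"""

# Optional leading prompt ("ciscoasa# ") tolerates the way the output is printed in the guide.
SERVER_RE = re.compile(
    r"^(?:\S+#\s*)?(?P<role>Primary|Backup):\s+(?P<fqdn>\S+)\s+\((?P<ip>[\d.]+)\)"
    r"(?P<reach>\s+\(REACHABLE\))?(?P<active>\*)?\s*$"
)


def parse_servers(text):
    """Return one dict per proxy line: role, fqdn, ip, reachable, active."""
    servers = []
    for line in text.splitlines():
        m = SERVER_RE.match(line.strip())
        if m:
            servers.append({"role": m["role"], "fqdn": m["fqdn"], "ip": m["ip"],
                            "reachable": m["reach"] is not None,
                            "active": m["active"] is not None})
    return servers


def parse_stats(text):
    """Return {field: int} for counters and {field: (min, max, avg)} for latency lines."""
    stats = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        value = value.strip()
        if "/" in value:                      # min/max/avg latency triple
            stats[key.strip()] = tuple(int(v) for v in value.split("/"))
        else:
            stats[key.strip()] = int(value.split()[0])   # drops the trailing "Bytes"
    return stats


def health_findings(servers, stats, max_fail_ratio=0.001):
    """Conditions an operator would want flagged; empty list means healthy."""
    findings = []
    active = [s for s in servers if s["active"]]
    if not active:
        findings.append("no active Cloud Web Security proxy")
    elif not active[0]["reachable"]:
        findings.append(f"active proxy {active[0]['fqdn']} is not REACHABLE")
    for proto in ("HTTP", "HTTPS"):
        fails = stats.get(f"Total Fail {proto} sessions", 0)
        total = stats.get(f"Total {proto} Sessions", 0)
        if total and fails / total > max_fail_ratio:
            findings.append(f"{proto}: {fails}/{total} sessions failed")
    return findings


if __name__ == "__main__":
    for finding in health_findings(parse_servers(SERVER_SAMPLE), parse_stats(STATS_SAMPLE)):
        print("FINDING:", finding)
```

Whether a reachability failure is a security event depends on how the ASA is configured to behave when no proxy is reachable (fail open or fail closed), so this check is normally paired with a look at the scansafe general-options configuration.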
 

 
Related Commands

Command
Description

class-map type inspect scansafe

Creates an inspection class map for whitelisted users and groups.

default user group

Specifies the default username and/or group if the ASA cannot determine the identity of the user coming into the ASA.

http [ s ] (parameters)

Specifies the service type for the inspection policy map, either HTTP or HTTPS.

inspect scansafe

Enables Cloud Web Security inspection on the traffic in a class.

license

Configures the authentication key that the ASA sends to the Cloud Web Security proxy servers to indicate from which organization the request comes.

match user group

Matches a user or group for a whitelist.

policy-map type inspect scansafe

Creates an inspection policy map so you can configure essential parameters for the rule and also optionally identify the whitelist.

retry-count

Enters the retry counter value, which is the amount of time that the ASA waits before polling the Cloud Web Security proxy server to check its availability.

scansafe

In multiple context mode, allows Cloud Web Security per context.

scansafe general-options

Configures general Cloud Web Security server options.

server { primary | backup }

Configures the fully qualified domain name or IP address of the primary or backup Cloud Web Security proxy servers.

show conn scansafe

Shows all Cloud Web Security connections, as noted by the capital Z flag.

show scansafe server

Shows the status of the server, whether it’s the current active server, the backup server, or unreachable.

user-identity monitor

Downloads the specified user or group information from the AD agent.

whitelist

Performs the whitelist action on the class of traffic.

show service-policy

To display the service policy statistics, use the show service-policy command in privileged EXEC mode.

show service-policy [ global | interface intf ] [ csc | cxsc | inspect inspection [ arguments ] | ips | police | priority | set connection [ details ] | shape | user-statistics ]

show service-policy [ global | interface intf ] [ flow protocol { host src_host | src_ip src_mask } [ eq src_port ] { host dest_host | dest_ip dest_mask } [ eq dest_port ] [ icmp_number | icmp_control_message ]]

 
Syntax Description

csc

(Optional) Shows detailed information about policies that include the csc command.

cxsc

(Optional) Shows detailed information about policies that include the cxsc command.

dest_ip dest_mask

For the flow keyword, the destination IP address and netmask of the traffic flow.

details

(Optional) For the set connection keyword, displays per-client connection information, if a per-client connection limit is enabled.

eq dest_port

(Optional) For the flow keyword, equals the destination port for the flow.

eq src_port

(Optional) For the flow keyword, equals the source port for the flow.

flow protocol

(Optional) Shows policies that match a particular flow identified by the 5-tuple (protocol, source IP address, source port, destination IP address, destination port). You can use this command to check that your service policy configuration will provide the services you want for specific connections.

Because the flow is described as a 5-tuple, not all policies are supported. See the following supported policy matches:

match access-list

match port

match rtp

match default-inspection-traffic

global

(Optional) Limits output to the global policy.

host dest_host

For the flow keyword, the host destination IP address of the traffic flow.

host src_host

For the flow keyword, the host source IP address of the traffic flow.

icmp_control_message

(Optional) For the flow keyword when you specify ICMP as the protocol, specifies an ICMP control message of the traffic flow.

icmp_number

(Optional) For the flow keyword when you specify ICMP as the protocol, specifies the ICMP protocol number of the traffic flow.

inspect inspection [ arguments ]

(Optional) Shows detailed information about policies that include an inspect command. Not all inspect commands are supported for detailed output. To see all inspections, use the show service-policy command without any arguments. The arguments available for each inspection vary; see the CLI help for more information.

interface intf

(Optional) Displays policies applied to the interface specified by the intf argument, where intf is the interface name given by the nameif command.

ips

(Optional) Shows detailed information about policies that include the ips command.

police

(Optional) Shows detailed information about policies that include the police command.

priority

(Optional) Shows detailed information about policies that include the priority command.

set connection

(Optional) Shows detailed information about policies that include the set connection command.

shape

(Optional) Shows detailed information about policies that include the shape command.

src_ip src_mask

For the flow keyword, the source IP address and netmask used in the traffic flow.

user-statistics

(Optional) Shows detailed information about policies that include the user-statistics command. This command displays user statistics for the Identity Firewall, including sent packet count, sent drop count, received packet count, and received drop count for selected users.

 
Defaults

If you do not specify any arguments, this command shows all global and interface policies.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode            Firewall Mode               Security Context
                        Routed      Transparent     Single      Multiple
                                                                Context     System

Privileged EXEC

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.1(1)

The csc keyword was added.

7.2(4)/8.0(4)

The shape keyword was added.

8.4(2)

We added support for the user-statistics keyword for the Identity Firewall.

8.4(4.1)

We added support for the cxsc keyword for the ASA CX module.

 
Usage Guidelines

The number of embryonic connections displayed in the show service-policy command output indicates the current number of embryonic connections to an interface for traffic matching that defined by the class-map command. The “embryonic-conn-max” field shows the maximum embryonic limit configured for the traffic class using the Modular Policy Framework. If the current embryonic connections displayed equals or exceeds the maximum, TCP intercept is applied to new TCP connections that match the traffic type defined by the class-map command.

When you make service policy changes to the configuration, all new connections use the new service policy. Existing connections continue to use the policy that was configured at the time of connection establishment, and the show service-policy output does not include data about those old connections. For example, if you remove a QoS service policy from an interface and then re-add a modified version, the show service-policy command only displays QoS counters associated with new connections that match the new service policy; existing connections on the old policy no longer appear in the command output. To ensure that all connections use the new policy, you need to disconnect the current connections so they can reconnect using the new policy. See the clear conn or clear local-host commands.


Note For inspect icmp and inspect icmp error policies, the packet counts only include the echo request and reply packets.


Examples

The following is sample output from the show service-policy global command:

ciscoasa# show service-policy global
 
Global policy:
Service-policy: inbound_policy
Class-map: ftp-port
Inspect: ftp strict inbound_ftp, packet 0, drop 0, reset-drop 0
 

The following is sample output from the show service-policy priority command:

ciscoasa# show service-policy priority
 
Interface outside:
 
Global policy:
Service-policy: sa_global_fw_policy
 
Interface outside:
Service-policy: ramap
Class-map: clientmap
Priority:
Interface outside: aggregate drop 0, aggregate transmit 5207048
Class-map: udpmap
Priority:
Interface outside: aggregate drop 0, aggregate transmit 5207048
Class-map: cmap
 

The following is sample output from the show service-policy flow command:

ciscoasa# show service-policy flow udp host 209.165.200.229 host 209.165.202.158 eq 5060
 
Global policy:
Service-policy: f1_global_fw_policy
Class-map: inspection_default
Match: default-inspection-traffic
Action:
Input flow: inspect sip
 
Interface outside:
Service-policy: test
Class-map: test
Match: access-list test
Access rule: permit ip 209.165.200.229 255.255.255.224 209.165.202.158 255.255.255.224
Action:
Input flow: ids inline
Input flow: set connection conn-max 10 embryonic-conn-max 20
 

The following is sample output from the show service-policy inspect http command. This example shows the statistics of each match command in a match-any class map.

ciscoasa# show service-policy inspect http
 
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: http http, packet 1916, drop 0, reset-drop 0
protocol violations
packet 0
class http_any (match-any)
Match: request method get, 638 packets
Match: request method put, 10 packets
Match: request method post, 0 packets
Match: request method connect, 0 packets
log, packet 648
 

The following is sample output from the show service-policy inspect waas command. This example shows the waas statistics.

ciscoasa# show service-policy inspect waas
 
Global policy:
Service-policy: global_policy
Class-map: WAAS
Inspect: waas, packet 12, drop 0, reset-drop 0
SYN with WAAS option 4
SYN-ACK with WAAS option 4
Confirmed WAAS connections 4
Invalid ACKs seen on WAAS connections 0
Data exceeding window size on WAAS connections 0
 

The following is sample output from the show gtp requests command:

ciscoasa# show gtp requests
0 in use, 0 most used, 200 maximum allowed
 

You can use the vertical bar | to filter the display, as in the following example:

ciscoasa# show service-policy gtp statistics | grep gsn
 

This example shows the GTP statistics with the word gsn in the output.

The following command shows the statistics for GTP inspection:

ciscoasa# show service-policy inspect gtp statistics
GPRS GTP Statistics:
  version_not_support         0     msg_too_short             0
  unknown_msg                 0     unexpected_sig_msg        0
  unexpected_data_msg         0     ie_duplicated             0
  mandatory_ie_missing        0     mandatory_ie_incorrect    0
  optional_ie_incorrect       0     ie_unknown                0
  ie_out_of_order             0     ie_unexpected             0
  total_forwarded             0     total_dropped             0
  signalling_msg_dropped      0     data_msg_dropped          0
  signalling_msg_forwarded    0     data_msg_forwarded        0
  total created_pdp           0     total deleted_pdp         0
  total created_pdpmcb        0     total deleted_pdpmcb      0
  pdp_non_existent            0
 

Table 59-1 describes each column of the output from the show service-policy inspect gtp statistics command.

 

Table 59-1 GPRS GTP Statistics

Column Heading
Description

version_not_support

Displays packets with an unsupported GTP version field.

msg_too_short

Displays packets less than 8 bytes in length.

unknown_msg

Displays unknown type messages.

unexpected_data_msg

Displays unexpected data messages.

mandatory_ie_missing

Displays messages missing a mandatory Information Element (IE).

mandatory_ie_incorrect

Displays messages with an incorrectly formatted mandatory Information Element (IE).

optional_ie_incorrect

Displays messages with an incorrectly formatted optional Information Element (IE).

ie_unknown

Displays messages with an unknown Information Element (IE).

ie_out_of_order

Displays messages with out-of-sequence Information Elements (IEs).

ie_unexpected

Displays messages with an unexpected Information Element (IE).

total_forwarded

Displays the total messages forwarded.

total_dropped

Displays the total messages dropped.

signalling_msg_dropped

Displays the signaling messages dropped.

data_msg_dropped

Displays the data messages dropped.

signalling_msg_forwarded

Displays the signaling messages forwarded.

data_msg_forwarded

Displays the data messages forwarded.

total created_pdp

Displays the total Packet Data Protocol (PDP) contexts created.

total deleted_pdp

Displays the total Packet Data Protocol (PDP) contexts deleted.

total created_pdpmcb

Displays the total PDPMCB sessions created.

total deleted_pdpmcb

Displays the total PDPMCB sessions deleted.

pdp_non_existent

Displays the messages received for a non-existent PDP context.
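
The GTP statistics output and Table 59-1 together define a set of counters that are only useful once they are read back as numbers: the malformed-message counters (bad version, short messages, missing or unexpected IEs) are what a GTP inspection policy is dropping, and the created/deleted PDP counters show whether tunnels are being torn down. The following Python is an added example, not Cisco code: it parses the two-pairs-per-line layout into a dictionary, lists the non-zero anomaly counters named in the table, and computes the increments between two polls, since the counters only grow until they are cleared. The sample is constructed in that layout with a few non-zero values; the grouping of counters as "anomalies" is this example's own reading of Table 59-1.

```python
import re

# Constructed sample in the layout of show service-policy inspect gtp statistics.
GTP_STATS_SAMPLE = """\
GPRS GTP Statistics:
  version_not_support       2     msg_too_short             0
  unknown_msg               0     unexpected_sig_msg        0
  unexpected_data_msg       0     ie_duplicated             0
  mandatory_ie_missing      3     mandatory_ie_incorrect    0
  optional_ie_incorrect     0     ie_unknown                1
  ie_out_of_order           0     ie_unexpected             0
  total_forwarded        1520     total_dropped             6
  signalling_msg_dropped    6     data_msg_dropped          0
  signalling_msg_forwarded 920     data_msg_forwarded      600
  total created_pdp        40     total deleted_pdp        38
  total created_pdpmcb     40     total deleted_pdpmcb     38
  pdp_non_existent          0
"""

# A counter name is one or more words joined by single spaces ("total created_pdp"),
# followed by whitespace and an integer; a line may carry two such pairs.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z_]*(?: [A-Za-z][A-Za-z_]*)*)\s+(\d+)")

# Counters that Table 59-1 describes as malformed or unexpected messages.
ANOMALY_COUNTERS = (
    "version_not_support", "msg_too_short", "unknown_msg", "unexpected_sig_msg",
    "unexpected_data_msg", "ie_duplicated", "mandatory_ie_missing",
    "mandatory_ie_incorrect", "optional_ie_incorrect", "ie_unknown",
    "ie_out_of_order", "ie_unexpected", "pdp_non_existent",
)


def parse_gtp_statistics(text):
    """Return {counter_name: int} from the statistics output."""
    counters = {}
    for line in text.splitlines():
        line = line.replace("|", " ")   # some copies render the column gaps as '|'
        for name, value in PAIR_RE.findall(line):
            counters[name] = int(value)
    return counters


def review_gtp_counters(counters):
    """Non-zero anomaly counters plus a drop ratio and the number of PDP contexts still open."""
    report = {name: counters[name] for name in ANOMALY_COUNTERS if counters.get(name, 0)}
    forwarded = counters.get("total_forwarded", 0)
    dropped = counters.get("total_dropped", 0)
    report["drop_ratio"] = dropped / (forwarded + dropped) if forwarded + dropped else 0.0
    # Created minus deleted: a gap that keeps growing between polls suggests stale tunnels.
    report["open_pdp"] = counters.get("total created_pdp", 0) - counters.get("total deleted_pdp", 0)
    return report


def delta(before, after):
    """Counter increments between two polls; only counters that changed are returned."""
    return {k: after.get(k, 0) - before.get(k, 0)
            for k in after if after.get(k, 0) != before.get(k, 0)}


if __name__ == "__main__":
    snapshot = parse_gtp_statistics(GTP_STATS_SAMPLE)
    for key, value in review_gtp_counters(snapshot).items():
        print(f"{key:24} {value}")
```

Because the parser keys on the counter names rather than on column positions, it also reads the output correctly when the device prints the pairs in a different order or with different spacing.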

The following command displays information about the PDP contexts:

ciscoasa# show service-policy inspect gtp pdp-context
1 in use, 1 most used, timeout 0:00:00
 
Version   TID                MS Addr    SGSN Addr   Idle      APN
v1        1234567890123425   1.1.1.1    11.0.0.2    0:00:13   gprs.cisco.com

    user_name (IMSI): 214365870921435     MS address: 1.1.1.1
    primary pdp: Y                        nsapi: 2
    sgsn_addr_signal:   11.0.0.2          sgsn_addr_data:   11.0.0.2
    ggsn_addr_signal:   9.9.9.9           ggsn_addr_data:   9.9.9.9
    sgsn control teid:  0x000001d1        sgsn data teid:   0x000001d3
    ggsn control teid:  0x6306ffa0        ggsn data teid:   0x6305f9fc
    seq_tpdu_up:        0                 seq_tpdu_down:    0
    signal_sequence:    0
    upstream_signal_flow:   0             upstream_data_flow:   0
    downstream_signal_flow: 0             downstream_data_flow: 0
    RAupdate_flow:          0
 

Table 59-2 describes each column of the output from the show service-policy inspect gtp pdp-context command.

 

Table 59-2 PDP Contexts

Column Heading
Description

Version

Displays the version of GTP.

TID

Displays the tunnel identifier.

MS Addr

Displays the mobile station address.

SGSN Addr

Displays the serving gateway service node.

Idle

Displays the time for which the PDP context has not been in use.

APN

Displays the access point name.

 
Related Commands

Command
Description

clear configure service-policy

Clears service policy configurations.

clear service-policy

Clears all service policy configurations.

service-policy

Configures the service policy.

show running-config service-policy

Displays the service policies configured in the running configuration.

show shared license

To show shared license statistics, use the show shared license command in privileged EXEC mode. Optional keywords are available only for the licensing server.

show shared license [ detail | client [ hostname ] | backup ]

 
Syntax Description

backup

(Optional) Shows information about the backup server.

client

(Optional) Limits the display to participants.

detail

(Optional) Shows all statistics, including per participant.

hostname

(Optional) Limits the display to a particular participant.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode            Firewall Mode               Security Context
                        Routed      Transparent     Single      Multiple
                                                                Context     System

Privileged EXEC

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

To clear the statistics, enter the clear shared license command.

Examples

The following is sample output from the show shared license command on the license participant:

ciscoasa# show shared license
Primary License Server : 10.3.32.20
Version : 1
Status : Inactive
 
Shared license utilization:
SSLVPN:
Total for network : 5000
Available : 5000
Utilized : 0
This device:
Platform limit : 250
Current usage : 0
High usage : 0
Messages Tx/Rx/Error:
Registration : 0 / 0 / 0
Get : 0 / 0 / 0
Release : 0 / 0 / 0
Transfer : 0 / 0 / 0
 
Client ID Usage Hostname
ASA0926K04D 0 5510-B
 

Table 59-3 describes the output from the show shared license command.

 

Table 59-3 show shared license Description

Field
Description

Primary License Server

The IP address of the primary server.

Version

The shared license version.

Status

If the command is issued on the backup server, “Active” means that this device has taken on the role as a Primary Shared Licensing server. “Inactive” means that the device is ready in standby mode, and the device is communicating with the primary server.

If failover is configured on the primary licensing server, the backup server may become “Active” for a brief moment during a failover but should return to “Inactive” after communications have synced up again.

Shared license utilization

SSLVPN

Total for network

Displays the total number of shared sessions available.

Available

Displays the remaining shared sessions available.

Utilized

Displays the shared sessions obtained for the active license server.

This device

Platform limit

Displays the total number of SSL VPN sessions for this device according to the installed license.

Current usage

Displays the number of shared SSL VPN sessions currently owned by this device from the shared pool.

High usage

Displays the highest number of shared SSL VPN sessions ever owned by this device.

Messages Tx/Rx/Error

Registration
Get
Release
Transfer

Shows the Transmit, Received, and Error packets of each type of connection.

Client ID

A unique client ID.

Usage

Displays the number of sessions in use.

Hostname

Displays the hostname for this device.

The following is sample output from the show shared license detail command on the license server:

ciscoasa# show shared license detail
Backup License Server Info:
 
Device ID : ABCD
Address : 10.1.1.2
Registered : NO
HA peer ID : EFGH
Registered : NO
Messages Tx/Rx/Error:
Hello : 0 / 0 / 0
Sync : 0 / 0 / 0
Update : 0 / 0 / 0
 
Shared license utilization:
SSLVPN:
Total for network : 500
Available : 500
Utilized : 0
This device:
Platform limit : 250
Current usage : 0
High usage : 0
Messages Tx/Rx/Error:
Registration : 0 / 0 / 0
Get : 0 / 0 / 0
Release : 0 / 0 / 0
Transfer : 0 / 0 / 0
 
Client Info:
 
Hostname : 5540-A
Device ID : XXXXXXXXXXX
SSLVPN:
Current usage : 0
High : 0
Messages Tx/Rx/Error:
Registration : 1 / 1 / 0
Get : 0 / 0 / 0
Release : 0 / 0 / 0
Transfer : 0 / 0 / 0
...
 

 
Related Commands

Command
Description

activation-key

Enters a license activation key.

clear configure license-server

Clears the shared licensing server configuration.

clear shared license

Clears shared license statistics.

license-server address

Identifies the shared licensing server IP address and shared secret for a participant.

license-server backup address

Identifies the shared licensing backup server for a participant.

license-server backup backup-id

Identifies the backup server IP address and serial number for the main shared licensing server.

license-server backup enable

Enables a unit to be the shared licensing backup server.

license-server enable

Enables a unit to be the shared licensing server.

license-server port

Sets the port on which the server listens for SSL connections from participants.

license-server refresh-interval

Sets the refresh interval provided to participants to set how often they should communicate with the server.

license-server secret

Sets the shared secret on the shared licensing server.

show activation-key

Shows the current licenses installed.

show running-config license-server

Shows the shared licensing server configuration.

show vpn-sessiondb

Shows license information about VPN sessions.

show shun

To display shun information, use the show shun command in privileged EXEC mode.

show shun [ src_ip | statistics ]

 
Syntax Description

src_ip

(Optional) Displays the information for that address.

statistics

(Optional) Displays the interface counters only.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode            Firewall Mode               Security Context
                        Routed      Transparent     Single      Multiple
                                                                Context     System

Privileged EXEC

 
Command History

Release
Modification

7.0(1)

This command was introduced.

8.2(2)

For threat events, the severity level was changed from a warning to a notification. Threat events can be triggered every five minutes.

Examples

The following is sample output from the show shun command:

ciscoasa# show shun
shun (outside) 10.1.1.27 10.2.2.89 555 666 6
shun (inside1) 10.1.1.27 10.2.2.89 555 666 6
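
Each line of show shun names the interface on which a shun is installed, the shunned source address, and, when one was given, the destination address, ports and IP protocol number of the existing connection that was also torn down. During incident response it is useful to have this as structured data: which sources are currently blocked, on which interfaces, and whether a given address would be dropped. The following Python is an added example, not Cisco code: it parses the output into records, summarises them per shunned source, and answers that last question. The sample is constructed in the layout shown above; the lines without a full 5-tuple assume the form the command prints for a shun entered with only a source address, which is an assumption of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the show shun output above.
SHUN_SAMPLE = """\
ciscoasa# show shun
shun (outside) 10.1.1.27 10.2.2.89 555 666 6
shun (inside1) 10.1.1.27 10.2.2.89 555 666 6
shun (outside) 192.0.2.45 203.0.113.9 0 0 0
shun (outside) 192.0.2.45
"""

# shun (interface) src_ip [dst_ip sport dport protocol]
SHUN_RE = re.compile(
    r"^shun\s+\((?P<intf>[^)]+)\)\s+(?P<src>[\d.]+)"
    r"(?:\s+(?P<dst>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<proto>\d+))?\s*$"
)
PROTO_NAMES = {0: "any", 1: "icmp", 6: "tcp", 17: "udp"}


def parse_shun(text):
    """Return one dict per shun line; prompt, blank and statistics lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SHUN_RE.match(line.strip())
        if not m:
            continue
        proto = int(m["proto"]) if m["proto"] else 0
        entries.append({
            "interface": m["intf"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]) if m["dst"] else None,
            "sport": int(m["sport"]) if m["sport"] else 0,
            "dport": int(m["dport"]) if m["dport"] else 0,
            "proto": PROTO_NAMES.get(proto, str(proto)),
        })
    return entries


def shun_summary(entries):
    """Group by shunned source: interfaces it is blocked on and the connections that seeded the shun."""
    by_src = defaultdict(lambda: {"interfaces": set(), "connections": set()})
    for e in entries:
        rec = by_src[str(e["src"])]
        rec["interfaces"].add(e["interface"])
        if e["dst"] is not None:
            rec["connections"].add((e["proto"], str(e["dst"]), e["sport"], e["dport"]))
    return dict(by_src)


def is_shunned(entries, ip, interface=None):
    """True if new packets from ip are dropped by a shun on the given (or any) interface."""
    target = ipaddress.ip_address(ip)
    return any(e["src"] == target and (interface is None or e["interface"] == interface)
               for e in entries)


if __name__ == "__main__":
    shuns = parse_shun(SHUN_SAMPLE)
    for src, rec in shun_summary(shuns).items():
        print(src, sorted(rec["interfaces"]), sorted(rec["connections"]))
```

Comparing two such summaries taken at different times shows which shuns were added or removed in between, which is the check to run after an automated response (for example one driven by threat detection) has been allowed to shun on its own.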
 

 
Related Commands

Command
Description

clear shun

Disables all the shuns that are currently enabled and clears the shun statistics.

shun

Enables a dynamic response to an attacking host by preventing new connections and disallowing packets from any existing connection.

show sip

To display SIP sessions, use the show sip command in privileged EXEC mode.

show sip

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode            Firewall Mode               Security Context
                        Routed      Transparent     Single      Multiple
                                                                Context     System

Privileged EXEC

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The show sip command assists in troubleshooting SIP inspection engine issues and is described with the inspect protocol sip udp 5060 command. The show timeout sip command displays the timeout value of the designated protocol.

The show sip command displays information for SIP sessions established across the ASA. Along with the debug sip and show local-host commands, this command is used for troubleshooting SIP inspection engine issues.


Note We recommend that you configure the pager command before using the show sip command. If there are a lot of SIP session records and the pager command is not configured, it will take a while for the show sip command output to reach its end.


Examples

The following is sample output from the show sip command:

ciscoasa# show sip
Total: 2
call-id c3943000-960ca-2e43-228f@10.130.56.44
    state Call init, idle 0:00:01
call-id c3943000-860ca-7e1f-11f7@10.130.56.45
    state Active, idle 0:00:06
 

This sample shows two active SIP sessions on the ASA (as shown in the Total field). Each call-id represents a call.

The first session, with the call-id c3943000-960ca-2e43-228f@10.130.56.44, is in the state Call init, which means the session is still in call setup. Call setup is complete only when the ACK is seen. This session has been idle for 1 second.

The second session is in the state Active, in which call setup is complete and the endpoints are exchanging media. This session has been idle for 6 seconds.
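
The two states explained above are what matter when troubleshooting the SIP inspection engine: a session that stays in Call init for a long time is one whose ACK never arrived, which is the symptom of a call setup that inspection or a NAT problem has broken. The following Python is an added example, not Cisco code: it parses show sip output into sessions, counts them by state, and lists the setups that have been idle longer than a threshold. The sample is constructed in the layout shown above with a third, deliberately stale session; the 60-second threshold is an assumption.

```python
import re

# Constructed sample modelled on the show sip output above, with one stale setup added.
SIP_SAMPLE = """\
Total: 3
call-id c3943000-960ca-2e43-228f@10.130.56.44
    state Call init, idle 0:00:01
call-id c3943000-860ca-7e1f-11f7@10.130.56.45
    state Active, idle 0:00:06
call-id 7d2f1a0b-14c0-4f55-9a1e@10.130.56.46
    state Call init, idle 0:02:41
"""

CALL_RE = re.compile(r"^call-id\s+(\S+)$")
STATE_RE = re.compile(r"^state\s+(?P<state>.+?),\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})$")
TOTAL_RE = re.compile(r"^Total:\s+(\d+)$")


def idle_seconds(hms):
    """Convert the h:mm:ss idle time to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_sip(text):
    """Return (reported_total, [ {call_id, state, idle} ... ])."""
    sessions, current, total = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("|").strip()   # tolerate '|' used as indentation in some renderings
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        m = CALL_RE.match(line)
        if m:
            current = {"call_id": m.group(1), "state": None, "idle": None}
            sessions.append(current)
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            current["state"] = m["state"]
            current["idle"] = idle_seconds(m["idle"])
    return total, sessions


def count_by_state(sessions):
    counts = {}
    for s in sessions:
        counts[s["state"]] = counts.get(s["state"], 0) + 1
    return counts


def stale_setups(sessions, max_idle=60):
    """Call-ids still in call setup (no ACK seen) that have been idle longer than max_idle seconds."""
    return [s["call_id"] for s in sessions if s["state"] == "Call init" and s["idle"] > max_idle]


if __name__ == "__main__":
    total, sessions = parse_show_sip(SIP_SAMPLE)
    print("reported:", total, "parsed:", len(sessions), count_by_state(sessions))
    print("stale setups:", stale_setups(sessions))
```

The reported total is returned alongside the parsed list so that a caller can detect truncated output, which is the situation the pager note above warns about.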

 
Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug sip

Enables debug information for SIP.

inspect sip

Enables SIP application inspection.

show conn

Displays the connection state for different connection types.

timeout

Sets the maximum idle time duration for different protocols and session types.

show skinny

To troubleshoot SCCP (Skinny) inspection engine issues, use the show skinny command in privileged EXEC mode.

show skinny

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode            Firewall Mode               Security Context
                        Routed      Transparent     Single      Multiple
                                                                Context     System

Privileged EXEC

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The show skinny command assists in troubleshooting SCCP (Skinny) inspection engine issues.

Examples

The following is sample output from the show skinny command under the following conditions. There are two active Skinny sessions set up across the ASA. The first one is established between an internal Cisco IP Phone at local address 10.0.0.11 and an external Cisco CallManager at 172.18.1.33; TCP port 2000 is the CallManager port. The second one is established between another internal Cisco IP Phone at local address 10.0.0.22 and the same Cisco CallManager.

ciscoasa# show skinny
 
LOCAL FOREIGN STATE
 
---------------------------------------------------------------
 
1 10.0.0.11/52238 172.18.1.33/2000 1
 
MEDIA 10.0.0.11/22948 172.18.1.22/20798
 
2 10.0.0.22/52232 172.18.1.33/2000 1
 
MEDIA 10.0.0.22/20798 172.18.1.11/22948
 

The output indicates a call has been established between both internal Cisco IP Phones. The RTP listening ports of the first and second phones are UDP 22948 and 20798 respectively.

The following is the xlate information for these Skinny connections:

ciscoasa# show xlate debug
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
NAT from inside:10.0.0.11 to outside:172.18.1.11 flags si idle 0:00:16 timeout 0:05:00
NAT from inside:10.0.0.22 to outside:172.18.1.22 flags si idle 0:00:14 timeout 0:05:00
 

 
Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug skinny

Enables SCCP debug information.

inspect skinny

Enables SCCP application inspection.

show conn

Displays the connection state for different connection types.

timeout

Sets the maximum idle time duration for different protocols and session types.

show sla monitor configuration

To display the configuration values, including the defaults, for SLA operations, use the show sla monitor configuration command in user EXEC mode.

show sla monitor configuration [ sla-id ]

 
Syntax Description

sla-id

(Optional) The ID number of the SLA operation. Valid values are from 1 to 2147483647.

 
Defaults

If the sla-id is not specified, the configuration values for all SLA operations are shown.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode            Firewall Mode               Security Context
                        Routed      Transparent     Single      Multiple
                                                                Context     System

User EXEC

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

Use the show running config sla monitor command to see the SLA operation commands in the running configuration.

Examples

The following is sample output from the show sla monitor command. It displays the configuration values for SLA operation 123. Following the output of the show sla monitor command is the output of the show running-config sla monitor command for the same SLA operation.

ciscoasa> show sla monitor 124
 
SA Agent, Infrastructure Engine-II
Entry number: 124
Owner:
Tag:
Type of operation to perform: echo
Target address: 10.1.1.1
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 1000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 3
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
 
ciscoasa# show running-config sla monitor 124
 
sla monitor 124
type echo protocol ipIcmpEcho 10.1.1.1 interface outside
timeout 1000
frequency 3
sla monitor schedule 124 life forever start-time now
 

 
Related Commands

Command
Description

show running-config sla monitor

Displays the SLA operation configuration commands in the running configuration.

sla monitor

Defines an SLA monitoring operation.

show sla monitor operational-state

To display the operational state of SLA operations, use the show sla monitor operational-state command in user EXEC mode.

show sla monitor operational-state [ sla-id ]

 
Syntax Description

sla-id

(Optional) The ID number of the SLA operation. Valid values are from 1 to 2147483647.

 
Defaults

If the sla-id is not specified, statistics for all SLA operations are displayed.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC

  •  
  •  
  •  
  •  

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

Use the show running-config sla monitor command to display the SLA operation commands in the running configuration.

Examples

The following is sample output from the show sla monitor operational-state command:

ciscoasa> show sla monitor operational-state
 
Entry number: 124
Modification time: 14:42:23.607 EST Wed Mar 22 2006
Number of Octets Used by this Entry: 1480
Number of operations attempted: 4043
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 18:04:26.609 EST Wed Mar 22 2006
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0
 

 
Related Commands

Command
Description

show running-config sla monitor

Displays the SLA operation configuration commands in the running configuration.

sla monitor

Defines an SLA monitoring operation.

show snmp-server engineid

To display the identification of the SNMP engine that has been configured on the ASA, use the show snmp-server engineid command in privileged EXEC mode.

show snmp-server engineid

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

8.2(1)

This command was introduced.

Examples

The following is sample output from the show snmp-server engineid command:

ciscoasa# show snmp-server engineid
Local SNMP engineID: 80000009fe85f8fd882920834a3af7e4ca79a0a1220fe10685
 

 
Usage Guidelines

An SNMP engine is an instance of SNMP that resides on the local device. The engine ID is a unique value assigned to the SNMP agent in each ASA context; it is not configurable on the ASA. The engine ID is 25 bytes long and is used to derive the SNMPv3 user keys: the authentication and privacy passwords configured for each user are converted to keys that are localized to this engine ID, and it is these localized keys, not the passwords, that are stored in flash memory. Because the keys are bound to the engine ID, an SNMP manager must discover the engine ID before it can authenticate, and SNMPv3 user entries saved in their encrypted form cannot be copied to an ASA with a different engine ID. The engine ID can be cached. In a failover pair, the engine ID is synchronized with the peer so that SNMPv3 users keep working after a switchover.
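Key localization, as an added example that is not Cisco's code: the engine ID printed in the sample output above is run through the RFC 3414 password-to-key and key-localization steps to show why the same user password produces different stored keys on two ASAs with different engine IDs. The user password, the second engine ID, and the function names are constructed for this example; the RFC 3414 Appendix A.3 test vector (password maplesyrup, engine ID 00 00 00 00 00 00 00 00 00 00 00 02) can be used to check the functions.

```python
import hashlib

# Added example, not Cisco code. Shows why the SNMP engine ID matters for
# SNMPv3: RFC 3414 derives each user's key from the password (Ku) and then
# localizes it to the agent's engine ID (Kul = H(Ku || engineID || Ku)).
# ASA_ENGINE_ID is the value printed by "show snmp-server engineid" in the
# reference output; every other value here is constructed for illustration.

ASA_ENGINE_ID = bytes.fromhex("80000009fe85f8fd882920834a3af7e4ca79a0a1220fe10685")

ONE_MIB = 1_048_576


def password_to_key(password: str, algo: str = "sha1") -> bytes:
    """Ku per RFC 3414 A.2: hash the password repeated cyclically to 1 MiB."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul per RFC 3414 section 2.6: bind Ku to one specific engine ID."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_keys(password: str, engine_id: bytes, algo: str = "sha1") -> dict:
    """Authentication key material for a user on the agent with engine_id."""
    ku = password_to_key(password, algo)
    return {"Ku": ku.hex(), "Kul": localize_key(ku, engine_id, algo).hex()}


def priv_key(password: str, engine_id: bytes, algo: str = "sha1",
             cipher: str = "aes") -> bytes:
    """Privacy key: the same localization, truncated to the cipher's key size
    (DES takes the first 8 bytes, AES-128 the first 16)."""
    kul = localize_key(password_to_key(password, algo), engine_id, algo)
    return kul[:8] if cipher == "des" else kul[:16]


if __name__ == "__main__":
    # Constructed: a second engine ID standing in for a replacement ASA.
    other = bytes.fromhex("80000009fe0102030405060708090a0b0c0d0e0f1011121314")
    a = localized_keys("authpass-example", ASA_ENGINE_ID)
    b = localized_keys("authpass-example", other)
    print("Ku identical :", a["Ku"] == b["Ku"])    # same password -> same Ku
    print("Kul identical:", a["Kul"] == b["Kul"])  # other engine -> other Kul
```

The stand-alone run prints that Ku is identical and Kul is not: the password alone never reaches the wire or the flash, only the engine-bound key does, which is why a manager performs engine ID discovery first and why an encrypted snmp-server user line from one ASA is useless on another.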

 
Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP server configuration.

show running-config snmp-server

Displays the SNMP server configuration.

snmp-server

Configures the SNMP server.

show snmp-server group

To display the names of configured SNMP groups, the security model being used, the status of different views, and the storage type of each group, use the show snmp-server group command in privileged EXEC mode.

show snmp-server group

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

8.2(1)

This command was introduced.

Examples

The following is sample output from the show snmp-server group command:

ciscoasa# show snmp-server group
groupname: public security model:v1
readview : <no readview specified> writeview: <no writeview specified>
notifyview: <no readview specified>
row status: active
 
groupname: public security model:v2c
readview : <no readview specified> writeview: <no writeview specified>
notifyview: <no readview specified>
row status: active
 
groupname: privgroup security model:v3 priv
readview : def_read_view writeview: <no writeview specified>
notifyview: def_notify_view
row status: active
 

 
Usage Guidelines

SNMP users and groups are used according to the View-based Access Control Model (VACM) for SNMP. The SNMP group determines the security model to be used. The SNMP user should match the security model of the SNMP group. Each SNMP group name and security level pair must be unique.

 
Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP server configuration.

show running-config snmp-server

Displays the SNMP server configuration.

snmp-server

Configures the SNMP server.

show snmp-server statistics

To display SNMP server statistics, use the show snmp-server statistics command in privileged EXEC mode.

show snmp-server statistics

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following is sample output from the show snmp-server statistics command:

ciscoasa# show snmp-server statistics
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Get-bulk PDUs
0 Set-request PDUs (Not supported)
0 SNMP packets output
0 Too big errors (Maximum packet size 512)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
 

 
Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP server configuration.

clear snmp-server statistics

Clears the SNMP packet input and output counters.

show running-config snmp-server

Displays the SNMP server configuration.

snmp-server

Configures the SNMP server.

show snmp-server user

To display information about the configured characteristics of SNMP users, use the show snmp-server user command in privileged EXEC mode.

show snmp-server user [ username ]

 
Syntax Description

username

(Optional) Identifies a specific user or users about which to display SNMP information.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

8.2(1)

This command was introduced.

Examples

The following is sample output from the show snmp-server user command:

ciscoasa# show snmp-server user authuser
User name: authuser
Engine ID: 00000009020000000C025808
storage-type: nonvolatile active access-list: N/A
Rowstatus: active
Authentication Protocol: MD5
Privacy protocol: DES
Group name: VacmGroupName
 

The output provides the following information:

  • The username, which is a string that identifies the name of the SNMP user.
  • The engine ID, which is a string that identifies the copy of SNMP on the ASA.
  • The storage-type, which indicates whether the settings are held in volatile (temporary) memory, where they are lost when the ASA restarts, or in nonvolatile (persistent) memory, where they survive a restart.
  • The active access list, which is the standard IP access list associated with the SNMP user.
  • The Rowstatus, which indicates whether or not it is active or inactive.
  • The authentication protocol, which identifies the authentication protocol in use. Options are MD5, SHA, or none. If authentication is not supported in your software image, this field does not appear.
  • The privacy protocol, which identifies the packet encryption protocol in use (DES in the example). If privacy is not supported in your software image, this field does not appear.
  • The group name, which indicates to which SNMP group the user belongs. SNMP groups are defined according to the View-based Access Control Model (VACM).

 
Usage Guidelines

An SNMP user must be part of an SNMP group. If you do not enter the username argument, the show snmp-server user command displays information about all configured users. If you enter the username argument and the user exists, the information about that user appears.

 
Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP server configuration.

show running-config snmp-server

Displays the SNMP server configuration.

snmp-server

Configures the SNMP server.

show software authenticity file

To display digital signature information related to software authentication for a specific image file, use the show software authenticity file command in privileged EXEC mode.

show software authenticity file [ filename ]

 
Syntax Description

filename

(Optional) Identifies a specific image file.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

9.1(3)

This command was introduced.

Examples

The following is sample output from the show software authenticity file command:

ciscoasa# show software authenticity file asa913.SSA
File Name : disk0:/asa913.SSA
Image type : Development
Signer Information
Common Name : Cisco
Organization Unit : ASA5585-X
Organization Name : Engineering
Certificate Serial Number : abcd1234efgh5678
Hash Algorithm : SHA512
Signature Algorithm : 2048-bit RSA
Key Version : A
 

The output provides the following information:

  • The filename, which is the name and location of the image file on the flash file system (disk0: in the example).
  • The image type, which is the type of image being shown.
  • The signer information specifies the signature information, which includes the following:

The common name, which is the name of the software manufacturer.

The organization unit, which indicates the hardware that the software image is deployed on.

The organization name, which is the owner of the software image.

  • The certificate serial number, which is the certificate serial number for the digital signature.
  • The hash algorithm, which indicates the type of hash algorithm used in digital signature verification.
  • The signature algorithm, which identifies the type of signature algorithm used in digital signature verification.
  • The key version, which indicates the key version used for verification.

 
Related Commands

Command
Description

show version

Displays the software version, hardware configuration, license key, and related uptime data.

show ssh sessions

To display information about the active SSH sessions on the ASA, use the show ssh sessions command in privileged EXEC mode.

show ssh sessions [ hostname or A.B.C.D ] [ hostname or X:X:X:X::X ] [ detail ]

 
Syntax Description

hostname or A.B.C.D

(Optional) Displays SSH session information for only the specified SSH client IPv4 address.

hostname or X:X:X:X::X

(Optional) Displays SSH session information for only the specified SSH client IPv6 address.

detail

Displays detailed SSH session information.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  
  •  

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.1(2)

The detail option was added.

 
Usage Guidelines

The SID is a unique number that identifies the SSH session. The Client IP is the IP address of the system running an SSH client. The Version is the protocol version number that the SSH client supports. If the SSH client only supports SSH version 1, then the Version column displays 1.5. If the SSH client supports both SSH version 1 and SSH version 2, then the Version column displays 1.99. If the SSH client only supports SSH version 2, then the Version column displays 2.0. The Encryption column shows the type of encryption that the SSH client is using. The State column shows the progress that the client is making as it interacts with the ASA. The Username column lists the login username that has been authenticated for the session. The Mode column describes the direction of the SSH data streams.

For SSH version 2, which can use the same or different encryption algorithms, the Mode field displays in and out. For SSH version 1, which uses the same encryption in both directions, the Mode field displays nil (‘-’) and allows only one entry per connection.

Sessions that show version 1.5 are running SSH protocol 1, and a client reporting 1.99 is prepared to use it. Protocol 1 has known cryptographic weaknesses, so restrict the ASA to protocol 2 with the ssh version 2 command and disconnect any remaining protocol 1 sessions with ssh disconnect.

Examples

The following is sample output from the show ssh sessions command:

ciscoasa# show ssh sessions
SID Client IP Version Mode Encryption Hmac State Username
0 172.69.39.39 1.99 IN aes128-cbc md5 SessionStarted pat
OUT aes128-cbc md5 SessionStarted pat
1 172.23.56.236 1.5 - 3DES - SessionStarted pat
2 172.69.39.29 1.99 IN 3des-cbc sha1 SessionStarted pat
OUT 3des-cbc sha1 SessionStarted pat
 

The following is sample output from the show ssh sessions detail command:

ciscoasa# show ssh sessions detail
SSH Session ID : 0
> Client IP : 161.44.66.200
> Username : root
> SSH Version : 2.0
> State : SessionStarted
> Inbound Statistics
> Encryption : aes256-cbc
> HMAC : sha1
> Bytes Received : 2224
> Outbound Statistics
> Encryption : aes256-cbc
> HMAC : sha1
> Bytes Transmitted : 2856
> Rekey Information
> Time Remaining (sec) : 3297
> Data Remaining (bytes): 996145356
> Last Rekey : 16:17:19.732 EST Wed Jan 2 2013
> Data-Based Rekeys : 0
> Time-Based Rekeys : 0
 
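Session audit, as an added example that is not Cisco's code: the following script parses the show ssh sessions table shown above, handling both the two-line protocol 2 entries (IN and OUT streams) and the single-line protocol 1 entries, and flags the properties a reviewer would want gone. SAMPLE is a constructed copy of the reference output; the finding strings, the weak-cipher pattern, and the function names are this example's own.

```python
import re

# Added example, not Cisco code: parse the "show ssh sessions" table and
# flag protocol 1 sessions, legacy/CBC ciphers and weak MACs.
# SAMPLE is a constructed copy of the reference output above.
SAMPLE = """\
SID Client IP Version Mode Encryption Hmac State Username
0 172.69.39.39 1.99 IN aes128-cbc md5 SessionStarted pat
OUT aes128-cbc md5 SessionStarted pat
1 172.23.56.236 1.5 - 3DES - SessionStarted pat
2 172.69.39.29 1.99 IN 3des-cbc sha1 SessionStarted pat
OUT 3des-cbc sha1 SessionStarted pat
"""

# Legacy or CBC-mode ciphers; hmac-md5 and "no MAC" (protocol 1 uses a CRC)
# are treated as weak. Thresholds are this example's own choice.
WEAK_CIPHER = re.compile(r"(3des|\bdes\b|rc4|arcfour|blowfish|-cbc$)", re.I)
WEAK_MAC = {"md5", "md5-96", "-"}


def parse_ssh_sessions(text):
    """Return one dict per session. Protocol 2 sessions carry IN and OUT
    streams; protocol 1 sessions carry a single '-' stream, as the ASA prints."""
    sessions = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "SID":
            continue
        if tok[0].isdigit():                        # first line of a session
            sid, client, version, mode, enc, mac, state, user = tok[:8]
            sessions.append({"sid": int(sid), "client": client,
                             "version": version, "state": state, "user": user,
                             "streams": {mode: (enc, mac)}})
        elif tok[0] in ("IN", "OUT") and sessions:  # the other direction
            mode, enc, mac, state, user = tok[:5]
            sessions[-1]["streams"][mode] = (enc, mac)
    return sessions


def audit_ssh_sessions(text):
    """Return (sid, client, finding) tuples, one per weak property seen."""
    findings = []
    for s in parse_ssh_sessions(text):
        if "-" in s["streams"]:
            findings.append((s["sid"], s["client"],
                             "SSH protocol 1 session; enforce 'ssh version 2'"))
        for mode, (enc, mac) in s["streams"].items():
            if WEAK_CIPHER.search(enc):
                findings.append((s["sid"], s["client"],
                                 f"weak cipher {enc} ({mode})"))
            if mac.lower() in WEAK_MAC:
                findings.append((s["sid"], s["client"],
                                 f"weak MAC {mac} ({mode})"))
    return findings


if __name__ == "__main__":
    for sid, client, msg in audit_ssh_sessions(SAMPLE):
        print(f"SID {sid} {client}: {msg}")
```

Run against the reference output, every session produces findings: SID 1 for protocol 1, 3DES and a missing MAC, the others for CBC ciphers and, on SID 0, hmac-md5. A session using aes256-ctr with hmac-sha2-256 produces none, which is the state to aim for before enforcing ssh version 2.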

 
Related Commands

Command
Description

ssh disconnect

Disconnects an active SSH session.

ssh timeout

Sets the timeout value for idle SSH sessions.

show ssl

To display information about the active SSL sessions on the ASA, use the show ssl command in privileged EXEC mode.

show ssl [ cache | errors | mib | objects | detail ]

 
Syntax Description

cache

(Optional) Displays SSL session cache statistics.

errors

(Optional) Displays SSL errors.

mib

(Optional) Displays SSL MIB statistics.

objects

(Optional) Displays SSL object statistics.

detail

Displays detailed SSL session information.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  
  •  

 
Command History

Release
Modification

8.4(1)

This command was introduced.

9.1(2)

The detail option was added.

 
Usage Guidelines

This command shows the SSL/TLS versions the ASA accepts and negotiates for incoming and outgoing connections, the enabled cipher order, which ciphers are disabled, the SSL trustpoints in use on each interface, and whether certificate authentication is enabled. The sample output below reflects an older release: it accepts SSLv2 and SSLv3 and lists rc4-sha1 first, none of which is acceptable today. Use the ssl server-version and ssl client-version commands to require TLS, use ssl encryption to remove RC4, DES, and null ciphers from the enabled list, and rerun show ssl to confirm the change.

Examples

The following is sample output from the show ssl command:

ciscoasa# show ssl
 
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
SSL trust-points:
inside interface: interfaceA
outside interface: interfaceB
Certificate authentication is not enabled
 

 
Related Commands

Command
Description

license-server port

Sets the port on which the server listens for SSL connections from participants.

show startup-config

To show the startup configuration or to show any errors when the startup configuration loaded, use the show startup-config command in privileged EXEC mode.

show startup-config [ errors ]

 
Syntax Description

errors

(Optional) Shows any errors that were generated when the ASA loaded the startup configuration.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System1

Privileged EXEC

1. The errors keyword is available only in single mode and in the system execution space of multiple context mode.

 
Command History

Release
Modification

7.0(1)

The errors keyword was added.

8.3(1)

The command output displays encrypted passwords.

 
Usage Guidelines

In multiple context mode, the show startup-config command shows the startup configuration for your current execution space: the system configuration or the security context.

Passwords and keys in the show startup-config output appear encrypted, masked, or in clear text depending on whether password encryption is enabled. Treat the output as sensitive in either case: it contains the enable and login password hashes (shown as encrypted in the example below) and any keys the configuration defines, so do not paste it into tickets or unprotected backups.

To clear the startup errors from memory, use the clear startup-config errors command.

Examples

The following is sample output from the show startup-config command:

ciscoasa# show startup-config
: Saved
: Written by enable_15 at 01:44:55.598 UTC Thu Apr 17 2003
 
Version 7.X(X)
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 209.165.200.224
webvpn enable
!
interface GigabitEthernet0/1
shutdown
nameif test
security-level 0
ip address 209.165.200.225
!
 
...
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname firewall1
domain-name example.com
boot system disk0:/cdisk.bin
ftp mode passive
names
name 10.10.4.200 outside
access-list xyz extended permit ip host 192.168.0.4 host 209.165.200.226
!
ftp-map ftp_map
!
ftp-map inbound_ftp
deny-request-cmd appe stor stou
!
 
...
 
Cryptochecksum:4edf97923899e712ed0da8c338e07e63
 

The following is sample output from the show startup-config errors command:

ciscoasa# show startup-config errors
 
ERROR: 'Mac-addresses': invalid resource name
*** Output from config line 18, "limit-resource Mac-add..."
INFO: Admin context is required to get the interfaces
*** Output from config line 30, "arp timeout 14400"
Creating context 'admin'... WARNING: Invoked the stub function ibm_4gs3_context_set_max_mgmt_sess
WARNING: Invoked the stub function ibm_4gs3_context_set_max_mgmt_sess
Done. (1)
*** Output from config line 33, "admin-context admin"
WARNING: VLAN *24* is not configured.
*** Output from config line 12, context 'admin', "nameif inside"
.....
*** Output from config line 37, "config-url disk:/admin..."
 

 
Related Commands

Command
Description

clear startup-config errors

Clears the startup errors from memory.

show running-config

Shows the running configuration.

show sunrpc-server active

To display the pinholes open for Sun RPC services, use the show sunrpc-server active command in privileged EXEC mode.

show sunrpc-server active

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  
  •  
  •  
  •  

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Use the show sunrpc-server active command to display the pinholes open for Sun RPC services, such as NFS and NIS. Each entry is a temporary exception that Sun RPC inspection opened after seeing a portmapper reply: it permits traffic between the LOCAL and FOREIGN addresses on the dynamically assigned port that the reply advertised (32780 in the example) for the RPC program number shown in the SERVICE column (100005 is mountd, 100003 is nfs, 100004 is ypserv), and it expires after the TIMEOUT shown. Review entries with unexpected foreign addresses or program numbers, and remove them with clear sunrpc-server active if needed.

Examples

To display the pinholes open for Sun RPC services, enter the show sunrpc-server active command. The following is sample output from the show sunrpc-server active command:

ciscoasa# show sunrpc-server active
LOCAL FOREIGN SERVICE TIMEOUT
-----------------------------------------------
192.168.100.2/0 209.165.200.5/32780 100005 00:10:00
 

 
Related Commands

Command
Description

clear configure sunrpc-server

Clears the Sun remote processor call services from the ASA.

clear sunrpc-server active

Clears the pinholes opened for Sun RPC services, such as NFS or NIS.

inspect sunrpc

Enables or disables Sun RPC application inspection and configures the port used.

show running-config sunrpc-server

Displays information about the SunRPC services configuration.

show switch mac-address-table

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the show switch mac-address-table command in privileged EXEC mode to view the switch MAC address table.

show switch mac-address-table

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

This command is for models with built-in switches only. The switch MAC address table maintains the MAC address-to-switch port mapping for traffic within each VLAN in the switch hardware. If you are in transparent firewall mode, use the show mac-address-table command to view the bridge MAC address table in the ASA software. The bridge MAC address table maintains the MAC address-to-VLAN interface mapping for traffic that passes between VLANs.

MAC address entries age out in 5 minutes.

Examples

The following is sample output from the show switch mac-address-table command.

ciscoasa# show switch mac-address-table
Legend: Age - entry expiration time in seconds
 
Mac Address | VLAN | Type | Age | Port
-------------------------------------------------------
000e.0c4e.2aa4 | 0001 | dynamic | 287 | Et0/0
0012.d927.fb03 | 0001 | dynamic | 287 | Et0/0
0013.c4ca.8a8c | 0001 | dynamic | 287 | Et0/0
00b0.6486.0c14 | 0001 | dynamic | 287 | Et0/0
00d0.2bff.449f | 0001 | static | - | In0/1
0100.5e00.000d | 0001 | static multicast | - | In0/1,Et0/0-7
Total Entries: 6
 

Table 59-4 shows each field description:

 

Table 59-4 show switch mac-address-table Fields

Field
Description

Mac Address

Shows the MAC address.

VLAN

Shows the VLAN associated with the MAC address.

Type

Shows if the MAC address was learned dynamically, as a static multicast address, or statically. The only static entry is for the internal backplane interface.

Age

Shows the age of a dynamic entry in the MAC address table.

Port

Shows the switch port through which the host with the MAC address can be reached.
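Two checks on this table, as an added example that is not Cisco's code: the script parses show switch mac-address-table output, reports access ports that have learned more MAC addresses than a single host would explain (an unmanaged switch or hub behind the port, or MAC flooding), and compares two snapshots to find MAC addresses that moved between switch ports (a duplicated or spoofed host). BEFORE is a constructed copy of the reference output; AFTER is a constructed later snapshot in which one host has reappeared on Et0/3; the function names and the default limit are this example's own.

```python
import re
from collections import Counter

# Added example, not Cisco code: parse "show switch mac-address-table" output
# and flag crowded ports and MAC addresses that changed port between snapshots.
# BEFORE is a constructed copy of the reference output; AFTER is a constructed
# later snapshot in which 00b0.6486.0c14 has moved from Et0/0 to Et0/3.
BEFORE = """\
Legend: Age - entry expiration time in seconds

Mac Address | VLAN | Type | Age | Port
-------------------------------------------------------
000e.0c4e.2aa4 | 0001 | dynamic | 287 | Et0/0
0012.d927.fb03 | 0001 | dynamic | 287 | Et0/0
0013.c4ca.8a8c | 0001 | dynamic | 287 | Et0/0
00b0.6486.0c14 | 0001 | dynamic | 287 | Et0/0
00d0.2bff.449f | 0001 | static | - | In0/1
0100.5e00.000d | 0001 | static multicast | - | In0/1,Et0/0-7
Total Entries: 6
"""
AFTER = """\
Mac Address | VLAN | Type | Age | Port
-------------------------------------------------------
000e.0c4e.2aa4 | 0001 | dynamic | 120 | Et0/0
0012.d927.fb03 | 0001 | dynamic | 120 | Et0/0
0013.c4ca.8a8c | 0001 | dynamic | 120 | Et0/0
00b0.6486.0c14 | 0001 | dynamic | 299 | Et0/3
00d0.2bff.449f | 0001 | static | - | In0/1
0100.5e00.000d | 0001 | static multicast | - | In0/1,Et0/0-7
Total Entries: 6
"""

# A data row starts with a dotted-hex MAC followed by the column separator.
MAC_ROW = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\s*\|", re.I)


def parse_switch_mac_table(text):
    """Return one dict per MAC entry; legend, header, rule and totals are skipped."""
    rows = []
    for line in text.splitlines():
        if not MAC_ROW.match(line.strip()):
            continue
        mac, vlan, typ, age, port = (c.strip() for c in line.split("|"))
        rows.append({"mac": mac.lower(), "vlan": int(vlan), "type": typ,
                     "age": None if age == "-" else int(age), "port": port})
    return rows


def crowded_ports(rows, limit=1):
    """Ports with more than `limit` dynamically learned MACs. limit=1 suits an
    access port that should have exactly one host behind it."""
    counts = Counter(r["port"] for r in rows if r["type"] == "dynamic")
    return {port: n for port, n in counts.items() if n > limit}


def mac_moves(before, after):
    """(mac, vlan, old_port, new_port) for dynamic entries that changed port."""
    old = {(r["mac"], r["vlan"]): r["port"]
           for r in before if r["type"] == "dynamic"}
    moves = []
    for r in after:
        key = (r["mac"], r["vlan"])
        if r["type"] == "dynamic" and key in old and old[key] != r["port"]:
            moves.append((r["mac"], r["vlan"], old[key], r["port"]))
    return moves


if __name__ == "__main__":
    b, a = parse_switch_mac_table(BEFORE), parse_switch_mac_table(AFTER)
    print("crowded ports:", crowded_ports(b, limit=2))
    print("moved MACs   :", mac_moves(b, a))
```

Because dynamic entries age out in 5 minutes, the Age column tells you how fresh each observation is; take the two snapshots closer together than that, and compare only dynamic entries, since the static backplane and multicast rows never move.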

 
Related Commands

Command
Description

show mac-address-table

Shows the MAC address table for models that do not have a built-in switch.

show switch vlan

Shows the VLAN and physical MAC address association.

show switch vlan

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the show switch vlan command in privileged EXEC mode to view the VLANs and the associated switch ports.

show switch vlan

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

This command is for models with built-in switches only. For other models, use the show vlan command.

Examples

The following is sample output from the show switch vlan command.

ciscoasa# show switch vlan
 
VLAN Name Status Ports
---- -------------------------------- --------- -------------
100 inside up Et0/0, Et0/1
200 outside up Et0/7
300 - down Et0/1, Et0/2
400 backup down Et0/3
 

Table 59-5 shows each field description:

 

Table 59-5 show switch vlan Fields

Field
Description

VLAN

Shows the VLAN number.

Name

Shows the name of the VLAN interface. If no name is set using the nameif command, or if there is no interface vlan command, the display shows a dash (-).

Status

Shows the status, up or down, to receive and send traffic to and from the VLAN in the switch. At least one switch port in the VLAN needs to be in an up state for the VLAN state to be up.

Ports

Shows the switch ports assigned to each VLAN. If a switch port is listed for multiple VLANs, it is a trunk port. The above sample output shows Ethernet 0/1 is a trunk port that carries VLAN 100 and 300.

 
Related Commands

Command
Description

clear interface

Clears counters for the show interface command.

interface vlan

Creates a VLAN interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.

show vlan

Shows the VLANs for models that do not have built-in switches.

switchport mode

Sets the mode of the switch port to access or trunk mode.