Cisco Nexus 6000 Series NX-OS Security Command Reference
Show Commands

Table Of Contents

Show Commands

show aaa accounting

show aaa authentication

show aaa authorization

show aaa groups

show aaa user

show access-lists

show accounting log

show checkpoint

show checkpoint summary

show checkpoint system

show checkpoint user

show diff rollback-patch checkpoint

show diff rollback-patch file

show diff rollback-patch running-config

show diff rollback-patch startup-config

show http-server

show ip access-lists

show ip arp

show ip arp inspection

show ip arp inspection interfaces

show ip arp inspection log

show ip arp inspection statistics

show ip arp inspection vlan

show ip arp sync-entries

show ip dhcp snooping

show ip dhcp snooping binding

show ip dhcp snooping statistics

show ipv6 access-lists

show ip verify source

show mac access-lists

show privilege

show radius-server

show role

show role feature

show role feature-group

show rollback log

show running-config aaa

show running-config aclmgr

show running-config arp

show running-config dhcp

show running-config radius

show running-config security

show ssh key

show ssh server

show startup-config aaa

show startup-config aclmgr

show startup-config arp

show startup-config dhcp

show startup-config radius

show startup-config security

show tacacs-server

show telnet server

show user-account

show users

show vlan access-list

show vlan access-map

show vlan filter


Show Commands


This chapter describes the Cisco NX-OS security show commands.

show aaa accounting

To display authentication, authorization, and accounting (AAA) accounting configuration, use the show aaa accounting command.

show aaa accounting

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the configuration of the accounting log:

switch# show aaa accounting 
         default: local
switch#
 
   

Related Commands

Command
Description

aaa accounting default

Configures AAA methods for accounting.


show aaa authentication

To display authentication, authorization, and accounting (AAA) authentication configuration information, use the show aaa authentication command.

show aaa authentication login [error-enable | mschap]

Syntax Description

error-enable

(Optional) Displays the authentication login error message enable configuration.

mschap

(Optional) Displays the authentication login Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) enable configuration.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the configured authentication parameters:

switch# show aaa authentication 
         default: group t1
         console: group t1
switch#
 
   

This example shows how to display the authentication login error enable configuration:

switch# show aaa authentication login error-enable 
disabled
switch#
 
   

This example shows how to display the authentication login MS-CHAP configuration:

switch# show aaa authentication login mschap 
MSCHAP is disabled
switch#
 
   

Related Commands

Command
Description

aaa authentication

Configures AAA authentication methods.


show aaa authorization

To display AAA authorization configuration information, use the show aaa authorization command.

show aaa authorization [all]

Syntax Description

all

(Optional) Displays configured and default values.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the configured authorization methods:

switch# show aaa authorization 
AAA command authorization:
         default authorization for config-commands: none
switch#
 
   

Related Commands

Command
Description

aaa authorization commands default

Configures default AAA authorization methods for EXEC commands.

aaa authorization config-commands default

Configures default AAA authorization methods for configuration commands.


show aaa groups

To display authentication, authorization, and accounting (AAA) server group configuration, use the show aaa groups command.

show aaa groups

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display AAA group information:

switch# show aaa groups 
radius
t1
tacacs
rad1
switch#
 
   

Related Commands

Command
Description

aaa group server radius

Creates a RADIUS server group.


show aaa user

To display the status of the default role assigned by the authentication, authorization, and accounting (AAA) server administrator for remote authentication, use the show aaa user command.

show aaa user default-role

Syntax Description

default-role

Displays the status of the default AAA role.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the status of the default role assigned by the AAA server administrator for remote authentication:

switch# show aaa user default-role 
enabled
switch# 
 
   

Related Commands

Command
Description

aaa user default-role

Configures the default user for remote authentication.

show aaa authentication

Displays AAA authentication information.


show access-lists

To display all IPv4 and MAC access control lists (ACLs) or a specific ACL, use the show access-lists command.

show access-lists [access-list-name]

Syntax Description

access-list-name

(Optional) Name of an ACL, which can be up to 64 alphanumeric, case-sensitive characters.


Command Default

The switch shows all ACLs unless you use the access-list-name argument to specify an ACL.

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display all IPv4 and MAC ACLs on the switch:

switch# show access-lists 
 
   

In Cisco NX-OS Release 5.0(2)N1(1), the following output is displayed:

switch# show access-lists 
 
   
IP access list BulkData
        10 deny ip any any
IP access list CriticalData
        10 deny ip any any
IP access list Scavenger
        10 deny ip any any
MAC access list acl-mac
        10 permit any any
IP access list denyv4
        20 deny ip 10.10.10.0/24 10.20.10.0/24 fragments
        30 permit udp 10.10.10.0/24 10.20.10.0/24 lt 400
        40 permit icmp any any router-advertisement
        60 deny tcp 10.10.10.0/24 10.20.10.0/24 syn
        70 permit igmp any any host-report
        80 deny tcp any any rst
        90 deny tcp any any ack
        100 permit tcp any any fin
        110 permit tcp any gt 300 any lt 400
        130 deny tcp any range 200 300 any lt 600
        140 deny tcp any range 200 300 any lt 600
IP access list dot
        statistics per-entry
        10 permit ip 20.1.1.1 255.255.255.0 20.10.1.1 255.255.255.0 precedence flash-override
        20 deny ip 20.1.1.1/24 20.10.1.1/24 fragments
        30 permit tcp any any fragments
        40 deny tcp any eq 400 any eq 500
IP access list ipPacl
        statistics per-entry
        10 deny tcp any eq 400 any eq 500
IP access list ipv4
        10 permit ip 10.10.10.1 225.255.255.0 any fragments
        20 permit ip any any dscp ef
IP access list ipv4Acl
        10 permit ip 10.10.10.1/32 10.10.10.2/32
MAC access list test
        statistics per-entry
        10 deny 0000.1111.2222 0000.0000.0000 0000.1111.3333 ffff.0000.0000
IP access list voice
        10 remark - avaya rtp range
        20 permit udp any range 49072 50175 any range 49072 50175 dscp ef
        30 permit udp any range 49072 50175 any range 50176 50353 dscp ef
        40 permit udp any range 50176 50353 any range 49072 50175 dscp ef
        50 permit udp any range 50176 50353 any range 50176 50353 dscp ef
        60 permit udp any range 2048 2815 any range 2048 2815 dscp ef
        70 permit udp any range 2048 2815 any range 2816 3028 dscp ef
        80 permit udp any range 2816 3028 any range 2816 3028 dscp ef
        90 permit udp any range 2816 3028 any range 2048 2815 dscp ef
        100 remark -- cisco rtp range
switch#
 
   

Related Commands

Command
Description

ip access-list

Configures an IPv4 ACL.

mac access-list

Configures a MAC ACL.

show ip access-lists

Displays all IPv4 ACLs or a specific IPv4 ACL.

show mac access-lists

Displays all MAC ACLs or a specific MAC ACL.


show accounting log

To display the accounting log contents, use the show accounting log command.

show accounting log [size] [start-time year month day HH:MM:SS] [end-time year month day HH:MM:SS]

Syntax Description

size

(Optional) Amount of the log to display in bytes. The range is from 0 to 250000.

start-time year month day HH:MM:SS

(Optional) Specifies a start time. The year argument is in yyyy format. The month is the three-letter English abbreviation. The day argument range is from 1 to 31. The HH:MM:SS argument is in standard 24-hour format.

end-time year month day HH:MM:SS

(Optional) Specifies an end time. The year argument is in yyyy format. The month is the three-letter English abbreviation. The day argument range is from 1 to 31. The HH:MM:SS argument is in standard 24-hour format.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the entire accounting log:

switch# show accounting log 
 
   

In Cisco NX-OS Release, this command displays the following output:

switch# show accounting log 
 
   
Mon Aug 16 09:37:43 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; interface vfc3 ; bind interface Ethernet1/12 (SUCCESS)
Mon Aug 16 09:38:20 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; interface vfc3 ; no shutdown (REDIRECT)
Mon Aug 16 09:38:20 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=Interface vfc3 state updated to up
Mon Aug 16 09:38:20 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; interface vfc3 ; no shutdown (SUCCESS)
Mon Aug 16 09:38:20 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; interface vfc3 ; no shutdown (SUCCESS)
Mon Aug 16 09:48:05 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; interface Ethernet2/1 (SUCCESS)
Mon Aug 16 09:55:27 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; vtp mode client (FAILURE)
Mon Aug 16 09:55:35 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; vtp mode server (FAILURE)
Mon Aug 16 10:03:46 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; no vtp mode (FAILURE)
Mon Aug 16 10:04:11 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; vtp mode transparent (SUCCESS)
Mon Aug 16 10:04:20 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; vtp domain MyDomain (SUCCESS)
Mon Aug 16 10:04:39 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; vtp password MyPass (SUCCESS)
Mon Aug 16 10:05:17 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; no vtp password (SUCCESS)
Mon Aug 16 10:06:46 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; vtp pruning (SUCCESS)
Mon Aug 16 10:09:11 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; interface Ethernet1/12 (SUCCESS)
Mon Aug 16 10:32:33 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=clear vtp counters (SUCCESS)
Mon Aug 16 10:35:20 2010:type=stop:id=72.163.177.184@pts/0:user=admin:cmd=shell terminated because of telnet closed
--More--
switch#
 
   

This example shows how to display 400 bytes of the accounting log:

switch# show accounting log 400 
 
   

This example shows how to display the accounting log starting at 16:00:00 on February 16, 2008:

switch# show accounting log start-time 2008 Feb 16 16:00:00 
 
   

This example shows how to display the accounting log starting at 15:59:59 on February 1, 2008 and ending at 16:00:00 on February 29, 2008:

switch# show accounting log start-time 2008 Feb 1 15:59:59 end-time 2008 Feb 29 16:00:00 
 
   

Related Commands

Command
Description

clear accounting log

Clears the accounting log.
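
The following added example (not part of the Cisco documentation) parses captured show accounting log output into records, lists failed configuration attempts, and redacts secrets that were typed on the command line, such as the vtp password entry in the output above. The function names, the 80-column wrap width, and the password/secret keyword list are assumptions made for the example.

```python
import re

# Constructed sample in the record format shown above, wrapped at 80 columns as a
# terminal capture would be; the address is from a documentation range.
SAMPLE = """\
Mon Aug 16 09:38:20 2010:type=update:id=198.51.100.240@pts/0:user=admin:cmd=conf
igure terminal ; interface vfc3 ; no shutdown (REDIRECT)
Mon Aug 16 09:55:27 2010:type=update:id=198.51.100.240@pts/0:user=admin:cmd=conf
igure terminal ; vtp mode client (FAILURE)
Mon Aug 16 09:55:35 2010:type=update:id=198.51.100.240@pts/0:user=admin:cmd=conf
igure terminal ; vtp mode server (FAILURE)
Mon Aug 16 10:04:39 2010:type=update:id=198.51.100.240@pts/0:user=admin:cmd=conf
igure terminal ; vtp password ExamplePw (SUCCESS)
Mon Aug 16 10:05:17 2010:type=update:id=198.51.100.240@pts/0:user=admin:cmd=conf
igure terminal ; no vtp password (SUCCESS)
Mon Aug 16 10:35:20 2010:type=stop:id=198.51.100.240@pts/0:user=admin:cmd=shell
terminated because of telnet closed
--More--
switch#
"""

# A record begins with a timestamp followed by ":type=".
START = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}:type=")
RECORD = re.compile(
    r"^(?P<ts>.{24}):type=(?P<type>\w+):id=(?P<id>[^:]*)"
    r":user=(?P<user>[^:]*):cmd=(?P<cmd>.*)$"
)
STATUS = re.compile(r"\s*\((SUCCESS|FAILURE|REDIRECT)\)$")
PROMPT = re.compile(r"^\S+#(\s|$)")
# Illustrative keyword list (assumption): a value following one of these is a secret.
SECRET = re.compile(r"\b(password|secret)\s+(\S+)", re.IGNORECASE)


def unwrap(text, width=80):
    """Rejoin records that the capture wrapped across physical lines."""
    records, prev_len = [], 0
    for line in text.splitlines():
        if not line.strip() or line.strip() == "--More--" or PROMPT.match(line):
            continue
        if START.match(line):
            records.append(line)
        elif records:
            # A full-width line was cut mid-token; a shorter one lost a space.
            glue = "" if prev_len >= width else " "
            records[-1] += glue + line
        prev_len = len(line)
    return records


def parse(text, width=80):
    """Return one dict per record: ts, type, id, user, cmd, status."""
    out = []
    for raw in unwrap(text, width):
        m = RECORD.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        s = STATUS.search(rec["cmd"])
        rec["status"] = s.group(1) if s else None
        if s:
            rec["cmd"] = rec["cmd"][: s.start()]
        out.append(rec)
    return out


def review(records):
    """List failed commands per user and commands that carried a secret."""
    failures = [(r["user"], r["cmd"]) for r in records if r["status"] == "FAILURE"]
    secrets = [
        SECRET.sub(r"\1 <redacted>", r["cmd"])
        for r in records
        if SECRET.search(r["cmd"])
    ]
    return {"failures": failures, "secrets": secrets}


if __name__ == "__main__":
    report = review(parse(SAMPLE))
    for user, cmd in report["failures"]:
        print(f"FAILURE by {user}: {cmd}")
    for cmd in report["secrets"]:
        print(f"secret on command line: {cmd}")
```

Because the log stores such commands verbatim, redact before forwarding the output to a ticket or log platform.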


show checkpoint

To display the configuration at the time a checkpoint was implemented, use the show checkpoint command.

show checkpoint [checkpoint-name] [all [system | user]]

Syntax Description

checkpoint-name

(Optional) Checkpoint name. The name can be a maximum of 32 characters.

all

(Optional) Displays user-configured and system-configured checkpoints.

system

(Optional) Displays all system-configured checkpoints.

user

(Optional) Displays all user-configured checkpoints.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

The command output displays a history of the most recent (up to ten) checkpoint IDs. The checkpoint IDs represent the rollback points that allow the user to restore the system to a checkpoint configuration.

Examples

This example shows how to display the rollback checkpoints configured in the local switch:

switch# show checkpoint 
--------------------------------------------------------------------------------
Name: chkpnt-1
 
   
 
   
!Command: Checkpoint cmd vdc 1
!Time: Mon Sep  6 09:40:47 2010
 
   
version 5.0(2)N1(1)
feature telnet
feature tacacs+
cfs eth distribute
feature private-vlan
feature udld
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature fex
 
   
username adminbackup password 5 !  role network-operator
username admin password 5 $1$KIPRDtFF$7eUMjCAd7Nkhktzebsg5/0  role network-admin
no password strength-check
ip domain-lookup
ip domain-lookup
hostname switch
ip access-list ip1
class-map type qos class-fcoe
  match cos 4
class-map type qos match-all cq1
  match cos 4
  match precedence 7
class-map type qos match-all cq2
  match cos 5
  match dscp 10
class-map type qos match-any cq3
  match precedence 7
 
   
<--output truncated-->
switch#
 
   

This example shows how to display information about a specific checkpoint:

switch# show checkpoint chkpnt-1 
--------------------------------------------------------------------------------
Name: chkpnt-1
 
   
 
   
!Command: Checkpoint cmd vdc 1
!Time: Mon Sep  6 09:40:47 2010
 
   
version 5.0(2)N1(1)
feature telnet
feature tacacs+
cfs eth distribute
feature private-vlan
feature udld
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature fex
 
   
username adminbackup password 5 !  role network-operator
username admin password 5 $1$KIPRDtFF$7eUMjCAd7Nkhktzebsg5/0  role network-admin
no password strength-check
ip domain-lookup
ip domain-lookup
hostname switch
ip access-list ip1
class-map type qos class-fcoe
  match cos 4
class-map type qos match-all cq1
  match cos 4
  match precedence 7
--More--
switch#
 
   

This example shows how to display all configured rollback checkpoints:

switch# show checkpoint all 
 
   

Related Commands

Command
Description

checkpoint

Creates a checkpoint.

rollback

Rolls back the configuration to any of the saved checkpoints.

show checkpoint summary

Displays configuration rollback checkpoints summary.

show checkpoint system

Displays system-defined rollback checkpoints.

show checkpoint user

Displays user-configured rollback checkpoints.


show checkpoint summary

To display a summary of the configured checkpoints, use the show checkpoint summary command.

show checkpoint summary [system | user]

Syntax Description

system

(Optional) Displays a summary of the system-configured checkpoints.

user

(Optional) Displays a summary of the user-configured checkpoints.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the configuration rollback checkpoints summary:

switch# show checkpoint summary 
User Checkpoint Summary
User Checkpoint Summary
--------------------------------------------------------------------------------
1) chkpnt-1:
Created by admin
Created at Tue, 08:10:23 14 Sep 2010
Size is 21,508 bytes
Description: Checkpoint to save current configuration, Sep 9 10:02 A.M.
 
   
2) chkpnt-2:
Created by admin
Created at Tue, 08:11:46 14 Sep 2010
Size is 21,536 bytes
Description: None
 
   
3) user-checkpoint-4:
Created by admin
Created at Tue, 08:16:48 14 Sep 2010
Size is 21,526 bytes
Description: None
 
   
switch#
 
   

This example shows how to display the summary of the system-configured rollback checkpoints:

switch# show checkpoint summary system 
 
   

This example shows how to display the summary of the user-configured rollback checkpoints:

switch# show checkpoint summary user 
--------------------------------------------------------------------------------
1) chkpnt-1:
Created by admin
Created at Tue, 08:10:23 14 Sep 2010
Size is 21,508 bytes
Description: Checkpoint to save current configuration, Sep 9 10:02 A.M.
 
   
2) chkpnt-2:
Created by admin
Created at Tue, 08:11:46 14 Sep 2010
Size is 21,536 bytes
Description: None
 
   
3) user-checkpoint-4:
Created by admin
Created at Tue, 08:16:48 14 Sep 2010
Size is 21,526 bytes
Description: None
 
   
switch#
 
   

Related Commands

Command
Description

checkpoint

Creates a checkpoint.

rollback

Rolls back the configuration to any of the saved checkpoints.

show checkpoint

Displays rollback checkpoints.

show checkpoint system

Displays system-defined rollback checkpoints.

show checkpoint user

Displays user-configured rollback checkpoints.


show checkpoint system

To display only the system-configured checkpoints, use the show checkpoint system command.

show checkpoint system

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the rollback checkpoints defined by the system:

switch# show checkpoint system 
 
   

Related Commands

Command
Description

checkpoint

Creates a checkpoint.

rollback

Rolls back the configuration to any of the saved checkpoints.

show checkpoint

Displays rollback checkpoints.

show checkpoint user

Displays user-configured rollback checkpoints.


show checkpoint user

To display only the user-configured checkpoints, use the show checkpoint user command.

show checkpoint user

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the rollback checkpoints configured by the current user:

switch# show checkpoint user 
--------------------------------------------------------------------------------
Name: myChkpoint
 
   
 
   
!Command: Checkpoint cmd vdc 1
!Time: Mon Sep  6 09:40:47 2010
 
   
version 5.0(2)N1(1)
feature telnet
feature tacacs+
cfs eth distribute
feature private-vlan
feature udld
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature fex
 
   
username adminbackup password 5 !  role network-operator
username admin password 5 $1$KIPRDtFF$7eUMjCAd7Nkhktzebsg5/0  role network-admin
no password strength-check
ip domain-lookup
ip domain-lookup
hostname switch
ip access-list ip1
class-map type qos class-fcoe
  match cos 4
class-map type qos match-all cq1
  match cos 4
  match precedence 7
 
   
<--output truncated-->
switch#
 
   

Related Commands

Command
Description

checkpoint

Creates a checkpoint.

rollback

Rolls back the configuration to any of the saved checkpoints.

show checkpoint

Displays rollback checkpoints.

show checkpoint summary

Displays a summary of all configured rollback checkpoints.

show checkpoint system

Displays system-defined rollback checkpoints.


show diff rollback-patch checkpoint

To display the configuration differences between two checkpoints, use the show diff rollback-patch checkpoint command.

show diff rollback-patch checkpoint src-checkpoint-name checkpoint dest-checkpoint-name

Syntax Description

src-checkpoint-name

Source checkpoint name. The name can be a maximum of 32 characters.

dest-checkpoint-name

Destination checkpoint name. The name can be a maximum of 32 characters.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

Use this command to view the differences between the source and destination checkpoints that reference current or saved configurations. The configuration differences based on the current running configuration and checkpointed configuration are applied to the system to restore the running state of the system.

Examples

This example shows how to view the changes between two checkpoints, chkpnt-1 and chkpnt-2:

switch# checkpoint chkpnt-1 
<-- modify configuration in running configuration--->
switch# checkpoint chkpnt-2 
<-- modify configuration in running configuration--->
switch# checkpoint 
...
user-checkpoint-4 created Successfully
 
   
Done
switch# 
<-- modify configuration in running configuration--->
switch# show diff rollback-patch checkpoint user-checkpoint-4 checkpoint chkpnt-1 
#Generating Rollback Patch
 
   
!!
interface Ethernet1/2
  no untagged cos
  no description Sample config
  exit
!
interface Ethernet1/2
 channel-group 1
!
line vty
switch# rollback chkpnt-1 
switch# 
 
   

Related Commands

Command
Description

checkpoint

Creates a checkpoint.

rollback

Rolls back the configuration to any of the saved checkpoints.

show checkpoint

Displays checkpoint information.

show diff rollback-patch file

Displays the differences between the current checkpoint file and the saved configuration.

show diff rollback-patch running-config

Displays the differences between the current running configuration and the saved checkpoint configuration.


show diff rollback-patch file

To display the differences between the two checkpoint configuration files, use the show diff rollback-patch file command.

show diff rollback-patch file {bootflash: | volatile:}[//server][directory/][src-filename] {checkpoint dest-checkpoint-name | file {bootflash: | volatile:}[//server][directory/][dest-filename] | running-config | startup-config}

Syntax Description

bootflash:

Specifies the bootflash local writable storage file system.

volatile:

Specifies the volatile local writable storage file system.

//server

(Optional) Name of the server. Valid values are ///, //module-1/, //sup-1/, //sup-active/, or //sup-local/. The double slash (//) is required.

directory/

(Optional) Name of a directory. The directory name is case sensitive.

src-filename

(Optional) Name of the source checkpoint configuration file. The filename is case sensitive.

dest-filename

(Optional) Name of the destination checkpoint configuration file. The filename is case sensitive.

checkpoint

Specifies a destination checkpoint.

dest-checkpoint-name

Destination checkpoint name. The name can be a maximum of 32 characters.

file

Specifies the destination checkpoint file.

running-config

Specifies that the running configuration be used as the destination.

startup-config

Specifies that the startup configuration be used as the destination.



Note: There can be no spaces in the filesystem://server/directory/filename string. Individual elements of this string are separated by colons (:) and slashes (/).


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

Use this command to view the differences between the source and destination checkpoint configuration files that reference current or saved configurations. The configuration differences based on the current running configuration and checkpointed configuration are applied to the system to restore the running state of the system.

Examples

This example shows how to view the changes between two checkpoint configurations stored in files in the bootflash storage system:

switch# checkpoint chkpnt-1 
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt 
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-2.txt 
<-- modify configuration in running configuration--->
switch# checkpoint chkpnt-2 
switch# show diff rollback-patch file bootflash:///chkpnt_configSep9-2.txt file bootflash:///chkpnt_configSep9-1.txt 
 
   
switch# rollback file bootflash:///chkpnt_configSep9-1.txt 
switch# 
 
   

Related Commands

Command
Description

rollback

Rolls back the switch to any of the saved checkpoints.

show checkpoint

Displays checkpoint information.

show diff rollback-patch checkpoint

Displays the differences between the current checkpoint and the saved configuration.

show diff rollback-patch running-config

Displays the differences between the current running configuration and the saved checkpoint configuration.


show diff rollback-patch running-config

To display the differences between the current running configuration and the saved (checkpointed) configuration, use the show diff rollback-patch running-config command.

show diff rollback-patch running-config {checkpoint checkpoint-name | file {bootflash: | volatile:}[//server][directory/][filename] | running-config | startup-config}

Syntax Description

checkpoint

Specifies that the checkpoint be used as the destination in the comparison.

checkpoint-name

Checkpoint name. The name can be a maximum of 32 characters.

file

Specifies that the checkpoint configuration file be used as the destination in the comparison.

bootflash:

Specifies the bootflash local writable storage file system.

volatile:

Specifies the volatile local writable storage file system.

//server

(Optional) Name of the server. Valid values are ///, //module-1/, //sup-1/, //sup-active/, or //sup-local/. The double slash (//) is required.

directory/

(Optional) Name of a directory. The directory name is case sensitive.

filename

(Optional) Name of the checkpoint configuration file. The filename is case sensitive.

running-config

Specifies that the running configuration be used as the destination in the comparison.

startup-config

Specifies that the startup configuration be used as the destination in the comparison.



Note: There can be no spaces in the filesystem://server/directory/filename string. Individual elements of this string are separated by colons (:) and slashes (/).


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

Use this command to view the differences between the current running configuration and destination checkpoints that reference a saved configuration. The configuration differences based on the current running configuration and checkpointed configuration are applied to the system to restore the running state of the system.

Examples

This example shows how to view the configuration changes between the current running configuration and a checkpoint named chkpnt-1:

switch# checkpoint chkpnt-1 
<-- modify configuration in running configuration--->
switch# checkpoint chkpnt-2 
<-- modify configuration in running configuration--->
switch# show diff rollback-patch running-config checkpoint chkpnt-1 
Collecting Running-Config
#Generating Rollback Patch
 
   
!!
interface Ethernet1/2
  no description Sample config
  exit
switch# 
 
   

This example shows how to view the configuration changes between the current running configuration and a saved configuration in the bootflash storage system:

switch# checkpoint chkpnt-1 
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt 
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-2.txt 
<-- modify configuration in running configuration--->
switch# show diff rollback-patch running-config file chkpnt_configSep9-1.txt 
 
   

This example shows how to view the configuration changes between the current running configuration and a checkpointed running configuration:

switch# checkpoint chkpnt-1 
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt 
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-2.txt 
<-- modify configuration in running configuration--->
switch# show diff rollback-patch running-config running-config 
 
   

This example shows how to view the configuration changes between the current running configuration and a saved startup configuration:

switch# checkpoint chkpnt-1 
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt 
<-- modify configuration in running configuration--->
switch# copy running-config startup-config 
switch# checkpoint file bootflash:///chkpnt_configSep9-2.txt 
<-- modify configuration in running configuration--->
switch# checkpoint chkpnt-2 
switch# show diff rollback-patch running-config startup-config 
Collecting Running-Config
Collecting Startup-Config
#Generating Rollback Patch
 
   
!!
interface Ethernet1/2
  no untagged cos
  no description Sample config
  exit
password strength-check
no username admin
no username adminbackup
!
interface Ethernet1/2
 channel-group 1
no feature ssh
no feature telnet
switch# 
 
   

Related Commands

Command
Description

rollback

Rolls back the switch to any of the saved checkpoints.

show checkpoint

Displays checkpoint information.

show diff rollback-patch checkpoint

Displays the differences between the current checkpoint and the saved configuration.

show diff rollback-patch file

Displays the differences between the current checkpoint file and the saved configuration.

show diff rollback-patch startup-config

Displays the differences between the current startup configuration and the saved checkpoint configuration.
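
The following added example (not part of the Cisco documentation) reads captured show diff rollback-patch output and picks out the patch lines that change accounts, management access, password policy, AAA, or ACLs, so they can be reviewed before a rollback is run. The function names and the rule list are assumptions made for the example; the rules use only commands that appear in this chapter.

```python
import re

# Constructed sample in the layout of the rollback-patch output shown above.
SAMPLE_PATCH = """\
Collecting Running-Config
Collecting Startup-Config
#Generating Rollback Patch

!!
interface Ethernet1/2
  no untagged cos
  no description Sample config
  exit
password strength-check
no username admin
no username adminbackup
!
interface Ethernet1/2
 channel-group 1
no feature ssh
no feature telnet
"""

PROMPT = re.compile(r"^\S+#(\s|$)")

# Illustrative rule set (assumption): category name and the command it matches.
RULES = [
    ("account", re.compile(r"^(no )?username \S+")),
    ("mgmt-access", re.compile(r"^(no )?feature (ssh|telnet)$")),
    ("password-policy", re.compile(r"^(no )?password strength-check$")),
    ("aaa", re.compile(r"^(no )?(aaa|tacacs-server|radius-server) ")),
    ("acl", re.compile(r"^(no )?(ip|ipv6|mac) access-list ")),
]


def parse_patch(text):
    """Return (context, command) pairs; context is the enclosing top-level line."""
    cmds, context = [], None
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("!", "#", "Collecting ")) or PROMPT.match(line):
            continue  # separators, progress messages and CLI prompts
        if line[0].isspace():
            if s != "exit":
                cmds.append((context, s))
        else:
            context = s
            cmds.append((None, s))
    return cmds


def classify(cmds):
    """Keep only the commands that match a security-relevant rule."""
    findings = []
    for context, cmd in cmds:
        for category, rx in RULES:
            if rx.match(cmd):
                findings.append({
                    "category": category,
                    "command": cmd,
                    "context": context,
                    "removes": cmd.startswith("no "),
                })
                break
    return findings


def summarize(findings):
    """Accounts the patch deletes and management features it turns off."""
    return {
        "accounts_removed": [
            f["command"].split()[2]
            for f in findings
            if f["category"] == "account" and f["removes"]
        ],
        "mgmt_disabled": [
            f["command"].split()[-1]
            for f in findings
            if f["category"] == "mgmt-access" and f["removes"]
        ],
    }


if __name__ == "__main__":
    found = classify(parse_patch(SAMPLE_PATCH))
    for f in found:
        print(f"{f['category']:16} {f['command']}")
    print(summarize(found))
```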


show diff rollback-patch startup-config

To display the differences between the current startup configuration and the saved (checkpointed) configuration, use the show diff rollback-patch startup-config command.

show diff rollback-patch startup-config {checkpoint checkpoint-name | file {bootflash: | volatile:}[//server][directory/][filename] | running-config | startup-config}

Syntax Description

checkpoint

Specifies that the checkpoint be used as the destination in the comparison.

checkpoint-name

Checkpoint name. The name can be a maximum of 32 characters.

file

Specifies that the checkpoint configuration file be used as the destination in the comparison.

bootflash:

Specifies the bootflash local writable storage file system.

volatile:

Specifies the volatile local writable storage file system.

//server

(Optional) Name of the server. Valid values are ///, //module-1/, //sup-1/, //sup-active/, or //sup-local/. The double slash (//) is required.

directory/

(Optional) Name of a directory. The directory name is case sensitive.

filename

(Optional) Name of the checkpoint configuration file. The filename is case sensitive.

running-config

Specifies that the running configuration be used as the destination in the comparison.

startup-config

Specifies that the startup configuration be used as the destination in the comparison.



Note There can be no spaces in the filesystem://server/directory/filename string. Individual elements of this string are separated by colons (:) and slashes (/).


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

Use this command to view the differences between the current startup configuration and destination checkpoints that reference a saved configuration. The configuration differences based on the current running configuration and checkpointed configuration are applied to the system to restore the running state of the system.

Examples

This example shows how to view the configuration changes between the current startup configuration and a checkpoint named chkpnt-1:

switch# checkpoint chkpnt-1 
<-- modify configuration in running configuration--->
switch# checkpoint chkpnt-2 
<-- modify configuration in running configuration--->
switch# copy running-config startup-config 
switch# show diff rollback-patch startup-config checkpoint chkpnt-1 
Collecting Startup-Config
#Generating Rollback Patch
 
   
!!
!
feature telnet
feature ssh
username adminbackup password 5 ! role network-operator
username admin password 5 $1$KIPRDtFF$7eUMjCAd7Nkhktzebsg5/0 role network-admin
no password strength-check
switch# 
 
   

This example shows how to view the configuration changes between the current startup configuration and a saved configuration in the bootflash storage system:

switch# checkpoint chkpnt-1 
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt 
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-2.txt 
<-- modify configuration in running configuration--->
switch# copy running-config startup-config 
switch# show diff rollback-patch startup-config file chkpnt_configSep9-1.txt 
 
   
switch# 
 
   

This example shows how to view the configuration changes between the current startup configuration and a checkpointed running configuration:

switch# checkpoint chkpnt-1 
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt 
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-2.txt 
<-- modify configuration in running configuration--->
switch# copy running-config startup-config 
<-- modify configuration in running configuration--->
switch# show diff rollback-patch startup-config running-config 
Collecting Running-Config
Collecting Startup-Config
#Generating Rollback Patch
 
   
!!
!
feature telnet
feature ssh
username adminbackup password 5 ! role network-operator
username admin password 5 $1$KIPRDtFF$7eUMjCAd7Nkhktzebsg5/0 role network-admin
no password strength-check
switch# 
 
   

This example shows how to view the configuration changes between the current startup configuration and a saved startup configuration:

switch# checkpoint chkpnt-1 
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt 
<-- modify configuration in running configuration--->
switch# copy running-config startup-config 
switch# checkpoint file bootflash:///chkpnt_configSep9-2.txt 
<-- modify configuration in running configuration--->
switch# show diff rollback-patch startup-config startup-config 
Collecting Startup-Config
#Generating Rollback Patch
Rollback Patch is Empty
switch# 
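
A rollback patch lists the commands that a rollback would apply, so it is worth screening before the rollback command is run; the patch in the first example above would enable Telnet and turn off password strength checking. The following Python script is an added example, not Cisco code: the rule set, the function names, and the placeholder hash in the constructed sample are assumptions of this example.

```python
import re

# Output lines that are prompts, progress messages or separators, not commands.
NOISE = re.compile(
    r"^(\S+#( .*)?|Collecting .*|#Generating Rollback Patch|Rollback Patch is Empty|!+)$"
)

# (pattern, severity, reason). This rule set is an assumption of the example.
RULES = [
    (re.compile(r"^feature telnet$"), "high", "enables Telnet (cleartext management)"),
    (re.compile(r"^no feature ssh$"), "high", "disables SSH management access"),
    (re.compile(r"^no password strength-check$"), "medium", "disables password strength checking"),
    (re.compile(r"^username \S+ password "), "review", "creates or resets a local account"),
    (re.compile(r"^no username \S+$"), "review", "removes a local account"),
]

# Matches the hash field of a `username ... password <type> <hash>` command.
HASH = re.compile(r"(password \d+ )\S+")

# Constructed sample modelled on the output above; the hash is a placeholder.
SAMPLE = """\
switch# show diff rollback-patch startup-config checkpoint chkpnt-1
Collecting Startup-Config
#Generating Rollback Patch

!!
!
feature telnet
feature ssh
username adminbackup password 5 ! role network-operator
username admin password 5 $1$CONSTRUCTED$placeholderhash000000 role network-admin
no password strength-check
switch#
"""


def patch_commands(output):
    """Return the configuration commands contained in a rollback patch."""
    commands = []
    for raw in output.splitlines():
        line = raw.strip()
        if line and not NOISE.match(line):
            commands.append(line)
    return commands


def redact(command):
    """Hide password hashes so findings can be pasted into a change ticket."""
    return HASH.sub(r"\1<redacted>", command)


def review_patch(output):
    """Return (severity, redacted command, reason) for each command matching a rule."""
    findings = []
    for command in patch_commands(output):
        for pattern, severity, reason in RULES:
            if pattern.search(command):
                findings.append((severity, redact(command), reason))
                break
    return findings


if __name__ == "__main__":
    for severity, command, reason in review_patch(SAMPLE):
        print(f"[{severity}] {command}: {reason}")
```

An empty result for a non-empty patch only means that no rule matched; the patch itself still needs to be read before the rollback.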
 
   

Related Commands

Command
Description

rollback

Rolls back the switch to any of the saved checkpoints.

show checkpoint

Displays checkpoint information.

show diff rollback-patch checkpoint

Displays the differences between the current checkpoint and the saved configuration.

show diff rollback-patch file

Displays the differences between the current checkpoint file and the saved configuration.

show diff rollback-patch running-config

Displays the differences between the current running configuration and the saved checkpoint configuration.


show http-server

To display information about the HTTP or HTTPS configuration, use the show http-server command.

show http-server

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the status of the HTTP server:

switch# show http-server 
http-server enabled
switch# 
 
   

Related Commands

Command
Description

feature http-server

Enables or disables the HTTP or HTTPS server on the switch.


show ip access-lists

To display all IPv4 access control lists (ACLs) or a specific IPv4 ACL, use the show ip access-lists command.

show ip access-lists [access-list-name]

Syntax Description

access-list-name

(Optional) Name of an IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters.


Command Default

The switch shows all IPv4 ACLs unless you use the access-list-name argument to specify an ACL.

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

By default, this command displays the IPv4 ACLs configured on the switch. The command displays the statistics information for an IPv4 ACL only if the IPv4 ACL is applied to the management (mgmt0) interface. If the ACL is applied to an SVI interface or in a QoS class map, then the command does not display any statistics information.

Examples

This example shows how to display all IPv4 ACLs on the switch:

switch# show ip access-lists 

In Cisco NX-OS release 5.0(2)N1(1), this example shows how to display all IPv4 ACLs on the switch:

switch# show ip access-lists 
IP access list BulkData
        10 deny ip any any
IP access list CriticalData
        10 deny ip any any
IP access list Scavenger
        10 deny ip any any
IP access list denyv4
        20 deny ip 10.10.10.0/24 10.20.10.0/24 fragments
        30 permit udp 10.10.10.0/24 10.20.10.0/24 lt 400
        40 permit icmp any any router-advertisement
        60 deny tcp 10.10.10.0/24 10.20.10.0/24 syn
        70 permit igmp any any host-report
        80 deny tcp any any rst
        90 deny tcp any any ack
        100 permit tcp any any fin
        110 permit tcp any gt 300 any lt 400
        130 deny tcp any range 200 300 any lt 600
        140 deny tcp any range 200 300 any lt 600
IP access list dot
        statistics per-entry
        10 permit ip 20.1.1.1 255.255.255.0 20.10.1.1 255.255.255.0 precedence flash-override
        20 deny ip 20.1.1.1/24 20.10.1.1/24 fragments
        30 permit tcp any any fragments
        40 deny tcp any eq 400 any eq 500
IP access list ipPacl
        statistics per-entry
        10 deny tcp any eq 400 any eq 500
IP access list ipv4
        10 permit ip 10.10.10.1 225.255.255.0 any fragments
        20 permit ip any any dscp ef
IP access list ipv4Acl
        10 permit ip 10.10.10.1/32 10.10.10.2/32
IP access list voice
--More--
switch#
 
   

Related Commands

Command
Description

ip access-list

Configures an IPv4 ACL.

show access-lists

Displays all ACLs or a specific ACL.

show mac access-lists

Displays all MAC ACLs or a specific MAC ACL.


show ip arp

To display the Address Resolution Protocol (ARP) table statistics, use the show ip arp command.

show ip arp [client | [statistics | summary] [ethernet slot/port | loopback intf-num | mgmt mgmt-intf-num | port-channel channel-num | vlan vlan-id] [fhrp-non-active-learn] [static] [detail] [vrf {vrf-name | all | default | management}]]

Syntax Description

client

(Optional) Displays ARP information for ARP clients.

statistics

(Optional) Displays the global ARP statistics on the switch or the ARP statistics for interfaces.

summary

(Optional) Displays the ARP adjacency summary information.

ethernet slot/port

(Optional) Displays the ARP information for an Ethernet interface. The slot number is from 1 to 255 and the port number is from 1 to 128.

loopback intf-num

(Optional) Displays the ARP information for a loopback interface. The loopback interface number is from 0 to 1023.

mgmt mgmt-intf-num

(Optional) Displays the ARP information for a management interface. The interface number is 0.

port-channel channel-num

(Optional) Displays the ARP information for an EtherChannel interface. The channel number range is from 1 to 4096.

vlan vlan-id

(Optional) Displays the ARP information for a specified VLAN. The range is from 1 to 4094, except for the VLANs reserved for internal use.

fhrp-non-active-learn

(Optional) Displays the ARP table information learned only due to a request for a nonactive Cisco First Hop Redundancy Protocol (FHRP) address.

static

(Optional) Displays the static ARP entries.

detail

(Optional) Displays the detailed ARP information.

vrf

(Optional) Specifies the virtual routing and forwarding (VRF) to use.

vrf-name

VRF name. The name can be a maximum of 32 alphanumeric characters and is case sensitive.

all

Displays all VRF entries for the specified VLAN in the ARP table.

default

Displays the default VRF entry for the specified VLAN.

management

Displays the management VRF entry for the specified VLAN.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

You must use the feature interface-vlan command before you can display the ARP information for VLAN interfaces.

Examples

This example shows how to display the ARP table:

switch# show ip arp
 
   
IP ARP Table for context default
Total number of entries: 1
Address         Age       MAC Address     Interface
90.10.10.2      00:03:11  000d.ece7.df7c  Vlan900
switch#
 
   

This example shows how to display the detailed ARP table:

switch# show ip arp detail
 
   
IP ARP Table for context default
Total number of entries: 1
Address         Age       MAC Address     Interface        Physical Interface
90.10.10.2      00:02:55  000d.ece7.df7c  Vlan900          Ethernet1/12
switch#
 
   

This example shows how to display the ARP table for VLAN 10 and all VRFs:

switch# show ip arp vlan 10 vrf all
 
   

Table 1 describes the fields shown in the above displays.

Table 1 show ip arp Field Descriptions 

Field
Description

IP ARP Table

Context in which the ARP table is applied.

Total number of entries

Total number of ARP entries or messages in the ARP table.

Address

IP address of the switch that the ARP table automatically maps to the MAC address of the switch.

Age

Duration since the switch with a MAC address was mapped to the IP address.

MAC Address

MAC address of the switch.

Interface

Switch interface where packets are forwarded.

Physical Interface

Physical interface, which can be one of the following: Ethernet, loopback, EtherChannel, management, or VLAN.


Related Commands

Command
Description

clear ip arp

Clears the ARP cache and table.

feature interface-vlan

Enables the creation of VLAN interfaces.

show running-config arp

Displays the running ARP configuration.


show ip arp inspection

To display the Dynamic ARP Inspection (DAI) configuration status, use the show ip arp inspection command.

show ip arp inspection

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the status of the DAI configuration:

switch# show ip arp inspection 
 
   

Related Commands

Command
Description

ip arp inspection vlan

Enables DAI for a specified list of VLANs.

show ip arp inspection interface

Displays the trust state and the ARP packet rate for a specified interface.

show ip arp inspection log

Displays the DAI log configuration.

show ip arp inspection statistics

Displays the DAI statistics.

show ip arp inspection vlan

Displays DAI status for a specified list of VLANs.

show running-config dhcp

Displays DHCP snooping configuration, including the DAI configuration.


show ip arp inspection interfaces

To display the trust state for the specified interface, use the show ip arp inspection interfaces command.

show ip arp inspection interfaces {ethernet slot/port | port-channel channel-number}

Syntax Description

ethernet slot/port

(Optional) Specifies that the output is for an Ethernet interface.

port-channel channel-number

(Optional) Specifies that the output is for a port-channel interface. Valid port-channel numbers are from 1 to 4096.


Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the trust state for a trusted interface:

switch# show ip arp inspection interfaces ethernet 2/1 
 
   

Related Commands

Command
Description

ip arp inspection vlan

Enables Dynamic ARP Inspection (DAI) for a specified list of VLANs.

show ip arp inspection

Displays the DAI configuration status.

show ip arp inspection vlan

Displays DAI status for a specified list of VLANs.

show running-config dhcp

Displays DHCP snooping configuration, including the DAI configuration.


show ip arp inspection log

To display the Dynamic ARP Inspection (DAI) log configuration, use the show ip arp inspection log command.

show ip arp inspection log

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the DAI log configuration:

switch# show ip arp inspection log 
 
   
Syslog Buffer Size : 12
Syslog Rate        : 5 entries per 1 seconds
switch# 
 
   

Related Commands

Command
Description

clear ip arp inspection log

Clears the DAI logging buffer.

ip arp inspection log-buffer

Configures the DAI logging buffer size.

show ip arp inspection

Displays the DAI configuration status.

show running-config dhcp

Displays DHCP snooping configuration, including the DAI configuration.


show ip arp inspection statistics

To display the Dynamic ARP Inspection (DAI) statistics, use the show ip arp inspection statistics command.

show ip arp inspection statistics [vlan vlan-list]

Syntax Description

vlan vlan-list

(Optional) Specifies the list of VLANs for which to display DAI statistics. Valid VLAN IDs are from 1 to 4094. You can specify a VLAN or range of VLANs.


Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the DAI statistics for VLAN 1:

switch# show ip arp inspection statistics vlan 1 
 
   

Related Commands

Command
Description

clear ip arp inspection statistics vlan

Clears the DAI statistics for a specified VLAN.

show ip arp inspection log

Displays the DAI log configuration.

show running-config dhcp

Displays DHCP snooping configuration, including the DAI configuration.


show ip arp inspection vlan

To display the Dynamic ARP Inspection (DAI) status for the specified list of VLANs, use the show ip arp inspection vlan command.

show ip arp inspection vlan vlan-list

Syntax Description

vlan-list

List of VLANs that have the DAI status. The vlan-list argument allows you to specify a single VLAN ID, a range of VLAN IDs, or comma-separated IDs and ranges. Valid VLAN IDs are from 1 to 4094.


Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the DAI status for VLAN 1:

switch# show ip arp inspection vlan 1 
 
   
Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled
 
   
Vlan : 1
-----------
Configuration        : Disabled
Operation State      : Inactive
switch# 
 
   

Related Commands

Command
Description

clear ip arp inspection statistics vlan

Clears the DAI statistics for a specified VLAN.

ip arp inspection vlan

Enables DAI for a specified list of VLANs.

show ip arp inspection

Displays the DAI configuration status.

show ip arp inspection interface

Displays the trust state and the ARP packet rate for a specified interface.

show running-config dhcp

Displays DHCP snooping configuration, including the DAI configuration.


show ip arp sync-entries

To display the Address Resolution Protocol (ARP) table information after an ARP table synchronization, use the show ip arp sync-entries command.

show ip arp sync-entries [detail | vrf {vrf-name | all | default | management}]

Syntax Description

detail

(Optional) Displays detailed information about the ARP table.

vrf

(Optional) Displays ARP table information for a virtual routing and forwarding (VRF) instance.

vrf-name

VRF name. The name can be a maximum of 32 alphanumeric characters and is case sensitive.

all

Displays ARP table information for all VRF entries.

default

Displays ARP table information for the default VRF entry.

management

Displays ARP table information for the management VRF entry.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the global ARP statistics on virtual port channels (vPCs):

switch# show ip arp sync-entries
 
   

Related Commands

Command
Description

ip arp synchronize

Enables ARP synchronization on a vPC domain.

show running-config arp

Displays the running configuration information for ARP tables.


show ip dhcp snooping

To display general status information for Dynamic Host Configuration Protocol (DHCP) snooping, use the show ip dhcp snooping command.

show ip dhcp snooping

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display general status information about DHCP snooping:

switch# show ip dhcp snooping
DHCP snooping service is enabled
Switch DHCP snooping is enabled
DHCP snooping is configured on the following VLANs:
1,13
DHCP snooping is operational on the following VLANs:
1
Insertion of Option 82 is disabled
Verification of MAC address is enabled
DHCP snooping trust is configured on the following interfaces:
Interface             Trusted
------------          -------
Ethernet2/3           Yes
 
   
switch# 

Related Commands

Command
Description

copy running-config startup-config

Copies the running configuration to the startup configuration.

ip dhcp snooping

Globally enables DHCP snooping on the device.

show ip dhcp snooping statistics

Displays DHCP snooping statistics.

show running-config dhcp

Displays the DHCP snooping configuration.


show ip dhcp snooping binding

To display IP-to-MAC address bindings for all interfaces or a specific interface, use the show ip dhcp snooping binding command.

show ip dhcp snooping binding [IP-address] [MAC-address] [interface ethernet slot/port] [vlan vlan-id]

show ip dhcp snooping binding [dynamic]

show ip dhcp snooping binding [static]

Syntax Description

IP-address

(Optional) IPv4 address that the bindings shown must include. Valid entries are in dotted-decimal format.

MAC-address

(Optional) MAC address that the bindings shown must include. Valid entries are in dotted-hexadecimal format.

interface ethernet slot/port

(Optional) Specifies the Ethernet interface that the bindings shown must be associated with. The slot number is from 1 to 255, and the port number is from 1 to 128.

vlan vlan-id

(Optional) Specifies a VLAN ID that the bindings shown must be associated with. Valid VLAN IDs are from 1 to 4094, except for the VLANs reserved for internal use.

Use a hyphen (-) to separate the beginning and ending IDs of a range of VLAN IDs; for example, 70-100.

Use a comma (,) to separate individual VLAN IDs and ranges of VLAN IDs; for example, 20,70-100,142.

dynamic

(Optional) Limits the output to all dynamic IP-MAC address bindings.

static

(Optional) Limits the output to all static IP-MAC address bindings.


Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

The binding interface includes static IP source entries. Static entries appear with the term "static" in the Type column.

Examples

This example shows how to display all bindings:

switch# show ip dhcp snooping binding
MacAddress         IpAddress        LeaseSec  Type        VLAN  Interface
-----------------  ---------------  --------  ----------  ----  -------------
0f:00:60:b3:23:33  10.3.2.2         infinite  static      13    Ethernet2/46
0f:00:60:b3:23:35  10.2.2.2         infinite  static      100   Ethernet2/10
switch# 
 
   

Related Commands

Command
Description

clear ip dhcp snooping binding

Clears the DHCP snooping binding database.

copy running-config startup-config

Copies the running configuration to the startup configuration.

ip dhcp snooping

Globally enables DHCP snooping on the device.

ip source binding

Creates a static IP source entry for a Layer 2 Ethernet interface.

show ip dhcp snooping statistics

Displays DHCP snooping statistics.

show running-config dhcp

Displays the DHCP snooping configuration, including the IP Source Guard configuration.


show ip dhcp snooping statistics

To display Dynamic Host Configuration Protocol (DHCP) snooping statistics, use the show ip dhcp snooping statistics command.

show ip dhcp snooping statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display DHCP snooping statistics:

switch# show ip dhcp snooping statistics 
Packets processed 61343
Packets received through cfsoe 0
Packets forwarded 0
Packets forwarded on cfsoe 0
Total packets dropped 61343
Packets dropped from untrusted ports 0
Packets dropped due to MAC address check failure 0
Packets dropped due to Option 82 insertion failure 0
Packets dropped due to o/p intf unknown 0
Packets dropped which were unknown 0
Packets dropped due to dhcp relay not enabled 0
Packets dropped due to no binding entry 0
Packets dropped due to interface error/no interface 61343
Packets dropped due to max hops exceeded 0
switch#
 
   

Related Commands

Command
Description

copy running-config startup-config

Copies the running configuration to the startup configuration.

ip dhcp snooping

Globally enables DHCP snooping on the device.

show running-config dhcp

Displays the DHCP snooping configuration.


show ipv6 access-lists

To display all IPv6 access control lists (ACLs) or a specific IPv6 ACL, use the show ipv6 access-lists command.

show ipv6 access-lists [access-list-name] [expanded | summary]

Syntax Description

access-list-name

(Optional) Name of an IPv6 ACL, which can be up to 64 alphanumeric, case-sensitive characters.

expanded

(Optional) Specifies that the contents of IPv6 address groups or port groups are shown, rather than only the names of the object groups.

summary

(Optional) Specifies that the command displays information about the ACL rather than the ACL configuration. For more information, see the "Usage Guidelines" section.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

The device shows all IPv6 ACLs, unless you use the access-list-name argument to specify an ACL.

The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:

Whether per-entry statistics are configured for the ACL.

The number of rules in the ACL configuration. This number does not reflect how many entries the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.

The interfaces that the ACL is applied to.

The interfaces that the ACL is active on.

The show ipv6 access-lists command displays statistics for each entry in an ACL if the following conditions are both true:

The ACL configuration contains the statistics per-entry command.

The ACL is applied to an interface that is administratively up.

Examples

This example shows how to display all IPv6 ACLs on a switch:

switch# show ipv6 access-lists 

Related Commands

Command
Description

ipv6 access-list

Configures an IPv6 ACL.


show ip verify source

To display the IP Source Guard-enabled interfaces and the IP-to-MAC address bindings, use the show ip verify source command.

show ip verify source [interface {ethernet slot/port | port-channel channel-number}]

Syntax Description

interface

(Optional) Specifies that the output is limited to IP-to-MAC address bindings for a particular interface.

ethernet slot/port

(Optional) Specifies that the output is limited to bindings for the Ethernet interface given. The slot number is from 1 to 255, and the port number is from 1 to 128.

port-channel channel-number

(Optional) Specifies that the output is limited to bindings for the port-channel interface given. Valid port-channel numbers are from 1 to 4096.


Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the IP Source Guard-enabled interfaces and the IP-to-MAC address bindings on the switch:

switch# show ip verify source 
IP source guard is enabled on the following interfaces:
------------------------------------------------------
        Ethernet1/2
        Ethernet1/5
 
   
 
   
IP source guard operational entries:
-----------------------------------
Interface         Filter-mode             IP-address     Mac-address       Vlan
------------      -----------             ----------     --------------    ----
Ethernet1/2       inactive-no-snoop-vlan
Ethernet1/5       inactive-no-snoop-vlan
switch#
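
DAI and IP Source Guard both rely on the DHCP snooping binding database, so the outputs of show ip dhcp snooping, show ip arp inspection vlan, and show ip verify source are best read together. The following Python script is an added example, not Cisco code: it parses the three example outputs shown on this page and reports where a protection is configured but not enforcing. The function names are hypothetical, and treating any filter mode that begins with "inactive" as not filtering is an assumption of this example.

```python
import re

# Sample outputs from the examples on this page, abridged to the relevant lines.
SNOOPING = """\
DHCP snooping service is enabled
Switch DHCP snooping is enabled
DHCP snooping is configured on the following VLANs:
1,13
DHCP snooping is operational on the following VLANs:
1
DHCP snooping trust is configured on the following interfaces:
Interface             Trusted
Ethernet2/3           Yes
"""
SOURCE_GUARD = """\
IP source guard operational entries:
Interface         Filter-mode             IP-address     Mac-address       Vlan
------------      -----------             ----------     --------------    ----
Ethernet1/2       inactive-no-snoop-vlan
Ethernet1/5       inactive-no-snoop-vlan
"""
DAI = """\
Vlan : 1
-----------
Configuration        : Disabled
Operation State      : Inactive
"""


def expand_vlans(spec):
    """Expand a VLAN list such as '20,70-100,142' into a set of VLAN IDs."""
    vlans = set()
    for part in filter(None, spec.replace(" ", "").split(",")):
        first, _, last = part.partition("-")
        lo, hi = int(first), int(last or first)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_dhcp_snooping(text):
    """Configured VLANs, operational VLANs and trusted ports from `show ip dhcp snooping`."""
    lines = [line.strip() for line in text.splitlines()]
    state = {"configured": set(), "operational": set(), "trusted": set()}
    for i, line in enumerate(lines):
        header = re.match(r"DHCP snooping is (configured|operational) on the following VLANs:", line)
        following = lines[i + 1] if i + 1 < len(lines) else ""
        # An empty VLAN list leaves another heading on the next line, so check its shape.
        if header and re.fullmatch(r"[\d,\- ]+", following):
            state[header.group(1)] = expand_vlans(following)
        if (trusted := re.fullmatch(r"(\S+)\s+Yes", line)):
            state["trusted"].add(trusted.group(1))
    return state


def parse_source_guard(text):
    """Map each interface to its filter mode from `show ip verify source`."""
    modes, in_table = {}, False
    for raw in text.splitlines():
        fields = raw.split()
        if raw.strip().startswith("IP source guard operational entries"):
            in_table = True
        elif in_table and len(fields) >= 2 and not fields[0].startswith(("Interface", "-")):
            modes[fields[0]] = fields[1]
    return modes


def parse_dai_vlans(text):
    """Map each VLAN to its 'key : value' fields from `show ip arp inspection vlan`."""
    vlans, current = {}, None
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if sep and key == "Vlan":
            current = vlans.setdefault(int(value), {})
        elif sep and current is not None:
            current[key] = value
    return vlans


def audit(snooping_out, source_guard_out, dai_out):
    """Return one finding per protection that is present but not enforcing."""
    findings = []
    snoop = parse_dhcp_snooping(snooping_out)
    for vlan in sorted(snoop["configured"] - snoop["operational"]):
        findings.append(f"VLAN {vlan}: DHCP snooping is configured but not operational")
    for intf, mode in sorted(parse_source_guard(source_guard_out).items()):
        if mode.startswith("inactive"):
            findings.append(f"{intf}: IP Source Guard is not filtering ({mode})")
    for vlan, dai in sorted(parse_dai_vlans(dai_out).items()):
        cfg, oper = dai.get("Configuration"), dai.get("Operation State")
        if cfg == "Disabled" or oper == "Inactive":
            findings.append(f"VLAN {vlan}: DAI configuration {cfg}, operation state {oper}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SNOOPING, SOURCE_GUARD, DAI)))
```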
 
   

Related Commands

Command
Description

ip source binding

Creates a static IP source entry for the specified Ethernet interface.

ip verify source dhcp-snooping-vlan

Enables IP Source Guard on an interface.

show running-config dhcp

Displays DHCP snooping configuration, including the IP Source Guard configuration.


show mac access-lists

To display all Media Access Control (MAC) access control lists (ACLs) or a specific MAC ACL, use the show mac access-lists command.

show mac access-lists [access-list-name]

Syntax Description

access-list-name

(Optional) Name of a MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters.


Command Default

The switch shows all MAC ACLs unless you use the access-list-name argument to specify an ACL.

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display all MAC ACLs on the switch:

switch# show mac access-lists 
 
   
MAC access list acl-mac
        10 permit any any
MAC access list test
        statistics per-entry
        10 deny 0000.1111.2222 0000.0000.0000 0000.1111.3333 ffff.0000.0000
switch#
 
   

Related Commands

Command
Description

mac access-list

Configures a MAC ACL.

show access-lists

Displays all ACLs or a specific ACL.

show ip access-lists

Displays all IPv4 ACLs or a specific IPv4 ACL.


show privilege

To show the current privilege level, username, and status of cumulative privilege support, use the show privilege command.

show privilege

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

When the feature privilege command is enabled, privilege roles inherit the permissions of lower level privilege roles.

Examples

This example shows how to view the current privilege level, username, and status of cumulative privilege support:

switch# show privilege 
User name: admin
Current privilege level: -1
Feature privilege: Enabled
switch# 
 
   

Related Commands

Command
Description

enable

Enables a user to move to a higher privilege level.

enable secret priv-lvl

Enables a secret password for a specific privilege level.

feature privilege

Enables the cumulative privilege of roles for command authorization on RADIUS and TACACS+ servers.

username

Enables a user to use privilege levels for authorization.


show radius-server

To display RADIUS server information, use the show radius-server command.

show radius-server [hostname | ipv4-address | ipv6-address] [directed-request | groups [group-name] | sorted | statistics hostname | ipv4-address | ipv6-address]

Syntax Description

hostname

(Optional) RADIUS server Domain Name Server (DNS) name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters.

ipv4-address

(Optional) RADIUS server IPv4 address in the A.B.C.D format.

ipv6-address

(Optional) RADIUS server IPv6 address in the X:X::X:X format.

directed-request

(Optional) Displays the directed request configuration.

groups [group-name]

(Optional) Displays information about the configured RADIUS server groups. Supply a group-name to display information about a specific RADIUS server group.

sorted

(Optional) Displays sorted-by-name information about the RADIUS servers.

statistics

(Optional) Displays RADIUS statistics for the RADIUS servers. A hostname or IP address is required.


Command Default

Displays the global RADIUS server configuration.

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

RADIUS preshared keys are not visible in the show radius-server command output. Use the show running-config radius command to display the RADIUS preshared keys.

Examples

This example shows how to display information for all RADIUS servers:

switch# show radius-server 
retransmission count:1
timeout value:5
deadtime value:0
source interface:any available
total number of servers:1
 
   
following RADIUS servers are configured:
        192.168.1.1:
                available for authentication on port:1812
                available for accounting on port:1813
                RADIUS shared secret:********
switch#
 
   

This example shows how to display information for a specified RADIUS server:

switch# show radius-server 192.168.1.1 
        192.168.1.1:
                available for authentication on port:1812
                available for accounting on port:1813
                RADIUS shared secret:********
                idle time:0
                test user:test
                test password:********
switch#
 
   

This example shows how to display the RADIUS directed request configuration:

switch# show radius-server directed-request 
disabled
switch#
 
   

This example shows how to display information for RADIUS server groups:

switch# show radius-server groups 
total number of groups:2
 
   
following RADIUS server groups are configured:
        group radius:
                server: all configured radius servers
                deadtime is 0
        group RadServer:
                server: 192.168.1.1 on auth-port 1812, acct-port 1813
                deadtime is 0
switch#
 
   

This example shows how to display information for a specified RADIUS server group:

switch# show radius-server groups RadServer 
        group RadServer:
                server: 10.193.128.5 on auth-port 1812, acct-port 1813
                deadtime is 0
switch#
 
   

This example shows how to display sorted information for all RADIUS servers:

switch# show radius-server sorted 
timeout value:5
retransmission count:1
deadtime value:0
source interface:any available
total number of servers:1
 
   
following RADIUS servers are configured:
        192.168.1.1:
                available for authentication on port:1812
                available for accounting on port:1813
                RADIUS shared secret:********
switch#
 
   

This example shows how to display statistics for a specified RADIUS server:

switch# show radius-server statistics 192.168.1.1 
Server is not monitored
 
   
Authentication Statistics
        failed transactions: 0
        sucessfull transactions: 0
        requests sent: 0
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 0
        responses containing errors: 0
 
   
Accounting Statistics
        failed transactions: 0
        sucessfull transactions: 0
        requests sent: 0
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 0
        responses containing errors: 0
switch#
 
   

Related Commands

Command
Description

show running-config radius

Displays the RADIUS information in the running configuration file.


show role

To display the user role configuration, use the show role command.

show role [name role-name]

Syntax Description

name role-name

(Optional) Displays information for a specific user role name.


Command Default

Displays information for all user roles.

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display information for a specific user role:

switch# show role name MyRole 
 
   
Role: MyRole
  Description: new role
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       deny    command                         pwd
switch#
 
   

This example shows how to display information for all user roles:

switch# show role 
 
   

In Cisco NX-OS Release 5.0(2)N1(1), the following output is displayed:

switch# show role 
 
   
Role: network-admin
  Description: Predefined network admin role has access to all commands
  on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write
 
   
Role: network-operator
  Description: Predefined network operator role has access to all read
  commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read
 
   
Role: vdc-admin
  Description: Predefined vdc admin role has access to all commands within
  a VDC instance
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write
 
   
Role: vdc-operator
  Description: Predefined vdc operator role has access to all read commands
  within a VDC instance
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read
 
   
Role: priv-14
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write
 
   
Role: priv-13
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
 
   
Role: priv-12
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
 
   
Role: priv-11
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
 
   
Role: priv-10
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
 
   
Role: priv-9
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
 
   
Role: priv-8
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
 
   
Role: priv-7
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
 
   
Role: priv-6
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
 
   
Role: priv-5
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
 
   
Role: priv-4
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
 
   
Role: priv-3
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
 
   
Role: priv-2
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
 
   
Role: priv-1
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
 
   
Role: priv-0
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  10      permit  command                         traceroute6 *
  9       permit  command                         traceroute *
  8       permit  command                         telnet6 *
  7       permit  command                         telnet *
  6       permit  command                         ping6 *
  5       permit  command                         ping *
  4       permit  command                         ssh6 *
  3       permit  command                         ssh *
  2       permit  command                         enable *
 
   
Role: default-role
  Description: This is a system defined role and applies to all users.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  5       permit  command                         feature environment
  4       permit  command                         feature hardware
  3       permit  command                         feature module
  2       permit  command                         feature snmp
  1       permit  command                         feature system
 
   
Role: priv-15
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write
 
   
Role: MyRole
  Description: new role
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       deny    command                         pwd
switch#
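
Added example, not part of the Cisco reference: a Python parser for the show role layout above that lists roles holding a blanket permit read-write rule and roles for which the output prints no rules. SAMPLE is a constructed, abbreviated copy of that output, and parse_show_role and audit are hypothetical helper names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an abbreviated copy of the "show role" layout shown above.
SAMPLE = """\
switch# show role

Role: network-admin
  Description: Predefined network admin role has access to all commands
  on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write

Role: priv-13
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)

Role: priv-0
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  3       permit  command                         ssh *
  2       permit  command                         enable *

Role: MyRole
  Description: new role
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       deny    command                         pwd
switch#
"""

RULE_RE = re.compile(r"^(\d+)\s+(permit|deny)\s+(\S+)\s*(.*)$")
POLICY_RE = re.compile(r"^(\w+) policy:\s*(\w+)")


@dataclass
class Role:
    name: str
    description: str = ""
    policies: dict = field(default_factory=dict)
    # Each rule is (number, perm, type, target); target is the Scope/Entity
    # text, kept as one string because the columns are only space-aligned.
    rules: list = field(default_factory=list)


def parse_show_role(text):
    roles, role, in_desc = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Role:"):
            role = Role(line.split(":", 1)[1].strip())
            roles.append(role)
            in_desc = False
        elif role is None or not line or line.startswith("switch#"):
            in_desc = False
        elif line.startswith("Description:"):
            role.description = line.split(":", 1)[1].strip()
            in_desc = True  # descriptions may continue on the next line
        elif set(line) == {"-"} or line.startswith("Rule "):
            in_desc = False  # table separator or header row
        elif (m := POLICY_RE.match(line)):
            role.policies[m.group(1).lower()] = m.group(2)
            in_desc = False
        elif (m := RULE_RE.match(line)) and not in_desc:
            role.rules.append(
                (int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
        elif in_desc:
            role.description += " " + line
    return roles


def audit(roles):
    """Return (roles with an unscoped permit read-write rule, roles with no rules)."""
    blanket = [r.name for r in roles
               if any(perm == "permit" and rtype == "read-write" and not target
                      for _, perm, rtype, target in r.rules)]
    no_rules = [r.name for r in roles if not r.rules]
    return blanket, no_rules


if __name__ == "__main__":
    blanket, no_rules = audit(parse_show_role(SAMPLE))
    print("blanket read-write:", blanket)
    print("no rules printed:", no_rules)
```
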
 
   

Related Commands

Command
Description

role name

Configures user roles.


show role feature

To display the user role features, use the show role feature command.

show role feature [detail | name feature-name]

Syntax Description

detail

(Optional) Displays detailed information for all features.

name feature-name

(Optional) Displays detailed information for a specific feature. The name can be a maximum of 16 alphanumeric characters and is case sensitive.


Command Default

Displays a list of user role feature names.

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the user role features:

switch# show role feature 
 
   

In Cisco NX-OS Release 5.0(2)N1(1), the following output is displayed:

aaa             (AAA service related commands)
arp             (ARP protocol related commands)
cdp             (Cisco Discovery Protocol related commands)
l3vm            (Layer 3 virtualization related commands)
ping            (Network reachability test commands)
snmp            (SNMP related commands)
radius          (Radius configuration and show commands)
syslog          (Syslog related commands)
tacacs          (TACACS configuration and show commands)
install         (Software install related commands)
license         (License related commands)
callhome        (Callhome configuration and show commands)
platform        (Platform configuration and show commands)
access-list     (IP access list related commands)
svi             (Interface VLAN related commands)
vlan            (Virtual LAN related commands)
eth-span        (Ethernet SPAN related commands)
ethanalyzer     (Ethernet Analyzer)
spanning-tree   (Spanning Tree protocol related commands)
acl             (FC ACL related commands)
sfm             (ISCSI flow related commands)
fcns            (Fibre Channel Name Server related commands)
fcsp            (Fibre Channel Security Protocol related commands)
fdmi            (FDMI related commands)
fspf            (Fabric Shortest Path First protocol related commands)
rlir            (Registered Link Incident Report related commands)
rscn            (Registered State Change Notification related commands)
span            (SPAN session relate commands)
vsan            (VSAN configuration and show commands)
wwnm            (WorldWide Name related commands)
zone            (Zone related commands)
fcanalyzer      (FC analyzer related commands)
switch#
 
   

This example shows how to display detailed information for all the user role features:

switch# show role feature detail 
 
   

In Cisco NX-OS Release 5.0(2)N1(1), the following output is displayed:

aaa             (AAA service related commands)
  show aaa *
  config t ; aaa *
  aaa *
  clear aaa *
  debug aaa *
  show accounting *
  config t ; accounting *
  accounting *
  clear accounting *
  debug accounting *
arp             (ARP protocol related commands)
  show ip arp *
  config t; ip arp *
  clear ip arp *
  debug ip arp *
  debug-filter ip arp *
cdp             (Cisco Discovery Protocol related commands)
  show cdp *
  config t ; cdp *
  cdp *
  clear cdp *
  debug cdp *
l3vm            (Layer 3 virtualization related commands)
  show vrf *
  config t ; vrf *
  routing-context vrf *
ping            (Network reachability test commands)
  show ping *
  config t ; ping *
  ping *
  clear ping *
  debug ping *
  show ping6 *
  config t ; ping6 *
  ping6 *
  clear ping6 *
  debug ping6 *
  show traceroute *
  config t ; traceroute *
--More--
switch#
 
   

This example shows how to display detailed information for a specific user role feature named arp:

switch# show role feature name arp 
 
   

In Cisco NX-OS Release 5.0(2)N1(1), this command displays the following output:

arp             (ARP protocol related commands)
  show ip arp *
  config t; ip arp *
  clear ip arp *
  debug ip arp *
  debug-filter ip arp *
switch# 
 
   

Related Commands

Command
Description

role feature-group

Configures feature groups for user roles.

rule

Configures rules for user roles.


show role feature-group

To display the user role feature groups, use the show role feature-group command.

show role feature-group [detail | name group-name]

Syntax Description

detail

(Optional) Displays detailed information for all feature groups.

name group-name

(Optional) Displays detailed information for a specific feature group.


Command Default

Displays a list of user role feature groups.

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the user role feature groups:

switch# show role feature-group 
 
   

This example shows how to display detailed information about all the user role feature groups:

switch# show role feature-group detail 
 
   

This example shows how to display information for a specific user role feature group:

switch# show role feature-group name SecGroup 
 
   

Related Commands

Command
Description

role feature-group

Configures feature groups for user roles.

rule

Configures rules for user roles.


show rollback log

To display the log of configuration rollbacks on the switch, use the show rollback log command.

show rollback log {exec | verify}

Syntax Description

exec

Displays the rollback execution log.

verify

Displays the rollback verify log.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

If the rollback log is empty, the following message appears:

ERROR: Log Not Available
 
   

Examples

This example shows how to display the rollback execution log:

switch# show rollback log exec 
--------------------------------------------------------------------------------
time: Mon, 06:16:02 06 Sep 2010
Status: success
--------------------------------------------------------------------------------
time: Mon, 07:58:36 06 Sep 2010
Status: success
--------------------------------------------------------------------------------
time: Mon, 09:48:58 06 Sep 2010
Status: success
switch#
 
   

This example shows how to display the rollback verification log:

switch# show rollback log verify 
--------------------------------------------------------------------------------
time: Mon, 09:48:56 06 Sep 2010
Status: success
--------------------------------------------------------------------------------
time: Mon, 09:48:58 06 Sep 2010
Status: success
switch#
 
   

Related Commands

Command
Description

rollback

Restores the active configuration to the checkpoint state.


show running-config aaa

To display authentication, authorization, and accounting (AAA) configuration information in the running configuration, use the show running-config aaa command.

show running-config aaa [all]

Syntax Description

all

(Optional) Displays configured and default information.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the configured AAA information in the running configuration:

switch# show running-config aaa 
 
   

Related Commands

Command
Description

aaa accounting default

Configures AAA methods for accounting.

aaa authentication login console

Configures AAA authentication methods for console login.

aaa authentication login default

Configures the default AAA authentication methods.

aaa authentication login error-enable

Configures the AAA authentication failure message to display on the console.

aaa authorization commands default

Configures default AAA authorization methods.

aaa authorization config-commands default

Configures the default AAA authorization methods for all configuration commands.

aaa group server radius

Creates a RADIUS server group.

aaa user default-role

Enables the default role assigned by the AAA server administrator for remote authentication.


show running-config aclmgr

To display the access control list (ACL) configuration in the running configuration, use the show running-config aclmgr command.

show running-config aclmgr [all]

Syntax Description

all

(Optional) Displays configured and default information.


Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the ACL running configuration:

switch# show running-config aclmgr 
 
   
!Command: show running-config aclmgr
!Time: Tue Aug 31 05:01:56 2010
 
   
version 5.0(2)N1(1)
ip access-list BulkData
  10 deny ip any any
ip access-list CriticalData
  10 deny ip any any
ip access-list Scavenger
  10 deny ip any any
mac access-list acl-mac
  10 permit any any
ip access-list denyv4
  20 deny ip 10.10.10.0/24 10.20.10.0/24 fragments
  30 permit udp 10.10.10.0/24 10.20.10.0/24 lt 400
  40 permit icmp any any router-advertisement
  60 deny tcp 10.10.10.0/24 10.20.10.0/24 syn
  70 permit igmp any any host-report
  80 deny tcp any any rst
  90 deny tcp any any ack
  100 permit tcp any any fin
  110 permit tcp any gt 300 any lt 400
  130 deny tcp any range 200 300 any lt 600
  140 deny tcp any range 200 300 any lt 600
ip access-list dot
  statistics per-entry
  10 permit ip 20.1.1.1 255.255.255.0 20.10.1.1 255.255.255.0 precedence flash-o
verride
:
<snip>
:
vlan access-map vacl-mac
  match mac address acl-mac
  action forward
  statistics per-entry
vlan filter vacl-mac vlan-list 300
 
   
interface Ethernet1/1
  ipv6 port traffic-filter denv6 in
 
   
interface Ethernet1/2
  ip port access-group voice in
 
   
interface Ethernet1/9
  ipv6 port traffic-filter denv6 in
 
   
interface Ethernet1/10
  ipv6 port traffic-filter denv6 in
 
   
line vty
  access-class myACList in
  access-class myACList out
  ipv6 access-class myI6List out
 
   
switch#
 
   

This example shows how to display only the VTY running configuration:

switch# show running-config aclmgr | begin vty 
line vty
  access-class myACList in
  access-class myACList out
  ipv6 access-class myI6List out
 
   
switch#
 
   

Related Commands

Command
Description

access-class

Configures access classes for VTY.

copy running-config startup-config

Copies the running configuration to the startup configuration file.

ip access-class

Configures IPv4 access classes for VTY.

ipv6 access-class

Configures IPv6 access classes for VTY.

show startup-config aclmgr

Displays the ACL startup configuration.


show running-config arp

To display the Address Resolution Protocol (ARP) configuration in the running configuration, use the show running-config arp command.

show running-config arp [all]

Syntax Description

all

(Optional) Displays configured and default information.


Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the ARP configuration:

switch# show running-config arp 
 
   
!Command: show running-config arp
!Time: Mon Aug 23 07:33:15 2010
 
   
version 5.0(2)N1(1)
ip arp timeout 2100
ip arp event-history errors size medium
 
   
interface Vlan10
  ip arp 10.193.131.37 00C0.4F00.0000
 
   
switch# 
 
   

This example shows how to display the ARP configuration with the default information:

switch# show running-config arp all 
 
   
!Command: show running-config arp all
!Time: Mon Aug 23 07:33:52 2010
 
   
version 5.0(2)N1(1)
ip arp timeout 1500
ip arp event-history cli size small
ip arp event-history snmp size small
ip arp event-history client-errors size small
ip arp event-history client-event size small
ip arp event-history lcache-errors size small
ip arp event-history lcache size small
ip arp event-history errors size small
ip arp event-history ha size small
ip arp event-history event size small
ip arp event-history packet size small
 
   
interface Vlan10
  ip arp 10.193.131.37 00C0.4F00.0000
  ip arp gratuitous update
  ip arp gratuitous request
 
   
switch# 
 
   

Related Commands

Command
Description

copy running-config startup-config

Copies the running configuration to the startup configuration file.

ip arp event-history errors

Logs ARP debug events into the event history buffer.

ip arp timeout

Configures an ARP timeout.

ip arp inspection

Displays general information about DHCP snooping.

show startup-config arp

Displays the ARP startup configuration.


show running-config dhcp

To display the Dynamic Host Configuration Protocol (DHCP) snooping configuration in the running configuration, use the show running-config dhcp command.

show running-config dhcp [all]

Syntax Description

all

(Optional) Displays configured and default information.


Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the DHCP snooping feature using the feature dhcp command.

Examples

This example shows how to display the DHCP snooping configuration:

switch# show running-config dhcp 
 
   
!Command: show running-config dhcp
!Time: Mon Aug 23 09:09:11 2010
 
   
version 5.0(2)N1(1)
feature dhcp
 
   
ip dhcp snooping
ip dhcp snooping information option
service dhcp
ip dhcp relay
ip dhcp relay information option
 
   
ip arp inspection filter arp-acl-01 vlan 15,37-48
 
   
switch# 
 
   

This example shows how to display the DHCP snooping configuration with the default information:

switch# show running-config dhcp all 
 
   
!Command: show running-config dhcp all
!Time: Mon Aug 23 09:10:11 2010
 
   
version 5.0(2)N1(1)
feature dhcp
 
   
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping verify mac-address
service dhcp
ip dhcp relay
ip dhcp relay information option
no ip dhcp relay sub-option type cisco
no ip dhcp relay information option vpn
no ip arp inspection validate src-mac dst-mac ip
ip arp inspection log-buffer entries 32
no ip dhcp packet strict-validation
 
   
 
   
interface port-channel23
  no ip dhcp snooping trust
  no ip arp inspection trust
  no ip verify source dhcp-snooping-vlan
 
   
interface port-channel67
  no ip dhcp snooping trust
  no ip arp inspection trust
  no ip verify source dhcp-snooping-vlan
 
   
interface port-channel150
  no ip dhcp snooping trust
  no ip arp inspection trust
  no ip verify source dhcp-snooping-vlan
 
   
interface port-channel400
  no ip dhcp snooping trust
  no ip arp inspection trust
  no ip verify source dhcp-snooping-vlan
 
   
<--output truncated-->
switch# 
 
   

This example shows how to display the DHCP snooping configuration and the IP Source Guard information on a switch that runs Cisco NX-OS Release 5.0(3)N1(1):

switch# show running-config dhcp
 
   
!Command: show running-config dhcp
!Time: Sat Apr 19 06:18:33 2008
 
   
version 5.0(3)N1(1)
feature dhcp
 
   
ip dhcp snooping
ip dhcp snooping information option
 
   
 
   
interface Ethernet1/2
  ip dhcp snooping trust
  ip verify source dhcp-snooping-vlan
 
   
interface Ethernet1/5
  ip verify source dhcp-snooping-vlan
ip source binding 10.0.0.7 002f.23bd.0014 vlan 5 interface Ethernet1/2
ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface Ethernet1/5
 
   
 
   
switch# 
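
Added example, not part of the Cisco reference: a Python review of captured show running-config dhcp output that reports DHCP snooping trusted ports, untrusted ports without IP Source Guard, and static source bindings on interfaces where ip verify source is not enabled. SAMPLE is constructed from the layouts above (the last binding line is invented), and parse_dhcp_config and review are hypothetical helper names.

```python
import re

# Constructed sample in the layout of the outputs above. The port-channel23
# block uses the explicit "no ..." form printed with the "all" keyword, and
# the 192.0.2.9 binding is invented to exercise the binding check.
SAMPLE = """\
!Command: show running-config dhcp all
version 5.0(3)N1(1)
feature dhcp

ip dhcp snooping
ip dhcp snooping information option

interface Ethernet1/2
  ip dhcp snooping trust
  ip verify source dhcp-snooping-vlan

interface Ethernet1/5
  ip verify source dhcp-snooping-vlan
ip source binding 10.0.0.7 002f.23bd.0014 vlan 5 interface Ethernet1/2
ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface Ethernet1/5
ip source binding 192.0.2.9 0000.5e00.5301 vlan 9 interface port-channel23

interface port-channel23
  no ip dhcp snooping trust
  no ip arp inspection trust
  no ip verify source dhcp-snooping-vlan
switch#
"""

BINDING_RE = re.compile(
    r"^ip source binding (?P<ip>\S+) (?P<mac>\S+) "
    r"vlan (?P<vlan>\d+) interface (?P<intf>\S+)$")
TRUST = "ip dhcp snooping trust"
GUARD = "ip verify source dhcp-snooping-vlan"


def parse_dhcp_config(text):
    """Split the output into global statements, per-interface flags and bindings."""
    cfg = {"global": [], "interfaces": {}, "bindings": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "switch#", "version ", "<--")):
            continue
        if raw.startswith("interface "):
            current = cfg["interfaces"].setdefault(line.split()[1], {})
        elif raw[0].isspace() and current is not None:
            # "no <statement>" records the statement as explicitly disabled.
            if line.startswith("no "):
                current[line[3:]] = False
            else:
                current[line] = True
        else:
            # An unindented line ends the interface block, as the
            # "ip source binding" lines after Ethernet1/5 do in the output.
            current = None
            m = BINDING_RE.match(line)
            if m:
                cfg["bindings"].append(m.groupdict())
            else:
                cfg["global"].append(line)
    return cfg


def review(cfg):
    """Return (finding, subject) tuples for an operator to check."""
    findings = []
    if "ip dhcp snooping" not in cfg["global"]:
        findings.append(("snooping-off", "global"))
    intfs = cfg["interfaces"]
    for name, flags in intfs.items():
        if flags.get(TRUST):
            findings.append(("trusted-port", name))
        elif not flags.get(GUARD):
            findings.append(("no-source-guard", name))
    for b in cfg["bindings"]:
        if not intfs.get(b["intf"], {}).get(GUARD):
            findings.append(
                ("binding-without-guard", f'{b["ip"]} on {b["intf"]}'))
    return findings


if __name__ == "__main__":
    for finding in review(parse_dhcp_config(SAMPLE)):
        print(*finding, sep=": ")
```
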
 
   

Related Commands

Command
Description

copy running-config startup-config

Copies the running configuration to the startup configuration.

feature dhcp

Enables the DHCP snooping feature on the device.

ip dhcp snooping

Globally enables DHCP snooping on the device.

ip verify source

Enables IP Source Guard on a Layer 2 interface.

show ip dhcp snooping

Displays general information about DHCP snooping.

show ip verify source

Displays the IP-MAC address bindings.

show startup-config dhcp

Displays the DHCP startup configuration.


show running-config radius

To display RADIUS server information in the running configuration, use the show running-config radius command.

show running-config radius [all]

Syntax Description

all

(Optional) Displays default RADIUS configuration information.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display information for RADIUS in the running configuration:

switch# show running-config radius 
 
   

In Cisco NX-OS Release 5.0(2)N1(1), the following output is displayed:


!Command: show running-config radius
!Time: Wed Aug 25 10:25:41 2010
 
   
version 5.0(2)N1(1)
radius-server host 192.168.1.1 key 7 "KkwyCet" authentication accounting
aaa group server radius r1
    server 192.168.1.1
 
   
 
   
switch#
 
   

Related Commands

Command
Description

show radius-server

Displays RADIUS information.


show running-config security

To display user account, Secure Shell (SSH) server, and Telnet server information in the running configuration, use the show running-config security command.

show running-config security [all]

Syntax Description

all

(Optional) Displays default user account, SSH server, and Telnet server configuration information.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display user account, SSH server, and Telnet server information in the running configuration:

switch# show running-config security 
 
   

In Cisco NX-OS Release 5.0(2)N1(1), the following output is displayed:


!Command: show running-config security
!Time: Wed Aug 25 10:27:20 2010
 
   
version 5.0(2)N1(1)
feature telnet
 
   
username admin password 5 $1$eKzwPRms$5QB0PxpkXdp6ZKkME/vSS1  role network-admin
username praveena password 5 $1$9w6ZnM/R$Pg5OfsV/vkOaAGW.f.RyP.  role network-op
erator
username install password 5 !  role network-admin
username user1 password 5 !  role priv-5
no password strength-check
 
   
 
   
switch#
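
Added example, not part of the Cisco reference: a Python check over captured show running-config security and show running-config radius output that flags the settings visible in the outputs above (feature telnet, no password strength-check, password hashes with the crypt(3) MD5 prefix $1$, accounts holding network-admin, RADIUS keys present in the capture) and redacts the secrets before the capture is shared. The sample is constructed with placeholder hashes and key; the 80-column wrap handling, the keyword list and the function names are assumptions.

```python
import re

WIDTH = 80  # assumption: the console wrapped long lines at 80 columns
# Keywords that can begin a statement in this output (assumed list, extend as needed).
KEYWORDS = ("username ", "feature ", "no ", "radius-server ", "aaa ",
            "version ", "!", "switch#")

# Constructed sample in the page's format; hashes and the key are placeholders.
ADMIN_LINE = ("username admin password 5 $1$CONSTRCT$" + "y" * 22
              + "  role network-admin")       # exactly 80 characters, not wrapped
OPER_LINE = ("username praveena password 5 $1$CONSTRCT$" + "x" * 22
             + "  role network-operator")     # 86 characters, wrapped below
SAMPLE = "\n".join([
    "!Command: show running-config security",
    "version 5.0(2)N1(1)",
    "feature telnet",
    ADMIN_LINE,
    OPER_LINE[:WIDTH], OPER_LINE[WIDTH:],
    "username install password 5 !  role network-admin",
    "username user1 password 5 !  role priv-5",
    "no password strength-check",
    'radius-server host 192.168.1.1 key 7 "PLACEHOLDER" authentication accounting',
])

USER_RE = re.compile(r"^username (\S+) password (\d+) (\S+)\s+role (\S+)$")
RADIUS_RE = re.compile(r'^radius-server host (\S+) key (\d+) "([^"]*)"')


def unwrap(text):
    """Rejoin console-wrapped lines. A full-width line is only a wrap if the
    next line does not start a new statement; a line that is exactly WIDTH
    long (like ADMIN_LINE) must not swallow the statement after it."""
    out = []
    for line in text.splitlines():
        prev = out[-1] if out else ""
        if (prev and len(prev) % WIDTH == 0 and line.strip()
                and not line.startswith(KEYWORDS)):
            out[-1] = prev + line
        else:
            out.append(line)
    return "\n".join(out)


def audit_config(text):
    """Return (finding, subject) tuples for review."""
    findings = []
    for line in unwrap(text).splitlines():
        line = line.strip()
        if line == "feature telnet":
            findings.append(("telnet-enabled", line))
        elif line == "no password strength-check":
            findings.append(("strength-check-off", line))
        elif (m := USER_RE.match(line)):
            user, _ptype, secret, role = m.groups()
            if secret.startswith("$1$"):       # crypt(3) MD5-crypt prefix
                findings.append(("md5-crypt-hash", user))
            if role == "network-admin":
                findings.append(("admin-role", user))
        elif (m := RADIUS_RE.match(line)):
            findings.append(("radius-key-in-output",
                             f"{m.group(1)} (type {m.group(2)})"))
    return findings


def redact(text):
    """Mask password hashes and RADIUS keys so the capture can be shared."""
    text = unwrap(text)
    text = re.sub(r"(password \d+ )\S+", r"\1<redacted>", text)
    return re.sub(r'(key \d+ )"[^"]*"', r'\1"<redacted>"', text)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print(*finding, sep=": ")
    print(redact(SAMPLE))
```
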
 
   

Related Commands

Command
Description

ssh

Creates a Secure Shell (SSH) connection using IPv4.

ssh6

Creates a Secure Shell (SSH) connection using IPv6.

telnet

Creates a Telnet session using IPv4.

telnet6

Creates a Telnet session using IPv6.

username

Configures a user account.


show ssh key

To display the Secure Shell (SSH) server key, use the show ssh key command.

show ssh key

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

This command is available only when SSH is enabled using the ssh server enable command.

Examples

This example shows how to display the SSH server key:

switch# show ssh key 
 
   

In Cisco NX-OS Release 5.0(2)N1(1), the following output is displayed:

**************************************
rsa Keys generated:Mon Aug  2 22:49:27 2010
 
   
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0iACA1fHAeIaY6PD5fSBLqGX3MIn+k72qhdvLNib7dL7
8CRQVS1AlQiDDTrvyIfRZ5yHMDQndvcmRfkJzluSCW2FP8vokZ66aXFk8TBTFc5Bn3NUiUyPZyhPtFD2
LaHBCkxl0MxEP+nmPJ6Qf6mBzZVAIdLw8Nd64ZwqVHHjeFc=
 
   
bitcount:1024
fingerprint:
bb:bf:a4:c0:22:3b:70:15:e4:2b:2b:bb:08:41:82:d4
**************************************
could not retrieve dsa key information
**************************************
switch#
 
   

Related Commands

Command
Description

ssh server key

Configures the SSH server key.


show ssh server

To display the Secure Shell (SSH) server status, use the show ssh server command.

show ssh server

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the SSH server status:

switch# show ssh server 
ssh version 2 is enabled
switch#
 
   

Related Commands

Command
Description

ssh server enable

Enables the SSH server.


show startup-config aaa

To display authentication, authorization, and accounting (AAA) configuration information in the startup configuration, use the show startup-config aaa command.

show startup-config aaa

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the AAA information in the startup configuration:

switch# show startup-config aaa 
 
   

Related Commands

Command
Description

show running-config aaa

Displays AAA configuration information in the running configuration.


show startup-config aclmgr

To display the access control list (ACL) configuration in the startup configuration, use the show startup-config aclmgr command.

show startup-config aclmgr [all]

Syntax Description

all

(Optional) Displays configured and default information.


Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the ACL startup configuration:

switch# show startup-config aclmgr 
 
   
!Command: show startup-config aclmgr
!Time: Tue Aug 31 05:01:58 2010
 
   
version 5.0(2)N1(1)
ip access-list BulkData
  10 deny ip any any
ip access-list CriticalData
  10 deny ip any any
ip access-list Scavenger
  10 deny ip any any
mac access-list acl-mac
  10 permit any any
ip access-list denyv4
  20 deny ip 10.10.10.0/24 10.20.10.0/24 fragments
  30 permit udp 10.10.10.0/24 10.20.10.0/24 lt 400
  40 permit icmp any any router-advertisement
  60 deny tcp 10.10.10.0/24 10.20.10.0/24 syn
  70 permit igmp any any host-report
  80 deny tcp any any rst
  90 deny tcp any any ack
  100 permit tcp any any fin
  110 permit tcp any gt 300 any lt 400
  130 deny tcp any range 200 300 any lt 600
  140 deny tcp any range 200 300 any lt 600
:
<snip>
:
vlan access-map vacl-mac
  match mac address acl-mac
  action forward
  statistics per-entry
vlan filter vacl-mac vlan-list 300
 
   
interface Ethernet1/1
  ipv6 port traffic-filter denv6 in
 
   
interface Ethernet1/2
  ip port access-group voice in
 
   
interface Ethernet1/9
  ipv6 port traffic-filter denv6 in
 
   
interface Ethernet1/10
  ipv6 port traffic-filter denv6 in
 
   
line vty
  access-class myACList in
  access-class myACList out
  ipv6 access-class myI6List out
 
   
switch#
 
   

This example shows how to display only the VTY startup configuration:

switch# show startup-config aclmgr | begin vty 
line vty
  access-class myACList in
  access-class myACList out
  ipv6 access-class myI6List out
 
   
switch#
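The startup ACL configuration shown above can be cross-checked offline. The following added example (not part of the Cisco documentation) parses saved show startup-config aclmgr output and reports ACL names that are applied but never defined, ACLs that are defined but never applied, and rule bodies repeated under two sequence numbers, as with entries 130 and 140 of denyv4. The function name, the sample text and the set of recognized application commands are assumptions of this example; output truncated with <snip> will report ACLs as undefined when their definitions were cut.

```python
import re

# Constructed sample, modeled on the `show startup-config aclmgr` output above.
SAMPLE = """\
ip access-list denyv4
  130 deny tcp any range 200 300 any lt 600
  140 deny tcp any range 200 300 any lt 600
mac access-list acl-mac
  10 permit any any
vlan access-map vacl-mac
  match mac address acl-mac
vlan filter vacl-mac vlan-list 300
interface Ethernet1/1
  ipv6 port traffic-filter denv6 in
line vty
  access-class myACList in
"""

DEFINE = re.compile(r"^(?:ip|ipv6|mac) access-list (\S+)$")
REFERENCE = re.compile(
    r"^\s+(?:ip port access-group|ipv6 port traffic-filter|"
    r"(?:ip |ipv6 )?access-class|match (?:ip|ipv6|mac) address) (\S+)")
ENTRY = re.compile(r"^\s+(\d+) (.+)$")

def audit_aclmgr(text):
    """Return (undefined references, unreferenced ACLs, duplicate entries)."""
    defined, referenced, dupes = {}, {}, []
    current = context = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue                      # blank line or !Command:/!Time: header
        if not line[0].isspace():         # a top-level line opens a new block
            context = line
            m = DEFINE.match(line)
            current = m.group(1) if m else None
            if current:
                defined.setdefault(current, {})
        elif m := REFERENCE.match(line):  # ACL applied to a port, VTY or map
            referenced.setdefault(m.group(1), []).append(context)
        elif current and (m := ENTRY.match(line)):
            seq, rule = m.groups()
            first = defined[current].setdefault(rule, seq)
            if first != seq:              # same rule body under two sequence numbers
                dupes.append((current, first, seq))
    undefined = {n: w for n, w in referenced.items() if n not in defined}
    unused = sorted(set(defined) - set(referenced))
    return undefined, unused, dupes
```
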
 
   

Related Commands

Command
Description

access-class

Configures access classes for VTY.

copy running-config startup-config

Copies the running configuration to the startup configuration file.

ip access-class

Configures IPv4 access classes for VTY.

ipv6 access-class

Configures IPv6 access classes for VTY.

show running-config aclmgr

Displays the ACL running configuration.


show startup-config arp

To display the Address Resolution Protocol (ARP) configuration in the startup configuration, use the show startup-config arp command.

show startup-config arp [all]

Syntax Description

all

(Optional) Displays configured and default information.


Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the ARP startup configuration:

switch# show startup-config arp 
 
   
!Command: show running-config arp
!Time: Mon Aug 23 07:33:15 2010
 
   
version 5.0(2)N1(1)
ip arp timeout 2100
ip arp event-history errors size medium
 
   
interface Vlan10
  ip arp 10.193.131.37 00C0.4F00.0000
 
   
switch# 
 
   

Related Commands

Command
Description

copy running-config startup-config

Copies the running configuration to the startup configuration file.

ip arp event-history errors

Logs ARP debug events into the event history buffer.

ip arp timeout

Configures an ARP timeout.

ip arp inspection

Displays general information about DHCP snooping.

show running-config arp

Displays the ARP running configuration.


show startup-config dhcp

To display the Dynamic Host Configuration Protocol (DHCP) snooping configuration in the startup configuration, use the show startup-config dhcp command.

show startup-config dhcp [all]

Syntax Description

all

(Optional) Displays configured and default information.


Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the DHCP snooping feature using the feature dhcp command.

Examples

This example shows how to display the DHCP snooping configuration in the startup configuration file:

switch# show startup-config dhcp 
 
   
!Command: show startup-config dhcp
!Time: Mon Aug 23 09:09:14 2010
 
   
version 5.0(2)N1(1)
feature dhcp
 
   
ip dhcp snooping
ip dhcp snooping information option
service dhcp
ip dhcp relay
ip dhcp relay information option
 
   
ip arp inspection filter arp-acl-01 vlan 15,37-48
 
   
switch# 
 
   

Related Commands

Command
Description

copy running-config startup-config

Copies the running configuration to the startup configuration.

feature dhcp

Enables the DHCP snooping feature on the device.

show running-config dhcp

Displays the DHCP running configuration.


show startup-config radius

To display RADIUS configuration information in the startup configuration, use the show startup-config radius command.

show startup-config radius

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the RADIUS information in the startup configuration:

switch# show startup-config radius 
 
   

Related Commands

Command
Description

show running-config radius

Displays RADIUS server information in the running configuration.


show startup-config security

To display user account, Secure Shell (SSH) server, and Telnet server configuration information in the startup configuration, use the show startup-config security command.

show startup-config security

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the user account, SSH server, and Telnet server information in the startup configuration:

switch# show startup-config security 
 
   

Related Commands

Command
Description

show running-config security

Displays user account, Secure Shell (SSH) server, and Telnet server information in the running configuration.


show tacacs-server

To display TACACS+ server information, use the show tacacs-server command.

show tacacs-server [hostname | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics]

Syntax Description

hostname

(Optional) TACACS+ server Domain Name Server (DNS) name. The maximum character size is 256.

ipv4-address

(Optional) TACACS+ server IPv4 address in the A.B.C.D format.

ipv6-address

(Optional) TACACS+ server IPv6 address in the X:X:X::X format.

directed-request

(Optional) Displays the directed request configuration.

groups

(Optional) Displays information about the configured TACACS+ server groups.

sorted

(Optional) Displays sorted-by-name information about the TACACS+ servers.

statistics

(Optional) Displays TACACS+ statistics for the TACACS+ servers.


Command Default

Displays the global TACACS+ server configuration.

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

TACACS+ preshared keys are not visible in the show tacacs-server command output. Use the show running-config tacacs+ command to display the TACACS+ preshared keys.

You must use the feature tacacs+ command before you can display TACACS+ information.

Examples

This example shows how to display information for all TACACS+ servers:

switch# show tacacs-server 
 
   

This example shows how to display information for a specified TACACS+ server:

switch# show tacacs-server 192.168.2.2 
 
   

This example shows how to display the TACACS+ directed request configuration:

switch# show tacacs-server directed-request 
 
   

This example shows how to display information for TACACS+ server groups:

switch# show tacacs-server groups 
 
   

This example shows how to display information for a specified TACACS+ server group:

switch# show tacacs-server groups TacServer 
 
   

This example shows how to display sorted information for all TACACS+ servers:

switch# show tacacs-server sorted 
 
   

This example shows how to display statistics for a specified TACACS+ server:

switch# show tacacs-server statistics 192.168.2.2 
 
   

Related Commands

Command
Description

show running-config tacacs+

Displays the TACACS+ information in the running configuration file.


show telnet server

To display the Telnet server status, use the show telnet server command.

show telnet server

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display the Telnet server status:

switch# show telnet server 
 
   

Related Commands

Command
Description

telnet server enable

Enables the Telnet server.


show user-account

To display information about the user accounts on the switch, use the show user-account command.

show user-account [name]

Syntax Description

name

(Optional) Information about the specified user account only.


Command Default

Displays information about all the user accounts defined on the switch.

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display information about all the user accounts defined on the switch:

switch# show user-account 
 
   
user:admin
        this user account has no expiry date
        roles:network-admin
user:mable
        this user account has no expiry date
        roles:network-operator
user:install
        this user account has no expiry date
        roles:network-admin
no password set. Local login not allowed
Remote login through RADIUS/TACACS+ is possible
user:user1
        this user account has no expiry date
        roles:priv-5
no password set. Local login not allowed
Remote login through RADIUS/TACACS+ is possible
switch#
 
   

This example shows how to display information about a specific user account:

switch# show user-account admin 
user:admin
        this user account has no expiry date
        roles:network-admin
switch#
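For a periodic access review, the show user-account output above can be turned into records and checked automatically. The following added example (not part of the Cisco documentation) parses that output and lists accounts that hold a privileged role with no expiry date and accounts that have no local password and can log in only through RADIUS/TACACS+. The function names, the PRIVILEGED set and the finding texts are assumptions of this example; only the line formats shown on this page are recognized.

```python
# Constructed sample in the format of the `show user-account` output above.
SAMPLE = """\
user:admin
        this user account has no expiry date
        roles:network-admin
user:install
        this user account has no expiry date
        roles:network-admin
no password set. Local login not allowed
Remote login through RADIUS/TACACS+ is possible
user:user1
        this user account has no expiry date
        roles:priv-5
no password set. Local login not allowed
Remote login through RADIUS/TACACS+ is possible
"""

PRIVILEGED = {"network-admin"}  # assumption: roles this review treats as privileged

def parse_user_accounts(text):
    """Parse `show user-account` output into one dict per account."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("user:"):
            accounts.append({"user": line[5:], "roles": [], "expires": None,
                             "local_login": True, "remote_login": False})
        elif not accounts:
            continue                      # prompt or blank line before the first record
        elif line.startswith("roles:"):
            accounts[-1]["roles"] = line[6:].split()
        elif line.startswith("this user account") and "no expiry date" not in line:
            accounts[-1]["expires"] = line    # kept verbatim; format is not on the page
        elif line.startswith("no password set"):
            accounts[-1]["local_login"] = False
        elif line.startswith("Remote login through"):
            accounts[-1]["remote_login"] = True
    return accounts

def review(accounts):
    """Return (user, finding) pairs worth raising in an access review."""
    findings = []
    for a in accounts:
        if PRIVILEGED & set(a["roles"]) and a["expires"] is None:
            findings.append((a["user"], "privileged role, no expiry date"))
        if not a["local_login"] and a["remote_login"]:
            findings.append((a["user"], "no local password, AAA login only"))
    return findings
```
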
 
   

Related Commands

Command
Description

username

Configures a user account.


show users

To display the users currently logged on to the switch, use the show users command.

show users

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display all the users currently logged on to the switch:

switch# show users 
NAME     LINE         TIME         IDLE          PID COMMENT
admin    ttyS0        Aug 24 22:19 10:41        4681
admin    pts/0        Aug 25 03:39   .          8890 (72.163.177.191) *
switch#
 
   

Related Commands

Command
Description

clear user

Logs out a specific user.

username

Creates and configures a user account.


show vlan access-list

To display the contents of the IPv4 access control list (ACL) or MAC ACL associated with a specific VLAN access map, use the show vlan access-list command.

show vlan access-list map-name

Syntax Description

map-name

VLAN access list to show.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

For the specified VLAN access map, the switch displays the access map name and the contents of the ACL associated with the map.

Examples

This example shows how to display the contents of the ACL associated with the specified VLAN access map:

switch# show vlan access-list vlan1map
 
   

Related Commands

Command
Description

ip access-list

Creates or configures an IPv4 ACL.

mac access-list

Creates or configures a MAC ACL.

show access-lists

Displays information about how a VLAN access map is applied.

show ip access-lists

Displays all IPv4 ACLs or a specific IPv4 ACL.

show mac access-lists

Displays all MAC ACLs or a specific MAC ACL.

vlan access-map

Configures a VLAN access map.


show vlan access-map

To display all VLAN access maps or a VLAN access map, use the show vlan access-map command.

show vlan access-map [map-name]

Syntax Description

map-name

(Optional) VLAN access map to show.


Command Default

The switch shows all VLAN access maps, unless you use the map-name argument to select a specific access map.

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Usage Guidelines

For each VLAN access map displayed, the switch shows the access map name, the ACL specified by the match command, and the action specified by the action command.

Use the show vlan filter command to see which VLANs have a VLAN access map applied to them.

Examples

This example shows how to display a specific VLAN access map:

switch# show vlan access-map vlan1map 
 
   

This example shows how to display all VLAN access maps:

switch# show vlan access-map 
Vlan access-map vacl-mac
        match mac: acl-mac
        action: forward
        statistics per-entry
 
   
switch# 
 
   

Related Commands

Command
Description

action

Specifies an action for traffic filtering in a VLAN access map.

match

Specifies an ACL for traffic filtering in a VLAN access map.

show vlan filter

Displays information about how a VLAN access map is applied.

vlan access-map

Configures a VLAN access map.

vlan filter

Applies a VLAN access map to one or more VLANs.


show vlan filter

To display information about instances of the vlan filter command, including the VLAN access map and the VLAN IDs affected by the command, use the show vlan filter command.

show vlan filter [access-map map-name | vlan vlan-id]

Syntax Description

access-map map-name

(Optional) Limits the output to VLANs that the specified access map is applied to.

vlan vlan-id

(Optional) Limits the output to access maps that are applied to the specified VLAN only.


Command Default

All instances of VLAN access maps applied to a VLAN are displayed, unless you use the access-map keyword and specify an access map or you use the vlan keyword and specify a VLAN ID.

Command Modes

EXEC mode

Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.


Examples

This example shows how to display all VLAN access map information on the switch:

switch# show vlan filter 
 
   
vlan map vacl-mac:
        Configured on VLANs:    300
switch#
 
   

Related Commands

Command
Description

action

Specifies an action for traffic filtering in a VLAN access map.

match

Specifies an ACL for traffic filtering in a VLAN access map.

show vlan access-map

Displays all VLAN access maps or a VLAN access map.

vlan access-map

Configures a VLAN access map.

vlan filter

Applies a VLAN access map to one or more VLANs.