Cisco IOS IPv6 Command Reference
IPv6 Commands: show crypto isakmp policy through show ipv6 eigrp neighbors
Download this chapter
IPv6 Commands: show crypto isakmp policy through show ipv6 eigrp neighborsIPv6 Commands: show crypto isakmp policy through show ipv6 eigrp neighbors
Download the complete book
Book-level PDF: Cisco IOS IPv6 Command ReferenceBook-level PDF: Cisco IOS IPv6 Command Reference (PDF - 15 MB)
give_us_feedback

Table Of Contents

show crypto isakmp policy

show crypto isakmp profile

show crypto map (IPSec)

show crypto session

show crypto socket

show erm statistics

show fm ipv6 traffic-filter

show frame-relay map

show glbp

show ip sockets

show ipv6 access-list

show ipv6 cef

show ipv6 cef adjacency

show ipv6 cef non-recursive

show ipv6 cef platform

show ipv6 cef summary

show ipv6 cef switching statistics

show ipv6 cef traffic prefix-length

show ipv6 cef tree

show ipv6 cef unresolved

show ipv6 cef vrf

show ipv6 dhcp

show ipv6 dhcp binding

show ipv6 dhcp database

show ipv6 dhcp interface

show ipv6 dhcp pool

show ipv6 eigrp interfaces

show ipv6 eigrp neighbors


show crypto isakmp policy

To display the parameters for each Internet Key Exchange (IKE) policy, use the show crypto isakmp policy command in privileged EXEC mode.

show crypto isakmp policy

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

11.3 T

This command was introduced.

12.2(13)T

The command output was expanded to include a warning message for users who try to configure an IKE encryption method that the hardware does not support.

12.4(4)T

Support for IPv6 was added.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Examples

The following is sample output from the show crypto isakmp policy command, after two IKE policies have been configured (with priorities 15 and 20, respectively): 

Router# show crypto isakmp policy


Protection suite priority 15

        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)

        hash algorithm:  Message Digest 5

        authentication method:   Rivest-Shamir-Adleman Signature

        Diffie-Hellman Group:    #2 (1024 bit)

        lifetime:      5000 seconds, no volume limit

Protection suite priority 20

        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)

        hash algorithm: Secure Hash Standard

        authentication method:   preshared Key

        Diffie-Hellman Group:    #1 (768 bit)

        lifetime:      10000 seconds, no volume limit

Default protection suite

        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)

        hash algorithm: Secure Hash Standard

        authentication method:   Rivest-Shamir-Adleman Signature

        Diffie-Hellman Group:    #1 (768 bit)

        lifetime:      86400 seconds, no volume limit

Note Although the output shows "no volume limit" for the lifetimes, you can currently configure only a time lifetime (such as 86,400 seconds); volume limit lifetimes are not used.

The following sample output from the show crypto isakmp policy command displays a warning message after a user tries to configure an IKE encryption method that the hardware does not support: 

Router# show crypto isakmp policy


Protection suite of priority 1

        encryption algorithm:  AES - Advanced Encryption Standard (256 bit keys).

WARNING:encryption hardware does not support the configured

encryption method for ISAKMP policy 1

        hash algorithm:        Secure Hash Standard

        authentication method: Pre-Shared Key

        Diffie-Hellman group:  #1 (768 bit)

        lifetime:              3600 seconds, no volume limit

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

group (IKE policy)

Specifies the DH group identifier within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.


show crypto isakmp profile

To list all the Internet Security Association and Key Management Protocol (ISAKMP) profiles that are defined on a router, use the show crypto isakmp profile command in privileged EXEC mode.

show crypto isakmp profile [tag profilename | vrf vrfname]

Syntax Description

tag profilename

(Optional) Displays ISAKMP profile details specified by the profile name.

vrf vrfname

(Optional) Displays ISAKMP profile details specified by the VRF name.


Privileged EXEC

Command History

Release
Modification

12.2(15)T

This command was introduced.

12.4(4)T

IPv6 support was added.

12.4(11)T

The tag profilename and vrf vrfname keywords and arguments were added.


Examples

The following is sample output for the show crypto isakmp profile command: 

Router# show crypto isakmp profile


ISAKMP PROFILE vpn1-ra

   Identities matched are:

group vpn1-ra

   Identity presented is: ip-address

The following sample output shows information for an IPv6 router: 

Router# show crypto isakmp profile


ISAKMP PROFILE tom

Identities matched are:

ipv6-address 2001:0DB8:0:1::1/32 

Certificate maps matched are:

Identity presented is: ipv6-address fqdn

keyring(s): <none>

trustpoint(s): <all>

Table 68 describes significant fields in the display.

Table 68 show crypto isakmp profile Field Descriptions

Field
Description

ISAKMP PROFILE

Name of the ISAKMP profile.

Identities matched are:

Lists all identities that the ISAKMP profile will match.

Identity presented is:

The identity that the ISAKMP profile will present to the remote endpoint.


The following configuration was in effect when the preceding show crypto isakmp profile command was issued: 

crypto isakmp profile vpn1-ra

 vrf vpn1

 self-identity address

 match identity group vpn1-ra

 client authentication list aaa-list

 isakmp authorization list aaa

 client configuration address initiate

 client configuration address respond

Related Commands

Command
Description

show crypto isakmp key

Lists the keyrings and their preshared keys.


show crypto map (IPSec)

To display the crypto map configuration, use the show crypto map command in privileged EXEC or user EXEC mode.

show crypto map [interface interface | tag map-name]

Syntax Description

interface interface

(Optional) Displays only the crypto map set that is applied to the specified interface.

tag map-name

(Optional) Displays only the crypto map set with the specified map-name.


Command Default

No crypto maps are shown.

Command Modes

Privileged EXEC
User EXEC

Command History

Release
Modification

11.2

This command was introduced.

12.3(8)T

Output has been modified to display the crypto input and output access control lists (ACLs) that have been configured.

12.4(4)T

IPv6 address information was added to command output.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

The show crypto map command allows you to specify a particular crypto map. The crypto maps shown in the command output have been dynamically generated; the user does not have to configure crypto maps in order for them to appear in this command output.

Examples

The following example shows that crypto input and output ACLs have been configured: 

Router# show crypto map


Crypto Map "test" 10 ipsec-isakmp

 Peer

 Extended IP access list ipsec_acl 

  access-list ipsec_acl permit ip 192.168.2.0 0.0.0.255 192.168.102.0 0.0.0.255 

 Extended IP access check IN list 110 

  access-list 110 permit ip host 192.168.102.47 192.168.2.0 10.0.0.15

  access-list 110 permit ip host 192.168.102.47 192.168.2.32 10.0.0.15

  access-list 110 permit ip host 192.168.102.47 192.168.2.64 10.0.0.15

  access-list 110 permit ip host 192.168.102.57 192.168.2.0 10.0.0.15

  access-list 110 permit ip host 192.168.102.57 192.168.2.32 10.0.0.15

  access-list 110 permit ip host 192.168.102.57 192.168.2.64 10.0.0.15

 Extended IP access check OUT list 120

  access-list 120 permit ip 192.168.2.0 10.0.0.15 host 192.168.102.47 

  access-list 120 permit ip 192.168.2.32 10.0.0.15 host 192.168.102.47

  access-list 120 permit ip 192.168.2.64 10.0.0.15 host 192.168.102.47

  access-list 120 permit ip 192.168.2.0 10.0.0.15 host 192.168.102.57

  access-list 120 permit ip 192.168.2.32 10.0.0.15 host 192.168.102.57

  access-list 120 permit ip 192.168.2.64 10.0.0.15 host 192.168.102.57

 Current peer: 10.0.0.2 

 Security association lifetime: 4608000 kilobytes/3600 seconds 

 PFS (Y/N): N 

 Transform sets=test

 Interfaces using crypto map test: 

  Serial0/1

Table 69 describes the output in the display.

Table 69 show crypto map Field Descriptions 

Field
Description

Peer

Possible peers that are configured for this crypto map entry.

Extended IP access list

Access list that is used to define which data packets are to be encrypted. Packets that are denied by this access list are forwarded but not encrypted. The "reverse" of this access list is used to check the inbound return packets, which are also encrypted. Packets that are denied by the "reverse" access list are dropped because they should have been encrypted but were not.

Extended IP access list check

Access lists that are used to more finely control which data packets are allowed into or out of the IPSec tunnel. Packets that are allowed by the "Extended IP access list" ACL but denied by the "Extended IP access list check" ACL are dropped.

Current peer

Current peer that is being used for this crypto map entry.

Security association lifetime

Number of bytes that are allowed to be encrypted or decrypted or the age of the security association before new encryption keys must be negotiated.

PFS

(Perfect Forward Secrecy) If "Yes," the Internet Security Association and Key Management Protocol (ISAKMP) SKEYID-d key is also renegotiated each time IPSec security association (SA) encryption keys are renegotiated (requires another Diffie-Hillman calculation). Otherwise, the same ISAKMP SKEYID-d key is used when renegotiating IPSec SA encryption keys. ISAKMP keys are renegotiated on a separate schedule, with a default time of 24 hours.

Transform sets

List of transform sets (encryption, authentication, and compression algorithms) that can be used with this crypto map.

Interfaces using crypto map test

Interfaces to which this crypto map is applied. Packets that are leaving from this interface are subject to the rules of this crypto map for encryption. Encrypted packets may enter the router on any interface, and they will be decrypted. Nonencrypted packets that are entering the router through this interface are subject to the "reverse" crypto access list check.


show crypto session

To display status information for active crypto sessions, use the show crypto session command in privileged EXEC mode.

show crypto session [[brief | detail] [local ip-address [port local-port] [remote ip-address]] [remote ip-address [port remote-port]] | [fvrf fvrf-name] [ivrf ivrf-name] |
[interface interface-type] | [isakmp group group-name] | [ isakmp profile profile-name] | [username username]] | [groups] | [summary group-name]

IPsec and IKE Stateful Failover Syntax

show crypto session [active | standby]

Syntax Description

brief

(Optional) Provides brief information about the session, such as the peer IP address, interface, username, group name/phase1 ID, length of session uptime, and current session status (up/down).

detail

(Optional) Provides more detailed information about the session, such as the capability of the Internet Key Exchange (IKE) security association (SA), connection ID, remaining lifetime of the IKE SA, inbound or outbound encrypted or decrypted packet number of the IP security (IPsec) flow, dropped packet number, and kilobyte-per-second lifetime of the IPsec SA.

local ip-address

(Optional) Displays status information about crypto sessions of a local crypto endpoint.

The ip-address value is the IP address of the local crypto endpoint.

port local-port

(Optional) Port of the local crypto endpoint.

The local-port value can be 1 through 65535. The default value is 500.

remote ip-address

(Optional) Displays status information about crypto sessions of a remote session.

The ip-address value is the IP address of the remote crypto endpoint.

port remote-port

(Optional) Displays status information about crypto sessions of a remote crypto endpoint.

The remote-port value can be 1 through 65535. The default value is 500.

fvrf fvrf-name

(Optional) Displays status information about the front door virtual routing and forwarding (FVRF) session.

The fvrf-name value is the name of the (FVRF) session.

ivrf ivrf-name

(Optional) Displays status information about the inside VRF (IVRF) session.

The ivrf-name value is the name of the (IVRF) session.

interface interface-type

(Optional) Displays crypto sessions on the connected interface.

The interface-type value is the type of interface connection.

isakmp group group-name

(Optional) Displays crypto sessions using the Internet Security Association and Key Management Protocol (ISAKMP) group.

The group-name value is the name of the group.

isakmp profile profile-name

(Optional) Displays crypto sessions using the Internet Security Association and Key Management Protocol (ISAKMP) profile.

The profile-name value is the name of the profile.

username username

(Optional) Displays the crypto session for the specified AAA Authentication (Xauth) or public key infrastructure (PKI) and authentication, authorization, and accounting (AAA) username.

groups

(Optional) Displays all crypto session group usage.

summary

(Optional) Displays a list of crypto session groups and associated group members.

active

(Optional) Displays all crypto sessions in the active state.

standby

(Optional) Displays all crypto sessions that are in the standby state.


Command Default

All existing sessions will be displayed.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.3(11)T

The active and standby keywords were added.

12.4(4)T

IPv6 address information was added to command output.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.(33)SRA.

12.4(11)T

The brief, groups, interface interface-type, isakmp group group-name, isakmp profile profile-name, summary, and username username keywords and arguments were added. The show crypto session output has been updated to include username, isakmp profile, isakmp group, assigned address, and session uptime.


Usage Guidelines

You can get a list of all the active Virtual Private Network (VPN) sessions and of the IKE and IPsec SAs for each VPN session by entering the show crypto session command. The listing will include the following information:

Interface

IKE peer description, if available

IKE SAs that are associated with the peer by whom the IPsec SAs are created

IPsec SAs serving the flows of a session

Multiple IKE or IPsec SAs may be established for the same peer (for the same session), in which case IKE peer descriptions will be repeated with different values for the IKE SAs that are associated with the peer and for the IPsec SAs that are serving the flows of the session.

IPv6 does not support the fvfr or ivrf keywords or the vrf-name argument.

Examples

The following examples shows active VPN sessions:

The following example shows sample output for the show crypto session command. 

Router# show crypto session 


Crypto session current status


Interface: Virtual-Access2

Username: cisco

Profile: prof

Group: easy

Assigned address: 10.3.3.4

Session status: UP-ACTIVE     

Peer: 10.1.1.2 port 500 

  IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Active 

  IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Inactive 

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 3.3.3.4 

        Active SAs: 2, origin: crypto map

The following example shows sample output for the show crypto session brief command. 

Router# show crypto session brief 


Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating 

        K - No IKE

ivrf = (none)

           Peer        I/F     Username     Group/Phase1_id    Uptime      Status        

           10.1.1.2    Vi2     cisco        easy               00:50:30    UA

The following example shows sample output for the show crypto session detail command. 

Router# show crypto session detail


Crypto session current status 


Code: C - IKE Configuration mode, D - Dead Peer Detection 

K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication 


Interface: Virtual-Access2

Username: cisco

Profile: prof

Group: easy

Assigned address: 3.3.3.4

Uptime: 00:49:33

Session status: UP-ACTIVE 

Peer: 1.1.1.2 port 500 fvrf: (none) ivrf: (none)

Phase1_id: easy

Desc: (none)

IKE SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active 

Capabilities:CX connid:1002 lifetime:23:10:15

IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 3.3.3.4 

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4425776/626

Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4425776/626

Table 70 describes the significant fields shown in the display.

Table 70 show crypto session Field Descriptions 

Field
Description

Interface

Interface to which the crypto session is related.

Session status

Current status of the crypto (VPN) sessions. See Table 71 for the status of the IKE SA, IPsec SA, and tunnel as shown in the display.

IKE SA

Information is provided about the IKE SA, such as local and remote address and port, SA status, SA capabilities, crypto engine connection ID, and remaining lifetime of the IKE SA.

IPSEC FLOW

A snapshot of information about the IPsec-protected traffic flow, such as what the flow is (for example, permit ip host 10.1.1.5 host 10.1.2.5); how many IPsec SAs there are; the origin of the SA, such as manual keyed, dynamic, or static crypto map; the number of encrypted or decrypted packets or dropped packets; and the IPsec SA remaining lifetime in kilobytes per second.


Table 71 provides an explanation of the current status of the VPN sessions shown in the display.

Table 71 Current Status of the VPN Sessions

IKE SA
IPsec SA
Tunnel Status

Exist, active

Exist (flow exists)

UP-ACTIVE

Exist, active

None (flow exists)

UP-IDLE

Exist, active

None (no flow)

UP-IDLE

Exist, inactive

Exist (flow exists)

UP-NO-IKE

Exist, inactive

None (flow exists)

DOWN-NEGOTIATING

Exist, inactive

None (no flow)

DOWN-NEGOTIATING

None

Exist (flow exists)

UP-NO-IKE

None

None (flow exists)

DOWN

None

None (no flow)

DOWN


Note IPsec flow may not exist if a dynamic crypto map is being used.

The following sample output shows all crypto sessions that are in the standby state: 

Router# show crypto session standby


Crypto session current status


Interface: Ethernet0/0

Session status: UP-STANDBY    

Peer: 10.165.200.225 port 500 

  IKE SA: local 10.165.201.3/500 remote 10.165.200.225/500 Active 

  IKE SA: local 10.165.201.3/500 remote 10.165.200.225/500 Active 

  IPSEC FLOW: permit ip host 192.168.0.1 host 172.16.0.1 

        Active SAs: 4, origin: crypto map

Related Commands

Command
Description

clear crypto session

Deletes crypto sessions (IPsec and IKE SAs).

description

Adds a description for an IKE peer.

show crypto isakmp peer

Displays peer descriptions.


show crypto socket

To list crypto sockets, use the show crypto socket command in privileged EXEC mode.

show crypto socket

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)T

This command was introduced.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.4(5)

The Flags field was added to command output.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.(33)SRA.


Usage Guidelines

Use this command to list crypto sockets and the state of the sockets.

Examples

The following sample output shows the number of crypto socket connections (2) and its state: 

Router# show crypto socket


Number of Crypto Socket connections 2


   Tu0 Peers (local/remote): 192.168.2.2/192.168.1.1 

       Local Ident  (addr/mask/port/prot): (192.168.2.2/255.255.255.255/0/47)

       Remote Ident (addr/mask/port/prot): (192.168.1.1/255.255.255.255/0/47)

       Flags: shared

       Socket State: Open

       Client: "TUNNEL SEC" (Client State: Active)

   Tu1 Peers (local/remote): 192.168.2.2/192.168.1.3 

       Local Ident  (addr/mask/port/prot): (192.168.2.2/255.255.255.255/0/47)

       Remote Ident (addr/mask/port/prot): (192.168.1.3/255.255.255.255/0/47)

       Flags: shared

       Socket State: Open

       Client: "TUNNEL SEC" (Client State: Active)


Crypto Sockets in Listen state:

Client: "TUNNEL SEC" Profile: "dmvpn-profile" Map-name: "dmvpn-profile-head-2"

Significant fields are described in Table 72.

Table 72 show crypto socket Field Descriptions 

Field
Description

Number of Crypto Socket connections

Number of crypto sockets in the system.

Socket State

This state can be Open, which means that active IPSec security associations (SAs) exist, or it can be Closed, which means that no active IPSec SAs exist.

Client

Application name and its state.

Crypto Sockets in Listen state

Name of the crypto IPSec profile.

Flags

If this field says "shared," the socket is shared with more than one tunnel interface.


show erm statistics

To display the Embedded Resource Manager (ERM) Forwarding Information Base (FIB) ternary content addressable memory (TCAM) exception status for IPv4, IPv6, and Multiprotocol Label Switching (MPLS) protocols, use the show erm statistics command in privileged EXEC mode.

show erm statistics

Syntax Description

This command has no arguments or keywords.

Command Default

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(17b)SXA

Support for this command was introduced on the Supervisor Engine 720.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.

The IPv4, IPv6, and MPLS exception state displays FALSE when the protocol is not under the exception or displays TRUE when the protocol is under the exception.

Examples

This example shows how to display FIB TCAM exception status for IPv4, IPv6, and MPLS protocols: 

Router# show erm statistics


#IPv4 excep notified     = 0

#IPv6 excep notified     = 0

#MPLS excep notified     = 0

#IPv4 reloads done       = 0

#IPv6 reloads done       = 0

#MPLS reloads done       = 0

Current IPv4 excep state = FALSE

Current IPv6 excep state = FALSE

Current MPLS excep state = FALSE

#Timer expired           = 0

#of erm msgs             = 1

Table 73 describes the significant fields shown in the display.

Table 73 show erm statistics Field Descriptions 

Field
Description

... excep notified

The number of exceptions for each protocol.

... reloads done

The number of reloads for each protocol.

...Current protocol exception state

The current exception status of each protocol.

#of erm msgs

The number of ERM messages sent.


Related Commands

Command
Description

mls erm priority

Assigns the priorities to define an order in which protocols attempt to recover from the exception status.


show fm ipv6 traffic-filter

To display the IPv6 information, use the show fm ipv6 traffic-filter command in EXEC mode.

show fm ipv6 traffic-filter {all | interface interface interface-number}

Syntax Description

all

Displays IPv6 traffic filter information for all interfaces.

interface interface

Displays IPv6 traffic filter information for the specified interface; possible valid values are ethernet, fastethernet, gigabitethernet, tengigabitethernet, pos, atm, ge-wan and vlan.

interface-number

Module and port number; see the "Usage Guidelines" section for valid values.


Command Default

This command has no default settings.

Command Modes

EXEC

Command History

Release
Modification

12.2(14)SX

Support for this command was introduced on the Supervisor Engine 720.

12.2(17d)SXB

Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

The pos, atm, and ge-wan keywords are supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.

The interface-number argument designates the module and port number. Valid values for interface-number depend on the specified interface type and the chassis and module that are used. For example, if you specify a Gigabit Ethernet interface and have a 48-port 10/100BASE-T Ethernet module that is installed in a 13-slot chassis, valid values for the module number are from 1 to 13 and valid values for the port number are from 1 to 48.

Examples

This example shows how to display the IPv6 information for a specific interface: 

Router# show fm ipv6 traffic-filter interface vlan 50 


----------------------------------------------------------------------------- 

FM_FEATURE_IPV6_ACG_INGRESS Name:testipv6 i/f: Vlan50 

============================================================================= 

DPort - Destination Port SPort - Source Port Pro - Protocol 

X - XTAG TOS - TOS Value Res - VMR Result 

RFM - R-Recirc. Flag MRTNP - M-Multicast Flag R - Reflexive flag 

- F-Fragment flag - T-Tcp Control N - Non-cachable 

- M-More Fragments - P-Mask Priority(H-High, L-Low) 

Adj. - Adj. Index T - M(Mask)/V(Value) FM - Flow Mask 

NULL - Null FM SAO - Source Only FM DAO - Dest. Only FM 

SADA - Sour.& Dest. Only VSADA - Vlan SADA Only FF - Full Flow 

VFF - Vlan Full Flow F-VFF - Either FF or VFF A-VSD - Atleast VSADA 

A-FF - Atleast FF A-VFF - Atleast VFF A-SON - Atleast SAO 

A-DON - Atleast DAO A-SD - Atleast SADA SHORT - Shortest 

A-SFF - Any short than FF A-EFF - Any except FF A-EVFF- Any except VFF 

A-LVFF- Any less than VFF ERR - Flowmask Error 

+----+-+----------------------------------------+----------------------------------------+
---+---+-+-----+----+------+

|Indx|T| Dest IPv6 Addr | Source IPv6 

Addr |Pro|RFM|X|MRTNP|Adj.| FM | 

+----+-+----------------------------------------+----------------------------------------+
---+---+-+-----+----+------+

1 V 0:200E:: 

200D::1 0 -F- - ----L ---- Shorte 

M 0:FFFF:FFFF:FFFF:FFFF:: 

FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0 1 

TM_SOFT_BRIDGE_RESULT

2 V 0:200E:: 

200D::1 17 --- - ----L ---- Shorte 

M 0:FFFF:FFFF:FFFF:FFFF:: 

FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 255 0 

TM_PERMIT_RESULT

3 V 200E:: 

200D::1 0 -F- - ----L ---- Shorte 

M FFFF:FFFF:FFFF:FFFF:: 

FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0 1 

TM_SOFT_BRIDGE_RESULT

4 V 200E:: 

200D::1 17 --- - ----L ---- Shorte 

M FFFF:FFFF:FFFF:FFFF:: 

FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 255 0 

TM_PERMIT_RESULT

5 V 

:: :: 0 -F- - ----L ---- Shorte 

M 

:: :: 0 1 

TM_SOFT_BRIDGE_RESULT

6 V 

:: :: 0 -F- - ----L ---- Shorte 

M 

:: :: 0 1 

TM_SOFT_BRIDGE_RESULT

7 V 

:: :: 58 --- - ----L ---- Shorte 

M 

:: :: 255 0 

TM_PERMIT_RESULT

8 V 

:: :: 58 --- - ----L ---- Shorte 

M 

:: :: 255 0 

TM_PERMIT_RESULT

9 V 

:: :: 58 --- - ----L ---- Shorte 

M 

:: :: 255 0 

TM_PERMIT_RESULT

10 V 

:: :: 58 --- - ----L ---- Shorte 

M 

:: :: 255 0 

TM_PERMIT_RESULT

11 V 

:: :: 58 --- - ----L ---- Shorte 

M 

:: :: 255 0 

TM_PERMIT_RESULT

12 V 

:: :: 58 --- - ----L ---- Shorte 

M 

:: :: 255 0 

TM_PERMIT_RESULT

13 V 

:: :: 58 --- - ----L ---- Shorte 

M 

:: :: 255 0 

TM_PERMIT_RESULT

14 V 

:: :: 58 --- - ----L ---- Shorte 

M 

:: :: 255 0 

TM_PERMIT_RESULT

15 V 

:: :: 0 --- - ----L ---- Shorte 

M 

:: :: 0 0 

TM_L3_DENY_RESULT

Router#

This example shows how to display the IPv6 information for all interfaces: 

Router# show fm ipv6 traffic-filter all 


----------------------------------------------------------------------------- 

FM_FEATURE_IPV6_ACG_INGRESS Name:testipv6 i/f: Vlan50 

============================================================================= 

DPort - Destination Port SPort - Source Port Pro - Protocol 

X - XTAG TOS - TOS Value Res - VMR Result 

RFM - R-Recirc. Flag MRTNP - M-Multicast Flag R - Reflexive flag 

- F-Fragment flag - T-Tcp Control N - Non-cachable 

- M-More Fragments - P-Mask Priority(H-High, L-Low) 

Adj. - Adj. Index T - M(Mask)/V(Value) FM - Flow Mask 

NULL - Null FM SAO - Source Only FM DAO - Dest. Only FM 

SADA - Sour.& Dest. Only VSADA - Vlan SADA Only FF - Full Flow 

VFF - Vlan Full Flow F-VFF - Either FF or VFF A-VSD - Atleast VSADA 

A-FF - Atleast FF A-VFF - Atleast VFF A-SON - Atleast SAO 

A-DON - Atleast DAO A-SD - Atleast SADA SHORT - Shortest 

A-SFF - Any short than FF A-EFF - Any except FF A-EVFF- Any except VFF 

A-LVFF- Any less than VFF ERR - Flowmask Error 

+----+-+----------------------------------------+----------------------------------------+
---+---+-+-----+----+------+

|Indx|T| Dest IPv6 Addr | Source IPv6 

Addr |Pro|RFM|X|MRTNP|Adj.| FM | 

+----+-+----------------------------------------+----------------------------------------+
---+---+-+-----+----+------+

1 V 0:200E:: 

200D::1 0 -F- - ----L ---- Shorte 

M 0:FFFF:FFFF:FFFF:FFFF:: 

FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0 1 

TM_SOFT_BRIDGE_RESULT

2 V 0:200E:: 

200D::1 17 --- - ----L ---- Shorte 

M 0:FFFF:FFFF:FFFF:FFFF:: 

FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 255 0 

TM_PERMIT_RESULT

3 V 200E:: 

200D::1 0 -F- - ----L ---- Shorte 

M FFFF:FFFF:FFFF:FFFF:: 

FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0 1 

TM_SOFT_BRIDGE_RESULT

4 V 200E:: 

200D::1 17 --- - ----L ---- Shorte 

M FFFF:FFFF:FFFF:FFFF:: 

FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 255 0 

TM_PERMIT_RESULT

5 V 

:: :: 0 -F- - ----L ---- Shorte 

M 

:: :: 0 1 

TM_SOFT_BRIDGE_RESULT

6 V 

:: :: 0 -F- - ----L ---- Shorte 

M 

:: :: 0 1 

TM_SOFT_BRIDGE_RESULT

7 V 

:: :: 58 --- - ----L ---- Shorte 

M 

:: :: 255 0 

TM_PERMIT_RESULT

8 V 

:: :: 58 --- - ----L ---- Shorte 

M 

:: :: 255 0 

TM_PERMIT_RESULT

9 V 

:: :: 58 --- - ----L ---- Shorte 

M 

:: :: 255 0 

TM_PERMIT_RESULT

10 V 

:: :: 58 --- - ----L ---- Shorte 

M 

:: :: 255 0 

13 V 

:: :: 58 --- - ----L ---- Shorte 

M 

:: :: 255 0 

.

. Output is truncated

.

Interface(s) using this IPv6 Ingress Traffic Filter: 

Vl50,

show frame-relay map

To display current Frame Relay map entries and information about connections, use the show frame-relay map command in privileged EXEC mode.

show frame-relay map [interface type number] [dlci]

Syntax Description

interface type number

(Optional) Specifies an interface for which mapping information will be displayed. A space is optional between the interface type and number.

dlci

(Optional) Specifies a data-link connection identifier (DLCI) for which mapping information will be displayed. Range: 16 to 1022.


Command Default

Static and dynamic Frame Relay map entries and information about connections for all DLCIs on all interfaces are displayed.

Command Modes

Privileged EXEC

Command History

Release
Modification

10.0

This command was introduced.

12.2(2)T

The display output for this command was modified to include the IPv6 address mappings of remote nodes to Frame Relay permanent virtual circuits (PVCs).

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(13)T

The display output for this command was modified to include information about Frame Relay PVC bundle maps.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB, the interface keyword was added, and the dlci argument was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(9)T

The interface keyword was added, and the dlci argument was added.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Examples

This section contains the following examples:

Display All Maps or Maps for Specific DLCIs on Specific Interfaces or Subinterfaces: Example

Display Maps for PVC Bundles: Example

Display Maps for IPv6 Addresses: Example

Display All Maps or Maps for Specific DLCIs on Specific Interfaces or Subinterfaces: Example

The sample output in these examples uses the following configuration: 

interface POS2/0

 no ip address

 encapsulation frame-relay

 frame-relay map ip 10.1.1.1 20 tcp header-compression

 frame-relay map ip 10.1.2.1 21 tcp header-compression

 frame-relay map ip 10.1.3.1 22 tcp header-compression

 frame-relay map bridge 23

 frame-relay interface-dlci 25

 frame-relay interface-dlci 26

 bridge-group 1

interface POS2/0.1 point-to-point

 frame-relay interface-dlci 24 protocol ip 10.1.4.1


interface Serial3/0

 no ip address

 encapsulation frame-relay

 serial restart-delay 0

 frame-relay map ip 172.16.3.1 20

 frame-relay map ip 172.16.4.1 21 tcp header-compression active

 frame-relay map ip 172.16.1.1 100

 frame-relay map ip 172.16.2.1 101

interface Serial3/0.1 multipoint

 frame-relay map ip 192.168.11.11 24

 frame-relay map ip 192.168.11.22 105

The following example shows how to display all maps: 

Router# show frame-relay map


POS2/0 (up): ip 10.1.1.1 dlci 20(0x14,0x440), static,

              CISCO, status deleted

              TCP/IP Header Compression (enabled), connections: 256

POS2/0 (up): ip 10.1.2.1 dlci 21(0x15,0x450), static,

              CISCO, status deleted

              TCP/IP Header Compression (enabled), connections: 256

POS2/0 (up): ip 10.1.3.1 dlci 22(0x16,0x460), static,

              CISCO, status deleted

              TCP/IP Header Compression (enabled), connections: 256

POS2/0 (up): bridge dlci 23(0x17,0x470), static,

              CISCO, status deleted

POS2/0.1 (down): point-to-point dlci, dlci 24(0x18,0x480), broadcast

          status deleted

Serial3/0 (downup): ip 172.16.3.1 dlci 20(0x14,0x440), static,

              CISCO, status deleted

Serial3/0 (downup): ip 172.16.4.1 dlci 21(0x15,0x450), static,

              CISCO, status deleted

              TCP/IP Header Compression (enabled), connections: 256

Serial3/0.1 (downup): ip 192.168.11.11 dlci 24(0x18,0x480), static,

              CISCO, status deleted

Serial3/0 (downup): ip 172.16.1.1 dlci 100(0x64,0x1840), static,

              CISCO, status deleted

Serial3/0 (downup): ip 172.16.2.1 dlci 101(0x65,0x1850), static,, CISCO, 

              CISCO, status deleted

              ECRTP Header Compression (enabled, IETF), connections 16

              TCP/IP Header Compression (enabled, IETF), connections 16 

Serial3/0.1 (downup): ip 192.168.11.22 dlci 105(0x69,0x1890), static,

              CISCO, status deleted

Serial4/0/1:0.1 (up): point-to-point dlci, dlci 102(0x66,0x1860), broadcast, CISCO

          status defined, active,

              RTP Header Compression (enabled), connections: 256

The following example shows how to display maps for a specific DLCI: 

Router# show frame-relay map 20


POS2/0 (up): ip 10.1.1.1 dlci 20(0x14,0x440), static,

              CISCO, status deleted

              TCP/IP Header Compression (enabled), connections: 256

Serial3/0 (down): ip 172.16.3.1 dlci 20(0x14,0x440), static,

              CISCO, status deleted

The following example shows how to display maps for a specific interface: 

Router# show frame-relay map interface pos2/0


POS2/0 (up): ip 10.1.1.1 dlci 20(0x14,0x440), static,

              CISCO, status deleted

              TCP/IP Header Compression (enabled), connections: 256

POS2/0 (up): ip 10.1.2.1 dlci 21(0x15,0x450), static,

              CISCO, status deleted