Cisco IOS Security Command Reference, Release 12.3 T
Security Commands: show crypto isakmp key through subject-name

Table Of Contents

show crypto isakmp key
show crypto isakmp peer
show crypto isakmp policy
show crypto isakmp profile
show crypto isakmp sa
show crypto key mypubkey rsa
show crypto key pubkey-chain rsa
show crypto map (IPSec)
show crypto mib ipsec flowmib history failure size
show crypto mib ipsec flowmib history tunnel size
show crypto mib ipsec flowmib version
show crypto pki certificates
show crypto pki crls
show crypto pki server
show crypto pki timers
show crypto pki trustpoints
show crypto session
show crypto session group
show crypto session summary
show crypto socket
show dnsix
show dot1x
show dot1x (EtherSwitch)
show eou
show ip admission
show ip auth-proxy
show ip inspect
show ip ips
show ip port-map
show ip sdee
show ip source-track
show ip source-track export flows
show ip ssh
show ip traffic-export
show ip trigger-authentication
show ip urlfilter cache
show ip urlfilter config
show ip urlfilter statistics
show ip virtual-reassembly
show kerberos creds
show login
show parser view
show ppp queues
show privilege
show radius local-server statistics
show radius statistics
show secure bootset
show ssh
show tacacs
show tcp intercept connections
show tcp intercept statistics
show usb controllers
show usb device
show usb driver
show usb port
show usbtoken
show usb tree
show webvpn sessions
show webvpn statistics
show wlccp wds
shutdown (certificate server)
snmp-server enable traps ipsec
snmp-server enable traps isakmp
source interface
split-dns
ssh
ssid
ssl encryption
ssl trustpoint
strict-http
subject-name


show crypto isakmp key

To list the keyrings and their preshared keys, use the show crypto isakmp key command in EXEC mode.

show crypto isakmp key

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release      Modification
12.2(15)T    This command was introduced.


Examples

The following is sample output for the show crypto isakmp key command:

Router# show crypto isakmp key

Hostname/Address       Preshared Key
vpn1                   : 172.61.1.1          vpn1
vpn2                   : 10.1.1.1            vpn2

The following configuration was in effect when the above show crypto isakmp key command was issued:

crypto keyring vpn1 
  pre-shared-key address 172.16.1.1 key vpn1
crypto keyring vpn2 
  pre-shared-key address 10.1.1.1 key vpn2

Table 41 describes significant fields in the show crypto isakmp key display.

Table 41 show crypto isakmp key Field Descriptions

Field               Description
Hostname/Address    The preshared key host name or address.
Preshared Key       The preshared key.
keyring             Name of the crypto keyring. The global keys are listed in the default keyring.
VRF string          The virtual routing and forwarding (VRF) instance of the keyring. If the keyring has no VRF, an empty string is printed.


show crypto isakmp peer

To display peer descriptions, use the show crypto isakmp peer command in privileged EXEC mode.

show crypto isakmp peer

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release      Modification
12.3(4)T     This command was introduced.


Examples

The following output example shows information about the peer named "This-is-another-peer-at-10-1-1-3":

Router# show crypto isakmp peer

Peer: 10.1.1.3 Port: 500
 Description: This-is-another-peer-at-10-1-1-3
 Phase1 id: 10.1.1.3

Table 42 describes the significant fields shown in the display.

Table 42 show crypto isakmp peer Field Descriptions

Field        Description
Phase1 id    Internet Key Exchange (IKE) ID


Related Commands

Command                  Description
clear crypto session     Deletes crypto sessions (IPSec and IKE) SAs.
description              Adds a description for an IKE peer.
show crypto session      Displays status information for active crypto sessions in a router.


show crypto isakmp policy

To display the parameters for each Internet Key Exchange (IKE) policy, use the show crypto isakmp policy command in EXEC mode.

show crypto isakmp policy

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release      Modification
11.3 T       This command was introduced.
12.2(13)T    The command output was expanded to include a warning message for users who try to configure an IKE encryption method that the hardware does not support.


Examples

The following is sample output from the show crypto isakmp policy command, after two IKE policies have been configured (with priorities 15 and 20, respectively):

Router# show crypto isakmp policy

Protection suite priority 15
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm:  Message Digest 5
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #2 (1024 bit)
        lifetime:      5000 seconds, no volume limit
Protection suite priority 20
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   preshared Key
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      10000 seconds, no volume limit
Default protection suite
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      86400 seconds, no volume limit

Note Although the output shows "no volume limit" for the lifetimes, you can currently configure only a time lifetime (such as 86,400 seconds); volume limit lifetimes are not used.


The following sample output from the show crypto isakmp policy command displays a warning message after a user tries to configure an IKE encryption method that the hardware does not support:

Router# show crypto isakmp policy

Protection suite of priority 1
        encryption algorithm:  AES - Advanced Encryption Standard (256 bit keys).
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1
        hash algorithm:        Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group:  #1 (768 bit)
        lifetime:              3600 seconds, no volume limit
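
As an added example (not code from this reference), the following Python script parses show crypto isakmp policy output of the form shown above, including the interleaved hardware WARNING lines, and reports the parameters a reviewer would treat as weak in each protection suite. The sample text is the page's own output embedded as a constructed input; the rules applied (DES and MD5 flagged as weak, Diffie-Hellman modulus under 2048 bits flagged) are the editor's assumptions, not thresholds stated anywhere in this reference.

```python
import re

# Constructed input: the page's "show crypto isakmp policy" samples, concatenated,
# including the unindented hardware WARNING lines that interrupt policy 1.
SAMPLE = """\
Protection suite priority 15
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm:  Message Digest 5
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #2 (1024 bit)
        lifetime:      5000 seconds, no volume limit
Protection suite priority 20
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   preshared Key
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      10000 seconds, no volume limit
Protection suite of priority 1
        encryption algorithm:  AES - Advanced Encryption Standard (256 bit keys).
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1
        hash algorithm:        Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group:  #1 (768 bit)
        lifetime:              3600 seconds, no volume limit
Default protection suite
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      86400 seconds, no volume limit
"""

HEADER_RE = re.compile(r"^(?:Protection suite (?:of )?priority (\d+)|Default protection suite)\s*$")
ATTR_RE = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?):\s*(.*?)\.?\s*$")
DH_RE = re.compile(r"#(\d+)\s*\((\d+) bit\)")

MIN_DH_BITS = 2048  # editor's threshold (assumption), not a value from the reference


def parse_policies(text):
    """Return {priority: {attribute: value, "warnings": [...]}}.

    Attribute lines are indented. Unindented lines that are not a policy header
    (the "WARNING:encryption hardware ..." text) are attached to the policy they
    interrupt as warnings instead of being mistaken for attributes."""
    policies, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            priority = int(m.group(1)) if m.group(1) else "default"
            current = policies.setdefault(priority, {"warnings": []})
            continue
        if current is None or not line.strip():
            continue
        a = ATTR_RE.match(line)
        if a:
            current[a.group(1).strip().lower()] = a.group(2)
        else:
            current["warnings"].append(line.strip())
    return policies


def audit_policies(text):
    """Return {priority: [finding, ...]}; an empty list means nothing was flagged."""
    findings = {}
    for priority, p in parse_policies(text).items():
        issues = []
        enc = p.get("encryption algorithm", "")
        if enc.startswith(("DES ", "3DES")):
            issues.append(f"weak encryption: {enc.split(' - ')[0]}")
        if "Message Digest 5" in p.get("hash algorithm", ""):
            issues.append("weak hash: MD5")
        dh = DH_RE.search(p.get("diffie-hellman group", ""))
        if dh and int(dh.group(2)) < MIN_DH_BITS:
            issues.append(f"weak DH group #{dh.group(1)} ({dh.group(2)} bit)")
        if p["warnings"]:
            issues.append("hardware does not support configured encryption")
        findings[priority] = issues
    return findings


if __name__ == "__main__":
    for priority, issues in audit_policies(SAMPLE).items():
        print(f"policy {priority}: {'; '.join(issues) or 'no findings'}")
```

Run against a saved copy of the command output, the script gives one line per protection suite, including the default suite, which is easy to overlook because it applies whenever no configured policy matches.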

Related Commands

Command                        Description
authentication (IKE policy)    Specifies the authentication method within an IKE policy.
crypto isakmp policy           Defines an IKE policy.
encryption (IKE policy)        Specifies the encryption algorithm within an IKE policy.
group (IKE policy)             Specifies the DH group identifier within an IKE policy.
hash (IKE policy)              Specifies the hash algorithm within an IKE policy.
lifetime (IKE policy)          Specifies the lifetime of an IKE SA.


show crypto isakmp profile

To list all the Internet Security Association and Key Management Protocol (ISAKMP) profiles that are defined on a router, use the show crypto isakmp profile command in EXEC mode.

show crypto isakmp profile

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release      Modification
12.2(15)T    This command was introduced.


Examples

The following is sample output for the show crypto isakmp profile command:

Router# show crypto isakmp profile

ISAKMP PROFILE vpn1-ra
   Identities matched are:
group vpn1-ra
   Identity presented is: ip-address

Table 43 describes significant fields in the display.

Table 43 show crypto isakmp profile Field Descriptions

Field                    Description
ISAKMP PROFILE           Name of the ISAKMP profile.
Identities matched are:  Lists all identities that the ISAKMP profile will match.
Identity presented is:   The identity that the ISAKMP profile will present to the remote endpoint.


The following configuration was in effect when the above show crypto isakmp profile command was issued:

crypto isakmp profile vpn1-ra
 vrf vpn1
 self-identity address
 match identity group vpn1-ra
 client authentication list aaa-list
 isakmp authorization list aaa
 client configuration address initiate
 client configuration address respond

Related Commands

Command                   Description
show crypto isakmp key    Lists the keyrings and their preshared keys.


show crypto isakmp sa

To display current Internet Key Exchange (IKE) security associations (SAs), use the show crypto isakmp sa command in privileged EXEC mode.

show crypto isakmp sa [active | standby]

Syntax Description

active     (Optional) All existing IKE SAs that are in an active state are displayed.
standby    (Optional) All existing IKE SAs that are in standby state are displayed.


Command Modes

Privileged EXEC

Command History

Release      Modification
11.3 T       This command was introduced.
12.3(11)T    The active and standby keywords were added.


Usage Guidelines

If neither the active keyword nor the standby keyword is specified, current SAs for all configured routers are shown.

Examples

The following sample output shows the SAs of both the active and standby devices:

Router# show crypto isakmp sa

dst             src             state          conn-id slot status
209.165.201.3   209.165.200.225 QM_IDLE              2    0 STDBY 
10.0.0.1        10.0.0.2        QM_IDLE              1    0 ACTIVE

The following sample output shows the SAs of only the active device:

Router# show crypto isakmp sa active

dst             src             state          conn-id slot status
209.165.201.3   209.165.200.225 QM_IDLE              5    0 ACTIVE

The following sample output shows the SAs of only the standby device:

Router# show crypto isakmp sa standby

dst             src             state          conn-id slot status
209.165.201.3   209.165.200.225 QM_IDLE              5    0 STDBY 
209.165.201.3   209.165.200.225 QM_IDLE              1    0 STDBY 


Table 44 through Table 47 show the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it will most likely be in its quiescent state (QM_IDLE). For long exchanges, some of the MM_xxx states may be observed.

Table 44 States in Main Mode Exchange

State          Explanation
MM_NO_STATE    The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage—there is no state.
MM_SA_SETUP    The peers have agreed on parameters for the ISAKMP SA.
MM_KEY_EXCH    The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.
MM_KEY_AUTH    The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a Quick Mode exchange begins.


Table 45 States in Aggressive Mode Exchange

State           Explanation
AG_NO_STATE     The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage—there is no state.
AG_INIT_EXCH    The peers have done the first exchange in aggressive mode, but the SA is not authenticated.
AG_AUTH         The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a quick mode exchange begins.


Table 46 States in Quick Mode Exchange

State      Explanation
QM_IDLE    The ISAKMP SA is idle. It remains authenticated with its peer and may be used for subsequent quick mode exchanges. It is in a quiescent state.


Table 47 show crypto isakmp sa Field Descriptions

Field          Description
f_vrf/i_vrf    The front door virtual routing and forwarding (FVRF) and the inside VRF (IVRF) of the IKE SA. If the FVRF is global, the output shows f_vrf as an empty field.


Related Commands

Command                  Description
crypto isakmp policy     Defines an IKE policy.
lifetime (IKE policy)    Specifies the lifetime of an IKE SA.


show crypto key mypubkey rsa

To display the RSA public keys of your router, use the show crypto key mypubkey rsa command in privileged EXEC mode.

show crypto key mypubkey rsa

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release        Modification
11.3 T         This command was introduced.
12.3(7)T       The show output was modified to display whether an RSA key is protected (encrypted) and locked or unlocked.
12.2(18)SXE    This command was integrated into Cisco IOS Release 12.2(18)SXE.


Usage Guidelines

This command displays the RSA public keys of your router.


Note Secure Shell (SSH) may generate an additional RSA keypair if you generate a keypair on a router having no RSA keys. The additional keypair is used only by SSH and will have a name such as {router_FQDN}.server. For example, if a router name is "router1.cisco.com," the keyname is "router1.cisco.com.server."


Examples

The following is sample output from the show crypto key mypubkey rsa command. Special usage RSA keys were previously generated for this router using the crypto key generate rsa command.

% Key pair was generated at: 06:07:49 UTC Jan 13 1996
Key name: myrouter.example.com
 Usage: Signature Key
 Key Data:
  005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 
  04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 
  BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001

% Key pair was generated at: 06:07:50 UTC Jan 13 1996
Key name: myrouter.example.com
 Usage: Encryption Key
 Key Data:
  00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
  18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
  07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21

The following example shows how to encrypt the RSA key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the RSA key is encrypted (protected) and unlocked.

Router(config)# crypto key encrypt rsa name pki1-72a.cisco.com passphrase cisco1234
Router(config)# exit
Router# show crypto key mypubkey rsa

% Key pair was generated at:00:15:32 GMT Jun 25 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and UNLOCKED. ***
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E0CC9A 1D23B52C
CD00910C ABD392AE BA6D0E3F FC47A0EF 8AFEE340 0EC1E62B D40E7DCC 23C4D09E
03018B98 E0C07B42 3CFD1A32 2A3A13C0 1FF919C5 8DE9565F 1F020301 0001

% Key pair was generated at:00:15:33 GMT Jun 25 2003
Key name:pki1-72a.cisco.com.server
Usage:Encryption Key
Key is exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D3491E 2A21D383
854D7DA8 58AFBDAC 4E11A7DD E6C40AC6 66473A9F 0C845120 7C0C6EC8 1FFF5757
3A41CE04 FDCB40A4 B9C68B4F BC7D624B 470339A3 DE739D3E F7DDB549 91CD4DA4
DF190D26 7033958C 8A61787B D40D28B8 29BCD0ED 4E6275C0 6D020301 0001

Router#

The following example shows how to lock the key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the key is protected (encrypted) and locked.

Router# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234
! 
Router# show crypto key mypubkey rsa

% Key pair was generated at:20:29:41 GMT Jun 20 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and LOCKED. ***
Key is exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
0D2B55AC 5D199F2F 7CB4B355 C555E07B 6D0DECBE 4519B1F0 75B12D6F 902D6E9F
B6FDAD8D 654EF851 5701D5D7 EDA047ED 9A2A619D 5639DF18 EB020301 0001

Related Commands

Command                          Description
crypto key encrypt rsa           Encrypts the RSA private key.
crypto key generate rsa (IKE)    Generates RSA key pairs.
crypto key lock rsa              Locks the RSA private key in a router.


show crypto key pubkey-chain rsa

To display the RSA public keys of the peer that are stored on your router, use the show crypto key pubkey-chain rsa command in EXEC mode.

show crypto key pubkey-chain rsa [name key-name | address key-address]

Syntax Description

name key-name          (Optional) The name of a particular public key to view.
address key-address    (Optional) The address of a particular public key to view.


Command Modes

EXEC

Command History

Release    Modification
11.3 T     This command was introduced.


Usage Guidelines

This command shows RSA public keys stored on your router. This includes peers' RSA public keys manually configured at your router and keys received by your router via other means (such as by a certificate, if certification authority support is configured).

If a router reboots, any public key derived from a certificate will be lost. This is because the router will request the certificates again, at which time the public key will be derived again.

Use the name or address keywords to display details about a particular RSA public key stored on your router.

If no keywords are used, this command displays a list of all RSA public keys stored on your router.

Examples

The following is sample output from the show crypto key pubkey-chain rsa command:

Router# show crypto key pubkey-chain rsa

Codes: M - Manually Configured, C - Extracted from certificate

Code  Usage        IP-address     Name
M     Signature    10.0.0.1       myrouter.example.com
M     Encryption   10.0.0.1       myrouter.example.com
C     Signature    172.16.0.1     routerA.example.com
C     Encryption   172.16.0.1     routerA.example.com
C     General      192.168.10.3   routerB.domain1.com

This sample shows manually configured special usage RSA public keys for the peer "somerouter." This sample also shows three keys obtained from peers' certificates: special usage keys for peer "routerA" and a general purpose key for peer "routerB."

Certificate support is used in the above example; if certificate support were not in use, none of the peers' keys would show "C" in the Code column, and all of them would have to be manually configured.

The following is sample output when you issue the command show crypto key pubkey-chain rsa name somerouter.example.com:

Router# show crypto key pubkey-chain rsa name somerouter.example.com

Key name: somerouter.example.com
Key address: 10.0.0.1
 Usage: Signature Key
 Source: Manual
 Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 
  04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 
  BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001

Key name: somerouter.example.com
Key address: 10.0.0.1
 Usage: Encryption Key
 Source: Manual
 Data:
  00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
  18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
  07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21


Note The Source field in the above example indicates "Manual," meaning that the keys were manually configured on the router, not received in the peer's certificate.


The following is sample output when you issue the command show crypto key pubkey-chain rsa address 192.168.10.3:

Router# show crypto key pubkey-chain rsa address 192.168.10.3

Key name: routerB.example.com
Key address: 192.168.10.3
 Usage: General Purpose Key
 Source: Certificate
 Data:
  0738BC7A 2BC3E9F0 679B00FE 53987BCC 01030201 42DD06AF E228D24C 458AD228
  58BB5DDD F4836401 2A2D7163 219F882E 64CE69D4 B583748A 241BED0F 6E7F2F16
  0DE0986E DF02031F 4B0B0912 F68200C4 C625C389 0BFF3321 A2598935 C1B1

The Source field in the above example indicates "Certificate," meaning that the keys were received by the router by way of the other router's certificate.
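
An added example, not code from this reference, that makes use of the hex dump printed under "Key Data" or "Data" by both show crypto key mypubkey rsa and show crypto key pubkey-chain rsa: the dump is a DER-encoded X.509 SubjectPublicKeyInfo, so a small tag-length-value walker recovers the modulus size and public exponent, which is enough to flag short keys during a configuration review. The input below is constructed from two of the page's own sample dumps (the somerouter.example.com signature key and the pki1-72a.cisco.com.server key); the 2048-bit minimum is the editor's assumption, and the parser deliberately reports, rather than crashes on, data it cannot decode.

```python
import re

# Constructed input: two Key Data dumps copied from the page's sample output, one
# in "show crypto key pubkey-chain rsa name" form and one in "show crypto key
# mypubkey rsa" form, so the entry parser has to cope with both layouts.
SAMPLE = """\
Key name: somerouter.example.com
Key address: 10.0.0.1
 Usage: Signature Key
 Source: Manual
 Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22
  04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
  BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001

% Key pair was generated at:00:15:33 GMT Jun 25 2003
Key name:pki1-72a.cisco.com.server
Usage:Encryption Key
Key is exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D3491E 2A21D383
854D7DA8 58AFBDAC 4E11A7DD E6C40AC6 66473A9F 0C845120 7C0C6EC8 1FFF5757
3A41CE04 FDCB40A4 B9C68B4F BC7D624B 470339A3 DE739D3E F7DDB549 91CD4DA4
DF190D26 7033958C 8A61787B D40D28B8 29BCD0ED 4E6275C0 6D020301 0001
"""

RSA_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1, rsaEncryption
HEX_LINE_RE = re.compile(r"^\s*(?:[0-9A-Fa-f]{2,8}\s*)+$")
MIN_BITS = 2048                                  # editor's threshold (assumption)


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length (1-4 length bytes)
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, pos, tag):
    t, value, nxt = _tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{t:02x}")
    return value, nxt


def decode_rsa_key_data(hex_text):
    """Decode a Key Data dump as SubjectPublicKeyInfo; return (modulus_bits, exponent)."""
    buf = bytes.fromhex(re.sub(r"\s+", "", hex_text))
    spki, end = _expect(buf, 0, 0x30)            # SubjectPublicKeyInfo SEQUENCE
    if end != len(buf):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg, pos = _expect(spki, 0, 0x30)            # AlgorithmIdentifier SEQUENCE
    oid, _ = _expect(alg, 0, 0x06)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    bits, _ = _expect(spki, pos, 0x03)           # subjectPublicKey BIT STRING
    if not bits or bits[0] != 0:
        raise ValueError("unexpected unused-bit count in BIT STRING")
    rsa, _ = _expect(bits, 1, 0x30)              # RSAPublicKey SEQUENCE
    n, pos = _expect(rsa, 0, 0x02)               # modulus INTEGER
    e, _ = _expect(rsa, pos, 0x02)               # publicExponent INTEGER
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def parse_key_entries(output):
    """Return [(key name, hex text)] from either command's output: a record starts
    at a 'Key name:' line and its key is the run of hex-only lines that follows."""
    entries, name, hex_lines = [], None, []
    for line in output.splitlines():
        if line.startswith("Key name:"):
            if name and hex_lines:
                entries.append((name, " ".join(hex_lines)))
            name, hex_lines = line.split(":", 1)[1].strip(), []
        elif name and HEX_LINE_RE.match(line):
            hex_lines.append(line.strip())
    if name and hex_lines:
        entries.append((name, " ".join(hex_lines)))
    return entries


def audit_rsa_keys(output, min_bits=MIN_BITS):
    """Return {key name: (bits, exponent, verdict)} with verdict ok/weak/undecodable."""
    report = {}
    for name, hex_text in parse_key_entries(output):
        try:
            bits, e = decode_rsa_key_data(hex_text)
        except ValueError as exc:
            report[name] = (None, None, f"undecodable: {exc}")
            continue
        report[name] = (bits, e, "weak" if bits < min_bits else "ok")
    return report


if __name__ == "__main__":
    for name, (bits, e, verdict) in audit_rsa_keys(SAMPLE).items():
        print(f"{name}: {bits} bit, e={e}, {verdict}")
```

The two sample keys decode to 512 and 768 bits with exponent 65537, matching the sizes this reference prints elsewhere for keys of that era; both fall well under the threshold.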

show crypto map (IPSec)

To display the crypto map configuration, use the show crypto map command in privileged EXEC or user EXEC mode.

show crypto map [interface interface | tag map-name]

Syntax Description

interface interface    (Optional) Displays only the crypto map set that is applied to the specified interface.
tag map-name           (Optional) Displays only the crypto map set with the specified map-name.


Defaults

No crypto maps are shown.

Command Modes

Privileged EXEC
User EXEC

Command History

Release     Modification
11.2        This command was introduced.
12.3(8)T    Output has been modified to display the crypto input and output access control lists (ACLs) that have been configured.


Usage Guidelines

The show crypto map command provides output that is IP specific, and it allows you to specify a particular crypto map.

Examples

The following example shows that crypto input and output ACLs have been configured:

Router# show crypto map

Crypto Map "test" 10 ipsec-isakmp
 Peer
 Extended IP access list ipsec_acl 
  access-list ipsec_acl permit ip 192.168.2.0 0.0.0.255 192.168.102.0 0.0.0.255 
 Extended IP access check IN list 110 
  access-list 110 permit ip host 192.168.102.47 192.168.2.0 0.0.0.15
  access-list 110 permit ip host 192.168.102.47 192.168.2.32 0.0.0.15
  access-list 110 permit ip host 192.168.102.47 192.168.2.64 0.0.0.15
  access-list 110 permit ip host 192.168.102.57 192.168.2.0 0.0.0.15
  access-list 110 permit ip host 192.168.102.57 192.168.2.32 0.0.0.15
  access-list 110 permit ip host 192.168.102.57 192.168.2.64 0.0.0.15
 Extended IP access check OUT list 120
  access-list 120 permit ip 192.168.2.0 0.0.0.15 host 192.168.102.47 
  access-list 120 permit ip 192.168.2.32 0.0.0.15 host 192.168.102.47
  access-list 120 permit ip 192.168.2.64 0.0.0.15 host 192.168.102.47
  access-list 120 permit ip 192.168.2.0 0.0.0.15 host 192.168.102.57
  access-list 120 permit ip 192.168.2.32 0.0.0.15 host 192.168.102.57
  access-list 120 permit ip 192.168.2.64 0.0.0.15 host 192.168.102.57
 Current peer: 10.0.0.2 
 Security association lifetime: 4608000 kilobytes/3600 seconds 
 PFS (Y/N): N 
 Transform sets=test
 Interfaces using crypto map test: 
  Serial0/1

Table 48 describes the output in the display.

Table 48 show crypto map Field Descriptions

Field
Description

Peer

Possible peers that are configured for this crypto map entry.

Extended IP access list

Access list that is used to define which data packets are to be encrypted. Packets that are denied by this access list are forwarded but not encrypted. The "reverse" of this access list is used to check the inbound return packets, which are also encrypted. Packets that are denied by the "reverse" access list are dropped because they should have been encrypted but were not.

Extended IP access list check

Access lists that are used to more finely control which data packets are allowed into or out of the IPSec tunnel. Packets that are allowed by the "Extended IP access list" ACL but denied by the "Extended IP access list check" ACL are dropped.

Current peer

Current peer that is being used for this crypto map entry.

Security association lifetime

Number of bytes that are allowed to be encrypted or decrypted or the age of the security association before new encryption keys must be negotiated.

PFS

(Perfect Forward Secrecy) If "Yes," the Internet Security Association and Key Management Protocol (ISAKMP) SKEYID-d key is also renegotiated each time IPSec security association (SA) encryption keys are renegotiated (requires another Diffie-Hellman calculation). Otherwise, the same ISAKMP SKEYID-d key is used when renegotiating IPSec SA encryption keys. ISAKMP keys are renegotiated on a separate schedule, with a default time of 24 hours.

Transform sets

List of transform sets (encryption, authentication, and compression algorithms) that can be used with this crypto map.

Interfaces using crypto map test

Interfaces to which this crypto map is applied. Packets that are leaving from this interface are subject to the rules of this crypto map for encryption. Encrypted packets may enter the router on any interface, and they will be decrypted. Nonencrypted packets that are entering the router through this interface are subject to the "reverse" crypto access list check.


show crypto mib ipsec flowmib history failure size

To display the size of the IP Security (IPSec) failure history table, use the show crypto mib ipsec flowmib history failure size command in privileged EXEC mode.

show crypto mib ipsec flowmib history failure size

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release     Modification
12.1(4)E    This command was introduced.
12.2(4)T    This command was integrated into Cisco IOS Release 12.2(4)T.


Examples

The following is sample output from the show crypto mib ipsec flowmib history failure size command:

Router# show crypto mib ipsec flowmib history failure size

IPSec Failure Window size: 140

Related Commands

Command                                            Description
crypto mib ipsec flowmib history failure size      Changes the size of the IPSec failure history table.
show crypto mib ipsec flowmib version              Displays the IPSec Flow MIB version used by the router.


show crypto mib ipsec flowmib history tunnel size

To display the size of the IP Security (IPSec) tunnel history table, use the show crypto mib ipsec flowmib history tunnel size command in privileged EXEC mode.

show crypto mib ipsec flowmib history tunnel size

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release     Modification
12.1(4)E    This command was introduced.
12.2(4)T    This command was integrated into Cisco IOS Release 12.2(4)T.


Examples

The following is sample output from the show crypto mib ipsec flowmib history tunnel size command:

Router# show crypto mib ipsec flowmib history tunnel size

IPSec History Window Size: 130

Related Commands

Command                                           Description
crypto mib ipsec flowmib history tunnel size      Changes the size of the IPSec tunnel history table.
show crypto mib ipsec flowmib version             Displays the IPSec Flow MIB version used by the router.


show crypto mib ipsec flowmib version

To display the IP Security (IPSec) MIB version used by the router, use the show crypto mib ipsec flowmib version command in privileged EXEC mode.

show crypto mib ipsec flowmib version

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release     Modification
12.1(4)E    This command was introduced.
12.2(4)T    This command was integrated into Cisco IOS Release 12.2(4)T.


Usage Guidelines

Use the show crypto mib ipsec flowmib version command to display the MIB version used by the management applications to identify the feature set.


Note The MIB version can also be obtained by querying the MIB element cipSecMibLevel using Simple Network Management Protocol (SNMP).


Examples

The following is sample output from the show crypto mib ipsec flowmib version command:

Router# show crypto mib ipsec flowmib version

IPSec Flow MIB version: 1

Related Commands

Command                                                 Description
show crypto mib ipsec flowmib history failure size      Displays the size of the IPSec failure history table.
show crypto mib ipsec flowmib history tunnel size       Displays the size of the IPSec tunnel history table.


show crypto pki certificates

To display information about your certificate, the certification authority certificate, and any registration authority certificates, use the show crypto pki certificates command in privileged EXEC mode.

show crypto pki certificates [trustpoint-name [verbose]]

Syntax Description

trustpoint-name    (Optional) Name of the trustpoint. Using this argument indicates that only certificates that are related to the trustpoint are to be displayed.
verbose            (Optional) More detailed information is to be displayed.

Note The verbose keyword can be used only if a trustpoint name is entered.


Command Modes

Privileged EXEC

Command History

Release      Modification
11.3 T       The show crypto ca certificates command was introduced.
12.2(13)T    The trustpoint-name argument was added.
12.3(7)T     This command replaced the show crypto ca certificates command.
12.3(8)T     The verbose keyword was added.
12.3(14)T    The command output was modified to include persistent self-signed certificate parameters.


Usage Guidelines

This command shows information about the following certificates:

Your certificate, if you have requested one from the certificate authority (CA) (see the crypto pki enroll command)

The certificate of the CA, if you have received the certificate of the CA (see the crypto pki authenticate command)

RA certificates, if you have received registration authority (RA) certificates (see the crypto pki authenticate command)

A self-signed certificate, if one has been requested

Examples

The following is sample output from the show crypto pki certificates command after you authenticated the CA by requesting the certificate of the CA and public key with the crypto pki authenticate command:

CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set

The CA certificate might show Key Usage as "Not Set."

The following is sample output from the show crypto pki certificates command, and it shows the certificate of the router and the certificate of the CA. In this example, a single, general-purpose Rivest, Shamir, and Adleman (RSA) key pair was previously generated, and a certificate was requested but not received for that key pair.

Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
    Serial Number: 04806682
  Status: Pending
  Key Usage: General Purpose
    Fingerprint: 428125BD A3419600 3F6C7831 6CD8FA95 00000000

CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set

Note that in the previous sample, the certificate status of the router shows "Pending." After the router receives its certificate from the CA, the Status field changes to "Available" in the show output.

The following is sample output from the show crypto pki certificates command, and it shows the certificates of two routers and the certificate of the CA. In this example, special-usage RSA key pairs were previously generated, and a certificate was requested and received for each key pair.

Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95
  Key Usage: Signature
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: AB352356AFCD0395E333CCFD7CD33897
  Key Usage: Encryption
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set

The following is sample output from the show crypto pki certificates command when the CA supports an RA. In this example, the CA and RA certificates were previously requested with the crypto pki authenticate command.

CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 34BCF8A0
  Key Usage: Signature
RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 34BCF89F
  Key Usage: Encryption

The following is sample output from the show crypto pki certificates command using the optional trustpoint-name argument and verbose keyword. The output shows the certificate of a router and the certificate of the CA. In this example, general-purpose RSA key pairs were previously generated, and a certificate was requested and received for the key pair.


Certificate
   Status: Available
   Version: 3
   Certificate Serial Number: 18C1EE03000000004CBD
   Certificate Usage: General Purpose
   Issuer:
     cn=msca-root
     ou=pki msca-root
     o=cisco
     l=santa cruz2
     st=CA
     c=US
     ea=user@example.com
   Subject:
     Name: myrouter.example.com
     hostname=myrouter.example.com
   CRL Distribution Points:
     http://msca-root/CertEnroll/msca-root.crl
   Validity Date:
     start date: 19:50:40 GMT Oct 5 2004
     end   date: 20:00:40 GMT Oct 12 2004
   Subject Key Info:
     Public Key Algorithm: rsaEncryption
     RSA Public Key: (360 bit)
   Signature Algorithm: SHA1 with RSA Encryption
   Fingerprint MD5: 2B5F53E6 E3E892E6 3A9D3706 01261F10
   Fingerprint SHA1: 315D127C 3AD34010 40CE7F3A 988BBDA5 CD528824
   X509v3 extensions:
     X509v3 Key Usage: A0000000
       Digital Signature
       Key Encipherment
     X509v3 Subject Key ID: D156E92F 46739CBA DFE66D2D 3559483E B41ECCF4
     X509v3 Authority Key ID: 37F3CC61 AF5E7C0B 434AB364 CF9FA0C1 B17C50D9
     Authority Info Access:
   Associated Trustpoints: msca-root
   Key Label: myrouter.example.com

CA Certificate
   Status: Available
   Version: 3
   Certificate Serial Number: 1244325DE0369880465F977A18F61CA8
   Certificate Usage: Signature
   Issuer:
     cn=msca-root
     ou=pki msca-root
     o=cisco
     l=santa cruz2
     st=CA
     c=US
     ea=user@example.com
   Subject:
     cn=msca-root
     ou=pki msca-root
     o=cisco
     l=santa cruz2
     st=CA
     c=US
     ea=user@example.com
   CRL Distribution Points:
     http://msca-root.example.com/CertEnroll/msca-root.crl
   Validity Date:
     start date: 22:19:29 GMT Oct 31 2002
     end   date: 22:27:27 GMT Oct 31 2017
   Subject Key Info:
     Public Key Algorithm: rsaEncryption
     RSA Public Key: (512 bit)
   Signature Algorithm: SHA1 with RSA Encryption
   Fingerprint MD5: 84E470A2 38176CB1 AA0476B9 C0B4F478
   Fingerprint SHA1: 0F57170C 654A5D7D 10973553 EFB0F94F 2FAF9837
   X509v3 extensions:
     X509v3 Key Usage: C6000000
       Digital Signature
       Non Repudiation
       Key Cert Sign
       CRL Signature
     X509v3 Subject Key ID: 37F3CC61 AF5E7C0B 434AB364 CF9FA0C1 B17C50D9
     X509v3 Basic Constraints:
         CA: TRUE
     Authority Info Access:
   Associated Trustpoints: msca-root

The following example shows that a self-signed certificate has been created using a user-defined trustpoint:

Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: General Purpose
  Issuer:
    serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.cisco.com
  Subject:
    Name: router.cisco.com
    IP Address: 10.3.0.18
    Serial Number: C63EBBE9
    serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.cisco.com
  Validity Date:
    start date: 20:51:40 GMT Nov 29 2004
    end   date: 00:00:00 GMT Jan 1 2020
  Associated Trustpoints: local
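As an added example (not Cisco's code), the following Python script parses the certificate blocks shown above, the verbose form included, and flags certificates that are expiring, are not in the Available state, or carry an RSA key shorter than a chosen minimum. The 2048-bit and 30-day thresholds and the reference date are assumptions of this example, and the sample text is abbreviated from the output above.

```python
"""Parse `show crypto pki certificates` output and flag certificates needing attention.
Added example, not Cisco's code. Dates are compared as naive timestamps (the zone
token, GMT here, is recorded but not converted); the key-size and expiry thresholds
are illustrative policy values, not IOS defaults."""
import re
from datetime import datetime, timedelta

# A block starts with an unindented header; the indented lines below belong to it.
_HEADER = re.compile(r"^(Certificate|CA Certificate|RA \w+ Certificate|"
                     r"Router Self-Signed Certificate)\s*$")
_DATE = re.compile(r"^\s*(start|end)\s+date:\s*(\d\d:\d\d:\d\d)\s+(\S+)\s+"
                   r"(\w{3}\s+\d{1,2}\s+\d{4})")
_RSA = re.compile(r"RSA Public Key:\s*\((\d+) bit\)")
# Single-line "Key: value" fields only; multi-line Issuer/Subject DNs are skipped.
_FIELD = re.compile(r"^\s+([A-Za-z ]+?):\s+(.*\S)\s*$")


def parse_certificates(text):
    """One dict per certificate block: type, single-line fields, dates, RSA size."""
    certs, cur = [], None
    for line in text.splitlines():
        if m := _HEADER.match(line):
            cur = {"type": m.group(1), "fields": {}, "start": None, "end": None,
                   "tz": None, "rsa_bits": None}
            certs.append(cur)
        elif cur is None or not line.strip():
            continue
        elif m := _DATE.match(line):
            cur[m.group(1)] = datetime.strptime(f"{m.group(2)} {m.group(4)}",
                                                "%H:%M:%S %b %d %Y")
            cur["tz"] = m.group(3)
        elif m := _RSA.search(line):
            cur["rsa_bits"] = int(m.group(1))
        elif m := _FIELD.match(line):
            cur["fields"].setdefault(m.group(1).strip(), m.group(2))  # first one wins
    return certs


def audit(certs, now, min_rsa_bits=2048, warn_days=30):
    """(block type, serial, finding) for each certificate that deserves a look."""
    findings = []
    for c in certs:
        serial = c["fields"].get("Certificate Serial Number", "?")
        status = c["fields"].get("Status")
        if status not in (None, "Available"):
            findings.append((c["type"], serial, f"status is {status}"))
        if c["end"] is not None:
            if c["end"] <= now:
                findings.append((c["type"], serial, "expired"))
            elif c["end"] - now <= timedelta(days=warn_days):
                findings.append((c["type"], serial, f"expires within {warn_days} days"))
        if c["rsa_bits"] is not None and c["rsa_bits"] < min_rsa_bits:
            findings.append((c["type"], serial, f"RSA key only {c['rsa_bits']} bits"))
    return findings


# Constructed input, abbreviated from the sample output above.
SAMPLE = """\
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95
  Key Usage: Signature
Certificate
   Status: Available
   Certificate Serial Number: 18C1EE03000000004CBD
   Certificate Usage: General Purpose
   Validity Date:
     start date: 19:50:40 GMT Oct 5 2004
     end   date: 20:00:40 GMT Oct 12 2004
   Subject Key Info:
     Public Key Algorithm: rsaEncryption
     RSA Public Key: (360 bit)
   Associated Trustpoints: msca-root

CA Certificate
   Status: Available
   Certificate Serial Number: 1244325DE0369880465F977A18F61CA8
   Certificate Usage: Signature
   Validity Date:
     start date: 22:19:29 GMT Oct 31 2002
     end   date: 22:27:27 GMT Oct 31 2017
   Subject Key Info:
     RSA Public Key: (512 bit)
   Associated Trustpoints: msca-root
"""
REFERENCE_NOW = datetime(2004, 10, 6)  # the day after the router certificate's start


def run_sample(now=REFERENCE_NOW):
    return audit(parse_certificates(SAMPLE), now)


if __name__ == "__main__":
    for block, serial, finding in run_sample():
        print(f"{block:<15} {serial}: {finding}")
```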

Related Commands

Command
Description

crypto pki authenticate

Authenticates the CA (by obtaining the certificate of the CA).

crypto pki enroll

Obtains the certificates of your router from the CA.

debug crypto pki messages

Displays debug messages for the details of the interaction (message dump) between the CA and the router.

debug crypto pki transactions

Displays debug messages for the trace of interaction (message type) between the CA and the router.


show crypto pki crls

To display the current certificate revocation list (CRL) on the router, use the show crypto pki crls command in EXEC mode.

show crypto pki crls

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.1

The show crypto ca crls command was introduced.

12.3(7)T

This command replaced the show crypto ca crls command.


Examples

The following is sample output of the show crypto pki crls command:

Router# show crypto pki crls 

          CRL Issuer Name: 
              OU = sjvpn, O = cisco, C = us
              LastUpdate: 16:17:34 PST Jan 10 2002
              NextUpdate: 17:17:34 PST Jan 11 2002
              Retrieved from CRL Distribution Point: 
                LDAP: CN = CRL1, OU = sjvpn, O = cisco, C = us

Related Commands

Command
Description

crypto pki crl request

Requests that a new CRL be obtained immediately from the CA.


show crypto pki server

To display the current state and configuration of the certificate server, use the show crypto pki server command in privileged EXEC mode.

show crypto pki server

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

At startup, the certificate server must check the current configuration before issuing any certificates. As it starts up, the certificate server transitions through the states defined in Table 49. Use the show crypto pki server command to display the state of the certificate server.

Table 49 State of the Certificate Server

Certificate Server State
Description

configured

The server is available and has generated the certificate server certificates.

storage configuration incomplete

The server is verifying that the configured storage location is available.

waiting for HTTP server

The server is verifying that the HTTP server is running.

waiting for time setting

The server is verifying that the time has been set.


Examples

The following example is sample output for the show crypto pki server command:

Router# show crypto pki server 

Certificate Server status: disabled, storage configuration incomplete
    Granting mode is: manual
    Last certificate issued serial number: 0
    CA certificate expiration timer: 21:29:38 GMT Jun 5 2006
    CRL NextUpdate timer: 21:31:39 GMT Jun 6 2003
    Current storage dir: ftp://myftpserver
    Database Level: Minimum - no cert data written to storage

Table 50 describes the significant fields shown in the display.

Table 50 show crypto pki server Field Descriptions 

Field
Description

Granting mode is

Specifies whether certificate enrollment requests are granted manually (the default) or automatically (via the grant automatic command).

Note The grant automatic command should be used only when testing and building simple networks. It must be disabled before the network is accessible from the Internet.

Last certificate issued serial number

The serial number of the latest certificate. (To specify the distinguished name (DN) as the certification authority (CA) issuer name, use the issuer-name command.)

CA certificate expiration timer

The expiration date for the CA certificate. (To specify the expiration date, use the lifetime command.)

CRL NextUpdate timer

The next time the certificate revocation list (CRL) will be updated. (To specify the CRL lifetime, in hours, use the lifetime crl command.)

Current storage dir

The location where all database entries for the certificate server will be written out. (To specify a location, use the database url command.)

Database Level

The type of data that is stored in the certificate enrollment database: minimal, names, or complete. (To specify the data type to be stored, use the database level command.)


Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters certificate server configuration mode.


show crypto pki timers

To display the status of the managed timers that are maintained by Cisco IOS for public key infrastructure (PKI), use the show crypto pki timers command in EXEC mode.

show crypto pki timers

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.2(8)T

The show crypto ca timers command was introduced.

12.3(7)T

This command replaced the show crypto ca timers command.


Usage Guidelines

For each timer, this command displays the time remaining before the timer expires and the trustpoint certification authority (CA) that the timer belongs to. For certificate revocation list (CRL) timers, it displays the CRL distribution point instead.

Examples

The following example is sample output for the show crypto pki timers command:

Router# show crypto pki timers

PKI Timers
| 4d15:13:33.144  
 | 4d15:13:33.144  CRL http://msca-root.cisco.com/CertEnroll/msca-root.crl
 |328d11:56:48.372  RENEW msroot
 | 6:43.201  POLL verisign

Related Commands

Command
Description

auto-enroll

Enables autoenrollment.

crypto pki trustpoint

Declares the CA that your router should use.


show crypto pki trustpoints

To display the trustpoints that are configured in the router, use the show crypto pki trustpoints command in privileged or user EXEC mode.

show crypto pki trustpoints [status | label [status]]

Syntax Description

status

(Optional) Trustpoint status.

label

(Optional) Trustpoint name.


Defaults

If the label argument (trustpoint name) is not specified, command output is displayed for all trustpoints.

Command Modes

Privileged EXEC
User EXEC

Command History

Release
Modification

12.2(8)T

The show crypto ca trustpoints command was introduced.

12.3(7)T

This command replaced the show crypto ca trustpoints command.

12.3(11)T

The status keyword and label argument were added.

12.3(14)T

The command output was modified to include persistent self-signed certificate parameters.


Usage Guidelines

If you enter the show crypto ca roots command, it will have the same effect as entering the show crypto pki trustpoints command.

Examples

The following is sample output from the show crypto pki trustpoints command:

Router# show crypto pki trustpoints

Trustpoint bo:
    Subject Name:
    CN = bomborra Certificate Manager
     O = cisco.com
     C = US
          Serial Number:01
    Certificate configured.
    CEP URL:http://bomborra
    CRL query url:ldap://bomborra

The following is sample output from the show crypto pki trustpoints command when a persistent self-signed certificate has been configured:

Router# show crypto pki trustpoints

Trustpoint local:
    Subject Name:
    serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.cisco.com
          Serial Number: 01
    Persistent self-signed certificate trust point

The following output using the status keyword shows that the trustpoint is configured in query mode and is currently trying to query the certificates (the certificate authority (CA) certificate and the router certificate are both pending):

Router# show crypto pki trustpoints status

Trustpoint yni:
  Issuing CA certificate pending:
    Subject Name:
     cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31 
  Router certificate pending:
    Subject Name:
     hostname=trance.cisco.com,o=cisco.com
  Next query attempt:
    52 seconds

The following output using the status keyword shows that the trustpoint has been authenticated:

Router# show crypto pki trustpoints status

Trustpoint yni:
  Issuing CA certificate configured:
    Subject Name:
     cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31 
  State:
    Keys generated ............. No
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... None

The following output using the status keyword shows that the trustpoint is enrolling and that two of the certificate requests are pending (Signature and Encryption):

Router# show crypto pki trustpoints status

Trustpoint yni:
  Issuing CA certificate configured:
    Subject Name:
     cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31 
  Router Signature certificate pending:
    Requested Subject Name:
     hostname=trance.cisco.com
    Request Fingerprint: FAE0D74E BB844EA1 54B26698 56AB42EC
    Enrollment polling: 1 times (9 left)
    Next poll: 32 seconds
  Router Encryption certificate pending:
    Requested Subject Name:
     hostname=trance.cisco.com
    Request Fingerprint: F4E815DB D9D9B60F 9B5B1724 3E155DBF
    Enrollment polling: 1 times (9 left)
    Next poll: 44 seconds
  Last enrollment status: Pending
  State:
    Keys generated ............. Yes (Signature, Encryption)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... Pending

The following output using the status keyword shows that enrollment has succeeded and that two router certificates have been granted (Signature and Encryption):

Router# show crypto pki trustpoints status 

Trustpoint yni:
  Issuing CA certificate configured:
    Subject Name:
     cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31 
  Router Signature certificate configured:
    Subject Name:
     hostname=trance.cisco.com,o=cisco.com
    Fingerprint: 8A370B8B 3B6A2464 F962178E 8385E9D6 
  Router Encryption certificate configured:
    Subject Name:
     hostname=trance.cisco.com,o=cisco.com
    Fingerprint: 43A03218 C0AFF844 AE0C162A 690B414A 
  Last enrollment status: Granted
  State:
    Keys generated ............. Yes (Signature, Encryption)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... Yes

The following output using the status keyword shows that trustpoint enrollment has been rejected:

Router# show crypto pki trustpoints status

Trustpoint yni:
  Issuing CA certificate configured:
    Subject Name:
     cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31 
  Last enrollment status: Rejected
  State:
    Keys generated ............. Yes (General Purpose)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... None

The following output using the status keyword shows that enrollment has succeeded and that the router is configured for autoenrollment using a regenerated key. In addition, the running configuration has been modified so that it will not be saved automatically after autoenrollment.

Router# show crypto pki trustpoints status

Trustpoint yni:
  Issuing CA certificate configured:
    Subject Name:
     cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31 
  Router General Purpose certificate configured:
    Subject Name:
     hostname=trance.cisco.com,o=cisco.com
    Fingerprint: FC365F95 E24D4B55 81347510 10FFE331 
  Last enrollment status: Granted
  Next enrollment attempt:
    01:58:25 PST Feb 14 2004 
    * A new key will be generated *
    * Configuration will not be saved after enrollment *
  State:
    Keys generated ............. Yes (General Purpose)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... Yes

Table 51 describes the significant fields shown in the display.

Table 51 show crypto pki trustpoints Field Descriptions 

Field
Description

Trustpoint

Name of the trustpoint.

Issuing CA certificate pending

The certificate authority (CA) certificate is being retrieved (query mode).

Issuing CA certificate [not] configured

A CA certificate is [not] configured.

Subject Name

Subject name of the indicated certificate.

Next query attempt

Time until the next query attempt (query mode).

Router certificate pending/Router [key usage] certificate pending

The trustpoint is attempting to obtain the certificate from the CA server (through query mode or enrollment).

Router [key usage] certificate configured

Certificate of the specified key usage is configured.

Requested Subject Name

Subject name used in the enrollment request (Public Key Cryptography Standards 10 [PKCS10]).

Fingerprint MD5/SHA1

Fingerprint of the indicated certificate (Message Digest 5 [MD5] or Secure Hash Algorithm 1 [SHA1]).

Request Fingerprint MD5/SHA1

Fingerprint of the PKCS10 enrollment request (MD5/SHA1).

Enrollment polling: [polled] times ([remaining] left)/Next poll: in seconds

Number of Simple Certificate Enrollment Protocol (SCEP) polling attempts that have been made and that remain before the router gives up/Time until the next polling attempt.

Last enrollment status: Pending/Granted/Rejected/Failed

Last enrollment attempt status (pending, granted, rejected, or failed).

Next enrollment attempt: time
(Optional) A new key will be generated.
(Optional) Configuration will not be saved after enrollment.

The trustpoint is configured for autoenrollment, and the autoenrollment will happen at the displayed time. (Optional) The trustpoint is configured to generate a new key when autoenrollment occurs. (Optional) The running configuration is "dirty," so the configuration will not be saved automatically after autoenrollment.

State

Current state of the trustpoint.

Keys generated

"Yes or No" and the key usage (General Purpose or Signature, Encryption).

Issuing CA authenticated

"Yes" or "No," indicating whether CA authentication has completed successfully.

Certificate request(s)

Progress of the current enrollment: "Pending" (in progress), "Yes" (complete), or "None" (no enrollment in progress).


Related Commands

Command
Description

crypto pki trustpoint

Declares the CA that your router should use.


show crypto session

To display status information for active crypto sessions, use the show crypto session command in privileged EXEC mode.

show crypto session [detail] | [local ip-address [port local-port] [remote ip-address [port remote-port]] [detail]] | [fvrf vrf-name] [ivrf vrf-name] [detail]

IPSec and IKE Stateful Failover Syntax

show crypto session [active | standby]

Syntax Description

detail

(Optional) Provides more detailed information about the session, such as the capabilities of the Internet Key Exchange (IKE) security association (SA), its connection ID and remaining lifetime, the number of encrypted (outbound) or decrypted (inbound) packets and dropped packets for each IP Security (IPSec) flow, and the remaining lifetime of the IPSec SA (KB/Sec).

local ip-address

(Optional) Displays status information about crypto sessions of a local crypto endpoint.

The ip-address value is the IP address of the local crypto endpoint.

port local-port

(Optional) Port of the local crypto endpoint.

The local-port value can be 1 through 65535. The default value is 500.

remote ip-address

(Optional) Displays status information about crypto sessions of a remote session.

The ip-address value is the IP address of the remote crypto endpoint.

port remote-port

(Optional) Port of the remote crypto endpoint.

The remote-port value can be 1 through 65535. The default value is 500.

fvrf vrf-name

(Optional) Displays status information about the front door virtual routing and forwarding (FVRF) session.

ivrf vrf-name

(Optional) Displays status information about the inside VRF (IVRF) session.

active

(Optional) Displays all crypto sessions in the active state.

standby

(Optional) Displays all crypto sessions that are in the standby state.


Defaults

If the show crypto session command is entered without any keywords, all existing sessions will be displayed. Port default values are 500.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.3(11)T

The active and standby keywords were added.


Usage Guidelines

You can get a list of all the active Virtual Private Network (VPN) sessions and of the IKE and IPSec SAs for each VPN session by entering the show crypto session command. The listing will include the following:

Interface

IKE peer description, if available

IKE SAs associated with the peer that created the IPSec SAs

IPSec SAs serving the flows of a session

Multiple IKE or IPSec SAs may be established for the same peer (that is, for the same session). In that case the IKE peer description is repeated, with different values for the IKE SAs associated with the peer and for the IPSec SAs serving the flows of the session.

Examples

The following example shows active VPN sessions:

Router# show crypto session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Ethernet1/0
Session status: UP-NO-IKE
Peer: 10.2.80.179/500 fvrf: (none) ivrf: (none)
      Desc: My-manual-keyed-peer
      Phase1_id: 10.2.80.179
  IPSEC FLOW: permit ip host 10.2.80.190 host 10.2.80.179
        Active SAs: 4, origin: manual-keyed crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: Ethernet1/2
Session status: DOWN
Peer: 10.1.1.1/500 fvrf: (none) ivrf: (none)
      Desc: SJC24-2-VPN-Gateway
      Phase1_id: 10.1.1.1
  IPSEC FLOW: permit ip host 10.2.2.3 host 10.2.2.2
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  IPSEC FLOW: permit ip 10.2.0.0/255.255.0.0 10.4.0.0/255.255.0.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: Serial2/0.17
Session status: UP-ACTIVE
Peer: 10.1.1.5/500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: 10.1.1.5
  IKE SA: local 10.1.1.5/500 remote 10.1.1.5/500 Active
          Capabilities:(none) connid:1 lifetime:00:59:51
  IPSEC FLOW: permit ip host 10.1.1.5 host 10.1.2.5
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 20085/171
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 20086/171

Table 52 describes the significant fields shown in the display.

Table 52 show crypto session Field Descriptions 

Field
Description

Interface

Interface to which the crypto session is related.

Session status

Current status of the crypto (VPN) sessions. See Table 53 for the status of the IKE SA, IPSec SA, and tunnel as shown in the display.

IKE SA

Information is provided about the IKE SA, such as local and remote address and port, SA status, SA capabilities, crypto engine connection ID, and remaining lifetime of the IKE SA.

IPSEC FLOW

A snapshot of information about the IPSec-protected traffic flow, such as what the flow is (for example, permit ip host 10.1.1.5 host 10.1.2.5); how many IPSec SAs there are; the origin of the SA, such as a manual-keyed, dynamic, or static crypto map; the number of encrypted or decrypted packets and dropped packets; and the remaining lifetime of the IPSec SA (KB/Sec).


Table 53 provides an explanation of the current status of the VPN sessions shown in the display.

Table 53 Current Status of the VPN Sessions

IKE SA
IPSec SA
Tunnel Status

Exist, active

Exist (flow exists)

UP-ACTIVE

Exist, active

None (flow exists)

UP-IDLE

Exist, active

None (no flow)

UP-IDLE

Exist, inactive

Exist (flow exists)

UP-NO-IKE

Exist, inactive

None (flow exists)

DOWN-NEGOTIATING

Exist, inactive

None (no flow)

DOWN-NEGOTIATING

None

Exist (flow exists)

UP-NO-IKE

None

None (flow exists)

DOWN

None

None (no flow)

DOWN



Note IPSec flow may not exist if a dynamic crypto map is being used.


The following sample output shows all crypto sessions that are in the standby state:

Router# show crypto session standby
Crypto session current status

Interface: Ethernet0/0
Session status: UP-STANDBY    
Peer: 209.165.200.225 port 500 
  IKE SA: local 209.165.201.3/500 remote 209.165.200.225/500 Active 
  IKE SA: local 209.165.201.3/500 remote 209.165.200.225/500 Active 
  IPSEC FLOW: permit ip host 192.168.0.1 host 172.16.0.1 
        Active SAs: 4, origin: crypto map
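The following Python script, an added example rather than Cisco's code, parses the show crypto session detail output above into sessions, IKE SAs and IPsec flows, then applies Table 53 to the SAs actually listed and compares the result with the reported Session status. A mismatch marks a state the table does not cover, such as the UP-STANDBY failover state shown above; the sample text is abbreviated from the outputs above.

```python
"""Parse `show crypto session detail` output and compare each reported session status
with the status Table 53 predicts from the SAs the output actually lists. Added example,
not Cisco's code; the sample text is abbreviated from the output above."""
import re

# Table 53: (IKE SA, IPsec SA) -> tunnel status. Failover states such as
# UP-STANDBY are not in the table, so they always surface as a mismatch.
TABLE_53 = {
    ("active", "exist"): "UP-ACTIVE", ("active", "none-flow"): "UP-IDLE",
    ("active", "none-noflow"): "UP-IDLE", ("inactive", "exist"): "UP-NO-IKE",
    ("inactive", "none-flow"): "DOWN-NEGOTIATING",
    ("inactive", "none-noflow"): "DOWN-NEGOTIATING", ("none", "exist"): "UP-NO-IKE",
    ("none", "none-flow"): "DOWN", ("none", "none-noflow"): "DOWN",
}
_IFACE = re.compile(r"^Interface:\s+(\S+)")
_STATUS = re.compile(r"^Session status:\s+(\S+)")
# Both peer layouts: "Peer: A.B.C.D/500 fvrf: ..." and "Peer: A.B.C.D port 500".
_PEER = re.compile(r"^Peer:\s+(\S+?)(?:/|\s+port\s+)(\d+)")
_IKE = re.compile(r"^\s+IKE SA:\s+local\s+(\S+)\s+remote\s+(\S+)\s+(\S+)")
_FLOW = re.compile(r"^\s+IPSEC FLOW:\s+(.*\S)")
_SAS = re.compile(r"^\s+Active SAs:\s+(\d+),\s+origin:\s+(.*\S)")


def parse_sessions(text):
    """One dict per 'Interface:' block, with its IKE SAs and IPsec flows."""
    sessions, cur, flow = [], None, None
    for line in text.splitlines():
        if m := _IFACE.match(line):
            cur = {"interface": m.group(1), "status": None, "peer": None,
                   "port": None, "ike_sas": [], "flows": []}
            sessions.append(cur)
            flow = None
        elif cur is None:
            continue
        elif m := _STATUS.match(line):
            cur["status"] = m.group(1)
        elif m := _PEER.match(line):
            cur["peer"], cur["port"] = m.group(1), int(m.group(2))
        elif m := _IKE.match(line):
            cur["ike_sas"].append({"local": m.group(1), "remote": m.group(2),
                                   "state": m.group(3)})
        elif m := _FLOW.match(line):
            flow = {"acl": m.group(1), "active_sas": 0, "origin": None}
            cur["flows"].append(flow)
        elif flow is not None and (m := _SAS.match(line)):
            flow["active_sas"], flow["origin"] = int(m.group(1)), m.group(2)
    return sessions


def expected_status(session):
    """Apply Table 53 to the IKE SA and IPsec SA evidence in one parsed session."""
    if not session["ike_sas"]:
        ike = "none"
    elif any(sa["state"] == "Active" for sa in session["ike_sas"]):
        ike = "active"
    else:
        ike = "inactive"  # an IKE SA is listed but not in the Active state
    if any(f["active_sas"] > 0 for f in session["flows"]):
        ipsec = "exist"
    else:
        ipsec = "none-flow" if session["flows"] else "none-noflow"
    return TABLE_53[(ike, ipsec)]


def check(text):
    """(interface, peer, reported status, Table 53 status) for every session."""
    return [(s["interface"], s["peer"], s["status"], expected_status(s))
            for s in parse_sessions(text)]


# Constructed input, abbreviated from the outputs above.
SAMPLE = """\
Interface: Ethernet1/0
Session status: UP-NO-IKE
Peer: 10.2.80.179/500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit ip host 10.2.80.190 host 10.2.80.179
        Active SAs: 4, origin: manual-keyed crypto map

Interface: Ethernet1/2
Session status: DOWN
Peer: 10.1.1.1/500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit ip host 10.2.2.3 host 10.2.2.2
        Active SAs: 0, origin: crypto map

Interface: Serial2/0.17
Session status: UP-ACTIVE
Peer: 10.1.1.5/500 fvrf: (none) ivrf: (none)
  IKE SA: local 10.1.1.5/500 remote 10.1.1.5/500 Active
  IPSEC FLOW: permit ip host 10.1.1.5 host 10.1.2.5
        Active SAs: 2, origin: dynamic crypto map

Interface: Ethernet0/0
Session status: UP-STANDBY
Peer: 209.165.200.225 port 500
  IKE SA: local 209.165.201.3/500 remote 209.165.200.225/500 Active
  IPSEC FLOW: permit ip host 192.168.0.1 host 172.16.0.1
        Active SAs: 4, origin: crypto map
"""

if __name__ == "__main__":
    for iface, peer, reported, expected in check(SAMPLE):
        flag = "" if reported == expected else "  <- not a Table 53 state"
        print(f"{iface:<13} {peer:<16} reported {reported:<12} table {expected}{flag}")
```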

Related Commands

Command
Description

clear crypto session

Deletes crypto sessions (IPSec and IKE SAs).

description

Adds a description for an IKE peer.

show crypto isakmp peer

Displays peer descriptions.


show crypto session group

To display groups that are currently active on the Virtual Private Network (VPN) device, use the show crypto session group command in privileged EXEC mode.

show crypto session group

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

If the crypto isakmp client configuration group command and max-users keyword have not been enabled in any VPN group profile, this command will yield a blank result.

Examples

The following example shows that at least one session is active for the group Connections:

Router# show crypto session group
 Group: Connections
 cisco: 1

Related Commands

Command
Description

crypto isakmp client configuration group

Specifies the group for which a policy profile is defined.

show crypto session summary

Displays groups that are currently active on the VPN device and the users that are connected for each of those groups.


show crypto session summary

To display groups that are currently active on the Virtual Private Network (VPN) device and the users that are connected for each of those groups, use the show crypto session summary command in privileged EXEC mode.

show crypto session summary

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

If neither the max-users keyword nor the max-logins keyword of the crypto isakmp client configuration group command is enabled in any VPN group profile, this command will yield a blank result.

Examples

The following example shows that the group "cisco" is active and has one connected user, green, with a single login. The number in parentheses (1) is the number of simultaneous logins for that user.

Router# show crypto session summary

 Group cisco has 1 connections
  User (Logins)
  green (1)

Related Commands

Command
Description

crypto isakmp client configuration group

Specifies the group for which a policy profile is defined.

show crypto session group

Displays groups that are currently active on the VPN device.


show crypto socket

To list crypto sockets, use the show crypto socket command in privileged EXEC mode.

show crypto socket

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)T

This command was introduced.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.


Usage Guidelines

Use this command to list crypto sockets and the state of the sockets.

Examples

The following sample output shows one crypto socket connection and the state of that socket:

Router# show crypto sockets

Number of Crypto Socket connections 1

  Tu0 Peers (local/remote): 10.0.0.2/10.0.0.1
    Local Ident  (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/47)
    Remote Ident (addr/mask/port/prot): (10.0.0.1/255.255.255.255/0/47)
    Socket State: Open
    Client: "TUNNEL SEC" (Client State: Active)

Crypto Sockets in Listen state:
    TUNNEL SEC Profile: "vi"

Significant fields are described in Table 54.

Table 54 show crypto sockets Field Descriptions

Field
Description

Number of crypto socket connections

Number of crypto sockets in the system.

Socket State

This state can be Open, which means that active IPSec security associations (SAs) exist, or it can be Closed, which means that no active IPSec SAs exist.

Client

Application name and its state.

Crypto Sockets in Listen state

Name of the crypto IPSec profile.


show dnsix

To display state information and the current configuration of the DNSIX audit writing module, use the show dnsix command in privileged EXEC mode.

show dnsix

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

10.0

This command was introduced.


Examples

The following is sample output from the show dnsix command:

Router# show dnsix
Audit Trail Enabled with Source 192.168.2.5 
          State: PRIMARY
          Connected to 192.168.2.4 
          Primary 192.168.2.4 
          Transmit Count 1 
          DMDP retries 4
          Authorization Redirection List:
               192.168.2.4
          Record count: 0 
          Packet Count: 0 
          Redirect Rcv: 0 

show dot1x

To show details for an identity profile, use the show dot1x command in privileged EXEC mode.

show dot1x [interface interface-name [details]]

Syntax Description

interface interface-name

(Optional) Name of the interface.

details

(Optional) Displays 802.1X details for the specified interface.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(2)XA

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.3(11)T

The PAE, HeldPeriod, StartPeriod, and MaxStart fields were added to the show dot1x command output.


Examples

The following is sample output for the show dot1x command:

Router# show dot1x

Sysauthcontrol  = Disabled
Dot1x Version   = 1

Dot1x Info for interface Ethernet0
-----------------------------------------
PortControl       = AUTO
ReAuthentication  = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
QuietWhile        = 120 Seconds
MaxReq            = 2

Dot1x Info for interface Ethernet1
-----------------------------------------
PortControl       = AUTO
ReAuthentication  = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
QuietWhile        = 120 Seconds
MaxReq            = 2

The following is sample output for the show dot1x command using the interface and details keywords. The client list at the end of the output shows the authentication state of each client.

Router# show dot1x interface ethernet 0 details

PortControl       = AUTO
ReAuthentication  = Enabled
ReAuthPeriod      = 36000 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
QuietWhile        = 120 Seconds
MaxReq            = 2


Dot1x Client List
-------------------------------------
MAC Address         State
-------------------------------------
0000.1111.0001      AUTHENTICATED
0000.1111.0002      UNAUTHENTICATED

The following show dot1x sample output shows information for all three possible interface configurations (that is, as an authenticator, as a supplicant, and as an authenticator and supplicant).

Router# show dot1x

Sysauthcontrol     = Enabled
Dot1x Version      = 1

Dot1x Information for interface Ethernet0
-----------------------------------------
PortControl        = AUTO
PAE                = AUTHENTICATOR
ReAuthentication   = Enabled
ReAuthPeriod       = 60 Seconds
ServerTimeout      = 30 Seconds
SuppTimeout        = 30 Seconds
QuietWhile         = 120 Seconds
MaxReq             = 2

Dot1x Information for interface Ethernet1
-----------------------------------------
PortControl        = AUTO
PAE                = SUPPLICANT
AuthPeriod         = 30
HeldPeriod         = 60 Seconds
StartPeriod        = 30 Seconds
MaxStart           = 2

Dot1x Information for interface Ethernet2
-----------------------------------------
PortControl        = AUTO
PAE                = BOTH
ReAuthentication   = Enabled
ReAuthPeriod       = 60 Seconds
ServerTimeout      = 30 Seconds
SuppTimeout        = 30 Seconds
QuietWhile         = 120 Seconds
MaxReq             = 2
AuthPeriod         = 30
HeldPeriod         = 60 Seconds
StartPeriod        = 30 Seconds
MaxStart           = 2

The following is sample output for the show dot1x command using the interface keyword, first without and then with the details keyword.

Router# show dot1x interface ethernet0

PortControl        = AUTO
PAE                = AUTHENTICATOR
ReAuthentication   = Enabled
ReAuthPeriod       = 60 Seconds
ServerTimeout      = 30 Seconds
SuppTimeout        = 30 Seconds
QuietWhile         = 120 Seconds
MaxReq             = 2

Router# show dot1x interface ethernet0 details

PortControl        = AUTO
PAE                = SUPPLICANT
ReAuthentication   = Enabled
ReAuthPeriod       = 60 Seconds
ServerTimeout      = 30 Seconds
SuppTimeout        = 30 Seconds
QuietWhile         = 120 Seconds
MaxReq             = 2


Dot1x Client List
-------------------------------------
MAC Address         State
-------------------------------------
0001.f380.87ce      AUTHENTICATED
0001.87ce.f380      AUTHENTICATING
0010.a7b4.97af      UNAUTHENTICATED


Dot1x List of Supplicant Instances
-----------------------------------------
MAC Address          State
-----------------------------------------
0180.c200.0003       AUTHORIZED

Table 55 describes the significant fields shown in the displays.

Table 55 show dot1x Field Descriptions 

Field
Description

Sysauthcontrol

802.1X port-based authentication is enabled or disabled.

PortControl

Port control value.

AUTO—the authentication status of the client PC is being determined by the authentication process.

Force-authorize—all the client PCs on the interface are being authorized.

Force-unauthorized—all the client PCs on the interface are being unauthorized.

PAE

Port Access Entity. Defines the role of an interface (as a supplicant, as an authenticator, or as an authenticator and supplicant).

ReAuthentication

Periodic reauthentication of client PCs on the interface has been enabled or disabled.

ReAuthPeriod

Time after which an automatic reauthentication will be initiated.

ServerTimeout

Timeout that has been set for RADIUS retries. If an 802.1X packet is sent to the server and the server does not send a response, the packet will be sent again after the number of seconds that are shown.

SuppTimeout

Time that has been set for supplicant (client PC) retries. If an 802.1X packet is sent to the supplicant and the supplicant does not send a response, the packet will be sent again after the number of seconds that are shown.

QuietWhile

After authentication fails for a client, the authentication gets restarted after the quiet period that is shown.

RateLimit

The period that EAP-start packets are throttled from misbehaving supplicants.

MaxReq

Maximum number of times that the router sends an Extensible Authentication Protocol (EAP) request/identity frame (assuming that no response is received) to the client PC before concluding that the client PC does not support 802.1X.

HeldPeriod

Interval for which the supplicant (client PC) will wait before trying to send its credentials after being unauthenticated by the authenticator.

StartPeriod

Interval between two successive Extensible Authentication Protocol over LAN- (EAPOL-) start messages (when they are being retransmitted).

MaxStart

Number of EAPOL-start messages that the supplicant (client PC) sends before the supplicant assumes that the other end is not 802.1X capable.

Dot1x Client List

Table providing information regarding MAC addresses and the state of the PCs. This list displays in the output if the interface is configured only as an authenticator or as an authenticator and a supplicant. If the interface is configured as a supplicant, a separate list is displayed.

Dot1x List of Supplicant Instances

Table providing information regarding MAC addresses and the state of the PCs. This list displays in the output if the interface is configured only as a supplicant.

MAC Address

List of MAC addresses (for example, the MAC address of the PC or of any 802.1X client).

State

The state of the PC can be authenticated or unauthenticated.
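
The following Python script is an added example and is not Cisco code or part of this reference. It parses the show dot1x interface details output in the layout shown above (the `Key = Value` lines followed by the Dot1x Client List table) and applies a small review policy to the fields Table 55 describes: PortControl other than AUTO, a port that is a supplicant only, reauthentication disabled or too infrequent, and clients whose state is not AUTHENTICATED. The embedded sample output is constructed from the layout above, and the thresholds and function names are the example's own.

```python
"""Parse and audit `show dot1x interface <name> details` output.

Added example; not Cisco code. It assumes the output layout shown in the
reference: `Key = Value` lines followed by a "Dot1x Client List" table.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the reference output (not a live capture).
SAMPLE_OUTPUT = """\
PortControl        = AUTO
PAE                = AUTHENTICATOR
ReAuthentication   = Disabled
ReAuthPeriod       = 60 Seconds
ServerTimeout      = 30 Seconds
SuppTimeout        = 30 Seconds
QuietWhile         = 120 Seconds
MaxReq             = 2


Dot1x Client List
-------------------------------------
MAC Address         State
-------------------------------------
0001.f380.87ce      AUTHENTICATED
0001.87ce.f380      AUTHENTICATING
0010.a7b4.97af      UNAUTHENTICATED
"""

# "Key = Value"; the key is a single word, the value may contain spaces.
KV_RE = re.compile(r"^(\w+)\s*=\s*(.+?)\s*$")
# Cisco dotted MAC address followed by the client state.
CLIENT_RE = re.compile(r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s*$")


def parse_dot1x_details(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return (parameters, clients). Timer values lose their 'Seconds' unit
    so they can be compared numerically; client rows are (mac, state)."""
    params: Dict[str, str] = {}
    clients: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            key, value = m.groups()
            params[key] = value.replace(" Seconds", "")
            continue
        m = CLIENT_RE.match(line)
        if m:
            clients.append((m.group(1), m.group(2)))
    return params, clients


def audit_dot1x(params: Dict[str, str], clients: List[Tuple[str, str]],
                max_reauth_period: int = 3600) -> List[str]:
    """Flag settings and client states a reviewer would want to look at.
    The thresholds are this example's own policy, not an IOS default."""
    findings: List[str] = []
    port_control = params.get("PortControl")
    if port_control != "AUTO":
        # Force-authorize authorizes every host on the port without authentication.
        findings.append(f"PortControl is {port_control}, not AUTO")
    if params.get("PAE") == "SUPPLICANT":
        # A supplicant-only port authenticates nobody; nothing more to check.
        findings.append("interface is a supplicant only; no clients are authenticated here")
        return findings
    if params.get("ReAuthentication") != "Enabled":
        findings.append("periodic reauthentication disabled")
    elif int(params.get("ReAuthPeriod", "0")) > max_reauth_period:
        findings.append(f"ReAuthPeriod {params['ReAuthPeriod']}s exceeds {max_reauth_period}s")
    for mac, state in clients:
        if state != "AUTHENTICATED":
            findings.append(f"client {mac} is {state}")
    return findings


if __name__ == "__main__":
    parsed_params, parsed_clients = parse_dot1x_details(SAMPLE_OUTPUT)
    for finding in audit_dot1x(parsed_params, parsed_clients):
        print(finding)
```

Run the script against the text captured from the router; with the constructed sample it reports the disabled reauthentication and the two clients that are not yet authenticated.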


Related Commands

Command
Description

clear dot1x

Clears 802.1X interface information.

debug dot1x

Displays 802.1X debugging information.

identity profile

Creates an identity profile.


show dot1x (EtherSwitch)

To display the 802.1X statistics, administrative status, and operational status for the Ethernet switch network module or for the specified interface, use the show dot1x command in privileged EXEC mode.

show dot1x [statistics] [interface interface-type interface-number]

Syntax Description

statistics

(Optional) Displays 802.1X statistics.

interface interface-type interface-number

(Optional) Specifies the slot and port number of the interface to reauthenticate.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(6)EA2

This command was introduced.

12.2(15)ZJ

This command was implemented on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.


Usage Guidelines

If you do not specify an interface, global parameters and a summary appear. If you specify an interface, details for that interface appear.

If you specify an interface with the statistics keyword, statistics appear for all physical ports.

Examples

The following is sample output from the show dot1x command:

Router# show dot1x

Global 802.1X Parameters
    reauth-enabled                no
    reauth-period               3600
    quiet-period                  60
    tx-period                     30
    supp-timeout                  30
    server-timeout                30
    reauth-max                     2
    max-req                        2

802.1X Port Summary
    Port Name                Status      Mode                Authorized
    Gi0/1                    disabled    n/a                 n/a
    Gi0/2                    enabled     Auto (negotiate)    no

802.1X Port Details
802.1X is disabled on GigabitEthernet0/1
802.1X is enabled on GigabitEthernet0/2
      Status                Unauthorized
      Port-control          Auto
      Supplicant            0060.b0f8.fbfb
      Multiple Hosts        Disallowed
      Current Identifier    2

      Authenticator State Machine
        State               AUTHENTICATING
        Reauth Count        1

      Backend State Machine
        State               RESPONSE
        Request Count       0
        Identifier (Server) 2

      Reauthentication State Machine
        State               INITIALIZE

Table 56 describes the significant fields shown in the display.

Table 56 show dot1x Field Descriptions 

Field
Description

reauth-enabled

Periodic reauthentication of client PCs on the interface has been enabled or disabled.

reauth-period

Time, in seconds, after which an automatic reauthentication will be initiated.

quiet-period

After authentication fails for a client, authentication is restarted after the quiet period shown, in seconds.

tx-period

Time, in seconds, that the device waits for a response from a client to an Extensible Authentication Protocol (EAP) request or identity frame before retransmitting the request.

supp-timeout

Time, in seconds, that has been set for supplicant (client PC) retries. If an 802.1X packet is sent to the supplicant and the supplicant does not send a response, the packet will be sent again after the number of seconds that are shown.

server-timeout

Timeout, in seconds, that has been set for RADIUS retries. If an 802.1X packet is sent to the server and the server does not send a response, the packet will be sent again after the number of seconds that are shown.

reauth-max

The maximum number of times that the device tries to authenticate the client without receiving any response before the switch resets the port and restarts the authentication process.

max-req

Maximum number of times that the router sends an EAP request/identity frame (assuming that no response is received) to the client PC before concluding that the client PC does not support 802.1X.

Port Name

Interface type and slot/port numbers.

Status

Displays the 802.1X status of the port as either enabled or disabled.

Mode

Operational status of the port:

Auto—The port control value has been configured to be Force-unauthorized but the port has not changed to that state.

n/a—802.1X is disabled.

Authorized

Authorization state of the port.

Status

Status of the port (authorized or unauthorized). The status of a port appears as authorized if the dot1x port-control interface configuration command is set to auto, and authentication was successful.

Port-control

Setting of the dot1x port-control interface configuration command. The port control value is one of the following:

Auto—The authentication status of the client PC is being determined by the authentication process.

Force-authorize—All the client PCs on the interface are being authorized.

Force-unauthorized—All the client PCs on the interface are being unauthorized.

Supplicant

Ethernet MAC address of the client, if one exists. If the device has not discovered the client, this field displays Not set.

Multiple Hosts

Setting of the dot1x multiple-hosts interface configuration command (allowed or disallowed).

Current Identifier

Each exchange between the device and the client includes an identifier, which matches requests with responses. This number is incremented with each exchange and can be reset by the authentication server.

Note This field and the remaining fields in the output show internal state information. For a detailed description of these state machines and their settings, refer to the IEEE 802.1X standard.


The following is sample output from the show dot1x interface gigabitethernet0/2 privileged EXEC command. Table 56 describes the fields in the output.

Router# show dot1x interface gigabitethernet0/2

802.1X is enabled on GigabitEthernet0/2 
  Status                Authorized 
  Port-control          Auto 
  Supplicant            0060.b0f8.fbfb 
  Multiple Hosts        Disallowed 
  Current Identifier    3

  Authenticator State Machine 
    State               AUTHENTICATED 
    Reauth Count        0

  Backend State Machine 
    State               IDLE 
    Request Count       0 
    Identifier (Server) 2

  Reauthentication State Machine
    State               INITIALIZE

The following is sample output from the show dot1x statistics interface gigabitethernet0/1 command. Table 57 describes the fields in the example.

Router# show dot1x statistics interface gigabitethernet0/1

GigabitEthernet0/1

    Rx: EAPOL     EAPOL     EAPOL     EAPOL     EAP       EAP       EAP
        Start     Logoff    Invalid   Total     Resp/Id   Resp/Oth  LenError
        0         0         0         21        0         0         0

        Last      Last
        EAPOLVer  EAPOLSrc
        1         0002.4b29.2a03

    Tx: EAPOL     EAP       EAP
        Total     Req/Id    Req/Oth
        622       445       0 

Table 57 show dot1x statistics Field Descriptions 

Field
Description

Rx EAPOL Start

Number of valid EAPOL-start frames that have been received.

Note EAPOL = Extensible Authentication Protocol over LAN

Rx EAPOL Logoff

Number of EAPOL-logoff frames that have been received.

Rx EAPOL Invalid

Number of EAPOL frames that have been received and have an unrecognized frame type.

Rx EAPOL Total

Number of valid EAPOL frames of any type that have been received.

Rx EAP Resp/ID

Number of EAP-response/identity frames that have been received.

Rx EAP Resp/Oth

Number of valid EAP-response frames (other than response/identity frames) that have been received.

Rx EAP LenError

Number of EAPOL frames that have been received in which the packet body length field is invalid.

Last EAPOLVer

Protocol version number carried in the most recently received EAPOL frame.

Last EAPOLSrc

Source MAC address carried in the most recently received EAPOL frame.

Tx EAPOL Total

Number of EAPOL frames of any type that have been sent.

Tx EAP Req/Id

Number of EAP-request/identity frames that have been sent.

Tx EAP Req/Oth

Number of EAP-request frames (other than request/identity frames) that have been sent.
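
The following Python script is an added example and is not Cisco code or part of this reference. It reads the two-line column headers of the show dot1x statistics interface output shown above into named counters (Rx EAPOL Invalid, Rx EAP LenError, Tx EAP Req/Id and so on, matching Table 57) and then flags what a reviewer would look at: received EAPOL frames with an unrecognized type or a bad body length, and a port that keeps sending EAP request/identity frames that nothing answers, which is the situation the MaxReq field describes. The embedded sample is constructed from the layout above with a few counters raised; the ratio and function names are the example's own.

```python
"""Parse and audit `show dot1x statistics interface <name>` output.

Added example; not Cisco code. It assumes the column layout shown in the
reference: each counter block is a pair of header lines followed by one
line of values, with "Rx:" or "Tx:" prefixing the first header line.
"""
from typing import Dict, List, Tuple, Union

# Constructed sample with a few non-zero error counters (not a live capture).
SAMPLE_OUTPUT = """\
GigabitEthernet0/1

    Rx: EAPOL     EAPOL     EAPOL     EAPOL     EAP       EAP       EAP
        Start     Logoff    Invalid   Total     Resp/Id   Resp/Oth  LenError
        0         0         3         21        0         0         1

        Last      Last
        EAPOLVer  EAPOLSrc
        1         0002.4b29.2a03

    Tx: EAPOL     EAP       EAP
        Total     Req/Id    Req/Oth
        622       445       0
"""

Value = Union[int, str]


def parse_dot1x_statistics(text: str) -> Tuple[str, Dict[str, Value]]:
    """Return (interface, counters) keyed like "Rx EAPOL Invalid"."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    interface = lines[0].strip()
    rows = lines[1:]
    if len(rows) % 3:
        raise ValueError("expected header/header/value line triples")
    counters: Dict[str, Value] = {}
    for i in range(0, len(rows), 3):
        head1, head2, values = (row.split() for row in rows[i:i + 3])
        prefix = ""
        if head1[0].endswith(":"):        # "Rx:" or "Tx:" direction marker
            prefix = head1.pop(0)[:-1] + " "
        if not (len(head1) == len(head2) == len(values)):
            raise ValueError(f"column mismatch in block starting {rows[i]!r}")
        for top, bottom, value in zip(head1, head2, values):
            # Numeric counters become ints; the MAC address stays a string.
            counters[f"{prefix}{top} {bottom}"] = int(value) if value.isdigit() else value
    return interface, counters


def audit_dot1x_statistics(counters: Dict[str, Value],
                           unanswered_ratio: int = 10) -> List[str]:
    """Report malformed EAPOL traffic and unanswered identity requests.
    The ratio is this example's own threshold."""
    findings: List[str] = []
    src = counters.get("Last EAPOLSrc", "unknown")
    invalid = counters.get("Rx EAPOL Invalid", 0)
    if invalid:
        findings.append(f"{invalid} EAPOL frames with an unrecognized type (last source {src})")
    len_err = counters.get("Rx EAP LenError", 0)
    if len_err:
        findings.append(f"{len_err} EAPOL frames with an invalid body length (last source {src})")
    sent = counters.get("Tx EAP Req/Id", 0)
    answered = counters.get("Rx EAP Resp/Id", 0)
    if sent and sent > unanswered_ratio * max(answered, 1):
        findings.append(f"{sent} EAP request/identity frames sent but only {answered} answered; "
                        "the attached device is not responding to 802.1X")
    return findings


if __name__ == "__main__":
    name, stats = parse_dot1x_statistics(SAMPLE_OUTPUT)
    print(name)
    for finding in audit_dot1x_statistics(stats):
        print(" ", finding)
```

Collect the counters twice some minutes apart and diff them if you want rates rather than totals; the output itself only accumulates since the last reset.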


Related Commands

Command
Description

dot1x default

Resets the global 802.1X parameters to their default values.


show eou

To display information about Extensible Authentication Protocol over UDP (EAPoUDP) global values or EAPoUDP session cache entries, use the show eou command in privileged EXEC mode.

show eou {all | authentication {clientless | eap | static} | interface {interface-type} | ip {ip-address} | mac {mac-address} | posturetoken {name}}

Syntax Description

all

Displays EAPoUDP information about all clients.

authentication

Authentication type.

clientless

Authentication type is clientless.

eap

Authentication type is EAP.

static

Authentication type is static.

interface

Provides information about the interface.

interface-type

Type of interface (see Table 58 for the interface types that may be shown).

ip

Specifies an IP address.

ip-address

IP address of the client device.

mac

Specifies a MAC address.

mac-address

The 48-bit address of the client device.

posturetoken

Displays information about a posture token name.

name

Name of the posture token.


Defaults

If no keywords are specified, all EAPoUDP global values are displayed.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Table 58 lists the interface types that may be used for the interface-type argument.

Table 58 Description of Interface Types

Interface Type
Description

Async

Asynchronous interface

BVI

Bridge-Group Virtual Interface

CDMA-Ix

Code division multiple access Internet exchange (CDMA Ix) interface

CTunnel

Connectionless Network Protocol (CLNS) tunnel (Ctunnel) interface

Dialer

Dialer interface

Ethernet

IEEE 802.3 standard interface

Lex

Lex interface

Loopback

Loopback interface

MFR

Multilink frame relay bundle interface

Multilink

Multilink-group interface

Null

Null interface

Serial

Serial interface

Tunnel

Tunnel interface

Vif

Pragmatic General Multicast (PGM) Multicast Host interface

Virtual-PPP

Virtual PPP interface

Virtual-Template

Virtual template interface

Virtual-TokenRing

Virtual TokenRing interface


Examples

The following output displays information about a global EAPoUDP configuration. The default values can be changed or customized using the eou default, eou max-retry, eou revalidate, or eou timeout commands, depending on whether you configure them globally or per interface.

Router# show eou

Global EAPoUDP Configuration
----------------------------
EAPoUDP Version     = 1
EAPoUDP Port        = 0x5566
Clientless Hosts    = Disabled
IP Station ID       = Disabled
Revalidation        = Enabled
Revalidation Period = 36000 Seconds
ReTransmit Period   = 3 Seconds
StatusQuery Period  = 300 Seconds
Hold Period         = 180 Seconds
AAA Timeout         = 60 Seconds
Max Retries         = 3
EAPoUDP Logging     = Disabled
Clientless Host Username = clientless
Clientless Host Password = clientless

Interface Specific EAPoUDP Configurations
-----------------------------------------
Interface Ethernet2/1
No interface specific configuration


Table 59 describes the significant fields shown in the display.

Table 59 show eou Field Descriptions 

Field
Description

EAPoUDP Version

EAPoUDP protocol version.

EAPoUDP Port

EAPoUDP port number.

Clientless Hosts

Clientless hosts are enabled or disabled.

IP Station ID

Specifies whether the IP address is allowed in the AAA station-id field. By default, it is disabled.

Revalidation

Revalidation is enabled or disabled.

Revalidation Period

Specifies whether revalidation of hosts is enabled. By default, it is disabled.

ReTransmit Period

Specifies the EAPoUDP packet retransmission interval. The default is 3 seconds.

StatusQuery Period

Specifies the EAPoUDP status query interval for validated hosts. The default is 300 seconds.

Hold Period

Hold period following a failed authentication.

AAA Timeout

AAA timeout period.

Max Retries

Maximum number of allowable retransmissions.

EAPoUDP Logging

Logging is enabled or disabled.

Clientless Host Username

Username of the clientless host.

Clientless Host Password

Password of the clientless host.
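
The following Python script is an added example and is not Cisco code or part of this reference. It parses the show eou output in the layout shown above, both the global block and the per-interface block, converts the hex EAPoUDP Port value to the decimal UDP port you would put in a filter, and applies a review policy over the fields in Table 59: clientless hosts enabled while the username and password are still the clientless defaults shown in the sample, revalidation disabled or too infrequent, and logging disabled. The embedded sample is constructed from the layout above (clientless hosts enabled, one interface with its own revalidation period); the policy and the function names are the example's own.

```python
"""Parse and audit `show eou` output.

Added example; not Cisco code. It assumes the layout shown in the reference:
a "Global EAPoUDP Configuration" block of `Key = Value` lines, then an
"Interface Specific EAPoUDP Configurations" block listing each interface.
The policy checks are the example's own.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: clientless hosts enabled with the default credentials
# shown in the reference output, logging disabled (not a live capture).
SAMPLE_OUTPUT = """\
Global EAPoUDP Configuration
----------------------------
EAPoUDP Version     = 1
EAPoUDP Port        = 0x5566
Clientless Hosts    = Enabled
IP Station ID       = Disabled
Revalidation        = Enabled
Revalidation Period = 36000 Seconds
ReTransmit Period   = 3 Seconds
StatusQuery Period  = 300 Seconds
Hold Period         = 180 Seconds
AAA Timeout         = 60 Seconds
Max Retries         = 3
EAPoUDP Logging     = Disabled
Clientless Host Username = clientless
Clientless Host Password = clientless

Interface Specific EAPoUDP Configurations
-----------------------------------------
Interface Ethernet2/1
No interface specific configuration
Interface Ethernet2/2
Revalidation Period = 7200 Seconds
"""

# Keys may contain spaces ("Clientless Host Username"); values may too.
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*=\s*(.+?)\s*$")
# "Interface Ethernet2/1" starts a per-interface block.
IFACE_RE = re.compile(r"^Interface (\S+)\s*$")


def parse_show_eou(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global_config, per_interface). Timer values lose the
    'Seconds' unit so they can be compared numerically."""
    global_cfg: Dict[str, str] = {}
    interfaces: Dict[str, Dict[str, str]] = {}
    current = global_cfg
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            interfaces[m.group(1)] = current = {}
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).replace(" Seconds", "")
    return global_cfg, interfaces


def eapoudp_udp_port(global_cfg: Dict[str, str]) -> int:
    """The port is printed in hex (0x5566); return it as a decimal UDP
    port for ACLs or capture filters."""
    return int(global_cfg["EAPoUDP Port"], 16)


def audit_eou(global_cfg: Dict[str, str], max_revalidation: int = 36000) -> List[str]:
    findings: List[str] = []
    if global_cfg.get("Clientless Hosts") == "Enabled":
        user = global_cfg.get("Clientless Host Username")
        pwd = global_cfg.get("Clientless Host Password")
        if user == "clientless" and pwd == "clientless":
            findings.append("clientless hosts enabled with the default clientless/clientless credentials")
        else:
            findings.append("clientless hosts enabled; confirm the AAA policy applied to them")
    if global_cfg.get("Revalidation") != "Enabled":
        findings.append("host revalidation disabled; posture is checked only once")
    elif int(global_cfg.get("Revalidation Period", "0")) > max_revalidation:
        findings.append(f"revalidation period exceeds {max_revalidation}s")
    if global_cfg.get("EAPoUDP Logging") != "Enabled":
        findings.append("EAPoUDP logging disabled")
    return findings


if __name__ == "__main__":
    cfg, per_iface = parse_show_eou(SAMPLE_OUTPUT)
    print("EAPoUDP UDP port:", eapoudp_udp_port(cfg))
    for name, overrides in per_iface.items():
        print(name, overrides or "(global settings)")
    for finding in audit_eou(cfg):
        print(finding)
```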


Related Commands

Command
Description

eou

Displays information about EAPoUDP.


show ip admission

To display the network admission control cache entries or the running network admission control configuration, use the show ip admission command in privileged EXEC mode.

show ip admission {[cache] [configuration] [eapoudp]}

Syntax Description

cache

Displays the current list of network admission entries.

configuration

Displays the running network admission control configuration.

eapoudp

Displays the Extensible Authentication Protocol over UDP (EAPoUDP) network admission control entries.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Use this command to display either the IP admission control entries or the running IP admission control configuration. Use show ip admission cache eapoudp to list the host IP addresses, the session timeout, and the posture state. If the posture state is POSTURE ESTAB, the host validation was successful.

Examples

The following output displays all the IP admission control rules that are configured on the router:

Router# show ip admission configuration

Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Watch-list is disabled
Authentication Proxy Rule Configuration
 Auth-proxy name avrule
    eapoudp list not specified auth-cache-time 60 minutes

The following output displays the host IP addresses, the session timeout, and the posture states:

Router# show ip admission cache eapoudp

Posture Validation Proxy Cache
Total Sessions: 3 Init Sessions: 1
 Client IP 10.0.0.112, timeout 60, posture state POSTURE ESTAB
 Client IP 10.0.0.142, timeout 60, posture state POSTURE INIT
 Client IP 10.0.0.205, timeout 60, posture state POSTURE ESTAB

The field descriptions in the display are self-explanatory.

Related Commands

Command
Description

clear ip admission cache

Clears IP admission cache entries from the router.

ip admission name

Creates a Layer 3 network admission control rule.


show ip auth-proxy

To display the authentication proxy entries or the running authentication proxy configuration, use the show ip auth-proxy command in privileged EXEC mode.

show ip auth-proxy {cache | configuration}

Syntax Description

cache

Displays the current list of the authentication proxy entries.

configuration

Displays the running authentication proxy configuration.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

Use the show ip auth-proxy command to display either the authentication proxy entries or the running authentication proxy configuration. Use the cache keyword to list the host IP address, the source port number, the timeout value for the authentication proxy, and the state for connections using the authentication proxy. If the authentication proxy state is HTTP_ESTAB, the user authentication was successful.

Use the configuration keyword to display all authentication proxy rules configured on the router.

Examples

The following example shows sample output from the show ip auth-proxy cache command after one user authentication using the authentication proxy:

Router# show ip auth-proxy cache

Authentication Proxy Cache
Client IP 192.168.25.215 Port 57882, timeout 1, state HTTP_ESTAB

The following example shows how the show ip auth-proxy configuration command displays the information about the authentication proxy rule pxy. The global idle timeout value is 60 minutes. The idle timeout value for this named rule is 30 minutes. No host list is specified in the rule, meaning that all connections initiating HTTP traffic at the interface are subject to the authentication proxy rule.

Router# show ip auth-proxy configuration

Authentication cache time is 60 minutes
Authentication Proxy Rule Configuration
Auth-proxy name pxy
http list not specified auth-cache-time 30 minutes
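
The following Python script is an added example and is not Cisco code or part of this reference. It covers both the show ip admission cache eapoudp output shown under show ip admission and the show ip auth-proxy cache output shown above: both print one "Client IP ..." line per cached host, and the parser accepts either form (the auth-proxy line adds a Port field and omits the word "posture"). It lists the hosts whose state is not yet POSTURE ESTAB or HTTP_ESTAB, which are the entries still waiting on validation, and cross-checks the Total Sessions and Init Sessions summary line against the entries actually listed. The samples are constructed from those layouts, including an HTTP_INIT entry as a placeholder for an unfinished auth-proxy session; the function names are the example's own.

```python
"""Parse `show ip admission cache eapoudp` and `show ip auth-proxy cache`.

Added example; not Cisco code. Both commands print one "Client IP ..." line
per cached host in the layouts shown in the reference; the auth-proxy form
adds a "Port" field and omits the word "posture". The samples below are
constructed from those layouts, not live captures.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ADMISSION_SAMPLE = """\
Posture Validation Proxy Cache
Total Sessions: 3 Init Sessions: 1
 Client IP 10.0.0.112, timeout 60, posture state POSTURE ESTAB
 Client IP 10.0.0.142, timeout 60, posture state POSTURE INIT
 Client IP 10.0.0.205, timeout 60, posture state POSTURE ESTAB
"""

# The HTTP_INIT entry is a constructed placeholder for an unfinished session.
AUTH_PROXY_SAMPLE = """\
Authentication Proxy Cache
Client IP 192.168.25.215 Port 57882, timeout 1, state HTTP_ESTAB
Client IP 192.168.25.99 Port 51020, timeout 1, state HTTP_INIT
"""

ENTRY_RE = re.compile(
    r"^\s*Client IP (\d+\.\d+\.\d+\.\d+)(?: Port (\d+))?, timeout (\d+), "
    r"(?:posture )?state (.+?)\s*$")
SUMMARY_RE = re.compile(r"(\w+ Sessions): (\d+)")


@dataclass
class CacheEntry:
    ip: str
    port: Optional[int]      # only present in the auth-proxy output
    timeout: int             # the timeout value as printed
    state: str


def parse_cache(text: str) -> List[CacheEntry]:
    entries: List[CacheEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, port, timeout, state = m.groups()
            entries.append(CacheEntry(ip, int(port) if port else None, int(timeout), state))
    return entries


def parse_summary(text: str) -> Dict[str, int]:
    """'Total Sessions: 3 Init Sessions: 1' -> counts; empty for auth-proxy."""
    return {name: int(count) for name, count in SUMMARY_RE.findall(text)}


def pending(entries: List[CacheEntry]) -> List[CacheEntry]:
    """Hosts whose validation has not completed: POSTURE ESTAB and
    HTTP_ESTAB mean success, anything else is still in progress."""
    return [e for e in entries if not e.state.endswith("ESTAB")]


def check_summary(text: str) -> List[str]:
    """Cross-check the summary counts against the listed entries."""
    entries, summary = parse_cache(text), parse_summary(text)
    problems: List[str] = []
    if "Total Sessions" in summary and summary["Total Sessions"] != len(entries):
        problems.append(f"summary says {summary['Total Sessions']} sessions, {len(entries)} listed")
    if "Init Sessions" in summary and summary["Init Sessions"] != len(pending(entries)):
        problems.append(f"summary says {summary['Init Sessions']} init sessions, "
                        f"{len(pending(entries))} entries are not established")
    return problems


if __name__ == "__main__":
    for label, text in (("admission", ADMISSION_SAMPLE), ("auth-proxy", AUTH_PROXY_SAMPLE)):
        print(label, "pending:", [e.ip for e in pending(parse_cache(text))],
              "problems:", check_summary(text))
```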

Related Commands

Command
Description

clear ip auth-proxy cache

Clears authentication proxy entries from the router.

ip auth-proxy

Sets the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity).

ip auth-proxy (interface configuration)

Applies an authentication proxy rule at a firewall interface.

ip auth-proxy name

Creates an authentication proxy rule.


show ip inspect

To display Context-Based Access Control (CBAC) configuration and session information, use the show ip inspect command in privileged EXEC mode.

show ip inspect {name inspection-name | config | interfaces | session [detail] | statistics | all} [vrf vrf-name]

Syntax Description

name inspection-name

Displays the configured inspection rule with the name inspection-name.

config

Displays the complete CBAC inspection configuration.

interfaces

Displays the interface configuration with respect to applied inspection rules and access lists.

session [detail]

Displays existing sessions that are currently being tracked and inspected by CBAC. The optional detail keyword allows additional details about these sessions to be shown.

statistics

Displays CBAC session statistics, such as the number of TCP and HTTP packets that are processed through the inspection, the number of sessions that have been created since the subsystem startup, the current session count, the maximum session count, and the session creation rate.

all

Displays all CBAC configuration and all existing sessions that are currently being tracked and inspected by CBAC.

vrf vrf-name

(Optional) Displays information only for the specified Virtual Routing and Forwarding (VRF) interface.


Command Modes

Privileged EXEC

Command History

Release
Modification

11.2 P

This command was introduced.

12.3(4)T

The output for the show ip inspect session detail command was enhanced to support dynamic access control list (ACL) bypass.

12.3(11)T

The statistics keyword was added.

12.3(14)T

The output shows the IMAP and POP3 configuration. The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

Use this command to view the CBAC configuration and session information.

ACL Bypass Functionality

ACL bypass allows a packet to avoid redundant ACL checks by allowing the firewall to permit the packet on the basis of existing inspection sessions instead of dynamic ACLs. Because input and output dynamic ACLs have been eliminated from the firewall configuration, the show ip inspect session detail command output no longer shows dynamic ACLs. Instead, the output displays the matching inspection session for each packet that is permitted through the firewall.

Examples

The following example shows sample output for the show ip inspect name myinspectionrule command, where the inspection rule "myinspectionrule" is configured. In this example, the output shows the protocols that should be inspected by CBAC and the corresponding idle timeouts for each protocol.

Router# show ip inspect name myinspectionrule

Inspection Rule Configuration
 Inspection name myinspectionrule
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600

The following is sample output for the show ip inspect config command. In this example, the output shows CBAC configuration, including global timeouts, thresholds, and inspection rules.

Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name myinspectionrule
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600

The following is sample output for the show ip inspect interfaces command:

Interface Configuration
 Interface Ethernet0
  Inbound inspection rule is myinspectionrule
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

The following is sample output for the show ip inspect session command. In this example, the output shows the source and destination addresses and port numbers (separated by colons), and it indicates that the session is an FTP session.

Router# show ip inspect session 

Established Sessions
 Session 25A3318 (10.0.0.1:20)=>(10.1.0.1:46068) ftp-data SIS_OPEN
 Session 25A6E1C (10.1.0.1:46065)=>(10.0.0.1:21) ftp SIS_OPEN


The following is sample output for the show ip inspect all command:

Router# show ip inspect all

Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name all
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
Interface Configuration
 Interface Ethernet0
  Inbound inspection rule is all
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
 Established Sessions
 Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN
 Session 25A34A0 (40.0.0.1:20)=>(30.0.0.1:46072) ftp-data SIS_OPEN

The following is sample output from the show ip inspect session detail command, which shows that an outgoing ACL and an inbound ACL (dynamic ACLs) have been created to allow return traffic:

Router# show ip inspect session detail 

Established Sessions
 Session 80E87274 (192.168.1.116:32956)=>(192.168.101.115:23) tcp SIS_OPEN
   Created 00:00:08, Last heard 00:00:04
   Bytes sent (initiator:responder) [140:298] acl created 2
   Outgoing access-list 102 applied to interface FastEthernet0/0
   Inbound access-list 101 applied to interface FastEthernet0/1

The following is sample output from the show ip inspect session detail command, which shows related ACL information (such as session identifiers [SIDs]), but does not show dynamic ACLs, which are no longer created:

Router# show ip inspect session detail

Established Sessions
 Session 814063CC (192.168.1.116:32955)=>(192.168.101.115:23) tcp SIS_OPEN
  Created 00:00:10, Last heard 00:00:06
  Bytes sent (initiator:responder) [140:298]
  In  SID 192.168.101.115[23:23]=>192.168.1.117[32955:32955] on ACL 101 (15 matches)
  Out SID 192.168.101.115[23:23]=>192.168.1.116[32955:32955] on ACL 102

The following is sample output from the show ip inspect statistics command:

Router# show ip inspect statistics

Packet inspection statistics [process switch:fast switch]
  tcp packets: [616668:0]
  http packets: [178912:0]
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 42940
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [98:68:50]
Last session created 5d21h
Last statistic reset never
Last session creation rate 0
Last half-open session total 0

Router#
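
The following Python script is an added example and is not Cisco code or part of this reference. It reads the three outputs shown above: the max-incomplete and one-minute [low:high] thresholds from show ip inspect config, the current and maxever (estab/half-open/terminating) counts from show ip inspect statistics, and the Session lines from show ip inspect session. It then places the current half-open count relative to the thresholds, since CBAC begins deleting half-open sessions once the count exceeds the high value and stops once it falls below the low value, and tallies tracked sessions by service. The samples are constructed from those layouts with the half-open count raised to exercise the threshold logic; the status labels and function names are the example's own.

```python
"""Evaluate CBAC half-open session pressure and list tracked sessions.

Added example; not Cisco code. It reads the `show ip inspect config`,
`show ip inspect statistics` and `show ip inspect session` layouts shown in
the reference. The samples are constructed from those layouts (the half-open
count is raised to show the threshold logic) and are not live captures.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

CONFIG_SAMPLE = """\
Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
"""

STATS_SAMPLE = """\
Packet inspection statistics [process switch:fast switch]
  tcp packets: [616668:0]
  http packets: [178912:0]
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 42940
Current session counts (estab/half-open/terminating) [12:530:3]
Maxever session counts (estab/half-open/terminating) [98:530:50]
Last session created 5d21h
Last statistic reset never
Last session creation rate 0
Last half-open session total 530
"""

SESSION_SAMPLE = """\
Established Sessions
 Session 80E87274 (192.168.1.116:32956)=>(192.168.101.115:23) tcp SIS_OPEN
 Session 25A6E1C (10.1.0.1:46065)=>(10.0.0.1:21) ftp SIS_OPEN
 Session 25A3318 (10.0.0.1:20)=>(10.1.0.1:46068) ftp-data SIS_OPEN
"""

THRESH_RE = re.compile(r"^(one-minute|max-incomplete sessions).*thresholds are \[(\d+):(\d+)\]")
PER_HOST_RE = re.compile(r"^max-incomplete tcp connections per host is (\d+)\. Block-time (\d+) minute")
COUNTS_RE = re.compile(r"^(Current|Maxever) session counts \(estab/half-open/terminating\) \[(\d+):(\d+):(\d+)\]")
SESSION_RE = re.compile(r"^\s*Session ([0-9A-F]+) \(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\) (\S+) (\S+)")


@dataclass
class Session:
    sid: str
    src: str
    src_port: int
    dst: str
    dst_port: int
    service: str
    state: str


def parse_thresholds(text: str) -> Dict[str, Tuple[int, int]]:
    """{'one-minute': (low, high), 'max-incomplete': (low, high),
    'per-host': (max_connections, block_time_minutes)}"""
    out: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = THRESH_RE.match(line)
        if m:
            key = "one-minute" if m.group(1) == "one-minute" else "max-incomplete"
            out[key] = (int(m.group(2)), int(m.group(3)))
            continue
        m = PER_HOST_RE.match(line)
        if m:
            out["per-host"] = (int(m.group(1)), int(m.group(2)))
    return out


def parse_counts(text: str) -> Dict[str, Dict[str, int]]:
    """{'current': {...}, 'maxever': {...}} from the statistics output."""
    out: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        m = COUNTS_RE.match(line)
        if m:
            out[m.group(1).lower()] = {"estab": int(m.group(2)),
                                       "half-open": int(m.group(3)),
                                       "terminating": int(m.group(4))}
    return out


def half_open_status(thresholds: Dict[str, Tuple[int, int]],
                     counts: Dict[str, Dict[str, int]]) -> str:
    """Place the current half-open count against the [low:high]
    max-incomplete thresholds: above high CBAC is deleting half-open
    sessions ('aggressive'), between the two it is 'elevated'."""
    low, high = thresholds["max-incomplete"]
    current = counts["current"]["half-open"]
    if current > high:
        return "aggressive"
    if current > low:
        return "elevated"
    return "normal"


def parse_sessions(text: str) -> List[Session]:
    sessions: List[Session] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sid, src, sport, dst, dport, service, state = m.groups()
            sessions.append(Session(sid, src, int(sport), dst, int(dport), service, state))
    return sessions


def sessions_by_service(sessions: List[Session]) -> Dict[str, int]:
    return dict(Counter(s.service for s in sessions))


if __name__ == "__main__":
    print("half-open:", half_open_status(parse_thresholds(CONFIG_SAMPLE), parse_counts(STATS_SAMPLE)))
    print("by service:", sessions_by_service(parse_sessions(SESSION_SAMPLE)))
```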

show ip ips

To display Intrusion Prevention System (IPS) information such as configured sessions and signatures, use the show ip ips command in privileged EXEC mode.

show ip ips {[all] [configuration] [interfaces] [name name] [statistics [reset]] [sessions [details]] [signatures [details]]}

Syntax Description

all

Displays all available IPS information.

configuration

Displays additional configuration information, including default values that may not be displayed using the show running-config command.

interfaces

Displays the interface configuration.

statistics [reset]

Displays information such as the number of packets audited and the number of alarms sent. The optional reset keyword resets sample output to reflect the latest statistics.

name name

Displays information only for the specified IPS rule.

sessions [details]

Displays IPS session-related information. The optional details keyword shows detailed session information.

signatures [details]

Displays signature information, such as which signatures are disabled and marked for deletion. The optional details keyword shows detailed signature information.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from show ip audit to show ip ips. Also, all show ip ips commands were combined into a single command.


Usage Guidelines

Use the show ip ips configuration EXEC command to display additional configuration information, including default values that may not be displayed using the show running-config command.

Examples

Sample Output for the show ip ips configuration Command

The following example displays the output of the show ip ips configuration command:

Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:5 OrgID:100 Addr:10.2.7.3 Msg dropped:0
HID:1000 OID:100 S:218 A:3 H:14092 HA:7118 DA:0 R:0
    CID:1 IP:172.21.160.20 P:45000 S:ESTAB (Curr Conn)
Audit Rule Configuration
 Audit name AUDIT.1
    info actions alarm

Sample Output for the show ip ips interface Command

The following example displays the output of the show ip ips interface command:

Interface Configuration
 Interface Ethernet0
  Inbound IPS audit rule is AUDIT.1
    info actions alarm
  Outgoing IPS audit rule is not set
 Interface Ethernet1
  Inbound IPS audit rule is AUDIT.1
    info actions alarm
  Outgoing IPS audit rule is AUDIT.1
    info actions alarm

Sample Output for the show ip ips statistics Command

The following displays the output of the show ip ips statistics command:

Signature audit statistics [process switch:fast switch]
  signature 2000 packets audited: [0:2]
  signature 2001 packets audited: [9:9]
  signature 2004 packets audited: [0:2]
  signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0

Related Commands

Command
Description

clear ip ips statistics

Resets statistics on packets analyzed and alarms sent.


show ip port-map

To display the port-to-application mapping (PAM) information, use the show ip port-map command in privileged EXEC mode.

show ip port-map [appl-name | port port-num [detail]]

Syntax Description

appl-name

(Optional) Specifies the name of the application to which to apply the port mapping.

port port-num

(Optional) Specifies the alternative port number that maps to the application.

detail

(Optional) Shows the port or application details.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(14)T

The detail keyword was added and command output was modified to display user-defined applications.


Usage Guidelines

Use this command to display the port mapping information at the firewall, including the system-defined and user-defined information. Include the application name to display the list of entries by application. Include the port number to display the entries by port.

Examples

The following is sample output from the show ip port-map command, including system- and user-defined mapping information. Notice that multiple port numbers are displayed either as a series, such as 554,8554 or 1512...1525, or as a range, such as 55000-62000. When an application has multiple ports, all of them are displayed if they fit into the fixed-width field. If they do not fit, the series is abbreviated with an ellipsis, such as 1512...1525 shown below.

Router# show ip port-map

Default mapping:  snmp       udp port 161                    system defined
Host specific:    snmp       udp port 577         in list 55 user defined
Host specific:    snmp       udp port 55000-62000 in list 57 user defined
Default mapping:  echo       tcp port 7                      system defined
Default mapping:  echo       udp port 7                      system defined
Default mapping:  telnet     tcp port 23                     system defined
Default mapping:  wins       tcp port 1512...1525            system defined
Default mapping:  n2h2server tcp port 9285                   system defined
Default mapping:  n2h2server udp port 9285                   system defined
Default mapping:  nntp       tcp port 119                    system defined
Default mapping:  pptp       tcp port 1725                   system defined
Default mapping:  rtsp       tcp port 554,8554               system defined
Default mapping:  bootpc     udp port 68                     system defined
Default mapping:  gdoi       udp port 848                    system defined
Default mapping:  tacacs     udp port 49                     system defined
Default mapping:  gopher     tcp port 70                     system defined
Default mapping:  icabrowser udp port 1604                   system defined

The following sample output from the show ip port-map snmp command displays information about the SNMP application:

Router# show ip port-map snmp

Default mapping:  snmp    udp port 161                      system defined
Host specific:    snmp    udp port 577          in list 55  user defined
Host specific:    snmp    udp port 55000-62000  in list 57  user defined

The following sample output from the show ip port-map snmp detail command displays detailed information about the SNMP application:

Router# show ip port-map snmp detail

 IP port-map entry for application 'snmp':
     udp 161                    Simple Network Management Protoco system defined
     udp 577            list 55 User's SNMP Port                  user defined
     udp 55000-62000    list 57 User's Another SNMP Port          user defined

The following sample output from the show ip port-map port 577 command displays information about port 577:

Router# show ip port-map port 577

Host specific:   snmp  udp port 577    in list 55   user defined

The following sample output from the show ip port-map port 55800 command displays information about port 55800:

Router# show ip port-map port 55800

Host specific:   snmp   udp port 55800  in list 57   user defined

The following sample output from the show ip port-map port 577 detail command displays detailed information about port 577:

Router# show ip port-map port 577 detail 

 IP Port-map entry for port 577:
 snmp                 udp list 55                            user defined
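
The display conventions described above (a series such as 554,8554, a range such as 55000-62000, and an ellipsis when the ports do not fit the field) make this output awkward to consume mechanically. The following Python parser is an added example written for this page, not Cisco code: it reads show ip port-map output into structured entries, answers the same port-to-application question the show ip port-map port 55800 example illustrates, and flags host-specific entries that reuse a port the system defines for a different application. The sample text is constructed to resemble the output above; its last line is a hypothetical user-defined entry added to exercise that check.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample modelled on the "show ip port-map" output above; the last
# line is an added, hypothetical user-defined entry that reuses the telnet port.
SAMPLE_PORT_MAP = """\
Default mapping:  snmp       udp port 161                    system defined
Host specific:    snmp       udp port 577         in list 55 user defined
Host specific:    snmp       udp port 55000-62000 in list 57 user defined
Default mapping:  telnet     tcp port 23                     system defined
Default mapping:  wins       tcp port 1512...1525            system defined
Default mapping:  rtsp       tcp port 554,8554               system defined
Default mapping:  pptp       tcp port 1725                   system defined
Host specific:    http       tcp port 23          in list 60 user defined
"""

LINE_RE = re.compile(
    r"^(?P<scope>Default mapping|Host specific):\s+(?P<app>\S+)\s+"
    r"(?P<proto>tcp|udp)\s+port\s+(?P<ports>\S+)"
    r"(?:\s+in list\s+(?P<acl>\d+))?\s+(?P<origin>system|user) defined\s*$"
)


@dataclass(frozen=True)
class PamEntry:
    app: str
    proto: str
    ports: FrozenSet[int]   # ports known to belong to this entry
    truncated: bool         # True when the display elided ports with "..."
    acl: Optional[int]      # access list that scopes a host-specific entry
    user_defined: bool


def parse_ports(field: str) -> Tuple[FrozenSet[int], bool]:
    """Expand '161', '554,8554' or '55000-62000' into a set of ports.

    An ellipsis ('1512...1525') means the fixed-width field overflowed, so only
    the visible endpoints are recoverable; the entry is flagged as truncated.
    """
    truncated = "..." in field
    ports = set()
    for piece in field.replace("...", ",").split(","):
        if "-" in piece:
            lo, hi = (int(x) for x in piece.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(piece))
    return frozenset(ports), truncated


def parse_port_map(text: str) -> List[PamEntry]:
    """Parse show ip port-map output; lines that are not mappings are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ports, truncated = parse_ports(m["ports"])
        entries.append(PamEntry(
            app=m["app"], proto=m["proto"], ports=ports, truncated=truncated,
            acl=int(m["acl"]) if m["acl"] else None,
            user_defined=(m["origin"] == "user"),
        ))
    return entries


def lookup(entries: List[PamEntry], proto: str, port: int) -> List[PamEntry]:
    """Entries whose known ports include (proto, port); like 'show ip port-map port N'."""
    return [e for e in entries if e.proto == proto and port in e.ports]


def user_overrides(entries: List[PamEntry]) -> List[Tuple[PamEntry, PamEntry]]:
    """Pairs (user entry, system entry) where a host-specific mapping reuses a
    port the system defines for a different application. For hosts matched by
    the ACL that port is inspected as the user's application, so each pair is
    worth a review."""
    system = [e for e in entries if not e.user_defined]
    pairs = []
    for u in (e for e in entries if e.user_defined):
        for s in system:
            if s.proto == u.proto and s.app != u.app and u.ports & s.ports:
                pairs.append((u, s))
    return pairs
```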

Related Commands

Command
Description

ip port-map

Establishes PAM entries.


show ip sdee

To display Security Device Event Exchange (SDEE) notification information, use the show ip sdee command in privileged EXEC mode.

show ip sdee {[alerts] [all] [errors] [events] [configuration] [status] [subscriptions]}

Syntax Description

alerts

Displays the Intrusion Detection System (IDS) alert buffer.

all

Displays all information available for IDS SDEE notifications.

errors

Displays IDS SDEE error messages.

events

Displays IDS SDEE events.

configuration

Displays SDEE configuration parameters.

status

Displays the status events that are currently in the buffer.

subscriptions

Displays IDS SDEE subscription information.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Examples

The following is sample output from the show ip sdee alerts command. In this example, the alerts are numbered from 1 to 100 (because 100 events are currently in the event buffer). Following the alert number are 3 digits, which indicate whether the alert has been reported for the 3 possible subscriptions. In this example, these alerts have been reported for subscription number 1. The event ID is composed of the alert time and an increasing count, separated by a colon.

Router# show ip sdee alerts

Event storage:1000 events using 656000 bytes of memory
                                SDEE Alerts

SigID       SrcIP     DstIP       SrcPort  DstPort  Sev     Event ID        SigName
1:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211478597901  ICMP Echo Req
2:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211478887902  ICMP Echo Req
3:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211479247903  ICMP Echo Req
4:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211479457904  ICMP Echo Req
5:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211479487905  ICMP Echo Req
6:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211480077906  ICMP Echo Req
7:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211480407907  ICMP Echo Req
...........................................................
...........................................................
96:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750898596  ICMP Echo Req
97:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750898597  ICMP Echo Req
98:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750898598  ICMP Echo Req
99:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750908599  ICMP Echo Req
100:000 2004 10.0.0.2 10.0.0.1    8        0        2       10211750918600  ICMP Echo Req 
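
The alert rows above encode, after the alert number, one digit per possible subscription saying whether that subscription has already received the alert. The following Python parser is an added example written for this page, not Cisco code: it reads show ip sdee alerts output into structured records, lists the alerts no subscription has collected yet (the 000 rows), and counts alerts per source address. The sample text is constructed to resemble the display above, with the subscription flags and one source address varied.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed excerpt shaped like the "show ip sdee alerts" display above (not a
# live capture). The three digits after the alert number are the per-subscription
# "reported" flags; the dotted line stands for elided rows.
SAMPLE_SDEE_ALERTS = """\
Event storage:1000 events using 656000 bytes of memory
                                SDEE Alerts

SigID       SrcIP     DstIP       SrcPort  DstPort  Sev     Event ID        SigName
1:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211478597901  ICMP Echo Req
2:110 2004  10.0.0.2  10.0.0.1    8        0        2       10211478887902  ICMP Echo Req
...........................................................
99:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750908599  ICMP Echo Req
100:000 2004 10.0.0.3 10.0.0.1    8        0        2       10211750918600  ICMP Echo Req
"""

# An alert row starts with "<index>:<three 0/1 flags>" followed by whitespace.
ALERT_RE = re.compile(r"^(\d+):([01]{3})\s")


@dataclass(frozen=True)
class SdeeAlert:
    index: int
    reported_to: FrozenSet[int]  # subscriptions (1-3) that have already received it
    sig_id: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    severity: int
    event_id: str                # kept opaque; the reference describes it as time plus counter
    sig_name: str


def parse_sdee_alerts(text: str) -> List[SdeeAlert]:
    """Parse alert rows; the storage summary, headers and '....' rows are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        parts = line.split()
        flags = m.group(2)
        alerts.append(SdeeAlert(
            index=int(m.group(1)),
            reported_to=frozenset(i + 1 for i, c in enumerate(flags) if c == "1"),
            sig_id=int(parts[1]), src_ip=parts[2], dst_ip=parts[3],
            src_port=int(parts[4]), dst_port=int(parts[5]), severity=int(parts[6]),
            event_id=parts[7], sig_name=" ".join(parts[8:]),
        ))
    return alerts


def unreported(alerts: List[SdeeAlert]) -> List[SdeeAlert]:
    """Alerts that no subscription has pulled yet. A list approaching the
    buffer size means the SDEE collector is not keeping up with the sensor."""
    return [a for a in alerts if not a.reported_to]


def alerts_by_source(alerts: List[SdeeAlert]) -> Dict[str, int]:
    """Alert count per source address, a quick triage view of the buffer."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.src_ip] = counts.get(a.src_ip, 0) + 1
    return counts
```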

The following is sample output from the show ip sdee subscriptions command. In this example, SDEE is enabled, the maximum event buffer size has been set to 100, and the maximum number of subscriptions that can be open at the same time is 1.

Router# show ip sdee subscriptions 

SDEE is enabled
Alert buffer size:100 alerts 65600 bytes
Maximum subscriptions:1

SDEE open subscriptions: 1
Subscription ID IDS1720:0:
Client address 10.0.0.2 port 1500
        Subscription opened at 13:21:30 MDT July 18 2003
        Total GET requests:0
        Max number of events:50
        Timeout:30
        Event Start Time:0
        Report alerts:true
        Alert severity level is INFORMATIONAL
        Report errors:false
        Report status:false

Table 60 describes the significant fields shown in the display.

Table 60 show ip sdee subscriptions Field Descriptions 

Field
Description

Alert buffer size:100 alerts 65600 bytes

Maximum number of events that can be stored in the buffer. The maximum number of events to be stored refers to all types of events (alert, status, and error).

(This value can be changed via the ip sdee events command.)

Maximum subscriptions:1

Maximum number of subscriptions that can be open at the same time. (This value can be changed via the ip sdee subscriptions command.)


The following is sample output from the show ip sdee status command. In this example, the buffer is set to store a maximum of 1000 events.

Router# show ip sdee status

Event storage:1000 events using 656000 bytes of memory

                   SDEE Status Messages
Time                            Message              Description
1:000 22:10:58 UTC Apr 18 2003  applicationStarted   STRING.UDP,0 ms
2:000 22:10:58 UTC Apr 18 2003  applicationStarted   STRING.TCP,0 ms
3:000 22:10:58 UTC Apr 18 2003  applicationStarted   OTHER,0 ms
4:000 22:10:58 UTC Apr 18 2003  applicationStarted   SERVICE.FTP,276 ms
5:000 22:11:07 UTC Apr 18 2003  applicationStarted   SERVICE.SMTP,8884 ms
6:000 22:11:07 UTC Apr 18 2003  applicationStarted   SERVICE.RPC,72 ms
7:000 22:11:07 UTC Apr 18 2003  applicationStarted   SERVICE.DNS,132 ms
8:000 22:11:15 UTC Apr 18 2003  applicationStarted   SERVICE.HTTP,7632 ms
9:000 22:11:15 UTC Apr 18 2003  applicationStarted   ATOMIC.TCP,24 ms
10:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.UDP,12 ms
11:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.ICMP,12 ms
12:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.IPOPTIONS,8 ms
13:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.L3.IP,8 ms

Related Commands

Command
Description

ip ips notify

Specifies the method of event notification.

ip sdee events

Sets the maximum number of SDEE events that can be stored in the event buffer.

ip sdee subscriptions

Sets the maximum number of SDEE subscriptions that can be open simultaneously.


show ip source-track

To display traffic flow statistics for tracked IP host addresses, use the show ip source-track command in privileged EXEC mode.

show ip source-track [ip-address] [summary | cache]

Syntax Description

ip-address

(Optional) Displays the IP address of the tracked host for which traffic flow information is displayed.

summary

(Optional) Displays a summary of traffic flow information that is collected for a specified host address (via the ip-address argument) or for all configured hosts.

cache

(Optional) Displays detailed packet and flow information that is collected on line cards and port adapters, for all tracked IP addresses or for the specified IP address. (This information is not displayed on a distributed platform such as the gigabit route processor (GRP) or route switch processor (RSP).)


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(21)S

This command was introduced.

12.0(22)S

This command was implemented on the Cisco 7500 series routers.

12.0(26)S

This command was implemented on Cisco 12000 series ISE line cards.

12.3(7)T

This command was integrated into Cisco IOS Release 12.3(7)T.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Examples

The following example, which is sample output from the show ip source-track summary command, shows how to verify that IP source tracking is enabled for one or more hosts:

Router# show ip source-track summary

Address          Bytes    Pkts    Bytes/s   Pkts/s
10.0.0.1          119G   1194M    443535      4432
192.168.1.1       119G   1194M    443535      4432
192.168.42.42     119G   1194M    443535      4432

The following example, which is sample output from the show ip source-track summary command, shows how to verify that no traffic has yet been received for the destination hosts that are being tracked:

Router# show ip source-track summary

Address        Bytes   Pkts   Bytes/s   Pkts/s
10.0.0.1           0      0         0        0 
192.168.1.1        0      0         0        0 
192.168.42.42      0      0         0        0 

The following example, which is sample output from the show ip source-track command, shows that IP source tracking is processing packets to the hosts and exporting statistics from the line card or port adapter to the route processor:

Router# show ip source-track

Address         SrcIF    Bytes   Pkts   Bytes/s   Pkts/s
10.0.0.1        PO0/0    119G   1194M    513009     5127
192.168.1.1     PO0/0    119G   1194M    513009     5127
192.168.42.42   PO0/0    119G   1194M    513009     5127

Related Commands

Command
Description

ip source-track

Enables IP source tracking for a specified host.

ip source-track address-limit

Configures the maximum number of destination hosts that can be simultaneously tracked at any given moment.

ip source-track syslog-interval

Sets the time interval (in minutes) in which syslog messages are generated if IP source tracking is enabled on a device.


show ip source-track export flows

To display the last ten packet flows that were exported from the line card to the route processor, use the show ip source-track export flows command in privileged EXEC mode.

show ip source-track export flows

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(21)S

This command was introduced.

12.0(22)S

This command was implemented on the Cisco 7500 series routers.

12.0(26)S

This command was implemented on Cisco 12000 series ISE line cards.

12.3(7)T

This command was integrated into Cisco IOS Release 12.3(7)T.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Usage Guidelines

The show ip source-track export flows command can be issued only on distributed platforms such as the GRP and the RSP.

Examples

The following example displays the packet flow information that is exported from line cards and port adapters to the gigabit route processor (GRP) and the route switch processor (RSP):

Router# show ip source-track export flows

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
PO0/0         101.1.1.0       Null          100.1.1.1       06 0000 0000    88K
PO0/0         101.1.1.0       Null          100.1.1.3       06 0000 0000    88K
PO0/0         101.1.1.0       Null          100.1.1.2       06 0000 0000    88K

Related Commands

Command
Description

ip source-track

Enables IP source tracking for a specified host.

ip source-track export-interval

Sets the time interval (in seconds) in which IP source tracking statistics are exported from the line card to the RP.


show ip ssh

To display the version and configuration data for Secure Shell (SSH), use the show ip ssh command in privileged EXEC mode.

show ip ssh

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1 T.

12.1(5)T

This command was modified to display the SSH status—enabled or disabled.


Usage Guidelines

Use the show ip ssh command to view the status of configured options such as retries and timeouts. This command allows you to see if SSH is enabled or disabled.

Examples

The following is sample output from the show ip ssh command when SSH has been enabled:

Router# show ip ssh

SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3

The following is sample output from the show ip ssh command when SSH has been disabled:

Router# show ip ssh

%SSH has not been enabled

Related Commands

Command
Description

show ssh

Displays the status of SSH server connections.


show ip traffic-export

To display information related to router IP traffic export (RITE), use the show ip traffic-export command in privileged EXEC mode.

show ip traffic-export [interface interface-name | profile profile-name]

Syntax Description

interface interface-name

(Optional) Only data associated with the monitored ingress interface is shown.

profile profile-name

(Optional) Only flow statistics, such as exported packets and number of bytes, are shown.


Defaults

If the command is entered without a keyword, all data (both interface- and profile-related data) is shown.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Examples

The following sample output from the show ip traffic-export command is for the profile "one." This example is for a single configured interface. If multiple interfaces are configured, the information shown below is displayed for each interface.

Router# show ip traffic-export

Router IP Traffic Export Parameters
Monitored Interface          FastEthernet0/0
    Export Interface         FastEthernet0/1
    Destination MAC address  0030.7131.abfc
    bi-directional traffic export is off
Input IP Traffic Export Information   Packets/Bytes Exported  0/0
    Packets Dropped          0
    Sampling Rate            one-in-every 1 packets
    No Access List configured
Profile one is Active

Table 61 describes the significant fields shown in the display.

Table 61 show ip traffic-export Field Descriptions 

Field
Description

Monitored Interface

Interface in which the profile was applied. (This interface is specified via the ip traffic-export apply profile command.)

Export Interface

Interface in which the profile exports all captured IP traffic. (This interface is specified via the ip traffic-export profile command.)

Destination MAC address

Ethernet address of the destination host, which is specified via the mac-address command.

bi-directional traffic export is

Incoming and outgoing IP traffic is exported on the monitored interface (via the bidirectional command). By default, only incoming traffic is exported.

Input IP Traffic Export Information
       Packets Dropped
       Sampling Rate
       No Access List Configured
      Profile one is Active

Incoming IP traffic information. The sampling rate and ACL can be defined via the incoming command. If the profile is incomplete, the profile will be listed as inactive.


Related Commands

Command
Description

bidirectional

Enables incoming and outgoing IP traffic to be exported across a monitored interface.

ip traffic-export apply profile

Applies an IP traffic export profile to a specific interface.

ip traffic-export profile

Creates or edits an IP traffic export profile and enables the profile on an ingress interface.

incoming

Configures filtering for incoming export traffic.

outgoing

Configures filtering for outgoing export traffic.


show ip trigger-authentication

To display the list of remote hosts for which automated double authentication has been attempted, use the show ip trigger-authentication command in privileged EXEC mode.

show ip trigger-authentication

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Whenever a remote user needs to be user-authenticated in the second stage of automated double authentication, the local device sends a User Datagram Protocol (UDP) packet to the remote user's host. When the UDP packet is sent, the user's host IP address is added to a table. If additional UDP packets are sent to the same remote host, a new table entry is not created; instead, the existing entry is updated with a new time stamp. This remote host table contains a cumulative list of host entries; entries are deleted after a timeout period or after you manually clear the table using the clear ip trigger-authentication command. You can change the timeout period with the ip trigger-authentication (global) command.

Use this command to view the list of remote hosts for which automated double authentication has been attempted.

Examples

The following example shows output from the show ip trigger-authentication command:

Router# show ip trigger-authentication

Trigger-authentication Host Table:
Remote Host          Time Stamp
209.165.200.230       2940514234

This output shows that automated double authentication was attempted for a remote user; the remote user's host has the IP address 209.165.200.230. The attempt to automatically double authenticate occurred when the local host (myfirewall) sent the remote host (209.165.200.230) a packet to UDP port 7500. (The default port was not changed in this example.)

Related Commands

Command
Description

clear ip trigger-authentication

Clears the list of remote hosts for which automated double authentication has been attempted.


show ip urlfilter cache

To display the maximum number of entries that the cache table can hold, the number of entries currently cached, and the destination IP addresses that are cached, use the show ip urlfilter cache command in privileged EXEC mode.

show ip urlfilter cache [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Displays the information only for the specified Virtual Routing and Forwarding (VRF) interface.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)YU

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Examples

The following example is sample output from the show ip urlfilter cache command:

Router# show ip urlfilter cache

Maximum number of entries allowed: 5000
Number of entries cached: 5
IP addresses cached ....
 10.64.128.54
 172.28.139.21
 10.76.82.25
 192.168.0.1
 10.0.1.2

Table 62 describes the significant fields shown in the display.

Table 62 show ip urlfilter cache Field Descriptions

Field
Description

Maximum number of entries allowed

Maximum number of destination IP addresses that can be cached into the cache table. This parameter can be configured using the ip urlfilter cache command. (The default is 5000.)

Number of entries cached

Number of entries that have already been cached into the cache table.

IP addresses cached

IP addresses that have already been cached into the cache table.


Related Commands

Command
Description

clear ip urlfilter cache

Clears the cache table.

ip urlfilter cache

Configures cache parameters.


show ip urlfilter config

To display the size of the cache, the maximum number of outstanding requests, the allow mode state, and the list of configured vendor servers, use the show ip urlfilter config command in EXEC mode.

show ip urlfilter config [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Displays the information only for the specified Virtual Routing and Forwarding (VRF) interface.


Command Modes

EXEC

Command History

Release
Modification

12.2(11)YU

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Examples

The following example is sample output from the show ip urlfilter config command:

Router# show ip urlfilter config

URL filter is ENABLED

Primary Websense server configurations
===========================
Websense server IP address: 10.0.0.3
Websense server port: 15868
Websense retransmit time out: 5 (seconds)
Websense number of retransmit:2

Secondary Websense server configurations:
==============================
None.

Other configurations
===============
Allow mode: OFF
System Alert: ON
Log message on the router: OFF
Log message on URL filter server:ON
Maximum number of cache entries :5000
Cache timeout :12 (hours)
Maximum number of packet buffers:200
Maximum outstanding requests:1000

Related Commands

Command
Description

ip urlfilter allowmode

Turns on the default mode (allow mode) of the filtering algorithm.

ip urlfilter cache

Configures cache parameters.

ip urlfilter max-request

Sets the maximum number of outstanding requests that can exist at any given time.

ip urlfilter server vendor

Configures a vendor server for URL filtering.


show ip urlfilter statistics

To display URL filtering statistics, use the show ip urlfilter statistics command in privileged EXEC mode.

show ip urlfilter statistics [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Displays the information only for the specified Virtual Routing and Forwarding (VRF) interface.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)YU

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

This command shows information such as the number of requests that are sent to the vendor server (Websense or N2H2), the number of responses received from the vendor server, the number of pending requests in the system, the number of failed requests, and the number of blocked URLs.

Examples

The following example is sample output from the show ip urlfilter statistics command:

Router# show ip urlfilter statistics

URL filtering statistics
================
Current requests count:25
Current packet buffer count(in use):40
Current cache entry count:3100

Maxever request count:526
Maxever packet buffer count:120
Maxever cache entry count:5000

Total requests sent to URL Filter Server: 44765
Total responses received from URL Filter Server: 44550
Total requests allowed: 44320
Total requests blocked: 224

Table 63 describes the significant fields shown in the display.

Table 63 show ip urlfilter statistics Field Descriptions 

Field
Description

Current requests count [1]

Number of requests that have been sent to the vendor server.

Current packet buffer count (in use) [2]

Number of HTTP responses that are currently in the packet buffer of the firewall.

Current cache entry count [3]

Number of destination IP addresses that have been cached into the cache table.

Maxever request count [1]

Maximum number of requests that have been sent to the vendor server since power on.

Maxever packet buffer count [2]

Maximum number of HTTP responses that have been stored in the packet buffer of the firewall since power on.

Maxever cache entry count [3]

Maximum number of destination IP addresses that have been cached into the cache table since power on.

[1] This value can be specified via the ip urlfilter max-request command.

[2] This value can be specified via the ip urlfilter max-resp-pak command.

[3] This value can be specified via the ip urlfilter cache command.


Related Commands

Command
Description

ip urlfilter cache

Configures cache parameters.

ip urlfilter max-request

Sets the maximum number of outstanding requests that can exist at any given time.

ip urlfilter max-resp-pak

Configures the maximum number of HTTP responses that the firewall can keep in its packet buffer.


show ip virtual-reassembly

To display the configuration and statistical information of the virtual fragment reassembly (VFR) on a given interface, use the show ip virtual-reassembly command in privileged EXEC mode.

show ip virtual-reassembly [interface type]

Syntax Description

interface type

(Optional) VFR information is shown only for the specified interface.

If an interface is not specified, VFR information for all configured interfaces is shown.


Defaults

None

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Examples

The following example is sample output from the show ip virtual-reassembly command:

Router# show ip virtual-reassembly interface ethernet1/1

Ethernet1/1:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies):64
Fragments per reassembly (max-fragments):16
Reassembly timeout (timeout):3 seconds
Drop fragments:OFF

Current reassembly count:12
Current fragment count:48
Total reassembly count:6950
Total reassembly failures:9

Table 64 describes the significant fields shown in the display.

Table 64 show ip virtual-reassembly Field Descriptions 

Field
Description

Concurrent reassemblies (max-reassemblies):64

Maximum number of IP datagrams that can be reassembled at any given time. Value can be specified via the max-reassemblies number option from the ip virtual-reassembly command.

Fragments per reassembly (max-fragments):16

Maximum number of fragments that are allowed per IP datagram (fragment set). Value can be specified via the max-fragments number option from the ip virtual-reassembly command.

Reassembly timeout (timeout):3 seconds

Timeout value for an IP datagram that is being reassembled. Value can be specified via the timeout seconds option from the ip virtual-reassembly command.

Drop fragments:OFF

Specifies whether the VFR should drop all fragments that arrive on the configured interface. Function can be turned on or off via the drop-fragments keyword from the ip virtual-reassembly command.

Current reassembly count

Number of IP datagrams that are currently being reassembled.

Current fragment count

Number of fragments that have been buffered by VFR for reassembly.

Total reassembly count

Total number of datagrams that have been reassembled since the last system reboot.

Total reassembly failures

Total number of reassembly failures since the last system reboot.


Related Commands

Command
Description

ip virtual-reassembly

Enables VFR on an interface.


show kerberos creds

To display the contents of your credentials cache, use the show kerberos creds command in privileged EXEC mode.

show kerberos creds

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

11.1

This command was introduced.


Usage Guidelines

The show kerberos creds command is equivalent to the UNIX klist command.

When users authenticate themselves with Kerberos, they are issued an authentication ticket called a credential. The credential is stored in a credential cache.

Examples

The following example displays entries in the credentials cache:

Router> show kerberos creds

 Default Principal: user@example.com
 Valid Starting          Expires                 Service Principal
 18-Dec-1995 16:21:07    19-Dec-1995 00:22:24    krbtgt/EXAMPLE.COM@EXAMPLE.COM

The following example returns output that acknowledges that credentials do not exist in the credentials cache:

Router> show kerberos creds

 No Kerberos credentials

Related Commands

Command
Description

clear kerberos creds

Deletes the contents of the credentials cache.


show login

To display login parameters, use the show login command in privileged EXEC mode.

show login [failures]

Syntax Description

failures

(Optional) Displays information related only to failed login attempts.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Usage Guidelines

The show login command allows users to verify the applied login configuration and the present login status of the router.

Examples

The following sample output from the show login command verifies that no login parameters have been specified:

Router# show login

No login delay has been applied.
No Quiet-Mode access list has been configured.
All successful login is logged and generate SNMP traps.
All failed login is logged and generate SNMP traps

Router NOT enabled to watch for login Attacks

The following sample output from the show login command verifies that the login block-for command is issued. In this example, the command is configured to block login hosts for 100 seconds if 16 or more login requests fail within 100 seconds; five login requests have already failed.

Router# show login

A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
All successful login is logged and generate SNMP traps.
All failed login is logged and generate SNMP traps.

Router enabled to watch for login Attacks.
If more than 15 login failures occur in 100 seconds or less, logins will be disabled for 
100 seconds.

Router presently in Watch-Mode, will remain in Watch-Mode for 95 seconds.
Present login failure count 5.

The following sample output from the show login command verifies that the router is in quiet mode. In this example, the login block-for command was configured to block login hosts for 100 seconds if three or more login requests fail within 100 seconds.

Router# show login

A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
All successful login is logged and generate SNMP traps.
All failed login is logged and generate SNMP traps.

Router enabled to watch for login Attacks.
If more than 2 login failures occur in 100 seconds or less, logins will be disabled for 
100 seconds.

Router presently in Quiet-Mode, will remain in Quiet-Mode for 93 seconds.

Denying logins from all sources.

Table 65 describes the significant fields shown in the preceding displays.

Table 65 show login Field Descriptions 

Field
Description

A default login delay of 1 seconds is applied.

A delay of 1 second is enforced when the login block-for command is issued.

To specify a different delay value, use the login delay command.

No Quiet-Mode access list has been configured.

No access control lists (ACLs) are exempt from the quiet period.

To specify an ACL, use the login quiet-mode access-class command.

All successful or failed login is logged and generate SNMP traps.

Logging messages and Simple Network Management Protocol (SNMP) traps are configured to be generated upon successful or failed login attempts.

To change this setting, use the login on-success or login on-failure command.

Router enabled to watch for login Attacks.

The Cisco IOS device has been configured with at least the login block-for command, which enables default login functionality.

Note If no login parameters are specified, the following description appears: "Router NOT enabled to watch for login Attacks."

If more than 2 login failures occur in 100 seconds or less, logins will be disabled for 100 seconds.

Parameters of the login block-for seconds attempts tries within seconds command.

Router presently in Quiet-Mode, will 
remain in Quiet-Mode for 93 seconds.

The router has switched to quiet mode.

Note If the router is not in quiet mode, the following description appears: "Router presently in Watch-Mode, will remain in Watch-Mode for 95 seconds."

Denying logins from all sources.

The router is in quiet mode and no ACLs are defined, so the router is denying all login requests.

Note If the router is not in quiet mode, the following description, which allows the user to keep track of the current failed login attempts, appears: "Present login failure count 5."


show login failure Sample Outputs

The following sample output from the show login failures command shows all failed login attempts on the router:

Router# show login failures

Information about login failure's with the device

Username      Source IPAddr  lPort Count  TimeStamp
try1          10.1.1.1        23    1     21:52:49 UTC Sun Mar 9 2003
try2          10.1.1.2        23    1     21:52:52 UTC Sun Mar 9 2003

The following sample output from the show login failures command verifies that no information is presently logged:

Router# show login failures

*** No logged failed login attempts with the device.***
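The quiet-mode behaviour described in Table 65 is easier to reason about as a state machine. The following Python model is an added example written for this page, not Cisco code: it reproduces the semantics the show login output describes (a configured number of failures inside the watch window switches the device to quiet mode for the block-for period; during quiet mode every login is dropped unless the source is permitted by the quiet-mode access-class). The exact timing behaviour inside IOS, and the scenario data, are assumptions.

```python
"""Model of the Cisco IOS 'login block-for' watch-mode / quiet-mode logic.

Added illustration, not Cisco code. It reproduces the behaviour that the
show login output describes; the timing details inside IOS and the demo
scenario are assumptions made for this example.
"""
from collections import Counter, deque
from ipaddress import ip_address, ip_network


class LoginWatcher:
    """login block-for <block_for> attempts <attempts> within <within>"""

    def __init__(self, block_for, attempts, within, quiet_mode_acl=()):
        self.block_for = block_for          # seconds spent in quiet mode
        self.attempts = attempts            # failures that trigger quiet mode
        self.within = within                # watch window in seconds
        # login quiet-mode access-class: sources still allowed in quiet mode
        self.quiet_acl = [ip_network(n) for n in quiet_mode_acl]
        self.window = deque()               # timestamps of failures in window
        self.quiet_until = None             # None means Watch-Mode
        self.failure_log = []               # (username, source, timestamp)

    def mode(self, now):
        if self.quiet_until is not None and now < self.quiet_until:
            return "Quiet-Mode"
        return "Watch-Mode"

    def _exempt(self, src):
        return any(ip_address(src) in net for net in self.quiet_acl)

    def attempt(self, now, username, src, password_ok):
        """Return 'accepted', 'rejected' (bad password) or 'denied' (quiet)."""
        if self.mode(now) == "Quiet-Mode" and not self._exempt(src):
            return "denied"
        if password_ok:
            return "accepted"
        # Failed login: record it and drop failures that left the window.
        self.window.append(now)
        self.failure_log.append((username, src, now))
        while self.window and now - self.window[0] > self.within:
            self.window.popleft()
        if len(self.window) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.window.clear()
        return "rejected"

    def status(self, now):
        """Lines in the spirit of 'show login' for the current state."""
        lines = ["If more than %d login failures occur in %d seconds or less, "
                 "logins will be disabled for %d seconds."
                 % (self.attempts - 1, self.within, self.block_for)]
        if self.mode(now) == "Quiet-Mode":
            lines.append("Router presently in Quiet-Mode, will remain in "
                         "Quiet-Mode for %d seconds." % (self.quiet_until - now))
            lines.append("Denying logins from all sources." if not self.quiet_acl
                         else "Denying logins from sources not permitted by "
                              "the quiet-mode access-class.")
        else:
            lines.append("Router presently in Watch-Mode.")
            lines.append("Present login failure count %d." % len(self.window))
        return lines

    def failures_by_source(self):
        """Counts per (username, source), like the show login failures table."""
        return Counter((u, s) for u, s, _ in self.failure_log)


def demo():
    # Constructed scenario: login block-for 100 attempts 3 within 100, with a
    # management network exempted by login quiet-mode access-class.
    w = LoginWatcher(block_for=100, attempts=3, within=100,
                     quiet_mode_acl=["10.0.0.0/8"])
    results = [w.attempt(t, "try1", "192.0.2.10", False) for t in (0, 1, 2)]
    results.append(w.attempt(3, "admin", "192.0.2.10", True))    # denied
    results.append(w.attempt(3, "admin", "10.1.1.1", True))      # exempt source
    results.append(w.attempt(103, "admin", "192.0.2.10", True))  # quiet period over
    return results, w
```

Note what the model makes visible: once quiet mode is entered, even a correct password from a non-exempt source is dropped for the whole block-for period, which is why the quiet-mode access-class should always permit your management hosts before this feature is enabled on a production device.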

Related Commands

Command
Description

login block-for

Configures your Cisco IOS device for login parameters that help provide DoS detection.

login delay

Configures a uniform delay between successive login attempts.

login on-failure

Generates system logging messages for failed login attempts.

login on-success

Generates system logging messages for successful login attempts.

login quiet-mode access-class

Specifies an ACL that is to be applied to the router when it switches to quiet mode.


show parser view

To display command-line interface (CLI) view information, use the show parser view command in privileged EXEC mode.

show parser view [all]

Syntax Description

all

(Optional) Displays information about all CLI views that are configured on the router.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(7)T

This command was introduced.


Usage Guidelines

The show parser view command will display information only about the view that the user is currently in. This command is available for both root view users and lawful intercept view users—except for the all keyword, which is available only to root view users. However, the all keyword can be configured by a user in root view to be available for users in lawful intercept view.

The show parser view command cannot be excluded from any view.

Examples

The following example shows how to display information from the root view and the CLI view "first":

Router# enable view
Router# 
01:08:16:%PARSER-6-VIEW_SWITCH:successfully set to view 'root'.
Router# 
! Enable the show parser view command from the root view
Router# show parser view 
Current view is 'root'
! Enable the show parser view command from the root view to display all views
Router# show parser view all 
Views Present in System:
View Name:   first 
View Name:   second 
! Switch to the CLI view "first."
Router# enable view first 
Router#
01:08:09:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'.
! Enable the show parser view command from the CLI view "first."
Router# show parser view
Current view is 'first'

Related Commands

Command
Description

parser view

Creates or changes a CLI view and enters view configuration mode.


show ppp queues

To monitor the number of requests processed by each authentication, authorization, and accounting (AAA) background process, use the show ppp queues command in privileged EXEC mode.

show ppp queues

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

11.3(2)AA

This command was introduced.


Usage Guidelines

Use the show ppp queues command to display the number of requests handled by each AAA background process, the average amount of time it takes to complete each request, and the requests still pending in the work queue. This information can help you balance the data load between the network access server and the AAA server.

This command displays information about the background processes configured by the aaa processes global configuration command. Each line in the display contains information about one of the background processes. If there are AAA requests in the queue when you enter this command, the requests will be printed as well as the background process data.

Examples

The following example shows output from the show ppp queues command:

Router# show ppp queues

Proc #0   pid=73  authens=59   avg. rtt=118s. authors=160  avg. rtt=94s.
Proc #1   pid=74  authens=52   avg. rtt=119s. authors=127  avg. rtt=115s.
Proc #2   pid=75  authens=69   avg. rtt=130s. authors=80   avg. rtt=122s.
Proc #3   pid=76  authens=44   avg. rtt=114s. authors=55   avg. rtt=106s.
Proc #4   pid=77  authens=70   avg. rtt=141s. authors=76   avg. rtt=118s.
Proc #5   pid=78  authens=64   avg. rtt=131s. authors=97   avg. rtt=113s.
Proc #6   pid=79  authens=56   avg. rtt=121s. authors=57   avg. rtt=117s.
Proc #7   pid=80  authens=43   avg. rtt=126s. authors=54   avg. rtt=105s.
Proc #8   pid=81  authens=139  avg. rtt=141s. authors=120  avg. rtt=122s.
Proc #9   pid=82  authens=63   avg. rtt=128s. authors=199  avg. rtt=80s.
queue len=0 max len=499

Table 66 describes the fields shown in the example.

Table 66 show ppp queues Field Descriptions

Field
Description

Proc #

Identifies the background process allocated by the aaa processes command to handle AAA requests for PPP. All of the data in this row relates to this process.

pid=

Identification number of the background process.

authens=

Number of authentication requests the process has performed.

avg. rtt=

Average delay (in seconds) until the authentication request was completed.

authors=

Number of authorization requests the process has performed.

avg. rtt=

Average delay (in seconds) until the authorization request was completed.

queue len=

Current queue length.

max len=

Maximum length the queue ever reached.


Related Commands

Command
Description

aaa processes

Allocates a specific number of background processes to be used to process AAA authentication and authorization requests for PPP.


show privilege

To display your current level of privilege, use the show privilege command in EXEC mode.

show privilege

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

10.3

This command was introduced.


Examples

The following example shows sample output from the show privilege command. The current privilege level is 15.

Router# show privilege

Current privilege level is 15

Related Commands

Command
Description

enable password

Sets a local password to control access to various privilege levels.

enable secret

Specifies an additional layer of security over the enable password command.


show radius local-server statistics

To display the statistics for the local authentication server, use the show radius local-server statistics command in privileged EXEC mode.

show radius local-server statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)JA

This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.

12.3(11)T

This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.


Examples

The following output displays statistics for the local authentication server:

Router# show radius local-server statistics

Successes              : 11262       Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 8
Unknown NAS            : 0           Invalid packet from NAS: 0

NAS : 10.0.0.1
Successes              : 11262       Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 8
Corrupted packet       : 0           Unknown RADIUS message : 0
No username attribute  : 0           Missing auth attribute : 0
Shared key mismatch    : 0           Invalid state attribute: 0
Unknown EAP message    : 0           Unknown EAP auth type  : 0

Maximum number of configurable users: 50, current user count: 11
Username                  Successes  Failures  Blocks
vayu-ap-1                      2235         0       0
vayu-ap-2                      2235         0       0
vayu-ap-3                      2246         0       0
vayu-ap-4                      2247         0       0
vayu-ap-5                      2247         0       0
vayu-11                           3         0       0
vayu-12                           5         0       0
vayu-13                           5         0       0
vayu-14                          30         0       0
vayu-15                           3         0       0
scm-test                          1         8       0

Related Commands

Command
Description

block count

Configures the parameters for locking out members of a group to help protect against unauthorized attacks.

clear radius local-server

Clears the statistics display or unblocks a user.

debug radius local-server

Displays the debug information for the local server.

group

Enters user group configuration mode and configures shared setting for a user group.

nas

Adds an access point or router to the list of devices that use the local authentication server.

radius-server host

Specifies the remote RADIUS server host.

radius-server local

Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.

reauthentication time

Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.

ssid

Specifies up to 20 SSIDs to be used by a user group.

user

Authorizes a user to authenticate using the local authentication server.

vlan

Specifies a VLAN to be used by members of a user group.


show radius statistics

To display the RADIUS statistics for accounting and authentication packets, use the show radius statistics command in EXEC mode.

show radius statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.1(3)T

This command was introduced.


Examples

The following example is sample output for the show radius statistics command:

Router# show radius statistics
                                   Auth.      Acct.       Both
          Maximum inQ length:        NA         NA          1
        Maximum waitQ length:        NA         NA          1
        Maximum doneQ length:        NA         NA          1
        Total responses seen:         3          0          3
      Packets with responses:         3          0          3
   Packets without responses:         0          0          0
  Average response delay(ms):      5006          0       5006
  Maximum response delay(ms):     15008          0      15008
   Number of Radius timeouts:         3          0          3
        Duplicate ID detects:         0          0          0

Table 67 describes significant fields shown in the display.

Table 67 show radius statistics Field Descriptions 

Field
Description

Auth.

Statistics for authentication packets.

Acct.

Statistics for accounting packets.

Both

Combined statistics for authentication and accounting packets.

Maximum inQ length

Maximum number of entries allowed in the queue that holds the RADIUS messages not yet sent.

Maximum waitQ length

Maximum number of entries allowed in the queue that holds the RADIUS messages that have been sent and are waiting for a response.

Maximum doneQ length

Maximum number of entries allowed in the queue that holds the messages that have received a response and will be forwarded to the code that is waiting for the messages.

Total responses seen

Number of RADIUS responses seen from the server. In addition to the expected packets, this includes repeated packets and packets that do not have a matching message in the waitQ.

Packets with responses

Number of packets that received a response from the RADIUS server.

Packets without responses

Number of packets that never received a response from any RADIUS server.

Average response delay

Average time from when the packet was first transmitted to when it received a response. If the response timed out and the packet was sent again, this value includes the timeout. If the packet never received a response, this is not included in the average.

Maximum response delay

Maximum delay observed while gathering average response delay information.

Number of RADIUS timeouts

Number of times a server did not respond within the radius-server timeout interval and the router retransmitted the packet.

Duplicate ID detects

The RADIUS Identifier field is a single octet, so only 256 unique IDs are available. In some instances there can be more outstanding packets than that. When a packet is received, the doneQ is searched from the oldest entry to the youngest. If the IDs are the same, further techniques are used to see whether this response matches this entry. If it is determined that this does not match, the duplicate ID detect counter is increased.
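The "further techniques" used to tell apart two outstanding requests that share an Identifier are worth seeing concretely. The following Python block is an added example written for this page, not Cisco's implementation: it disambiguates by verifying the RFC 2865 Response Authenticator, MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), against each same-ID entry in oldest-first order, counting the mismatches the way the Duplicate ID detects counter does. That IOS performs exactly this check during its doneQ search is an assumption, and the packets, authenticators and shared secret are constructed for the example.

```python
"""Matching a RADIUS response to the right outstanding request when two
requests share the same one-octet Identifier.

Added illustration, not Cisco's implementation. Disambiguation uses the
RFC 2865 Response Authenticator; that IOS does exactly this in its doneQ
search is an assumption. All packet contents below are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length (authenticator follows)


def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865 section 3: MD5 over the response header, the matching
    request's 16-byte authenticator, the attributes and the shared secret."""
    length = HEADER.size + 16 + len(attributes)
    h = hashlib.md5(HEADER.pack(code, ident, length))
    h.update(request_auth)
    h.update(attributes)
    h.update(secret)
    return h.digest()


def build_response(code, ident, request_auth, secret, attributes=b""):
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    length = HEADER.size + 16 + len(attributes)
    return HEADER.pack(code, ident, length) + auth + attributes


def parse_packet(packet):
    code, ident, length = HEADER.unpack_from(packet)
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field out of range")
    return code, ident, packet[4:20], packet[20:length]


def match_response(response, outstanding, secret):
    """Search outstanding requests oldest-first for the one this response
    answers. outstanding is a list of (identifier, request_authenticator).
    Returns (index or None, number of same-ID entries that did not match);
    the second value is what the Duplicate ID detects counter tracks."""
    code, ident, resp_auth, attrs = parse_packet(response)
    duplicate_id_detects = 0
    for i, (req_ident, req_auth) in enumerate(outstanding):
        if req_ident != ident:
            continue
        expected = response_authenticator(code, ident, req_auth, attrs, secret)
        if hmac.compare_digest(expected, resp_auth):
            return i, duplicate_id_detects
        duplicate_id_detects += 1    # same ID, wrong authenticator: not ours
    return None, duplicate_id_detects


def demo():
    secret = b"example-shared-secret"            # constructed
    # Two Access-Requests that wrapped onto Identifier 7 but carry
    # different 16-byte Request Authenticators.
    older = (7, bytes(range(16)))
    newer = (7, bytes(range(16, 32)))
    outstanding = [older, newer]
    # The server answers the newer request ...
    good = build_response(ACCESS_ACCEPT, 7, newer[1], secret)
    # ... while a reply built with the wrong secret matches neither entry.
    forged = build_response(ACCESS_ACCEPT, 7, newer[1], b"wrong-secret")
    return (match_response(good, outstanding, secret),
            match_response(forged, outstanding, secret))
```

Two points follow from the check: the Request Authenticator must be unpredictable for each request, or an attacker who observes one exchange can precompute replies for a later request with the same ID; and a "Duplicate ID detects" count that rises without a matching rise in outstanding requests is a sign of replayed or spoofed responses, not just ID wraparound.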


Related Commands

Command
Description

radius-server host

Specifies a RADIUS server host.

radius-server retransmit

Specifies how many times the Cisco IOS software searches the list of RADIUS server hosts before giving up.

radius-server timeout

Sets the interval for which a router waits for a server host to reply.


show secure bootset

To display the status of Cisco IOS image and configuration resilience, use the show secure bootset command in privileged EXEC mode.

show secure bootset

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Use the show secure bootset command instead of the dir command, the Cisco IOS directory listing command, to verify the existence of an image archive. This command will also display output that shows whether the image or configuration archive is ready for upgrade.

Examples

The following is self-explanatory sample output from the show secure bootset command:

Router# show secure bootset

%IOS image and configuration resilience is not active


Router# show secure bootset

IOS resilience router id JMX0704L5GH

IOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun 16 2002
Secure archive slot0:c3745-js2-mz type is image (elf) []
  file size is 25469248 bytes, run size is 25634900 bytes
  Runnable image, entry point 0x80008000, run from ram

IOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun 16 2002
Secure archive slot0:.runcfg-20020616-081702.ar type is config
configuration archive size 1059 bytes

Related Commands

Command
Description

dir

Displays a list of files on a file system.

secure boot-config

Saves a secure copy of the router running configuration in persistent storage.

secure boot-image

Enables Cisco IOS image resilience.


show ssh

To display the status of Secure Shell (SSH) server connections, use the show ssh command in privileged EXEC mode.

show ssh

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(5)T

This command was introduced.


Usage Guidelines

Use the show ssh command to display the status of the SSH connections on your router. This command does not display any SSH configuration data; use the show ip ssh command for SSH configuration information such as timeouts and retries.

Examples

The following is sample output from the show ssh command with SSH enabled:

Router# show ssh

Connection      Version     Encryption     State               Username
0               1.5         3DES           Session Started     guest

The following is sample output from the show ssh command with SSH disabled:

Router# show ssh
%No SSH server connections running.

Related Commands

Command
Description

show ip ssh

Displays the version and configuration data for SSH.


show tacacs

To display statistics for a TACACS+ server, use the show tacacs command in EXEC mode.

show tacacs

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.2

This command was introduced.


Examples

The following example is sample output for the show tacacs command:

Router# show tacacs 

Tacacs+ Server            : 172.19.192.80/49
              Socket opens:          3
             Socket closes:          3
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:          7
        Total Packets Recv:          7
          Expected Replies:          0
  No current connection

Table 68 describes the significant fields shown in the display.

Table 68 show tacacs Field Descriptions 

Field
Description

Tacacs+ Server

IP address and TCP port (49) of the TACACS+ server.

Socket opens

Number of successful TCP socket connections to the TACACS+ server.

Socket closes

Number of successfully closed TCP socket attempts.

Socket aborts

Number of premature TCP socket closures to the TACACS+ server; that is, the peer did not wait for a reply from the server after the peer sent its request.

Socket errors

Any other socket read or write errors, such as incorrect packet format and length.

Failed Connect Attempts

Number of failed TCP socket connections to the TACACS+ server.

Total Packets Sent

Number of packets sent to the TACACS+ server.

Total Packets Recv

Number of packets received from the TACACS+ server.

Expected Replies

Number of outstanding replies from the TACACS+ server.


Related Commands

Command
Description

tacacs-server host

Specifies a TACACS+ host.


show tcp intercept connections

To display TCP incomplete and established connections, use the show tcp intercept connections command in EXEC mode.

show tcp intercept connections

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

Use the show tcp intercept connections command to display TCP incomplete and established connections.

Examples

The following is sample output from the show tcp intercept connections command:

Router# show tcp intercept connections 

Incomplete:
Client                Server                State    Create   Timeout  Mode
172.19.160.17:58190   10.1.1.30:23          SYNRCVD  00:00:09 00:00:05 I
172.19.160.17:57934   10.1.1.30:23          SYNRCVD  00:00:09 00:00:05 I
Established:
Client                Server                State    Create   Timeout  Mode
171.69.232.23:1045    10.1.1.30:23          ESTAB    00:00:08 23:59:54 I

Table 69 describes significant fields shown in the display.

Table 69 show tcp intercept connections Field Descriptions 

Field
Description

Incomplete:

Rows of information under "Incomplete" indicate connections that are not yet established.

Client

IP address and port of the client.

Server

IP address and port of the server being protected by TCP intercept.

State

SYNRCVD—establishing with client.

SYNSENT—establishing with server.

ESTAB—established with both, passing data.

Create

Hours:minutes:seconds since the connection was created.

Timeout

Hours:minutes:seconds until the retransmission timeout.

Mode

I—intercept mode.

W—watch mode.

Established:

Rows of information under "Established" indicate connections that are established. The fields are the same as those under "Incomplete" except for the Timeout field described below.

Timeout

Hours:minutes:seconds until the connection will timeout, unless the software sees a FIN exchange, in which case this indicates the hours:minutes:seconds until the FIN or RESET timeout.
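During a SYN flood the interesting question is which clients are holding the half-open connections, which the raw display does not aggregate. The following Python block is an added example written for this page, not Cisco code: it parses the show tcp intercept connections and show tcp intercept statistics output shown above (the sample text is embedded inline), counts half-open connections per client address and flags those above a threshold. The threshold and the "suspicious" label are this example's own choices.

```python
"""Parse 'show tcp intercept connections' / 'show tcp intercept statistics'
output and flag clients holding many half-open connections.

Added illustration, not Cisco code. The embedded sample text is the output
shown on this page; the threshold and the labelling are this example's own.
"""
import re
from collections import Counter

SAMPLE_CONNECTIONS = """\
Incomplete:
Client                Server                State    Create   Timeout  Mode
172.19.160.17:58190   10.1.1.30:23          SYNRCVD  00:00:09 00:00:05 I
172.19.160.17:57934   10.1.1.30:23          SYNRCVD  00:00:09 00:00:05 I
Established:
Client                Server                State    Create   Timeout  Mode
171.69.232.23:1045    10.1.1.30:23          ESTAB    00:00:08 23:59:54 I
"""

SAMPLE_STATISTICS = """\
intercepting new connections using access-list 101
2 incomplete, 1 established connections (total 3)
1 minute connection request rate 2 requests/sec
"""

ROW = re.compile(
    r"^(?P<cip>\S+):(?P<cport>\d+)\s+(?P<sip>\S+):(?P<sport>\d+)\s+"
    r"(?P<state>SYNRCVD|SYNSENT|ESTAB)\s+(?P<create>\d\d:\d\d:\d\d)\s+"
    r"(?P<timeout>\d\d:\d\d:\d\d)\s+(?P<mode>[IW])\s*$")


def hms_to_seconds(text):
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_connections(text):
    """Return one dict per connection row, tagged with its section."""
    section, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if line == "Incomplete:":
            section = "incomplete"
        elif line == "Established:":
            section = "established"
        else:
            m = ROW.match(line)
            if m and section:          # column headers do not match ROW
                row = m.groupdict()
                row["section"] = section
                row["create_s"] = hms_to_seconds(row["create"])
                row["timeout_s"] = hms_to_seconds(row["timeout"])
                rows.append(row)
    return rows


def parse_statistics(text):
    """Pull the ACL, connection counts and request rate out of the summary."""
    stats = {}
    m = re.search(r"using access-list (\S+)", text)
    if m:
        stats["acl"] = m.group(1)
    m = re.search(r"(\d+) incomplete, (\d+) established connections "
                  r"\(total (\d+)\)", text)
    if m:
        stats["incomplete"], stats["established"], stats["total"] = map(int, m.groups())
    m = re.search(r"1 minute connection request rate (\d+) requests/sec", text)
    if m:
        stats["rate_per_sec"] = int(m.group(1))
    return stats


def half_open_by_client(rows):
    """Half-open (SYNRCVD/SYNSENT) connections per client address."""
    return Counter(r["cip"] for r in rows if r["section"] == "incomplete")


def suspicious_clients(rows, threshold):
    """Clients with at least `threshold` half-open connections, sorted."""
    return sorted(ip for ip, n in half_open_by_client(rows).items()
                  if n >= threshold)
```

Fed the page's sample output, the parser reports two half-open connections from 172.19.160.17 and one established connection from 171.69.232.23. On a real device the per-client count is only meaningful for clients that do not spoof their source; a flood from random spoofed addresses shows up instead as a high incomplete count and request rate in the statistics output with no single client standing out.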


Related Commands

Command
Description

ip tcp intercept connection-timeout

Changes how long a TCP connection will be managed by the TCP intercept after no activity.

ip tcp intercept finrst-timeout

Changes how long after receipt of a reset or FIN-exchange the software ceases to manage the connection.

ip tcp intercept list

Enables TCP intercept.

show tcp intercept statistics

Displays TCP intercept statistics.


show tcp intercept statistics

To display TCP intercept statistics, use the show tcp intercept statistics command in EXEC mode.

show tcp intercept statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

Use the show tcp intercept statistics command to display TCP intercept statistics.

Examples

The following is sample output from the show tcp intercept statistics command:

Router# show tcp intercept statistics

intercepting new connections using access-list 101
2 incomplete, 1 established connections (total 3)
1 minute connection request rate 2 requests/sec

Related Commands

Command
Description

ip tcp intercept connection-timeout

Changes how long a TCP connection will be managed by the TCP intercept after no activity.

ip tcp intercept finrst-timeout

Changes how long after receipt of a reset or FIN-exchange the software ceases to manage the connection.

ip tcp intercept list

Enables TCP intercept.

show tcp intercept connections

Displays TCP incomplete and established connections.


show usb controllers

To display USB host controller information, use the show usb controllers command in Privileged EXEC mode.

show usb controllers [controller-number]

Syntax Description

controller-number

(Optional) Displays information only for the specified controller.


Defaults

Information about all controllers on the system is displayed.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

Use the show usb controllers command to display content such as controller register specific information, current asynchronous buffer addresses, and period scheduling information. You can also use this command to verify that copy operations are occurring successfully onto a USB flash module.

Examples

The following example is sample output from the show usb controllers command:

Router# show usb controllers

Name:1362HCD
Controller ID:1
Controller Specific Information:
    Revision:0x11
    Control:0x80
    Command Status:0x0
    Hardware Interrupt Status:0x24
    Hardware Interrupt Enable:0x80000040
    Hardware Interrupt Disable:0x80000040
    Frame Interval:0x27782EDF
    Frame Remaining:0x13C1
    Frame Number:0xDA4C
    LSThreshold:0x628
    RhDescriptorA:0x19000202
    RhDescriptorB:0x0
    RhStatus:0x0
    RhPort1Status:0x100103
    RhPort2Status:0x100303
    Hardware Configuration:0x3029
    DMA Configuration:0x0
    Transfer Counter:0x1
    Interrupt:0x9
    Interrupt Enable:0x196
    Chip ID:0x3630
    Buffer Status:0x0
    Direct Address Length:0x80A00
    ATL Buffer Size:0x600
    ATL Buffer Port:0x0
    ATL Block Size:0x100
    ATL PTD Skip Map:0xFFFFFFFF
    ATL PTD Last:0x20
    ATL Current Active PTD:0x0
    ATL Threshold Count:0x1
    ATL Threshold Timeout:0xFF

Int Level:1
Transfer Completion Codes:
         Success              :920              CRC             :0       
         Bit Stuff            :0                Stall           :0       
         No Response          :0                Overrun         :0       
         Underrun             :0                Other           :0       
         Buffer Overrun       :0                Buffer Underrun :0       
Transfer Errors:
         Canceled Transfers   :2                Control Timeout :0       
Transfer Failures:
         Interrupt Transfer   :0                Bulk Transfer   :0       
         Isochronous Transfer :0                Control Transfer:0       
Transfer Successes:
         Interrupt Transfer   :0                Bulk Transfer   :26      
         Isochronous Transfer :0                Control Transfer:894     

USBD Failures:
         Enumeration Failures :0                No Class Driver Found:0       
         Power Budget Exceeded:0       

USB MSCD SCSI Class Driver Counters:
         Good Status Failures :3