Cisco IOS Security Command Reference, Release 12.3 T
Security Commands: show crypto isakmp key through subject-name

Table Of Contents

show crypto isakmp key

show crypto isakmp peer

show crypto isakmp policy

show crypto isakmp profile

show crypto isakmp sa

show crypto key mypubkey rsa

show crypto key pubkey-chain rsa

show crypto map (IPSec)

show crypto mib ipsec flowmib history failure size

show crypto mib ipsec flowmib history tunnel size

show crypto mib ipsec flowmib version

show crypto pki certificates

show crypto pki crls

show crypto pki server

show crypto pki timers

show crypto pki trustpoints

show crypto session

show crypto session group

show crypto session summary

show crypto socket

show dnsix

show dot1x

show dot1x (EtherSwitch)

show eou

show ip admission

show ip auth-proxy

show ip inspect

show ip ips

show ip port-map

show ip sdee

show ip source-track

show ip source-track export flows

show ip ssh

show ip traffic-export

show ip trigger-authentication

show ip urlfilter cache

show ip urlfilter config

show ip urlfilter statistics

show ip virtual-reassembly

show kerberos creds

show login

show parser view

show ppp queues

show privilege

show radius local-server statistics

show radius statistics

show secure bootset

show ssh

show tacacs

show tcp intercept connections

show tcp intercept statistics

show usb controllers

show usb device

show usb driver

show usb port

show usbtoken

show usb tree

show webvpn sessions

show webvpn statistics

show wlccp wds

shutdown (certificate server)

snmp-server enable traps ipsec

snmp-server enable traps isakmp

source interface

split-dns

ssh

ssid

ssl encryption

ssl trustpoint

strict-http

subject-name


show crypto isakmp key

To list the keyrings and their preshared keys, use the show crypto isakmp key command in EXEC mode.

show crypto isakmp key

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following is sample output for the show crypto isakmp key command:

Router# show crypto isakmp key

Hostname/Address       Preshared Key
vpn1                   : 172.16.1.1          vpn1
vpn2                   : 10.1.1.1            vpn2

The following configuration was in effect when the above show crypto isakmp key command was issued:

crypto keyring vpn1 
  pre-shared-key address 172.16.1.1 key vpn1
crypto keyring vpn2 
  pre-shared-key address 10.1.1.1 key vpn2

Table 41 describes significant fields in the show crypto isakmp key display.

Table 41 show crypto isakmp key Field Descriptions

Field
Description

Hostname/Address

The preshared key host name or address.

Preshared Key

The preshared key.

keyring

Name of the crypto keyring. The global keys are listed in the default keyring.

VRF string

The virtual route forwarding (VRF) of the keyring. If the keyring does not have a VRF, an empty string is printed.


show crypto isakmp peer

To display peer descriptions, use the show crypto isakmp peer command in privileged EXEC mode.

show crypto isakmp peer

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)T

This command was introduced.


Examples

The following output example shows information about the peer named "This-is-another-peer-at-10-1-1-3":

Router# show crypto isakmp peer

Peer: 10.1.1.3 Port: 500
 Description: This-is-another-peer-at-10-1-1-3
 Phase1 id: 10.1.1.3

Table 42 describes the significant fields shown in the display.

Table 42 show crypto isakmp peer Field Descriptions 

Field
Description

Phase1 id

Internet Key Exchange (IKE) ID


Related Commands

Command
Description

clear crypto session

Deletes crypto sessions (IPSec and IKE) SAs.

description

Adds a description for an IKE peer.

show crypto session

Displays status information for active crypto sessions in a router.


show crypto isakmp policy

To display the parameters for each Internet Key Exchange (IKE) policy, use the show crypto isakmp policy command in EXEC mode.

show crypto isakmp policy

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.3 T

This command was introduced.

12.2(13)T

The command output was expanded to include a warning message for users who try to configure an IKE encryption method that the hardware does not support.


Examples

The following is sample output from the show crypto isakmp policy command, after two IKE policies have been configured (with priorities 15 and 20, respectively):

Router# show crypto isakmp policy

Protection suite priority 15
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm:  Message Digest 5
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #2 (1024 bit)
        lifetime:      5000 seconds, no volume limit
Protection suite priority 20
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   preshared Key
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      10000 seconds, no volume limit
Default protection suite
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      86400 seconds, no volume limit

Note Although the output shows "no volume limit" for the lifetimes, you can currently configure only a time lifetime (such as 86,400 seconds); volume limit lifetimes are not used.


The following sample output from the show crypto isakmp policy command displays a warning message after a user tries to configure an IKE encryption method that the hardware does not support:

Router# show crypto isakmp policy

Protection suite of priority 1
        encryption algorithm:  AES - Advanced Encryption Standard (256 bit keys).
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1
        hash algorithm:        Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group:  #1 (768 bit)
        lifetime:              3600 seconds, no volume limit
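
As an added illustration of how this output can be consumed (not code from the reference), the Python below parses the protection suites, tolerates the unindented WARNING lines shown above, and flags single DES, MD5 and Diffie-Hellman groups under 2048 bits. The thresholds are this example's own choices, not IOS defaults.

```python
"""Audit 'show crypto isakmp policy' output for weak IKE phase 1 settings."""
import re

# Constructed input: three suites copied from the examples on this page,
# including the hardware WARNING that interrupts the normal field layout.
SAMPLE = """\
Protection suite priority 15
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm:  Message Digest 5
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #2 (1024 bit)
        lifetime:      5000 seconds, no volume limit
Protection suite of priority 1
        encryption algorithm:  AES - Advanced Encryption Standard (256 bit keys).
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1
        hash algorithm:        Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group:  #1 (768 bit)
        lifetime:              3600 seconds, no volume limit
Default protection suite
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      86400 seconds, no volume limit
"""

# Matches "Protection suite priority 15", "Protection suite of priority 1"
# and "Default protection suite".
HEADER_RE = re.compile(r"^(?:Protection suite (?:of )?priority (\d+)|Default protection suite)$")
# Field lines are indented "name:   value"; the WARNING lines are not indented.
FIELD_RE = re.compile(r"^\s+([A-Za-z -]+?):\s*(.+)$")


def parse_policies(text):
    """Return one dict per protection suite; unparsed lines become 'warnings'."""
    policies, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        hm = HEADER_RE.match(line.strip())
        if hm:
            current = {"priority": int(hm.group(1)) if hm.group(1) else "default",
                       "warnings": []}
            policies.append(current)
            continue
        if current is None:
            continue
        fm = FIELD_RE.match(line)
        if fm:
            current[fm.group(1).strip().lower()] = fm.group(2).strip()
        else:
            current["warnings"].append(line.strip())
    return policies


def audit_policy(policy, min_dh_bits=2048):
    """Findings for one suite (thresholds are this example's, not IOS defaults)."""
    findings = []
    if policy.get("encryption algorithm", "").startswith("DES"):
        findings.append("weak encryption: single DES")
    if "Message Digest 5" in policy.get("hash algorithm", ""):
        findings.append("weak hash: MD5")
    dh = re.search(r"#(\d+) \((\d+) bit\)", policy.get("diffie-hellman group", ""))
    if dh and int(dh.group(2)) < min_dh_bits:
        findings.append("weak DH group %s (%s-bit modulus)" % dh.groups())
    for warning in policy["warnings"]:
        findings.append("platform warning: " + warning)
    return findings


def audit_report(text):
    """Map each suite's priority to its findings; suites with none are omitted."""
    report = {}
    for policy in parse_policies(text):
        findings = audit_policy(policy)
        if findings:
            report[policy["priority"]] = findings
    return report
```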

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

group (IKE policy)

Specifies the DH group identifier within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.


show crypto isakmp profile

To list all the Internet Security Association and Key Management Protocol (ISAKMP) profiles that are defined on a router, use the show crypto isakmp profile command in EXEC mode.

show crypto isakmp profile

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following is sample output for the show crypto isakmp profile command:

Router# show crypto isakmp profile

ISAKMP PROFILE vpn1-ra
   Identities matched are:
group vpn1-ra
   Identity presented is: ip-address

Table 43 describes significant fields in the display.

Table 43 show crypto isakmp profile Field Descriptions

Field
Description

ISAKMP PROFILE

Name of the ISAKMP profile.

Identities matched are:

Lists all identities that the ISAKMP profile will match.

Identity presented is:

The identity that the ISAKMP profile will present to the remote endpoint.


The following configuration was in effect when the above show crypto isakmp profile command was issued:

crypto isakmp profile vpn1-ra
 vrf vpn1
 self-identity address
 match identity group vpn1-ra
 client authentication list aaa-list
 isakmp authorization list aaa
 client configuration address initiate
 client configuration address respond

Related Commands

Command
Description

show crypto isakmp key

Lists the keyrings and their preshared keys.


show crypto isakmp sa

To display current Internet Key Exchange (IKE) security associations (SAs), use the show crypto isakmp sa command in privileged EXEC mode.

show crypto isakmp sa [active | standby]

Syntax Description

active

(Optional) All existing IKE SAs that are in an active state are displayed.

standby

(Optional) All existing IKE SAs that are in standby state are displayed.


Command Modes

Privileged EXEC

Command History

Release
Modification

11.3 T

This command was introduced.

12.3(11)T

The active and standby keywords were added.


Usage Guidelines

If neither the active keyword nor the standby keyword is specified, current SAs for all configured routers are shown.

Examples

The following sample output shows the SAs of both the active and standby devices:

Router# show crypto isakmp sa

dst             src             state          conn-id slot status
209.165.201.3   209.165.200.225 QM_IDLE              2    0 STDBY 
10.0.0.1        10.0.0.2        QM_IDLE              1    0 ACTIVE

The following sample output shows the SAs of only the active device:

Router# show crypto isakmp sa active

dst             src             state          conn-id slot status
209.165.201.3   209.165.200.225 QM_IDLE              5    0 ACTIVE

The following sample output shows the SAs of only the standby device:

Router# show crypto isakmp sa standby

dst             src             state          conn-id slot status
209.165.201.3   209.165.200.225 QM_IDLE              5    0 STDBY 
209.165.201.3   209.165.200.225 QM_IDLE              1    0 STDBY 


Table 44 through Table 47 show the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it will most likely be in its quiescent state (QM_IDLE). For long exchanges, some of the MM_xxx states may be observed.

Table 44 States in Main Mode Exchange

State
Explanation

MM_NO_STATE

The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage—there is no state.

MM_SA_SETUP

The peers have agreed on parameters for the ISAKMP SA.

MM_KEY_EXCH

The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.

MM_KEY_AUTH

The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a Quick Mode exchange begins.


Table 45 States in Aggressive Mode Exchange 

State
Explanation

AG_NO_STATE

The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage—there is no state.

AG_INIT_EXCH

The peers have done the first exchange in aggressive mode, but the SA is not authenticated.

AG_AUTH

The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a quick mode exchange begins.


Table 46 States in Quick Mode Exchange

State
Explanation

QM_IDLE

The ISAKMP SA is idle. It remains authenticated with its peer and may be used for subsequent quick mode exchanges. It is in a quiescent state.


Table 47 show crypto isakmp sa Field Descriptions

Field
Description

f_vrf/i_vrf

The front door virtual routing and forwarding (FVRF) and the inside VRF (IVRF) of the IKE SA. If the FVRF is global, the output shows f_vrf as an empty field.


Related Commands

Command
Description

crypto isakmp policy

Defines an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.


show crypto key mypubkey rsa

To display the RSA public keys of your router, use the show crypto key mypubkey rsa command in privileged EXEC mode.

show crypto key mypubkey rsa

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

11.3 T

This command was introduced.

12.3(7)T

The show output was modified to display whether an RSA key is protected (encrypted) and locked or unlocked.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.


Usage Guidelines

This command displays the RSA public keys of your router.


Note Secure Shell (SSH) may generate an additional RSA keypair if you generate a keypair on a router having no RSA keys. The additional keypair is used only by SSH and will have a name such as {router_FQDN}.server. For example, if a router name is "router1.cisco.com," the keyname is "router1.cisco.com.server."


Examples

The following is sample output from the show crypto key mypubkey rsa command. Special usage RSA keys were previously generated for this router using the crypto key generate rsa command.

% Key pair was generated at: 06:07:49 UTC Jan 13 1996
Key name: myrouter.example.com
 Usage: Signature Key
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 
  04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 
  BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001

% Key pair was generated at: 06:07:50 UTC Jan 13 1996
Key name: myrouter.example.com
 Usage: Encryption Key
 Key Data:
  00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
  18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
  07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21

The following example shows how to encrypt the RSA key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the RSA key is encrypted (protected) and unlocked.

Router(config)# crypto key encrypt rsa name pki1-72a.cisco.com passphrase cisco1234
Router(config)# exit
Router# show crypto key mypubkey rsa

% Key pair was generated at:00:15:32 GMT Jun 25 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and UNLOCKED. ***
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E0CC9A 1D23B52C
CD00910C ABD392AE BA6D0E3F FC47A0EF 8AFEE340 0EC1E62B D40E7DCC 23C4D09E
03018B98 E0C07B42 3CFD1A32 2A3A13C0 1FF919C5 8DE9565F 1F020301 0001

% Key pair was generated at:00:15:33 GMT Jun 25 2003
Key name:pki1-72a.cisco.com.server
Usage:Encryption Key
Key is exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D3491E 2A21D383
854D7DA8 58AFBDAC 4E11A7DD E6C40AC6 66473A9F 0C845120 7C0C6EC8 1FFF5757
3A41CE04 FDCB40A4 B9C68B4F BC7D624B 470339A3 DE739D3E F7DDB549 91CD4DA4
DF190D26 7033958C 8A61787B D40D28B8 29BCD0ED 4E6275C0 6D020301 0001
Router#

The following example shows how to lock the key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the key is protected (encrypted) and locked.

Router# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234
! 
Router# show crypto key mypubkey rsa

% Key pair was generated at:20:29:41 GMT Jun 20 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and LOCKED. ***
Key is exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
0D2B55AC 5D199F2F 7CB4B355 C555E07B 6D0DECBE 4519B1F0 75B12D6F 902D6E9F
B6FDAD8D 654EF851 5701D5D7 EDA047ED 9A2A619D 5639DF18 EB020301 0001

Related Commands

Command
Description

crypto key encrypt rsa

Encrypts the RSA private key.

crypto key generate rsa (IKE)

Generates RSA key pairs.

crypto key lock rsa

Locks the RSA private key in a router.


show crypto key pubkey-chain rsa

To display the RSA public keys of the peer that are stored on your router, use the show crypto key pubkey-chain rsa command in EXEC mode.

show crypto key pubkey-chain rsa [name key-name | address key-address]

Syntax Description

name key-name

(Optional) The name of a particular public key to view.

address key-address

(Optional) The address of a particular public key to view.


Command Modes

EXEC

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

This command shows RSA public keys stored on your router. This includes peers' RSA public keys manually configured at your router and keys received by your router via other means (such as by a certificate, if certification authority support is configured).

If a router reboots, any public key derived by certificates will be lost. This is because the router will ask for certificates again, at which time the public key will be derived again.

Use the name or address keywords to display details about a particular RSA public key stored on your router.

If no keywords are used, this command displays a list of all RSA public keys stored on your router.

Examples

The following is sample output from the show crypto key pubkey-chain rsa command:

Router# show crypto key pubkey-chain rsa

Codes: M - Manually Configured, C - Extracted from certificate

Code  Usage        IP-address     Name
M     Signature    10.0.0.1       myrouter.example.com
M     Encryption   10.0.0.1       myrouter.example.com
C     Signature    172.16.0.1     routerA.example.com
C     Encryption   172.16.0.1     routerA.example.com
C     General      192.168.10.3   routerB.domain1.com

This sample shows manually configured special usage RSA public keys for the peer "somerouter." This sample also shows three keys obtained from peers' certificates: special usage keys for peer "routerA" and a general purpose key for peer "routerB."

Certificate support is in use in the above example; if it were not, none of the peers' keys would show "C" in the Code column, and all of them would have to be manually configured.

The following is sample output when you issue the command show crypto key pubkey-chain rsa name somerouter.example.com:

Router# show crypto key pubkey-chain rsa name somerouter.example.com

Key name: somerouter.example.com
Key address: 10.0.0.1
 Usage: Signature Key
 Source: Manual
 Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 
  04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 
  BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001

Key name: somerouter.example.com
Key address: 10.0.0.1
 Usage: Encryption Key
 Source: Manual
 Data:
  00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
  18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
  07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21


Note The Source field in the above example indicates "Manual," meaning that the keys were manually configured on the router, not received in the peer's certificate.


The following is sample output when you issue the command show crypto key pubkey-chain rsa address 192.168.10.3:

Router# show crypto key pubkey-chain rsa address 192.168.10.3

Key name: routerB.example.com
Key address: 192.168.10.3
 Usage: General Purpose Key
 Source: Certificate
 Data:
  0738BC7A 2BC3E9F0 679B00FE 53987BCC 01030201 42DD06AF E228D24C 458AD228
  58BB5DDD F4836401 2A2D7163 219F882E 64CE69D4 B583748A 241BED0F 6E7F2F16
  0DE0986E DF02031F 4B0B0912 F68200C4 C625C389 0BFF3321 A2598935 C1B1

The Source field in the above example indicates "Certificate," meaning that the keys were received by the router by way of the other router's certificate.
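
The hex Key Data that both show crypto key mypubkey rsa and show crypto key pubkey-chain rsa print is a DER-encoded SubjectPublicKeyInfo (the bytes 30 0D 06 09 2A864886F70D010101 05 00 at the start are the rsaEncryption AlgorithmIdentifier). As an added example, not part of the reference, the Python below decodes it to recover the modulus size and public exponent; the SHA-256 digest and the 2048-bit threshold are this example's own conventions, not values IOS prints.

```python
"""Decode the DER 'Key Data' block that show crypto key mypubkey rsa and
show crypto key pubkey-chain rsa print in hex."""
import hashlib

# Constructed input: the Signature Key Data printed for somerouter.example.com on this page.
KEY_DATA = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22
04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
"""
RSA_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1 (rsaEncryption)


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_key_data(hex_text):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return its parameters."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Key Data is not one DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)            # AlgorithmIdentifier { OID, NULL }
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag, bits, _ = _tlv(spki, pos)           # BIT STRING; first byte is the unused-bit count
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsa, _ = _tlv(bits, 1)                # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, pos = _tlv(rsa, 0)
    _, e_bytes, _ = _tlv(rsa, pos)
    n = int.from_bytes(n_bytes, "big")       # the leading 0x00 sign pad drops out here
    return {
        "modulus_bits": n.bit_length(),
        "exponent": int.from_bytes(e_bytes, "big"),
        # Digest of the whole DER blob: this example's convention for comparing a key
        # across devices, not a field that IOS itself prints.
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def check_key(hex_text, min_bits=2048):
    """Findings for one key; the threshold is this example's, not an IOS default."""
    info = decode_key_data(hex_text)
    findings = []
    if info["modulus_bits"] < min_bits:
        findings.append("RSA modulus is %d bits, below %d" % (info["modulus_bits"], min_bits))
    if info["exponent"] != 65537:
        findings.append("unusual public exponent %d" % info["exponent"])
    return findings
```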

show crypto map (IPSec)

To display the crypto map configuration, use the show crypto map command in privileged EXEC or user EXEC mode.

show crypto map [interface interface | tag map-name]

Syntax Description

interface interface

(Optional) Displays only the crypto map set that is applied to the specified interface.

tag map-name

(Optional) Displays only the crypto map set with the specified map-name.


Defaults

No crypto maps are shown.

Command Modes

Privileged EXEC
User EXEC

Command History

Release
Modification

11.2

This command was introduced.

12.3(8)T

Output has been modified to display the crypto input and output access control lists (ACLs) that have been configured.


Usage Guidelines

The show crypto map command provides output that is IP specific, and it allows you to specify a particular crypto map.

Examples

The following example shows that crypto input and output ACLs have been configured:

Router# show crypto map

Crypto Map "test" 10 ipsec-isakmp
 Peer
 Extended IP access list ipsec_acl 
  access-list ipsec_acl permit ip 192.168.2.0 0.0.0.255 192.168.102.0 0.0.0.255 
 Extended IP access check IN list 110 
  access-list 110 permit ip host 192.168.102.47 192.168.2.0 0.0.0.15
  access-list 110 permit ip host 192.168.102.47 192.168.2.32 0.0.0.15
  access-list 110 permit ip host 192.168.102.47 192.168.2.64 0.0.0.15
  access-list 110 permit ip host 192.168.102.57 192.168.2.0 0.0.0.15
  access-list 110 permit ip host 192.168.102.57 192.168.2.32 0.0.0.15
  access-list 110 permit ip host 192.168.102.57 192.168.2.64 0.0.0.15
 Extended IP access check OUT list 120
  access-list 120 permit ip 192.168.2.0 0.0.0.15 host 192.168.102.47 
  access-list 120 permit ip 192.168.2.32 0.0.0.15 host 192.168.102.47
  access-list 120 permit ip 192.168.2.64 0.0.0.15 host 192.168.102.47
  access-list 120 permit ip 192.168.2.0 0.0.0.15 host 192.168.102.57
  access-list 120 permit ip 192.168.2.32 0.0.0.15 host 192.168.102.57
  access-list 120 permit ip 192.168.2.64 0.0.0.15 host 192.168.102.57
 Current peer: 10.0.0.2 
 Security association lifetime: 4608000 kilobytes/3600 seconds 
 PFS (Y/N): N 
 Transform sets=test
 Interfaces using crypto map test: 
  Serial0/1

Table 48 describes the output in the display.

Table 48 show crypto map Field Descriptions

Field
Description

Peer

Possible peers that are configured for this crypto map entry.

Extended IP access list

Access list that is used to define which data packets are to be encrypted. Packets that are denied by this access list are forwarded but not encrypted. The "reverse" of this access list is used to check the inbound return packets, which are also encrypted. Packets that are denied by the "reverse" access list are dropped because they should have been encrypted but were not.

Extended IP access list check

Access lists that are used to more finely control which data packets are allowed into or out of the IPSec tunnel. Packets that are allowed by the "Extended IP access list" ACL but denied by the "Extended IP access list check" ACL are dropped.

Current peer

Current peer that is being used for this crypto map entry.

Security association lifetime

Number of bytes that are allowed to be encrypted or decrypted or the age of the security association before new encryption keys must be negotiated.

PFS

(Perfect Forward Secrecy) If "Yes," the Internet Security Association and Key Management Protocol (ISAKMP) SKEYID-d key is also renegotiated each time IPSec security association (SA) encryption keys are renegotiated (requires another Diffie-Hellman calculation). Otherwise, the same ISAKMP SKEYID-d key is used when renegotiating IPSec SA encryption keys. ISAKMP keys are renegotiated on a separate schedule, with a default time of 24 hours.

Transform sets

List of transform sets (encryption, authentication, and compression algorithms) that can be used with this crypto map.

Interfaces using crypto map test

Interfaces to which this crypto map is applied. Packets that are leaving from this interface are subject to the rules of this crypto map for encryption. Encrypted packets may enter the router on any interface, and they will be decrypted. Nonencrypted packets that are entering the router through this interface are subject to the "reverse" crypto access list check.
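
Added example, not from the reference: the Python below models the decisions that the Peer, Extended IP access list and Extended IP access list check descriptions above spell out, with the ACLs from the show crypto map example as constructed input. It covers only the checks those descriptions state (the crypto ACL, its reverse for nonencrypted inbound packets, and the IN/OUT check ACLs), not the rest of IOS packet processing.

```python
"""Model the outbound/inbound ACL checks that show crypto map describes."""
import ipaddress

# Constructed from the ACLs in the show crypto map example on this page.
CRYPTO_ACL = "access-list ipsec_acl permit ip 192.168.2.0 0.0.0.255 192.168.102.0 0.0.0.255"
CHECK_IN = """\
access-list 110 permit ip host 192.168.102.47 192.168.2.0 0.0.0.15
access-list 110 permit ip host 192.168.102.47 192.168.2.32 0.0.0.15
access-list 110 permit ip host 192.168.102.57 192.168.2.0 0.0.0.15
"""
CHECK_OUT = """\
access-list 120 permit ip 192.168.2.0 0.0.0.15 host 192.168.102.47
access-list 120 permit ip 192.168.2.32 0.0.0.15 host 192.168.102.47
access-list 120 permit ip 192.168.2.0 0.0.0.15 host 192.168.102.57
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr_spec(tokens, i):
    """Consume one ACL address term: 'host A', 'any', or 'A WILDCARD'."""
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _matches(spec, addr):
    """Wildcard-mask match: bits set in the wildcard are 'don't care' bits."""
    net, wild = spec
    return (_ip(addr) | wild) == (net | wild)


def parse_acl(text):
    """Return [(action, src_spec, dst_spec)] for 'access-list N permit|deny ip ...' lines."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _addr_spec(t, 4)
        dst, _ = _addr_spec(t, i)
        aces.append((t[2], src, dst))
    return aces


def permits(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, d in acl:
        if _matches(s, src) and _matches(d, dst):
            return action == "permit"
    return False


def outbound(src, dst, crypto_acl, check_out):
    """Cleartext packet leaving through the crypto-map interface."""
    if not permits(crypto_acl, src, dst):
        return "forward-clear"          # not selected by the crypto ACL: sent as-is
    if check_out and not permits(check_out, src, dst):
        return "drop"                   # selected, but denied by the OUT check ACL
    return "encrypt"


def inbound(src, dst, encrypted, crypto_acl, check_in):
    """Packet arriving on the crypto-map interface from the peer's side."""
    # The "reverse" crypto ACL: this packet's src/dst are the outbound dst/src.
    should_be_protected = permits(crypto_acl, dst, src)
    if not encrypted:
        return "drop" if should_be_protected else "forward-clear"
    if check_in and not permits(check_in, src, dst):
        return "drop"                   # decrypted, but denied by the IN check ACL
    return "accept"
```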


show crypto mib ipsec flowmib history failure size

To display the size of the IP Security (IPSec) failure history table, use the show crypto mib ipsec flowmib history failure size command in privileged EXEC mode.

show crypto mib ipsec flowmib history failure size

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(4)E

This command was introduced.

12.2(4)T

This command was integrated into Cisco IOS Release 12.2(4)T.


Examples

The following is sample output from the show crypto mib ipsec flowmib history failure size command:

Router# show crypto mib ipsec flowmib history failure size

IPSec Failure Window size: 140

Related Commands

Command
Description

crypto mib ipsec flowmib history failure size

Changes the size of the IPSec failure history table.

show crypto mib ipsec flowmib version

Displays the IPSec Flow MIB version used by the router.


show crypto mib ipsec flowmib history tunnel size

To display the size of the IP Security (IPSec) tunnel history table, use the show crypto mib ipsec flowmib history tunnel size command in privileged EXEC mode.

show crypto mib ipsec flowmib history tunnel size

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(4)E

This command was introduced.

12.2(4)T

This command was integrated into Cisco IOS Release 12.2(4)T.


Examples

The following is sample output from the show crypto mib ipsec flowmib history tunnel size command:

Router# show crypto mib ipsec flowmib history tunnel size

IPSec History Window Size: 130

Related Commands

Command
Description

crypto mib ipsec flowmib history tunnel size

Changes the size of the IPSec tunnel history table.

show crypto mib ipsec flowmib version

Displays the IPSec Flow MIB version used by the router.


show crypto mib ipsec flowmib version

To display the IP Security (IPSec) MIB version used by the router, use the show crypto mib ipsec flowmib version command in privileged EXEC mode.

show crypto mib ipsec flowmib version

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(4)E

This command was introduced.

12.2(4)T

This command was integrated into Cisco IOS Release 12.2(4)T.


Usage Guidelines

Use the show crypto mib ipsec flowmib version command to display the MIB version used by the management applications to identify the feature set.


Note The MIB version can also be obtained by querying the MIB element cipSecMibLevel using Simple Network Management Protocol (SNMP).


Examples

The following is sample output from the show crypto mib ipsec flowmib version command:

Router# show crypto mib ipsec flowmib version

IPSec Flow MIB version: 1

Related Commands

Command
Description

show crypto mib ipsec flowmib history failure size

Displays the size of the IPSec failure history table.

show crypto mib ipsec flowmib history tunnel size

Displays the size of the IPSec tunnel history table.


show crypto pki certificates

To display information about your certificate, the certification authority certificate, and any registration authority certificates, use the show crypto pki certificates command in privileged EXEC mode.

show crypto pki certificates [trustpoint-name [verbose]]

Syntax Description

trustpoint-name

(Optional) Name of the trustpoint. Using this argument indicates that only certificates that are related to the trustpoint are to be displayed.

verbose

(Optional) More detailed information is to be displayed.

Note The verbose keyword can be used only if a trustpoint name is entered.


Command Modes

Privileged EXEC

Command History

Release
Modification

11.3 T

The show crypto ca certificates command was introduced.

12.2(13)T

The trustpoint-name argument was added.

12.3(7)T

This command replaced the show crypto ca certificates command.

12.3(8)T

The verbose keyword was added.

12.3(14)T

The command output was modified to include persistent self-signed certificate parameters.


Usage Guidelines

This command shows information about the following certificates:

Your certificate, if you have requested one from the certificate authority (CA) (see the crypto pki enroll command)

The certificate of the CA, if you have received the certificate of the CA (see the crypto pki authenticate command)

RA certificates, if you have received registration authority (RA) certificates (see the crypto pki authenticate command)

A self-signed certificate, if one has been requested

Examples

The following is sample output from the show crypto pki certificates command after you authenticated the CA by requesting the certificate of the CA and public key with the crypto pki authenticate command:

CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set

The CA certificate might show Key Usage as "Not Set."

The following is sample output from the show crypto pki certificates command, and it shows the certificate of the router and the certificate of the CA. In this example, a single, general-purpose Rivest, Shamir, and Adleman (RSA) key pair was previously generated, and a certificate was requested but not received for that key pair.

Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
    Serial Number: 04806682
  Status: Pending
  Key Usage: General Purpose
    Fingerprint: 428125BD A3419600 3F6C7831 6CD8FA95 00000000

CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set

Note that in the previous sample, the certificate status of the router shows "Pending." After the router receives its certificate from the CA, the Status field changes to "Available" in the show output.

The following is sample output from the show crypto pki certificates command, and it shows the certificates of two routers and the certificate of the CA. In this example, special-usage RSA key pairs were previously generated, and a certificate was requested and received for each key pair.

Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95
  Key Usage: Signature
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: AB352356AFCD0395E333CCFD7CD33897
  Key Usage: Encryption
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set

The following is sample output from the show crypto pki certificates command when the CA supports an RA. In this example, the CA and RA certificates were previously requested with the crypto pki authenticate command.

CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 34BCF8A0
  Key Usage: Signature
RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 34BCF89F
  Key Usage: Encryption

The following is sample output from the show crypto pki certificates command using the optional trustpoint-name argument and verbose keyword. The output shows the certificate of a router and the certificate of the CA. In this example, general-purpose RSA key pairs were previously generated, and a certificate was requested and received for the key pair.


Certificate
   Status: Available
   Version: 3
   Certificate Serial Number: 18C1EE03000000004CBD
   Certificate Usage: General Purpose
   Issuer:
     cn=msca-root
     ou=pki msca-root
     o=cisco
     l=santa cruz2
     st=CA
     c=US
     ea=user@example.com
   Subject:
     Name: myrouter.example.com
     hostname=myrouter.example.com
   CRL Distribution Points:
     http://msca-root/CertEnroll/msca-root.crl
   Validity Date:
     start date: 19:50:40 GMT Oct 5 2004
     end   date: 20:00:40 GMT Oct 12 2004
   Subject Key Info:
     Public Key Algorithm: rsaEncryption
     RSA Public Key: (360 bit)
   Signature Algorithm: SHA1 with RSA Encryption
   Fingerprint MD5: 2B5F53E6 E3E892E6 3A9D3706 01261F10
   Fingerprint SHA1: 315D127C 3AD34010 40CE7F3A 988BBDA5 CD528824
   X509v3 extensions:
     X509v3 Key Usage: A0000000
       Digital Signature
       Key Encipherment
     X509v3 Subject Key ID: D156E92F 46739CBA DFE66D2D 3559483E B41ECCF4
     X509v3 Authority Key ID: 37F3CC61 AF5E7C0B 434AB364 CF9FA0C1 B17C50D9
     Authority Info Access:
   Associated Trustpoints: msca-root
   Key Label: myrouter.example.com

CA Certificate
   Status: Available
   Version: 3
   Certificate Serial Number: 1244325DE0369880465F977A18F61CA8
   Certificate Usage: Signature
   Issuer:
     cn=msca-root
     ou=pki msca-root
     o=cisco
     l=santa cruz2
     st=CA
     c=US
     ea=user@example.com
   Subject:
     cn=msca-root
     ou=pki msca-root
     o=cisco
     l=santa cruz2
     st=CA
     c=US
     ea=user@example.com
   CRL Distribution Points:
     http://msca-root.example.com/CertEnroll/msca-root.crl
   Validity Date:
     start date: 22:19:29 GMT Oct 31 2002
     end   date: 22:27:27 GMT Oct 31 2017
   Subject Key Info:
     Public Key Algorithm: rsaEncryption
     RSA Public Key: (512 bit)
   Signature Algorithm: SHA1 with RSA Encryption
   Fingerprint MD5: 84E470A2 38176CB1 AA0476B9 C0B4F478
   Fingerprint SHA1: 0F57170C 654A5D7D 10973553 EFB0F94F 2FAF9837
   X509v3 extensions:
     X509v3 Key Usage: C6000000
       Digital Signature
       Non Repudiation
       Key Cert Sign
       CRL Signature
     X509v3 Subject Key ID: 37F3CC61 AF5E7C0B 434AB364 CF9FA0C1 B17C50D9
     X509v3 Basic Constraints:
         CA: TRUE
     Authority Info Access:
   Associated Trustpoints: msca-root

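The following Python script is added here as an illustration; it is not part of the Cisco documentation and not code from Cisco IOS. It parses the verbose output above and applies the checks a reviewer would run on it: RSA key size, signature digest, validity window, and whether the router certificate's Authority Key ID matches the Subject Key ID of a CA certificate held on the same router (the chain linkage that the two matching key IDs in the output above establish). The embedded sample text, the reference time SAMPLE_NOW and the 2048-bit policy minimum MIN_RSA_BITS are constructed assumptions; on the page's own sample the 360-bit and 512-bit keys and the SHA1 signatures are all reported.

```python
import re
from datetime import datetime

# Constructed input: the verbose "show crypto pki certificates" sample from this
# page, trimmed to the fields the checks below use.
SAMPLE_OUTPUT = """\
Certificate
   Status: Available
   Certificate Serial Number: 18C1EE03000000004CBD
   Certificate Usage: General Purpose
   Subject:
     Name: myrouter.example.com
   Validity Date:
     start date: 19:50:40 GMT Oct 5 2004
     end   date: 20:00:40 GMT Oct 12 2004
   Subject Key Info:
     Public Key Algorithm: rsaEncryption
     RSA Public Key: (360 bit)
   Signature Algorithm: SHA1 with RSA Encryption
   X509v3 extensions:
     X509v3 Subject Key ID: D156E92F 46739CBA DFE66D2D 3559483E B41ECCF4
     X509v3 Authority Key ID: 37F3CC61 AF5E7C0B 434AB364 CF9FA0C1 B17C50D9
   Associated Trustpoints: msca-root

CA Certificate
   Status: Available
   Certificate Serial Number: 1244325DE0369880465F977A18F61CA8
   Certificate Usage: Signature
   Validity Date:
     start date: 22:19:29 GMT Oct 31 2002
     end   date: 22:27:27 GMT Oct 31 2017
   Subject Key Info:
     Public Key Algorithm: rsaEncryption
     RSA Public Key: (512 bit)
   Signature Algorithm: SHA1 with RSA Encryption
   X509v3 extensions:
     X509v3 Subject Key ID: 37F3CC61 AF5E7C0B 434AB364 CF9FA0C1 B17C50D9
     X509v3 Basic Constraints:
         CA: TRUE
   Associated Trustpoints: msca-root
"""

SAMPLE_NOW = datetime(2005, 1, 1)   # constructed reference time for the sample above
MIN_RSA_BITS = 2048                  # assumption: site policy minimum, not an IOS value
WEAK_DIGESTS = ("MD5", "SHA1")


def _parse_ios_date(text):
    # "19:50:40 GMT Oct 5 2004" -> naive datetime; the zone token is ignored
    m = re.match(r"(\d\d:\d\d:\d\d)\s+(\S+)\s+(\w{3}\s+\d{1,2}\s+\d{4})", text.strip())
    if not m:
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(3)}", "%H:%M:%S %b %d %Y")


def parse_certificates(text):
    """Split the output into one dict per certificate block (a line at column 0 starts a block)."""
    certs, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            cur = {"kind": line.strip(), "ca": line.startswith("CA ")}
            certs.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("Certificate Serial Number:"):
            cur["serial"] = s.split(":", 1)[1].strip()
        elif s.startswith("Name:"):
            cur["subject_name"] = s.split(":", 1)[1].strip()
        elif s.startswith("RSA Public Key:"):
            cur["key_bits"] = int(re.search(r"\((\d+) bit\)", s).group(1))
        elif s.startswith("Signature Algorithm:"):
            cur["sig_alg"] = s.split(":", 1)[1].strip()
        elif s.startswith("start date:"):
            cur["not_before"] = _parse_ios_date(s.split(":", 1)[1])
        elif re.match(r"end\s+date:", s):
            cur["not_after"] = _parse_ios_date(s.split(":", 1)[1])
        elif s.startswith("X509v3 Subject Key ID:"):
            cur["skid"] = s.split(":", 1)[1].replace(" ", "")
        elif s.startswith("X509v3 Authority Key ID:"):
            cur["akid"] = s.split(":", 1)[1].replace(" ", "")
        elif s.startswith("CA: TRUE"):
            cur["ca"] = True
    return certs


def audit_certificates(certs, now):
    """Return a list of findings: weak keys, weak digests, expiry, and broken chain linkage."""
    findings = []
    cas_by_skid = {c["skid"]: c for c in certs if c.get("ca") and c.get("skid")}
    for c in certs:
        label = f"{c['kind']} {c.get('serial', '?')}"
        bits = c.get("key_bits")
        if bits is not None and bits < MIN_RSA_BITS:
            findings.append(f"{label}: RSA key is only {bits} bits")
        if any(d in c.get("sig_alg", "").upper() for d in WEAK_DIGESTS):
            findings.append(f"{label}: weak signature digest ({c['sig_alg']})")
        if c.get("not_after") and c["not_after"] < now:
            findings.append(f"{label}: expired {c['not_after']:%Y-%m-%d}")
        if not c.get("ca") and c.get("akid"):
            issuer = cas_by_skid.get(c["akid"])
            if issuer is None:
                findings.append(f"{label}: Authority Key ID {c['akid']} matches no CA certificate on the router")
            elif c.get("not_after") and issuer.get("not_after") and c["not_after"] > issuer["not_after"]:
                findings.append(f"{label}: outlives its issuing CA certificate")
    return findings
```

Run it as `audit_certificates(parse_certificates(SAMPLE_OUTPUT), SAMPLE_NOW)`; replace SAMPLE_OUTPUT with captured output of show crypto pki certificates verbose and SAMPLE_NOW with the router's clock. The chain check only proves that the router holds a CA certificate with the matching key ID; it says nothing about whether that CA certificate was verified out of band when crypto pki authenticate was run.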
The following example shows that a self-signed certificate has been created using a user-defined trustpoint:

Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: General Purpose
  Issuer:
    serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.cisco.com
  Subject:
    Name: router.cisco.com
    IP Address: 10.3.0.18
    Serial Number: C63EBBE9
    serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.cisco.com
  Validity Date:
    start date: 20:51:40 GMT Nov 29 2004
    end   date: 00:00:00 GMT Jan 1 2020
  Associated Trustpoints: local

Related Commands

Command
Description

crypto pki authenticate

Authenticates the CA (by obtaining the certificate of the CA).

crypto pki enroll

Obtains the certificates of your router from the CA.

debug crypto pki messages

Displays debug messages for the details of the interaction (message dump) between the CA and the router.

debug crypto pki transactions

Displays debug messages for the trace of interaction (message type) between the CA and the router.


show crypto pki crls

To display the current certificate revocation list (CRL) on the router, use the show crypto pki crls command in EXEC mode.

show crypto pki crls

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.1

The show crypto ca crls command was introduced.

12.3(7)T

This command replaced the show crypto ca crls command.


Examples

The following is sample output of the show crypto pki crls command:

Router# show crypto pki crls 

          CRL Issuer Name: 
              OU = sjvpn, O = cisco, C = us
              LastUpdate: 16:17:34 PST Jan 10 2002
              NextUpdate: 17:17:34 PST Jan 11 2002
              Retrieved from CRL Distribution Point: 
                LDAP: CN = CRL1, OU = sjvpn, O = cisco, C = us

Related Commands

Command
Description

crypto pki crl request

Requests that a new CRL be obtained immediately from the CA.


show crypto pki server

To display the current state and configuration of the certificate server, use the show crypto pki server command in privileged EXEC mode.

show crypto pki server

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

At startup, the certificate server must check the current configuration before issuing any certificates. As it starts up, the certificate server transitions through the states defined in Table 49. Use the show crypto pki server command to display the state of the certificate server.

Table 49 State of the Certificate Server

Certificate Server State
Description

configured

The server is available and has generated the certificate server certificates.

storage configuration incomplete

The server is verifying that the configured storage location is available.

waiting for HTTP server

The server is verifying that the HTTP server is running.

waiting for time setting

The server is verifying that the time has been set.


Examples

The following example is sample output for the show crypto pki server command:

Router# show crypto pki server 

Certificate Server status: disabled, storage configuration incomplete
    Granting mode is: manual
    Last certificate issued serial number: 0
    CA certificate expiration timer: 21:29:38 GMT Jun 5 2006
    CRL NextUpdate timer: 21:31:39 GMT Jun 6 2003
    Current storage dir: ftp://myftpserver
    Database Level: Minimum - no cert data written to storage

Table 50 describes the significant fields shown in the display.

Table 50 show crypto pki server Field Descriptions 

Field
Description

Granting mode is

Specifies whether certificate enrollment requests should be granted manually (which is the default) or automatic (via the grant automatic command).

Note The grant automatic command should be used only when testing and building simple networks. This command must be disabled before the network is reachable from the Internet.

Last certificate issued serial number

The serial number of the latest certificate. (To specify the distinguished name (DN) as the certification authority (CA) issuer name, use the issuer-name command.)

CA certificate expiration timer

The expiration date for the CA certificate. (To specify the expiration date, use the lifetime command.)

CRL NextUpdate timer

The next time the certificate revocation list (CRL) will be updated. (To specify the CRL lifetime, in hours, use the lifetime crl command.)

Current storage dir

The location where all database entries for the certificate server will be written out. (To specify a location, use the database url command.)

Database Level

The type of data that is stored in the certificate enrollment database: minimal, names, or complete. (To specify the data type to be stored, use the database level command.)


Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters certificate server configuration mode.


show crypto pki timers

To display the status of the managed timers that are maintained by Cisco IOS for public key infrastructure (PKI), use the show crypto pki timers command in EXEC mode.

show crypto pki timers

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.2(8)T

The show crypto ca timers command was introduced.

12.3(7)T

This command replaced the show crypto ca timers command.


Usage Guidelines

For each timer, this command displays the time remaining before the timer expires and the trustpoint certification authority (CA) to which the timer belongs. For certificate revocation list (CRL) timers, the CRL distribution point is displayed instead of a trustpoint.

Examples

The following example is sample output for the show crypto pki timers command:

Router# show crypto pki timers

PKI Timers
| 4d15:13:33.144  
 | 4d15:13:33.144  CRL http://msca-root.cisco.com/CertEnroll/msca-root.crl
 |328d11:56:48.372  RENEW msroot
 | 6:43.201  POLL verisign

Related Commands

Command
Description

auto-enroll

Enables autoenrollment.

crypto pki trustpoint

Declares the CA that your router should use.


show crypto pki trustpoints

To display the trustpoints that are configured in the router, use the show crypto pki trustpoints command in privileged or user EXEC mode.

show crypto pki trustpoints [status | label [status]]

Syntax Description

status

(Optional) Trustpoint status.

label

(Optional) Trustpoint name.


Defaults

If the label argument (trustpoint name) is not specified, command output is displayed for all trustpoints.

Command Modes

Privileged EXEC
User EXEC

Command History

Release
Modification

12.2(8)T

The show crypto ca trustpoints command was introduced.

12.3(7)T

This command replaced the show crypto ca trustpoints command.

12.3(11)T

The status keyword and label argument were added.

12.3(14)T

The command output was modified to include persistent self-signed certificate parameters.


Usage Guidelines

If you enter the show crypto ca roots command, it will have the same effect as entering the show crypto pki trustpoints command.

Examples

The following is sample output from the show crypto pki trustpoints command:

Router# show crypto pki trustpoints

Trustpoint bo:
    Subject Name:
    CN = bomborra Certificate Manager
     O = cisco.com
     C = US
          Serial Number:01
    Certificate configured.
    CEP URL:http://bomborra
    CRL query url:ldap://bomborra

The following is sample output from the show crypto pki trustpoints command when a persistent self-signed certificate has been configured:

Router# show crypto pki trustpoints

Trustpoint local:
    Subject Name:
    serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.cisco.com
          Serial Number: 01
    Persistent self-signed certificate trust point

The following output using the status keyword shows that the trustpoint is configured in query mode and is currently trying to query the certificates (the certificate authority (CA) certificate and the router certificate are both pending):

Router# show crypto pki trustpoints status

Trustpoint yni:
  Issuing CA certificate pending:
    Subject Name:
     cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31 
  Router certificate pending:
    Subject Name:
     hostname=trance.cisco.com,o=cisco.com
  Next query attempt:
    52 seconds

The following output using the status keyword shows that the trustpoint has been authenticated:

Router# show crypto pki trustpoints status

Trustpoint yni:
  Issuing CA certificate configured:
    Subject Name:
     cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31 
  State:
    Keys generated ............. No
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... None

The following output using the status keyword shows that the trustpoint is enrolling and that two of the certificate requests are pending (Signature and Encryption):

Router# show crypto pki trustpoints status

Trustpoint yni:
  Issuing CA certificate configured:
    Subject Name:
     cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31 
  Router Signature certificate pending:
    Requested Subject Name:
     hostname=trance.cisco.com
    Request Fingerprint: FAE0D74E BB844EA1 54B26698 56AB42EC
    Enrollment polling: 1 times (9 left)
    Next poll: 32 seconds
  Router Encryption certificate pending:
    Requested Subject Name:
     hostname=trance.cisco.com
    Request Fingerprint: F4E815DB D9D9B60F 9B5B1724 3E155DBF
    Enrollment polling: 1 times (9 left)
    Next poll: 44 seconds
  Last enrollment status: Pending
  State:
    Keys generated ............. Yes (Signature, Encryption)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... Pending

The following output using the status keyword shows that enrollment has succeeded and that two router certificates have been granted (Signature and Encryption):

Router# show crypto pki trustpoints status 

Trustpoint yni:
  Issuing CA certificate configured:
    Subject Name:
     cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31 
  Router Signature certificate configured:
    Subject Name:
     hostname=trance.cisco.com,o=cisco.com
    Fingerprint: 8A370B8B 3B6A2464 F962178E 8385E9D6 
  Router Encryption certificate configured:
    Subject Name:
     hostname=trance.cisco.com,o=cisco.com
    Fingerprint: 43A03218 C0AFF844 AE0C162A 690B414A 
  Last enrollment status: Granted
  State:
    Keys generated ............. Yes (Signature, Encryption)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... Yes

The following output using the status keyword shows that trustpoint enrollment has been rejected:

Router# show crypto pki trustpoints status

Trustpoint yni:
  Issuing CA certificate configured:
    Subject Name:
     cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31 
  Last enrollment status: Rejected
  State:
    Keys generated ............. Yes (General Purpose)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... None

The following output using the status keyword shows that enrollment has succeeded and that the router is configured for autoenrollment using a regenerated key. In addition, the running configuration has been modified so that it will not be saved automatically after autoenrollment.

Router# show crypto pki trustpoints status

Trustpoint yni:
  Issuing CA certificate configured:
    Subject Name:
     cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31 
  Router General Purpose certificate configured:
    Subject Name:
     hostname=trance.cisco.com,o=cisco.com
    Fingerprint: FC365F95 E24D4B55 81347510 10FFE331 
  Last enrollment status: Granted
  Next enrollment attempt:
    01:58:25 PST Feb 14 2004 
    * A new key will be generated *
    * Configuration will not be saved after enrollment *
  State:
    Keys generated ............. Yes (General Purpose)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... Yes

Table 51 describes the significant fields shown in the display.

Table 51 show crypto pki trustpoints Field Descriptions 

Field
Description

Trustpoint

Name of the trustpoint.

Issuing CA certificate pending

The certificate authority (CA) certificate is being retrieved (query mode).

Issuing CA certificate [not] configured

A CA certificate is [not] configured.

Subject Name

Subject name of the indicated certificate.

Next query attempt

Time until the next query attempt (query mode).

Router certificate pending/Router [key usage] certificate pending

The trustpoint is attempting to obtain the certificate from the CA server (through query mode or enrollment).

Router [key usage] certificate configured

Certificate of the specified key usage is configured.

Requested Subject Name

Subject name used in the enrollment request (Public Key Cryptography Standards 10 [PKCS10]).

Fingerprint MD5/SHA1

Fingerprint of the indicated certificate (Message Digest 5 [MD5] or Secure Hash Algorithm 1 [SHA1]).

Request Fingerprint MD5/SHA1

Fingerprint of the PKCS10 enrollment request (MD5/SHA1).

Enrollment polling: [polled] times ([remaining] left)/Next poll: in seconds

Number of Simple Certificate Enrollment Protocol (SCEP) polling attempts that have been made and that remain before the router gives up/Time until the next polling attempt.

Last enrollment status: Pending/Granted/Rejected/Failed

Last enrollment attempt status (pending, granted, rejected, or failed).

Next enrollment attempt: time
(Optional) A new key will be generated.
(Optional) Configuration will not be saved after enrollment.

The trustpoint is configured to do auto-enrollment and the auto-enrollment will happen at time. (Optional) The trustpoint is configured to generate a new key when auto-enrollment occurs. (Optional) The running configuration is "dirty," so the configuration will not be saved automatically after autoenrollment.

State

Current state of the trustpoint.

Keys generated

"Yes or No" and the key usage (General Purpose or Signature, Encryption).

Issuing CA authenticated

"Yes or No" if crypto CA authentication has been done successfully.

Certificate request(s)

Progress of current enrollment: "Pending," "Yes," (complete), or "None" (not in progress).

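The following Python script is added here as an illustration; it is not Cisco documentation or Cisco IOS code. It parses show crypto pki trustpoints status output into one record per trustpoint and compares the issuing CA fingerprint against a value recorded out of band, which is the check that protects crypto pki authenticate against a substituted CA certificate. It also reports a rejected or failed last enrollment, an unauthenticated issuing CA, and the autoenrollment case shown above in which a new key will be generated but the running configuration will not be saved. The embedded sample is the autoenrollment output from this page; PINNED_CA_FINGERPRINTS is a hypothetical table that an operator would have populated from the CA administrator before enrolling.

```python
import hmac
import re

# Constructed input: the autoenrollment "show crypto pki trustpoints status" sample from this page.
SAMPLE_OUTPUT = """\
Trustpoint yni:
  Issuing CA certificate configured:
    Subject Name:
     cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31
  Router General Purpose certificate configured:
    Subject Name:
     hostname=trance.cisco.com,o=cisco.com
    Fingerprint: FC365F95 E24D4B55 81347510 10FFE331
  Last enrollment status: Granted
  Next enrollment attempt:
    01:58:25 PST Feb 14 2004
    * A new key will be generated *
    * Configuration will not be saved after enrollment *
  State:
    Keys generated ............. Yes (General Purpose)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... Yes
"""

# Assumed: CA fingerprints obtained out of band (for example read back by the CA
# administrator) before "crypto pki authenticate" was run. Hypothetical table.
PINNED_CA_FINGERPRINTS = {"yni": "C21514AC 12815946 09F635ED FBB6CF31"}

_CERT_HDR = re.compile(r"^(Issuing CA|Router(?: .+?)?) certificate (pending|configured|not configured):$")
_STATE = re.compile(r"(Keys generated|Issuing CA authenticated|Certificate request\(s\)) \.+ (.*)")


def _hexnorm(fp):
    """Strip spacing and case so fingerprints from different sources compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def parse_trustpoints(text):
    tps, cur, section, want_time = [], None, None, False
    for raw in text.splitlines():
        s = raw.strip()
        m = re.match(r"Trustpoint (\S+):", s)
        if m:
            cur = {"name": m.group(1), "certs": [], "flags": [], "state": {}}
            tps.append(cur)
            section, want_time = None, False
            continue
        if cur is None:
            continue
        if want_time:                      # line after "Next enrollment attempt:" is the time
            cur["next_enrollment"], want_time = s, False
            continue
        m = _CERT_HDR.match(s)
        if m:
            section = {"owner": m.group(1), "status": m.group(2)}
            cur["certs"].append(section)
        elif s.startswith("Fingerprint:") and section is not None:
            section["fingerprint"] = _hexnorm(s.split(":", 1)[1])
        elif s.startswith("Last enrollment status:"):
            cur["last_enrollment"] = s.split(":", 1)[1].strip()
        elif s.startswith("Next enrollment attempt:"):
            want_time = True
        elif s.startswith("* ") and s.endswith(" *"):
            cur["flags"].append(s.strip("* ").strip())
        else:
            m = _STATE.match(s)
            if m:
                cur["state"][m.group(1)] = m.group(2).strip()
    return tps


def ca_cert(tp):
    return next((c for c in tp["certs"] if c["owner"] == "Issuing CA"), None)


def verify_ca_fingerprint(tp, pinned):
    """True only if the configured issuing CA fingerprint equals the pinned value."""
    ca, expected = ca_cert(tp), pinned.get(tp["name"])
    if ca is None or ca["status"] != "configured" or not expected or "fingerprint" not in ca:
        return False
    return hmac.compare_digest(ca["fingerprint"].encode(), _hexnorm(expected).encode())


def audit_trustpoints(tps, pinned):
    findings = []
    for tp in tps:
        name = tp["name"]
        if not verify_ca_fingerprint(tp, pinned):
            findings.append(f"{name}: issuing CA fingerprint not verified against the pinned value")
        if tp.get("last_enrollment") in ("Rejected", "Failed"):
            findings.append(f"{name}: last enrollment {tp['last_enrollment']}")
        if "A new key will be generated" in tp["flags"] and \
                "Configuration will not be saved after enrollment" in tp["flags"]:
            findings.append(f"{name}: autoenrollment will regenerate the key, but the running "
                            f"configuration will not be saved; save it after enrollment")
        if tp["state"].get("Issuing CA authenticated") != "Yes":
            findings.append(f"{name}: issuing CA not authenticated")
    return findings
```

With the pinned value that matches the page's output, the only finding is the unsaved-configuration warning; with an empty or wrong pin table the fingerprint finding is added. The comparison uses hmac.compare_digest only out of habit for secret-like values; the fingerprint itself is public, and the real protection is that the pinned value came from somewhere other than the CA being authenticated.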

Related Commands

Command
Description

crypto pki trustpoint

Declares the CA that your router should use.


show crypto session

To display status information for active crypto sessions, use the show crypto session command in privileged EXEC mode.

show crypto session [detail] | [local ip-address [port local-port] [remote ip-address [port remote-port]] [detail]] | [fvrf vrf-name] [ivrf vrf-name] [detail]

IPSec and IKE Stateful Failover Syntax

show crypto session [active | standby]

Syntax Description

detail

(Optional) Provides more detailed information about the session, such as the capabilities of the Internet Key Exchange (IKE) security association (SA), the connection ID, the remaining lifetime of the IKE SA, the number of packets encrypted or decrypted in each direction of the IP Security (IPSec) flow, the number of dropped packets, and the remaining lifetime of the IPSec SA in kilobytes and in seconds.

local ip-address

(Optional) Displays status information about crypto sessions of a local crypto endpoint.

The ip-address value is the IP address of the local crypto endpoint.

port local-port

(Optional) Port of the local crypto endpoint.

The local-port value can be 1 through 65535. The default value is 500.

remote ip-address

(Optional) Displays status information about crypto sessions of a remote session.

The ip-address value is the IP address of the remote crypto endpoint.

port remote-port

(Optional) Displays status information about crypto sessions of a remote crypto endpoint.

The remote-port value can be 1 through 65535. The default value is 500.

fvrf vrf-name

(Optional) Displays status information about the front door virtual routing and forwarding (FVRF) session.

ivrf vrf-name

(Optional) Displays status information about the inside VRF (IVRF) session.

active

(Optional) Displays all crypto sessions in the active state.

standby

(Optional) Displays all crypto sessions that are in the standby state.


Defaults

If the show crypto session command is entered without any keywords, all existing sessions will be displayed. Port default values are 500.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.3(11)T

The active and standby keywords were added.


Usage Guidelines

You can get a list of all the active Virtual Private Network (VPN) sessions and of the IKE and IPSec SAs for each VPN session by entering the show crypto session command. The listing will include the following:

Interface

IKE peer description, if available

IKE SAs that are associated with the peer by whom the IPSec SAs are created

IPSec SAs serving the flows of a session

Multiple IKE or IPSec SAs may be established for the same peer (for the same session), in which case IKE peer descriptions will be repeated with different values for the IKE SAs that are associated with the peer and for the IPSec SAs that are serving the flows of the session.

Examples

The following example shows active VPN sessions:

Router# show crypto session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Ethernet1/0
Session status: UP-NO-IKE
Peer: 10.2.80.179/500 fvrf: (none) ivrf: (none)
      Desc: My-manual-keyed-peer
      Phase1_id: 10.2.80.179
  IPSEC FLOW: permit ip host 10.2.80.190 host 10.2.80.179
        Active SAs: 4, origin: manual-keyed crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: Ethernet1/2
Session status: DOWN
Peer: 10.1.1.1/500 fvrf: (none) ivrf: (none)
      Desc: SJC24-2-VPN-Gateway
      Phase1_id: 10.1.1.1
  IPSEC FLOW: permit ip host 10.2.2.3 host 10.2.2.2
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  IPSEC FLOW: permit ip 10.2.0.0/255.255.0.0 10.4.0.0/255.255.0.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: Serial2/0.17
Session status: UP-ACTIVE
Peer: 10.1.1.5/500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: 10.1.1.5
  IKE SA: local 10.1.1.5/500 remote 10.1.1.5/500 Active
          Capabilities:(none) connid:1 lifetime:00:59:51
  IPSEC FLOW: permit ip host 10.1.1.5 host 10.1.2.5
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 20085/171
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 20086/171

Table 52 describes the significant fields shown in the display.

Table 52 show crypto session Field Descriptions 

Field
Description

Interface

Interface to which the crypto session is related.

Session status

Current status of the crypto (VPN) sessions. See Table 53 for the status of the IKE SA, IPSec SA, and tunnel as shown in the display.

IKE SA

Information is provided about the IKE SA, such as local and remote address and port, SA status, SA capabilities, crypto engine connection ID, and remaining lifetime of the IKE SA.

IPSEC FLOW

A snapshot of information about the IPSec-protected traffic flow, such as what the flow is (for example, permit ip host 10.1.1.5 host 10.1.2.5); how many IPSec SAs there are; the origin of the SA, such as manual keyed, dynamic, or static crypto map; the number of encrypted, decrypted, or dropped packets; and the remaining lifetime of the IPSec SA in kilobytes and in seconds (shown as life (KB/Sec)).


Table 53 provides an explanation of the current status of the VPN sessions shown in the display.

Table 53 Current Status of the VPN Sessions

IKE SA
IPSec SA
Tunnel Status

Exist, active

Exist (flow exists)

UP-ACTIVE

Exist, active

None (flow exists)

UP-IDLE

Exist, active

None (no flow)

UP-IDLE

Exist, inactive

Exist (flow exists)

UP-NO-IKE

Exist, inactive

None (flow exists)

DOWN-NEGOTIATING

Exist, inactive

None (no flow)

DOWN-NEGOTIATING

None

Exist (flow exists)

UP-NO-IKE

None

None (flow exists)

DOWN

None

None (no flow)

DOWN



Note IPSec flow may not exist if a dynamic crypto map is being used.
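
The following Python script is added here as an illustration; it is not Cisco documentation or Cisco IOS code. It parses the show crypto session detail output shown earlier into one record per session, derives the status that Table 53 implies from the IKE SA state and the presence of active IPSec SAs, and reports sessions whose reported status disagrees with that derivation, flows that depend on manually keyed SAs (static keys that IKE never renegotiates), tunnels that are down, and flows with dropped packets. The embedded input is the page's own sample output, reproduced as constructed test data.

```python
import re

# Constructed input: the "show crypto session detail" sample from this page.
SAMPLE_OUTPUT = """\
Crypto session current status

Interface: Ethernet1/0
Session status: UP-NO-IKE
Peer: 10.2.80.179/500 fvrf: (none) ivrf: (none)
      Desc: My-manual-keyed-peer
      Phase1_id: 10.2.80.179
  IPSEC FLOW: permit ip host 10.2.80.190 host 10.2.80.179
        Active SAs: 4, origin: manual-keyed crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: Ethernet1/2
Session status: DOWN
Peer: 10.1.1.1/500 fvrf: (none) ivrf: (none)
      Desc: SJC24-2-VPN-Gateway
      Phase1_id: 10.1.1.1
  IPSEC FLOW: permit ip host 10.2.2.3 host 10.2.2.2
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: Serial2/0.17
Session status: UP-ACTIVE
Peer: 10.1.1.5/500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: 10.1.1.5
  IKE SA: local 10.1.1.5/500 remote 10.1.1.5/500 Active
          Capabilities:(none) connid:1 lifetime:00:59:51
  IPSEC FLOW: permit ip host 10.1.1.5 host 10.1.2.5
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 20085/171
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 20086/171
"""

_COUNTERS = re.compile(r"(\w+):\s+#pkts \w+'ed (\d+) drop (\d+) life \(KB/Sec\) (\d+)/(\d+)")


def parse_sessions(text):
    """One dict per 'Interface:' block, with its IKE SAs and IPSEC FLOW entries."""
    sessions, cur, flow = [], None, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("Interface:"):
            cur = {"interface": s.split(":", 1)[1].strip(), "ike_sas": [], "flows": []}
            sessions.append(cur)
            flow = None
            continue
        if cur is None:
            continue
        if s.startswith("Session status:"):
            cur["status"] = s.split(":", 1)[1].strip()
        elif s.startswith("Peer:"):
            cur["peer"] = s.split()[1]
        elif s.startswith("IKE SA:"):
            m = re.match(r"IKE SA: local (\S+) remote (\S+) (\S+)", s)
            cur["ike_sas"].append({"local": m.group(1), "remote": m.group(2), "state": m.group(3)})
        elif s.startswith("Capabilities:") and cur["ike_sas"]:
            m = re.search(r"lifetime:(\S+)", s)
            cur["ike_sas"][-1]["lifetime"] = m.group(1) if m else None
        elif s.startswith("IPSEC FLOW:"):
            flow = {"acl": s.split(":", 1)[1].strip()}
            cur["flows"].append(flow)
        elif s.startswith("Active SAs:") and flow is not None:
            m = re.match(r"Active SAs: (\d+), origin: (.*)", s)
            flow["active_sas"], flow["origin"] = int(m.group(1)), m.group(2).strip()
        elif s.startswith(("Inbound:", "Outbound:")) and flow is not None:
            m = _COUNTERS.match(s)
            flow[m.group(1).lower()] = {"pkts": int(m.group(2)), "drop": int(m.group(3)),
                                        "life_kb": int(m.group(4)), "life_sec": int(m.group(5))}
    return sessions


def expected_status(ike_state, ipsec_sas_exist):
    """Table 53 collapsed: ike_state is 'active', 'inactive' or None; flow existence does not change the result."""
    if ike_state == "active":
        return "UP-ACTIVE" if ipsec_sas_exist else "UP-IDLE"
    if ike_state == "inactive":
        return "UP-NO-IKE" if ipsec_sas_exist else "DOWN-NEGOTIATING"
    return "UP-NO-IKE" if ipsec_sas_exist else "DOWN"


def ike_state(session):
    states = [sa["state"] for sa in session["ike_sas"]]
    if "Active" in states:
        return "active"
    return "inactive" if states else None


def audit_sessions(sessions):
    findings = []
    for sess in sessions:
        label = f"{sess['interface']} peer {sess.get('peer')}"
        sas_exist = any(f.get("active_sas", 0) > 0 for f in sess["flows"])
        want = expected_status(ike_state(sess), sas_exist)
        if sess.get("status") != want:
            findings.append(f"{label}: reported {sess.get('status')} but SA state implies {want}")
        if want == "DOWN":
            findings.append(f"{label}: tunnel down, no IKE or IPSec SAs")
        for f in sess["flows"]:
            if "manual-keyed" in f.get("origin", ""):
                findings.append(f"{label}: flow '{f['acl']}' uses manual keying (static keys, never rekeyed)")
            for d in ("inbound", "outbound"):
                if f.get(d, {}).get("drop", 0) > 0:
                    findings.append(f"{label}: {f[d]['drop']} {d} packets dropped on '{f['acl']}'")
    return findings
```

On the page's sample the three reported statuses all agree with Table 53, so the findings are the manually keyed flow on Ethernet1/0 and the down tunnel on Ethernet1/2. UP-NO-IKE is worth a second look whenever it is not explained by deliberate manual keying: it means traffic is being protected by SAs that IKE is not maintaining.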


The following sample output shows all crypto sessions that are in the standby state:

Router# show crypto session standby
Crypto session current status

Interface: Ethernet0/0
Session status: UP-STANDBY    
Peer: 209.165.200.225 port 500 
  IKE SA: local 209.165.201.3/500 remote 209.165.200.225/500 Active 
  IKE SA: local 209.165.201.3/500 remote 209.165.200.225/500 Active 
  IPSEC FLOW: permit ip host 192.168.0.1 host 172.16.0.1 
        Active SAs: 4, origin: crypto map

Related Commands

Command
Description

clear crypto session

Deletes crypto sessions (IPSec and IKE SAs).

description

Adds a description for an IKE peer.

show crypto isakmp peer

Displays peer descriptions.


show crypto session group

To display groups that are currently active on the Virtual Private Network (VPN) device, use the show crypto session group command in privileged EXEC mode.

show crypto session group

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

If the crypto isakmp client configuration group command and max-users keyword have not been enabled in any VPN group profile, this command will yield a blank result.

Examples

The following example shows that at least one session is active for the group Connections:

Router# show crypto session group
 Group: Connections
 cisco: 1

Related Commands

Command
Description

crypto isakmp client configuration group

Specifies to which group a policy profile will be defined.

show crypto session summary

Displays groups that are currently active on the VPN device and the users that are connected for each of those groups.


show crypto session summary

To display groups that are currently active on the Virtual Private Network (VPN) device and the users that are connected for each of those groups, use the show crypto session summary command in privileged EXEC mode.

show crypto session summary

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC mode

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

If the crypto isakmp client configuration group command has been configured with neither the max-users keyword nor the max-logins keyword in any VPN group profile, this command will yield a blank result.

Examples

The following example shows that the group "cisco" is active and that it has one user connected, green, who is connected one time. The number in parentheses (1) is the number of simultaneous logins for that user.

Router# show crypto session summary

 Group cisco has 1 connections
  User (Logins)
  green (1)

Related Commands

Command
Description

crypto isakmp client configuration group

Specifies to which group a policy profile will be defined.

show crypto session group

Displays groups that are currently active on the VPN device.


show crypto socket

To list crypto sockets, use the show crypto socket command in privileged EXEC mode.

show crypto socket

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)T

This command was introduced.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.


Usage Guidelines

Use this command to list crypto sockets and the state of the sockets.

Examples

The following sample output shows the number of crypto socket connections (1) and its state:

Router# show crypto sockets

Number of Crypto Socket connections 1

  Tu0 Peers (local/remote): 10.0.0.2/10.0.0.1
    Local Ident  (addr/mask/port/prot): (10.0.0.2/255.255.255.255/0/47)
    Remote Ident (addr/mask/port/prot): (10.0.0.1/255.255.255.255/0/47)
    Socket State: Open
    Client: "TUNNEL SEC" (Client State: Active)

Crypto Sockets in Listen state:
    TUNNEL SEC Profile: "vi"

Significant fields are described in Table 54.

Table 54 show crypto sockets Field Descriptions

Field
Description

Number of crypto socket connections

Number of crypto sockets in the system.

Socket State

This state can be Open, which means that active IPSec security associations (SAs) exist, or it can be Closed, which means that no active IPSec SAs exist.

Client

Application name and its state.

Crypto Sockets in Listen state

Name of the crypto IPSec profile.


show dnsix

To display state information and the current configuration of the DNSIX audit writing module, use the show dnsix command in privileged EXEC mode.

show dnsix

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

10.0

This command was introduced.


Examples

The following is sample output from the show dnsix command:

Router# show dnsix
Audit Trail Enabled with Source 192.168.2.5 
          State: PRIMARY
          Connected to 192.168.2.4 
          Primary 192.168.2.4 
          Transmit Count 1 
          DMDP retries 4
          Authorization Redirection List:
               192.168.2.4
          Record count: 0 
          Packet Count: 0 
          Redirect Rcv: 0 

show dot1x

To show details for an identity profile, use the show dot1x command in privileged EXEC mode.

show dot1x [interface interface-name [details]]

Syntax Description

interface interface-name

(Optional) Name of the interface.

details

(Optional) Displays 802.1X details for the specified interface.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(2)XA

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.3(11)T

The PAE, HeldPeriod, StartPeriod, and MaxStart fields were added to the show dot1x command output.


Examples

The following is sample output for the show dot1x command:

Router# show dot1x

Sysauthcontrol  = Disabled
Dot1x Version   = 1

Dot1x Info for interface Ethernet0
-----------------------------------------
PortControl       = AUTO
ReAuthentication  = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
QuietWhile        = 120 Seconds
MaxReq            = 2

Dot1x Info for interface Ethernet1
-----------------------------------------
PortControl       = AUTO
ReAuthentication  = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
QuietWhile        = 120 Seconds
MaxReq            = 2

The following is sample output for the show dot1x command using the interface and details keywords. In this example, one client on the interface is authenticated and one is not.

Router# show dot1x interface ethernet 0 details

PortControl       = AUTO
ReAuthentication  = Enabled
ReAuthPeriod      = 36000 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
QuietWhile        = 120 Seconds
MaxReq            = 2


Dot1x Client List
-------------------------------------
MAC Address         State
-------------------------------------
0000.1111.0001      AUTHENTICATED
0000.1111.0002      UNAUTHENTICATED

The following show dot1x sample output shows information for all three possible interface configurations (that is, as an authenticator, as a supplicant, and as an authenticator and supplicant).

Router# show dot1x

Sysauthcontrol     = Enabled
Dot1x Version      = 1

Dot1x Information for interface Ethernet0
-----------------------------------------
PortControl        = AUTO
PAE                = AUTHENTICATOR
ReAuthentication   = Enabled
ReAuthPeriod       = 60 Seconds
ServerTimeout      = 30 Seconds
SuppTimeout        = 30 Seconds
QuietWhile         = 120 Seconds
MaxReq             = 2

Dot1x Information for interface Ethernet1
-----------------------------------------
PortControl        = AUTO
PAE                = SUPPLICANT
AuthPeriod         = 30
HeldPeriod         = 60 Seconds
StartPeriod        = 30 Seconds
MaxStart           = 2

Dot1x Information for interface Ethernet2
-----------------------------------------
PortControl        = AUTO
PAE                = BOTH
ReAuthentication   = Enabled
ReAuthPeriod       = 60 Seconds
ServerTimeout      = 30 Seconds
SuppTimeout        = 30 Seconds
QuietWhile         = 120 Seconds
MaxReq             = 2
AuthPeriod         = 30
HeldPeriod         = 60 Seconds
StartPeriod        = 30 Seconds
MaxStart           = 2

The following is sample output for the show dot1x command using the interface keyword, first without and then with the details keyword.

Router# show dot1x interface ethernet0

PortControl        = AUTO
PAE                = AUTHENTICATOR
ReAuthentication   = Enabled
ReAuthPeriod       = 60 Seconds
ServerTimeout      = 30 Seconds
SuppTimeout        = 30 Seconds
QuietWhile         = 120 Seconds
MaxReq             = 2

Router# show dot1x interface ethernet0 details

PortControl        = AUTO
PAE                = SUPPLICANT
ReAuthentication   = Enabled
ReAuthPeriod       = 60 Seconds
ServerTimeout      = 30 Seconds
SuppTimeout        = 30 Seconds
QuietWhile         = 120 Seconds
MaxReq             = 2


Dot1x Client List
-------------------------------------
MAC Address         State
-------------------------------------
0001.f380.87ce      AUTHENTICATED
0001.87ce.f380      AUTHENTICATING
0010.a7b4.97af      UNAUTHENTICATED


Dot1x List of Supplicant Instances
-----------------------------------------
MAC Address          State
-----------------------------------------
0180.c200.0003       AUTHORIZED

Table 55 describes the significant fields shown in the displays.

Table 55 show dot1x Field Descriptions 

Field
Description

Sysauthcontrol

802.1X port-based authentication is enabled or disabled.

PortControl

Port control value.

AUTO—the authentication status of the client PC is being determined by the authentication process.

Force-authorize—all the client PCs on the interface are being authorized.

Force-unauthorized—all the client PCs on the interface are being unauthorized.

PAE

Port Access Entity. Defines the role of an interface (as a supplicant, as an authenticator, or as an authenticator and supplicant).

ReAuthentication

Periodic reauthentication of client PCs on the interface has been enabled or disabled.

ReAuthPeriod

Time after which an automatic reauthentication will be initiated.

ServerTimeout

Timeout that has been set for RADIUS retries. If an 802.1X packet is sent to the server and the server does not send a response, the packet will be sent again after the number of seconds that are shown.

SuppTimeout

Time that has been set for supplicant (client PC) retries. If an 802.1X packet is sent to the supplicant and the supplicant does not send a response, the packet will be sent again after the number of seconds that are shown.

QuietWhile

After authentication fails for a client, the authentication gets restarted after the quiet period that is shown.

RateLimit

Period during which EAP-start packets from misbehaving supplicants are throttled.

MaxReq

Maximum number of times that the router sends an Extensible Authentication Protocol (EAP) request/identity frame (assuming that no response is received) to the client PC before concluding that the client PC does not support 802.1X.

HeldPeriod

Interval for which the supplicant (client PC) will wait before trying to send its credentials after being unauthenticated by the authenticator.

StartPeriod

Interval between two successive Extensible Authentication Protocol over LAN (EAPOL) start messages (when they are being retransmitted).

MaxStart

Number of EAPOL-start messages that the supplicant (client PC) sends before the supplicant assumes that the other end is not 802.1X capable.

Dot1x Client List

Table providing information regarding MAC addresses and the state of the PCs. This list displays in the output if the interface is configured only as an authenticator or as an authenticator and a supplicant. If the interface is configured as a supplicant, a separate list is displayed.

Dot1x List of Supplicant Instances

Table providing information regarding MAC addresses and the state of the PCs. This list displays in the output if the interface is configured only as a supplicant.

MAC Address

List of MAC addresses (for example, the MAC address of the PC or of any 802.1X client).

State

The state of the PC can be authenticated or unauthenticated.


Related Commands

Command
Description

clear dot1x

Clears 802.1X interface information.

debug dot1x

Displays 802.1X debugging information.

identity profile

Creates an identity profile.


show dot1x (EtherSwitch)

To display the 802.1X statistics, administrative status, and operational status for the Ethernet switch network module or for the specified interface, use the show dot1x command in privileged EXEC mode.

show dot1x [statistics] [interface interface-type interface-number]

Syntax Description

statistics

(Optional) Displays 802.1X statistics.

interface interface-type interface-number

(Optional) Specifies the slot and port number of the interface for which to display 802.1X information.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(6)EA2

This command was introduced.

12.2(15)ZJ

This command was implemented on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.


Usage Guidelines

If you do not specify an interface, global parameters and a summary appear. If you specify an interface, details for that interface appear.

If you specify an interface with the statistics keyword, statistics appear for all physical ports.

Examples

The following is sample output from the show dot1x command:

Router# show dot1x

Global 802.1X Parameters
    reauth-enabled                no
    reauth-period               3600
    quiet-period                  60
    tx-period                     30
    supp-timeout                  30
    server-timeout                30
    reauth-max                     2
    max-req                        2

802.1X Port Summary
    Port Name                Status      Mode                Authorized
    Gi0/1                    disabled    n/a                 n/a
    Gi0/2                    enabled     Auto (negotiate)    no

    802.1X Port Details
    802.1X is disabled on GigabitEthernet0/1
    802.1X is enabled on GigabitEthernet0/2
      Status                Unauthorized
      Port-control          Auto
      Supplicant            0060.b0f8.fbfb
      Multiple Hosts        Disallowed
      Current Identifier    2

      Authenticator State Machine
        State               AUTHENTICATING
        Reauth Count        1

      Backend State Machine
        State               RESPONSE
        Request Count       0
        Identifier (Server) 2

      Reauthentication State Machine
        State               INITIALIZE

Table 56 describes the significant fields shown in the display.

Table 56 show dot1x Field Descriptions 

Field
Description

reauth-enabled

Periodic reauthentication of client PCs on the interface has been enabled or disabled.

reauth-period

Time, in seconds, after which an automatic reauthentication will be initiated.

quiet-period

After authentication fails for a client, authentication is restarted after this quiet period, shown in seconds.

tx-period

Time, in seconds, that the device waits for a response from a client to an Extensible Authentication Protocol (EAP) request or identity frame before retransmitting the request.

supp-timeout

Time, in seconds, that has been set for supplicant (client PC) retries. If an 802.1X packet is sent to the supplicant and the supplicant does not send a response, the packet will be sent again after the number of seconds that are shown.

server-timeout

Timeout, in seconds, that has been set for RADIUS retries. If an 802.1X packet is sent to the server and the server does not send a response, the packet will be sent again after the number of seconds that are shown.

reauth-max

The maximum number of times that the device tries to authenticate the client without receiving any response before the switch resets the port and restarts the authentication process.

max-req

Maximum number of times that the router sends an EAP request/identity frame (assuming that no response is received) to the client PC before concluding that the client PC does not support 802.1X.

Port Name

Interface type and slot/port numbers.

Status

Displays the 802.1X status of the port as either enabled or disabled.

Mode

Operational status of the port:

Auto—The port control value has been configured to be Force-unauthorized but the port has not changed to that state.

n/a—802.1X is disabled.

Authorized

Authorization state of the port.

Status

Status of the port (authorized or unauthorized). The status of a port appears as authorized if the dot1x port-control interface configuration command is set to auto, and authentication was successful.

Port-control

Setting of the dot1x port-control interface configuration command. The port control value is one of the following:

Auto—The authentication status of the client PC is being determined by the authentication process.

Force-authorize—All the client PCs on the interface are being authorized.

Force-unauthorized—All the client PCs on the interface are being unauthorized.

Supplicant

Ethernet MAC address of the client, if one exists. If the device has not discovered the client, this field displays Not set.

Multiple Hosts

Setting of the dot1x multiple-hosts interface configuration command (allowed or disallowed).

Current Identifier

Each exchange between the device and the client includes an identifier, which matches requests with responses. This number is incremented with each exchange and can be reset by the authentication server.

Note This field and the remaining fields in the output show internal state information. For a detailed description of these state machines and their settings, refer to the IEEE 802.1X standard.


The following is sample output from the show dot1x interface gigabitethernet0/2 privileged EXEC command. Table 56 describes the fields in the output.

Router# show dot1x interface gigabitethernet0/2

802.1X is enabled on GigabitEthernet0/2 
  Status                Authorized 
  Port-control          Auto 
  Supplicant            0060.b0f8.fbfb 
  Multiple Hosts        Disallowed 
  Current Identifier    3

  Authenticator State Machine 
    State               AUTHENTICATED 
    Reauth Count        0

  Backend State Machine 
    State               IDLE 
    Request Count       0 
    Identifier (Server) 2

  Reauthentication State Machine
    State               INITIALIZE

The following is sample output from the show dot1x statistics interface gigabitethernet0/1 command. Table 57 describes the fields in the example.

Router# show dot1x statistics interface gigabitethernet0/1

GigabitEthernet0/1

    Rx: EAPOL     EAPOL     EAPOL     EAPOL     EAP       EAP       EAP
        Start     Logoff    Invalid   Total     Resp/Id   Resp/Oth  LenError
        0         0         0         21        0         0         0

        Last      Last
        EAPOLVer  EAPOLSrc
        1         0002.4b29.2a03

    Tx: EAPOL     EAP       EAP
        Total     Req/Id    Req/Oth
        622       445       0 

Table 57 show dot1x statistics Field Descriptions 

Field
Description

Rx EAPOL Start

Number of valid EAPOL-start frames that have been received.

Note EAPOL = Extensible Authentication Protocol over LAN

Rx EAPOL Logoff

Number of EAPOL-logoff frames that have been received.

Rx EAPOL Invalid

Number of EAPOL frames that have been received and have an unrecognized frame type.

Rx EAPOL Total

Number of valid EAPOL frames of any type that have been received.

Rx EAP Resp/ID

Number of EAP-response/identity frames that have been received.

Rx EAP Resp/Oth

Number of valid EAP-response frames (other than response/identity frames) that have been received.

Rx EAP LenError

Number of EAPOL frames that have been received in which the packet body length field is invalid.

Last EAPOLVer

Protocol version number carried in the most recently received EAPOL frame.

Last EAPOLSrc

Source MAC address carried in the most recently received EAPOL frame.

Tx EAPOL Total

Number of EAPOL frames of any type that have been sent.

Tx EAP Req/Id

Number of EAP-request/identity frames that have been sent.

Tx EAP Req/Oth

Number of EAP-request frames (other than request/identity frames) that have been sent.
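The Rx/Tx counter table above is awkward to read by eye because each column name is split over two header lines. The following parser, added here as an example and not Cisco code, joins the header pairs into the field names of Table 57 and flags two patterns worth a look: malformed EAPOL frames, and identity requests that never get an answer (the sample output's 445 Req/Id against 0 Resp/Id). The sample text is constructed from the reference output above.

```python
"""Parse the Rx/Tx counter table of ``show dot1x statistics interface``.

Added example, not Cisco code. Assumes the layout of the reference output:
groups separated by blank lines, each group a two-line column header
followed by one row of values, with an "Rx:"/"Tx:" prefix on the first
group of each direction.
"""
import re

# Constructed sample, copied in shape from the reference output above.
SAMPLE = """\
GigabitEthernet0/1

    Rx: EAPOL     EAPOL     EAPOL     EAPOL     EAP       EAP       EAP
        Start     Logoff    Invalid   Total     Resp/Id   Resp/Oth  LenError
        0         0         0         21        0         0         0

        Last      Last
        EAPOLVer  EAPOLSrc
        1         0002.4b29.2a03

    Tx: EAPOL     EAP       EAP
        Total     Req/Id    Req/Oth
        622       445       0
"""


def _groups(text):
    """Yield the stripped, non-empty lines of each blank-line-separated group."""
    group = []
    for line in text.splitlines():
        if line.strip():
            group.append(line.strip())
        elif group:
            yield group
            group = []
    if group:
        yield group


def parse_dot1x_statistics(text):
    """Return {'interface': name, 'Rx': {column: value}, 'Tx': {...}}.

    Column names are the two header words joined ('EAPOL Start',
    'EAP Resp/Id', 'Last EAPOLSrc'). Counters become ints; the MAC in
    'Last EAPOLSrc' stays a string. A group without an Rx:/Tx: prefix
    (the 'Last ...' group) belongs to the preceding direction.
    """
    stats = {"interface": None, "Rx": {}, "Tx": {}}
    direction = None
    for group in _groups(text):
        if len(group) == 1 and direction is None:
            stats["interface"] = group[0]      # first group is the port name
            continue
        if len(group) != 3:
            raise ValueError("unexpected group layout: %r" % (group,))
        head1, head2, values = group
        m = re.match(r"(Rx|Tx):\s*(.*)$", head1)
        if m:
            direction, head1 = m.group(1), m.group(2)
        if direction is None:
            raise ValueError("counter group before any Rx:/Tx: header")
        names = ["%s %s" % pair for pair in zip(head1.split(), head2.split())]
        cells = values.split()
        if len(names) != len(cells):
            raise ValueError("header/value column mismatch: %r" % (group,))
        for name, cell in zip(names, cells):
            stats[direction][name] = int(cell) if cell.isdigit() else cell
    return stats


def dot1x_findings(stats):
    """Counter patterns worth a look on a port that is supposed to authenticate."""
    rx, tx = stats["Rx"], stats["Tx"]
    findings = []
    malformed = rx.get("EAPOL Invalid", 0) + rx.get("EAP LenError", 0)
    if malformed:
        findings.append("%d malformed EAPOL frames received; last EAPOL source %s"
                        % (malformed, rx.get("Last EAPOLSrc", "unknown")))
    if tx.get("EAP Req/Id", 0) and not rx.get("EAP Resp/Id", 0):
        findings.append("%d EAP-Request/Identity frames sent, none answered: the "
                        "attached device is not responding to 802.1X"
                        % tx["EAP Req/Id"])
    return findings


if __name__ == "__main__":
    parsed = parse_dot1x_statistics(SAMPLE)
    print(parsed["interface"], parsed["Rx"], parsed["Tx"])
    for finding in dot1x_findings(parsed):
        print("-", finding)
```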


Related Commands

Command
Description

dot1x default

Resets the global 802.1X parameters to their default values.


show eou

To display information about Extensible Authentication Protocol over UDP (EAPoUDP) global values or EAPoUDP session cache entries, use the show eou command in privileged EXEC mode.

show eou {all | authentication {clientless | eap | static} | interface {interface-type} | ip {ip-address} | mac {mac-address} | posturetoken {name}}

Syntax Description

all

Displays EAPoUDP information about all clients.

authentication

Authentication type.

clientless

Authentication type is clientless.

eap

Authentication type is EAP.

static

Authentication type is static.

interface

Provides information about the interface.

interface-type

Type of interface (see Table 58 for the interface types that may be shown).

ip

Specifies an IP address.

ip-address

IP address of the client device.

mac

Specifies a MAC address.

mac-address

The 48-bit address of the client device.

posturetoken

Displays information about a posture token name.

name

Name of the posture token.


Defaults

If no keywords are listed, all global EAPoUDP values are displayed.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Table 58 lists the interface types that may be used for the interface-type argument.

Table 58 Description of Interface Types

Interface Type
Description

Async

Asynchronous interface

BVI

Bridge-Group Virtual Interface

CDMA-Ix

Code division multiple access Internet exchange (CDMA Ix) interface

CTunnel

Connectionless Network Protocol (CLNS) tunnel (Ctunnel) interface

Dialer

Dialer interface

Ethernet

IEEE 802.3 standard interface

Lex

Lex interface

Loopback

Loopback interface

MFR

Multilink frame relay bundle interface

Multilink

Multilink-group interface

Null

Null interface

Serial

Serial interface

Tunnel

Tunnel interface

Vif

Pragmatic General Multicast (PGM) Multicast Host interface

Virtual-PPP

Virtual PPP interface

Virtual-Template

Virtual template interface

Virtual-TokenRing

Virtual TokenRing interface


Examples

The following output displays information about a global EAPoUDP configuration. The default values can be changed or customized using the eou default, eou max-retry, eou revalidate, or eou timeout commands, depending on whether you configure them globally or per interface.

Router# show eou 

Global EAPoUDP Configuration
----------------------------
EAPoUDP Version     = 1
EAPoUDP Port        = 0x5566
Clientless Hosts    = Disabled
IP Station ID       = Disabled
Revalidation        = Enabled
Revalidation Period = 36000 Seconds
ReTransmit Period   = 3 Seconds
StatusQuery Period  = 300 Seconds
Hold Period         = 180 Seconds
AAA Timeout         = 60 Seconds
Max Retries         = 3
EAPoUDP Logging     = Disabled
Clientless Host Username = clientless
Clientless Host Password = clientless

Interface Specific EAPoUDP Configurations
-----------------------------------------
Interface Ethernet2/1
No interface specific configuration


Table 59 describes the significant fields shown in the display.

Table 59 show eou Field Descriptions 

Field
Description

EAPoUDP Version

EAPoUDP protocol version.

EAPoUDP Port

EAPoUDP port number.

Clientless Hosts

Clientless hosts are enabled or disabled.

IP Station ID

Specifies whether the IP address is allowed in the AAA station-id field. By default, it is disabled.

Revalidation

Revalidation is enabled or disabled.

Revalidation Period

Specifies whether revalidation of hosts is enabled. By default, it is disabled.

ReTransmit Period

Specifies the EAPoUDP packet retransmission interval. The default is 3 seconds.

StatusQuery Period

Specifies the EAPoUDP status query interval for validated hosts. The default is 300 seconds.

Hold Period

Hold period following a failed authentication.

AAA Timeout

AAA timeout period.

Max Retries

Maximum number of allowable retransmissions.

EAPoUDP Logging

Logging is enabled or disabled.

Clientless Host Username

Username of the clientless host.

Clientless Host Password

Password of the clientless host.


Related Commands

Command
Description

eou

Displays information about EAPoUDP.


show ip admission

To display the network admission control cache entries or the running network admission control configuration, use the show ip admission command in privileged EXEC mode.

show ip admission {[cache] [configuration] [eapoudp]}

Syntax Description

cache

Displays the current list of network admission entries.

configuration

Displays the running network admission control configuration.

eapoudp

Displays the Extensible Authentication Protocol over UDP (EAPoUDP) network admission control entries.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Use this command to display either the IP admission control entries or the running IP admission control configuration. Use show ip admission cache eapoudp to list the host IP addresses, the session timeout, and the posture state. If the posture state is POSTURE ESTAB, the host validation was successful.

Examples

The following output displays all the IP admission control rules that are configured on the router:

Router# show ip admission configuration

Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Watch-list is disabled
Authentication Proxy Rule Configuration
 Auth-proxy name avrule
    eapoudp list not specified auth-cache-time 60 minutes

The following output displays the host IP addresses, the session timeout, and the posture states:

Router# show ip admission cache eapoudp

Posture Validation Proxy Cache
Total Sessions: 3 Init Sessions: 1
 Client IP 10.0.0.112, timeout 60, posture state POSTURE ESTAB
 Client IP 10.0.0.142, timeout 60, posture state POSTURE INIT
 Client IP 10.0.0.205, timeout 60, posture state POSTURE ESTAB

The field descriptions in the display are self-explanatory.

Related Commands

Command
Description

clear ip admission cache

Clears IP admission cache entries from the router.

ip admission name

Creates a Layer 3 network admission control rule.


show ip auth-proxy

To display the authentication proxy entries or the running authentication proxy configuration, use the show ip auth-proxy command in privileged EXEC mode.

show ip auth-proxy {cache | configuration}

Syntax Description

cache

Displays the current list of the authentication proxy entries.

configuration

Displays the running authentication proxy configuration.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

Use the show ip auth-proxy command to display either the authentication proxy entries or the running authentication proxy configuration. Use the cache keyword to list the host IP address, the source port number, the timeout value for the authentication proxy, and the state for connections using authentication proxy. If the authentication proxy state is HTTP_ESTAB, the user authentication was successful.

Use the configuration keyword to display all authentication proxy rules configured on the router.

Examples

The following example shows sample output from the show ip auth-proxy cache command after one user authentication using the authentication proxy:

Router# show ip auth-proxy cache

Authentication Proxy Cache
Client IP 192.168.25.215 Port 57882, timeout 1, state HTTP_ESTAB

The following example shows how the show ip auth-proxy configuration command displays the information about the authentication proxy rule pxy. The global idle timeout value is 60 minutes. The idle timeout value for this named rule is 30 minutes. No host list is specified in the rule, meaning that all connections initiating HTTP traffic at the interface are subject to the authentication proxy rule.

Router# show ip auth-proxy configuration

Authentication cache time is 60 minutes
Authentication Proxy Rule Configuration
Auth-proxy name pxy
http list not specified auth-cache-time 30 minutes

Related Commands

Command
Description

clear ip auth-proxy cache

Clears authentication proxy entries from the router.

ip auth-proxy

Sets the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity).

ip auth-proxy (interface configuration)

Applies an authentication proxy rule at a firewall interface.

ip auth-proxy name

Creates an authentication proxy rule.


show ip inspect

To display Context-Based Access Control (CBAC) configuration and session information, use the show ip inspect command in privileged EXEC mode.

show ip inspect {name inspection-name | config | interfaces | session [detail] | statistics | all} [vrf vrf-name]

Syntax Description

name inspection-name

Displays the configured inspection rule with the name inspection-name.

config

Displays the complete CBAC inspection configuration.

interfaces

Displays the interface configuration with respect to applied inspection rules and access lists.

session [detail]

Displays existing sessions that are currently being tracked and inspected by CBAC. The optional detail keyword allows additional details about these sessions to be shown.

statistics

Displays CBAC session statistics, such as the number of TCP and HTTP packets that are processed through the inspection, the number of sessions that have been created since the subsystem startup, the current session count, the maximum session count, and the session creation rate.

all

Displays all CBAC configuration and all existing sessions that are currently being tracked and inspected by CBAC.

vrf vrf-name

(Optional) Displays information only for the specified Virtual Routing and Forwarding (VRF) interface.


Command Modes

Privileged EXEC

Command History

Release
Modification

11.2 P

This command was introduced.

12.3(4)T

The output for the show ip inspect session detail command was enhanced to support dynamic access control list (ACL) bypass.

12.3(11)T

The statistics keyword was added.

12.3(14)T

The output shows the IMAP and POP3 configuration. The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

Use this command to view the CBAC configuration and session information.

ACL Bypass Functionality

ACL bypass allows a packet to avoid redundant ACL checks by allowing the firewall to permit the packet on the basis of existing inspection sessions instead of dynamic ACLs. Because input and output dynamic ACLs have been eliminated from the firewall configuration, the show ip inspect session detail command output no longer shows dynamic ACLs. Instead, the output displays the matching inspection session for each packet that is permitted through the firewall.

Examples

The following example shows sample output for the show ip inspect name myinspectionrule command, where the inspection rule "myinspectionrule" is configured. In this example, the output shows the protocols that should be inspected by CBAC and the corresponding idle timeouts for each protocol.

Router# show ip inspect name myinspectionrule

Inspection Rule Configuration
 Inspection name myinspectionrule
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600

The following is sample output for the show ip inspect config command. In this example, the output shows CBAC configuration, including global timeouts, thresholds, and inspection rules.

Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name myinspectionrule
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600

The following is sample output for the show ip inspect interfaces command:

Interface Configuration
 Interface Ethernet0
  Inbound inspection rule is myinspectionrule
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

The following is sample output for the show ip inspect session command. In this example, the output shows the source and destination addresses and port numbers (separated by colons), and it indicates that the session is an FTP session.

Router# show ip inspect session 

Established Sessions
 Session 25A3318 (10.0.0.1:20)=>(10.1.0.1:46068) ftp-data SIS_OPEN
 Session 25A6E1C (10.1.0.1:46065)=>(10.0.0.1:21) ftp SIS_OPEN


The following is sample output for the show ip inspect all command:

Router# show ip inspect all

Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name all
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
Interface Configuration
 Interface Ethernet0
  Inbound inspection rule is all
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
 Established Sessions
 Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN
 Session 25A34A0 (40.0.0.1:20)=>(30.0.0.1:46072) ftp-data SIS_OPEN

The following is sample output from the show ip inspect session detail command, which shows that an outgoing ACL and an inbound ACL (dynamic ACLs) have been created to allow return traffic:

Router# show ip inspect session detail 

Established Sessions
 Session 80E87274 (192.168.1.116:32956)=>(192.168.101.115:23) tcp SIS_OPEN
   Created 00:00:08, Last heard 00:00:04
   Bytes sent (initiator:responder) [140:298] acl created 2
   Outgoing access-list 102 applied to interface FastEthernet0/0
   Inbound access-list 101 applied to interface FastEthernet0/1

The following is sample output from the show ip inspect session detail command, which shows related ACL information (such as session identifiers [SIDs]), but does not show dynamic ACLs, which are no longer created:

Router# show ip inspect session detail

Established Sessions
 Session 814063CC (192.168.1.116:32955)=>(192.168.101.115:23) tcp SIS_OPEN
  Created 00:00:10, Last heard 00:00:06
  Bytes sent (initiator:responder) [140:298]
  In  SID 192.168.101.115[23:23]=>192.168.1.117[32955:32955] on ACL 101 (15 matches)
  Out SID 192.168.101.115[23:23]=>192.168.1.116[32955:32955] on ACL 102

The following is sample output from the show ip inspect statistics command:

Router# show ip inspect statistics

Packet inspection statistics [process switch:fast switch]
  tcp packets: [616668:0]
  http packets: [178912:0]
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 42940
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [98:68:50]
Last session created 5d21h
Last statistic reset never
Last session creation rate 0
Last half-open session total 0

Router#
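The config, session and statistics outputs above are the three places an operator looks when deciding whether the half-open session thresholds are sized correctly. The following code, added here as an example and not Cisco code, parses the three formats and reports when the current or maxever half-open count (or the creation rate) has reached the configured [low:high] thresholds. It assumes the bracketed pairs are low:high and that "Last session creation rate" is comparable to the one-minute thresholds; the sample text is constructed from the reference output above.

```python
"""Parse ``show ip inspect`` output (``config`` thresholds, ``statistics``
counters and ``session`` lines) and check half-open pressure against the
configured thresholds.

Added example, not Cisco code. Assumes bracketed pairs are [low:high]
thresholds, triples are (estab:half-open:terminating) as labelled, and the
"Last session creation rate" is compared against the one-minute thresholds.
"""
import re

# Constructed samples, copied in shape from the reference output above.
CONFIG = """\
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
"""
STATISTICS = """\
Session creations since subsystem startup or last reset 42940
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [98:68:50]
Last session creation rate 0
"""
SESSIONS = """\
Established Sessions
 Session 25A3318 (10.0.0.1:20)=>(10.1.0.1:46068) ftp-data SIS_OPEN
 Session 25A6E1C (10.1.0.1:46065)=>(10.0.0.1:21) ftp SIS_OPEN
"""
SESSION_RE = re.compile(
    r"^\s*Session (?P<id>[0-9A-F]+) "
    r"\((?P<sip>[\d.]+):(?P<sport>\d+)\)=>\((?P<dip>[\d.]+):(?P<dport>\d+)\) "
    r"(?P<proto>\S+) (?P<state>\S+)\s*$")

def _ints(text, pattern):
    """Integer groups of the first match of pattern; raise if the line is absent."""
    m = re.search(pattern, text)
    if not m:
        raise ValueError("missing line matching %r" % pattern)
    return tuple(int(g) for g in m.groups())

def parse_thresholds(text):
    """(low, high) thresholds and per-host limit from ``show ip inspect config``."""
    return {
        "one_minute": _ints(text, r"one-minute \(sampling period\) thresholds are \[(\d+):(\d+)\]"),
        "max_incomplete": _ints(text, r"max-incomplete sessions thresholds are \[(\d+):(\d+)\]"),
        "per_host": _ints(text, r"max-incomplete tcp connections per host is (\d+)")[0],
    }

def parse_statistics(text):
    """Session counters from ``show ip inspect statistics``."""
    return {
        "creations": _ints(text, r"Session creations since subsystem startup or last reset (\d+)")[0],
        "current": _ints(text, r"Current session counts .*?\[(\d+):(\d+):(\d+)\]"),
        "maxever": _ints(text, r"Maxever session counts .*?\[(\d+):(\d+):(\d+)\]"),
        "creation_rate": _ints(text, r"Last session creation rate (\d+)")[0],
    }

def parse_sessions(text):
    """``show ip inspect session`` entries as dicts; heading lines are skipped."""
    out = []
    for m in filter(None, map(SESSION_RE.match, text.splitlines())):
        d = m.groupdict()
        out.append({"id": d["id"], "src": (d["sip"], int(d["sport"])),
                    "dst": (d["dip"], int(d["dport"])),
                    "protocol": d["proto"], "state": d["state"]})
    return out

def assess(thresholds, stats):
    """Findings when half-open counts or the creation rate reach the thresholds."""
    findings = []
    low, high = thresholds["max_incomplete"]
    half_open, maxever_half_open = stats["current"][1], stats["maxever"][1]
    if half_open >= high:
        findings.append("current half-open sessions %d reached max-incomplete high %d"
                        % (half_open, high))
    elif half_open >= low:
        findings.append("current half-open sessions %d above max-incomplete low %d"
                        % (half_open, low))
    if maxever_half_open >= high:
        findings.append("max-incomplete high %d was reached since the last reset "
                        "(maxever half-open %d)" % (high, maxever_half_open))
    if stats["creation_rate"] >= thresholds["one_minute"][1]:
        findings.append("session creation rate %d reached one-minute high %d"
                        % (stats["creation_rate"], thresholds["one_minute"][1]))
    return findings

if __name__ == "__main__":
    th, st = parse_thresholds(CONFIG), parse_statistics(STATISTICS)
    print(th, st, parse_sessions(SESSIONS), assess(th, st), sep="\n")
```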

show ip ips

To display Intrusion Prevention System (IPS) information such as configured sessions and signatures, use the show ip ips command in privileged EXEC mode.

show ip ips {[all] [configuration] [interfaces] [name name] [statistics [reset]] [sessions [details]] [signatures [details]]}

Syntax Description

all

Displays all available IPS information.

configuration

Displays additional configuration information, including default values that may not be displayed using the show running-config command.

interfaces

Displays the interface configuration.

statistics [reset]

Displays information such as the number of packets audited and the number of alarms sent. The optional reset keyword resets sample output to reflect the latest statistics.

name name

Displays information only for the specified IPS rule.

sessions [details]

Displays IPS session-related information. The optional details keyword shows detailed session information.

signatures [details]

Displays signature information, such as which signatures are disabled and marked for deletion. The optional details keyword shows detailed signature information.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from show ip audit to show ip ips. Also, all show ip ips commands were combined into a single command.


Usage Guidelines

Use the show ip ips configuration EXEC command to display additional configuration information, including default values that may not be displayed using the show running-config command.

Examples

Sample Output for the show ip ips configuration Command

The following example displays the output of the show ip ips configuration command:

Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:5 OrgID:100 Addr:10.2.7.3 Msg dropped:0
HID:1000 OID:100 S:218 A:3 H:14092 HA:7118 DA:0 R:0
    CID:1 IP:172.21.160.20 P:45000 S:ESTAB (Curr Conn)
Audit Rule Configuration
 Audit name AUDIT.1
    info actions alarm

Sample Output for the show ip ips interface Command

The following example displays the output of the show ip ips interface command:

Interface Configuration
 Interface Ethernet0
  Inbound IPS audit rule is AUDIT.1
    info actions alarm
  Outgoing IPS audit rule is not set
 Interface Ethernet1
  Inbound IPS audit rule is AUDIT.1
    info actions alarm
  Outgoing IPS audit rule is AUDIT.1
    info actions alarm

Sample Output for the show ip ips statistics Command

The following example displays the output of the show ip ips statistics command:

Signature audit statistics [process switch:fast switch]
  signature 2000 packets audited: [0:2]
  signature 2001 packets audited: [9:9]
  signature 2004 packets audited: [0:2]
  signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0

Related Commands

Command
Description

clear ip ips statistics

Resets statistics on packets analyzed and alarms sent.


show ip port-map

To display the port-to-application mapping (PAM) information, use the show ip port-map command in privileged EXEC mode.

show ip port-map [appl-name | port port-num [detail]]

Syntax Description

appl-name

(Optional) Specifies the name of the application to which to apply the port mapping.

port port-num

(Optional) Specifies the alternative port number that maps to the application.

detail

(Optional) Shows the port or application details.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(14)T

The detail keyword was added and command output was modified to display user-defined applications.


Usage Guidelines

Use this command to display the port mapping information at the firewall, including the system-defined and user-defined information. Include the application name to display the list of entries by application. Include the port number to display the entries by port.

Examples

The following is sample output from the show ip port-map command, including system- and user-defined mapping information. Notice that multiple port numbers display in a series such as 554, 8554, or 1512...1525, or a range such as 55000 to 62000. When there are multiple ports, they all display if they can fit into the fixed-field width. If they cannot fit into the fixed-field width, they display with an ellipsis, such as 1512...1525 shown below.

Router# show ip port-map

Default mapping:  snmp       udp port 161                    system defined
Host specific:    snmp       udp port 577         in list 55 user defined
Host specific:    snmp       udp port 55000-62000 in list 57 user defined
Default mapping:  echo       tcp port 7                      system defined
Default mapping:  echo       udp port 7                      system defined
Default mapping:  telnet     tcp port 23                     system defined
Default mapping:  wins       tcp port 1512...1525            system defined
Default mapping:  n2h2server tcp port 9285                   system defined
Default mapping:  n2h2server udp port 9285                   system defined
Default mapping:  nntp       tcp port 119                    system defined
Default mapping:  pptp       tcp port 1725                   system defined
Default mapping:  rtsp       tcp port 554,8554               system defined
Default mapping:  bootpc     udp port 68                     system defined
Default mapping:  gdoi       udp port 848                    system defined
Default mapping:  tacacs     udp port 49                     system defined
Default mapping:  gopher     tcp port 70                     system defined
Default mapping:  icabrowser udp port 1604                   system defined

The following sample output from the show ip port-map snmp command displays information about the SNMP application:

Router# show ip port-map snmp

Default mapping:  snmp    udp port 161                      system defined
Host specific:    snmp    udp port 577          in list 55  user defined
Host specific:    snmp    udp port 55000-62000  in list 57  user defined

The following sample output from the show ip port-map snmp detail command displays detailed information about the SNMP application:

Router# show ip port-map snmp detail

 IP port-map entry for application 'snmp':
     udp 161                    Simple Network Management Protoco system defined
     udp 577            list 55 User's SNMP Port                  user defined
     udp 55000-62000    list 57 User's Another SNMP Port          user defined

The following sample output from the show ip port-map port 577 command displays information about port 577:

Router# show ip port-map port 577

Host specific:   snmp  udp port 577    in list 55   user defined

The following sample output from the show ip port-map port 55800 command displays information about port 55800:

Router# show ip port-map port 55800

Host specific:   snmp   udp port 55800  in list 57   user defined

The following sample output from the show ip port-map port 577 detail command displays detailed information about port 577:

Router# show ip port-map port 577 detail 

 IP Port-map entry for port 577:
 snmp                 udp list 55                            user defined
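
The display format above is what an administrator has to read when auditing which non-standard ports the firewall will treat as a given application. The following Python parser is an added example, not part of the Cisco reference: it turns the display lines into records, expands series and ranges into port intervals, keeps ellipsis-shortened lists (such as 1512...1525) flagged as truncated rather than guessing the hidden values, and lists the user-defined entries. The sample text is constructed in the layout shown above, and the helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of the show ip port-map display above
# (not a capture from a real router).
SAMPLE_OUTPUT = """\
Default mapping:  snmp       udp port 161                    system defined
Host specific:    snmp       udp port 577         in list 55 user defined
Host specific:    snmp       udp port 55000-62000 in list 57 user defined
Default mapping:  wins       tcp port 1512...1525            system defined
Default mapping:  rtsp       tcp port 554,8554               system defined
Default mapping:  pptp       tcp port 1725                   system defined
"""

# One display line: scope, application, protocol, port spec, optional ACL, origin.
LINE_RE = re.compile(
    r"^(?P<scope>Default mapping|Host specific):\s+"
    r"(?P<app>\S+)\s+(?P<proto>tcp|udp)\s+port\s+(?P<ports>\S+)"
    r"(?:\s+in list\s+(?P<acl>\d+))?\s+(?P<origin>system|user) defined\s*$"
)


@dataclass
class PamEntry:
    scope: str
    app: str
    proto: str
    ports: List[Tuple[int, int]]   # inclusive (low, high) pairs
    truncated: bool                # display used "..." so the full list is unknown
    acl: Optional[str]             # host-specific entries carry the standard ACL number
    origin: str                    # "system" or "user"


def parse_ports(spec: str) -> Tuple[List[Tuple[int, int]], bool]:
    """Expand '161', '554,8554' and '55000-62000' into (low, high) pairs.
    A '1512...1525' form means the router cut the list to fit the
    fixed-width field: only the first and last values shown are certain,
    so they are kept as-is and the entry is flagged as truncated."""
    if "..." in spec:
        first, last = spec.split("...")
        return [(int(first), int(first)), (int(last), int(last))], True
    pairs = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            pairs.append((int(lo), int(hi)))
        else:
            pairs.append((int(part), int(part)))
    return pairs, False


def parse_port_map(text: str) -> List[PamEntry]:
    """Parse every mapping line; unrelated lines (prompt, blanks) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ports, truncated = parse_ports(m["ports"])
        entries.append(PamEntry(m["scope"], m["app"], m["proto"], ports,
                                truncated, m["acl"], m["origin"]))
    return entries


def user_defined(entries: List[PamEntry]) -> List[PamEntry]:
    """Entries worth reviewing in an audit: everything not system defined."""
    return [e for e in entries if e.origin == "user"]


def applications_for(entries: List[PamEntry], proto: str, port: int) -> List[str]:
    """Applications the firewall would associate with proto/port.
    Truncated entries can only answer for the ports actually displayed."""
    return [e.app for e in entries
            if e.proto == proto and any(lo <= port <= hi for lo, hi in e.ports)]


if __name__ == "__main__":
    for e in user_defined(parse_port_map(SAMPLE_OUTPUT)):
        print(f"{e.app} {e.proto} {e.ports} acl={e.acl}")
```

Feed it the saved output of show ip port-map; for a truncated entry, rerun the command with the application name and the detail keyword to obtain the full list before relying on applications_for.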

Related Commands

Command
Description

ip port-map

Establishes PAM entries.


show ip sdee

To display Security Device Event Exchange (SDEE) notification information, use the show ip sdee command in privileged EXEC mode.

show ip sdee {[alerts] [all] [errors] [events] [configuration] [status] [subscriptions]}

Syntax Description

alerts

Displays the Intrusion Detection System (IDS) alert buffer.

all

Displays all information available for IDS SDEE notifications.

errors

Displays IDS SDEE error messages.

events

Displays IDS SDEE events.

configuration

Displays SDEE configuration parameters.

status

Displays the status events that are currently in the buffer.

subscriptions

Displays IDS SDEE subscription information.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Examples

The following is sample output from the show ip sdee alerts command. In this example, the alerts are numbered from 1 to 100 (because 100 events are currently in the event buffer). Following the alert number are 3 digits, which indicate whether the alert has been reported for the 3 possible subscriptions. In this example, these alerts have been reported for subscription number 1. The event ID is composed of the alert time and an increasing count, separated by a colon.

Router# show ip sdee alerts

Event storage:1000 events using 656000 bytes of memory
                                SDEE Alerts

SigID       SrcIP     DstIP       SrcPort  DstPort  Sev     Event ID        SigName
1:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211478597901  ICMP Echo Req
2:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211478887902  ICMP Echo Req
3:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211479247903  ICMP Echo Req
4:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211479457904  ICMP Echo Req
5:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211479487905  ICMP Echo Req
6:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211480077906  ICMP Echo Req
7:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211480407907  ICMP Echo Req
...........................................................
...........................................................
96:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750898596  ICMP Echo Req
97:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750898597  ICMP Echo Req
98:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750898598  ICMP Echo Req
99:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750908599  ICMP Echo Req
100:000 2004 10.0.0.2 10.0.0.1    8        0        2       10211750918600  ICMP Echo Req 
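
The three digits after the alert number are the only indication in this display of which subscriptions have already collected an alert, so a collector outage shows up as a run of 000 entries at the tail of a fixed-size buffer. The following Python code is an added example, not Cisco's, that parses lines in the layout above, decodes those flags, lists alerts no subscription has received, counts alerts per signature, and checks that event IDs keep increasing down the listing. The sample lines are constructed, and the function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed lines in the layout of the show ip sdee alerts display above
# (not a capture from a real sensor); the header line is included so the
# parser is shown skipping it.
SAMPLE_ALERTS = """\
SigID       SrcIP     DstIP       SrcPort  DstPort  Sev     Event ID        SigName
1:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211478597901  ICMP Echo Req
2:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211478887902  ICMP Echo Req
96:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750898596  ICMP Echo Req
97:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750898597  ICMP Echo Req
"""

# "<n>:<3 flags> SigID SrcIP DstIP SrcPort DstPort Sev EventID SigName"
ALERT_RE = re.compile(
    r"^(?P<idx>\d+):(?P<flags>[01]{3})\s+(?P<sigid>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<sev>\d+)\s+(?P<event_id>\d+)\s+(?P<name>\S.*?)\s*$"
)


@dataclass
class SdeeAlert:
    index: int
    reported: Tuple[bool, bool, bool]   # one flag per possible subscription (1, 2, 3)
    sigid: int
    src: str
    dst: str
    sport: int
    dport: int
    severity: int
    event_id: int
    name: str


def parse_sdee_alerts(text: str) -> List[SdeeAlert]:
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue   # header, "Event storage" line, "...." separators
        flags = tuple(ch == "1" for ch in m["flags"])
        alerts.append(SdeeAlert(int(m["idx"]), flags, int(m["sigid"]), m["src"], m["dst"],
                                int(m["sport"]), int(m["dport"]), int(m["sev"]),
                                int(m["event_id"]), m["name"]))
    return alerts


def undelivered(alerts: List[SdeeAlert]) -> List[SdeeAlert]:
    """Alerts no subscriber has collected yet: all three flags are 0.
    In a buffer of fixed size these are the ones at risk of being
    overwritten before a collector pulls them."""
    return [a for a in alerts if not any(a.reported)]


def by_signature(alerts: List[SdeeAlert]) -> Dict[Tuple[int, str], int]:
    """Alert volume per signature, the usual first cut when triaging a buffer."""
    return Counter((a.sigid, a.name) for a in alerts)


def event_ids_increasing(alerts: List[SdeeAlert]) -> bool:
    """Event IDs carry a time component followed by a running count, so a
    buffer listed in order should never show an ID going backwards; a
    regression would suggest the buffer wrapped or was cleared."""
    ids = [a.event_id for a in alerts]
    return all(earlier < later for earlier, later in zip(ids, ids[1:]))


if __name__ == "__main__":
    parsed = parse_sdee_alerts(SAMPLE_ALERTS)
    print(len(undelivered(parsed)), "alerts not yet delivered to any subscription")
    print(dict(by_signature(parsed)))
```

A growing undelivered count across successive runs of show ip sdee alerts, with the buffer size from show ip sdee subscriptions as the ceiling, is a practical check that the SDEE collector is still polling.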

The following is sample output from the show ip sdee subscriptions command. In this example, SDEE is enabled, the maximum event buffer size has been set to 100, and the maximum number of subscriptions that can be open at the same time is 1.

Router# show ip sdee subscriptions 

SDEE is enabled
Alert buffer size:100 alerts 65600 bytes
Maximum subscriptions:1

SDEE open subscriptions: 1
Subscription ID IDS1720:0:
Client address 10.0.0.2 port 1500
        Subscription opened at 13:21:30 MDT July 18 2003
        Total GET requests:0
        Max number of events:50
        Timeout:30
        Event Start Time:0
        Report alerts:true
        Alert severity level is INFORMATIONAL
        Report errors:false
        Report status:false

Table 60 describes the significant fields shown in the display.

Table 60 show ip sdee subscriptions Field Descriptions 

Field
Description

Alert buffer size:100 alerts 65600 bytes

Maximum number of events that can be stored in the buffer. The maximum number of events to be stored refers to all types of events (alert, status, and error).

(This value can be changed via the ip sdee events command.)

Maximum subscriptions:1

Maximum number of subscriptions that can be open at the same time. (This value can be changed via the ip sdee subscriptions command.)


The following is sample output from the show ip sdee status command. In this example, the buffer is set to store a maximum of 1000 events.

Router# show ip sdee status

Event storage:1000 events using 656000 bytes of memory

                   SDEE Status Messages
Time                            Message              Description
1:000 22:10:58 UTC Apr 18 2003  applicationStarted   STRING.UDP,0 ms
2:000 22:10:58 UTC Apr 18 2003  applicationStarted   STRING.TCP,0 ms
3:000 22:10:58 UTC Apr 18 2003  applicationStarted   OTHER,0 ms
4:000 22:10:58 UTC Apr 18 2003  applicationStarted   SERVICE.FTP,276 ms
5:000 22:11:07 UTC Apr 18 2003  applicationStarted   SERVICE.SMTP,8884 ms
6:000 22:11:07 UTC Apr 18 2003  applicationStarted   SERVICE.RPC,72 ms
7:000 22:11:07 UTC Apr 18 2003  applicationStarted   SERVICE.DNS,132 ms
8:000 22:11:15 UTC Apr 18 2003  applicationStarted   SERVICE.HTTP,7632 ms
9:000 22:11:15 UTC Apr 18 2003  applicationStarted   ATOMIC.TCP,24 ms
10:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.UDP,12 ms
11:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.ICMP,12 ms
12:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.IPOPTIONS,8 ms
13:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.L3.IP,8 ms

Related Commands

Command
Description

ip ips notify

Specifies the method of event notification.

ip sdee events

Sets the maximum number of SDEE events that can be stored in the event buffer.

ip sdee subscriptions

Sets the maximum number of SDEE subscriptions that can be open simultaneously.


show ip source-track

To display traffic flow statistics for tracked IP host addresses, use the show ip source-track command in privileged EXEC mode.

show ip source-track [ip-address] [summary | cache]

Syntax Description

ip-address

(Optional) Displays the IP address of the tracked host for which traffic flow information is displayed.

summary

(Optional) Displays a summary of traffic flow information that is collected for a specified host address (via the ip-address argument) or for all configured hosts.

cache

(Optional) Displays detailed packet and flow information that is collected on line cards and port adapters for all tracked IP addresses or for a specified IP address. (This information is not displayed on a distributed platform such as the gigabit route processor (GRP) or route switch processor (RSP).)


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(21)S

This command was introduced.

12.0(22)S

This command was implemented on the Cisco 7500 series routers.

12.0(26)S

This command was implemented on Cisco 12000 series ISE line cards.

12.3(7)T

This command was integrated into Cisco IOS Release 12.3(7)T.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Examples

The following example, which is sample output from the show ip source-track summary command, shows how to verify that IP source tracking is enabled for one or more hosts:

Router# show ip source-track summary

Address          Bytes    Pkts    Bytes/s   Pkts/s
10.0.0.1          119G   1194M    443535      4432
192.168.1.1       119G   1194M    443535      4432
192.168.42.42     119G   1194M    443535      4432

The following example, which is sample output from the show ip source-track summary command, shows how to verify that no traffic has yet been received for the destination hosts that are being tracked:

Router# show ip source-track summary

Address        Bytes   Pkts   Bytes/s   Pkts/s
10.0.0.1           0      0         0        0 
192.168.1.1        0      0         0        0 
192.168.42.42      0      0         0        0 

The following example, which is sample output from the show ip source-track command, shows that IP source tracking is processing packets to the hosts and exporting statistics from the line card or port adapter to the route processor:

Router# show ip source-track

Address         SrcIF    Bytes   Pkts   Bytes/s   Pkts/s
10.0.0.1        PO0/0    119G   1194M    513009     5127
192.168.1.1     PO0/0    119G   1194M    513009     5127
192.168.42.42   PO0/0    119G   1194M    513009     5127

Related Commands

Command
Description

ip source-track

Enables IP source tracking for a specified host.

ip source-track address-limit

Configures the maximum number of destination hosts that can be simultaneously tracked at any given moment.

ip source-track syslog-interval

Sets the time interval (in minutes) in which syslog messages are generated if IP source tracking is enabled on a device.


show ip source-track export flows

To display the last ten packet flows that were exported from the line card to the route processor, use the show ip source-track export flows command in privileged EXEC mode.

show ip source-track export flows

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(21)S

This command was introduced.

12.0(22)S

This command was implemented on the Cisco 7500 series routers.

12.0(26)S

This command was implemented on Cisco 12000 series ISE line cards.

12.3(7)T

This command was integrated into Cisco IOS Release 12.3(7)T.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Usage Guidelines

The show ip source-track export flows command can be issued only on distributed platforms such as the GRP and the RSP.

Examples

The following example displays the packet flow information that is exported from line cards and port adapters to the gigabit route processor (GRP) and the route switch processor (RSP):

Router# show ip source-track export flows

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
PO0/0         101.1.1.0       Null          100.1.1.1       06 0000 0000    88K
PO0/0         101.1.1.0       Null          100.1.1.3       06 0000 0000    88K
PO0/0         101.1.1.0       Null          100.1.1.2       06 0000 0000    88K

Related Commands

Command
Description

ip source-track

Enables IP source tracking for a specified host.

ip source-track export-interval

Sets the time interval (in seconds) in which IP source tracking statistics are exported from the line card to the RP.


show ip ssh

To display the version and configuration data for Secure Shell (SSH), use the show ip ssh command in privileged EXEC mode.

show ip ssh

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1 T.

12.1(5)T

This command was modified to display the SSH status—enabled or disabled.


Usage Guidelines

Use the show ip ssh command to view the status of configured options such as retries and timeouts. This command allows you to see if SSH is enabled or disabled.

Examples

The following is sample output from the show ip ssh command when SSH has been enabled:

Router# show ip ssh

SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3

The following is sample output from the show ip ssh command when SSH has been disabled:
Router# show ip ssh

%SSH has not been enabled

Related Commands

Command
Description

show ssh

Displays the status of SSH server connections.


show ip traffic-export

To display information related to router IP traffic export (RITE), use the show ip traffic-export command in privileged EXEC mode.

show ip traffic-export [interface interface-name | profile profile-name]

Syntax Description

interface interface-name

(Optional) Only data associated with the monitored ingress interface is shown.

profile profile-name

(Optional) Only flow statistics, such as exported packets and number of bytes, are shown.


Defaults

If neither keyword is specified, all data (both interface- and profile-related data) is shown.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Examples

The following sample output from the show ip traffic-export command is for the profile "one." This example is for a single configured interface. If multiple interfaces are configured, the information shown below is displayed for each interface.

Router# show ip traffic-export

Router IP Traffic Export Parameters

Monitored Interface FastEthernet0/0

Export Interface FastEthernet0/1

Destination MAC address 0030.7131.abfc

bi-directional traffic export is off

Input IP Traffic Export Information Packets/Bytes Exported 0/0

Packets Dropped 0

Sampling Rate one-in-every 1 packets

        No Access List configured
        Profile one is Active

Table 61 describes the significant fields shown in the display.

Table 61 show ip traffic-export Field Descriptions 

Field
Description

Monitored Interface

Interface in which the profile was applied. (This interface is specified via the ip traffic-export apply profile command.)

Export Interface

Interface in which the profile exports all captured IP traffic. (This interface is specified via the ip traffic-export profile command.)

Destination MAC address

Ethernet address of the destination host, which is specified via the mac-address command.

bi-directional traffic export is

Incoming and outgoing IP traffic is exported on the monitored interface (via the bidirectional command). By default, only incoming traffic is exported.

Input IP Traffic Export Information
    Packets Dropped
    Sampling Rate
    No Access List Configured
    Profile one is Active

Incoming IP traffic information. The sampling rate and ACL can be defined via the incoming command. If the profile is incomplete, the profile will be listed as inactive.


Related Commands

Command
Description

bidirectional

Enables incoming and outgoing IP traffic to be exported across a monitored interface.

ip traffic-export apply profile

Applies an IP traffic export profile to a specific interface.

ip traffic-export profile

Creates or edits an IP traffic export profile and enables the profile on an ingress interface.

incoming

Configures filtering for incoming export traffic.

outgoing

Configures filtering for outgoing export traffic.


show ip trigger-authentication

To display the list of remote hosts for which automated double authentication has been attempted, use the show ip trigger-authentication command in privileged EXEC mode.

show ip trigger-authentication

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Whenever a remote user needs to be user-authenticated in the second stage of automated double authentication, the local device sends a User Datagram Protocol (UDP) packet to the remote user's host. When the UDP packet is sent, the user's host IP address is added to a table. If additional UDP packets are sent to the same remote host, a new table entry is not created; instead, the existing entry is updated with a new time stamp. This remote host table contains a cumulative list of host entries; entries are deleted after a timeout period or after you manually clear the table using the clear ip trigger-authentication command. You can change the timeout period with the ip trigger-authentication (global) command.

Use this command to view the list of remote hosts for which automated double authentication has been attempted.

Examples

The following example shows output from the show ip trigger-authentication command:

Router# show ip trigger-authentication

Trigger-authentication Host Table:
Remote Host          Time Stamp
209.165.200.230       2940514234

This output shows that automated double authentication was attempted for a remote user; the remote user's host has the IP address 209.165.200.230. The attempt to automatically double authenticate occurred when the local host (myfirewall) sent the remote host (209.165.200.230) a packet to UDP port 7500. (The default port was not changed in this example.)

Related Commands

Command
Description

clear ip trigger-authentication

Clears the list of remote hosts for which automated double authentication has been attempted.


show ip urlfilter cache

To display the maximum number of entries that the cache table can hold, the number of entries currently cached, and the destination IP addresses that are cached, use the show ip urlfilter cache command in privileged EXEC mode.

show ip urlfilter cache [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Displays the information only for the specified Virtual Routing and Forwarding (VRF) interface.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)YU

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Examples

The following example is sample output from the show ip urlfilter cache command:

Router# show ip urlfilter cache

Maximum number of entries allowed: 5000
Number of entries cached: 5
IP addresses cached ....
 10.64.128.54
 172.28.139.21
 10.76.82.25
 192.168.0.1
 10.0.1.2

Table 62 describes the significant fields shown in the display.

Table 62 show ip urlfilter cache Field Descriptions

Field
Description

Maximum number of entries allowed

Maximum number of destination IP addresses that can be cached into the cache table. This parameter can be configured using the ip urlfilter cache command. (The default is 5000.)

Number of entries cached

Number of entries that have already been cached into the cache table.

IP addresses cached

IP addresses that have already been cached into the cache table.


Related Commands

Command
Description

clear ip urlfilter cache

Clears the cache table.

ip urlfilter cache

Configures cache parameters.


show ip urlfilter config

To display the size of the cache, the maximum number of outstanding requests, the allow mode state, and the list of configured vendor servers, use the show ip urlfilter config command in EXEC mode.

show ip urlfilter config [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Displays the information only for the specified Virtual Routing and Forwarding (VRF) interface.


Command Modes

EXEC

Command History

Release
Modification

12.2(11)YU

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Examples

The following example is sample output from the show ip urlfilter config command:

Router# show ip urlfilter config

URL filter is ENABLED

Primary Websense server configurations
===========================
Websense server IP address: 10.0.0.3
Websense server port: 15868
Websense retransmit time out: 5 (seconds)
Websense number of retransmit:2

Secondary Websense server configurations:
==============================
None.

Other configurations
===============
Allow mode: OFF
System Alert: ON
Log message on the router: OFF
Log message on URL filter server:ON
Maximum number of cache entries :5000
Cache timeout :12 (hours)
Maximum number of packet buffers:200
Maximum outstanding requests:1000

Related Commands

Command
Description

ip urlfilter allowmode

Turns on the default mode (allow mode) of the filtering algorithm.

ip urlfilter cache

Configures cache parameters.

ip urlfilter max-request

Sets the maximum number of outstanding requests that can exist at any given time.

ip urlfilter server vendor

Configures a vendor server for URL filtering.


show ip urlfilter statistics

To display URL filtering statistics, use the show ip urlfilter statistics command in privileged EXEC mode.

show ip urlfilter statistics [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Displays the information only for the specified Virtual Routing and Forwarding (VRF) interface.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)YU

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

This command shows information such as the number of requests that are sent to the vendor server (Websense or N2H2), the number of responses received from the vendor server, the number of pending requests in the system, the number of failed requests, and the number of blocked URLs.

Examples

The following example is sample output from the show ip urlfilter statistics command:

Router# show ip urlfilter statistics

URL filtering statistics
================
Current requests count:25
Current packet buffer count(in use):40
Current cache entry count:3100

Maxever request count:526
Maxever packet buffer count:120
Maxever cache entry count:5000

Total requests sent to URL Filter Server: 44765
Total responses received from URL Filter Server: 44550
Total requests allowed: 44320
Total requests blocked: 224

Table 63 describes the significant fields shown in the display.

Table 63 show ip urlfilter statistics Field Descriptions 

Field
Description

Current requests count [1]

Number of requests that have been sent to the vendor server.

Current packet buffer count (in use) [2]

Number of HTTP responses that are currently in the packet buffer of the firewall.

Current cache entry count [3]

Number of destination IP addresses that have been cached into the cache table.

Maxever request count [1]

Maximum number of requests that have been sent to the vendor server since power on.

Maxever packet buffer count [2]

Maximum number of HTTP responses that have been stored in the packet buffer of the firewall since power on.

Maxever cache entry count [3]

Maximum number of destination IP addresses that have been cached into the cache table since power on.

[1] This value can be specified via the ip urlfilter max-request command.

[2] This value can be specified via the ip urlfilter max-resp-pak command.

[3] This value can be specified via the ip urlfilter cache command.


Related Commands

Command
Description

ip urlfilter cache

Configures cache parameters.

ip urlfilter max-request

Sets the maximum number of outstanding requests that can exist at any given time.

ip urlfilter max-resp-pak

Configures the maximum number of HTTP responses that the firewall can keep in its packet buffer.


show ip virtual-reassembly

To display the configuration and statistical information of the virtual fragment reassembly (VFR) on a given interface, use the show ip virtual-reassembly command in privileged EXEC mode.

show ip virtual-reassembly [interface type]

Syntax Description

interface type

(Optional) VFR information is shown only for the specified interface.

If an interface is not specified, VFR information for all configured interfaces is shown.


Defaults

None

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Examples

The following example is sample output from the show ip virtual-reassembly command:

Router# show ip virtual-reassembly interface ethernet1/1

Ethernet1/1:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies):64
Fragments per reassembly (max-fragments):16
Reassembly timeout (timeout):3 seconds
Drop fragments:OFF

Current reassembly count:12
Current fragment count:48
Total reassembly count:6950
Total reassembly failures:9

Table 64 describes the significant fields shown in the display.

Table 64 show ip virtual-reassembly Field Descriptions 

Field
Description

Concurrent reassemblies (max-reassemblies):64

Maximum number of IP datagrams that can be reassembled at any given time. Value can be specified via the max-reassemblies number option from the ip virtual-reassembly command.

Fragments per reassembly (max-fragments):16

Maximum number of fragments that are allowed per IP datagram (fragment set). Value can be specified via the max-fragments number option from the ip virtual-reassembly command.

Reassembly timeout (timeout):3 seconds

Timeout value for an IP datagram that is being reassembled. Value can be specified via the timeout seconds option from the ip virtual-reassembly command.

Drop fragments:OFF

Specifies whether the VFR should drop all fragments that arrive on the configured interface. Function can be turned on or off via the drop-fragments keyword from the ip virtual-reassembly command.

Current reassembly count

Number of IP datagrams that are currently being reassembled.

Current fragment count

Number of fragments that have been buffered by VFR for reassembly.

Total reassembly count

Total number of datagrams that have been reassembled since the last system reboot.

Total reassembly failures

Total number of reassembly failures since the last system reboot.
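
Table 64 lists four limits and four counters without saying how one drives the other. The following Python model is an added example (not Cisco's VFR implementation) that ties them together: each interface keeps at most max-reassemblies datagrams in progress, refuses a datagram that grows past max-fragments, abandons a datagram that is still incomplete after the timeout, and buffers nothing at all when drop-fragments is on. The accounting rule that every refused, oversized or timed-out datagram adds one to the failure counter is this example's assumption; the page only states that the counter exists. The datagram key, fragment offsets and lengths in the usage are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Reassembly:
    """Fragments buffered for one datagram, keyed by fragment offset."""
    first_seen: float
    frags: Dict[int, Tuple[int, bool]] = field(default_factory=dict)  # offset -> (length, more_fragments)

    def complete(self) -> bool:
        """True once the final fragment (MF=0) is present and the offsets
        run contiguously from zero up to it."""
        end = 0
        for off in sorted(self.frags):
            length, more = self.frags[off]
            if off != end:
                return False
            end = off + length
            if not more:
                return True
        return False


@dataclass
class VfrInterface:
    """Per-interface VFR state with the four parameters from the display.
    Assumed accounting (not stated on the page): a datagram that exceeds
    max_fragments, a new datagram refused because max_reassemblies is
    reached, and a datagram abandoned at timeout each count as one
    reassembly failure."""
    max_reassemblies: int = 64
    max_fragments: int = 16
    timeout: float = 3.0
    drop_fragments: bool = False
    active: Dict[str, Reassembly] = field(default_factory=dict)
    total_reassembled: int = 0
    total_failures: int = 0

    def current_reassembly_count(self) -> int:
        return len(self.active)

    def current_fragment_count(self) -> int:
        return sum(len(r.frags) for r in self.active.values())

    def expire(self, now: float) -> int:
        """Abandon reassemblies older than the timeout; returns how many."""
        stale = [k for k, r in self.active.items() if now - r.first_seen >= self.timeout]
        for k in stale:
            del self.active[k]
            self.total_failures += 1
        return len(stale)

    def fragment(self, now: float, key: str, offset: int, length: int, more: bool) -> str:
        """Offer one fragment of datagram 'key' (source, destination, protocol
        and IP ID in practice); returns 'drop', 'buffered' or 'reassembled'."""
        if self.drop_fragments:
            return "drop"                      # drop-fragments ON: nothing is buffered
        self.expire(now)
        r = self.active.get(key)
        if r is None:
            if len(self.active) >= self.max_reassemblies:
                self.total_failures += 1       # no slot for a new datagram
                return "drop"
            r = self.active[key] = Reassembly(first_seen=now)
        if len(r.frags) >= self.max_fragments:
            del self.active[key]               # too many pieces: abandon the set
            self.total_failures += 1
            return "drop"
        r.frags[offset] = (length, more)
        if r.complete():
            del self.active[key]
            self.total_reassembled += 1
            return "reassembled"
        return "buffered"


if __name__ == "__main__":
    vfr = VfrInterface()
    print(vfr.fragment(0.0, "10.0.0.2>10.0.0.1/1/4711", 0, 1480, True))    # buffered
    print(vfr.fragment(0.1, "10.0.0.2>10.0.0.1/1/4711", 1480, 20, False))  # reassembled
    print(vfr.total_reassembled, vfr.total_failures)
```

Read against the sample display, a rising Total reassembly failures with Current reassembly count pinned at max-reassemblies is the signature of a burst of incomplete fragment sets holding the slots until the timeout clears them.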


Related Commands

Command
Description

ip virtual-reassembly

Enables VFR on an interface.


show kerberos creds

To display the contents of your credentials cache, use the show kerberos creds command in privileged EXEC mode.

show kerberos creds

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

11.1

This command was introduced.


Usage Guidelines

The show kerberos creds command is equivalent to the UNIX klist command.

When users authenticate themselves with Kerberos, they are issued an authentication ticket called a credential. The credential is stored in a credential cache.

Examples

The following example displays entries in the credentials cache:

Router > show kerberos creds 

 Default Principal: user@example.com
 Valid Starting          Expires                 Service Principal
 18-Dec-1995 16:21:07    19-Dec-1995 00:22:24    krbtgt/EXAMPLE.COM@EXAMPLE.COM


The following example returns output that acknowledges that credentials do not exist in the credentials cache:

Router > show kerberos creds

 No Kerberos credentials

Related Commands

Command
Description

clear kerberos creds

Deletes the contents of the credentials cache.


show login

To display login parameters, use the show login command in privileged EXEC mode.

show login [failures]

Syntax Description

failures

(Optional) Displays information related only to failed login attempts.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Usage Guidelines

The show login command lets you verify the applied login configuration and the current login status on your router.

Examples

The following sample output from the show login command verifies that no login parameters have been specified:

Router# show login

No login delay has been applied.
No Quiet-Mode access list has been configured.
All successful login is logged and generate SNMP traps.
All failed login is logged and generate SNMP traps

Router NOT enabled to watch for login Attacks

The following sample output from the show login command verifies that the login block-for command is issued. In this example, the command is configured to block login hosts for 100 seconds if 16 or more login requests fail within 100 seconds; five login requests have already failed.

Router# show login

A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
All successful login is logged and generate SNMP traps.
All failed login is logged and generate SNMP traps.

Router enabled to watch for login Attacks.
If more than 15 login failures occur in 100 seconds or less, logins will be disabled for 
100 seconds.

Router presently in Watch-Mode, will remain in Watch-Mode for 95 seconds.
Present login failure count 5.

The following sample output from the show login command verifies that the router is in quiet mode. In this example, the login block-for command was configured to block login hosts for 100 seconds if three or more login requests fail within 100 seconds.

Router# show login

A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
All successful login is logged and generate SNMP traps.
All failed login is logged and generate SNMP traps.

Router enabled to watch for login Attacks.
If more than 2 login failures occur in 100 seconds or less, logins will be disabled for 
100 seconds.

Router presently in Quiet-Mode, will remain in Quiet-Mode for 93 seconds.

Denying logins from all sources.
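
The three displays above show the same mechanism in three states: not configured, watching with five failures counted and 95 seconds of the window left, and quiet with all logins denied. The following Python class is an added example, not Cisco's code, that models that watch-mode/quiet-mode behaviour for a login block-for configuration so the numbers in the displays can be reproduced. Its reading of the window semantics (the window opens at the first failure and lasts the configured number of seconds, and the count restarts when it closes) and its treatment of the quiet-mode ACL as a set of exempt source addresses are assumptions made for this example; the method names and the sample addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class LoginWatcher:
    """Model of 'login block-for <block_for> attempts <tries> within <within>'.

    Assumed semantics (a reading of the displays above, not Cisco's code):
    the watch window opens on the first failure and lasts 'within' seconds;
    if 'tries' failures accumulate before it closes, the device enters quiet
    mode for 'block_for' seconds and denies every login except from sources
    matched by the quiet-mode ACL, modelled here as the 'exempt' set.
    """
    block_for: int
    tries: int
    within: int
    exempt: Set[str] = field(default_factory=set)
    window_start: Optional[int] = field(default=None, init=False)
    failures: int = field(default=0, init=False)
    quiet_until: Optional[int] = field(default=None, init=False)

    def _expire(self, now: int) -> None:
        if self.quiet_until is not None and now >= self.quiet_until:
            self.quiet_until = None          # quiet period over
        if self.window_start is not None and now >= self.window_start + self.within:
            self.window_start = None         # watch window aged out: count restarts
            self.failures = 0

    def mode(self, now: int) -> str:
        self._expire(now)
        if self.quiet_until is not None:
            return "Quiet-Mode"
        if self.window_start is not None:
            return "Watch-Mode"
        return "Normal"

    def remaining(self, now: int) -> int:
        """Seconds left in the current quiet period or watch window."""
        m = self.mode(now)
        if m == "Quiet-Mode":
            return self.quiet_until - now
        if m == "Watch-Mode":
            return self.window_start + self.within - now
        return 0

    def login_permitted(self, source: str, now: int) -> bool:
        return self.mode(now) != "Quiet-Mode" or source in self.exempt

    def record_failure(self, source: str, now: int) -> str:
        """Account for one failed login attempt and return the resulting mode."""
        if not self.login_permitted(source, now):
            return "Quiet-Mode"              # refused before authentication; not counted
        if self.window_start is None:
            self.window_start = now
            self.failures = 0
        self.failures += 1
        if self.failures >= self.tries:
            self.quiet_until = now + self.block_for
            self.window_start = None
            self.failures = 0
        return self.mode(now)

    def failure_count(self, now: int) -> int:
        self._expire(now)
        return self.failures

    def status(self, now: int) -> str:
        """A one-line summary in the spirit of the show login display."""
        m = self.mode(now)
        if m == "Normal":
            return "Router enabled to watch for login Attacks."
        return f"Router presently in {m}, will remain in {m} for {self.remaining(now)} seconds."


if __name__ == "__main__":
    # Same parameters as the second display: block for 100 s after 16 failures in 100 s.
    w = LoginWatcher(block_for=100, tries=16, within=100, exempt={"10.0.0.5"})
    for t in range(5):                       # five failures in the first five seconds
        w.record_failure("10.1.1.1", t)
    print(w.status(5), "Present login failure count", w.failure_count(5))
```

The exempt set stands in for the ACL applied with login quiet-mode access-class; without it, a single source that can generate failures at the configured rate keeps every administrator locked out for block-for seconds at a time, which is why the quiet-mode ACL for a management network is part of a complete configuration.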

Table 65 describes the significant fields shown in the preceding displays.

Table 65 show login Field Descriptions 

Field
Description

A default login delay of 1 seconds is applied.

A delay of 1 second is enforced when the login block-for command is issued.

To specify a different delay value, use the login delay command.

No Quiet-Mode access list has been configured.

No access control lists (ACLs) are exempt from the quiet period.

To specify an ACL, use the login quiet-mode access-class command.

All successful or failed login is logged and generate SNMP traps.

Logging messages and Simple Network Management Protocol (SNMP) traps are configured to be generated upon successful or failed login attempts.

To change this setting, use the login on-success or login on-failure command.

Router enabled to watch for login Attacks.

The Cisco IOS device has been configured with at least the login block-for command, which enables default login functionality.

Note If no login parameters are specified, the following description appears: "Router NOT enabled to watch for login Attacks."

If more than 2 login failures occur in 100 seconds or less, logins will be disabled for 100 seconds.

Parameters of the login block-for seconds attempts tries within seconds command.

Router presently in Quiet-Mode, will remain in Quiet-Mode for 93 seconds.

The router has switched to quiet mode.

Note If the router is not in quiet mode, the following description appears: "Router presently in Watch-Mode, will remain in Watch-Mode for 95 seconds."

Denying logins from all sources.

The router is in quiet mode and no ACLs are defined, so the router is denying all login requests.

Note If the router is not in quiet mode, the following description, which allows the user to keep track of the current failed login attempts, appears: "Present login failure count 5."
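The watch-mode and quiet-mode behaviour these fields describe, as an added Python model that is not Cisco IOS code: it applies the login block-for parameters from the sample above (100 seconds, 3 attempts, within 100 seconds), treats the quiet-mode access list as a set of exempt hosts, and replays records parsed from the show login failures output format used on this page. It assumes the watch window starts at the first failure and that attempts made during the quiet period are not counted.

```python
"""Model of the login block-for behaviour reported by 'show login': watch mode
counts failed logins inside a window, quiet mode denies logins for a fixed
period, and a quiet-mode ACL exempts trusted hosts. Added example, not IOS code."""
from datetime import datetime

# Constructed copy of the 'show login failures' output format shown on this page.
SHOW_LOGIN_FAILURES = """\
Information about login failure's with the device

Username      Source IPAddr  lPort Count  TimeStamp
try1          10.1.1.1        23    1     21:52:49 UTC Sun Mar 9 2003
try2          10.1.1.2        23    1     21:52:52 UTC Sun Mar 9 2003
"""


class LoginGuard:
    """Parameters mirror 'login block-for <block_for> attempts <attempts>
    within <within>'. The watch window is assumed to start at the first
    failure; times are plain seconds."""

    def __init__(self, block_for, attempts, within, quiet_mode_acl=()):
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.acl = set(quiet_mode_acl)   # hosts still allowed in quiet mode
        self.window_start = None         # start of the current watch window
        self.failure_count = 0           # failures seen in that window
        self.quiet_until = None          # end of the current quiet period

    def _expire(self, now):
        # Leave quiet mode when the period ends; reset a watch window that ran out.
        if self.quiet_until is not None and now >= self.quiet_until:
            self.quiet_until = None
        if self.window_start is not None and now - self.window_start >= self.within:
            self.window_start, self.failure_count = None, 0

    def in_quiet_mode(self, now):
        self._expire(now)
        return self.quiet_until is not None

    def allow_login(self, host, now):
        """True if the router would accept a login attempt from host."""
        return not self.in_quiet_mode(now) or host in self.acl

    def record_failure(self, host, now):
        """Register a failed login; returns the mode after the failure."""
        if self.in_quiet_mode(now):
            return "Quiet-Mode"          # attempts during quiet mode are not counted
        if self.window_start is None:
            self.window_start = now
        self.failure_count += 1
        if self.failure_count >= self.attempts:
            self.quiet_until = now + self.block_for
            self.window_start, self.failure_count = None, 0
            return "Quiet-Mode"
        return "Watch-Mode"

    def status(self, now):
        """The state 'show login' reports: mode, seconds remaining, failure count."""
        self._expire(now)
        if self.quiet_until is not None:
            return {"mode": "Quiet-Mode", "remaining": self.quiet_until - now,
                    "denying_all": not self.acl}
        remaining = 0 if self.window_start is None else self.within - (now - self.window_start)
        return {"mode": "Watch-Mode", "remaining": remaining,
                "failure_count": self.failure_count}


def parse_login_failures(text):
    """Parse 'show login failures' rows into (user, source, port, count, seconds)."""
    records, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Username"):      # column header starts the table
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        user, src, port, count, stamp = line.split(None, 4)
        when = datetime.strptime(stamp.strip(), "%H:%M:%S %Z %a %b %d %Y")
        secs = (when - datetime(1970, 1, 1)).total_seconds()
        records.append((user, src, int(port), int(count), secs))
    return records


def replay(guard, records):
    """Feed logged failures into the guard; returns the status after the last one."""
    last = 0
    for _user, src, _port, count, secs in records:
        for _ in range(count):
            guard.record_failure(src, secs)
        last = secs
    return guard.status(last)


if __name__ == "__main__":
    guard = LoginGuard(block_for=100, attempts=3, within=100)
    print(replay(guard, parse_login_failures(SHOW_LOGIN_FAILURES)))
```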


show login failures Sample Outputs

The following sample output from the show login failures command shows all failed login attempts on the router:

Router# show login failures

Information about login failure's with the device

Username      Source IPAddr  lPort Count  TimeStamp
try1          10.1.1.1        23    1     21:52:49 UTC Sun Mar 9 2003
try2          10.1.1.2        23    1     21:52:52 UTC Sun Mar 9 2003

The following sample output from the show login failures command verifies that no information is presently logged:

Router# show login failures

*** No logged failed login attempts with the device.***

Related Commands

Command
Description

login block-for

Configures your Cisco IOS device for login parameters that help provide DoS detection.

login delay

Configures a uniform delay between successive login attempts.

login on-failure

Generates system logging messages for every failed login attempt.

login on-success

Generates system logging messages for successful login attempts.

login quiet-mode access-class

Specifies an ACL that is to be applied to the router when it switches to quiet mode.


show parser view

To display command-line interface (CLI) view information, use the show parser view command in privileged EXEC mode.

show parser view [all]

Syntax Description

all

(Optional) Displays information about all CLI views that are configured on the router.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(7)T

This command was introduced.


Usage Guidelines

The show parser view command will display information only about the view that the user is currently in. This command is available for both root view users and lawful intercept view users—except for the all keyword, which is available only to root view users. However, the all keyword can be configured by a user in root view to be available for users in lawful intercept view.

The show parser view command cannot be excluded from any view.

Examples

The following example shows how to display information from the root view and the CLI view "first":

Router# enable view
Router# 
01:08:16:%PARSER-6-VIEW_SWITCH:successfully set to view 'root'.
Router# 
! Enable the show parser view command from the root view
Router# show parser view 
Current view is 'root'
! Enable the show parser view command from the root view to display all views
Router# show parser view all 
Views Present in System:
View Name:   first 
View Name:   second 
! Switch to the CLI view "first."
Router# enable view first 
Router#
01:08:09:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'.
! Enable the show parser view command from the CLI view "first."
Router# show parser view
Current view is 'first'

Related Commands

Command
Description

parser view

Creates or changes a CLI view and enters view configuration mode.


show ppp queues

To monitor the number of requests processed by each authentication, authorization, and accounting (AAA) background process, use the show ppp queues command in privileged EXEC mode.

show ppp queues

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

11.3(2)AA

This command was introduced.


Usage Guidelines

Use the show ppp queues command to display the number of requests handled by each AAA background process, the average amount of time it takes to complete each request, and the requests still pending in the work queue. This information can help you balance the data load between the network access server and the AAA server.

This command displays information about the background processes configured by the aaa processes global configuration command. Each line in the display contains information about one of the background processes. If there are AAA requests in the queue when you enter this command, the requests will be printed as well as the background process data.

Examples

The following example shows output from the show ppp queues command:

Router# show ppp queues

Proc #0   pid=73  authens=59   avg. rtt=118s. authors=160  avg. rtt=94s.
Proc #1   pid=74  authens=52   avg. rtt=119s. authors=127  avg. rtt=115s.
Proc #2   pid=75  authens=69   avg. rtt=130s. authors=80   avg. rtt=122s.
Proc #3   pid=76  authens=44   avg. rtt=114s. authors=55   avg. rtt=106s.
Proc #4   pid=77  authens=70   avg. rtt=141s. authors=76   avg. rtt=118s.
Proc #5   pid=78  authens=64   avg. rtt=131s. authors=97   avg. rtt=113s.
Proc #6   pid=79  authens=56   avg. rtt=121s. authors=57   avg. rtt=117s.
Proc #7   pid=80  authens=43   avg. rtt=126s. authors=54   avg. rtt=105s.
Proc #8   pid=81  authens=139  avg. rtt=141s. authors=120  avg. rtt=122s.
Proc #9   pid=82  authens=63   avg. rtt=128s. authors=199  avg. rtt=80s.
queue len=0 max len=499

Table 66 describes the fields shown in the example.

Table 66 show ppp queues Field Descriptions

Field
Description

Proc #

Identifies the background process allocated by the aaa processes command to handle AAA requests for PPP. All of the data in this row relates to this process.

pid=

Identification number of the background process.

authens=

Number of authentication requests the process has performed.

avg. rtt=

Average delay (in seconds) until the authentication request was completed.

authors=

Number of authorization requests the process has performed.

avg. rtt=

Average delay (in seconds) until the authorization request was completed.

queue len=

Current queue length.

max len=

Maximum length the queue ever reached.


Related Commands

Command
Description

aaa processes

Allocates a specific number of background processes to be used to process AAA authentication and authorization requests for PPP.


show privilege

To display your current level of privilege, use the show privilege command in EXEC mode.

show privilege

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

10.3

This command was introduced.


Examples

The following example shows sample output from the show privilege command. The current privilege level is 15.

Router# show privilege

Current privilege level is 15

Related Commands

Command
Description

enable password

Sets a local password to control access to various privilege levels.

enable secret

Specifies an additional layer of security over the enable password command.


show radius local-server statistics

To display the statistics for the local authentication server, use the show radius local-server statistics command in privileged EXEC mode.

show radius local-server statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)JA

This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.

12.3(11)T

This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.


Examples

The following output displays statistics for the local authentication server:

Router# show radius local-server statistics

Successes              : 11262       Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 8
Unknown NAS            : 0           Invalid packet from NAS: 0

NAS : 10.0.0.1
Successes              : 11262       Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 8
Corrupted packet       : 0           Unknown RADIUS message : 0
No username attribute  : 0           Missing auth attribute : 0
Shared key mismatch    : 0           Invalid state attribute: 0
Unknown EAP message    : 0           Unknown EAP auth type  : 0

Maximum number of configurable users: 50, current user count: 11
Username                  Successes  Failures  Blocks
vayu-ap-1                      2235         0       0
vayu-ap-2                      2235         0       0
vayu-ap-3                      2246         0       0
vayu-ap-4                      2247         0       0
vayu-ap-5                      2247         0       0
vayu-11                           3         0       0
vayu-12                           5         0       0
vayu-13                           5         0       0
vayu-14                          30         0       0
vayu-15                           3         0       0
scm-test                          1         8       0

Related Commands

Command
Description

block count

Configures the parameters for locking out members of a group to help protect against unauthorized access attempts.

clear radius local-server

Clears the statistics display or unblocks a user.

debug radius local-server

Displays the debug information for the local server.

group

Enters user group configuration mode and configures shared settings for a user group.

nas

Adds an access point or router to the list of devices that use the local authentication server.

radius-server host

Specifies the remote RADIUS server host.

radius-server local

Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.

reauthentication time

Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.

ssid

Specifies up to 20 SSIDs to be used by a user group.

user

Authorizes a user to authenticate using the local authentication server.

vlan

Specifies a VLAN to be used by members of a user group.


show radius statistics

To display the RADIUS statistics for accounting and authentication packets, use the show radius statistics command in EXEC mode.

show radius statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.1(3)T

This command was introduced.


Examples

The following example is sample output for the show radius statistics command:

Router# show radius statistics
                                   Auth.      Acct.       Both
          Maximum inQ length:        NA         NA          1
        Maximum waitQ length:        NA         NA          1
        Maximum doneQ length:        NA         NA          1
        Total responses seen:         3          0          3
      Packets with responses:         3          0          3
   Packets without responses:         0          0          0
  Average response delay(ms):      5006          0       5006
  Maximum response delay(ms):     15008          0      15008
   Number of Radius timeouts:         3          0          3
        Duplicate ID detects:         0          0          0

Table 67 describes significant fields shown in the display.

Table 67 show radius statistics Field Descriptions 

Field
Description

Auth.

Statistics for authentication packets.

Acct.

Statistics for accounting packets.

Both

Combined statistics for authentication and accounting packets.

Maximum inQ length

Maximum number of entries allowed in the queue that holds the RADIUS messages not yet sent.

Maximum waitQ length

Maximum number of entries allowed in the queue that holds the RADIUS messages that have been sent and are waiting for a response.

Maximum doneQ length

Maximum number of entries allowed in the queue that holds the messages that have received a response and will be forwarded to the code that is waiting for them.

Total responses seen

Number of RADIUS responses seen from the server. In addition to the expected packets, this includes repeated packets and packets that do not have a matching message in the waitQ.

Packets with responses

Number of packets that received a response from the RADIUS server.

Packets without responses

Number of packets that never received a response from any RADIUS server.

Average response delay

Average time from when the packet was first transmitted to when it received a response. If the response timed out and the packet was sent again, this value includes the timeout. If the packet never received a response, this is not included in the average.

Maximum response delay

Maximum delay observed while gathering average response delay information.

Number of RADIUS timeouts

Number of times a server did not respond and the packet was re-sent.

Duplicate ID detects

RADIUS has a maximum of 255 unique IDs. In some instances there can be more than 255 outstanding packets. When a packet is received, the doneQ is searched from the oldest entry to the youngest. If the IDs are the same, further techniques are used to see if this response matches this entry. If it is determined that this does not match, the duplicate ID detect counter is increased.


Related Commands

Command
Description

radius-server host

Specifies a RADIUS server host.

radius-server retransmit

Specifies how many times the Cisco IOS software searches the list of RADIUS server hosts before giving up.

radius-server timeout

Sets the interval for which a router waits for a server host to reply.


show secure bootset

To display the status of Cisco IOS image and configuration resilience, use the show secure bootset command in privileged EXEC mode.

show secure bootset

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Use the show secure bootset command instead of the dir command, the Cisco IOS directory listing command, to verify the existence of an image archive. This command will also display output that shows whether the image or configuration archive is ready for upgrade.

Examples

The following is self-explanatory sample output from the show secure bootset command:

Router# show secure bootset

%IOS image and configuration resilience is not active


Router# show secure bootset

IOS resilience router id JMX0704L5GH

IOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun 16 2002
Secure archive slot0:c3745-js2-mz type is image (elf) []
  file size is 25469248 bytes, run size is 25634900 bytes
  Runnable image, entry point 0x80008000, run from ram

IOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun 16 2002
Secure archive slot0:.runcfg-20020616-081702.ar type is config
configuration archive size 1059 bytes

Related Commands

Command
Description

dir

Displays a list of files on a file system.

secure boot-config

Saves a secure copy of the router running configuration in persistent storage.

secure boot-image

Enables Cisco IOS image resilience.


show ssh

To display the status of Secure Shell (SSH) server connections, use the show ssh command in privileged EXEC mode.

show ssh

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(5)T

This command was introduced.


Usage Guidelines

Use the show ssh command to display the status of the SSH connections on your router. This command does not display any SSH configuration data; use the show ip ssh command for SSH configuration information such as timeouts and retries.

Examples

The following is sample output from the show ssh command with SSH enabled:

Router# show ssh

Connection      Version     Encryption     State            Username
0               1.5         3DES           Session Started  guest

The following is sample output from the show ssh command with SSH disabled:

Router# show ssh
%No SSH server connections running.

Related Commands

Command
Description

show ip ssh

Displays the version and configuration data for SSH.


show tacacs

To display statistics for a TACACS+ server, use the show tacacs command in EXEC mode.

show tacacs

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.2

This command was introduced.


Examples

The following example is sample output for the show tacacs command:

Router# show tacacs 

Tacacs+ Server            : 172.19.192.80/49
              Socket opens:          3
             Socket closes:          3
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:          7
        Total Packets Recv:          7
          Expected Replies:          0
  No current connection

Table 68 describes the significant fields shown in the display.

Table 68 show tacacs Field Descriptions 

Field
Description

Tacacs+ Server

IP address of the TACACS+ server.

Socket opens

Number of successful TCP socket connections to the TACACS+ server.

Socket closes

Number of successfully closed TCP socket attempts.

Socket aborts

Number of premature TCP socket closures to the TACACS+ server; that is, the peer did not wait for a reply from the server after the peer sent its request.

Socket errors

Any other socket read or write errors, such as incorrect packet format and length.

Failed Connect Attempts

Number of failed TCP socket connections to the TACACS+ server.

Total Packets Sent

Number of packets sent to the TACACS+ server.

Total Packets Recv

Number of packets received from the TACACS+ server.

Expected Replies

Number of outstanding replies from the TACACS+ server.


Related Commands

Command
Description

tacacs-server host

Specifies a TACACS+ host.


show tcp intercept connections

To display TCP incomplete and established connections, use the show tcp intercept connections command in EXEC mode.

show tcp intercept connections

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

Use the show tcp intercept connections command to display TCP incomplete and established connections.

Examples

The following is sample output from the show tcp intercept connections command:

Router# show tcp intercept connections 

Incomplete:
Client                Server                State    Create   Timeout  Mode
172.19.160.17:58190   10.1.1.30:23          SYNRCVD  00:00:09 00:00:05 I
172.19.160.17:57934   10.1.1.30:23          SYNRCVD  00:00:09 00:00:05 I
Established:
Client                Server                State    Create   Timeout  Mode
171.69.232.23:1045    10.1.1.30:23          ESTAB    00:00:08 23:59:54 I

Table 69 describes significant fields shown in the display.

Table 69 show tcp intercept connections Field Descriptions 

Field
Description

Incomplete:

Rows of information under "Incomplete" indicate connections that are not yet established.

Client

IP address and port of the client.

Server

IP address and port of the server being protected by TCP intercept.

State

SYNRCVD—establishing with client.

SYNSENT—establishing with server.

ESTAB—established with both, passing data.

Create

Hours:minutes:seconds since the connection was created.

Timeout

Hours:minutes:seconds until the retransmission timeout.

Mode

I—intercept mode.

W—watch mode.

Established:

Rows of information under "Established" indicate connections that are established. The fields are the same as those under "Incomplete" except for the Timeout field described below.

Timeout

Hours:minutes:seconds until the connection will time out, unless the software sees a FIN exchange, in which case this indicates the hours:minutes:seconds until the FIN or RESET timeout.


Related Commands

Command
Description

ip tcp intercept connection-timeout

Changes how long a TCP connection will be managed by the TCP intercept after no activity.

ip tcp intercept finrst-timeout

Changes how long after receipt of a reset or FIN-exchange the software ceases to manage the connection.

ip tcp intercept list

Enables TCP intercept.

show tcp intercept statistics

Displays TCP intercept statistics.


show tcp intercept statistics

To display TCP intercept statistics, use the show tcp intercept statistics command in EXEC mode.

show tcp intercept statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

Use the show tcp intercept statistics command to display TCP intercept statistics.

Examples

The following is sample output from the show tcp intercept statistics command:

Router# show tcp intercept statistics

intercepting new connections using access-list 101
2 incomplete, 1 established connections (total 3)
1 minute connection request rate 2 requests/sec
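The connections table and the statistics summary above describe the same intercept state from two angles. The following added Python example, not Cisco IOS code, parses the sample connections table, derives the counts the statistics line reports, and lists clients holding several half-open (SYNRCVD) connections to one server, which is the condition TCP intercept is there to absorb. The sample text is constructed from the output shown on this page; the half-open threshold is an assumption.

```python
"""Parse 'show tcp intercept connections' and derive the 'show tcp intercept
statistics' counts plus a per-client view of half-open connections.
Added example, not Cisco IOS code."""
from collections import Counter

# Constructed from the sample output shown on this page.
SAMPLE = """\
Incomplete:
Client                Server                State    Create   Timeout  Mode
172.19.160.17:58190   10.1.1.30:23          SYNRCVD  00:00:09 00:00:05 I
172.19.160.17:57934   10.1.1.30:23          SYNRCVD  00:00:09 00:00:05 I
Established:
Client                Server                State    Create   Timeout  Mode
171.69.232.23:1045    10.1.1.30:23          ESTAB    00:00:08 23:59:54 I
"""


def hms_to_seconds(hms):
    """Convert the hours:minutes:seconds columns to a plain second count."""
    hours, minutes, seconds = (int(part) for part in hms.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_intercept_connections(text):
    """Return one dict per connection row, tagged with its section."""
    rows, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):            # "Incomplete:" or "Established:"
            section = line[:-1].lower()
            continue
        if line.startswith("Client"):     # column header
            continue
        client, server, state, create, timeout, mode = line.split()
        client_ip, client_port = client.rsplit(":", 1)
        server_ip, server_port = server.rsplit(":", 1)
        rows.append({"section": section, "client": client_ip,
                     "client_port": int(client_port), "server": server_ip,
                     "server_port": int(server_port), "state": state,
                     "create": hms_to_seconds(create),
                     "timeout": hms_to_seconds(timeout), "mode": mode})
    return rows


def summarize(rows):
    """The same counts as the second line of 'show tcp intercept statistics'."""
    incomplete = sum(row["section"] == "incomplete" for row in rows)
    established = sum(row["section"] == "established" for row in rows)
    return {"incomplete": incomplete, "established": established, "total": len(rows)}


def format_statistics(rows):
    """Render the summary in the wording the router uses."""
    s = summarize(rows)
    return (f"{s['incomplete']} incomplete, {s['established']} established "
            f"connections (total {s['total']})")


def half_open_by_client(rows, threshold=1):
    """(client, server, port) triples holding more than threshold half-open
    connections; threshold is an assumed tuning value, not an IOS setting."""
    counts = Counter((row["client"], row["server"], row["server_port"])
                     for row in rows if row["state"] == "SYNRCVD")
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    parsed = parse_intercept_connections(SAMPLE)
    print(format_statistics(parsed))
    print(half_open_by_client(parsed))
```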

Related Commands

Command
Description

ip tcp intercept connection-timeout

Changes how long a TCP connection will be managed by the TCP intercept after no activity.

ip tcp intercept finrst-timeout

Changes how long after receipt of a reset or FIN-exchange the software ceases to manage the connection.

ip tcp intercept list

Enables TCP intercept.

show tcp intercept connections

Displays TCP incomplete and established connections.


show usb controllers

To display USB host controller information, use the show usb controllers command in privileged EXEC mode.

show usb controllers [controller-number]

Syntax Description

controller-number

(Optional) Displays information only for the specified controller.


Defaults

Information about all controllers on the system is displayed.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

Use the show usb controllers command to display content such as controller register specific information, current asynchronous buffer addresses, and period scheduling information. You can also use this command to verify that copy operations are occurring successfully onto a USB flash module.

Examples

The following example is sample output from the show usb controllers command:

Router# show usb controllers

Name:1362HCD
Controller ID:1
Controller Specific Information:
    Revision:0x11
    Control:0x80
    Command Status:0x0
    Hardware Interrupt Status:0x24
    Hardware Interrupt Enable:0x80000040
    Hardware Interrupt Disable:0x80000040
    Frame Interval:0x27782EDF
    Frame Remaining:0x13C1
    Frame Number:0xDA4C
    LSThreshold:0x628
    RhDescriptorA:0x19000202
    RhDescriptorB:0x0
    RhStatus:0x0
    RhPort1Status:0x100103
    RhPort2Status:0x100303
    Hardware Configuration:0x3029
    DMA Configuration:0x0
    Transfer Counter:0x1
    Interrupt:0x9
    Interrupt Enable:0x196
    Chip ID:0x3630
    Buffer Status:0x0
    Direct Address Length:0x80A00
    ATL Buffer Size:0x600
    ATL Buffer Port:0x0
    ATL Block Size:0x100
    ATL PTD Skip Map:0xFFFFFFFF
    ATL PTD Last:0x20
    ATL Current Active PTD:0x0
    ATL Threshold Count:0x1
    ATL Threshold Timeout:0xFF

Int Level:1
Transfer Completion Codes:
         Success              :920              CRC             :0       
         Bit Stuff            :0                Stall           :0       
         No Response          :0                Overrun         :0       
         Underrun             :0                Other           :0       
         Buffer Overrun       :0                Buffer Underrun :0       
Transfer Errors:
         Canceled Transfers   :2                Control Timeout :0       
Transfer Failures:
         Interrupt Transfer   :0                Bulk Transfer   :0       
         Isochronous Transfer :0                Control Transfer:0       
Transfer Successes:
         Interrupt Transfer   :0                Bulk Transfer   :26      
         Isochronous Transfer :0                Control Transfer:894     

USBD Failures:
         Enumeration Failures :0                No Class Driver Found:0       
         Power Budget Exceeded:0       

USB MSCD SCSI Class Driver Counters:
         Good Status Failures :3                Command Fail    :0       
         Good Status Timed out:0                Device not Found:0       
         Device Never Opened  :0                Drive Init Fail :0       
         Illegal App Handle   :0                Bad API Command :0       
         Invalid Unit Number  :0                Invalid Argument:0       
         Application Overflow :0                Device in use   :0       
         Control Pipe Stall   :0                Malloc Error    :0       
         Device Stalled       :0                Bad Command Code:0       
         Device Detached      :0                Unknown Error   :0       
         Invalid Logic Unit Num:0       

USB Aladdin Token Driver Counters:
         Token Inserted       :1                Token Removed   :0       
         Send Insert Msg Fail :0                Response Txns   :434     
         Dev Entry Add Fail   :0                Request Txns    :434     
         Dev Entry Remove Fail:0                Request Txn Fail:0       
         Response Txn Fail    :0                Command Txn Fail:0       
         Txn Invalid Dev Handle:0       

USB Flash File System Counters:
         Flash Disconnected   :0                Flash Connected :1       
         Flash Device Fail    :0                Flash Ok        :1       
         Flash startstop Fail :0                Flash FS Fail   :0       

USB Secure Token File System Counters:
         Token Inserted       :1                Token Detached  :0       
         Token FS success     :1                Token FS Fail   :0       
         Token Max Inserted   :0                Create Talker Failures:0       
         Token Event          :0                Destroy Talker Failures:0       
         Watched Boolean Create Failures:0 

show usb device

To display USB device information, use the show usb device command in privileged EXEC mode.

show usb device [controller-ID [device-address]]

Syntax Description

controller-ID

(Optional) Displays information only for the devices under the specified controller.

device-address

(Optional) Displays information only for the device with the specified address.


Defaults

Information for all devices attached to the system is displayed.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

Use the show usb device command to display information for either a USB flash drive or a USB eToken, as appropriate.

Examples

The following example is sample output from the show usb device command:

Router# show usb device 

Host Controller:1
Address:0x1
Device Configured:YES
Device Supported:YES
Description:DiskOnKey
Manufacturer:M-Sys
Version:2.0
Serial Number:0750D84030316868
Device Handle:0x1000000
USB Version Compliance:2.0
Class Code:0x0
Subclass Code:0x0
Protocol:0x0
Vendor ID:0x8EC
Product ID:0x15
Max. Packet Size of Endpoint Zero:64
Number of Configurations:1
Speed:Full
Selected Configuration:1
Selected Interface:0

Configuration:
    Number:1
    Number of Interfaces:1
    Description:
    Attributes:None
    Max Power:140 mA

    Interface:
        Number:0
        Description:
        Class Code:8
        Subclass:6
        Protocol:80
        Number of Endpoints:2

        Endpoint:
            Number:1
            Transfer Type:BULK
            Transfer Direction:Device to Host
            Max Packet:64
            Interval:0

        Endpoint:
            Number:2
            Transfer Type:BULK
            Transfer Direction:Host to Device
            Max Packet:64
            Interval:0

Host Controller:1
Address:0x11
Device Configured:YES
Device Supported:YES
Description:eToken Pro 4254
Manufacturer:AKS
Version:1.0
Serial Number:
Device Handle:0x1010000
USB Version Compliance:1.0
Class Code:0xFF
Subclass Code:0x0
Protocol:0x0
Vendor ID:0x529
Product ID:0x514
Max. Packet Size of Endpoint Zero:8
Number of Configurations:1
Speed:Low
Selected Configuration:1
Selected Interface:0

Configuration:
    Number:1
    Number of Interfaces:1
    Description:
    Attributes:None
    Max Power:60 mA

    Interface:
        Number:0
        Description:
        Class Code:255
        Subclass:0
        Protocol:0
        Number of Endpoints:0

Table 70 describes the significant fields shown in the display.

Table 70 show usb device Field Descriptions 

Field
Description

Device handle

Internal memory handle allocated to the device.

Device Class code

The class code supported by the device.

This number is allocated by the USB-IF. If this field is reset to 0, each interface within a configuration specifies its own class information, and the various interfaces operate independently. If this field is set to a value between 1 and FEH, the device supports different class specifications on different interfaces, and the interfaces may not operate independently. This value identifies the class definition used for the aggregate interfaces. If this field is set to FFH, the device class is vendor-specific.

Device Subclass code

The subclass code supported by the device. This number is allocated by the USB-IF.

Device Protocol

The protocol supported by the device. If this field is set to 0, the device does not use class-specific protocols on a device basis. If this field is set to 0xFF, the device uses a vendor-specific protocol on a device basis.

Interface Class code

The class code supported by the interface. If the value is set to 0xFF, the interface class is vendor specific. All other values are allocated by the USB-IF.

Interface Subclass code

The subclass code supported by the interface. All values are allocated by the USB-IF.

Interface Protocol

The protocol code supported by the interface. If this field is set to 0, the device does not use a class-specific protocol on this interface. If this field is set to 0xFF, the device uses a vendor-specific protocol for this interface.

Max Packet

Maximum data packet size, in bytes.


show usb driver

To display information about registered USB class drivers and vendor-specific drivers, use the show usb driver command in privileged EXEC mode.

show usb driver [index]

Syntax Description

index

(Optional) Displays information only for drivers on the specified index.


Defaults

Information about all drivers is displayed.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(14)T

This command was introduced.


Examples

The following example is sample output for the show usb driver command:

Router# show usb driver 

Index:0
Owner Mask:0x6
Class Code:0x0
Subclass Code:0x0
Protocol:0x0
Interface Class Code:0x8
Interface Subclass Code:0x6
Interface Protocol Code:0x50
Product ID:0x655BD598
Vendor ID:0x64E90000
Attached Devices:
    Controller ID:1, Device Address:1

Index:1
Owner Mask:0x1
Class Code:0x0
Subclass Code:0x0
Protocol:0x0
Interface Class Code:0x0
Interface Subclass Code:0x0
Interface Protocol Code:0x0
Product ID:0x514
Vendor ID:0x529
Attached Devices:
    Controller ID:1, Device Address:17

Index:2
Owner Mask:0x5
Class Code:0x9
Subclass Code:0x6249BD58
Protocol:0x2
Interface Class Code:0x5DC0
Interface Subclass Code:0x5
Interface Protocol Code:0xFFFFFFFF
Product ID:0x2
Vendor ID:0x1
Attached Devices:
    None

Index:3
Owner Mask:0x10
Class Code:0x0
Subclass Code:0x0
Protocol:0x0
Interface Class Code:0x0
Interface Subclass Code:0x0
Interface Protocol Code:0x0
Product ID:0x0
Vendor ID:0x0
Attached Devices:
    None 

Table 71 describes the significant field shown in the display.

Table 71 show usb driver Field Descriptions 

Field
Description

Owner Mask

Indicates the fields that are used in enumeration comparison. The driver can own different devices on the basis of their product or vendor IDs and device or interface class, subclass, and protocol codes.


show usb port

To display USB root hub port information, use the show usb port command in privileged EXEC mode.

show usb port [port-number]

Syntax Description

port-number

(Optional) Displays information only for the specified root port. If port-number is not specified, information for all root ports is displayed.


Command Default

None

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(14)T

This command was introduced.


Examples

The following sample output from the show usb port command shows the status of both root ports on the router:

Router# show usb port

Port Number:0
Status:Enabled
Connection State:Connected
Speed:Full
Power State:ON 

Port Number:1
Status:Enabled
Connection State:Connected
Speed:Low
Power State:ON

show usbtoken

To display information about the USB eToken (such as the eToken ID), use the show usbtoken command in privileged EXEC mode.

show usbtoken[0-9]:[all | filesystem]

Syntax Description

0-9

(Optional) Token number, from 0 to 9; up to ten tokens can be addressed. If you do not specify a number, 0 is used by default.

all

(Optional) All configuration files stored on the eToken.

filesystem

(Optional) Name of a configuration file.


Command Default

None

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

Use the show usbtoken command to verify whether a USB eToken is inserted in the router.

Examples

The following example is sample output from the show usbtoken command:

Router# show usbtoken0 

Token ID           :43353334
Token device name  : token0
Vendor name        : Aladdin  
Product Name       :Etoken Pro 
Serial number      : 22273a334353
Firmware version   :   4.1.3.2
Total memory size  : 32 KB
Free memory size   : 16 KB
FIPS version       :  Yes/No
Token state        :  "Active" | "User locked" | "Admin locked" | "System Error" | "Unknown"
ATR (Answer To Reset) :"3B F2 98 0  FF C1 10 31 FE 55 C8 3"

Table 72 describes the significant fields shown in the display.

Table 72 show usbtoken Field Descriptions 

Field
Description

Token ID

Token identifier.

Token device name

A unique name derived by the token driver.

ATR (Answer to Reset)

Information returned by the smart card inside the token when a reset command is issued. The byte sequence encodes the card's protocol parameters and is commonly used to identify the card model.
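The ATR that show usbtoken prints is an ISO/IEC 7816-3 Answer To Reset, so it can be decoded and compared against the value expected for the issued token model before the token's file system is trusted. The following parser is an added example written for this page; it is not Cisco code and nothing on the router runs it. PAGE_ATR is the ATR from the sample output above exactly as printed (two of its bytes appear as single hex digits); PADDED_ATR and T0_ATR are constructed values. Run on the printed sample, the parser finds that protocol T=1 is offered but no check byte follows the two historical bytes, which is why PADDED_ATR appends one for the TCK check.

```python
"""ISO/IEC 7816-3 Answer To Reset (ATR) parser.

Added example, not code from the Cisco page or from Cisco. It parses the ATR
string printed by show usbtoken so the token can be fingerprinted against an
expected value and the check byte (TCK) verified. PAGE_ATR is the ATR from
the sample output as printed (single hex digits unpadded); the other two
ATRs are constructed for illustration.
"""
import re

PAGE_ATR = "3B F2 98 0  FF C1 10 31 FE 55 C8 3"
# Constructed: PAGE_ATR zero-padded, with a check byte appended so the XOR is 0.
PADDED_ATR = "3B F2 98 00 FF C1 10 31 FE 55 C8 03 15"
# Constructed: a minimal T=0 ATR with two historical bytes and no TCK.
T0_ATR = "3B 02 AA BB"


def atr_bytes(text):
    """Convert whitespace-separated hex (digits may be unpadded) to ints."""
    return [int(tok, 16) for tok in re.split(r"\s+", text.strip()) if tok]


def parse_atr(text):
    """Split an ATR into interface bytes, protocols, historical bytes and TCK.

    Raises ValueError if the ATR is malformed or truncated. tck_ok is True
    when a present TCK checks out, False when a TCK is required (a protocol
    other than T=0 is offered) but missing or wrong, and None for T=0 only.
    """
    b = atr_bytes(text)
    if len(b) < 2 or b[0] not in (0x3B, 0x3F):
        raise ValueError("bad or missing TS byte")
    info = {"convention": "direct" if b[0] == 0x3B else "inverse",
            "interface": [], "protocols": set(), "historical": b"",
            "tck": None, "tck_ok": None}
    td, i, n = b[1], 2, 1          # T0 acts as the first TD byte; K is its low nibble
    k = td & 0x0F
    while True:                    # walk TA/TB/TC/TD groups until a TD is absent
        group = {}
        for flag, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if (td >> 4) & flag:
                if i >= len(b):
                    raise ValueError(f"ATR truncated at {name}{n}")
                group[f"{name}{n}"] = b[i]
                i += 1
        info["interface"].append(group)
        if f"TD{n}" not in group:
            break
        td = group[f"TD{n}"]
        info["protocols"].add(td & 0x0F)
        n += 1
    if not info["protocols"]:
        info["protocols"].add(0)   # no TD1: T=0 is implied
    if len(b) - i < k:
        raise ValueError("ATR truncated in historical bytes")
    info["historical"] = bytes(b[i:i + k])
    i += k
    if info["protocols"] != {0}:   # TCK is mandatory unless only T=0 is offered
        if i < len(b):
            info["tck"] = b[i]
            xor = 0
            for v in b[1:i + 1]:   # T0 through TCK inclusive must XOR to zero
                xor ^= v
            info["tck_ok"] = xor == 0
        else:
            info["tck_ok"] = False # required but not present
    return info


def matches_expected(text, expected_hex):
    """Fingerprint check: compare byte for byte with an expected ATR."""
    return atr_bytes(text) == atr_bytes(expected_hex)
```

Comparing with matches_expected against a stored ATR catches a token of a different model being swapped in; it does not authenticate the token, because an ATR is not a secret and can be replayed by any card emulator.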


show usb tree

To display information about the port state and all attached devices, use the show usb tree command in privileged EXEC mode.

show usb tree

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(14)T

This command was introduced.


Examples

The following example is sample output from the show usb tree command. This output shows that both a USB flash module and a USB eToken are currently enabled.

Router# show usb tree 

[Host Id:1, Host Type:1362HCD, Number of RH-Port:2]
<Root Port0:Power=ON      Current State=Enabled>
  Port0:(DiskOnKey) Addr:0x1 VID:0x08EC PID:0x0015 Configured (0x1000000)
<Root Port1:Power=ON      Current State=Enabled>
  Port1:(eToken Pro 4254) Addr:0x11 VID:0x0529 PID:0x0514 Configured (0x1010000)
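A reviewer of a router should be able to answer "which USB devices are plugged in, and which driver claimed each one" from these two commands. The following script is an added example, not Cisco code: it parses the show usb tree output above, joins each device to the show usb driver record above on the device address (Addr:0x11 in show usb tree is Device Address:17 in show usb driver), and flags any VID:PID that is not on an allowlist. ALLOWED_DEVICES and the class-name table are assumptions made for the example.

```python
"""Inventory check over show usb tree and show usb driver output.

Added example, not code from the Cisco page or from Cisco. USB_TREE and
USB_DRIVER are constructed from the sample outputs on the page (only the
fields this script needs are kept from the driver records).
ALLOWED_DEVICES is an assumed site allowlist.
"""
import re

USB_TREE = """\
[Host Id:1, Host Type:1362HCD, Number of RH-Port:2]
<Root Port0:Power=ON      Current State=Enabled>
  Port0:(DiskOnKey) Addr:0x1 VID:0x08EC PID:0x0015 Configured (0x1000000)
<Root Port1:Power=ON      Current State=Enabled>
  Port1:(eToken Pro 4254) Addr:0x11 VID:0x0529 PID:0x0514 Configured (0x1010000)
"""

USB_DRIVER = """\
Index:0
Owner Mask:0x6
Interface Class Code:0x8
Interface Subclass Code:0x6
Interface Protocol Code:0x50
Attached Devices:
    Controller ID:1, Device Address:1

Index:1
Owner Mask:0x1
Interface Class Code:0x0
Product ID:0x514
Vendor ID:0x529
Attached Devices:
    Controller ID:1, Device Address:17
"""

# Assumed site policy: only the eToken is expected on this router.
ALLOWED_DEVICES = {(0x0529, 0x0514): "eToken Pro"}
# USB-IF base class 0x08 is Mass Storage; other classes are reported by number.
CLASS_NAMES = {0x08: "mass storage"}

PORT_RE = re.compile(
    r"Port(?P<port>\d+):\((?P<name>[^)]*)\)\s+Addr:(?P<addr>0x[0-9A-Fa-f]+)"
    r"\s+VID:(?P<vid>0x[0-9A-Fa-f]+)\s+PID:(?P<pid>0x[0-9A-Fa-f]+)\s+(?P<state>\S+)")
ATTACH_RE = re.compile(r"Controller ID:(?P<ctl>\d+),\s*Device Address:(?P<addr>\d+)")


def parse_usb_tree(text):
    """Return one dict per attached device listed by show usb tree."""
    devices = []
    for line in text.splitlines():
        m = PORT_RE.search(line)
        if m:
            devices.append({
                "port": int(m["port"]), "name": m["name"],
                "addr": int(m["addr"], 16), "vid": int(m["vid"], 16),
                "pid": int(m["pid"], 16), "state": m["state"]})
    return devices


def parse_usb_driver(text):
    """Return {device address: driver record} from show usb driver output."""
    by_addr, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Index:"):
            cur = {"index": int(line.split(":", 1)[1]), "iface_class": None}
        elif cur is None:
            continue
        elif line.startswith("Interface Class Code:"):
            cur["iface_class"] = int(line.split(":", 1)[1], 16)
        else:
            m = ATTACH_RE.match(line)
            if m:                  # this driver claimed the device at that address
                by_addr[int(m["addr"])] = cur
    return by_addr


def audit_usb(tree_text, driver_text, allowed=ALLOWED_DEVICES):
    """Join devices to the drivers that claimed them; return a list of findings."""
    drivers = parse_usb_driver(driver_text)
    findings = []
    for d in parse_usb_tree(tree_text):
        drv = drivers.get(d["addr"])
        if drv is None:
            cls_name = "no driver"
        else:
            cls = drv["iface_class"]
            cls_name = CLASS_NAMES.get(cls, "class unknown" if cls is None else f"class 0x{cls:02X}")
        if (d["vid"], d["pid"]) not in allowed:
            findings.append(f"port {d['port']}: unexpected device '{d['name']}' "
                            f"VID:PID {d['vid']:04X}:{d['pid']:04X} ({cls_name})")
    return findings


if __name__ == "__main__":
    for finding in audit_usb(USB_TREE, USB_DRIVER):
        print(finding)
```

With the allowlist above, the DiskOnKey on port 0 is reported and its driver record shows interface class 0x08 (mass storage); the eToken on port 1 is silent because 0529:0514 is allowed.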

show webvpn sessions

To display information about WebVPN sessions, use the show webvpn sessions command in privileged EXEC mode.

show webvpn sessions

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(14)T

This command was introduced.


Examples

The following output example displays information about a WebVPN session:

Router# show webvpn sessions

WebVPN domain name: cisco.com
Client Login Name          Client IP Address     Number of Connections
webuser                    172.107.163.142       4
    Created 00:14:25, Last-used 00:00:10
    Client Port: 2366
    Client Port: 2386
    Client Port: 2396
    Client Port: 2486
browseruser                172.107.163.142      2
    Created 00:00:09, Last-used 00:00:08
    Client Port: 2431
    Client Port: 2432

Table 73 describes the significant fields shown in the display.

Table 73 show webvpn sessions Field Descriptions

Field
Description

Client Login Name

Username used to log in to the WebVPN gateway.

Client IP Address

IP address of the host from which the user is connecting.

Number of Connections

Number of active TCP connections by the user at this point.

Created

Provides the time that has elapsed since the user logged in (in HH:MM:SS format).

Client Port

Local TCP port used on the client host.


Related Commands

Command
Description

show webvpn statistics

Displays WebVPN statistics.


show webvpn statistics

To display WebVPN statistics, use the show webvpn statistics command in privileged EXEC mode.

show webvpn statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(14)T

This command was introduced.


Examples

The following is sample output using the show webvpn statistics command:

Router# show webvpn statistics

Active user sessions: 2
Active user TCP connections: 6 
Authentication failures: 3
Terminated user sessions: 0

Table 74 describes the significant fields shown in the display.

Table 74 show webvpn statistics Field Descriptions

Field
Description

Active user sessions

Number of users who are logged into the system.

Active user TCP connections

Number of TCP connections currently in use across all user sessions.

Authentication failures

Number of failed authentication attempts against the gateway.

Terminated user sessions

Number of users who logged in and logged out after the statistics were last cleared.


Related Commands

Command
Description

show webvpn sessions

Displays information about WebVPN sessions.
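The session listing and the statistics counters describe the same state from two angles, so one can be checked against the other. The following script is an added example, not Cisco code: it parses the show webvpn sessions and show webvpn statistics outputs shown above, verifies that the listed sessions and connections add up to the counters, lists source addresses that carry more than one login name, and reports how much the Authentication failures counter grew between two snapshots. STATS_BEFORE and the threshold are constructed assumptions.

```python
"""Cross-check of show webvpn sessions against show webvpn statistics.

Added example, not code from the Cisco page or from Cisco. SESSIONS and
STATS_NOW are the outputs printed on the page; STATS_BEFORE is a
constructed earlier snapshot used only for the failure-delta check.
"""
import re

SESSIONS = """\
WebVPN domain name: cisco.com
Client Login Name          Client IP Address     Number of Connections
webuser                    172.107.163.142       4
    Created 00:14:25, Last-used 00:00:10
    Client Port: 2366
    Client Port: 2386
    Client Port: 2396
    Client Port: 2486
browseruser                172.107.163.142      2
    Created 00:00:09, Last-used 00:00:08
    Client Port: 2431
    Client Port: 2432
"""

STATS_NOW = """\
Active user sessions: 2
Active user TCP connections: 6
Authentication failures: 3
Terminated user sessions: 0
"""

STATS_BEFORE = "Authentication failures: 0\n"   # constructed earlier snapshot

USER_RE = re.compile(r"^(?P<user>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<n>\d+)\s*$")
AGE_RE = re.compile(r"^\s+Created (?P<created>\d+:\d\d:\d\d), Last-used (?P<last>\d+:\d\d:\d\d)")
PORT_RE = re.compile(r"^\s+Client Port:\s*(?P<port>\d+)")


def hms_to_seconds(text):
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_sessions(text):
    """Return (domain, [session dicts]) from show webvpn sessions output."""
    domain, sessions, cur = None, [], None
    for line in text.splitlines():
        if line.startswith("WebVPN domain name:"):
            domain = line.split(":", 1)[1].strip()
            continue
        m = USER_RE.match(line)
        if m:                      # a new "login name / IP / connections" row
            cur = {"user": m["user"], "ip": m["ip"], "connections": int(m["n"]),
                   "created": None, "last_used": None, "ports": []}
            sessions.append(cur)
            continue
        if cur is None:
            continue               # header lines before the first session
        m = AGE_RE.match(line)
        if m:
            cur["created"] = hms_to_seconds(m["created"])
            cur["last_used"] = hms_to_seconds(m["last"])
            continue
        m = PORT_RE.match(line)
        if m:
            cur["ports"].append(int(m["port"]))
    return domain, sessions


def parse_stats(text):
    """Return {counter name: int} from show webvpn statistics output."""
    stats = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip().isdigit():
            stats[name.strip()] = int(value)
    return stats


def consistency_issues(sessions, stats):
    """The listing and the counters must agree; each mismatch is one message."""
    issues = []
    users, conns = len(sessions), sum(s["connections"] for s in sessions)
    if users != stats.get("Active user sessions"):
        issues.append(f"{users} sessions listed, counter says {stats.get('Active user sessions')}")
    if conns != stats.get("Active user TCP connections"):
        issues.append(f"{conns} connections listed, counter says {stats.get('Active user TCP connections')}")
    for s in sessions:             # one Client Port line is expected per connection
        if len(s["ports"]) != s["connections"]:
            issues.append(f"{s['user']}: {len(s['ports'])} ports for {s['connections']} connections")
    return issues


def users_per_source(sessions):
    """Source addresses that carry more than one login name."""
    by_ip = {}
    for s in sessions:
        by_ip.setdefault(s["ip"], set()).add(s["user"])
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def auth_failure_delta(before, now, threshold=5):
    """Growth of the failure counter between snapshots, and whether it reached threshold."""
    delta = now["Authentication failures"] - before["Authentication failures"]
    return delta, delta >= threshold
```

Two login names behind one address is not by itself a finding (a NAT gateway produces it), but it is the pattern to look at when the failure counter is also climbing; the counter only resets when the statistics are cleared, so the delta between snapshots is what to alert on, not the absolute value.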


show wlccp wds

To display information either about the wireless domain services (WDS) device or about client devices, use the show wlccp wds command in privileged EXEC mode.

show wlccp wds [ap | mn] [detail] [mac-addr mac-address]

Syntax Description

ap

(Optional) Displays access points participating in Cisco Centralized Key Management.

mn

(Optional) Displays cached information about client devices, also called mobile nodes.

detail

(Optional) Displays the lifetime of the client, the service set identifier (SSID), and the virtual VLAN ID.

mac-addr

(Optional) Displays information about a specific client device.

mac-address

Client's MAC address.


Defaults

If you do not enter any options with the show wlccp wds command, this command displays the IP address of the WDS device, the MAC address, the priority, and the interface state. If the interface state is backup, the command also displays the IP address of the current WDS device, the MAC address, and the priority.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)JA

This command was introduced.

12.3(11)T

This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.


Usage Guidelines

To show information about the WDS device, do not enter any keywords with this command.

Examples

The following command entry displays the access points participating in Cisco Centralized Key Management with the WDS device:

Router# show wlccp wds ap

The following command entry displays cached information, including details, about the client device with the specified MAC address:

Router# show wlccp wds mn detail mac-addr 00-05-C2-00-01-F5

The following is sample output from the show wlccp wds command:

Router# show wlccp wds

      MAC:0001.28e0.a400, IP-ADDR:10.0.0.1       , Priority:255
      Interface Vlan1, State:Administratively StandAlone - ACTIVE
      AP Count:1   , MN Count:0   , MAX AP Count:50

Table 75 describes the significant fields shown in the display.

Table 75 show wlccp wds Field Descriptions

Field
Description

MAC

MAC address of the interface on which the WDS is configured.

IP-ADDR

IP address of the interface on which the WDS is configured.

Priority

Priority of the WDS.

Interface

Interface on which the WDS is configured.

State

State of the WDS. The state can be INITIALIZATION, BACKUP, or ACTIVE.

AP Count

Number of access points registered to the WDS.

MN Count

Number of mobile nodes registered to the WDS.

MAX AP Count

Maximum number of access points that can be registered.


Related Commands

Command
Description

debug wlccp packet

Displays packet traffic to and from the WDS router.

debug wlccp wds

Displays either WDS debug state or WDS statistics messages.

wlccp authentication-server client

Configures the list of servers to be used for 802.1X authentication.

wlccp authentication-server infrastructure

Configures the list of servers to be used for 802.1X authentication for the wireless infrastructure devices.

wlccp wds priority interface

Enables a wireless device such as an access point or a wireless-aware router to be a WDS candidate.


shutdown (certificate server)

To allow a certificate server to be disabled without removing the configuration, use the shutdown command in certificate server configuration mode. To reenable the certificate server, use the no form of this command.

shutdown

no shutdown

Syntax Description

This command has no arguments or keywords.

Defaults

no shutdown

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

You should issue the no shutdown command only after you have completely configured your certificate server.

The shutdown command disables the certificate server. If you prefer to disable simple certificate enrollment protocol (SCEP) but still want the certificate server for manual certificate enrollment, use the no ip http server command.

Examples

To ensure that the specified URL is working correctly, configure the database url command before you issue the no shutdown command on the certificate server for the first time. If the URL is broken, you will see output as follows:

Router(config)# crypto pki server mycs
Router(cs-server)# database url ftp://myftpserver
Router(cs-server)# no shutdown
% Once you start the server, you can no longer change some of 
% the configuration.
Are you sure you want to do this? [yes/no]: yes 
Translating "myftpserver"

% Failed to generate CA certificate - 0xFFFFFFFF
% The Certificate Server has been disabled.

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters PKI configuration mode.

database url

Specifies the location where all database entries for the certificate server will be written out.

ip http server

Enables an HTTP server on your network.


snmp-server enable traps ipsec

To enable the router to send IP Security (IPSec) Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps ipsec command in global configuration mode. To disable IPSec SNMP notifications, use the no form of this command.

snmp-server enable traps ipsec [cryptomap [add | delete | attach | detach] | tunnel [start | stop] | too-many-sas]

no snmp-server enable traps ipsec [cryptomap [add | delete | attach | detach] | tunnel [start | stop] | too-many-sas]

Syntax Description

cryptomap add

(Optional) Notifications for cipsCryptomapAdded { cipsMIBNotifications 3 } events are generated, as defined in the CISCO-IPSEC-MIB. These notifications are generated when a new cryptomap is added to the specified cryptomap set.

cryptomap delete

(Optional) Notifications for cipsCryptomapDeleted { cipsMIBNotifications 4 } events are generated, as defined in the CISCO-IPSEC-MIB. These notifications are generated when a cryptomap is removed from the specified cryptomap set.

cryptomap attach

(Optional) Notifications for cipsCryptomapSetAttached { cipsMIBNotifications 5 } events are generated, as defined in the CISCO-IPSEC-MIB. These notifications are generated when a cryptomap set is attached to an active interface of the managed entity.

cryptomap detach

(Optional) Notifications for cipsCryptomapSetDetached { cipsMIBNotifications 6 } events are generated, as defined in the CISCO-IPSEC-MIB. These notifications are generated when a cryptomap set is detached from an interface to which it was previously bound.

tunnel start

(Optional) Notifications for cipSecTunnelStart {  cipSecMIBNotifications 7 } events are generated, as defined in the CISCO-IPSEC-FLOW-MONITOR-MIB. These notifications are generated when an IPsec Phase-2 Tunnel becomes active.

tunnel stop

(Optional) Notifications for cipSecTunnelStop { cipSecMIBNotifications 8 } events are generated, as defined in the CISCO-IPSEC-FLOW-MONITOR-MIB. These notifications are generated when an IPsec Phase-2 Tunnel becomes inactive.

too-many-sas

(Optional) Notifications for cipsTooManySAs { cipsMIBNotifications 7 } events are generated, as defined in the CISCO-IPSEC-MIB.my. These notifications are generated when an attempt to make a new security association (SA) is made but there is insufficient memory on the device.


Defaults

SNMP notifications are disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)T, 12.1(11b)E

This command was introduced.


Usage Guidelines

SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests.

A cryptomap is a table that maps an IPSec Phase-2 tunnel to the corresponding IPSec Policy element.

For a complete description of the notification types and additional MIB functions, refer to the CISCO-IPSEC-MIB.my and CISCO-IPSEC-FLOW-MONITOR-MIB.my files, available on Cisco.com through:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

The snmp-server enable traps ipsec command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.

Examples

The community string "public" used here is the conventional documentation value; in production, use a non-default community string restricted with an access list, or SNMPv3 with authentication and privacy, because these notifications reveal tunnel and crypto map activity. In the following example, the router is configured to send IPSec MIB inform notifications to the host nms.cisco.com using the community string named "public":

snmp-server enable traps ipsec
snmp-server host nms.cisco.com informs public ipsec

Related Commands

Command
Description

snmp-server enable traps isakmp

Controls the sending of ISAKMP SNMP notifications.

snmp-server host

Specifies the recipient of an SNMP notification operation.

snmp-server trap-source

Specifies the interface that an SNMP trap should originate from.


snmp-server enable traps isakmp

To enable the router to send IP Security (IPSec) Internet Security Association and Key Exchange Protocol (ISAKMP) Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps isakmp command in global configuration mode. To disable ISAKMP IPSec SNMP notifications, use the no form of this command.

snmp-server enable traps isakmp [policy {add | delete} | tunnel {start | stop}]

no snmp-server enable traps isakmp [policy {add | delete} | tunnel {start | stop}]

Syntax Description

policy add

(Optional) Notifications for cipsIsakmpPolicyAdded { cipsMIBNotifications 1 } events are generated, as defined in the CISCO-IPSEC-MIB. These notifications are generated when a new ISAKMP policy element is defined on the managed entity. The context of the event includes the updated number of ISAKMP policy elements currently available.

policy delete

(Optional) Notifications for cipsIsakmpPolicyDeleted { cipsMIBNotifications 2 } events are generated, as defined in the CISCO-IPSEC-MIB. These notifications are generated when an existing ISAKMP policy element is deleted on the managed entity. The context of the event includes the updated number of ISAKMP policy elements currently available.

tunnel start

(Optional) Notifications for cikeTunnelStart { cipSecMIBNotifications 1 } events are generated, as defined in the CISCO-IPSEC-FLOW-MONITOR-MIB.my. These notifications are generated when an IPsec Phase-1 IKE Tunnel becomes active.

tunnel stop

(Optional) Notifications for cikeTunnelStop { cipSecMIBNotifications 2 } events are generated, as defined in the CISCO-IPSEC-FLOW-MONITOR-MIB.my. These notifications are generated when an IPsec Phase-1 IKE Tunnel becomes inactive.


Defaults

SNMP notifications are disabled by default.

If no keywords are specified, all available ISAKMP traps are enabled (or disabled if the no form is used).

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)T, 12.1(11b)E

This command was introduced.


Usage Guidelines

SNMP notifications can be sent as traps or inform requests. This command enables both ISAKMP trap and inform requests.

For a complete description of these notifications and additional MIB functions, refer to the CISCO-IPSEC-MIB.my and CISCO-IPSEC-FLOW-MONITOR-MIB.my files, available on Cisco.com through:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

The snmp-server enable traps isakmp command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.

Examples

In the following example, the router is configured to send ISAKMP MIB inform notifications to the host nms.cisco.com using the community string named "public":

snmp-server enable traps isakmp
snmp-server host nms.cisco.com informs public isakmp

Related Commands

Command
Description

snmp-server host

Specifies the recipient of an SNMP notification operation.

snmp-server trap-source

Specifies the interface that an SNMP trap should originate from.


source interface

To specify the address of an interface to be used as the source address for all outgoing TCP connections associated with a trustpoint, use the source interface command in ca-trustpoint configuration mode. To disable the interface that was specified, use the no form of this command.

source interface interface-name

no source interface interface-name

Syntax Description

interface-name

Interface address to be used as the source address for all outgoing TCP connections associated with a trustpoint.


Defaults

If this command is not specified, the address of the outgoing interface is used.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Use this command after the crypto ca trustpoint command. When it is configured, the router uses the address of the specified interface as the source address for all datagrams that it sends to the certification authority (CA) server or Lightweight Directory Access Protocol (LDAP) server during authentication and enrollment and, if applicable, when obtaining certificate revocation lists (CRLs).

Examples

In the following example, the router is located in a branch office. The router uses IP Security (IPSec) to communicate with the main office. Ethernet 1 is the "outside" interface that connects to the Internet Service Provider (ISP). Ethernet 0 is the interface connected to the LAN of the branch office. To access the CA server located in the main office the router needs to send its IP datagrams out interface Ethernet 1 (address 10.2.2.205) using the IPSec tunnel. Address 10.2.2.205 is assigned by the ISP. Address 10.2.2.205 is not a part of the branch office or main office.

The CA cannot access any address outside the company because of a firewall. The CA sees a message coming from 10.2.2.205 and cannot respond (that is, it does not know that the router is located in a branch office at address 10.1.1.1, which it is able to reach).

Adding the source interface command tells the router to use address 10.1.1.1 as the source address of the IP datagram that it sends to the CA. The CA is able to respond to 10.1.1.1.

This scenario is configured using the source interface command and the interface addresses as described above.

crypto ca trustpoint ms-ca
 enrollment url http://yourname:80/certsrv/mscep/mscep.dll
 source interface ethernet0
!
interface ethernet 0
 description inside interface
 ip address 10.1.1.1 255.255.255.0
!
interface ethernet 1
 description outside interface
 ip address 10.2.2.205 255.255.255.0
 crypto map main-office

Related Commands

Command
Description

crypto ca trustpoint

Declares the CA that your router should use.


split-dns

To specify a domain name that must be tunneled or resolved to the private network, use the split-dns command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove a domain name, use the no form of this command.

split-dns domain-name

no split-dns domain-name

Syntax Description

domain-name

Name of the Domain Name System (DNS) domain that must be tunneled or resolved to the private network.


Defaults

All domain names are resolved via the public DNS server.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

If you configure the split-dns command, the split-dns attribute will be added to the policy group. The attribute will include the list of domain names that you configured. All other names will be resolved via the public DNS server.

You must enable the crypto isakmp client configuration group command, which specifies group policy information that needs to be defined or changed, before enabling the split-dns command.


Note If you have to configure more than one domain name, you have to add a split-dns command line for each.


Examples

The following example shows that the domain names "green.com" and "acme.org" will be added to the policy group:

Router (config)# crypto isakmp client configuration group cisco
Router (config-isakmp-group)# key cisco
Router (config-isakmp-group)# dns 10.2.2.2 10.2.2.3
Router (config-isakmp-group)# wins 10.6.6.6
Router (config-isakmp-group)# domain cisco.com
Router (config-isakmp-group)# pool green
Router (config-isakmp-group)# acl 199
Router (config-isakmp-group)# split-dns green.com
Router (config-isakmp-group)# split-dns acme.org

Related Commands

Command
Description

acl

Configures split tunneling.

crypto isakmp client configuration group

Specifies group policy information that needs to be defined or changed.


ssh

To start an encrypted session with a remote networking device, use the ssh command in privileged EXEC or user EXEC mode.

ssh [-v {1 | 2}] [-c {3des | aes128-cbc | aes192-cbc | aes256-cbc}] [-l userid | -l userid:number ip-address | -l userid:rotarynumber ip-address] [-m {hmac-md5 | hmac-md5-96 | hmac-sha1 | hmac-sha1-96}] [-o numberofpasswordprompts n] [-p port-num] {ip-addr | hostname} [command]

Syntax Description

-v

(Optional) Specifies the version of Secure Shell (SSH) to use to connect to the server.

1—Connects using SSH Version 1.

2—Connects using SSH Version 2.

-c {3des | aes128-cbc | aes192-cbc | aes256-cbc}

(Optional) Specifies the crypto algorithms Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES) to use for encrypting data. AES algorithms supported are aes128-cbc, aes192-cbc, and aes256-cbc.

To use SSH Version 1, you must have an encryption image running on the router. Cisco software images that include encryption have the designators "k8" (DES) or "k9" (3DES).

SSH Version 2 supports only the following crypto algorithms: aes128-cbc, aes192-cbc, aes256-cbc, and 3des-cbc. SSH Version 2 is supported only in 3DES images.

If you do not specify the -c keyword, during negotiation the remote networking device sends all the supported crypto algorithms.

If you configure the -c keyword and the server does not support the argument that you have shown (des, 3des, aes128-cbc, aes192-cbc, or aes256-cbc), the remote networking device closes the connection.

-l userid

(Optional) Specifies the user ID to use when logging in on the remote networking device running the SSH server. If no user ID is specified, the default is the current user ID.

-l userid:number ip-address

(Optional) Specifies the user ID when configuring reverse SSH by including port information in the userid field.

:—Signifies that a port number and terminal IP address will follow the user ID.

number—Terminal or auxiliary line number.

ip-address—IP address of the terminal server.

Note The userid argument and :number ip-address delimiter and arguments must be used if you are configuring reverse SSH by including port information in the userid field (a method that is easier than the longer method of listing each terminal or auxiliary line on a separate command configuration line).

-l userid:rotarynumber ip-address

(Optional) Specifies that the terminal lines are to be grouped under the rotary group for reverse SSH.

:—Signifies that a rotary group number and terminal IP address will follow.

rotarynumber—Number of the rotary group under which the terminal lines are grouped.

ip-address—IP address of the terminal server.

Note The userid argument and :rotary{number} {ip-address} delimiter and arguments must be used if you are configuring reverse SSH by including rotary information in the userid field (a process that is easier than the longer process of listing each terminal or auxiliary line on a separate command configuration line).

-m {hmac-md5 | hmac-md5-96 | hmac-sha1 | hmac-sha1-96}

(Optional) Specifies a Hashed Message Authentication Code (HMAC) algorithm.

SSH Version 1 does not support HMACs.

If you do not specify the -m keyword, the remote device sends all the supported HMAC algorithms during negotiation. If you specify the -m keyword and the server does not support the argument that you have shown (hmac-md5, hmac-md5-96, hmac-sha1, and hmac-sha1-96), the remote device closes the connection.

-o numberofpasswordprompts n

(Optional) Specifies the number of password prompts that the software generates before ending the session. The SSH server may also apply a limit to the number of attempts. If the limit set by the server is less than the value specified by the -o numberofpasswordprompts keyword, the limit set by the server takes precedence. The default is 3 attempts, which is also the Cisco IOS SSH server default. The range of values is from 1 to 5.

-p port-num

(Optional) Indicates the desired port number for the remote host. The default port number is 22.

ip-addr | hostname

Specifies the IPv4 or IPv6 address or host name of the remote networking device.

command

(Optional) Specifies the Cisco IOS command that you want to run on the remote networking device. If the remote host is not running Cisco IOS software, this may be any command recognized by the remote host. If the command includes spaces, you must enclose the command in quotation marks.


Defaults

Disabled

Command Modes

User EXEC
Privileged EXEC

Command History

Release
Modification

12.1(3)T

This command was introduced.

12.2(8)T

Support for IPv6 addresses was added.

12.0(21)ST

IPv6 address support was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

IPv6 address support was integrated into Cisco IOS Release 12.0(22)S.

12.2(14)S

IPv6 address support was integrated into Cisco IOS Release 12.2(14)S.

12.2(17a)SX

This command was integrated into Cisco IOS Release 12.2(17a)SX.

12.3(7)T

This command was expanded to include Secure Shell Version 2 support. The -c keyword was expanded to include support for the following crypto algorithms: aes128-cbc, aes192-cbc, and aes256-cbc. The -m keyword was added, with the following algorithms: hmac-md5, hmac-md5-96, hmac-sha1, and hmac-sha1-96. The -v keyword and arguments 1 and 2 were added.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.3(11)T

The -l userid:number ip-address and -l userid:rotarynumber ip-address keyword and argument options were added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.3(7)JA

This command was integrated into Cisco IOS Release 12.3(7)JA.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.0(32)SY

This command was integrated into Cisco IOS Release 12.0(32)SY.


Usage Guidelines

The ssh command enables a Cisco router to make a secure, encrypted connection to another Cisco router or device running an SSH Version 1 or Version 2 server. This connection provides functionality that is similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.


Note SSH Version 1 is supported on DES (56-bit) and 3DES (168-bit) data encryption software images only. In DES software images, DES is the only encryption algorithm available. In 3DES software images, both DES and 3DES encryption algorithms are available.

SSH Version 2 supports only the following crypto algorithms: aes128-cbc, aes192-cbc, aes256-cbc, and 3des-cbc. SSH Version 2 is supported only in 3DES images.

SSH Version 1 does not support HMAC algorithms. Where the remote server supports it, connect with -v 2: SSH Version 1 has known protocol-level weaknesses, and DES provides only a 56-bit key.


Examples

The following example illustrates the initiation of a secure session between the local router and the remote host HQhost to run the show users command. The result of the show users command is a list of valid users who are logged in to HQhost. The remote host will prompt for the adminHQ password to authenticate the user adminHQ. If the authentication step is successful, the remote host will return the result of the show users command to the local router and will then close the session.

ssh -l adminHQ HQhost "show users"

The following example illustrates the initiation of a secure session between the local router and the edge router HQedge to run the show ip route command. In this example, the edge router prompts for the adminHQ password to authenticate the user. If the authentication step is successful, the edge router will return the result of the show ip route command to the local router.

ssh -l adminHQ HQedge "show ip route" 

The following example shows the SSH client using 3DES to initiate a secure remote command connection with the HQedge router. The SSH server running on HQedge authenticates the session for the admin7 user on the HQedge router using standard authentication methods. The HQedge router must have SSH enabled for authentication to work.

ssh -l admin7 -c 3des -o numberofpasswordprompts 5 HQedge

The following example shows a secure session between the local router and a remote IPv6 router with the address 3ffe:1111:2222:1044::72 to run the show running-config command. In this example, the remote IPv6 router prompts for the adminHQ password to authenticate the user. If the authentication step is successful, the remote IPv6 router will return the result of the show running-config command to the local router and will then close the session.

ssh -l adminHQ 3ffe:1111:2222:1044::72 "show running-config"

Note A hostname that maps to the IPv6 address 3ffe:1111:2222:1044::72 could have been used in the last example.


The following example shows a SSH Version 2 session using the crypto algorithm aes256-cbc and an HMAC of hmac-sha1-96. The user ID is user2, and the IP address is 10.76.82.24.

ssh -v 2 -c aes256-cbc -m hmac-sha1-96 -l user2 10.76.82.24

The following example shows that reverse SSH has been configured on the SSH client:

ssh -l lab:1 router.example.com

The following command shows that Reverse SSH will connect to the first free line in the rotary group:

ssh -l lab:rotary1 router.example.com

Related Commands

Command
Description

ip ssh

Configures SSH server control parameters on the router.

show ip ssh

Displays the version and configuration data for SSH.

show ssh

Displays the status of SSH server connections.


ssid

To add up to 20 service set identifiers (SSIDs) to a user group, use the ssid command in local RADIUS server group configuration mode. To instruct the access point (AP) not to check whether the client has come in on one of the specified SSIDs, use the no form of this command.

ssid ssid-number

no ssid ssid-number

Syntax Description

ssid-number

SSID number of user group members.


Defaults

No default behavior or values

Command Modes

Local RADIUS server group configuration

Command History

Release
Modification

12.2(11)JA

This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.

12.3(11)T

This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.


Usage Guidelines

You can enter up to 20 SSIDs to limit users to those SSIDs.

Examples

The following example shows that the SSID "green" has been added to the local user group:

ssid green

Related Commands

Command
Description

block count

Configures the parameters for locking out members of a group to help protect against unauthorized attacks.

clear radius local-server

Clears the statistics display or unblocks a user.

debug radius local-server

Displays the debug information for the local server.

group

Enters user group configuration mode and configures shared settings for a user group.

nas

Adds an access point or router to the list of devices that use the local authentication server.

radius-server host

Specifies the remote RADIUS server host.

radius-server local

Enables the access point or router to be a local authentication server and enters configuration mode for the authenticator.

reauthentication time

Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.

show radius local-server statistics

Displays statistics for a local network access server.

user

Authorizes a user to authenticate using the local authentication server.

vlan

Specifies a VLAN to be used by members of a user group.


ssl encryption

To specify the encryption algorithms that the Secure Sockets Layer (SSL) protocol will use for an SSL Virtual Private Network (SSLVPN), use the ssl encryption command in Web VPN configuration mode. To remove an algorithm, use the no form of this command.

ssl encryption [3des-sha1] [des-sha-1] [rc4-md5]

no ssl encryption [3des-sha1] [des-sha-1] [rc4-md5]

Syntax Description

3des-sha1

(Optional) Encryption algorithm type is 3DES-SHA1.

des-sha-1

(Optional) Encryption algorithm type is DES-SHA-1.

rc4-md5

(Optional) Encryption algorithm type is RC4-MD5.


Defaults

All algorithms are available in the order shown above.

Command Modes

Web VPN configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

Configuring this command allows administrators to restrict the encryption algorithms that SSL uses in Cisco IOS software. The ordering of the algorithms specifies the preference. If you specify this command after you have specified an algorithm, the previous setting is overridden.

Examples

The following example shows that 3DES-SHA1 has been specified as the encryption algorithm:

ssl encryption 3des-sha1

Related Commands

Command
Description

webvpn

Enters Web VPN configuration mode.


ssl trustpoint

To specify the certificate trustpoint, use the ssl trustpoint command in Web VPN configuration mode. To remove the trustpoint association, use the no form of this command.

ssl trustpoint trustpoint-name

no ssl trustpoint trustpoint-name

Syntax Description

trustpoint-name

Name of the trustpoint.


Defaults

The trustpoint name is SSLVPN.

Command Modes

Web VPN configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

No configuration is required if the trustpoint name is SSLVPN.

Examples

The following example shows that the trustpoint name is Mytrustpoint:

ssl trustpoint Mytrustpoint

Related Commands

Command
Description

webvpn

Enters Web VPN configuration mode.


strict-http

To allow HTTP messages to pass through the firewall or to reset the TCP connection when HTTP noncompliant traffic is detected, use the strict-http command in appfw-policy-http configuration mode. To disable configured settings, use the no form of this command.

strict-http action {reset | allow} [alarm]

no strict-http action {reset | allow} [alarm]

Syntax Description

action

HTTP messages are subject to the specified action (reset or allow).

reset

Sends a TCP reset notification to the client or server if the HTTP message fails the mode inspection.

allow

Forwards the packet through the firewall.

alarm

(Optional) Generates system logging (syslog) messages for the given action.


Defaults

If this command is not enabled, all traffic will be allowed through the firewall.

Command Modes

appfw-policy-http configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Examples

The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.

! Define the HTTP policy.
appfw policy-name mypolicy
 application http
  strict-http action allow alarm
  content-length maximum 1 action allow alarm
  content-type-verification match-req-rsp action allow alarm
  max-header-length request 1 response 1 action allow alarm
  max-uri-length 1 action allow alarm
  port-misuse default action allow alarm
  request-method rfc default action allow alarm
  request-method extension default action allow alarm
  transfer-encoding type default action allow alarm
!
!
! Apply the policy to an inspection rule. 
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
 ip inspect firewall in
!
!
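As an added example (not Cisco code, and not part of this reference), the following Python audit serves both the ssl encryption preference rule above and the strict-http policy example just shown: it walks an IOS configuration excerpt and flags HTTP policy rules whose action is allow (the message is forwarded; alarm only adds a syslog entry), a policy with no strict-http line (the default, under which all traffic passes), and any suite the ssl encryption line lists ahead of 3des-sha1. The sample configuration is constructed.

```python
import re

# Constructed sample (not from the page): appfw rules, then a webvpn block with the weakest suite first.
SAMPLE_CONFIG = """\
appfw policy-name mypolicy
 application http
  strict-http action allow alarm
  max-uri-length 1 action reset alarm
webvpn
 ssl encryption rc4-md5 des-sha-1 3des-sha1
"""

ACTION_RE = re.compile(r"^(\S+).*\baction (reset|allow)( alarm)?$")  # rule keyword first, action last

def parse_blocks(config):
    """Group each top-level command with its indented sub-lines."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_http_policy(sub_lines):
    """No strict-http is the page's default (all passes); 'allow' forwards, 'alarm' only logs."""
    rules = {m.group(1): m.group(2) for m in map(ACTION_RE.match, sub_lines) if m}
    findings = []
    if "strict-http" not in rules:
        findings.append("strict-http not set: noncompliant HTTP is allowed")
    findings += [f"{r}: action allow forwards the message" for r, a in rules.items() if a == "allow"]
    return findings

def audit_ssl_encryption(sub_lines):
    """Flag suites listed, and therefore preferred, ahead of 3des-sha1."""
    for line in sub_lines:
        if line.startswith("ssl encryption"):
            algs = line.split()[2:]
            idx = algs.index("3des-sha1") if "3des-sha1" in algs else len(algs)
            return [f"ssl encryption: {a} preferred over 3des-sha1" for a in algs[:idx]]
    return []  # not set: the page's default order, 3des-sha1 first

def audit(config):
    findings = []
    for cmd, sub in parse_blocks(config):
        if cmd.startswith("appfw policy-name"):
            findings += audit_http_policy(sub)
        elif cmd == "webvpn":
            findings += audit_ssl_encryption(sub)
    return findings
```

Running audit(SAMPLE_CONFIG) reports the strict-http allow rule and both suites placed ahead of 3des-sha1; a policy whose rules all use reset and a webvpn block with ssl encryption 3des-sha1 produce no findings.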

subject-name

To specify the subject name in the certificate request, use the subject-name command in ca-trustpoint configuration mode. To clear any subject name from the configuration, use the no form of this command.

subject-name [x.500-name]

no subject-name [x.500-name]

Syntax Description

x.500-name

(Optional) Specifies the subject name used in the certificate request.


Defaults

If the x.500-name argument is not specified, the fully qualified domain name (FQDN), which is the default subject name, will be used.

Command Modes

ca-trustpoint configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Before you can issue the subject-name command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.

The subject-name command is an attribute that can be set for autoenrollment; thus, issuing this command prevents you from being prompted for a subject name during enrollment.

Examples

The following example shows how to specify the subject name for the "frog" certificate:

crypto ca trustpoint frog
 enrollment url http://frog.phoobin.com/
 subject-name OU=Spiral Dept., O=tiedye.com
 ip-address ethernet-0
 auto-enroll regenerate
 password revokme

Related Commands

Command
Description

crypto ca trustpoint

Declares the CA that your router should use.