Cisco IOS Security Command Reference
show diameter peer through show object-group

Table Of Contents

show diameter peer

show dmvpn

show dnsix

show dot1x

show dot1x (EtherSwitch)

show dss log

show eap registrations

show eap sessions

show eou

show epm session

show fm private-hosts

show fpm package-group

show fpm package-info

show ip access-list

show ip access-lists

show ip admission

show ip audit configuration

show ip audit interface

show ip audit statistics

show ip auth-proxy

show ip auth-proxy watch-list

show ip bgp labels

show ip device tracking

show ip inspect

show ip inspect ha

show ip interface

show ip ips

show ip ips auto-update

show ip port-map

show ip sdee

show ip source-track

show ip source-track export flows

show ip ssh

show ip traffic-export

show ip trigger-authentication

show ip trm config

show ip trm subscription status

show ip urlfilter cache

show ip urlfilter config

show ip urlfilter statistics

show ip virtual-reassembly

show kerberos creds

show logging ip access-list

show login

show mab

show mac access-group interface

show mac-address-table

show management-interface

show mls rate-limit

show object-group


show diameter peer

To display the configuration and status of a specific Diameter peer, or all Diameter peers, use the show diameter peer command in privileged EXEC mode.

show diameter peer [peer-name]

Syntax Description

peer-name

Displays the configuration and status of the specified Diameter peer.

Note If no peer name is specified, the command will display information for all configured Diameter peers.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.4(9)T

This command was introduced.


Usage Guidelines

This command displays the peer status information, as well as counters, including:

Total packets sent

Total responses seen

Packets with responses

Packets without responses

Average response delay (ms)

Number of Diameter timeouts

Buffer allocation failures

Examples

The following is a sample output from the show diameter peer command:

Router# show diameter peer iwan-view5

Peer information for iwan-view5
-------------------------------
Peer name: iwan-view 5
Peer type: Server
Peer transport protocol: TCP
Peer listening port: 3688
Peer security protocol: IPSEC
Peer connection timer value: 30 seconds
Peer watch dog timer value: 35 seconds
Peer vrf name: default
Peer connection status: UP

The fields shown above are self-explanatory.

Related Commands

Command
Description

debug diameter

Displays information about the Diameter protocol.


show dmvpn

To display Dynamic Multipoint VPN (DMVPN) specific session information, use the show dmvpn command in privileged EXEC mode.

show dmvpn [ipv4 | ipv6] [peer [nbma | tunnel {ip-address | ipv6-address}] | network {ip-address mask}] [vrf vrf-name] [interface tunnel number] [detail] [static] [debug-condition]

Syntax Description

ipv4

(Optional) Displays information only about IPv4 private networks.

ipv6

(Optional) Displays information only about IPv6 private networks.

peer

(Optional) Displays information for a specific DMVPN peer.

nbma

(Optional) Displays DMVPN information based on nonbroadcast multiaccess (NBMA) addresses.

tunnel

(Optional) Displays DMVPN information based on the peer virtual private network (VPN) address.

ip-address

(Optional) Specifies DMVPN peer IP address.

ipv6-address

(Optional) Specifies DMVPN peer IPv6 address.

network ip-address mask

(Optional) Displays DMVPN information based on a specific destination network and mask address.

vrf vrf-name

(Optional) Displays information based on the specified virtual routing forwarding (VRF).

interface

(Optional) Displays DMVPN information based on a specific interface.

tunnel number

(Optional) Specifies tunnel address for DMVPN peer.

detail

(Optional) Displays detailed DMVPN information for each session, including the Next Hop Server (NHS) and its status, crypto session information, and socket details.

static

(Optional) Displays only static DMVPN information.

debug-condition

(Optional) Displays DMVPN conditional debugging.


Command Default

Information is displayed for all DMVPN-specific sessions.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.4(9)T

This command was introduced.

12.4(20)T

The ipv4 keyword, the ipv6 keyword, the ipv6-address argument, and the network ipv6-address keyword and argument combination were added.

12.4(22)T

The output of this command was extended to display the NHRP group received from the spoke and the QoS policy applied to the spoke tunnel.


Usage Guidelines

Use this command to obtain DMVPN specific session information. By default, summary information will be displayed.

When the detail keyword is used, the command output also includes the information shown by the show crypto session detail command (including the inbound and outbound security parameter indexes (SPIs)) and by the show crypto socket command.

Examples

The following example shows sample summary output:

Router# show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

! The line below indicates that the sessions are being displayed for Tunnel1. 
! Tunnel1 is acting as a spoke and is a peer with three other NBMA peers.

Tunnel1, Type: Spoke, NBMA Peers: 3, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2    192.0.2.21       192.0.2.116   IKE     3w0d D    
     1    192.0.2.102      192.0.2.11   NHRP 02:40:51 S    
     1    192.0.2.225      192.0.2.10     UP     3w0d S    

Tunnel2, Type: Spoke, NBMA Peers: 1, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1      192.0.2.25     192.0.2.171   IKE    never S    

Table 121 describes the significant fields shown in the display.

Table 121 show dmvpn Field Descriptions 

Field
Description

# Ent

The number of Next Hop Routing Protocol (NHRP) entries in the current session.

Peer NBMA Addr

The remote NBMA address.

Peer Tunnel Add

The remote tunnel endpoint IP address.

State

The state of the DMVPN session. The session is either up (UP) or down. If the session is down, the column shows the stage at which it is stuck: Internet Key Exchange (IKE), IPsec, or NHRP.

UpDn Tm

Displays how long the session has been in the current state.

Attrb

Displays the attributes of the current session. One or more of the following flags is displayed: dynamic (D), static (S), incomplete (I), Network Address Translation (NAT) applied to the peer address, that is, NATed (N), local (L), or no socket (X).
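The summary table above is what an operator scrapes when checking that every spoke has come up. The following is an added example, not part of the Cisco reference: it parses the summary layout (the detail layout adds a Target Network column and is not handled), decodes the Attrb flags with the legend the command prints, and lists the peers still in IKE or NHRP negotiation. The sample text is constructed from the output shown above; parse_show_dmvpn and peers_not_up are names assumed by this example.

```python
"""Parse the summary table of the 'show dmvpn' display and flag DMVPN peers
whose session is not up.

Added example, not part of the Cisco reference. The sample text is constructed
from the summary output on this page; parse_show_dmvpn and peers_not_up are
names assumed by this example. Summary layout only (the detail layout adds a
Target Network column).
"""
import re
from dataclasses import dataclass

# Meaning of the Attrb flags, taken from the Legend printed by the command.
ATTRB_FLAGS = {
    "S": "Static",
    "D": "Dynamic",
    "I": "Incomplete",
    "N": "NATed",
    "L": "Local",
    "X": "No Socket",
}

# Constructed sample: the summary output from this page.
SAMPLE_OUTPUT = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel1, Type: Spoke, NBMA Peers: 3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2    192.0.2.21       192.0.2.116   IKE     3w0d D
     1    192.0.2.102      192.0.2.11   NHRP 02:40:51 S
     1    192.0.2.225      192.0.2.10     UP     3w0d S

Tunnel2, Type: Spoke, NBMA Peers: 1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1      192.0.2.25     192.0.2.171   IKE    never S
"""

# "Tunnel1, Type: Spoke, NBMA Peers: 3," introduces one tunnel interface.
TUNNEL_RE = re.compile(r"^(Tunnel\d+), Type: (\w+), NBMA Peers: (\d+)")
# One table row: # Ent, NBMA addr, tunnel addr, state, UpDn time, flags.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*([SDINLX]*)\s*$"
)


@dataclass
class DmvpnPeer:
    tunnel: str
    role: str
    ent: int
    nbma_addr: str
    tunnel_addr: str
    state: str
    updn_tm: str
    attrb: str

    def attributes(self):
        """Expand the Attrb flag letters using the command's own legend."""
        return [ATTRB_FLAGS[c] for c in self.attrb]

    def is_up(self):
        return self.state == "UP"

    def never_established(self):
        """An UpDn Tm of 'never' means the session has never been up."""
        return self.updn_tm == "never"


def parse_show_dmvpn(text):
    """Return one DmvpnPeer per table row, in display order."""
    peers = []
    tunnel = role = None
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            tunnel, role = m.group(1), m.group(2)
            continue
        # Skip everything before the first tunnel header (the legend) and
        # the column header and separator rows.
        if tunnel is None or line.lstrip().startswith(("#", "-")):
            continue
        m = ENTRY_RE.match(line)
        if m:
            ent, nbma, tun, state, updn, attrb = m.groups()
            peers.append(DmvpnPeer(tunnel, role, int(ent), nbma, tun,
                                   state, updn, attrb))
    return peers


def peers_not_up(peers):
    """Peers still in IKE or NHRP negotiation: the ones to investigate."""
    return [p for p in peers if not p.is_up()]


if __name__ == "__main__":
    for p in peers_not_up(parse_show_dmvpn(SAMPLE_OUTPUT)):
        why = "never established" if p.never_established() else "stuck"
        print(f"{p.tunnel} peer {p.nbma_addr} ({p.tunnel_addr}): "
              f"state {p.state}, UpDn Tm {p.updn_tm}, {why}, "
              f"attributes {p.attributes()}")
```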


The following example shows output of the show dmvpn command with the detail keyword:

Router# show dmvpn detail

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel1 info: -------------- 
Intf. is up, Line Protocol is up, Addr. is 192.0.2.5
   Source addr: 192.0.2.229, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "gre_prof",
Tunnel VRF "" ip vrf forwarding ""
NHRP Details: NHS: 192.0.2.10 RE 192.0.2.11  E
Type: Spoke, NBMA Peers: 4
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    2        192.0.2.21      192.0.2.116    UP 00:14:59 D      192.0.2.118/24
                                            UP 00:14:59 D      192.0.2.116/32

  IKE SA: local 192.0.2.229/500 remote 192.0.2.21/500 Active 
          Capabilities:(none) connid:1031 lifetime:23:45:00
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none)
  IPSEC FLOW: permit 47 host 192.0.2.229 host 192.0.2.21 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 1 drop 0 life (KB/Sec) 4494994/2700
        Outbound: #pkts enc'ed 1 drop 0 life (KB/Sec) 4494994/2700
   Outbound SPI : 0xD1EA3C9B, transform : esp-3des esp-sha-hmac 
    Socket State: Open

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1     192.0.2.229       192.0.2.5    UP 00:15:00 DLX        192.0.2.5/32

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1     192.0.2.102      192.0.2.11 NHRP 02:55:47  S         192.0.2.11/32

  IKE SA: local 192.0.2.229/4500 remote 192.0.2.102/4500 Active 
          Capabilities:N connid:1028 lifetime:11:45:37
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none)
  IPSEC FLOW: permit 47 host 192.0.2.229 host 192.0.2.102 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 199056 drop 393401 life (KB/Sec) 4560270/1524
        Outbound: #pkts enc'ed 416631 drop 10531 life (KB/Sec) 4560322/1524
   Outbound SPI : 0x9451AF5C, transform : esp-3des esp-sha-hmac 
    Socket State: Open
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1     192.0.2.225      192.0.2.10    UP     3w0d S         192.0.2.10/32

  IKE SA: local 192.0.2.229/500 remote 192.0.2.225/500 Active 
          Capabilities:(none) connid:1030 lifetime:03:46:44
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none)
  IPSEC FLOW: permit 47 host 192.0.2.229 host 192.0.2.225 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 430261 drop 0 life (KB/Sec) 4415197/3466
        Outbound: #pkts enc'ed 406232 drop 4 life (KB/Sec) 4415197/3466
   Outbound SPI : 0xAF3E15F2, transform : esp-3des esp-sha-hmac 
    Socket State: Open

 -------------- Interface Tunnel2 info: -------------- 
Intf. is up, Line Protocol is up, Addr. is 192.0.2.172
   Source addr: 192.0.2.20, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "gre_prof",
Tunnel VRF "" ip vrf forwarding ""

NHRP Details: NHS:         192.0.2.171  E

Type: Spoke, NBMA Peers: 1
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1      192.0.2.25     192.0.2.171  IKE     never S        192.0.2.171/32

  IKE SA: local 192.0.2.20/500 remote 192.0.2.25/500 Inactive 
          Capabilities:(none) connid:0 lifetime:0
  IKE SA: local 192.0.2.20/500 remote 192.0.2.25/500 Inactive 
          Capabilities:(none) connid:0 lifetime:0
  Crypto Session Status: DOWN-NEGOTIATING
  fvrf: (none)
  IPSEC FLOW: permit 47 host 192.0.2.20 host 192.0.2.25 
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 436431 life (KB/Sec) 0/0
   Outbound SPI : 0x       0, transform : 
    Socket State: Closed

Pending DMVPN Sessions:
!There are no pending DMVPN sessions.

The following example shows output of the show dmvpn command with the detail keyword. This example displays the NHRP group received from the spoke and the QoS policy applied to the spoke tunnel:

Router# show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

 -------------- Interface Tunnel0 info: -------------- 
Intf. is up, Line Protocol is up, Addr. is 10.0.0.1
   Source addr: 172.17.0.1, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "dmvpn-profile",
Tunnel VRF "", ip vrf forwarding ""

NHRP Details: 
Type:Hub, NBMA Peers:2
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1      172.17.0.2        10.0.0.2    UP 00:19:57 D           10.0.0.2/32
NHRP group: test-group-0
 Output QoS service-policy applied: queueing

  IKE SA: local 172.17.0.1/500 remote 172.17.0.2/500 Active 
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none), Phase1_id: 172.17.0.2
  IPSEC FLOW: permit 47 host 172.17.0.1 host 172.17.0.2 
        Active SAs: 2, origin: crypto map
   Outbound SPI : 0x44E4E634, transform : esp-des esp-sha-hmac 
    Socket State: Open
  IKE SA: local 172.17.0.1/500 remote 172.17.0.2/500 Active 
  IPSEC FLOW: permit 47 host 172.17.0.1 host 172.17.0.2 
        Active SAs: 2, origin: crypto map
   Outbound SPI : 0x44E4E634, transform : esp-des esp-sha-hmac 
    Socket State: Open
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1      172.17.0.3        10.0.0.3    UP 00:02:21 D           10.0.0.3/32
NHRP group: test-group-0
 Output QoS service-policy applied: queueing

  IKE SA: local 172.17.0.1/500 remote 172.17.0.3/500 Active 
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none), Phase1_id: 172.17.0.3
  IPSEC FLOW: permit 47 host 172.17.0.1 host 172.17.0.3 
        Active SAs: 2, origin: crypto map
   Outbound SPI : 0xBF13C9CC, transform : esp-des esp-sha-hmac 
    Socket State: Open
  IKE SA: local 172.17.0.1/500 remote 172.17.0.3/500 Active 
  IPSEC FLOW: permit 47 host 172.17.0.1 host 172.17.0.3 
        Active SAs: 2, origin: crypto map
   Outbound SPI : 0xBF13C9CC, transform : esp-des esp-sha-hmac 
    Socket State: Open

 -------------- Interface Tunnel1 info: -------------- 
Intf. is up, Line Protocol is up, Addr. is 11.0.0.1
   Source addr: 172.17.0.1, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "dmvpn-profile",
Tunnel VRF "", ip vrf forwarding ""

NHRP Details: 
Type:Hub, NBMA Peers:1
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1      172.17.0.2        11.0.0.2    UP 00:20:01 D           11.0.0.2/32
NHRP group: test-group-1
 Output QoS service-policy applied: queueing


Pending DMVPN Sessions:

The following example shows DMVPN debug-condition information:

Router# show dmvpn debug-condition 

NBMA addresses under debug are:
Interfaces under debug are:
Tunnel101, 
Crypto DMVPN filters:
Interface = Tunnel101
DMVPN Conditional debug context unmatched flag: OFF

Related Commands

Command
Description

debug dmvpn

Debugs DMVPN sessions.

show crypto session detail

Displays detailed status information for active crypto sessions.

show crypto socket

Lists crypto sockets.

show policy-map mgre

Displays statistics about a specific QoS policy as it is applied to a tunnel endpoint.


show dnsix

To display state information and the current configuration of the DNSIX audit writing module, use the show dnsix command in privileged EXEC mode.

show dnsix

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

10.0

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Examples

The following is sample output from the show dnsix command:

Router# show dnsix
Audit Trail Enabled with Source 192.168.2.5 
          State: PRIMARY
          Connected to 192.168.2.4 
          Primary 192.168.2.4 
          Transmit Count 1 
          DMDP retries 4
          Authorization Redirection List:
               192.168.2.4
          Record count: 0 
          Packet Count: 0 
          Redirect Rcv: 0 

show dot1x

To display details for an identity profile, use the show dot1x command in privileged EXEC mode.

show dot1x [all | interface interface-name [details | statistics]] [statistics]

Syntax Description

all

(Optional) Displays 802.1X status for all ports.

interface interface-name

(Optional) Displays 802.1X status for the specified port (including type, stack member, module, and port number).

interface interface-name details

(Optional) Displays the interface configuration as well as the authenticator instances on the interface.

interface interface-name statistics

(Optional) Displays the interface statistics.

statistics

(Optional) Displays 802.1X statistics for all the interfaces.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(11)AX

This command was introduced.

12.1(14)EA1

The all keyword was added.

12.3(2)XA

This command was integrated into Cisco IOS Release 12.3(2)XA.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.2(25)SED

The output display was expanded to include auth-fail-vlan information in the authorization state machine state and port status fields.

12.2(25)SEE

The details and statistics keywords were added.

12.3(11)T

The PAE, HeldPeriod, StartPeriod, and MaxStart fields were added to the show dot1x command output.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

If you do not specify a port, global parameters and a summary appear. If you specify a port, details for that port appear in the output.

Examples

The following is sample output for the show dot1x command:

Router# show dot1x

Sysauthcontrol  = Disabled
Dot1x Version   = 1

Dot1x Info for interface Ethernet0
-----------------------------------------
PortControl       = AUTO
ReAuthentication  = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
QuietWhile        = 120 Seconds
MaxReq            = 2

Dot1x Info for interface Ethernet1
-----------------------------------------
PortControl       = AUTO
ReAuthentication  = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
QuietWhile        = 120 Seconds
MaxReq            = 2

The following is sample output for the show dot1x command using the interface keyword together with the details keyword. The clients are authenticated in this output example.

Router# show dot1x interface ethernet 0 details

PortControl       = AUTO
ReAuthentication  = Enabled
ReAuthPeriod      = 36000 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
QuietWhile        = 120 Seconds
MaxReq            = 2


Dot1x Client List
-------------------------------------
MAC Address         State
-------------------------------------
0000.1111.0001      AUTHENTICATED
0000.1111.0002      UNAUTHENTICATED

The following show dot1x sample output shows information for all three possible interface configurations (that is, as an authenticator, as a supplicant, and as an authenticator and supplicant).

Router# show dot1x

Sysauthcontrol     = Enabled
Dot1x Version      = 1

Dot1x Information for interface Ethernet0
-----------------------------------------
PortControl        = AUTO
PAE                = AUTHENTICATOR
ReAuthentication   = Enabled
ReAuthPeriod       = 60 Seconds
ServerTimeout      = 30 Seconds
SuppTimeout        = 30 Seconds
QuietWhile         = 120 Seconds
MaxReq             = 2

Dot1x Information for interface Ethernet1
-----------------------------------------
PortControl        = AUTO
PAE                = SUPPLICANT
AuthPeriod         = 30
HeldPeriod         = 60 Seconds
StartPeriod        = 30 Seconds
MaxStart           = 2

Dot1x Information for interface Ethernet2
-----------------------------------------
PortControl        = AUTO
PAE                = BOTH
ReAuthentication   = Enabled
ReAuthPeriod       = 60 Seconds
ServerTimeout      = 30 Seconds
SuppTimeout        = 30 Seconds
QuietWhile         = 120 Seconds
MaxReq             = 2
AuthPeriod         = 30
HeldPeriod         = 60 Seconds
StartPeriod        = 30 Seconds
MaxStart           = 2

The following is sample output for the show dot1x command using the interface and details keywords.

Router# show dot1x interface ethernet0

PortControl        = AUTO
PAE                = AUTHENTICATOR
ReAuthentication   = Enabled
ReAuthPeriod       = 60 Seconds
ServerTimeout      = 30 Seconds
SuppTimeout        = 30 Seconds
QuietWhile         = 120 Seconds
MaxReq             = 2

Router# show dot1x interface ethernet0 details

PortControl        = AUTO
PAE                = SUPPLICANT
ReAuthentication   = Enabled
ReAuthPeriod       = 60 Seconds
ServerTimeout      = 30 Seconds
SuppTimeout        = 30 Seconds
QuietWhile         = 120 Seconds
MaxReq             = 2


Dot1x Client List
-------------------------------------
MAC Address         State
-------------------------------------
0001.f380.87ce      AUTHENTICATED
0001.87ce.f380      AUTHENTICATING
0010.a7b4.97af      UNAUTHENTICATED


Dot1x List of Supplicant Instances
-----------------------------------------
MAC Address          State
-----------------------------------------
0180.c200.0003       AUTHORIZED

Table 122 describes the significant fields shown in the displays.

Table 122 show dot1x Field Descriptions 

Field
Description

Sysauthcontrol

802.1X port-based authentication is enabled or disabled.

PortControl

Port control value.

AUTO—the authentication status of the client PC is being determined by the authentication process.

Force-authorize—all the client PCs on the interface are being authorized.

Force-unauthorized—all the client PCs on the interface are being unauthorized.

PAE

Port Access Entity. Defines the role of an interface (as a supplicant, as an authenticator, or as an authenticator and supplicant).

ReAuthentication

Periodic reauthentication of client PCs on the interface has been enabled or disabled.

ReAuthPeriod

Time after which an automatic reauthentication will be initiated.

ServerTimeout

Timeout that has been set for RADIUS retries. If an 802.1X packet is sent to the server and the server does not send a response, the packet will be sent again after the number of seconds that are shown.

SuppTimeout

Time that has been set for supplicant (client PC) retries. If an 802.1X packet is sent to the supplicant and the supplicant does not send a response, the packet will be sent again after the number of seconds that are shown.

QuietWhile

After authentication fails for a client, the authentication gets restarted after the quiet period that is shown.

MaxReq

Maximum number of times that the router sends an Extensible Authentication Protocol (EAP) request/identity frame (assuming that no response is received) to the client PC before concluding that the client PC does not support 802.1X.

HeldPeriod

Interval for which the supplicant (client PC) will wait before trying to send its credentials after being unauthenticated by the authenticator.

StartPeriod

Interval between two successive Extensible Authentication Protocol over LAN- (EAPOL-) start messages (when they are being retransmitted).

MaxStart

Number of EAPOL-start messages that the supplicant (client PC) sends before the supplicant assumes that the other end is not 802.1X capable.

Dot1x Client List

Table providing information regarding MAC addresses and the state of the PCs. This list displays in the output if the interface is configured only as an authenticator or as an authenticator and a supplicant. If the interface is configured as a supplicant, a separate list is displayed.

Dot1x List of Supplicant Instances

Table providing information regarding MAC addresses and the state of the PCs. This list displays in the output if the interface is configured only as a supplicant.

MAC Address

List of MAC addresses (for example, the MAC address of the PC or of any 802.1X client).

State

The state of the PC can be authenticated or unauthenticated.


Related Commands

Command
Description

clear dot1x

Clears 802.1X interface information.

debug dot1x

Displays 802.1X debugging information.

dot1x default

Resets the global 802.1X parameters to their default values.

identity profile

Creates an identity profile.


show dot1x (EtherSwitch)

To display the 802.1X statistics, administrative status, and operational status for the Ethernet switch network module or for the specified interface, use the show dot1x command in privileged EXEC mode.

show dot1x [statistics] [interface interface-type interface-number]

Syntax Description

statistics

(Optional) Displays 802.1X statistics.

interface interface-type interface-number

(Optional) Specifies the slot and port number of the interface to reauthenticate.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(6)EA2

This command was introduced.

12.2(15)ZJ

This command was implemented on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.


Usage Guidelines

If you do not specify an interface, global parameters and a summary appear. If you specify an interface, details for that interface appear.

If you specify an interface with the statistics keyword, statistics appear for all physical ports.

Examples

The following is sample output from the show dot1x command:

Router# show dot1x

Global 802.1X Parameters
    reauth-enabled                no
    reauth-period               3600
    quiet-period                  60
    tx-period                     30
    supp-timeout                  30
    server-timeout                30
    reauth-max                     2
    max-req                        2

802.1X Port Summary
    Port Name                Status      Mode                Authorized
    Gi0/1                    disabled    n/a                 n/a
    Gi0/2                    enabled     Auto (negotiate)    no

    802.1X Port Details
    802.1X is disabled on GigabitEthernet0/1
802.1X is enabled on GigabitEthernet0/2
      Status                Unauthorized
      Port-control          Auto
      Supplicant            0060.b0f8.fbfb
      Multiple Hosts        Disallowed
      Current Identifier    2

      Authenticator State Machine
        State               AUTHENTICATING
        Reauth Count        1

      Backend State Machine
        State               RESPONSE
        Request Count       0
        Identifier (Server) 2

      Reauthentication State Machine
        State               INITIALIZE

Table 123 describes the significant fields shown in the display.

Table 123 show dot1x Field Descriptions 

Field
Description

reauth-enabled

Periodic reauthentication of client PCs on the interface has been enabled or disabled.

reauth-period

Time, in seconds, after which an automatic reauthentication will be initiated.

quiet-period

After authentication fails for a client, authentication is restarted after the quiet period, in seconds, that is shown.

tx-period

Time, in seconds, that the device waits for a response from a client to an Extensible Authentication Protocol (EAP) request or identity frame before retransmitting the request.

supp-timeout

Time, in seconds, that has been set for supplicant (client PC) retries. If an 802.1X packet is sent to the supplicant and the supplicant does not send a response, the packet will be sent again after the number of seconds that are shown.

server-timeout

Timeout, in seconds, that has been set for RADIUS retries. If an 802.1X packet is sent to the server and the server does not send a response, the packet will be sent again after the number of seconds that are shown.

reauth-max

The maximum number of times that the device tries to authenticate the client without receiving any response before the switch resets the port and restarts the authentication process.

max-req

Maximum number of times that the router sends an EAP request/identity frame (assuming that no response is received) to the client PC before concluding that the client PC does not support 802.1X.

Port Name

Interface type and slot/port numbers.

Status

Displays the 802.1X status of the port as either enabled or disabled.

Mode

Operational status of the port:

Auto—The port control value has been configured to be Force-unauthorized but the port has not changed to that state.

n/a—802.1X is disabled.

Authorized

Authorization state of the port.

Status

Status of the port (authorized or unauthorized). The status of a port appears as authorized if the dot1x port-control interface configuration command is set to auto, and authentication was successful.

Port-control

Setting of the dot1x port-control interface configuration command. The port control value is one of the following:

Auto—The authentication status of the client PC is being determined by the authentication process.

Force-authorize—All the client PCs on the interface are being authorized.

Force-unauthorized—All the client PCs on the interface are being unauthorized.

Supplicant

Ethernet MAC address of the client, if one exists. If the device has not discovered the client, this field displays Not set.

Multiple Hosts

Setting of the dot1x multiple-hosts interface configuration command (allowed or disallowed).

Current Identifier

Each exchange between the device and the client includes an identifier, which matches requests with responses. This number is incremented with each exchange and can be reset by the authentication server.

Note This field and the remaining fields in the output show internal state information. For a detailed description of these state machines and their settings, refer to the IEEE 802.1X standard.


The following is sample output from the show dot1x interface gigabitethernet0/2 privileged EXEC command. Table 123 describes the fields in the output.

Router# show dot1x interface gigabitethernet0/2

802.1X is enabled on GigabitEthernet0/2 
  Status                Authorized 
  Port-control          Auto 
  Supplicant            0060.b0f8.fbfb 
  Multiple Hosts        Disallowed 
  Current Identifier    3

  Authenticator State Machine 
    State               AUTHENTICATED 
    Reauth Count        0

  Backend State Machine 
    State               IDLE 
    Request Count       0 
    Identifier (Server) 2

Reauthentication State Machine 
    State               INITIALIZE

The following is sample output from the show dot1x statistics interface gigabitethernet0/1 command. Table 124 describes the fields in the example.

Router# show dot1x statistics interface gigabitethernet0/1

GigabitEthernet0/1

    Rx: EAPOL     EAPOL     EAPOL     EAPOL     EAP       EAP       EAP
        Start     Logoff    Invalid   Total     Resp/Id   Resp/Oth  LenError
        0         0         0         21        0         0         0

        Last      Last
        EAPOLVer  EAPOLSrc
        1         0002.4b29.2a03

    Tx: EAPOL     EAP       EAP
        Total     Req/Id    Req/Oth
        622       445       0 

Table 124 show dot1x statistics Field Descriptions 

Field
Description

Rx EAPOL Start

Number of valid EAPOL-start frames that have been received.

Note EAPOL = Extensible Authentication Protocol over LAN

Rx EAPOL Logoff

Number of EAPOL-logoff frames that have been received.

Rx EAPOL Invalid

Number of EAPOL frames that have been received and have an unrecognized frame type.

Rx EAPOL Total

Number of valid EAPOL frames of any type that have been received.

Rx EAP Resp/ID

Number of EAP-response/identity frames that have been received.

Rx EAP Resp/Oth

Number of valid EAP-response frames (other than response/identity frames) that have been received.

Rx EAP LenError

Number of EAPOL frames that have been received in which the packet body length field is invalid.

Last EAPOLVer

Protocol version number carried in the most recently received EAPOL frame.

Last EAPOLSrc

Source MAC address carried in the most recently received EAPOL frame.

Tx EAPOL Total

Number of EAPOL frames of any type that have been sent.

Tx EAP Req/Id

Number of EAP-request/identity frames that have been sent.

Tx EAP Req/Oth

Number of EAP-request frames (other than request/identity frames) that have been sent.
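
The Tx and Rx counters are most useful when read against each other: in the display above the authenticator has sent 445 EAP-Request/Identity frames and received no EAP-Response/Identity, which is the signature of a port whose attached device is not running a supplicant or is not answering. The following Python is an added example and is not part of this reference. It parses the display (embedded as a constructed sample copied from above) and applies that check together with two others a reviewer would make, for malformed frames and for EAPOL-Logoff frames outnumbering identity responses. The field names and the thresholds are the example's own.

```python
import re

# Constructed sample: the show dot1x statistics display from this section.
SAMPLE = """GigabitEthernet0/1

    Rx: EAPOL     EAPOL     EAPOL     EAPOL     EAP       EAP       EAP
        Start     Logoff    Invalid   Total     Resp/Id   Resp/Oth  LenError
        0         0         0         21        0         0         0

        Last      Last
        EAPOLVer  EAPOLSrc
        1         0002.4b29.2a03

    Tx: EAPOL     EAP       EAP
        Total     Req/Id    Req/Oth
        622       445       0
"""

# Column order of the numeric rows, exactly as the display lays them out.
RX_FIELDS = ("rx_eapol_start", "rx_eapol_logoff", "rx_eapol_invalid", "rx_eapol_total",
             "rx_eap_resp_id", "rx_eap_resp_oth", "rx_eap_lenerror")
TX_FIELDS = ("tx_eapol_total", "tx_eap_req_id", "tx_eap_req_oth")

# An interface name is an unindented token such as GigabitEthernet0/1.
INTERFACE = re.compile(r"[A-Za-z][\w/.-]*\d")


def parse_dot1x_statistics(text):
    """Return {interface: {counter: value}} for every interface block in the text.

    Each Rx/Tx section is a two-line header followed by one numeric row, so the
    values sit two lines below the 'Rx:' or 'Tx:' marker."""
    stats = {}
    iface = None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if not line.startswith(" ") and INTERFACE.fullmatch(s):
            iface = s
            stats[iface] = {}
        elif iface is None:
            continue
        elif s.startswith("Rx:"):
            stats[iface].update(zip(RX_FIELDS, (int(v) for v in lines[i + 2].split())))
        elif s.startswith("Tx:"):
            stats[iface].update(zip(TX_FIELDS, (int(v) for v in lines[i + 2].split())))
        elif s.startswith("EAPOLVer"):
            version, source = lines[i + 1].split()
            stats[iface]["last_eapol_ver"] = int(version)
            stats[iface]["last_eapol_src"] = source
    return stats


def assess_port(counters, min_requests=10):
    """Return the observations a reviewer would want from one interface's counters.

    min_requests is an assumed threshold: below it a silent port is just new."""
    findings = []
    req_id = counters.get("tx_eap_req_id", 0)
    resp_id = counters.get("rx_eap_resp_id", 0)
    if req_id >= min_requests and resp_id == 0:
        findings.append("no supplicant response: %d EAP-Request/Identity sent, "
                        "0 EAP-Response/Identity received" % req_id)
    invalid = counters.get("rx_eapol_invalid", 0)
    lenerror = counters.get("rx_eap_lenerror", 0)
    if invalid or lenerror:
        findings.append("malformed frames received: %d EAPOL invalid, %d EAP length errors"
                        % (invalid, lenerror))
    if counters.get("rx_eapol_logoff", 0) > resp_id:
        findings.append("more EAPOL-Logoff than EAP-Response/Identity frames received; last "
                        "EAPOL source was %s, confirm the logoffs come from the real supplicant"
                        % counters.get("last_eapol_src", "unknown"))
    return findings


if __name__ == "__main__":
    for name, counters in parse_dot1x_statistics(SAMPLE).items():
        print(name, counters)
        for finding in assess_port(counters):
            print("  -", finding)
```

Run against the sample, the parser returns the twelve counters for GigabitEthernet0/1 and assess_port reports the single "no supplicant response" condition; feed it the output of several ports at once and it returns one entry per interface.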


Related Commands

Command
Description

dot1x default

Resets the global 802.1X parameters to their default values.


show dss log

To display the invalidation routes for the DSS range on the NetFlow table, use the show dss log command in EXEC mode.

show dss log {ip | ipv6}

Syntax Description

ip

Displays the range-invalidation profile for the DSS IP.

ipv6

Displays the range-invalidation profile for the DSS IPv6.


Defaults

This command has no default settings.

Command Modes

EXEC

Command History

Release
Modification

12.2(14)SX

Support for this command was introduced on the Supervisor Engine 720.

12.2(17b)SXA

This command was changed to support the ipv6 keyword.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

This command is not supported in Cisco 7600 series routers that are configured with a Supervisor Engine 2.

Whenever an IPv6 entry is deleted from the routing table, a message is sent to the switch processor to remove the entries that are associated with that network. Several IPv6 prefixes are collapsed to the less specific one if too many invalidations occur in a short period of time.

Examples

This example shows how to display the range-invalidation profile for the DSS IP:

Router# show dss log ip

22:50:18.551  prefix 172.20.52.18 mask 172.20.52.18
22:50:20.059  prefix 127.0.0.0 mask 255.0.0.0
22:51:48.767  prefix 172.20.52.18 mask 172.20.52.18
22:51:52.651  prefix 0.0.0.0 mask 0.0.0.0
22:53:02.651  prefix 0.0.0.0 mask 0.0.0.0
22:53:19.651  prefix 0.0.0.0 mask 0.0.0.0
Router#

show eap registrations

To display Extensible Authentication Protocol (EAP) registration information, use the show eap registrations command in privileged EXEC mode.

show eap registrations [method | transport]

Syntax Description

method

(Optional) Displays information about EAP method registrations only.

transport

(Optional) Displays information about EAP transport registrations only.


Command Default

If a keyword is not used, information is displayed for all lower layers used by EAP and for the methods that are registered with the EAP framework.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(25)SEE

This command was introduced.

12.4(6)T

This command was integrated into Cisco IOS Release 12.4(6)T.


Usage Guidelines

This command is used to check which EAP methods are enabled on a router.

Examples

The following is an example of output from the show eap registrations command:

Router# show eap registrations

Registered EAP Methods:
  Method  Type           Name
  4       Peer           MD5
Registered EAP Lower Layers:
  Handle  Type           Name
  2       Authenticator  Dot1x-Authenticator
  1       Authenticator  MAB

The following is an example of output from the show eap registrations command using the transport keyword:

Router# show eap registrations transport

Registered EAP Lower Layers:
  Handle  Type           Name
  2       Authenticator  Dot1x-Authenticator
  1       Authenticator  MAB

The output fields are self-explanatory.

Related Commands


Command
Description

clear eap

Clears EAP session information for the switch or specified port.


show eap sessions

To display active Extensible Authentication Protocol (EAP) session information, use the show eap sessions command in privileged EXEC mode.

show eap sessions [credentials credentials-name | interface interface-name | method method-name | transport transport-name]

Syntax Description

credentials credentials-name

(Optional) Displays information about the specified credentials profile.

interface interface-name

(Optional) Displays information, such as type, module, and port number, about sessions that are associated with the specified interface.

method method-name

(Optional) Displays information about sessions that are associated with the specified EAP method.

transport transport-name

(Optional) Displays information about sessions that are associated with the specified lower layer.


Command Default

All active EAP sessions are displayed.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(25)SEE

This command was introduced.

12.4(6)T

This command was integrated into Cisco IOS Release 12.4(6)T.


Usage Guidelines

The command output can be filtered using any of the optional keywords, singly or in combination.

Examples

The following is an example of output from the show eap sessions command:

Router# show eap sessions

Role: Authenticator Decision: Fail
Lower layer: Dot1x-AuthenticaInterface: Gi1/0/1
Current method: None Method state: Uninitialised
Retransmission count: 0 (max: 2) Timer: Authenticator
ReqId Retransmit (timeout: 30s, remaining: 2s)
EAP handle: 0x5200000A Credentials profile: None
Lower layer context ID: 0x93000004 Eap profile name: None
Method context ID: 0x00000000 Peer Identity: None
Start timeout (s): 1 Retransmit timeout (s): 30 (30)
Current ID: 2 Available local methods: None
Role: Authenticator Decision: Fail
Lower layer: Dot1x-AuthenticaInterface: Gi1/0/2
Current method: None Method state: Uninitialised
Retransmission count: 0 (max: 2) Timer: Authenticator
ReqId Retransmit (timeout: 30s, remaining: 2s)
EAP handle: 0xA800000B Credentials profile: None
Lower layer context ID: 0x0D000005 Eap profile name: None
Method context ID: 0x00000000 Peer Identity: None
Start timeout (s): 1 Retransmit timeout (s): 30 (30)
Current ID: 2 Available local methods: None
.
.
.

The following is an example of output from the show eap sessions interface command:

Router# show eap sessions interface gigabitethernet1/0/1

Role: Authenticator Decision: Fail
Lower layer: Dot1x-AuthenticaInterface: Gi1/0/1
Current method: None Method state: Uninitialised
Retransmission count: 1 (max: 2) Timer: Authenticator
ReqId Retransmit (timeout: 30s, remaining: 13s)
EAP handle: 0x5200000A Credentials profile: None
Lower layer context ID: 0x93000004 Eap profile name: None
Method context ID: 0x00000000 Peer Identity: None
Start timeout (s): 1 Retransmit timeout (s): 30 (30)
Current ID: 2 Available local methods: None

The fields in the above output are self-explanatory.

Related Commands


Command
Description

clear eap sessions

Clears EAP session information for the switch or for the specified port.


show eou

To display information about Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) global values or EAPoUDP session cache entries, use the show eou command in privileged EXEC mode.

show eou {all | authentication {clientless | eap | static} | interface {interface-type} | ip {ip-address} | mac {mac-address} | posturetoken {name}} [{begin | exclude | include} expression]

Syntax Description

all

Displays EAPoUDP information about all clients.

authentication

Authentication type.

clientless

Authentication type is clientless, that is, the endpoint system is not running Cisco Trust Agent (CTA) software.

eap

Authentication type is EAP.

static

Authentication type is statically configured.

interface

Provides information about the interface.

interface-type

Type of interface (see Table 125 for the interface types that may be shown).

ip

Specifies an IP address.

ip-address

IP address of the client device.

mac

Specifies a MAC address.

mac-address

The 48-bit address of the client device.

posturetoken

Displays information about a posture token name.

name

Name of the posture token.

begin

(Optional) Display begins with the line that matches the expression argument.

exclude

(Optional) Display excludes lines that match the expression argument.

include

(Optional) Display includes lines that match the specified expression argument.

expression

(Optional) Expression in the output to use as a reference point.


Command Default

All global EAPoUDP values are displayed.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.3(8)T

This command was introduced.

12.2(18)SXF

This command was integrated into Cisco IOS Release 12.2(18)SXF.

12.2(25)SED

This command was integrated into Cisco IOS Release 12.2(25)SED.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

The output of this command was enhanced to display information about whether the session is using the AAA timeout policy.

12.2(33)SXI

This command was integrated into Cisco IOS Release 12.2(33)SXI.


Usage Guidelines

If you do not specify a port, global parameters and a summary appear. If you specify a port, details for that port appear.

Expressions are case sensitive. For example, if you enter "exclude output," the lines that contain "output" are not displayed, but the lines that contain "Output" appear.

Table 125 lists the interface types that may be used for the interface-type argument.

Table 125 Description of Interface Types 

Interface Type
Description

Async

Asynchronous interface

BVI

Bridge-Group Virtual Interface

CDMA-Ix

Code division multiple access Internet exchange (CDMA Ix) interface

CTunnel

Connectionless Network Protocol (CLNS) tunnel (Ctunnel) interface

Dialer

Dialer interface

Ethernet

IEEE 802.3 standard interface

Lex

Lex interface

Loopback

Loopback interface

MFR

Multilink Frame Relay bundle interface

Multilink

Multilink-group interface

Null

Null interface

Serial

Serial interface

Tunnel

Tunnel interface

Vif

Pragmatic General Multicast (PGM) Multicast Host interface

Virtual-PPP

Virtual PPP interface

Virtual-Template

Virtual template interface

Virtual-TokenRing

Virtual TokenRing interface


Examples

The following output displays information about a global EAPoUDP configuration. The default values can be changed or customized using the eou default, eou max-retry, eou revalidate, or eou timeout commands, depending on whether you configure them globally or on a specific interface.

Router# show eou 

Global EAPoUDP Configuration

----------------------------

EAPoUDP Version     = 1

EAPoUDP Port        = 0x5566

Clientless Hosts    = Disabled

IP Station ID       = Disabled

Revalidation        = Enabled

Revalidation Period = 36000 Seconds

ReTransmit Period   = 3 Seconds

StatusQuery Period  = 300 Seconds

Hold Period         = 180 Seconds

AAA Timeout         = 60 Seconds

Max Retries         = 3

EAPoUDP Logging     = Disabled

Clientless Host Username = clientless

Clientless Host Password = clientless


Interface Specific EAPoUDP Configurations

-----------------------------------------

Interface Ethernet2/1

No interface specific configuration

The following output displays the EAPoUDP session entry for a host that was admitted under a NAC Auth Fail Open policy because the AAA server was unavailable (AuthType and Current State both read AAA DOWN, and the AAA Down policy and its ACL are shown):

Router# show eou ip 10.0.0.1

Address : 10.0.0.1 
MAC Address : 0001.027c.f364 
Interface : Vlan333 
AuthType : AAA DOWN  
AAA Down policy : rule_policy  
Audit Session ID : 00000000011C11830000000311000001 
PostureToken : ------- 
Age(min) : 0 
URL Redirect : NO URL REDIRECT 
URL Redirect ACL : NO URL REDIRECT ACL 
ACL Name : rule_acl 
Tag Name : NO TAG NAME 
User Name : UNKNOWN USER 
Revalidation Period : 500 Seconds 
Status Query Period : 300 Seconds 
Current State : AAA DOWN

Table 126 describes the significant fields shown in the display

Table 126 show eou Field Descriptions 

Field
Description

EAPoUDP Version

EAPoUDP protocol version.

EAPoUDP Port

EAPoUDP port number.

Clientless Hosts

Clientless hosts are enabled or disabled.

IP Station ID

Specifies whether the IP address is allowed in the AAA station-id field. By default, it is disabled.

Revalidation

Revalidation is enabled or disabled.

Revalidation Period

Interval, in seconds, between revalidations of a validated host. The default is 36000 seconds (10 hours), as shown in the example.

ReTransmit Period

Specifies the EAPoUDP packet retransmission interval. The default is 3 seconds.

StatusQuery Period

Specifies the EAPoUDP status query interval for validated hosts. The default is 300 seconds.

Hold Period

Hold period following a failed authentication.

AAA Timeout

AAA timeout period.

Max Retries

Maximum number of allowable retransmissions.

EAPoUDP Logging

Logging is enabled or disabled.

AAA Down policy

Name of policy to be applied when the AAA server is unreachable. (This is the NAC Auth Fail Open policy.)
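
Two things in the global display above deserve attention that the field table does not spell out: the clientless host password is printed in clear text, so the output itself is sensitive, and the default clientless username and password are both the word clientless. The following Python is an added example and is not part of this reference. It parses the global section (embedded as a constructed sample copied from the display above) into a dictionary and reports the settings a reviewer would question: logging disabled, revalidation disabled or less frequent than a chosen bound, and clientless hosts admitted with the default credential. The check names and the thresholds are the example's own.

```python
import re

# Constructed sample: the global section of the show eou display from this section.
SAMPLE = """Global EAPoUDP Configuration
----------------------------
EAPoUDP Version     = 1
EAPoUDP Port        = 0x5566
Clientless Hosts    = Disabled
IP Station ID       = Disabled
Revalidation        = Enabled
Revalidation Period = 36000 Seconds
ReTransmit Period   = 3 Seconds
StatusQuery Period  = 300 Seconds
Hold Period         = 180 Seconds
AAA Timeout         = 60 Seconds
Max Retries         = 3
EAPoUDP Logging     = Disabled
Clientless Host Username = clientless
Clientless Host Password = clientless

Interface Specific EAPoUDP Configurations
-----------------------------------------
Interface Ethernet2/1
No interface specific configuration
"""


def parse_eou_global(text):
    """Return the global 'key = value' pairs as a dict.

    'N Seconds', decimal and 0x values become int, Enabled/Disabled become bool,
    anything else stays a string. Parsing stops at the per-interface section."""
    conf = {}
    for line in text.splitlines():
        if line.startswith("Interface Specific"):
            break
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        seconds = re.fullmatch(r"(\d+)\s*Seconds", value)
        if seconds:
            conf[key] = int(seconds.group(1))
        elif value in ("Enabled", "Disabled"):
            conf[key] = value == "Enabled"
        elif re.fullmatch(r"0x[0-9A-Fa-f]+", value):
            conf[key] = int(value, 16)
        elif value.isdigit():
            conf[key] = int(value)
        else:
            conf[key] = value
    return conf


def audit_eou(conf, max_revalidation=36000, default_credential="clientless"):
    """Return the deviations a reviewer would raise.

    max_revalidation and default_credential are this example's assumptions, not
    values the reference defines."""
    findings = []
    if not conf.get("EAPoUDP Logging", False):
        findings.append("EAPoUDP logging is disabled; posture validation events are not logged")
    if not conf.get("Revalidation", False):
        findings.append("revalidation is disabled; a validated host is never re-checked")
    elif conf.get("Revalidation Period", 0) > max_revalidation:
        findings.append("revalidation period %d s exceeds %d s"
                        % (conf["Revalidation Period"], max_revalidation))
    if conf.get("Clientless Hosts", False) and default_credential in (
            conf.get("Clientless Host Username"), conf.get("Clientless Host Password")):
        findings.append("clientless hosts are admitted with the default '%s' credential"
                        % default_credential)
    return findings


if __name__ == "__main__":
    settings = parse_eou_global(SAMPLE)
    for finding in audit_eou(settings):
        print("-", finding)
```

On the sample the only finding is that logging is disabled; the default credential is not reported because clientless hosts are disabled, but it becomes a finding as soon as that setting is turned on.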


Related Commands

Command
Description

eou default

Sets global EAPoUDP parameters to the default values.

eou max-retry

Sets the number of maximum retry attempts for EAPoUDP.

eou rate-limit

Sets the number of simultaneous posture validations for EAPoUDP.

eou timeout

Sets the EAPoUDP timeout values.


show epm session

To display information about Enforcement Policy Module (EPM) sessions, use the show epm session command in privileged EXEC mode.

show epm session {interface type number | ip {ip-address [client client-type] | all} | mac {mac-address [client client-type] | all} | summary}

Syntax Description

interface

Displays interface based session information.

type

Interface type.

number

Interface number.

ip

Displays information specifically for an IP address.

ip-address

IP address for the session.

client

(Optional) Specifies information about the type of client.

client-type

(Optional) Type of client. Values are cts, dot1x, eapoudp, mab, and proxy.

mac

Displays MAC address based session information.

mac-address

MAC address of the client.

all

Displays information for all sessions.

summary

Displays summary of session information such as IP address, MAC address, and so on for all the active sessions.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.4(6)T

This command was introduced.

12.2(33)SXI2

This command was integrated into Cisco IOS Release 12.2(33)SXI2. The all keyword was added, and the cts, dot1x, and mab values for the client-type argument were added.


Examples

The following output shows information specifically for MAC address 0001.027c.f380:

Router# show epm session mac 0001.027c.f380 client dot1x

Admission feature       : DOT1X
AAA Policies            :
ACS ACL                 : xACSACLx-IP-VERY_SIMPLE_ACL-459b9870
SGT                     : 1357-BAD123456789

The following output shows information specifically for IP address 10.9.0.1:

Router# show epm session ip 10.9.0.1 

Admission feature       : AUTHPROXY
AAA Policies            :
Input Service Policy    : epm-pol-map
Proxy ACL               : permit udp any any
Proxy ACL               : deny icmp any any
ACS ACL                 : xACSACLx-IP-VERY_SIMPLE_ACL-472594af

Admission feature       : EAPOUDP
AAA Policies            :
ACS ACL                 : xACSACLx-IP-VERY_SIMPLE_ACL-459b9870
Proxy ACL               : permit udp any any
Proxy ACL               : permit icmp any any
Proxy ACL               : permit tcp an

Admission feature       : DOT1X
AAA Policies            :
ACS ACL                 : xACSACLx-IP-VERY_SIMPLE_ACL-459b9870
SGT                     : 1357-BAD123456789

The following example shows summary information for all sessions:

Router# show epm session summary

EPM Session Information
--------------------------
Total sessions seen so far : 5
Total active sessions      : 5

Interface              IP Address          MAC Address       Audit Session Id:
--------------------------------------------------------------------------------------
GigabitEthernet7/2     209.165.200.225     0001.027c.f380    16000002000000000003A4EC
GigabitEthernet7/2     209.165.200.227     0001.027c.f380    16000002000000010003AD68
GigabitEthernet7/2     209.165.200.230     0001.027c.f380    16000002000000020003C110
GigabitEthernet7/2     209.165.200.235     0001.027c.f380    16000002000000030003D6BC
GigabitEthernet7/15    0.0.0.0             0030.6eb6.c69a    0904010C000000000002F6A4

Table 127 describes significant fields shown in the displays.

Table 127 show epm session ip Field Descriptions 

Field
Description

Admission feature

Admission feature acting on the host: authentication proxy (AUTHPROXY), Extensible Authentication Protocol over UDP (EAPOUDP), or IEEE 802.1X (DOT1X).

AAA Policies

AAA policy information.

ACS ACL

Access control server (ACS) access control list (ACL).

SGT

Security group tag (SGT) value assigned to the host that initiated the session.

Input Service Policy

Input service policy for the session.

Proxy ACL

Proxy access control list.

Total sessions seen so far

Total number of hosts connected to the Network Access Device (NAD) until now.

Total active sessions

Total number of active sessions.

Interface

Interface type and number.

IP Address

IP address of the host.

MAC Address

MAC address of the host.

Audit Session Id

Audit session ID.
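
In the summary above, a single MAC address (0001.027c.f380) holds four sessions with four different IP addresses on GigabitEthernet7/2, and the session on GigabitEthernet7/15 has no IP address yet. Both are worth correlating with the per-IP or per-MAC detail before drawing conclusions. The following Python is an added example and is not part of this reference. It parses the summary table (embedded as a constructed sample copied from the display above), groups the rows by MAC address and reports those two conditions. The function names and the one-IP-per-MAC threshold are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the show epm session summary display from this section.
SAMPLE = """EPM Session Information
--------------------------
Total sessions seen so far : 5
Total active sessions      : 5

Interface              IP Address          MAC Address       Audit Session Id:
--------------------------------------------------------------------------------------
GigabitEthernet7/2     209.165.200.225     0001.027c.f380    16000002000000000003A4EC
GigabitEthernet7/2     209.165.200.227     0001.027c.f380    16000002000000010003AD68
GigabitEthernet7/2     209.165.200.230     0001.027c.f380    16000002000000020003C110
GigabitEthernet7/2     209.165.200.235     0001.027c.f380    16000002000000030003D6BC
GigabitEthernet7/15    0.0.0.0             0030.6eb6.c69a    0904010C000000000002F6A4
"""

# One session row: interface, dotted-quad IP, Cisco-style MAC, hex audit session ID.
ROW = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                 r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+([0-9A-Fa-f]+)\s*$")
TOTAL = re.compile(r"^Total (sessions seen so far|active sessions)\s*:\s*(\d+)")


def parse_epm_summary(text):
    """Return (counters, rows): the two totals and one dict per session row."""
    counters, rows = {}, []
    for line in text.splitlines():
        m = TOTAL.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
            continue
        m = ROW.match(line)
        if m:
            rows.append(dict(zip(("interface", "ip", "mac", "audit_session_id"), m.groups())))
    return counters, rows


def sessions_by_mac(rows):
    """Group session rows by MAC address, preserving display order."""
    by_mac = defaultdict(list)
    for row in rows:
        by_mac[row["mac"]].append(row)
    return by_mac


def review_sessions(rows, max_ips_per_mac=1):
    """Report a MAC holding sessions for more than max_ips_per_mac addresses,
    and sessions that have no IP address yet (0.0.0.0)."""
    findings = []
    for mac, sessions in sessions_by_mac(rows).items():
        ips = sorted({s["ip"] for s in sessions} - {"0.0.0.0"})
        if len(ips) > max_ips_per_mac:
            findings.append("%s on %s has %d IP addresses: %s"
                            % (mac, sessions[0]["interface"], len(ips), ", ".join(ips)))
    for s in rows:
        if s["ip"] == "0.0.0.0":
            findings.append("%s on %s has no IP address yet (audit session %s)"
                            % (s["mac"], s["interface"], s["audit_session_id"]))
    return findings


if __name__ == "__main__":
    counters, rows = parse_epm_summary(SAMPLE)
    print(counters)
    for finding in review_sessions(rows):
        print("-", finding)
```

A MAC with several IP sessions can be a proxied or NAT-ed host behind one port, or separate admission features (authentication proxy, EAPoUDP, 802.1X) each holding a session for the same client; the per-IP display earlier in this section is the place to tell them apart.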


show fm private-hosts

To display information about the Private Hosts feature manager, use the show fm private-hosts command in privileged EXEC mode.

show fm private-hosts {all | interface type/num}

Syntax Description

all

Displays the feature manager information for all of the interfaces that are configured for Private Hosts.

interface type/num

Displays the feature manager information for a specific interface. The slash (/) is required.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.2(33)SRB

This command was introduced.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.


Examples

The following example displays information about the Private Hosts feature manager:

Router# show fm private-hosts interface GigabitEthernet1/2

-----------------------------------------------------------------------------
FM_FEATURE_PVT_HOST_INGRESS      i/f: Gi1/2      map name: 
PVT_HOST_ISOLATED
=============================================================================

------------------------------------------------------------
MAC Seq. No: 10          Seq. Result : PVT_HOSTS_ACTION_DENY
------------------------------------------------------------
Indx - VMR index      T     - V(Value)M(Mask)R(Result)
EtTy - Ethernet Type  EtCo  - Ethernet Code            
+----+-+--------------+--------------+----+----+
|Indx|T|   Dest Node  |  Source Node |EtTy|EtCo|
+----+-+--------------+--------------+----+----+

 1    V 0000.0000.0000 0000.1111.4001    0 0
      M 0000.0000.0000 ffff.ffff.ffff    0 0
      TM_PERMIT_RESULT             

 2    V 0000.0000.0000 0000.0000.0000    0 0
      M 0000.0000.0000 0000.0000.0000    0 0
      TM_L3_DENY_RESULT            

------------------------------------------------------------
MAC Seq. No: 20          Seq. Result : PVT_HOSTS_ACTION_PERMIT
------------------------------------------------------------
+----+-+--------------+--------------+----+----+
|Indx|T|   Dest Node  |  Source Node |EtTy|EtCo|
+----+-+--------------+--------------+----+----+

 1    V 0000.1111.4001 0000.0000.0000    0 0
      M ffff.ffff.ffff 0000.0000.0000    0 0
      TM_PERMIT_RESULT             

 2    V 0000.0000.0000 0000.0000.0000    0 0
      M 0000.0000.0000 0000.0000.0000    0 0
      TM_L3_DENY_RESULT            

------------------------------------------------------------
MAC Seq. No: 30          Seq. Result : PVT_HOSTS_ACTION_REDIRECT
------------------------------------------------------------
+----+-+--------------+--------------+----+----+
|Indx|T|   Dest Node  |  Source Node |EtTy|EtCo|
+----+-+--------------+--------------+----+----+

 1    V ffff.ffff.ffff 0000.0000.0000    0 0
      M ffff.ffff.ffff 0000.0000.0000    0 0
      TM_PERMIT_RESULT             

 2    V 0000.0000.0000 0000.0000.0000    0 0
      M 0000.0000.0000 0000.0000.0000    0 0
      TM_L3_DENY_RESULT            

------------------------------------------------------------
MAC Seq. No: 40          Seq. Result : PVT_HOSTS_ACTION_PERMIT
------------------------------------------------------------
+----+-+--------------+--------------+----+----+
|Indx|T|   Dest Node  |  Source Node |EtTy|EtCo|
+----+-+--------------+--------------+----+----+

 1    V 0100.5e00.0000 0000.0000.0000    0 0
      M ffff.ff80.0000 0000.0000.0000    0 0
      TM_PERMIT_RESULT             

 2    V 3333.0000.0000 0000.0000.0000    0 0
      M ffff.0000.0000 0000.0000.0000    0 0
      TM_PERMIT_RESULT             

 3    V 0000.0000.0000 0000.0000.0000    0 0
      M 0000.0000.0000 0000.0000.0000    0 0
      TM_L3_DENY_RESULT            

------------------------------------------------------------
MAC Seq. No: 50          Seq. Result : PVT_HOSTS_ACTION_DENY
------------------------------------------------------------
+----+-+--------------+--------------+----+----+
|Indx|T|   Dest Node  |  Source Node |EtTy|EtCo|
+----+-+--------------+--------------+----+----+

 1    V 0000.0000.0000 0000.0000.0000    0 0
      M 0000.0000.0000 0000.0000.0000    0 0
      TM_PERMIT_RESULT             

 2    V 0000.0000.0000 0000.0000.0000    0 0
      M 0000.0000.0000 0000.0000.0000    0 0
      TM_L3_DENY_RESULT            


Interfaces using this pvt host feature in ingress dir.:
------------------------------------------------
  Interfaces (I/E = Ingress/Egress)

Related Commands

Command
Description

private-hosts

Enables or configures the private host feature.

private-hosts mode

Sets the switchport mode.

show fm private-hosts

Displays the FM-related private hosts information.

show private-hosts configuration

Displays Private Hosts configuration information for the router.

show private-hosts interface configuration

Displays Private Hosts configuration information for individual interfaces.


show fpm package-group

To display configuration information about Flexible Packet Matching (FPM) package support, use the show fpm package-group command in user EXEC or privileged EXEC mode.

show fpm package-group [control-plane | fpm-group-name | interface interface-name]

Syntax Description

control-plane

(Optional) Displays fpm package group control plane information.

fpm-group-name

(Optional) Displays fpm group name information.

interface

(Optional) Displays fpm package group interface information.

interface-name

Name of the interface for which you want to show the fpm package group information. See Table 128 for a list of valid interfaces.


Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release
Modification

15.0(1)M

This command was introduced.


Usage Guidelines

Table 128 lists the valid interfaces that may be used for the interface-name argument with the interface keyword.

Table 128 Interfaces That Can Be Shown

Interface
Description

ATM

ATM interface

Async

Asynchronous interface

Auto-template

Auto-Template interface

BVI

Bridge-Group Virtual Interface

CDMA-Ix

CDMA Ix interface

CTunnel

CTunnel interface

Dialer

Dialer interface

FastEthernet

FastEthernet IEEE 802.3

Lex

Lex interface

LongReachEthernet

Long-Reach Ethernet interface

Loopback

Loopback interface

MFR

Multilink Frame Relay bundle interface

Multilink

Multilink-group interface

Null

Null interface

Pos

Packet over SONET interface

Port-channel

Ethernet channel of interfaces

SSLVPN-VIF

Secure Socket Layer Virtual Private Network (SSLVPN) Virtual Interface

Serial

Serial

Tunnel

Tunnel interface

vif

Pragmatic General Multicast (PGM) multicast host interface

virtual-PPP

Virtual PPP interface

virtual-Template

Virtual template interface

virtual-TokenRing

Virtual TokenRing

vmi

Virtual Multipoint Interface


Examples

The following is sample output from the show fpm package-group command.

Router# show fpm package-group

 group name: cisco-fpm-packages
  auto-load
  fpm package: fpm-package-11
  fpm package: fpm-package-43
   package action: log 

Table 129 describes the significant fields shown in the display.

Table 129 show fpm package-group Field Descriptions 

Field
Description

Auto-load

Displays if automatic loading of fpm package support is configured.

FPM package

Displays the name of the fpm package loaded from the fpm-server.

Group name

Displays the name of the fpm package group.

Package action

Displays the action taken when the fpm package is loaded.


Related Commands

Command
Description

show fpm package-info

Displays fpm package transfer configuration details.


show fpm package-info

To display information about fpm package transfer between an fpm-server and a local server, use the show fpm package-info command in user EXEC or privileged EXEC mode.

show fpm package-info

Syntax Description

This command has no keywords or arguments.

Command Default

The command displays information about the transfer of fpm package groups from the fpm-server to a local server.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release
Modification

15.0(1)M

This command was introduced.


Examples

The following is sample output from the show fpm package-info command.

Router# show fpm package-info

 fpm package-info
  host 10.0.0.1
  remote-path bluebell/
  local-path flash:
  user cisco
  password 7 0101130A5D04141D245F5A1B0C0B57
  protocol tftp
  time-range weekly

Table 130 describes the significant fields shown in the display.

Table 130 show fpm package-info Field Descriptions 

Field
Description

Host

Displays the download server address.

Local-path

Displays the location where packages are stored on the local router.

Password

Displays the password for the server in Cisco type 7 form. Type 7 is a reversible obfuscation, not encryption; anyone who can read this output or the running configuration can recover the password.

Protocol

Displays the protocol to connect to the server.

Remote-path

Displays the directory path on the download server from which packages are fetched.

Time-range

Displays the interval between searches for fpm updates.

User

Displays the username on the server.
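
The password line in the display above is a Cisco type 7 string. Type 7 is a fixed-key XOR obfuscation whose key has been public for decades, so anyone who can read this output or the running configuration recovers the cleartext; treat the credential as exposed and do not reuse it elsewhere. The following Python is an added example and is not part of this reference. It implements the decoding (and the encoding, so a round trip can be checked) and applies it to the value shown above; the key string and the seed handling are the publicly documented scheme, not anything taken from this page.

```python
# Cisco "type 7" scheme: a two-digit decimal seed (00-15) followed by the
# password bytes XORed with successive characters of a fixed key string.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """Recover the cleartext from a 'password 7 <hex>' value."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("a type 7 string is an even number of hex digits, at least 4")
    seed = int(encoded[:2], 10)
    if not 0 <= seed <= 15:
        raise ValueError("type 7 seed must be 00-15")
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def encode_type7(cleartext, seed=1):
    """Produce the 'password 7' form of cleartext with the given seed."""
    if not 0 <= seed <= 15:
        raise ValueError("type 7 seed must be 00-15")
    out = "%02d" % seed
    for i, byte in enumerate(cleartext.encode()):
        out += "%02X" % (byte ^ ord(XLAT[(seed + i) % len(XLAT)]))
    return out


# The value shown in the show fpm package-info display above.
SAMPLE = "0101130A5D04141D245F5A1B0C0B57"
# decode_type7(SAMPLE) returns the 14-character string "runforrestrun " (trailing space included)

if __name__ == "__main__":
    clear = decode_type7(SAMPLE)
    print(repr(clear))
    assert encode_type7(clear, seed=int(SAMPLE[:2])) == SAMPLE
```

The same reversibility applies to every "password 7" or "key 7" line in a configuration, which is why configuration backups and show output that include them need the same handling as the credentials themselves.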


Related Commands

Command
Description

show fpm package-group

Displays fpm package matching support configuration details.


show ip access-list

To display the contents of all current IP access lists, use the show ip access-list command in privileged EXEC mode.

show ip access-list [access-list-number | access-list-name | dynamic access-list-name | interface interface-name [in | out]]

Syntax Description

access-list-number

(Optional) Number of the IP access list to display.

access-list-name

(Optional) Name of the IP access list to display.

dynamic access-list-name

(Optional) Displays the specified dynamic IP access lists.

interface interface-name

(Optional) Displays the access list for the specified interface.

in

(Optional) Displays input interface statistics.

out

(Optional) Displays output interface statistics.


Defaults

All standard and extended IP access lists are displayed.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

10.3

This command was introduced.

12.3(7)T

The dynamic keyword was added.

12.4(6)T

The interface interface-name keyword/argument pair was added. The in and out keywords were added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

Example output from the dynamic keyword was added.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(20)T

The output of this command was extended to display access lists that contain object groups.


Usage Guidelines

The show ip access-list command provides output identical to the show access-lists command, except that it is IP-specific and allows you to specify a particular access list.

Examples

The following is sample output from the show ip access-list command when all access lists are requested:

Router# show ip access-list

Extended IP access list 101
   deny udp any any eq ntp
   permit tcp any any
   permit udp any any eq tftp
   permit icmp any any
   permit udp any any eq domain

The following is sample output from the show ip access-list command when the name of a specific access list is requested:

Router# show ip access-list Internetfilter

Extended IP access list Internetfilter
   permit tcp any 171.16.0.0 0.0.255.255 eq telnet
   deny tcp any any
   deny udp any 171.16.0.0 0.0.255.255 lt 1024
   deny ip any any log

The following is sample output from the show ip access-list command when the name of a specific access list that contains an object group is requested:

Router# show ip access-list my_ogacl_policy
Extended IP access list my_ogacl_policy
10	permit object-group eng_service any any

The following is sample output from the show ip access-list command, which shows input statistics for Fast Ethernet interface 0/0:

Router# show ip access-list interface FastEthernet0/0 in 

Extended IP access list 150 in
   10 permit ip host 10.1.1.1 any
   30 permit ip host 10.2.2.2 any (15 matches)

The following is sample output from the show ip access-list command using the dynamic keyword:

Router# show ip access-list dynamic

Extended IP access list CM_SF#1
    10 permit udp any any eq 5060 (650 matches)
    20 permit tcp any any eq 5060
    30 permit udp any any dscp ef (806184 matches)

To check your configuration when the dynamic keyword is used, use the show run interfaces cable command:

Router# show run interfaces cable 0/1/0

Building configuration...

Current configuration : 144 bytes
!
interface cable-modem0/1/0
 ip address dhcp
 load-interval 30
 no keepalive
  service-flow primary upstream
   service-policy output llq
end

Related Commands

Command
Description

deny

Sets conditions in a named IP access list or OGACL that will deny packets.

ip access-group

Applies an ACL or OGACL to an interface or a service policy map.

ip access-list

Defines an IP access list or OGACL by name or number.

object-group network

Defines network object groups for use in OGACLs.

object-group service

Defines service object groups for use in OGACLs.

permit

Sets conditions in a named IP access list or OGACL that will permit packets.

show object-group

Displays information about object groups that are configured.


show ip access-lists

To display the contents of all current IP access lists, use the show ip access-lists command in privileged EXEC mode.

show ip access-lists [access-list-number | name]

Syntax Description

access-list-number

(Optional) Number of the IP access list to display.

name

(Optional) Name of the IP access list to display.


Command Default

All standard and extended IP access lists are displayed by default.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.2(33)SXH

This command was introduced.


Usage Guidelines

The show ip access-lists command provides output identical to the show access-lists command, except that it is IP-specific and allows you to specify a particular access list.

Examples

This example shows how to display the configuration contents of all current IP access lists:

Router# show ip access-lists

Extended IP access list test1
    10 permit tcp addrgroup myAG portgroup myPG any
    20 deny tcp any any

This example shows how to display the contents of a specific access list:

Router# show ip access-lists Internetfilter

Extended IP access list Internetfilter
permit tcp any 172.16.0.0 0.0.255.255 eq telnet
deny tcp any any
deny udp any 172.16.0.0 0.0.255.255 lt 1024
deny ip any any log

Related Commands

Command
Description

show access-lists 

Displays the contents of current access lists.


show ip admission

To display the network admission control (NAC) cache entries or the running NAC configuration, use the show ip admission command in privileged EXEC mode.

show ip admission {[cache [consent]] [configuration] [eapoudp]}

Syntax Description

cache

Displays the current list of network admission entries.

consent

Displays the authentication proxy consent webpage sessions.

configuration

Displays the running network admission control configuration.

eapoudp

Displays the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) network admission control entries.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.3(8)T

This command was introduced.

12.4(11)T

The output of this command was enhanced to display whether the AAA timeout policy is configured.

12.4(15)T

The consent keyword was added.

12.2(33)SXI

This command was integrated into Cisco IOS Release 12.2(33)SXI.


Usage Guidelines

Use show ip admission cache eapoudp to list the host IP addresses, the session timeout, and the posture state. If the posture state is POSTURE ESTAB, the host validation was successful.

Examples

The following output displays all the IP admission control rules that are configured on the router:

Router# show ip admission configuration

Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Watch-list is disabled
Authentication Proxy Rule Configuration
 Auth-proxy name avrule
    eapoudp list not specified auth-cache-time 60 minutes

The following output displays the host IP addresses, the session timeout, and the posture states:

Router# show ip admission cache eapoudp

Posture Validation Proxy Cache
Total Sessions: 3 Init Sessions: 1
 Client IP 10.0.0.112, timeout 60, posture state POSTURE ESTAB
 Client IP 10.0.0.142, timeout 60, posture state POSTURE INIT
 Client IP 10.0.0.205, timeout 60, posture state POSTURE ESTAB

The following output displays a configuration that includes both a global and a rule-specific NAC Auth Fail Open policy:

Router# show ip admission configuration

Authentication global cache time is 60 minutes 
Authentication global absolute time is 0 minutes 
Authentication global init state time is 2 minutes 
Authentication Proxy Watch-list is enabled 
Watch-list expiry timeout is 1 minutes 
! The line below shows the global policy:
Authentication global AAA fail identity policy aaa_fail_policy 
Authentication Proxy Rule Configuration 
 Auth-proxy name greentree 
eapoudp list 101 specified auth-cache-time 60 minutes 
! The line below shows the rule-specific AAA fail policy; the name changes based on what the user configured.
Identity policy name aaa_fail_policy for AAA fail policy 

The field descriptions in the display are self-explanatory.

In the following example, a session has been initiated via https://192.168.104.136 from the client 192.168.100.132. After a successful session establishment, the output is as follows:

Router# show ip admission cache

Authentication Proxy Cache 
 Client Name N/A, Client IP 192.168.100.132, Port 1204, timeout 204, Time Remaining 204, 
 state ESTAB 

Router# show ip admission cache consent

Authentication Proxy Consent Cache 
 Client Name N/A, Client IP 192.168.100.132, Port 1204, timeout 204, Time Remaining 204, 
 state ESTAB

Router# show ip admission cache eapoudp

Posture Validation Proxy Cache 
Total Sessions: 0 Init Sessions: 0 
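The usage guideline above says a host is validated only once its posture state reaches POSTURE ESTAB; the following added example (not Cisco's code) turns the cache displays shown in this section into that judgement. It parses both the EAPoUDP posture cache and the authentication proxy cache into per-host records, re-joins entries the display wraps onto a second line (as in the `state ESTAB` continuation above), separates established sessions from pending ones, and checks that the `Total Sessions`/`Init Sessions` header agrees with the entries listed. The sample displays are constructed from the ones above.

```python
"""Summarize 'show ip admission cache' displays by session state.

Added example; the sample displays are constructed from this section
(the EAPoUDP posture cache and the authentication proxy cache).
"""
import re
from typing import Dict, List

EAPOUDP_SAMPLE = """\
Posture Validation Proxy Cache
Total Sessions: 3 Init Sessions: 1
 Client IP 10.0.0.112, timeout 60, posture state POSTURE ESTAB
 Client IP 10.0.0.142, timeout 60, posture state POSTURE INIT
 Client IP 10.0.0.205, timeout 60, posture state POSTURE ESTAB
"""

# The router wraps long entries; "state ESTAB" lands on its own line.
AUTHPROXY_SAMPLE = """\
Authentication Proxy Cache
 Client Name N/A, Client IP 192.168.100.132, Port 1204, timeout 204, Time Remaining 204,
 state ESTAB
"""

IP_RE = re.compile(r"Client IP (\S+?),")
TIMEOUT_RE = re.compile(r"\btimeout (\d+)")
REMAINING_RE = re.compile(r"Time Remaining (\d+)")
POSTURE_RE = re.compile(r"posture state (POSTURE \w+)")
STATE_RE = re.compile(r"\bstate (\w+)\s*$")
HEADER_RE = re.compile(r"Total Sessions: (\d+) Init Sessions: (\d+)")


def _join_wrapped(lines: List[str]) -> List[str]:
    """Append a line that does not start a new client entry to the previous entry."""
    joined: List[str] = []
    for line in lines:
        if "Client IP" in line or not joined or not joined[-1].startswith(" Client"):
            joined.append(line)
        else:
            joined[-1] = joined[-1].rstrip() + " " + line.strip()
    return joined


def parse_cache(text: str) -> Dict[str, object]:
    """Return the header counts (if present) and one dict per client entry."""
    entries, header = [], None
    for line in _join_wrapped(text.splitlines()):
        h = HEADER_RE.search(line)
        if h:
            header = (int(h.group(1)), int(h.group(2)))
            continue
        ip = IP_RE.search(line)
        if not ip:
            continue
        posture, state = POSTURE_RE.search(line), STATE_RE.search(line)
        entry = {
            "ip": ip.group(1),
            "timeout": int(TIMEOUT_RE.search(line).group(1)),
            "state": posture.group(1) if posture else (state.group(1) if state else "UNKNOWN"),
        }
        remaining = REMAINING_RE.search(line)
        if remaining:
            entry["remaining"] = int(remaining.group(1))
        entries.append(entry)
    return {"header": header, "entries": entries}


def summarize(text: str) -> Dict[str, object]:
    """Split hosts into established and pending, and validate the header counts."""
    parsed = parse_cache(text)
    entries = parsed["entries"]
    established = [e["ip"] for e in entries if e["state"].endswith("ESTAB")]
    pending = [e["ip"] for e in entries if not e["state"].endswith("ESTAB")]
    header_ok = True
    if parsed["header"] is not None:
        total, init = parsed["header"]
        init_seen = sum(1 for e in entries if e["state"] == "POSTURE INIT")
        header_ok = total == len(entries) and init == init_seen
    return {"established": established, "pending": pending, "header_consistent": header_ok}


if __name__ == "__main__":
    print(summarize(EAPOUDP_SAMPLE))
    print(summarize(AUTHPROXY_SAMPLE))
```

A host that stays in `POSTURE INIT` across several samples, while `Total Sessions` keeps growing, is the kind of pattern this summary is meant to surface; the script itself only classifies one display at a time.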

Related Commands

Command
Description

clear ip admission cache

Clears IP admission cache entries from the router.

ip admission name

Creates a Layer 3 network admission control rule.


show ip audit configuration

To display additional configuration information, including default values that may not be displayed using the show running-config command, use the show ip audit configuration command in EXEC mode.

show ip audit configuration

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use the show ip audit configuration EXEC command to display additional configuration information, including default values that may not be displayed using the show running-config command.

Examples

The following example displays the output of the show ip audit configuration command:

Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:5 OrgID:100 Addr:10.2.7.3 Msg dropped:0
HID:1000 OID:100 S:218 A:3 H:14092 HA:7118 DA:0 R:0
    CID:1 IP:172.21.160.20 P:45000 S:ESTAB (Curr Conn)
Audit Rule Configuration
 Audit name AUDIT.1
    info actions alarm

Related Commands

Command
Description

clear ip audit statistics

Resets statistics on packets analyzed and alarms sent.


show ip audit interface

To display the interface configuration, use the show ip audit interface command in EXEC mode.

show ip audit interface

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use the show ip audit interface EXEC command to display the interface configuration.

Examples

The following example displays the output of the show ip audit interface command:

Interface Configuration
 Interface Ethernet0
  Inbound IDS audit rule is AUDIT.1
    info actions alarm
  Outgoing IDS audit rule is not set
 Interface Ethernet1
  Inbound IDS audit rule is AUDIT.1
    info actions alarm
  Outgoing IDS audit rule is AUDIT.1
    info actions alarm

show ip audit statistics

To display the number of packets audited and the number of alarms sent, among other information, use the show ip audit statistics command in EXEC mode.

show ip audit statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use the show ip audit statistics EXEC command to display the number of packets audited and the number of alarms sent, among other information.

Examples

The following displays the output of the show ip audit statistics command:

Signature audit statistics [process switch:fast switch]
  signature 2000 packets audited: [0:2]
  signature 2001 packets audited: [9:9]
  signature 2004 packets audited: [0:2]
  signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0

Related Commands

Command
Description

clear ip audit statistics

Resets statistics on packets analyzed and alarms sent.


show ip auth-proxy

To display the authentication proxy entries or the running authentication proxy configuration, use the show ip auth-proxy command in privileged EXEC mode.

show ip auth-proxy {cache | configuration}

Syntax Description

cache

Displays the current list of the authentication proxy entries.

configuration

Displays the running authentication proxy configuration.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use the show ip auth-proxy command to display either the authentication proxy entries or the running authentication proxy configuration. Use the cache keyword to list the host IP address, the source port number, the timeout value for the authentication proxy, and the state for connections using authentication proxy. If the authentication proxy state is HTTP_ESTAB, the user authentication was successful.

Use the configuration keyword to display all authentication proxy rules configured on the router.

Examples

The following example shows sample output from the show ip auth-proxy cache command after one user authentication using the authentication proxy:

Router# show ip auth-proxy cache

Authentication Proxy Cache
Client IP 192.168.25.215 Port 57882, timeout 1, state HTTP_ESTAB

The following example shows how the show ip auth-proxy configuration command displays the information about the authentication proxy rule pxy. The global idle timeout value is 60 minutes. The idle timeout value for this named rule is 30 minutes. No host list is specified in the rule, meaning that all connection-initiating HTTP traffic at the interface is subject to the authentication proxy rule.

Router# show ip auth-proxy configuration

Authentication cache time is 60 minutes
Authentication Proxy Rule Configuration
Auth-proxy name pxy
http list not specified auth-cache-time 30 minutes

Related Commands

Command
Description

clear ip auth-proxy cache

Clears authentication proxy entries from the router.

ip auth-proxy

Sets the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity).

ip auth-proxy (interface configuration)

Applies an authentication proxy rule at a firewall interface.

ip auth-proxy name

Creates an authentication proxy rule.


show ip auth-proxy watch-list

To display information about the authentication proxy watch list, use the show ip auth-proxy watch-list command in EXEC mode.

show ip auth-proxy watch-list

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

EXEC

Command History

Release
Modification

12.2(17d)SXB

Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 720.

Examples

This example shows how to display the information about the authentication proxy watch list:

Router# show ip auth-proxy watch-list

Authentication Proxy Watch-list is enabled 
Watch-list expiry timeout is 2 minutes 
Total number of watch-list entries: 3

 Source IP       Type         Violation-count 
 10.0.0.2        MAX_RETRY    MAX_LIMIT 
 10.0.0.3        TCP_NO_DATA  MAX_LIMIT 
 10.255.255.255  CFGED        N/A

Total number of watch-listed users: 3 
Router#

Related Commands

Command
Description

clear ip auth-proxy watch-list

Deletes a single watch-list entry or all watch-list entries.

ip auth-proxy max-login-attempts

Limits the number of login attempts at a firewall interface.

ip auth-proxy watch-list

Enables and configures an authentication proxy watch list.


show ip bgp labels

To display information about Multiprotocol Label Switching (MPLS) labels from the external Border Gateway Protocol (eBGP) route table, use the show ip bgp labels command in privileged EXEC mode.

show ip bgp labels

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(21)ST

This command was introduced.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB and implemented on the Cisco 10000 series router.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.


Usage Guidelines

Use this command to display eBGP labels associated with an Autonomous System Boundary Router (ASBR).

This command displays labels for BGP routes in the default table only. To display labels in the Virtual Private Network (VPN) routing and forwarding (VRF) tables, use the show ip bgp vpnv4 {all | vrf vrf-name} command with the optional labels keyword.

Examples

The following example shows output for an ASBR using BGP as a label distribution protocol:

Router# show ip bgp labels

Network          Next Hop         In Label/Out Label
10.3.0.0/16       0.0.0.0          imp-null/exp-null
10.15.15.15/32   10.15.15.15      18/exp-null
10.16.16.16/32   0.0.0.0          imp-null/exp-null
10.17.17.17/32   10.0.0.1         20/exp-null
10.18.18.18/32   10.0.0.1         24/31
10.18.18.18/32   10.0.0.1         24/33

Table 131 describes the significant fields shown in the display.

Table 131 show ip bgp labels Field Descriptions 

Field
Description

Network

Displays the network address from the eBGP table.

Next Hop

Specifies the eBGP next hop address.

In Label

Displays the label (if any) assigned by this router.

Out Label

Displays the label assigned by the BGP next hop router.


Related Commands

Command
Description

show ip bgp vpnv4

Displays VPN address information from the BGP table.


show ip device tracking

To display information about entries in the IP device tracking table, use the show ip device tracking command in privileged EXEC mode.

show ip device tracking {all count | interface type-of-interface | ip ip-address | mac mac-address}

Syntax Description

all count

Displays a count of all IP tracking host entries.

interface type-of-interface

Displays interface information. See Table 132 for a list of valid interfaces.

ip ip-address

Displays the IP address of the client.

mac mac-address

Displays the 48-bit hardware MAC address.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.2SX

This command was introduced.

12.4(15)T

This command was integrated into Cisco IOS Release 12.4(15)T.


Usage Guidelines

Table 132 lists the interface types that can be entered for the type-of-interface argument with the interface keyword.

Table 132 Interfaces That Can Be Tracked 

Interface
Description

Async

Asynchronous interface

BVI

Bridge-Group Virtual Interface

CDMA-Ix

CDMA Ix interface

CTunnel

CTunnel interface

Dialer

Dialer interface

FastEthernet

FastEthernet IEEE 802.3

Lex

Lex interface

Loopback

Loopback interface

MFR

Multilink Frame Relay bundle interface

Multilink

Multilink-group interface

Null

Null interface

Port-channel

Ethernet channel of interfaces

Serial

Serial interface

Tunnel

Tunnel interface

vif

Pragmatic General Multicast (PGM) multicast host interface

virtual

Virtual interface

virtual-PPP

Virtual PPP interface

virtual-Template

Virtual template interface

virtual-TokenRing

Virtual TokenRing

XTagATM

Extended Tag ATM interface


Examples

The following example shows the output of the show ip device tracking all count command:

Router# show ip device tracking all count

IP Device Tracking = Enabled
Probe Count: 2
Probe Interval: 10

The fields in the above display are self-explanatory.

show ip inspect

To display Context-Based Access Control (CBAC) configuration and session information, use the show ip inspect command in privileged EXEC mode.

show ip inspect {name inspection-name | config | interfaces | session [detail] | statistics | all | sis | tech-support} [vrf vrf-name]

Firewall MIB Statistics Syntax

show ip inspect mib connection-statistics {global | l4-protocol {all | icmp | tcp | udp} | l7-protocol {all | other | telnet | ftp} | policy policy-name target target-name {l4-protocol {all | icmp | tcp | udp} | l7-protocol {all | other | telnet | ftp}}}

Syntax Description

name inspection-name

Displays the configured inspection rule with the name inspection-name.

config

Displays the complete CBAC or HA inspection configuration.

interfaces

Displays the interface configuration with respect to applied inspection rules and access lists.

session [detail]

Displays existing sessions that are currently being tracked and inspected by CBAC or HA. The optional detail keyword allows additional details about these sessions to be shown.

statistics

Displays CBAC sessions statistics, such as the number of TCP and HTTP packets that are processed through the inspection, the number of sessions that have been created since the subsystem startup, the current session count, the maximum session count, and the session creation rate.

all

Displays all CBAC configuration and all existing sessions that are currently being tracked and inspected by CBAC.

sis

Displays CBAC session information such as window-size information of initiator and responder windows in a session.

tech-support

Displays additional information regarding drops that are not shown in the show ip inspect statistics command. This information is useful for troubleshooting IP inspect issues.

vrf vrf-name

(Optional) Displays information only for the specified Virtual Routing and Forwarding (VRF) interface.

mib connection-statistics

Displays firewall performance summary statistics that are monitored via firewall MIBs.

global

Displays global connection summary statistics, which are kept for the entire device.

l4-protocol

Displays Layer 4 protocol-based connection summary statistics for one of the following specified protocols: all, icmp, tcp, udp.

l7-protocol

Displays Layer 7 protocol-based connection summary statistics for one of the following specified protocols: all, other, telnet, ftp.

policy policy-name

Name of the firewall policy that is being monitored.

target target-name

Name of the interface on which the specified firewall policy is applied.


Command Modes

Privileged EXEC

Command History

Release
Modification

11.2P

This command was introduced.

12.3(4)T

The output for the show ip inspect session detail command was enhanced to support dynamic access control list (ACL) bypass.

12.3(11)T

The statistics keyword was added.

12.3(14)T

The output shows the IMAP and POP3 configuration. The vrf vrf-name keyword/argument pair was added.

12.4(6)T

The firewall MIB statistics syntax was added to support firewall performance via SNMP.

High Availability (HA) configuration and session information was added to support Stateful Failover.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

The tech-support and sis keywords were unhidden and are now supported.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use this command to view the CBAC and HA configuration and session information.

ACL Bypass Functionality

ACL bypass allows a packet to avoid redundant ACL checks by allowing the firewall to permit the packet on the basis of existing inspection sessions instead of dynamic ACLs. Because input and output dynamic ACLs have been eliminated from the firewall configuration, the show ip inspect session detail command output no longer shows dynamic ACLs. Instead, the output displays the matching inspection session for each packet that is permitted through the firewall.

Firewall MIB Functionality

The Cisco Unified Firewall MIB monitors the following firewall performance statistics:

Connection statistics, which are a record of the firewall traffic streams that have attempted to flow through the firewall system. Connection statistics can be displayed on a global basis, a protocol-specific basis, or a firewall policy basis.

URL filtering statistics, which include the status of distinct URL filtering servers that are configured on the firewall and the impact of the performance of the URL filtering servers on the latency and throughput of the firewall.

Examples

The following example shows sample output for the show ip inspect name myinspectionrule command, where the inspection rule "myinspectionrule" is configured. In this example, the output shows the protocols that should be inspected by CBAC and the corresponding idle timeouts for each protocol.

Router# show ip inspect name myinspectionrule

Inspection Rule Configuration
 Inspection name myinspectionrule
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600

The following is sample output for the show ip inspect config command. In this example, the output shows CBAC configuration, including global timeouts, thresholds, and inspection rules.

Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name myinspectionrule
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600

The following is sample output for the show ip inspect interfaces command:

Interface Configuration
 Interface Ethernet0
  Inbound inspection rule is myinspectionrule
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

The following is sample output for the show ip inspect session command. In this example, the output shows the source and destination addresses and port numbers (separated by colons), and it indicates that the session is an FTP session.

Router# show ip inspect session 

Established Sessions
 Session 25A3318 (10.0.0.1:20)=>(10.1.0.1:46068) ftp-data SIS_OPEN
 Session 25A6E1C (10.1.0.1:46065)=>(10.0.0.1:21) ftp SIS_OPEN


The following is sample output for the show ip inspect all command:

Router# show ip inspect all

Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name all
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
Interface Configuration
 Interface Ethernet0
  Inbound inspection rule is all
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
 Established Sessions
 Session 25A6E1C (10.3.0.1:46065)=>(10.4.0.1:21) ftp SIS_OPEN
 Session 25A34A0 (10.4.0.1:20)=>(10.3.0.1:46072) ftp-data SIS_OPEN

The following is sample output from the show ip inspect session detail command, which shows that an outgoing ACL and an inbound ACL (dynamic ACLs) have been created to allow return traffic:

Router# show ip inspect session detail 

Established Sessions
 Session 80E87274 (192.168.1.116:32956)=>(192.168.101.115:23) tcp SIS_OPEN
   Created 00:00:08, Last heard 00:00:04
   Bytes sent (initiator:responder) [140:298] acl created 2
   Outgoing access-list 102 applied to interface FastEthernet0/0
   Inbound access-list 101 applied to interface FastEthernet0/1

The following is sample output from the show ip inspect session detail command, which shows related ACL information (such as session identifiers [SIDs]), but does not show dynamic ACLs, which are no longer created:

Router# show ip inspect session detail

Established Sessions
 Session 814063CC (192.168.1.116:32955)=>(192.168.101.115:23) tcp SIS_OPEN
  Created 00:00:10, Last heard 00:00:06
  Bytes sent (initiator:responder) [140:298]
  HA state: HA_STANDBY
  In  SID 192.168.101.115[23:23]=>192.168.1.117[32955:32955] on ACL 101 (15 matches)
  Out SID 192.168.101.115[23:23]=>192.168.1.116[32955:32955] on ACL 102

The following is sample output from the show ip inspect statistics command:

Router# show ip inspect statistics

Packet inspection statistics [process switch:fast switch]
  tcp packets: [616668:0]
  http packets: [178912:0]
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 42940
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [98:68:50]
Last session created 5d21h
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
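The config display earlier in this section prints the CBAC thresholds as [low:high] pairs, and the statistics display just above reports the current and maximum-ever half-open session counts; reading the two together tells you how close the firewall has come to its aggressive-mode trigger. The following is an added example, not Cisco code: it extracts the thresholds and per-host limit from the config text, the session counters from the statistics text, reports the headroom between the peak half-open count and the high-water mark, and models the high/low hysteresis of the max-incomplete and one-minute thresholds (the firewall starts deleting half-open sessions once the count or rate exceeds the high value and stops once it falls below the low value). Treating those comparisons as strict is an assumption of this example; both sample displays are constructed from the ones shown in this section.

```python
"""Read CBAC thresholds from 'show ip inspect config', compare them with the
counters in 'show ip inspect statistics', and model the high/low hysteresis.

Added example; the sample displays are constructed from this section.
Assumption: aggressive mode starts when a sample is strictly above the high
value and ends when a sample is strictly below the low value.
"""
import re
from typing import Dict, List, Tuple

CONFIG_SAMPLE = """\
Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
"""

STATS_SAMPLE = """\
Packet inspection statistics [process switch:fast switch]
  tcp packets: [616668:0]
  http packets: [178912:0]
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 42940
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [98:68:50]
Last session created 5d21h
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
"""


def parse_thresholds(text: str) -> Dict[str, Tuple[int, int]]:
    """Return the [low:high] pairs and the (per-host limit, block-time) pair."""
    out = {}
    m = re.search(r"one-minute .*thresholds are \[(\d+):(\d+)\]", text)
    out["one_minute"] = (int(m.group(1)), int(m.group(2)))
    m = re.search(r"max-incomplete sessions thresholds are \[(\d+):(\d+)\]", text)
    out["max_incomplete"] = (int(m.group(1)), int(m.group(2)))
    m = re.search(r"per host is (\d+)\. Block-time (\d+) minute", text)
    out["per_host"] = (int(m.group(1)), int(m.group(2)))
    return out


def parse_session_counts(text: str) -> Dict[str, Tuple[int, int, int]]:
    """Return (estab, half-open, terminating) for the current and max-ever counters."""
    out = {}
    for key, label in (("current", "Current"), ("maxever", "Maxever")):
        m = re.search(label + r" session counts .*\[(\d+):(\d+):(\d+)\]", text)
        out[key] = tuple(int(x) for x in m.groups())
    return out


class HysteresisMonitor:
    """Aggressive-mode state for one [low:high] threshold pair."""

    def __init__(self, low: int, high: int):
        if low > high:
            raise ValueError("low threshold must not exceed high threshold")
        self.low, self.high, self.aggressive = low, high, False

    def observe(self, value: int) -> bool:
        """Feed one sample; True while the firewall would be deleting half-open sessions."""
        if not self.aggressive and value > self.high:
            self.aggressive = True
        elif self.aggressive and value < self.low:
            self.aggressive = False
        return self.aggressive


def aggressive_mode_trace(low: int, high: int, samples: List[int]) -> List[bool]:
    """Run a sequence of half-open counts through the monitor."""
    monitor = HysteresisMonitor(low, high)
    return [monitor.observe(s) for s in samples]


def headroom_report(config_text: str, stats_text: str) -> Dict[str, object]:
    """Compare the max-ever half-open count with the configured high-water mark."""
    high = parse_thresholds(config_text)["max_incomplete"][1]
    peak_half_open = parse_session_counts(stats_text)["maxever"][1]
    return {
        "peak_half_open": peak_half_open,
        "high_water_mark": high,
        "ever_exceeded_high": peak_half_open > high,
        "headroom": high - peak_half_open,
    }


if __name__ == "__main__":
    print(headroom_report(CONFIG_SAMPLE, STATS_SAMPLE))
    print(aggressive_mode_trace(400, 500, [0, 450, 501, 450, 399, 450]))
```

With the sample displays the peak half-open count (68) is well under the 500 high-water mark, so aggressive mode has never been entered on this device; a small or negative headroom on a production box is the cue to look at the "Last half-open session total" and the per-host limit before raising the thresholds.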

The following example is sample output from the show ip inspect tech-support command:

Router# show ip inspect tech-support
Packet inspection statistics [process switch:fast switch]
  tcp packets: [21:879]
Interfaces configured for inspection 1 Pre-gen sessions 0
Session creations since subsystem startup or last reset 19
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:1]
Last session created 02:25:37
Last statistic reset never
Last session creation rate 0
Last half-open session total 0

Packet disposition statistics [process switch:fastswitch]
  tcp packets dropped: [1:3]
  tcp packets skipped: [0:35]
TCP session reset: 0

The following examples are sample outputs from the show ip inspect mib command with global or protocol-specific keywords.

Global MIB Statistics

Router# show ip inspect mib connection-statistics global  
-------------------------------------------------- 
Connections Attempted 7 
Connections Setup Aborted 0 
Connections Policy Declined 0 
Connections Resource Declined 0 
Connections Half Open 2 
Connections Active 3 
Connections Expired 2 
Connections Aborted 0 
Connections Embryonic 0 
Connections 1-min Setup Rate 5 
Connections 5-min Setup Rate 7 

Protocol-Based MIB Statistics

Router# show ip inspect mib connection-statistics l4-protocol tcp 
-------------------------------------------------- 
Protocol tcp 
Connections Attempted 3 
Connections Setup Aborted 0 
Connections Policy Declined 0 
Connections Resource Declined 0 
Connections Half Open 1 
Connections Active 2 
Connections Aborted 0 
Connections 1-min Setup Rate 3 
Connections 5-min Setup Rate 3 

Router# show ip inspect mib connection-statistics l7-protocol http 
-------------------------------------------------- 
Protocol http 
Connections Attempted 3 
Connections Setup Aborted 0 
Connections Policy Declined 2 
Connections Resource Declined 0 
Connections Half Open 0 
Connections Active 1 
Connections Aborted 0 
Connections 1-min Setup Rate 1 
Connections 5-min Setup Rate 2

Policy-target-Based MIB Statistics

Router# show ip inspect mib connection-statistics policy ftp interface GigabitEthernet0/0 l4-protocol tcp 
! Policy Target Protocol Based Connection Summary Stats 
------------------------------------------------------ 
Policy ftp-inspection 
Target GigabitEthernet0/0 
Protocol tcp 
Connections Attempted 3 
Connections Setup Aborted 0 
Connections Policy Declined 0 
Connections Resource Declined 0 
Connections Half Open 1 
Connections Active 2 
Connections Aborted 0 

Router# show ip inspect mib connection-statistics policy ftp interface GigabitEthernet0/0 l7-protocol ftp 
! Policy Target Protocol Based Connection Summary Stats 
------------------------------------------------------ 
Policy ftp-inspection 
Target GigabitEthernet0/0 
Protocol ftp 
Connections Attempted 3 
Connections Setup Aborted 0 
Connections Policy Declined 0 
Connections Resource Declined 0 
Connections Half Open 1 
Connections Active 2 
Connections Aborted 0

show ip inspect ha

To display Stateful Failover High Availability (HA) session information, use the show ip inspect ha command in privileged EXEC mode.

show ip inspect ha { session [detail] | statistics} [vrf vrf-name]

Syntax Description

session [detail]

Displays additional information on pin-holes created for the return traffic, number of bytes that have passed through this session, and session time information.

statistics

Displays HA sessions statistics for both the active and standby devices.

vrf vrf-name

(Optional) Displays information only for the specified Virtual Routing and Forwarding (VRF) interface.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.4(6)T

This command was introduced.


Usage Guidelines

Use this command to view the Stateful Failover HA session information.

Examples

The following is sample output for the show ip inspect ha session command. The following information is displayed for each session:

Session ID

Source address and port

Destination address and port

Protocol

Session State

HA State

Router# show ip inspect ha sessions 
Sess_ID    (src_addr:port)=>(dst_addr:port)   proto sess_state   ha_state
Established Session
2CA8958  (10.0.0.5:37690)=>(10.0.0.4:00023) tcp   SIS_OPEN     HA_ACTIVE

The following is sample output for the show ip inspect ha session detail command. This command displays additional information for each session.

Router# show ip inspect ha sessions detail
Sess_ID    (src_addr:port)=>(dst_addr:port)   proto sess_state   ha_state
Established Session
2CA8958  (10.0.0.5:37690)=>(10.0.0.4:00023) tcp   SIS_OPEN     HA_ACTIVE 
  Created 00:01:52, Last heard 00:01:39
  Bytes sent (initiator:responder) [50:91]
  In  SID 10.11.0.4[23:23]=>10.0.0.5[37690:37690] on ACL test  (25 matches)

The following is sample output for the show ip inspect ha statistics command. The information displayed depends on whether the router is the active or the standby router.

On the active router:

Router# show ip inspect ha statistics 
****************************************************
FW HA ACTIVE STATS
****************************************************
FW HA active num add session sent                 1
FW HA active num delete session sent              0
FW HA active num update session requests          0
FW HA active num update session sent              17
FW HA active bulk sync session                    0
FW HA active num error                            0
FW HA active RF error                             0
FW HA active CF error                             0
FW HA active manager error                        0
****************************************************

On the standby router:

Router# show ip inspect ha statistics 
****************************************************
FW HA STANDBY STATS
****************************************************
FW HA standby num add session received            1
FW HA standby num delete session received         0
FW HA standby num update session received         17
FW HA standby num bulk sync request sent          0
FW HA standby num error                           0
FW HA standby config error                        0
****************************************************

The following information displays on the active router:

Number of add session message sent

Number of delete session message sent

Number of update session message requests

Number of update session message sent

Number of bulk sync requests received

Error statistics

The following information displays on the standby router:

Number of add session message received

Number of delete session message received

Number of update session message received

Number of bulk sync requests sent

Error statistics
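The active and standby displays above are mirror images: every add, delete, and update message the active router reports as sent should show up as received on the standby once synchronization has settled. The following added example (not Cisco code) parses both displays into counter maps, pairs the active "sent" counters with the standby "received" counters, and reports any mismatch or non-zero error counter. The two sample displays are constructed from the ones in this section with the column spacing collapsed to single spaces; a difference between the two routers is a lead for investigation rather than proof of a fault, since the standby can lag the active by a few messages.

```python
"""Reconcile 'show ip inspect ha statistics' from the active and standby routers.

Added example; the two displays are constructed from this section. The
pairing of active "sent" with standby "received" counters is the check.
"""
import re
from typing import Dict, List, Tuple

ACTIVE_SAMPLE = """\
****************************************************
FW HA ACTIVE STATS
****************************************************
FW HA active num add session sent 1
FW HA active num delete session sent 0
FW HA active num update session requests 0
FW HA active num update session sent 17
FW HA active bulk sync session 0
FW HA active num error 0
FW HA active RF error 0
FW HA active CF error 0
FW HA active manager error 0
****************************************************
"""

STANDBY_SAMPLE = """\
****************************************************
FW HA STANDBY STATS
****************************************************
FW HA standby num add session received 1
FW HA standby num delete session received 0
FW HA standby num update session received 17
FW HA standby num bulk sync request sent 0
FW HA standby num error 0
FW HA standby config error 0
*****************************************************
"""

# Counter lines: "FW HA <role> <counter name> <value>", any amount of whitespace.
COUNTER_RE = re.compile(r"^FW HA (active|standby) (.+?)\s+(\d+)\s*$")

# (active counter, standby counter) pairs that must agree once sync has settled.
PAIRED_COUNTERS = [
    ("num add session sent", "num add session received"),
    ("num delete session sent", "num delete session received"),
    ("num update session sent", "num update session received"),
]


def parse_ha_stats(text: str) -> Tuple[str, Dict[str, int]]:
    """Return the role (active/standby) and a counter-name -> value map."""
    role, counters = "", {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            role = m.group(1)
            counters[m.group(2)] = int(m.group(3))
    return role, counters


def reconcile(active_text: str, standby_text: str) -> List[str]:
    """Return human-readable discrepancies; an empty list means the pair looks healthy."""
    a_role, active = parse_ha_stats(active_text)
    s_role, standby = parse_ha_stats(standby_text)
    problems: List[str] = []
    if (a_role, s_role) != ("active", "standby"):
        problems.append(f"unexpected roles: {a_role!r} and {s_role!r}")
    for a_name, s_name in PAIRED_COUNTERS:
        a_val, s_val = active.get(a_name), standby.get(s_name)
        if a_val is None or s_val is None:
            problems.append(f"missing counter: {a_name} / {s_name}")
        elif a_val != s_val:
            problems.append(f"{a_name}={a_val} but {s_name}={s_val}")
    # Any non-zero error counter on either side is worth a look on its own.
    for role, counters in (("active", active), ("standby", standby)):
        for name, val in counters.items():
            if "error" in name and val:
                problems.append(f"{role} {name}={val}")
    return problems


if __name__ == "__main__":
    print(reconcile(ACTIVE_SAMPLE, STANDBY_SAMPLE) or "HA counters agree")
```

Run against the two displays above, the check finds nothing: 1 add, 0 deletes, and 17 updates on both sides, all error counters zero. Feeding it a standby display that reports 15 updates received instead of 17 produces a single line naming the pair that disagrees.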


show ip interface

To display the usability status of interfaces configured for IP, use the show ip interface command in privileged EXEC mode.

show ip interface [type number] [brief]

Syntax Description

type

(Optional) Interface type.

number

(Optional) Interface number.

brief

(Optional) Displays a summary of the usability status information for each interface.


Command Default

The full usability status is displayed for all interfaces configured for IP.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

10.0

This command was introduced.

12.0(3)T

This command was expanded to include the status of the ip wccp redirect out and ip wccp redirect exclude add in commands.

12.2(14)S

The command output was modified to display the status of NetFlow on a subinterface.

12.2(15)T

The command output was modified to display the status of NetFlow on a subinterface.

12.3(6)

The command output was modified to identify the downstream VPN routing and forwarding (VRF) instance in the output.

12.3(14)YM2

The command output was modified to show the usability status of interfaces configured for Multi-Processor Forwarding (MPF) and implemented on the Cisco 7301 and Cisco 7206VXR routers.

12.2(14)SX

This command was introduced on the Supervisor Engine 720.

12.2(17d)SXB

This command was integrated into Cisco IOS 12.2(17d)SXB on the Supervisor Engine 2, and the command output was changed to include NDE for hardware flow status.

12.4(4)T

This command was integrated into Cisco IOS Release 12.4(4)T.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

The command output was modified to display information about the Unicast Reverse Path Forwarding (RPF) notification feature.

12.4(20)T

The command output was modified to display information about the Unicast RPF notification feature.

12.2(33)SXI2

This command was modified. The command output was modified to display information about the Unicast RPF notification feature.


Usage Guidelines

The Cisco IOS software automatically enters a directly-connected route in the routing table if the interface is usable (which means that it can send and receive packets). If an interface is not usable, the directly-connected routing entry is removed from the routing table. Removing the entry lets the software use dynamic routing protocols to determine backup routes to the network, if any.

If the interface can provide two-way communication, the line protocol is marked "up." If the interface hardware is usable, the interface is marked "up."

If you specify an optional interface type, you see information for that specific interface. If you specify no optional arguments, you see information on all the interfaces.

When an asynchronous interface is encapsulated with PPP or Serial Line Internet Protocol (SLIP), IP fast switching is enabled. A show ip interface command on an asynchronous interface encapsulated with PPP or SLIP displays a message indicating that IP fast switching is enabled.

You can use the show ip interface brief command to view a summary of the router interfaces. This command displays the IP address, the interface status, and other information.

The show ip interface brief command does not display any information related to Unicast RPF.

Examples

The following example shows configuration information on interface Gigabit Ethernet 0/3. In this example, the IP flow egress feature is configured on the output side (where packets go out of the interface), and the policy route-map named PBR_NAME is configured on the input side (where packets come into the interface).

Router# show running-config interface gigabitethernet 0/3

interface GigabitEthernet0/3
 ip address 10.1.1.1 255.255.0.0
 ip flow egress
 ip policy route-map PBR_NAME
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
end

The following example shows interface information for Gigabit Ethernet interface 0/3. In this example, MPF is enabled; neither the NetFlow egress feature nor the PBR route map is supported by MPF, so both are ignored.

Router# show ip interface gigabitethernet 0/3

GigabitEthernet0/3 is up, line protocol is up
  Internet address is 10.1.1.1/16
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP Feature Fast switching turbo vector
  IP VPN Flow CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is enabled, using route map PBR
  Network address translation is disabled
  BGP Policy Mapping is disabled
  IP Multi-Processor Forwarding is enabled
     IP Input features, "PBR",
         are not supported by MPF and are IGNORED
     IP Output features, "NetFlow",
         are not supported by MPF and are IGNORED

The following example identifies a downstream VRF instance. In the example, the line Downstream VPN Routing/Forwarding "D" identifies the downstream VRF instance.

Router# show ip interface virtual-access 3

Virtual-Access3 is up, line protocol is up
  Interface is unnumbered. Using address of Loopback2 (10.0.0.8)
  Broadcast address is 255.255.255.255
  Peer address is 10.8.1.1
  MTU is 1492 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP Feature Fast switching turbo vector
  IP VPN CEF switching turbo vector
  VPN Routing/Forwarding "U"
  Downstream VPN Routing/Forwarding "D"
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled 

The following example shows the information displayed when Unicast RPF drop-rate notification is configured:

Router# show ip interface ethernet 2/3

Ethernet2/3 is up, line protocol is up
  Internet address is 10.0.0.4/16
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP Flow switching is disabled
  IP CEF switching is disabled
  IP Null turbo vector
  IP Null turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are No CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled

Unicast RPF Information

  Input features: uRPF
  IP verify source reachable-via RX, allow default
   0 verification drops
   0 suppressed verification drops
   0 verification drop-rate
Router#

The following example shows how to display the usability status for a specific VLAN:

Router# show ip interface vlan 1

Vlan1 is up, line protocol is up
  Internet address is 10.0.0.4/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP Fast switching turbo vector
  IP Normal CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
  Sampled Netflow is disabled
  IP multicast multilayer switching is disabled
  Netflow Data Export (hardware) is enabled

Table 133 describes the significant fields shown in the display.

Table 133 show ip interface Field Descriptions 

Field
Description

Virtual-Access3 is up

Shows whether the interface hardware is usable (up). For an interface to be usable, both the interface hardware and line protocol must be up.

Broadcast address is

Broadcast address.

Peer address is

Peer address.

MTU is

MTU value set on the interface.

Helper address

Helper address, if one is set.

Directed broadcast forwarding

Shows whether directed broadcast forwarding is enabled.

Outgoing access list

Shows whether the interface has an outgoing access list set.

Inbound access list

Shows whether the interface has an incoming access list set.

Proxy ARP

Shows whether Proxy Address Resolution Protocol (ARP) is enabled for the interface.

Security level

IP Security Option (IPSO) security level set for this interface.

Split horizon

Shows whether split horizon is enabled.

ICMP redirects

Shows whether redirect messages will be sent on this interface.

ICMP unreachables

Shows whether unreachable messages will be sent on this interface.

ICMP mask replies

Shows whether mask replies will be sent on this interface.

IP fast switching

Shows whether fast switching is enabled for this interface. It is generally enabled on serial interfaces, such as this one.

IP Flow switching

Shows whether Flow switching is enabled for this interface.

IP CEF switching

Shows whether Cisco Express Forwarding (CEF) switching is enabled for the interface.

Downstream VPN Routing/Forwarding "D"

Shows the VRF instance where the PPP peer routes and AAA per-user routes are being installed.

IP multicast fast switching

Shows whether multicast fast switching is enabled for the interface.

IP route-cache flags are Fast, Flow init, CEF, Ingress Flow

Shows whether NetFlow is enabled on an interface. Displays "Flow init" to specify that NetFlow is enabled on the interface. Displays "Ingress Flow" to specify that NetFlow is enabled on a subinterface using the ip flow ingress command. Shows "Flow" to specify that NetFlow is enabled on a main interface using the ip route-cache flow command.

Router Discovery

Shows whether the discovery process is enabled for this interface. It is generally disabled on serial interfaces.

IP output packet accounting

Shows whether IP accounting is enabled for this interface and what the threshold (maximum number of entries) is.

TCP/IP header compression

Shows whether compression is enabled.

WCCP Redirect outbound is disabled

Shows the status of whether packets received on an interface are redirected to a cache engine. Displays "enabled" or "disabled."

WCCP Redirect exclude is disabled

Shows the status of whether packets targeted for an interface will be excluded from being redirected to a cache engine. Displays "enabled" or "disabled."

Netflow Data Export (hardware) is enabled

NDE hardware flow status on the interface.
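The fields described in Table 133 are what an operator reads when checking whether an interface is hardened. The following Python is an added example, not Cisco code, that parses a `show ip interface` display into a dictionary and reports the settings a reviewer usually looks at first: directed broadcast forwarding, proxy ARP, ICMP redirects, a missing inbound access list, and the Unicast RPF block. The sample output is constructed in the format shown above and does not come from a real device; the field names and the choice of checks are this example's own.

```python
"""Parse 'show ip interface <if>' output and report security-relevant settings.

Added example; not part of the Cisco IOS command reference.
"""
import re
from typing import Dict, List, Optional

# Constructed sample in the format shown in this reference; not a real device.
SAMPLE_OUTPUT = """\
Ethernet2/3 is up, line protocol is up
  Internet address is 10.0.0.4/16
  Broadcast address is 255.255.255.255
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP CEF switching is disabled

Unicast RPF Information

  Input features: uRPF
  IP verify source reachable-via RX, allow default
   12 verification drops
   0 suppressed verification drops
   3 verification drop-rate
"""

# Field name -> regex capturing the state word(s) printed on that line.
# Anchoring on the start of the line keeps "Local Proxy ARP" from matching "Proxy ARP".
FIELD_PATTERNS = {
    "directed_broadcast": r"^\s*Directed broadcast forwarding is (\w+)",
    "outbound_acl": r"^\s*Outgoing access list is (.+?)\s*$",
    "inbound_acl": r"^\s*Inbound\s+access list is (.+?)\s*$",
    "proxy_arp": r"^\s*Proxy ARP is (\w+)",
    "icmp_redirects": r"^\s*ICMP redirects are (\w+) sent",
    "urpf_mode": r"^\s*IP verify source reachable-via (\w+)",
    "urpf_drops": r"^\s*(\d+) verification drops\s*$",
}


def parse_show_ip_interface(text: str) -> Dict[str, Optional[str]]:
    """Return the interface name, its up/down state and the fields listed above."""
    first = text.strip().splitlines()[0]
    m = re.match(r"(\S+) is (\S+), line protocol is (\S+)", first)
    if not m:
        raise ValueError("not show ip interface output: " + first)
    info: Dict[str, Optional[str]] = {
        "interface": m.group(1),
        "hw_state": m.group(2),
        "line_protocol": m.group(3),
    }
    for field, pattern in FIELD_PATTERNS.items():
        fm = re.search(pattern, text, re.MULTILINE)
        info[field] = fm.group(1) if fm else None  # None: line absent from the display
    return info


def audit_interface(info: Dict[str, Optional[str]]) -> List[str]:
    """Apply the hardening checks to a parsed interface; returns readable findings."""
    findings: List[str] = []
    name = info["interface"]
    if info["directed_broadcast"] == "enabled":
        findings.append(f"{name}: directed broadcast forwarding enabled")
    if info["proxy_arp"] == "enabled":
        findings.append(f"{name}: proxy ARP enabled")
    if info["icmp_redirects"] == "always":
        findings.append(f"{name}: ICMP redirects are sent")
    if info["inbound_acl"] == "not set":
        findings.append(f"{name}: no inbound access list")
    if info["urpf_mode"] is None:
        findings.append(f"{name}: Unicast RPF not configured")
    elif info["urpf_drops"] and int(info["urpf_drops"]) > 0:
        findings.append(
            f"{name}: uRPF ({info['urpf_mode']}) has dropped {info['urpf_drops']} packets"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_interface(parse_show_ip_interface(SAMPLE_OUTPUT)):
        print(finding)
```

Run against the sample, the audit reports proxy ARP, ICMP redirects, the missing inbound access list and the non-zero uRPF drop counter; a `None` value means the router did not print that line at all, which for the uRPF fields is itself a finding.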


The following example shows how to display a summary of the usability status information for each interface:

Router# show ip interface brief

Interface     IP-Address     OK?  Method  Status                  Protocol
Ethernet0     10.108.00.5    YES  NVRAM   up                      up      
Ethernet1     unassigned     YES  unset   administratively down   down    
Loopback0     10.108.200.5   YES  NVRAM   up                      up      
Serial0       10.108.100.5   YES  NVRAM   up                      up      
Serial1       10.108.40.5    YES  NVRAM   up                      up      
Serial2       10.108.100.5   YES  manual  up                      up      
Serial3       unassigned     YES  unset   administratively down   down 

Table 134 describes the significant fields shown in the display.

Table 134 show ip interface brief Field Descriptions 

Field
Description

Interface

Type of interface.

IP-Address

IP address assigned to the interface.

OK?

"Yes" means that the IP Address is currently valid. "No" means that the IP Address is not currently valid.

Method

The Method field has the following possible values:

RARP or SLARP—Reverse Address Resolution Protocol (RARP) or Serial Line Address Resolution Protocol (SLARP) request.

BOOTP—Bootstrap protocol.

TFTP—Configuration file obtained from the TFTP server.

manual—Manually changed by CLI command.

NVRAM—Configuration file in NVRAM.

IPCP—ip address negotiated command.

DHCP—ip address dhcp command.

unassigned—No IP address.

unset—Unset.

other—Unknown.

Status

Shows the status of the interface. Valid values and their meanings are:

up—Interface is administratively up.

down—Interface is administratively down.

administratively down—Interface is administratively down.

Protocol

Shows the operational status of the routing protocol on this interface.
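Table 134 shows why the `brief` display cannot be split on whitespace: the Status column can hold the two-word value "administratively down". The following Python is an added example, not Cisco code, that parses the table by anchoring on the single-word Protocol column at the end of each row, then groups interfaces by state. The sample rows are constructed in the format shown above, not taken from a real router.

```python
"""Parse 'show ip interface brief' rows, including multi-word Status values.

Added example; not part of the Cisco IOS command reference.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the display above; not a real router.
SAMPLE_BRIEF = """\
Interface     IP-Address     OK?  Method  Status                  Protocol
Ethernet0     10.108.0.5     YES  NVRAM   up                      up
Ethernet1     unassigned     YES  unset   administratively down   down
Loopback0     10.108.200.5   YES  NVRAM   up                      up
Serial0       10.108.100.5   YES  manual  up                      up
Serial1       10.108.40.5    YES  NVRAM   up                      down
"""

# Status may contain a space ("administratively down"), so the row is matched from
# both ends: four single tokens, a lazy Status, then the single-word Protocol.
ROW_RE = re.compile(
    r"^(?P<interface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>.+?)\s+(?P<protocol>\S+)\s*$"
)


def parse_show_ip_interface_brief(text: str) -> List[Dict[str, str]]:
    """Return one dict per interface row; header and prompt lines are skipped."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def by_state(rows: List[Dict[str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Group interface names by (Status, Protocol)."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for r in rows:
        groups.setdefault((r["status"], r["protocol"]), []).append(r["interface"])
    return groups


def addressed_but_down(rows: List[Dict[str, str]]) -> List[str]:
    """Interfaces that hold an IP address but whose line protocol is not up."""
    return [r["interface"] for r in rows if r["ip"] != "unassigned" and r["protocol"] != "up"]


if __name__ == "__main__":
    parsed = parse_show_ip_interface_brief(SAMPLE_BRIEF)
    for state, names in by_state(parsed).items():
        print(state, names)
    print("addressed but down:", addressed_but_down(parsed))
```

Interfaces reported by `addressed_but_down` are the ones whose directly connected route has been withdrawn (see the Usage Guidelines above), so traffic for that prefix now follows whatever backup route the dynamic protocols supply.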


Related Commands

Command
Description

ip address

Sets a primary or secondary IP address for an interface.

ip vrf autoclassify

Enables VRF autoclassify on a source interface.

match ip source

Specifies a source IP address to match to required route maps that have been set up based on VRF connected routes.

route-map

Defines the conditions for redistributing routes from one routing protocol into another or to enable policy routing.

set vrf

Enables VPN VRF selection within a route map for policy-based routing VRF selection.

show ip arp

Displays the ARP cache, in which SLIP addresses appear as permanent ARP table entries.

show route-map

Displays static and dynamic route maps.


show ip ips

To display Intrusion Prevention System (IPS) information such as configured sessions and signatures, use the show ip ips command in privileged EXEC mode.

show ip ips {all | configuration | interfaces | license | name name | sessions [detail] [vrf vrf-name] | signatures [[count] [detail | engine [engine-name] | sigid [sigid [subid [subid]]]] | [statistics]] | statistics [reset] [vrf vrf-name]}

Syntax Description

all

Displays all available IPS information.

configuration

Displays additional configuration information, including default values that may not be displayed using the show running-config command.

interfaces

Displays the interface configuration.

license

Displays license and signature package information.

name name

Displays information only for the specified IPS rule.

sessions

Displays IPS session-related information.

detail

(Optional) Shows detailed session information.

vrf vrf-name

(Optional) Shows detailed session and latest statistics information per user specific VRF.

signatures

Displays signature information, such as which signatures are disabled and marked for deletion.

count

(Optional) Displays the number of signatures enabled, retired, and compiled.

detail

(Optional) Displays detailed signature information.

engine engine-name

(Optional) Displays signatures of a selected engine.

sigid sigid

(Optional) Displays signature ID for selected signatures.

subid subid

(Optional) Displays the sub ID for selected signatures.

statistics

(Optional) Displays the information such as the number of packets audited and the number of alarms sent.

statistics

Displays the information such as the number of packets audited and the number of alarms sent.

reset

(Optional) Resets sample output to reflect the latest statistics.


Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

This command was modified. The command name was changed from show ip audit to show ip ips. Also, all show ip ips commands were combined into a single command.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SXI.

12.4(20)T

This command was modified. The vrf keyword and vrf-name argument were added.

12.4(22)T

This command was modified. The count, detail, engine, sigid, signatures, and subid keywords and the engine-name, subid, and sigid arguments were added.

15.0(1)M

This command was modified. The license keyword was added.


Usage Guidelines

Use the show ip ips configuration command to display additional configuration information, including default values that may not be displayed using the show running-config command.

Examples

Sample Output for the show ip ips configuration Command

The following example displays the output of the show ip ips configuration command:

Router# show ip ips configuration
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:5 OrgID:100 Addr:10.2.7.3 Msg dropped:0
HID:1000 OID:100 S:218 A:3 H:14092 HA:7118 DA:0 R:0
    CID:1 IP:172.21.160.20 P:45000 S:ESTAB (Curr Conn)
Audit Rule Configuration
 Audit name AUDIT.1
    info actions alarm

Sample Output for the show ip ips interfaces Command

The following example displays the output of the show ip ips interfaces command:

Router# show ip ips interfaces
Interface Configuration
 Interface Ethernet0
  Inbound IPS audit rule is AUDIT.1
    info actions alarm
  Outgoing IPS audit rule is not set
 Interface Ethernet1
  Inbound IPS audit rule is AUDIT.1
    info actions alarm
  Outgoing IPS audit rule is AUDIT.1
    info actions alarm

Sample Output for the show ip ips statistics Command

The following example displays the output of the show ip ips statistics command:

Router# show ip ips statistics
Signature audit statistics [process switch:fast switch]
  signature 2000 packets audited: [0:2]
  signature 2001 packets audited: [9:9]
  signature 2004 packets audited: [0:2]
  signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0

Sample Output for the show ip ips statistics vrf Command

The following example displays the output of the show ip ips statistics vrf vrf-name command:

Router# show ip ips statistics vrf VRF_600
Signature statistics [process switch:fast switch]
  signature 5170:1 packets checked: [0:2]
Interfaces configured for ips 3
Session creations since subsystem startup or last reset 4
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:1]
Last session created 00:02:34
Last statistic reset never
TCP reassembly statistics
  received 8 packets out-of-order; dropped 0
  peak memory usage 12 KB; current usage: 0 KB
  peak queue length 6

Sample Output for the show ip ips sessions vrf Command

The following example displays the output of the show ip ips sessions vrf vrf-name command:


Router# show ip ips sessions vrf VRF_600
Established Sessions
 Session 67D5C744 (10.0.4.2:34000)=>(10.0.6.2:23) tcp SIS_OPEN

Sample Output for the show ip ips license Command

The following example displays the output of the show ip ips license command:


Router# show ip ips license
IPS License Status Valid
Expiration Date: 2009-12-31
Signatures Loaded: 2009-06-25 S375
Signature Package: 2009-06-25 S375

The sample output shows the details for a valid IPS license. Note the license expiration date (2009-12-31), the version date of the existing S375 loaded signatures (2009-07-24 S375), and the version date of the last signature package (S375) loaded (2009-07-24 S375). The license is valid as the existing loaded signature version date is the same as the last signature package version date. The last signature package date (2009-07-24) is also before the license expiration date (2009-12-31).
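The paragraph above states the conditions under which the license display is consistent: the loaded signature version matches the last package loaded, the package date precedes the expiration date, and the expiration date has not passed. The following Python is an added example, not Cisco code, that parses a `show ip ips license` display and applies those conditions, so the check can run across a fleet of collected outputs. The sample text is constructed in the format shown above; the dates in it are taken from that display, and the `check_license` name is this example's own.

```python
"""Apply the license validity conditions to 'show ip ips license' output.

Added example; not part of the Cisco IOS command reference.
"""
import re
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample in the format of the display above; not a real device.
SAMPLE_LICENSE = """\
IPS License Status Valid
Expiration Date: 2009-12-31
Signatures Loaded: 2009-06-25 S375
Signature Package: 2009-06-25 S375
"""


def _field(text: str, label: str) -> str:
    """Value printed after `label` (with or without a colon) on its own line."""
    m = re.search(rf"^{re.escape(label)}:? (.+?)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError(f"missing field: {label}")
    return m.group(1)


def _version(value: str) -> Tuple[date, str]:
    """'2009-06-25 S375' -> (date, 'S375')."""
    day, tag = value.split()
    return date.fromisoformat(day), tag


def parse_ips_license(text: str) -> Dict[str, object]:
    return {
        "status": _field(text, "IPS License Status"),
        "expires": date.fromisoformat(_field(text, "Expiration Date")),
        "loaded": _version(_field(text, "Signatures Loaded")),
        "package": _version(_field(text, "Signature Package")),
    }


def license_problems(info: Dict[str, object], today: date) -> List[str]:
    """Return every violated condition; an empty list means the license checks out."""
    problems: List[str] = []
    if info["status"] != "Valid":
        problems.append(f"router reports license status {info['status']}")
    loaded_date, loaded_tag = info["loaded"]
    pkg_date, pkg_tag = info["package"]
    if (loaded_date, loaded_tag) != (pkg_date, pkg_tag):
        problems.append(
            f"loaded signatures {loaded_tag} ({loaded_date}) differ from "
            f"last package {pkg_tag} ({pkg_date})"
        )
    if pkg_date > info["expires"]:
        problems.append(f"package {pkg_tag} is dated after license expiration {info['expires']}")
    if today > info["expires"]:
        problems.append(f"license expired on {info['expires']}")
    return problems


def check_license(text: str, today_iso: str) -> List[str]:
    """Convenience wrapper taking the raw display and today's date as an ISO string."""
    return license_problems(parse_ips_license(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(check_license(SAMPLE_LICENSE, "2009-07-01") or "license consistent")
```

A mismatch between the loaded version and the last package is the case worth alerting on: the router has a newer signature package on its file system than the signatures actually compiled and enforcing traffic.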


Related Commands

Command
Description

clear ip ips statistics

Resets statistics on packets analyzed and alarms sent.


show ip ips auto-update

To display the automatic signature update configuration, use the show ip ips auto-update command in EXEC mode.

show ip ips auto-update

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC

Command History

Release
Modification

12.4(11)T

This command was introduced.


Usage Guidelines

Automatic signature updates allow users to override the existing Intrusion Prevention System (IPS) configuration and automatically keep signatures up to date on the basis of a preset time, which can be configured to a preferred setting.

Use the show ip ips auto-update command to verify the auto update configuration.

Examples

The following example shows how to configure automatic signature updates and issue the show ip ips auto-update command to verify the configuration. In this example, the signature package file is pulled from the TFTP server at the start of every hour of every day, Sunday through Thursday. (Note that adjustments are made for months without 31 days and daylight savings time.)

Router# clock set ?
hh:mm:ss Current Time
Router# clock set 10:38:00 20 apr 2006
Router#
*Apr 20 17:38:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:37:55 MST 
Thu Apr 20 2006 to 10:38:00 MST Thu Apr 20 2006, configured from console by cisco on 
console.

Router(config)# ip ips auto-update
Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5
Router(config-ips-auto-update)# $s-auto-update/IOS_reqSeq-dw.xml 
Router(config-ips-auto-update)#^Z
Router#
*May 4 2006 15:50:28 MST: IPS Auto Update: setting update timer for next update: 0 hrs 10 
min
*May 4 2006 15:50:28 MST: %SYS-5-CONFIG_I: Configured from console by cisco on console
Router#
Router# show ip ips auto-update 

IPS Auto Update Configuration
URL : tftp://192.168.0.2/jdoe/ips-auto-update/IOS_reqSeq-dw.xml
Username : not configured
Password : not configured
Auto Update Intervals
  minutes (0-59) : 0
  hours (0-23) : 0-23
  days of month (1-31) : 1-31
  days of week: (0-6) : 1-5
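The four interval fields shown above (minutes, hours, days of month, days of week) determine when the router schedules its next pull, as the "setting update timer for next update" log line in the example reflects. The following Python is an added example, not Cisco code, that expands an `occur-at` specification into value sets and computes the next matching minute after a given time. It works in naive local time and does not model daylight-saving adjustments; the weekday numbering (0 = Sunday through 6 = Saturday) is an assumption of this example, not something the reference states; the `OccurAt` and `next_update` names are this example's own.

```python
"""Compute the next automatic-update time from an occur-at specification.

Added example; not part of the Cisco IOS command reference.
"""
from datetime import datetime, timedelta
from typing import Set


def parse_field(spec: str, lo: int, hi: int) -> Set[int]:
    """Expand one field ('0', '0-23', '1,15', '1-5') into the set of values it covers."""
    values: Set[int] = set()
    for part in spec.split(","):
        first, _, last = part.partition("-")
        a = int(first)
        b = int(last) if last else a
        if not (lo <= a <= b <= hi):
            raise ValueError(f"field {spec!r} outside {lo}-{hi}")
        values.update(range(a, b + 1))
    return values


class OccurAt:
    """Schedule written as 'minutes hours days-of-month days-of-week'."""

    def __init__(self, spec: str):
        minutes, hours, dom, dow = spec.split()
        self.minutes = parse_field(minutes, 0, 59)
        self.hours = parse_field(hours, 0, 23)
        self.days_of_month = parse_field(dom, 1, 31)
        self.days_of_week = parse_field(dow, 0, 6)

    @staticmethod
    def _dow(t: datetime) -> int:
        # Assumption of this example: 0 = Sunday ... 6 = Saturday (cron convention).
        return (t.weekday() + 1) % 7

    def next_after(self, now: datetime) -> datetime:
        """First whole minute after `now` that matches every field."""
        t = now.replace(second=0, microsecond=0) + timedelta(minutes=1)
        limit = t + timedelta(days=366)
        while t < limit:
            if t.day not in self.days_of_month or self._dow(t) not in self.days_of_week:
                # Wrong day: jump to the next midnight. Months shorter than 31 days
                # are handled naturally because the calendar skips the missing dates.
                t = (t + timedelta(days=1)).replace(hour=0, minute=0)
            elif t.hour not in self.hours:
                t = (t + timedelta(hours=1)).replace(minute=0)
            elif t.minute not in self.minutes:
                t += timedelta(minutes=1)
            else:
                return t
        raise ValueError("no matching time within a year")


def next_update(spec: str, now_iso: str) -> str:
    """ISO timestamp of the next update for `spec`, given the current time as ISO text."""
    return OccurAt(spec).next_after(datetime.fromisoformat(now_iso)).isoformat(timespec="minutes")


if __name__ == "__main__":
    # The configuration above (minute 0, every hour, every day of month, weekdays 1-5),
    # evaluated at the time of the log message in the example.
    print(next_update("0 0-23 1-31 1-5", "2006-05-04T15:50:28"))
```

Evaluated at 15:50:28 on 4 May 2006, the schedule from the example yields 16:00 the same day, which agrees with the "next update: 0 hrs 10 min" timer in the log above.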

Related Commands

Command
Description

ip ips auto-update

Enables automatic signature updates for Cisco IOS IPS.


show ip port-map

To display the port-to-application mapping (PAM) information, use the show ip port-map command in privileged EXEC mode.

show ip port-map [appl-name | port port-num [detail]]

Syntax Description

appl-name

(Optional) Specifies the name of the application to which to apply the port mapping.

port port-num

(Optional) Specifies the alternative port number that maps to the application.

detail

(Optional) Shows the port or application details.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(14)T

The detail keyword was added and command output was modified to display user-defined applications.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use this command to display the port mapping information at the firewall, including the system-defined and user-defined information. Include the application name to display the list of entries by application. Include the port number to display the entries by port.

Examples

The following is sample output from the show ip port-map command, including system- and user-defined mapping information. Notice that multiple port numbers display in a series such as 554,8554 or 1512...1525, or as a range such as 55000-62000. When there are multiple ports, they all display if they fit into the fixed-field width. If they do not fit into the fixed-field width, they display with an ellipsis, such as 1512...1525 shown below.

Router# show ip port-map

Default mapping:  snmp       udp port 161                    system defined
Host specific:    snmp       udp port 577         in list 55 user defined
Host specific:    snmp       udp port 55000-62000 in list 57 user defined
Default mapping:  echo       tcp port 7                      system defined
Default mapping:  echo       udp port 7                      system defined
Default mapping:  telnet     tcp port 23                     system defined
Default mapping:  wins       tcp port 1512...1525            system defined
Default mapping:  n2h2server tcp port 9285                   system defined
Default mapping:  n2h2server udp port 9285                   system defined
Default mapping:  nntp       tcp port 119                    system defined
Default mapping:  pptp       tcp port 1725                   system defined
Default mapping:  rtsp       tcp port 554,8554               system defined
Default mapping:  bootpc     udp port 68                     system defined
Default mapping:  gdoi       udp port 848                    system defined
Default mapping:  tacacs     udp port 49                     system defined
Default mapping:  gopher     tcp port 70                     system defined
Default mapping:  icabrowser udp port 1604                   system defined

The following sample output from the show ip port-map snmp command displays information about the SNMP application:

Router# show ip port-map snmp

Default mapping:  snmp    udp port 161                      system defined
Host specific:    snmp    udp port 577          in list 55  user defined
Host specific:    snmp    udp port 55000-62000  in list 57  user defined

The following sample output from the show ip port-map snmp detail command displays detailed information about the SNMP application:

Router# show ip port-map snmp detail

 IP port-map entry for application 'snmp':
     udp 161                    Simple Network Management Protoco system defined
     udp 577            list 55 User's SNMP Port                  user defined
     udp 55000-62000    list 57 User's Another SNMP Port          user defined

The following sample output from the show ip port-map port 577 command displays information about port 577:

Router# show ip port-map port 577

Host specific:   snmp  udp port 577    in list 55   user defined

The following sample output from the show ip port-map port 55800 command displays information about port 55800:

Router# show ip port-map port 55800

Host specific:   snmp   udp port 55800  in list 57   user defined

The following sample output from the show ip port-map port 577 detail command displays detailed information about port 577:

Router# show ip port-map port 577 detail 

 IP Port-map entry for port 577:
 snmp                 udp list 55                            user defined
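PAM decides which application inspector the firewall applies to a flow, so a user-defined entry on an unusual port changes what gets inspected. The following Python is an added example, not Cisco code, that parses the summary `show ip port-map` display, including the comma lists, hyphen ranges and the "first...last" elided form described above, and answers "which application does the firewall treat port N as" for a given protocol. The sample lines are constructed from the format shown above and cover only a subset of the mappings; the `PortMapEntry` and `applications_for` names are this example's own.

```python
"""Parse 'show ip port-map' summary lines and resolve a port to its application.

Added example; not part of the Cisco IOS command reference.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample in the format of the display above (subset of the lines shown).
SAMPLE_PORT_MAP = """\
Default mapping:  snmp       udp port 161                    system defined
Host specific:    snmp       udp port 577         in list 55 user defined
Host specific:    snmp       udp port 55000-62000 in list 57 user defined
Default mapping:  telnet     tcp port 23                     system defined
Default mapping:  wins       tcp port 1512...1525            system defined
Default mapping:  rtsp       tcp port 554,8554               system defined
"""

LINE_RE = re.compile(
    r"^(?P<scope>Default mapping|Host specific):\s+(?P<app>\S+)\s+(?P<proto>tcp|udp)"
    r" port (?P<ports>\S+)(?:\s+in list (?P<acl>\d+))?\s+(?P<origin>system|user) defined\s*$"
)


@dataclass
class PortMapEntry:
    app: str
    proto: str
    ports: Set[int]        # port numbers actually printed on the line
    elided: bool           # True when the display shortened the list to "first...last"
    acl: Optional[str]     # host-specific entries are scoped by a standard ACL number
    user_defined: bool

    def covers(self, port: int) -> bool:
        """Does this entry map `port`? For an elided list only the end points are certain;
        anything between them may be mapped, so it is reported as covered."""
        if port in self.ports:
            return True
        return self.elided and min(self.ports) < port < max(self.ports)


def parse_port_spec(spec: str) -> Tuple[Set[int], bool]:
    """'161' -> {161}; '554,8554' -> {554, 8554}; '55000-62000' -> the full range;
    '1512...1525' -> the two end points, flagged as elided."""
    if "..." in spec:
        first, last = spec.split("...")
        return {int(first), int(last)}, True
    ports: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports, False


def parse_show_ip_port_map(text: str) -> List[PortMapEntry]:
    entries: List[PortMapEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt, blank or unrecognised line
        ports, elided = parse_port_spec(m["ports"])
        entries.append(
            PortMapEntry(m["app"], m["proto"], ports, elided, m["acl"], m["origin"] == "user")
        )
    return entries


def applications_for(entries: List[PortMapEntry], proto: str, port: int) -> List[str]:
    """Applications whose mapping covers (proto, port); ACL-scoped host-specific entries first."""
    hits = [e for e in entries if e.proto == proto and e.covers(port)]
    hits.sort(key=lambda e: e.acl is None)  # entries with an ACL sort ahead of defaults
    return [e.app for e in hits]


if __name__ == "__main__":
    table = parse_show_ip_port_map(SAMPLE_PORT_MAP)
    for proto, port in (("udp", 161), ("udp", 60000), ("tcp", 1520), ("tcp", 1600)):
        print(proto, port, applications_for(table, proto, port))
```

When an entry is elided, use the `detail` form of the command shown earlier to recover the full list before relying on the answer; the summary display deliberately drops the middle members.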

Related Commands

Command
Description

ip port-map

Establishes PAM entries.


show ip sdee

To display Security Device Event Exchange (SDEE) notification information, use the show ip sdee command in privileged EXEC mode.

show ip sdee {[alerts] [all] [errors] [events] [configuration] [status] [subscriptions]}

Syntax Description

alerts

Displays the Intrusion Detection System (IDS) alert buffer.

all

Displays all information available for IDS SDEE notifications.

errors

Displays IDS SDEE error messages.

events

Displays IDS SDEE events.

configuration

Displays SDEE configuration parameters.

status

Displays the status events that are currently in the buffer.

subscriptions

Displays IDS SDEE subscription information.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Examples

The following is sample output from the show ip sdee alerts command. In this example, the alerts are numbered from 1 to 100 (because 100 events are currently in the event buffer). Following the alert number are 3 digits, which indicate whether the alert has been reported for the 3 possible subscriptions. In this example, these alerts have been reported for subscription number 1. The event ID is composed of the alert time and an increasing count, separated by a colon.

Router# show ip sdee alerts

Event storage:1000 events using 656000 bytes of memory
                                SDEE Alerts

SigID       SrcIP     DstIP       SrcPort  DstPort  Sev     Event ID        SigName
1:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211478597901  ICMP Echo Req
2:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211478887902  ICMP Echo Req
3:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211479247903  ICMP Echo Req
4:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211479457904  ICMP Echo Req
5:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211479487905  ICMP Echo Req
6:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211480077906  ICMP Echo Req
7:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211480407907  ICMP Echo Req
...........................................................
...........................................................
96:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750898596  ICMP Echo Req
97:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750898597  ICMP Echo Req
98:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750898598  ICMP Echo Req
99:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750908599  ICMP Echo Req
100:000 2004 10.0.0.2 10.0.0.1    8        0        2       10211750918600  ICMP Echo Req 
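The three digits after the alert number are one delivery flag per possible subscription, which makes this display the place to see whether a collector has stopped pulling events. The following Python is an added example, not Cisco code, that parses the alert rows, skips the header and separator lines, lists the alerts a given subscription has not yet retrieved, and counts alerts per signature and source. The sample rows are constructed in the format shown above with made-up addresses and event IDs; the `undelivered` and `count_by_signature` names are this example's own.

```python
"""Parse 'show ip sdee alerts' rows and report undelivered alerts.

Added example; not part of the Cisco IOS command reference.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the display above; not a real sensor.
SAMPLE_ALERTS = """\
Event storage:1000 events using 656000 bytes of memory
                                SDEE Alerts

SigID       SrcIP     DstIP       SrcPort  DstPort  Sev     Event ID        SigName
1:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211478597901  ICMP Echo Req
2:110 2004  10.0.0.2  10.0.0.1    8        0        2       10211478887902  ICMP Echo Req
...........................................................
3:000 2004  10.0.0.7  10.0.0.1    8        0        2       10211750898596  ICMP Echo Req
4:000 2004  10.0.0.2  10.0.0.1    8        0        2       10211750918600  ICMP Echo Req
"""

ALERT_RE = re.compile(
    r"^(?P<num>\d+):(?P<subs>[01]{3})\s+(?P<sigid>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<sev>\d+)\s+(?P<event_id>\d+)\s+(?P<name>.+?)\s*$"
)


def parse_sdee_alerts(text: str) -> List[Dict[str, object]]:
    alerts: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # storage summary, title, column header, separator dots
        # One flag per subscription slot: '1' means this subscription has received the alert.
        reported = [flag == "1" for flag in m["subs"]]
        alerts.append({
            "num": int(m["num"]), "reported": reported, "sigid": int(m["sigid"]),
            "src": m["src"], "dst": m["dst"],
            "sport": int(m["sport"]), "dport": int(m["dport"]),
            "severity": int(m["sev"]), "event_id": m["event_id"], "name": m["name"],
        })
    return alerts


def undelivered(alerts: List[Dict[str, object]], subscription: int) -> List[int]:
    """Alert numbers not yet retrieved by the given subscription (1-based).
    A list that keeps growing between samples means that collector has stalled."""
    idx = subscription - 1
    return [a["num"] for a in alerts if not a["reported"][idx]]


def count_by_signature(alerts: List[Dict[str, object]]) -> Dict[Tuple[int, str, str], int]:
    """(sigid, signature name, source) -> alert count, to spot one source producing a burst."""
    counts: Dict[Tuple[int, str, str], int] = {}
    for a in alerts:
        key = (a["sigid"], a["name"], a["src"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_sdee_alerts(SAMPLE_ALERTS)
    print("not yet delivered to subscription 1:", undelivered(parsed, 1))
    for key, n in count_by_signature(parsed).items():
        print(key, n)
```

Because the buffer is a ring of a fixed number of events (see `Event storage` and the `ip sdee events` command described below), alerts that stay undelivered long enough are overwritten, so the undelivered list should be checked against the buffer size rather than read as a complete history.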

The following is sample output from the show ip sdee subscriptions command. In this example, SDEE is enabled, the maximum event buffer size has been set to 100, and the maximum number of subscriptions that can be open at the same time is 1.

Router# show ip sdee subscriptions 

SDEE is enabled
Alert buffer size:100 alerts 65600 bytes
Maximum subscriptions:1

SDEE open subscriptions: 1
Subscription ID IDS1720:0:
Client address 10.0.0.2 port 1500
        Subscription opened at 13:21:30 MDT July 18 2003
        Total GET requests:0
        Max number of events:50
        Timeout:30
        Event Start Time:0
        Report alerts:true
        Alert severity level is INFORMATIONAL
        Report errors:false
        Report status:false

Table 135 describes the significant fields shown in the display.

Table 135 show ip sdee subscriptions Field Descriptions 

Field
Description

Alert buffer size:100 alerts 65600 bytes

Maximum number of events that can be stored in the buffer. The maximum number of events to be stored refers to all types of events (alert, status, and error).

(This value can be changed via the ip sdee events command.)

Maximum subscriptions:1

Maximum number of subscriptions that can be open at the same time. (This value can be changed via the ip sdee subscriptions command.)


The following is sample output from the show ip sdee status command. In this example, the buffer is set to store a maximum of 1000 events.

Router# show ip sdee status

Event storage:1000 events using 656000 bytes of memory

                   SDEE Status Messages
Time                            Message              Description
1:000 22:10:58 UTC Apr 18 2003  applicationStarted   STRING.UDP,0 ms
2:000 22:10:58 UTC Apr 18 2003  applicationStarted   STRING.TCP,0 ms
3:000 22:10:58 UTC Apr 18 2003  applicationStarted   OTHER,0 ms
4:000 22:10:58 UTC Apr 18 2003  applicationStarted   SERVICE.FTP,276 ms
5:000 22:11:07 UTC Apr 18 2003  applicationStarted   SERVICE.SMTP,8884 ms
6:000 22:11:07 UTC Apr 18 2003  applicationStarted   SERVICE.RPC,72 ms
7:000 22:11:07 UTC Apr 18 2003  applicationStarted   SERVICE.DNS,132 ms
8:000 22:11:15 UTC Apr 18 2003  applicationStarted   SERVICE.HTTP,7632 ms
9:000 22:11:15 UTC Apr 18 2003  applicationStarted   ATOMIC.TCP,24 ms
10:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.UDP,12 ms
11:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.ICMP,12 ms
12:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.IPOPTIONS,8 ms
13:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.L3.IP,8 ms

Related Commands

Command
Description

ip ips notify

Specifies the method of event notification.

ip sdee events

Sets the maximum number of SDEE events that can be stored in the event buffer.

ip sdee subscriptions

Sets the maximum number of SDEE subscriptions that can be open simultaneously.


show ip source-track

To display traffic flow statistics for tracked IP host addresses, use the show ip source-track command in privileged EXEC mode.

show ip source-track [ip-address] [summary | cache]

Syntax Description

ip-address

(Optional) Displays the IP address of the tracked host for which traffic flow information is displayed.

summary

(Optional) Displays a summary of traffic flow information that is collected for a specified host address (via the ip-address argument) or for all configured hosts.

cache

(Optional) Displays detailed packet and flow information that is collected on line cards and port adapters for all tracked IP addresses or for a specified IP address. (This information is not displayed on a distributed platform such as the gigabit route processor (GRP) or route switch processor (RSP).)


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(21)S

This command was introduced.

12.0(22)S

This command was implemented on the Cisco 7500 series routers.

12.0(26)S

This command was implemented on Cisco 12000 series ISE line cards.

12.3(7)T

This command was integrated into Cisco IOS Release 12.3(7)T.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Examples

The following example, which is sample output from the show ip source-track summary command, shows how to verify that IP source tracking is enabled for one or more hosts:

Router# show ip source-track summary

Address          Bytes    Pkts    Bytes/s   Pkts/s
10.0.0.1          119G   1194M    443535      4432
192.168.1.1       119G   1194M    443535      4432
192.168.42.42     119G   1194M    443535      4432

The following example, which is sample output from the show ip source-track summary command, shows how to verify that no traffic has yet been received for the destination hosts that are being tracked:

Router# show ip source-track summary

Address        Bytes   Pkts   Bytes/s   Pkts/s
10.0.0.1           0      0         0        0 
192.168.1.1        0      0         0        0 
192.168.42.42      0      0         0        0 

The following example, which is sample output from the show ip source-track command, shows that IP source tracking is processing packets to the hosts and exporting statistics from the line card or port adapter to the route processor:

Router# show ip source-track

Address         SrcIF    Bytes   Pkts   Bytes/s   Pkts/s
10.0.0.1        PO0/0    119G   1194M    513009     5127
192.168.1.1     PO0/0    119G   1194M    513009     5127
192.168.42.42   PO0/0    119G   1194M    513009     5127
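The three outputs above are the usual way to confirm that tracking is active and that a tracked host is actually seeing traffic. The following parser, added here as an example and not part of the Cisco documentation, reads both the summary layout and the per-interface layout, expands the abbreviated counters (K, M, G are assumed to be decimal multipliers), and lists the tracked hosts that have received nothing yet. The sample inputs are constructed from the outputs shown above.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample inputs, copied from the documented outputs above.
ACTIVE_SUMMARY = """Address          Bytes    Pkts    Bytes/s   Pkts/s
10.0.0.1          119G   1194M    443535      4432
192.168.1.1       119G   1194M    443535      4432
192.168.42.42     119G   1194M    443535      4432
"""
IDLE_SUMMARY = """Address        Bytes   Pkts   Bytes/s   Pkts/s
10.0.0.1           0      0         0        0
192.168.1.1        0      0         0        0
192.168.42.42      0      0         0        0
"""
PER_INTERFACE = """Address         SrcIF    Bytes   Pkts   Bytes/s   Pkts/s
10.0.0.1        PO0/0    119G   1194M    513009     5127
192.168.1.1     PO0/0    119G   1194M    513009     5127
"""

# Assumption: IOS abbreviates counters with decimal K/M/G multipliers.
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_count(token: str) -> int:
    """Expand an abbreviated counter: '119G' -> 119000000000, '88K' -> 88000, '0' -> 0."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"unrecognised counter: {token!r}")
    return int(m.group(1)) * _SUFFIX.get(m.group(2), 1)


class TrackedHost(NamedTuple):
    address: str
    src_if: Optional[str]   # present only in the per-interface layout
    bytes_: int
    pkts: int
    bytes_per_s: int
    pkts_per_s: int


def parse_source_track(text: str) -> List[TrackedHost]:
    """Parse either 'show ip source-track summary' or 'show ip source-track' output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("Address"):
        raise ValueError("missing column header")
    has_if = "SrcIF" in lines[0].split()
    hosts: List[TrackedHost] = []
    for line in lines[1:]:
        fields = line.split()
        if has_if:
            addr, src_if, counters = fields[0], fields[1], fields[2:]
        else:
            addr, src_if, counters = fields[0], None, fields[1:]
        if len(counters) != 4:
            raise ValueError(f"unexpected row: {line!r}")
        b, p, bps, pps = (parse_count(c) for c in counters)
        hosts.append(TrackedHost(addr, src_if, b, p, bps, pps))
    return hosts


def idle_hosts(hosts: List[TrackedHost]) -> List[str]:
    """Tracked addresses whose byte and packet counters are still zero."""
    return [h.address for h in hosts if h.bytes_ == 0 and h.pkts == 0]


if __name__ == "__main__":
    print("idle:", idle_hosts(parse_source_track(IDLE_SUMMARY)))
    print("active:", [h.address for h in parse_source_track(ACTIVE_SUMMARY)])
```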

Related Commands

Command
Description

ip source-track

Enables IP source tracking for a specified host.

ip source-track address-limit

Configures the maximum number of destination hosts that can be simultaneously tracked at any given moment.

ip source-track syslog-interval

Sets the time interval (in minutes) in which syslog messages are generated if IP source tracking is enabled on a device.


show ip source-track export flows

To display the last ten packet flows that were exported from the line card to the route processor, use the show ip source-track export flows command in privileged EXEC mode.

show ip source-track export flows

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(21)S

This command was introduced.

12.0(22)S

This command was implemented on the Cisco 7500 series routers.

12.0(26)S

This command was implemented on Cisco 12000 series ISE line cards.

12.3(7)T

This command was integrated into Cisco IOS Release 12.3(7)T.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

The show ip source-track export flows command can be issued only on distributed platforms such as the GRP and the RSP.

Examples

The following example displays the packet flow information that is exported from line cards and port adapters to the gigabit route processor (GRP) and the route switch processor (RSP):

Router# show ip source-track export flows

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
PO0/0         10.1.1.0       Null          10.1.1.1       06 0000 0000    88K
PO0/0         10.1.1.0       Null          10.1.1.3       06 0000 0000    88K
PO0/0         10.1.1.0       Null          10.1.1.2       06 0000 0000    88K

Related Commands

Command
Description

ip source-track

Enables IP source tracking for a specified host.

ip source-track export-interval

Sets the time interval (in seconds) in which IP source tracking statistics are exported from the line card to the RP.


show ip ssh

To display the version and configuration data for Secure Shell (SSH), use the show ip ssh command in privileged EXEC mode.

show ip ssh

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1 T.

12.1(5)T

This command was modified to display the SSH status—enabled or disabled.

12.2(17a)SX

This command was integrated into Cisco IOS Release 12.2(17a)SX.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

Use the show ip ssh command to view the status of configured options such as retries and timeouts. This command allows you to see if SSH is enabled or disabled.

Examples

The following is sample output from the show ip ssh command when SSH has been enabled:

Router# show ip ssh

SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3

The following is sample output from the show ip ssh command when SSH has been disabled:

Router# show ip ssh

%SSH has not been enabled
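When auditing many devices, the two outputs above are easier to act on once they are turned into structured fields. The following parser and check are an added example and not part of the Cisco documentation; the sample inputs are constructed from the outputs shown above, and the policy thresholds (timeout at most 120 seconds, at most 3 retries) are assumptions chosen to match the documented example. The version interpretation is general SSH knowledge rather than something the page states: a version string of 1.5 means protocol version 1 only, while 1.99 or 2.0 indicate that SSH version 2 is available.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample inputs, copied from the two documented outputs above.
SSH_ENABLED_OUTPUT = """SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
"""
SSH_DISABLED_OUTPUT = "%SSH has not been enabled\n"

_ENABLED_RE = re.compile(r"^SSH Enabled - version (?P<version>\S+)", re.MULTILINE)
_AUTH_RE = re.compile(
    r"Authentication timeout:\s*(?P<timeout>\d+)\s*secs;"
    r"\s*Authentication retries:\s*(?P<retries>\d+)"
)


@dataclass
class SshStatus:
    enabled: bool
    version: Optional[str] = None
    auth_timeout: Optional[int] = None   # seconds
    auth_retries: Optional[int] = None


def parse_show_ip_ssh(text: str) -> SshStatus:
    """Turn 'show ip ssh' output into an SshStatus; raises on unknown layouts."""
    m = _ENABLED_RE.search(text)
    if not m:
        if "%SSH has not been enabled" in text:
            return SshStatus(enabled=False)
        raise ValueError("unrecognised show ip ssh output")
    status = SshStatus(enabled=True, version=m.group("version"))
    a = _AUTH_RE.search(text)
    if a:
        status.auth_timeout = int(a.group("timeout"))
        status.auth_retries = int(a.group("retries"))
    return status


def supports_v2(version: str) -> bool:
    # General SSH knowledge (assumption, not from the page): IOS reports 1.5 for
    # protocol version 1 only, 1.99 for both, and 2.0 for version 2 only.
    return version in ("1.99", "2.0")


def audit(status: SshStatus, max_timeout: int = 120, max_retries: int = 3) -> List[str]:
    """Return human-readable findings; an empty list means the device meets the assumed policy."""
    findings: List[str] = []
    if not status.enabled:
        return ["SSH is not enabled on this device"]
    if status.version is not None and not supports_v2(status.version):
        findings.append(f"SSH version {status.version} offers protocol version 1 only")
    if status.auth_timeout is not None and status.auth_timeout > max_timeout:
        findings.append(f"authentication timeout {status.auth_timeout}s exceeds {max_timeout}s")
    if status.auth_retries is not None and status.auth_retries > max_retries:
        findings.append(f"authentication retries {status.auth_retries} exceeds {max_retries}")
    return findings


if __name__ == "__main__":
    for sample in (SSH_ENABLED_OUTPUT, SSH_DISABLED_OUTPUT):
        print(audit(parse_show_ip_ssh(sample)))
```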

Related Commands

Command
Description

show ssh

Displays the status of SSH server connections.


show ip traffic-export

To display information related to router IP traffic export (RITE), use the show ip traffic-export command in privileged EXEC mode.

show ip traffic-export [interface interface-name | profile profile-name]

Syntax Description

interface interface-name

(Optional) Only data associated with the monitored ingress interface is shown.

profile profile-name

(Optional) Only flow statistics, such as exported packets and number of bytes, are shown.


Defaults

If neither keyword is specified, all data (both interface- and profile-related data) is shown.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Examples

The following sample output from the show ip traffic-export command is for the profile "one." This example is for a single configured interface. If multiple interfaces are configured, the information shown below is displayed for each interface.

Router# show ip traffic-export

Router IP Traffic Export Parameters
Monitored Interface FastEthernet0/0
Export Interface FastEthernet0/1
Destination MAC address 0030.7131.abfc
bi-directional traffic export is off
Input IP Traffic Export Information Packets/Bytes Exported 0/0
Packets Dropped 0
Sampling Rate one-in-every 1 packets
        No Access List configured
        Profile one is Active

Table 136 describes the significant fields shown in the display.

Table 136 show ip traffic-export Field Descriptions 

Field
Description

Monitored Interface

Interface on which the profile was applied. (This interface is specified via the ip traffic-export apply profile command.)

Export Interface

Interface on which the profile exports all captured IP traffic. (This interface is specified via the ip traffic-export profile command.)

Destination MAC address

Ethernet address of the destination host, which is specified via the mac-address command.

bi-directional traffic export is

Incoming and outgoing IP traffic is exported on the monitored interface (via the bidirectional command). By default, only incoming traffic is exported.

Input IP Traffic Export Information
       Packets Dropped
       Sampling Rate
       No Access List Configured
      Profile one is Active

Incoming IP traffic information. The sampling rate and ACL can be defined via the incoming command. If the profile is incomplete, the profile will be listed as inactive.


Related Commands

Command
Description

bidirectional

Enables incoming and outgoing IP traffic to be exported across a monitored interface.

ip traffic-export apply profile

Applies an IP traffic export profile to a specific interface.

ip traffic-export profile

Creates or edits an IP traffic export profile and enables the profile on an ingress interface.

incoming

Configures filtering for incoming export traffic.

outgoing

Configures filtering for outgoing export traffic.


show ip trigger-authentication

To display the list of remote hosts for which automated double authentication has been attempted, use the show ip trigger-authentication command in privileged EXEC mode.

show ip trigger-authentication

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

11.3 T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Whenever a remote user needs to be user-authenticated in the second stage of automated double authentication, the local device sends a User Datagram Protocol (UDP) packet to the remote user's host. When the UDP packet is sent, the user's host IP address is added to a table. If additional UDP packets are sent to the same remote host, a new table entry is not created; instead, the existing entry is updated with a new time stamp. This remote host table contains a cumulative list of host entries; entries are deleted after a timeout period or after you manually clear the table using the clear ip trigger-authentication command. You can change the timeout period with the ip trigger-authentication (global) command.

Use this command to view the list of remote hosts for which automated double authentication has been attempted.

Examples

The following example shows output from the show ip trigger-authentication command:

Router# show ip trigger-authentication

Trigger-authentication Host Table:
Remote Host          Time Stamp
209.165.200.230       2940514234

This output shows that automated double authentication was attempted for a remote user; the remote user's host has the IP address 209.165.200.230. The attempt to automatically double authenticate occurred when the local host (myfirewall) sent the remote host (209.165.200.230) a packet to UDP port 7500. (The default port was not changed in this example.)

Related Commands

Command
Description

clear ip trigger-authentication

Clears the list of remote hosts for which automated double authentication has been attempted.


show ip trm config

To display the configuration information for the Trend Router Provisioning Server (TRPS), use the show ip trm config command in privileged EXEC mode.

show ip trm config

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.4(15)XZ

This command was introduced.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.


Usage Guidelines

Use the show ip trm config command to display information about the TRPS. The output shows both the current configuration and the default configuration.

Examples

The following shows sample output from the show ip trm config command when the router is registered with the TRPS named trps.example.com:

Router# show ip trm config 

 Server: trps.example.com
   HTTPS Port: 443
   HTTP  Port: 80
       Status: Active
 Server: trps.trendmicro.com ( Default )
   HTTPS Port: 443
   HTTP  Port: 80
       Status: Standby

Table 137 describes the significant fields shown in the display.

Table 137 show ip trm config Field Descriptions 

Field
Description

Server

The name of the TRPS.

HTTPS Port

The port on which the TRPS listens for secure HTTP requests.

HTTP Port

The port on which the TRPS listens for HTTP requests.

Status

The status of the named TRPS—either Active or Standby.



Related Commands

Command
Description

show ip trm subscription status

Displays the status of the subscription with Trend Micro.


show ip trm subscription status

To display information about the status of the Trend Micro subscription, use the show ip trm subscription status command in privileged EXEC mode.

show ip trm subscription status

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.4(15)XZ

This command was introduced.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.


Usage Guidelines

Use the show ip trm subscription status command to display the status of the Trend Micro subscription. If the router is registered with the Trend Router Provisioning Server (TRPS), the router displays the subscription status information. If the router is not registered with the TRPS, a message indicating that the router is not registered is displayed.

Examples

The following shows sample output from the show ip trm subscription status command when the router is registered with the TRPS:

Router# show ip trm subscription status 

Package Name:	Security & Productivity
 ------------------------------------------------
				Status:     Active
	Status Update Time:     08:55:07 MDT Thu Apr 3 2008
	   Expiration-Date:     Tue Jul 21 10:12:59 2020
	   Last Req Status:     Processed response successfully
	Last Req Sent Time:     08:55:07 MDT Thu Apr 3 2008

Table 138 describes the significant fields shown in the display.

Table 138 show ip trm subscription status Field Descriptions 

Field
Description

Status

Displays the status of the Trend Micro subscription.

Status Update Time

Displays the time and date that status of the Trend Micro subscription was last updated.

Expiration Date

Displays the date and time that the Trend Micro subscription expires.

Last Req Status

Displays the status of the most recent request.

Last Req Sent Time

Displays the time and date of the most recent lookup request to the TRPS.


Related Commands

Command
Description

show ip trm config

Displays information about the TRPS.


show ip urlfilter cache

To display the maximum number of entries that the cache table can hold, the number of entries currently cached, and the destination IP addresses that are cached, use the show ip urlfilter cache command in privileged EXEC mode.

show ip urlfilter cache [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Displays the information only for the specified Virtual Routing and Forwarding (VRF) interface.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)YU

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Examples

The following example is sample output from the show ip urlfilter cache command:

Router# show ip urlfilter cache

Maximum number of entries allowed: 5000
Number of entries cached: 5
IP addresses cached ....
 10.64.128.54
 172.28.139.21
 10.76.82.25
 192.168.0.1
 10.0.1.2

Table 139 describes the significant fields shown in the display.

Table 139 show ip urlfilter cache Field Descriptions

Field
Description

Maximum number of entries allowed

Maximum number of destination IP addresses that can be cached into the cache table. This parameter can be configured using the ip urlfilter cache command. (The default is 5000.)

Number of entries cached

Number of entries that have already been cached into the cache table.

IP addresses cached

IP addresses that have already been cached into the cache table.


Related Commands

Command
Description

clear ip urlfilter cache

Clears the cache table.

ip urlfilter cache

Configures cache parameters.


show ip urlfilter config

To display the size of the cache, the maximum number of outstanding requests, the allow mode state, and the list of configured vendor servers, use the show ip urlfilter config command in EXEC mode.

show ip urlfilter config [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Displays the information only for the specified Virtual Routing and Forwarding (VRF) interface.


Command Modes

EXEC

Command History

Release
Modification

12.2(11)YU

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Examples

The following example is sample output from the show ip urlfilter config command:

Router# show ip urlfilter config

URL filter is ENABLED

Primary Websense server configurations
===========================
Websense server IP address: 10.0.0.3
Websense server port: 15868
Websense retransmit time out: 5 (seconds)
Websense number of retransmit:2

Secondary Websense server configurations:
==============================
None.

Other configurations
===============
Allow mode: OFF
System Alert: ON
Log message on the router: OFF
Log message on URL filter server:ON
Maximum number of cache entries :5000
Cache timeout :12 (hours)
Maximum number of packet buffers:200
Maximum outstanding requests:1000

Related Commands

Command
Description

ip urlfilter allowmode

Turns on the default mode (allow mode) of the filtering algorithm.

ip urlfilter cache

Configures cache parameters.

ip urlfilter max-request

Sets the maximum number of outstanding requests that can exist at any given time.

ip urlfilter server vendor

Configures a vendor server for URL filtering.


show ip urlfilter statistics

To display URL filtering statistics, use the show ip urlfilter statistics command in privileged EXEC mode.

show ip urlfilter [mib] statistics [vrf vrf-name] [{global | server {ip-address [port] | all}}]

Syntax Description

mib

(Optional) Displays statistics only for firewall MIB events.

vrf vrf-name

(Optional) Displays the information only for the specified Virtual Routing and Forwarding (VRF) interface.

Note The firewall MIB is not yet VRF aware; thus, this option is not supported if the mib keyword is used.

global

(Optional) Displays global URL filtering statistics.

server ip-address

(Optional) Displays statistics for the server specified via IP address.

server port

(Optional) Displays statistics for the server specified via IP address and port.

Note You must issue the ip-address argument before issuing the port argument.

all

(Optional) Displays statistics for all configured servers.


Command Modes

Privi