Table Of Contents
show diameter peer
show dmvpn
show dnsix
show dot1x
show dot1x (EtherSwitch)
show dss log
show eap registrations
show eap sessions
show eou
show epm session
show fm private-hosts
show fpm package-group
show fpm package-info
show ip access-list
show ip access-lists
show ip admission
show ip audit configuration
show ip audit interface
show ip audit statistics
show ip auth-proxy
show ip auth-proxy watch-list
show ip bgp labels
show ip device tracking
show ip inspect
show ip inspect ha
show ip interface
show ip ips
show ip ips auto-update
show ip port-map
show ip sdee
show ip source-track
show ip source-track export flows
show ip ssh
show ip traffic-export
show ip trigger-authentication
show ip trm config
show ip trm subscription status
show ip urlfilter cache
show ip urlfilter config
show ip urlfilter statistics
show ip virtual-reassembly
show kerberos creds
show logging ip access-list
show login
show mab
show mac access-group interface
show mac-address-table
show management-interface
show mls rate-limit
show object-group
show diameter peer
To display the configuration and status of a specific Diameter peer, or all Diameter peers, use the show diameter peer command in privileged EXEC mode.
show diameter peer [peer-name]
Syntax Description
peer-name | (Optional) Displays the configuration and status of the specified Diameter peer. Note: If no peer name is specified, the command displays information for all configured Diameter peers.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.4(9)T | This command was introduced.
Usage Guidelines
This command displays the peer status information, as well as counters, including:
•
Total packets sent
•
Total responses seen
•
Packets with responses
•
Packets without responses
•
Average response delay (ms)
•
Number of Diameter timeouts
•
Buffer allocation failures
Examples
The following is a sample output from the show diameter peer command:
Router# show diameter peer iwan-view5
Peer information for iwan-view5
-------------------------------
Peer transport protocol: TCP
Peer listening port: 3688
Peer security protocol: IPSEC
Peer connection timer value: 30 seconds
Peer watch dog timer value: 35 seconds
Peer connection status: UP
The fields shown above are self-explanatory.
Related Commands
Command | Description
debug diameter | Displays information about the Diameter protocol.
show dmvpn
To display Dynamic Multipoint VPN (DMVPN) specific session information, use the show dmvpn command in privileged EXEC mode.
show dmvpn [ipv4 | ipv6] [peer [nbma | tunnel {ip-address | ipv6-address}] | network {ip-address mask}] [vrf vrf-name] [interface tunnel number] [detail] [static] [debug-condition]
Syntax Description
ipv4 | (Optional) Displays information only about IPv4 private networks.
ipv6 | (Optional) Displays information only about IPv6 private networks.
peer | (Optional) Displays information for a specific DMVPN peer.
nbma | (Optional) Displays DMVPN information based on nonbroadcast multiaccess (NBMA) addresses.
tunnel | (Optional) Displays DMVPN information based on the peer virtual private network (VPN) address.
ip-address | (Optional) Specifies the DMVPN peer IP address.
ipv6-address | (Optional) Specifies the DMVPN peer IPv6 address.
network ip-address mask | (Optional) Displays DMVPN information based on a specific destination network and mask.
vrf vrf-name | (Optional) Displays information for the specified virtual routing and forwarding (VRF) instance.
interface | (Optional) Displays DMVPN information for a specific interface.
tunnel number | (Optional) Specifies the tunnel interface number.
detail | (Optional) Displays detailed DMVPN information for each session, including Next Hop Server (NHS) and NHS status, crypto session information, and socket details.
static | (Optional) Displays only static DMVPN information.
debug-condition | (Optional) Displays DMVPN conditional debugging.
Command Default
Information is displayed for all DMVPN-specific sessions.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.4(9)T | This command was introduced.
12.4(20)T | The ipv4 keyword, the ipv6 keyword, the ipv6-address argument, and the network ipv6-address keyword and argument combination were added.
12.4(22)T | The output of this command was extended to display the NHRP group received from the spoke and the QoS policy applied to the spoke tunnel.
Usage Guidelines
Use this command to obtain DMVPN-specific session information. By default, summary information is displayed.
When the detail keyword is used, the command output includes information from the show crypto session detail command, including inbound and outbound security parameter indexes (SPIs), and from the show crypto socket command.
Examples
The following example shows sample summary output:
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
! The line below indicates that the sessions are being displayed for Tunnel1.
! Tunnel1 is acting as a spoke and is a peer with three other NBMA peers.
Tunnel1, Type: Spoke, NBMA Peers: 3,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 192.0.2.21 192.0.2.116 IKE 3w0d D
1 192.0.2.102 192.0.2.11 NHRP 02:40:51 S
1 192.0.2.225 192.0.2.10 UP 3w0d S
Tunnel2, Type: Spoke, NBMA Peers: 1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.0.2.25 192.0.2.171 IKE never S
Table 121 describes the significant fields shown in the display.
Table 121 show dmvpn Field Descriptions
Field | Description
# Ent | The number of Next Hop Resolution Protocol (NHRP) entries in the current session.
Peer NBMA Addr | The remote NBMA address.
Peer Tunnel Add | The remote tunnel endpoint IP address.
State | The state of the DMVPN session. The DMVPN session is either up or down. If the DMVPN session is down, the layer at which it is stuck is displayed in place of the state: Internet Key Exchange (IKE), IPsec, or NHRP.
UpDn Tm | How long the session has been in the current state.
Attrb | Any associated attributes of the current session. One or more of the following flags are displayed: dynamic (D), static (S), incomplete (I), Network Address Translation (NAT) applied to the peer address, that is, NATed (N), local (L), or no socket (X).
The following example shows output of the show dmvpn command with the detail keyword:
Router# show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel1 info: --------------
Intf. is up, Line Protocol is up, Addr. is 192.0.2.5
Source addr: 192.0.2.229, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "gre_prof",
Tunnel VRF "" ip vrf forwarding ""
NHRP Details: NHS: 192.0.2.10 RE 192.0.2.11 E
Type: Spoke, NBMA Peers: 4
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
2 192.0.2.21 192.0.2.116 UP 00:14:59 D 192.0.2.118/24
UP 00:14:59 D 192.0.2.116/32
IKE SA: local 192.0.2.229/500 remote 192.0.2.21/500 Active
Capabilities:(none) connid:1031 lifetime:23:45:00
Crypto Session Status: UP-ACTIVE
IPSEC FLOW: permit 47 host 192.0.2.229 host 192.0.2.21
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 1 drop 0 life (KB/Sec) 4494994/2700
Outbound: #pkts enc'ed 1 drop 0 life (KB/Sec) 4494994/2700
Outbound SPI : 0xD1EA3C9B, transform : esp-3des esp-sha-hmac
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 192.0.2.229 192.0.2.5 UP 00:15:00 DLX 192.0.2.5/32
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 192.0.2.102 192.0.2.11 NHRP 02:55:47 S 192.0.2.11/32
IKE SA: local 192.0.2.229/4500 remote 192.0.2.102/4500 Active
Capabilities:N connid:1028 lifetime:11:45:37
Crypto Session Status: UP-ACTIVE
IPSEC FLOW: permit 47 host 192.0.2.229 host 192.0.2.102
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 199056 drop 393401 life (KB/Sec) 4560270/1524
Outbound: #pkts enc'ed 416631 drop 10531 life (KB/Sec) 4560322/1524
Outbound SPI : 0x9451AF5C, transform : esp-3des esp-sha-hmac
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 192.0.2.225 192.0.2.10 UP 3w0d S 192.0.2.10/32
IKE SA: local 192.0.2.229/500 remote 192.0.2.225/500 Active
Capabilities:(none) connid:1030 lifetime:03:46:44
Crypto Session Status: UP-ACTIVE
IPSEC FLOW: permit 47 host 192.0.2.229 host 192.0.2.225
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 430261 drop 0 life (KB/Sec) 4415197/3466
Outbound: #pkts enc'ed 406232 drop 4 life (KB/Sec) 4415197/3466
Outbound SPI : 0xAF3E15F2, transform : esp-3des esp-sha-hmac
-------------- Interface Tunnel2 info: --------------
Intf. is up, Line Protocol is up, Addr. is 192.0.2.172
Source addr: 192.0.2.20, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "gre_prof",
Tunnel VRF "" ip vrf forwarding ""
NHRP Details: NHS: 192.0.2.171 E
Type: Spoke, NBMA Peers: 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 192.0.2.25 192.0.2.171 IKE never S 192.0.2.171/32
IKE SA: local 192.0.2.20/500 remote 192.0.2.25/500 Inactive
Capabilities:(none) connid:0 lifetime:0
IKE SA: local 192.0.2.20/500 remote 192.0.2.25/500 Inactive
Capabilities:(none) connid:0 lifetime:0
Crypto Session Status: DOWN-NEGOTIATING
IPSEC FLOW: permit 47 host 192.0.2.20 host 192.0.2.25
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 436431 life (KB/Sec) 0/0
Outbound SPI : 0x 0, transform :
!There are no pending DMVPN sessions.
The following example shows output of the show dmvpn command with the detail keyword. This example displays the NHRP group received from the spoke and the QoS policy applied to the spoke tunnel:
Router# show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel0 info: --------------
Intf. is up, Line Protocol is up, Addr. is 10.0.0.1
Source addr: 172.17.0.1, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "dmvpn-profile",
Tunnel VRF "", ip vrf forwarding ""
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 172.17.0.2 10.0.0.2 UP 00:19:57 D 10.0.0.2/32
Output QoS service-policy applied: queueing
IKE SA: local 172.17.0.1/500 remote 172.17.0.2/500 Active
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 172.17.0.2
IPSEC FLOW: permit 47 host 172.17.0.1 host 172.17.0.2
Active SAs: 2, origin: crypto map
Outbound SPI : 0x44E4E634, transform : esp-des esp-sha-hmac
IKE SA: local 172.17.0.1/500 remote 172.17.0.2/500 Active
IPSEC FLOW: permit 47 host 172.17.0.1 host 172.17.0.2
Active SAs: 2, origin: crypto map
Outbound SPI : 0x44E4E634, transform : esp-des esp-sha-hmac
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 172.17.0.3 10.0.0.3 UP 00:02:21 D 10.0.0.3/32
Output QoS service-policy applied: queueing
IKE SA: local 172.17.0.1/500 remote 172.17.0.3/500 Active
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 172.17.0.3
IPSEC FLOW: permit 47 host 172.17.0.1 host 172.17.0.3
Active SAs: 2, origin: crypto map
Outbound SPI : 0xBF13C9CC, transform : esp-des esp-sha-hmac
IKE SA: local 172.17.0.1/500 remote 172.17.0.3/500 Active
IPSEC FLOW: permit 47 host 172.17.0.1 host 172.17.0.3
Active SAs: 2, origin: crypto map
Outbound SPI : 0xBF13C9CC, transform : esp-des esp-sha-hmac
-------------- Interface Tunnel1 info: --------------
Intf. is up, Line Protocol is up, Addr. is 11.0.0.1
Source addr: 172.17.0.1, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "dmvpn-profile",
Tunnel VRF "", ip vrf forwarding ""
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 172.17.0.2 11.0.0.2 UP 00:20:01 D 11.0.0.2/32
Output QoS service-policy applied: queueing
The following example shows DMVPN debug-condition information:
Router# show dmvpn debug-condition
NBMA addresses under debug are:
Interfaces under debug are:
DMVPN Conditional debug context unmatched flag: OFF
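The following Python script is an added example and is not part of the Cisco documentation or of Cisco IOS. It audits a captured show dmvpn transcript, in either the summary or the detail form shown above, for the conditions an operator reviewing the overlay would want flagged: peer rows whose State is not UP (reported together with the outbound drop count from the crypto session that follows the row), NHRP entries carrying the X (no socket) attribute, IKE SAs whose Capabilities field carries N (the NAT-traversal flag), and IPsec SAs negotiated with DES or 3DES transforms. The embedded transcript is constructed from the addresses in the examples above; the set of transforms treated as weak, and the reading of the Capabilities flag, are this example's own assumptions.

```python
"""Audit a 'show dmvpn [detail]' transcript for peers that are down, unprotected
or negotiated with weak transforms. Added example; not Cisco code."""
import re
import sys
from dataclasses import dataclass, field

# Transforms this example refuses to accept on a production overlay (assumption).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# One peer row: '# Ent  Peer NBMA Addr  Peer Tunnel Add  State  UpDn Tm  Attrb [Target]'
PEER_RE = re.compile(
    r"^\s*(?P<ent>\d+)\s+(?P<nbma>\d[\d.]+)\s+(?P<tunnel>\d[\d.]+)\s+"
    r"(?P<state>\S+)\s+(?P<updn>\S+)\s+(?P<attrb>[SDINLX]+)(?:\s+(?P<target>\S+))?\s*$")
CRYPTO_RE = re.compile(r"Crypto Session Status:\s*(?P<s>\S+)")
OUTBOUND_RE = re.compile(r"Outbound:\s*#pkts enc'ed\s+\d+\s+drop\s+(?P<drop>\d+)")
TRANSFORM_RE = re.compile(r"transform\s*:\s*(?P<t>.*)$")

@dataclass
class Peer:
    nbma: str
    tunnel: str
    state: str
    updn: str
    attrb: str
    crypto_status: str = ""
    out_drops: int = 0
    nat_t: bool = False
    transforms: set = field(default_factory=set)

def parse_dmvpn(text):
    """Return the peers in the order shown, each with the crypto lines that follow it."""
    peers, cur = [], None
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            cur = Peer(m["nbma"], m["tunnel"], m["state"], m["updn"], m["attrb"])
            peers.append(cur)
        elif cur is None:
            continue
        elif m := CRYPTO_RE.search(line):
            cur.crypto_status = m["s"]
        elif m := OUTBOUND_RE.search(line):
            cur.out_drops = int(m["drop"])
        elif m := TRANSFORM_RE.search(line):
            cur.transforms.update(m["t"].split())
        elif "Capabilities:" in line:
            # 'Capabilities:N' on the IKE SA line marks NAT traversal; '(none)' has no N
            caps = (line.split("Capabilities:", 1)[1].split() or [""])[0]
            cur.nat_t |= "N" in caps
    return peers

def audit(peers):
    """Security findings as plain text, one per condition per peer."""
    findings = []
    for p in peers:
        if "L" in p.attrb:          # our own tunnel address; nothing is negotiated for it
            continue
        if p.state != "UP":
            drops = f", {p.out_drops} outbound packets dropped meanwhile" if p.out_drops else ""
            findings.append(f"{p.nbma}: not up, stuck at {p.state} for {p.updn}{drops}")
        if "X" in p.attrb:
            findings.append(f"{p.nbma}: NHRP entry has no crypto socket (attribute X)")
        if weak := sorted(WEAK_TRANSFORMS & p.transforms):
            findings.append(f"{p.nbma}: weak IPsec transform(s) {', '.join(weak)}")
        if p.nat_t:
            findings.append(f"{p.nbma}: IKE SA reports NAT traversal (peer behind NAT)")
    return findings

# Constructed transcript modelled on the page's 'show dmvpn detail' examples.
SAMPLE = """\
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
 ----- --------------- --------------- ----- -------- ----- -----------------
     2 192.0.2.21      192.0.2.116       UP 00:14:59     D    192.0.2.118/24
                                         UP 00:14:59     D    192.0.2.116/32
   IKE SA: local 192.0.2.229/500 remote 192.0.2.21/500 Active
           Capabilities:(none) connid:1031 lifetime:23:45:00
   Crypto Session Status: UP-ACTIVE
   Outbound: #pkts enc'ed 1 drop 0 life (KB/Sec) 4494994/2700
   Outbound SPI : 0xD1EA3C9B, transform : esp-3des esp-sha-hmac
     1 192.0.2.229     192.0.2.5         UP 00:15:00   DLX      192.0.2.5/32
     1 192.0.2.102     192.0.2.11      NHRP 02:55:47     S     192.0.2.11/32
   IKE SA: local 192.0.2.229/4500 remote 192.0.2.102/4500 Active
           Capabilities:N connid:1028 lifetime:11:45:37
   Crypto Session Status: UP-ACTIVE
   Outbound: #pkts enc'ed 416631 drop 10531 life (KB/Sec) 4560322/1524
   Outbound SPI : 0x9451AF5C, transform : esp-aes esp-sha-hmac
     1 192.0.2.25      192.0.2.171      IKE never        S    192.0.2.171/32
   IKE SA: local 192.0.2.20/500 remote 192.0.2.25/500 Inactive
           Capabilities:(none) connid:0 lifetime:0
   Crypto Session Status: DOWN-NEGOTIATING
   Outbound: #pkts enc'ed 0 drop 436431 life (KB/Sec) 0/0
   Outbound SPI : 0x 0, transform :
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line in audit(parse_dmvpn(text)) or ["no findings"]:
        print(line)
```

Run it with the path of a saved transcript as the only argument, or with no argument to audit the embedded sample. Rows that carry the L attribute are the router's own tunnel address and are skipped, so the X that accompanies them (DLX above) is not reported; an X on any other row means traffic for that NHRP entry has no IPsec socket and deserves a look.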
Related Commands
Command | Description
debug dmvpn | Debugs DMVPN sessions.
show crypto session detail | Displays detailed status information for active crypto sessions.
show crypto socket | Lists crypto sockets.
show policy-map mgre | Displays statistics about a specific QoS policy as it is applied to a tunnel endpoint.
show dnsix
To display state information and the current configuration of the DNSIX audit writing module, use the show dnsix command in privileged EXEC mode.
show dnsix
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release | Modification
10.0 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Examples
The following is sample output from the show dnsix command:
Audit Trail Enabled with Source 192.168.2.5
Authorization Redirection List:
show dot1x
To display details for an identity profile, use the show dot1x command in privileged EXEC mode.
show dot1x [all | interface interface-name [details | statistics]] [statistics]
Syntax Description
all | (Optional) Displays 802.1X status for all ports.
interface interface-name | (Optional) Displays 802.1X status for the specified port (including type, stack member, module, and port number).
interface interface-name details | (Optional) Displays the interface configuration as well as the authenticator instances on the interface.
interface interface-name statistics | (Optional) Displays the interface statistics.
statistics | (Optional) Displays 802.1X statistics for all the interfaces.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.1(11)AX | This command was introduced.
12.1(14)EA1 | The all keyword was added.
12.3(2)XA | This command was integrated into Cisco IOS Release 12.3(2)XA.
12.3(4)T | This command was integrated into Cisco IOS Release 12.3(4)T.
12.2(25)SED | The output display was expanded to include auth-fail-vlan information in the authorization state machine state and port status fields.
12.2(25)SEE | The details and statistics keywords were added.
12.3(11)T | The PAE, HeldPeriod, StartPeriod, and MaxStart fields were added to the show dot1x command output.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
If you do not specify a port, global parameters and a summary appear. If you specify a port, details for that port appear in the output.
Examples
The following is sample output for the show dot1x command:
Sysauthcontrol = Disabled
Dot1x Info for interface Ethernet0
-----------------------------------------
ReAuthentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
Dot1x Info for interface Ethernet1
-----------------------------------------
ReAuthentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
The following is sample output for the show dot1x command using the interface keyword together with the details keyword. The clients are authenticated in this output example.
Router# show dot1x interface ethernet 0 details
ReAuthentication = Enabled
ReAuthPeriod = 36000 Seconds
ServerTimeout = 30 Seconds
-------------------------------------
-------------------------------------
0000.1111.0001 AUTHENTICATED
0000.1111.0002 UNAUTHENTICATED
The following show dot1x sample output shows information for all three possible interface configurations (that is, as an authenticator, as a supplicant, and as an authenticator and supplicant).
Dot1x Information for interface Ethernet0
-----------------------------------------
ReAuthentication = Enabled
ReAuthPeriod = 60 Seconds
ServerTimeout = 30 Seconds
Dot1x Information for interface Ethernet1
-----------------------------------------
Dot1x Information for interface Ethernet2
-----------------------------------------
ReAuthentication = Enabled
ReAuthPeriod = 60 Seconds
ServerTimeout = 30 Seconds
The following is sample output for the show dot1x command using the interface and details keywords.
Router# show dot1x interface ethernet0
ReAuthentication = Enabled
ReAuthPeriod = 60 Seconds
ServerTimeout = 30 Seconds
Router# show dot1x interface ethernet0 details
ReAuthentication = Enabled
ReAuthPeriod = 60 Seconds
ServerTimeout = 30 Seconds
-------------------------------------
-------------------------------------
0001.f380.87ce AUTHENTICATED
0001.87ce.f380 AUTHENTICATING
0010.a7b4.97af UNAUTHENTICATED
Dot1x List of Supplicant Instances
-----------------------------------------
-----------------------------------------
0180.c200.0003 AUTHORIZED
Table 122 describes the significant fields shown in the displays.
Table 122 show dot1x Field Descriptions
Field | Description
Sysauthcontrol | 802.1X port-based authentication is enabled or disabled.
PortControl | Port control value:
    • AUTO—the authentication status of the client PC is being determined by the authentication process.
    • Force-authorize—all the client PCs on the interface are being authorized.
    • Force-unauthorized—all the client PCs on the interface are being unauthorized.
PAE | Port Access Entity. Defines the role of an interface (as a supplicant, as an authenticator, or as an authenticator and supplicant).
ReAuthentication | Periodic reauthentication of client PCs on the interface has been enabled or disabled.
ReAuthPeriod | Time after which an automatic reauthentication will be initiated.
ServerTimeout | Timeout that has been set for RADIUS retries. If an 802.1X packet is sent to the server and the server does not send a response, the packet will be sent again after the number of seconds that are shown.
SuppTimeout | Time that has been set for supplicant (client PC) retries. If an 802.1X packet is sent to the supplicant and the supplicant does not send a response, the packet will be sent again after the number of seconds that are shown.
QuietWhile | After authentication fails for a client, the authentication gets restarted after the quiet period that is shown.
MaxReq | Maximum number of times that the router sends an Extensible Authentication Protocol (EAP) request/identity frame (assuming that no response is received) to the client PC before concluding that the client PC does not support 802.1X.
HeldPeriod | Interval for which the supplicant (client PC) will wait before trying to send its credentials after being unauthenticated by the authenticator.
StartPeriod | Interval between two successive Extensible Authentication Protocol over LAN (EAPOL) start messages (when they are being retransmitted).
MaxStart | Number of EAPOL-start messages that the supplicant (client PC) sends before the supplicant assumes that the other end is not 802.1X capable.
Dot1x Client List | Table providing information regarding MAC addresses and the state of the PCs. This list displays in the output if the interface is configured only as an authenticator or as an authenticator and a supplicant. If the interface is configured as a supplicant, a separate list is displayed.
Dot1x List of Supplicant Instances | Table providing information regarding MAC addresses and the state of the PCs. This list displays in the output if the interface is configured only as a supplicant.
MAC Address | List of MAC addresses (for example, the MAC address of the PC or of any 802.1X client).
State | The state of the PC can be authenticated or unauthenticated.
Related Commands
Command | Description
clear dot1x | Clears 802.1X interface information.
debug dot1x | Displays 802.1X debugging information.
dot1x default | Resets the global 802.1X parameters to their default values.
identity profile | Creates an identity profile.
show dot1x (EtherSwitch)
To display the 802.1X statistics, administrative status, and operational status for the Ethernet switch network module or for the specified interface, use the show dot1x command in privileged EXEC mode.
show dot1x [statistics] [interface interface-type interface-number]
Syntax Description
statistics | (Optional) Displays 802.1X statistics.
interface interface-type interface-number | (Optional) Specifies the slot and port number of the interface for which to display 802.1X information.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.1(6)EA2 | This command was introduced.
12.2(15)ZJ | This command was implemented on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.
12.3(4)T | This command was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.
Usage Guidelines
If you do not specify an interface, global parameters and a summary appear. If you specify an interface, details for that interface appear.
If you specify the statistics keyword without an interface, statistics appear for all physical ports.
Examples
The following is sample output from the show dot1x command:
Port Name Status Mode Authorized
Gi0/2 enabled Auto (negotiate) no
802.1X is disabled on GigabitEthernet0/1
802.1X is enabled on GigabitEthernet0/2
Supplicant 0060.b0f8.fbfb
Multiple Hosts Disallowed
Authenticator State Machine
Reauthentication State Machine
Table 123 describes the significant fields shown in the display.
Table 123 show dot1x Field Descriptions
Field | Description
reauth-enabled | Periodic reauthentication of client PCs on the interface has been enabled or disabled.
reauth-period | Time, in seconds, after which an automatic reauthentication will be initiated.
quiet-period | After authentication fails for a client, the authentication gets restarted after this quiet period shown in seconds.
tx-period | Time, in seconds, that the device waits for a response from a client to an Extensible Authentication Protocol (EAP) request or identity frame before retransmitting the request.
supp-timeout | Time, in seconds, that has been set for supplicant (client PC) retries. If an 802.1X packet is sent to the supplicant and the supplicant does not send a response, the packet will be sent again after the number of seconds that are shown.
server-timeout | Timeout, in seconds, that has been set for RADIUS retries. If an 802.1X packet is sent to the server and the server does not send a response, the packet will be sent again after the number of seconds that are shown.
reauth-max | The maximum number of times that the device tries to authenticate the client without receiving any response before the switch resets the port and restarts the authentication process.
max-req | Maximum number of times that the router sends an EAP request/identity frame (assuming that no response is received) to the client PC before concluding that the client PC does not support 802.1X.
Port Name | Interface type and slot/port numbers.
Status | Displays the 802.1X status of the port as either enabled or disabled.
Mode | Operational status of the port:
    • Auto—The port control value has been configured to be Force-unauthorized but the port has not changed to that state.
    • n/a—802.1X is disabled.
Authorized | Authorization state of the port.
Status | Status of the port (authorized or unauthorized). The status of a port appears as authorized if the dot1x port-control interface configuration command is set to auto, and authentication was successful.
Port-control | Setting of the dot1x port-control interface configuration command. The port control value is one of the following:
    • Auto—The authentication status of the client PC is being determined by the authentication process.
    • Force-authorize—All the client PCs on the interface are being authorized.
    • Force-unauthorized—All the client PCs on the interface are being unauthorized.
Supplicant | Ethernet MAC address of the client, if one exists. If the device has not discovered the client, this field displays Not set.
Multiple Hosts | Setting of the dot1x multiple-hosts interface configuration command (allowed or disallowed).
Current Identifier | Each exchange between the device and the client includes an identifier, which matches requests with responses. This number is incremented with each exchange and can be reset by the authentication server.
    Note This field and the remaining fields in the output show internal state information. For a detailed description of these state machines and their settings, refer to the IEEE 802.1X standard.
The following is sample output from the show dot1x interface gigabitethernet0/2 privileged EXEC command. Table 123 describes the fields in the output.
Router# show dot1x interface gigabitethernet0/2
802.1X is enabled on GigabitEthernet0/2
Supplicant 0060.b0f8.fbfb
Multiple Hosts Disallowed
Authenticator State Machine
Reauthentication State Machine
The following is sample output from the show dot1x statistics interface gigabitethernet0/1 command. Table 124 describes the fields in the example.
Router# show dot1x statistics interface gigabitethernet0/1
Rx: EAPOL EAPOL EAPOL EAPOL EAP EAP EAP
Start Logoff Invalid Total Resp/Id Resp/Oth LenError
Table 124 show dot1x statistics Field Descriptions
Field | Description
Rx EAPOL Start | Number of valid EAPOL-start frames that have been received. Note: EAPOL = Extensible Authentication Protocol over LAN.
Rx EAPOL Logoff | Number of EAPOL-logoff frames that have been received.
Rx EAPOL Invalid | Number of EAPOL frames that have been received and have an unrecognized frame type.
Rx EAPOL Total | Number of valid EAPOL frames of any type that have been received.
Rx EAP Resp/ID | Number of EAP-response/identity frames that have been received.
Rx EAP Resp/Oth | Number of valid EAP-response frames (other than response/identity frames) that have been received.
Rx EAP LenError | Number of EAPOL frames that have been received in which the packet body length field is invalid.
Last EAPOLVer | Protocol version number carried in the most recently received EAPOL frame.
Last EAPOLSrc | Source MAC address carried in the most recently received EAPOL frame.
Tx EAPOL Total | Number of EAPOL frames of any type that have been sent.
Tx EAP Req/Id | Number of EAP-request/identity frames that have been sent.
Tx EAP Req/Oth | Number of EAP-request frames (other than request/identity frames) that have been sent.
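The following Python script is an added example, not Cisco's code, and shows how the Table 124 counters can be read as a security signal rather than a health readout. Three constructed counter snapshots stand in for the value row of show dot1x statistics interface: a healthy port, a port receiving far more EAPOL-Logoff frames than EAPOL-Start frames together with malformed EAPOL from a group source address (the pattern of a host forging EAPOL-Logoff for a neighbour's MAC to tear its session down), and a port whose EAP-Request/Identity frames are never answered. The dictionary key names, the thresholds and the interpretation of each pattern are this example's own assumptions; the counters are the ones the table describes.

```python
"""Turn 'show dot1x statistics' counters into findings. Added example; not Cisco code."""

# Constructed counter snapshots keyed by port, using the Table 124 field names.
SAMPLE_STATS = {
    "Gi0/1": {  # healthy: one session, every identity request answered
        "rx_eapol_start": 3, "rx_eapol_logoff": 1, "rx_eapol_invalid": 0,
        "rx_eapol_total": 12, "rx_eap_resp_id": 3, "rx_eap_resp_oth": 6,
        "rx_eap_lenerror": 0, "last_eapol_ver": 2, "last_eapol_src": "0060.b0f8.fbfb",
        "tx_eapol_total": 12, "tx_eap_req_id": 3, "tx_eap_req_oth": 6,
    },
    "Gi0/2": {  # logoff storm plus malformed frames from a group address: forged EAPOL
        "rx_eapol_start": 4, "rx_eapol_logoff": 250, "rx_eapol_invalid": 17,
        "rx_eapol_total": 300, "rx_eap_resp_id": 4, "rx_eap_resp_oth": 8,
        "rx_eap_lenerror": 21, "last_eapol_ver": 1, "last_eapol_src": "0180.c200.0003",
        "tx_eapol_total": 30, "tx_eap_req_id": 4, "tx_eap_req_oth": 8,
    },
    "Gi0/3": {  # silent client: identity requests go out, nothing comes back
        "rx_eapol_start": 0, "rx_eapol_logoff": 0, "rx_eapol_invalid": 0,
        "rx_eapol_total": 0, "rx_eap_resp_id": 0, "rx_eap_resp_oth": 0,
        "rx_eap_lenerror": 0, "last_eapol_ver": 0, "last_eapol_src": "0000.0000.0000",
        "tx_eapol_total": 40, "tx_eap_req_id": 40, "tx_eap_req_oth": 0,
    },
}

LOGOFF_RATIO = 5      # logoffs per start above which a forged EAPOL-Logoff is suspected
UNANSWERED_MIN = 10   # unanswered identity requests before the client is called silent


def is_multicast_mac(mac):
    """True if the I/G bit of the first octet is set (Cisco dotted form aaaa.bbbb.cccc)."""
    first_octet = int(mac.split(".")[0][:2], 16)
    return bool(first_octet & 0x01)


def check_port(port, c):
    """Findings for one port's counters; an empty list means nothing suspicious."""
    findings = []
    starts = max(c["rx_eapol_start"], 1)
    if c["rx_eapol_logoff"] > LOGOFF_RATIO * starts:
        findings.append(f"{port}: {c['rx_eapol_logoff']} EAPOL-Logoff vs "
                        f"{c['rx_eapol_start']} EAPOL-Start; possible forged logoff "
                        "(session teardown) against a neighbour")
    malformed = c["rx_eapol_invalid"] + c["rx_eap_lenerror"]
    if malformed:
        findings.append(f"{port}: {malformed} malformed EAPOL frames "
                        "(unknown type or bad body length)")
    unanswered = c["tx_eap_req_id"] - c["rx_eap_resp_id"]
    if unanswered >= UNANSWERED_MIN:
        findings.append(f"{port}: {unanswered} EAP-Request/Identity frames unanswered; "
                        "no supplicant on the client, or its EAPOL is being blocked")
    if c["rx_eapol_total"] and is_multicast_mac(c["last_eapol_src"]):
        findings.append(f"{port}: last EAPOL source {c['last_eapol_src']} is a group "
                        "address; a real supplicant never sends from a multicast MAC")
    return findings


def audit_ports(stats):
    """Findings for every port, in port order."""
    out = []
    for port in sorted(stats):
        out.extend(check_port(port, stats[port]))
    return out


if __name__ == "__main__":
    for line in audit_ports(SAMPLE_STATS) or ["no findings"]:
        print(line)
```

The source-address check relies on the fact that EAPOL frames are sent to the PAE group address 0180.c200.0003 but are never sent from it; a counter snapshot whose last source is a group address is a frame that no conforming supplicant produced. The logoff ratio is the interesting one operationally: a few logoffs per start are normal, hundreds per start without matching starts are not.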
Related Commands
Command | Description
dot1x default | Resets the global 802.1X parameters to their default values.
show dss log
To display the invalidation routes for the DSS range on the NetFlow table, use the show dss log command in EXEC mode.
show dss log {ip | ipv6}
Syntax Description
ip | Displays the range-invalidation profile for the DSS IP.
ipv6 | Displays the range-invalidation profile for the DSS IPv6.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release | Modification
12.2(14)SX | Support for this command was introduced on the Supervisor Engine 720.
12.2(17b)SXA | This command was changed to support the ipv6 keyword.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command is not supported in Cisco 7600 series routers that are configured with a Supervisor Engine 2.
Whenever an IPv6 entry is deleted from the routing table, a message is sent to the switch processor to remove the entries that are associated to that network. Several IPv6 prefixes are collapsed to the less specific one if too many invalidations occur in a short period of time.
Examples
This example shows how to display the range-invalidation profile for the DSS IP:
22:50:18.551 prefix 172.20.52.18 mask 172.20.52.18
22:50:20.059 prefix 127.0.0.0 mask 255.0.0.0
22:51:48.767 prefix 172.20.52.18 mask 172.20.52.18
22:51:52.651 prefix 0.0.0.0 mask 0.0.0.0
22:53:02.651 prefix 0.0.0.0 mask 0.0.0.0
22:53:19.651 prefix 0.0.0.0 mask 0.0.0.0
show eap registrations
To display Extensible Authentication Protocol (EAP) registration information, use the show eap registrations command in privileged EXEC mode.
show eap registrations [method | transport]
Syntax Description
method | (Optional) Displays information about EAP method registrations only.
transport | (Optional) Displays information about EAP transport registrations only.
Command Default
If a keyword is not used, information is displayed for all lower layers used by EAP and for the methods that are registered with the EAP framework.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.2(25)SEE | This command was introduced.
12.4(6)T | This command was integrated into Cisco IOS Release 12.4(6)T.
Usage Guidelines
This command is used to check which EAP methods are enabled on a router.
Examples
The following is an example of output from the show eap registrations command:
Router# show eap registrations
Registered EAP Lower Layers:
2 Authenticator Dot1x-Authenticator
The following is an example of output from the show eap registrations command using the transport keyword:
Router# show eap registrations transport
Registered EAP Lower Layers:
2 Authenticator Dot1x-Authenticator
1 Authenticator MAB
The output fields are self-explanatory.
Related Commands
Command | Description
clear eap | Clears EAP session information for the switch or specified port.
show eap sessions
To display active Extensible Authentication Protocol (EAP) session information, use the show eap sessions command in privileged EXEC mode.
show eap sessions [credentials credentials-name | interface interface-name | method method-name | transport transport-name]
Syntax Description
credentials credentials-name | (Optional) Displays information about the specified credentials profile.
interface interface-name | (Optional) Displays information, such as type, module, and port number, about sessions that are associated with the specified interface.
method method-name | (Optional) Displays information about sessions that are associated with the specified EAP method.
transport transport-name | (Optional) Displays information about sessions that are associated with the specified lower layer.
Command Default
All active EAP sessions are displayed.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.2(25)SEE | This command was introduced.
12.4(6)T | This command was integrated into Cisco IOS Release 12.4(6)T.
Usage Guidelines
The command output can be filtered using any of the optional keywords, singly or in combination.
Examples
The following is an example of output from the show eap sessions command:
Router# show eap sessions
Role: Authenticator Decision: Fail
Lower layer: Dot1x-AuthenticaInterface: Gi1/0/1
Current method: None Method state: Uninitialised
Retransmission count: 0 (max: 2) Timer: Authenticator
ReqId Retransmit (timeout: 30s, remaining: 2s)
EAP handle: 0x5200000A Credentials profile: None
Lower layer context ID: 0x93000004 Eap profile name: None
Method context ID: 0x00000000 Peer Identity: None
Start timeout (s): 1 Retransmit timeout (s): 30 (30)
Current ID: 2 Available local methods: None
Role: Authenticator Decision: Fail
Lower layer: Dot1x-AuthenticaInterface: Gi1/0/2
Current method: None Method state: Uninitialised
Retransmission count: 0 (max: 2) Timer: Authenticator
ReqId Retransmit (timeout: 30s, remaining: 2s)
EAP handle: 0xA800000B Credentials profile: None
Lower layer context ID: 0x0D000005 Eap profile name: None
Method context ID: 0x00000000 Peer Identity: None
Start timeout (s): 1 Retransmit timeout (s): 30 (30)
Current ID: 2 Available local methods: None
The following is an example of output from the show eap sessions interface command:
Router# show eap sessions interface gigabitethernet1/0/1
Role: Authenticator Decision: Fail
Lower layer: Dot1x-AuthenticaInterface: Gi1/0/1
Current method: None Method state: Uninitialised
Retransmission count: 1 (max: 2) Timer: Authenticator
ReqId Retransmit (timeout: 30s, remaining: 13s)
EAP handle: 0x5200000A Credentials profile: None
Lower layer context ID: 0x93000004 Eap profile name: None
Method context ID: 0x00000000 Peer Identity: None
Start timeout (s): 1 Retransmit timeout (s): 30 (30)
Current ID: 2 Available local methods: None
The fields in the above output are self-explanatory.
Related Commands
Command
|
Description
|
clear eap sessions
|
Clears EAP session information for the switch or for the specified port.
|
show eou
To display information about Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) global values or EAPoUDP session cache entries, use the show eou command in privileged EXEC mode.
show eou {all | authentication {clientless | eap | static} | interface interface-type | ip ip-address | mac mac-address | posturetoken name} [| {begin | exclude | include} expression]
Syntax Description
all
|
Displays EAPoUDP information about all clients.
|
authentication
|
Authentication type.
|
clientless
|
Authentication type is clientless, that is, the endpoint system is not running Cisco Trust Agent (CTA) software.
|
eap
|
Authentication type is EAP.
|
static
|
Authentication type is statically configured.
|
interface
|
Provides information about the interface.
|
interface-type
|
Type of interface (see Table 125 for the interface types that may be shown).
|
ip
|
Specifies an IP address.
|
ip-address
|
IP address of the client device.
|
mac
|
Specifies a MAC address.
|
mac-address
|
The 48-bit address of the client device.
|
posturetoken
|
Displays information about a posture token name.
|
name
|
Name of the posture token.
|
begin
|
(Optional) Display begins with the line that matches the expression argument.
|
exclude
|
(Optional) Display excludes lines that match the expression argument.
|
include
|
(Optional) Display includes lines that match the specified expression argument.
|
expression
|
(Optional) Expression in the output to use as a reference point.
|
Command Default
All global EAPoUDP values are displayed.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.3(8)T
|
This command was introduced.
|
12.2(18)SXF
|
This command was integrated into Cisco IOS Release 12.2(18)SXF.
|
12.2(25)SED
|
This command was integrated into Cisco IOS Release 12.2(25)SED.
|
12.2(25)SG
|
This command was integrated into Cisco IOS Release 12.2(25)SG.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.4(11)T
|
The output of this command was enhanced to display information about whether the session is using the AAA timeout policy.
|
12.2(33)SXI
|
This command was integrated into Cisco IOS Release 12.2(33)SXI.
|
Usage Guidelines
If you do not specify a port, global parameters and a summary appear. If you specify a port, details for that port appear.
Expressions are case sensitive. For example, if you enter "exclude output," the lines that contain "output" are not displayed, but the lines that contain "Output" appear.
Table 125 lists the interface types that may be used for the interface-type argument.
Table 125 Description of Interface Types
Interface Type
|
Description
|
Async
|
Asynchronous interface
|
BVI
|
Bridge-Group Virtual Interface
|
CDMA-Ix
|
Code division multiple access Internet exchange (CDMA Ix) interface
|
CTunnel
|
Connectionless Network Protocol (CLNS) tunnel (Ctunnel) interface
|
Dialer
|
Dialer interface
|
Ethernet
|
IEEE 802.3 standard interface
|
Lex
|
Lex interface
|
Loopback
|
Loopback interface
|
MFR
|
Multilink Frame Relay bundle interface
|
Multilink
|
Multilink-group interface
|
Null
|
Null interface
|
Serial
|
Serial interface
|
Tunnel
|
Tunnel interface
|
Vif
|
Pragmatic General Multicast (PGM) Multicast Host interface
|
Virtual-PPP
|
Virtual PPP interface
|
Virtual-Template
|
Virtual template interface
|
Virtual-TokenRing
|
Virtual TokenRing interface
|
Examples
The following output displays information about a global EAPoUDP configuration. The default values can be changed or customized using the eou default, eou max-retry, eou revalidate, or eou timeout commands, depending on whether you configure them globally or on a specific interface.
Global EAPoUDP Configuration
----------------------------
Clientless Hosts = Disabled
Revalidation Period = 36000 Seconds
ReTransmit Period = 3 Seconds
StatusQuery Period = 300 Seconds
Hold Period = 180 Seconds
EAPoUDP Logging = Disabled
Clientless Host Username = clientless
Clientless Host Password = clientless
Interface Specific EAPoUDP Configurations
-----------------------------------------
No interface specific configuration
The following output displays the EAPoUDP session entry for a single host. The host was admitted under a NAC Auth Fail Open policy because the AAA server was unavailable, so no posture validation took place:
Router# show eou ip 10.0.0.1
Address : 10.0.0.1
MAC Address : 0001.027c.f364
Interface : Vlan333
AuthType : AAA DOWN
AAA Down policy : rule_policy
Audit Session ID : 00000000011C11830000000311000001
PostureToken : -------
Age(min) : 0
URL Redirect : NO URL REDIRECT
URL Redirect ACL : NO URL REDIRECT ACL
ACL Name : rule_acl
Tag Name : NO TAG NAME
User Name : UNKNOWN USER
Revalidation Period : 500 Seconds
Status Query Period : 300 Seconds
Current State : AAA DOWN
Table 126 describes the significant fields shown in the display.
Table 126 show eou Field Descriptions
Field
|
Description
|
EAPoUDP Version
|
EAPoUDP protocol version.
|
EAPoUDP Port
|
EAPoUDP port number.
|
Clientless Hosts
|
Clientless hosts are enabled or disabled.
|
IP Station ID
|
Specifies whether the IP address is allowed in the AAA station-id field. By default, it is disabled.
|
Revalidation
|
Revalidation is enabled or disabled.
|
Revalidation Period
|
Interval, in seconds, at which validated hosts are revalidated (36000 seconds in the example output above).
|
ReTransmit Period
|
Specifies the EAPoUDP packet retransmission interval. The default is 3 seconds.
|
StatusQuery Period
|
Specifies the EAPoUDP status query interval for validated hosts. The default is 300 seconds.
|
Hold Period
|
Hold period following a failed authentication.
|
AAA Timeout
|
AAA timeout period.
|
Max Retries
|
Maximum number of allowable retransmissions.
|
EAPoUDP Logging
|
Logging is enabled or disabled.
|
AAA Down policy
|
Name of policy to be applied when the AAA server is unreachable. (This is the NAC Auth Fail Open policy.)
|
Related Commands
Command
|
Description
|
eou default
|
Sets global EAPoUDP parameters to the default values.
|
eou max-retry
|
Sets the number of maximum retry attempts for EAPoUDP.
|
eou rate-limit
|
Sets the number of simultaneous posture validations for EAPoUDP.
|
eou timeout
|
Sets the EAPoUDP timeout values.
|
show epm session
To display information about Enforcement Policy Module (EPM) sessions, use the show epm session command in privileged EXEC mode.
show epm session {interface type number | ip {ip-address [client client-type] | all} | mac {mac-address [client client-type] | all} | summary}
Syntax Description
interface
|
Displays interface based session information.
|
type
|
Interface type.
|
number
|
Interface number.
|
ip
|
Displays information specifically for an IP address.
|
ip-address
|
IP address for the session.
|
client
|
(Optional) Specifies information about the type of client.
|
client-type
|
(Optional) Type of client. Values are cts, dot1x, eapoudp, mab, and proxy.
|
mac
|
Displays MAC address based session information.
|
mac-address
|
MAC address of the client.
|
all
|
Displays information for all sessions.
|
summary
|
Displays summary of session information such as IP address, MAC address, and so on for all the active sessions.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(6)T
|
This command was introduced.
|
12.2(33)SXI2
|
This command was integrated into Cisco IOS Release 12.2(33)SXI2. The all keyword was added, and the cts, dot1x, and mab values for the client-type argument were added.
|
Examples
The following output shows information specifically for MAC address 0001.027c.f380:
Router# show epm session mac 0001.027c.f380 client dot1x
Admission feature : DOT1X
ACS ACL : xACSACLx-IP-VERY_SIMPLE_ACL-459b9870
The following output shows information specifically for IP address 10.9.0.1:
Router# show epm session ip 10.9.0.1
Admission feature : AUTHPROXY
Input Service Policy : epm-pol-map
Proxy ACL : permit udp any any
Proxy ACL : deny icmp any any
ACS ACL : xACSACLx-IP-VERY_SIMPLE_ACL-472594af
Admission feature : EAPOUDP
ACS ACL : xACSACLx-IP-VERY_SIMPLE_ACL-459b9870
Proxy ACL : permit udp any any
Proxy ACL : permit icmp any any
Proxy ACL : permit tcp an
Admission feature : DOT1X
ACS ACL : xACSACLx-IP-VERY_SIMPLE_ACL-459b9870
The following example shows summary information for all sessions:
Router# show epm session summary
--------------------------
Total sessions seen so far : 5
Total active sessions : 5
Interface IP Address MAC Address Audit Session Id:
--------------------------------------------------------------------------------------
GigabitEthernet7/2 209.165.200.225 0001.027c.f380 16000002000000000003A4EC
GigabitEthernet7/2 209.165.200.227 0001.027c.f380 16000002000000010003AD68
GigabitEthernet7/2 209.165.200.230 0001.027c.f380 16000002000000020003C110
GigabitEthernet7/2 209.165.200.235 0001.027c.f380 16000002000000030003D6BC
GigabitEthernet7/15 0.0.0.0 0030.6eb6.c69a 0904010C000000000002F6A4
Table 127 describes significant fields shown in the displays.
Table 127 show epm session ip Field Descriptions
Field
|
Description
|
Admission feature
|
Admission feature acting on the host: authentication proxy (AUTHPROXY), IEEE 802.1X (DOT1X), or Extensible Authentication Protocol over UDP (EAPOUDP).
|
AAA Policies
|
AAA policy information.
|
ACS ACL
|
Access control server (ACS) access control list (ACL).
|
SGT
|
Security group tag (SGT) value assigned to the host that initiated the session.
|
Input Service Policy
|
Input service policy for the session.
|
Proxy ACL
|
Proxy access control list.
|
Total sessions seen so far
|
Total number of hosts connected to the Network Access Device (NAD) until now.
|
Total active sessions
|
Total number of active sessions.
|
Interface
|
Interface type and number.
|
IP Address
|
IP address of the host.
|
MAC Address
|
MAC address of the host.
|
Audit Session Id
|
Audit session ID.
|
show fm private-hosts
To display information about the Private Hosts feature manager, use the show fm private-hosts command in privileged EXEC mode.
show fm private-hosts {all | interface type/num}
Syntax Description
all
|
Displays the feature manager information for all of the interfaces that are configured for Private Hosts.
|
interface type/num
|
Displays the feature manager information for a specific interface. The slash (/) is required.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2(33)SRB
|
This command was introduced.
|
12.2(33)SXH
|
This command was integrated into Cisco IOS Release 12.2(33)SXH.
|
Examples
The following example displays information about the Private Hosts feature manager:
Router# show fm private-hosts interface GigabitEthernet1/2
-----------------------------------------------------------------------------
FM_FEATURE_PVT_HOST_INGRESS i/f: Gi1/2 map name:
=============================================================================
------------------------------------------------------------
MAC Seq. No: 10 Seq. Result : PVT_HOSTS_ACTION_DENY
------------------------------------------------------------
Indx - VMR index T - V(Value)M(Mask)R(Result)
EtTy - Ethernet Type EtCo - Ethernet Code
+----+-+--------------+--------------+----+----+
|Indx|T| Dest Node | Source Node |EtTy|EtCo|
+----+-+--------------+--------------+----+----+
1 V 0000.0000.0000 0000.1111.4001 0 0
M 0000.0000.0000 ffff.ffff.ffff 0 0
2 V 0000.0000.0000 0000.0000.0000 0 0
M 0000.0000.0000 0000.0000.0000 0 0
------------------------------------------------------------
MAC Seq. No: 20 Seq. Result : PVT_HOSTS_ACTION_PERMIT
------------------------------------------------------------
+----+-+--------------+--------------+----+----+
|Indx|T| Dest Node | Source Node |EtTy|EtCo|
+----+-+--------------+--------------+----+----+
1 V 0000.1111.4001 0000.0000.0000 0 0
M ffff.ffff.ffff 0000.0000.0000 0 0
2 V 0000.0000.0000 0000.0000.0000 0 0
M 0000.0000.0000 0000.0000.0000 0 0
------------------------------------------------------------
MAC Seq. No: 30 Seq. Result : PVT_HOSTS_ACTION_REDIRECT
------------------------------------------------------------
+----+-+--------------+--------------+----+----+
|Indx|T| Dest Node | Source Node |EtTy|EtCo|
+----+-+--------------+--------------+----+----+
1 V ffff.ffff.ffff 0000.0000.0000 0 0
M ffff.ffff.ffff 0000.0000.0000 0 0
2 V 0000.0000.0000 0000.0000.0000 0 0
M 0000.0000.0000 0000.0000.0000 0 0
------------------------------------------------------------
MAC Seq. No: 40 Seq. Result : PVT_HOSTS_ACTION_PERMIT
------------------------------------------------------------
+----+-+--------------+--------------+----+----+
|Indx|T| Dest Node | Source Node |EtTy|EtCo|
+----+-+--------------+--------------+----+----+
1 V 0100.5e00.0000 0000.0000.0000 0 0
M ffff.ff80.0000 0000.0000.0000 0 0
2 V 3333.0000.0000 0000.0000.0000 0 0
M ffff.0000.0000 0000.0000.0000 0 0
3 V 0000.0000.0000 0000.0000.0000 0 0
M 0000.0000.0000 0000.0000.0000 0 0
------------------------------------------------------------
MAC Seq. No: 50 Seq. Result : PVT_HOSTS_ACTION_DENY
------------------------------------------------------------
+----+-+--------------+--------------+----+----+
|Indx|T| Dest Node | Source Node |EtTy|EtCo|
+----+-+--------------+--------------+----+----+
1 V 0000.0000.0000 0000.0000.0000 0 0
M 0000.0000.0000 0000.0000.0000 0 0
2 V 0000.0000.0000 0000.0000.0000 0 0
M 0000.0000.0000 0000.0000.0000 0 0
Interfaces using this pvt host feature in ingress dir.:
------------------------------------------------
Interfaces (I/E = Ingress/Egress)
Related Commands
Command
|
Description
|
private-hosts
|
Enables or configures the private host feature.
|
private-hosts mode
|
Sets the switchport mode.
|
show fm private-hosts
|
Displays the FM-related private hosts information.
|
show private-hosts configuration
|
Displays Private Hosts configuration information for the router.
|
show private-hosts interface configuration
|
Displays Private Hosts configuration information for individual interfaces.
|
show fpm package-group
To display configuration information about Flexible Packet Matching (FPM) package support, use the show fpm package-group command in user EXEC or privileged EXEC mode.
show fpm package-group [control-plane | fpm-group-name | interface interface-name]
Syntax Description
control-plane
|
(Optional) Displays fpm package group control plane information.
|
fpm-group-name
|
(Optional) Displays fpm group name information.
|
interface
|
(Optional) Displays fpm package group interface information.
|
interface-name
|
Name of the interface for which you want to show the fpm package group information. See Table 128 for a list of valid interfaces.
|
Command Modes
User EXEC (>)
Privileged EXEC (#)
Command History
Release
|
Modification
|
15.0(1)M
|
This command was introduced.
|
Usage Guidelines
Table 128 displays valid interfaces that may be shown as the interface-name argument with the interface keyword.
Table 128 Interfaces That Can Be Shown
Interface
|
Description
|
ATM
|
ATM interface
|
Async
|
Asynchronous interface
|
Auto-template
|
Auto-Template interface
|
BVI
|
Bridge-Group Virtual Interface
|
CDMA-Ix
|
CDMA Ix interface
|
CTunnel
|
CTunnel interface
|
Dialer
|
Dialer interface
|
FastEthernet
|
FastEthernet IEEE 802.3
|
Lex
|
Lex interface
|
LongReachEthernet
|
Long-Reach Ethernet interface
|
Loopback
|
Loopback interface
|
MFR
|
Multilink Frame Relay bundle interface
|
Multilink
|
Multilink-group interface
|
Null
|
Null interface
|
Pos
|
Packet over SONET (POS) interface
|
Port-channel
|
Ethernet channel of interfaces
|
SSLVPN-VIF
|
Secure Socket Layer Virtual Private Network (SSLVPN) Virtual Interface
|
Serial
|
Serial
|
Tunnel
|
Tunnel interface
|
vif
|
Pragmatic General Multicast (PGM) multicast host interface
|
virtual-PPP
|
Virtual PPP interface
|
virtual-Template
|
Virtual template interface
|
virtual-TokenRing
|
Virtual TokenRing
|
vmi
|
Virtual Multipoint Interface
|
Examples
The following is sample output from the show fpm package-group command.
Router# show fpm package-group
group name: cisco-fpm-packages
fpm package: fpm-package-11
fpm package: fpm-package-43
Table 129 describes the significant fields shown in the display.
Table 129 show fpm package-group Field Descriptions
Field
|
Description
|
Auto-load
|
Displays if automatic loading of fpm package support is configured.
|
FPM package
|
Displays the name of the fpm package loaded from the fpm-server.
|
Group name
|
Displays the name of the fpm package group.
|
Package action
|
Displays the action taken when the fpm package is loaded.
|
Related Commands
Command
|
Description
|
show fpm package-info
|
Displays fpm package transfer configuration details.
|
show fpm package-info
To display information about fpm package transfer between an fpm-server and a local server, use the show fpm package-info command in user EXEC or privileged EXEC mode.
show fpm package-info
Syntax Description
This command has no keywords or arguments.
Command Default
The command displays information about the transfer of fpm package groups from the fpm-server to a local server.
Command Modes
User EXEC (>)
Privileged EXEC (#)
Command History
Release
|
Modification
|
15.0(1)M
|
This command was introduced.
|
Examples
The following is sample output from the show fpm package-info command.
Router# show fpm package-info
password 7 0101130A5D04141D245F5A1B0C0B57
Table 130 describes the significant fields shown in the display.
Table 130 show fpm package-info Field Descriptions
Field
|
Description
|
Host
|
Displays the download server address.
|
Local-path
|
Displays the location where packages are stored on the local router.
|
Password
|
Displays the password for the fpm-server in type 7 (password 7) form. Type 7 is a reversible obfuscation, not a hash, so anyone who can read this output can recover the credential; treat it as sensitively as the running configuration.
|
Protocol
|
Displays the protocol to connect to the server.
|
Remote-path
|
Displays the file server name.
|
Time-range
|
Displays the interval between searches for fpm updates.
|
User
|
Displays the username on the server.
|
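The Password field above is worth a concrete check. The following is an added example, not code from the Cisco command reference: it implements the well-known type 7 scheme (two decimal digits select an offset into a fixed key; each following hex byte is the plaintext byte XORed with successive key bytes) and scans captured output for password 7 values. The key constant is the one IOS uses; the sample output line is constructed here, not taken from the page.

```python
import re

# The fixed key IOS uses for 'password 7' obfuscation (public knowledge, not a secret).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
# Matches lines such as 'password 7 0822455D0A16' in show or config output.
TYPE7_LINE_RE = re.compile(
    r"\b(?P<kind>password|key|secret) 7 (?P<hex>\d{2}(?:[0-9A-Fa-f]{2})+)\b")


def type7_decode(encoded: str) -> str:
    """Decode a type 7 string: the first two decimal digits are the key offset,
    the rest is hex-encoded plaintext XORed with successive key bytes."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Inverse of type7_decode. IOS chooses a seed in 0..15; the offset adds no secrecy."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plain.encode("latin-1")
    out = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return "%02d%s" % (seed, out.hex().upper())


def recover_type7_secrets(text: str) -> list:
    """Return (keyword, decoded value) for every type 7 value found in the text."""
    return [(m.group("kind"), type7_decode(m.group("hex")))
            for m in TYPE7_LINE_RE.finditer(text)]


# Constructed sample in the shape of the 'show fpm package-info' output on this page.
SAMPLE_OUTPUT = ("Router# show fpm package-info\n"
                 "password 7 " + type7_encode("fpm-server-pw", 5) + "\n")

if __name__ == "__main__":
    for kind, value in recover_type7_secrets(SAMPLE_OUTPUT):
        print(f"{kind} 7 decodes to {value!r}")
```

Run recover_type7_secrets over any captured show fpm package-info or show running-config text; every type 7 value comes back in clear, which is why such output belongs in the same handling class as the configuration itself.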
Related Commands
Command
|
Description
|
show fpm package-group
|
Displays fpm package matching support configuration details.
|
show ip access-list
To display the contents of all current IP access lists, use the show ip access-list command in privileged EXEC mode.
show ip access-list [access-list-number | access-list-name | dynamic access-list-name | interface interface-name [in | out]]
Syntax Description
access-list-number
|
(Optional) Number of the IP access list to display.
|
access-list-name
|
(Optional) Name of the IP access list to display.
|
dynamic access-list-name
|
(Optional) Displays the specified dynamic IP access lists.
|
interface interface-name
|
(Optional) Displays the access list for the specified interface.
|
in
|
(Optional) Displays input interface statistics.
|
out
|
(Optional) Displays output interface statistics.
|
Command Default
All standard and extended IP access lists are displayed.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
10.3
|
This command was introduced.
|
12.3(7)T
|
The dynamic keyword was added.
|
12.4(6)T
|
The interface interface-name keyword/attribute pair was added. The in and out keywords were added.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.4(11)T
|
Example output from the dynamic keyword was added.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
12.4(20)T
|
The output of this command was extended to display access lists that contain object groups.
|
Usage Guidelines
The show ip access-list command provides output identical to the show access-lists command, except that it is IP-specific and allows you to specify a particular access list.
Examples
The following is sample output from the show ip access-list command when all access lists are requested:
Router# show ip access-list
Extended IP access list 101
permit udp any any eq tftp
permit udp any any eq domain
The following is sample output from the show ip access-list command when the name of a specific access list is requested:
Router# show ip access-list Internetfilter
Extended IP access list Internetfilter
permit tcp any 171.16.0.0 0.0.255.255 eq telnet
deny udp any 171.16.0.0 0.0.255.255 lt 1024
The following is sample output from the show ip access-list command when the name of a specific access list that contains an object group is requested:
Router# show ip access-list my_ogacl_policy
Extended IP access list my_ogacl_policy
10 permit object-group eng_service any any
The following is sample output from the show ip access-list command, which shows input statistics for Fast Ethernet interface 0/0:
Router# show ip access-list interface FastEthernet0/0 in
Extended IP access list 150 in
10 permit ip host 10.1.1.1 any
30 permit ip host 10.2.2.2 any (15 matches)
The following is sample output from the show ip access-list command using the dynamic keyword:
Router# show ip access-list dynamic
Extended IP access list CM_SF#1
10 permit udp any any eq 5060 (650 matches)
20 permit tcp any any eq 5060
30 permit udp any any dscp ef (806184 matches)
To check your configuration when the dynamic keyword is used, use the show run interfaces cable command:
Router# show run interfaces cable 0/1/0
Building configuration...
Current configuration : 144 bytes
interface cable-modem0/1/0
service-flow primary upstream
service-policy output llq
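The outputs above follow one text format: an "Extended IP access list NAME [in|out]" header, then entries with an optional sequence number and, in the interface statistics view, an optional "(N matches)" counter. The following is an added example, not code from the Cisco command reference, that parses that format and reports two things an ACL reviewer wants to know: permit entries that match every source and every destination, and entries that have never matched where counters are shown. The sample text is assembled from the outputs on this page; the handling of standard ACL entries is simplified to what is needed to recognize "any".

```python
import re
from dataclasses import dataclass, field
from typing import Optional

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)(?: (in|out))?$")
ENTRY_RE = re.compile(r"^(?:(?P<seq>\d+) )?(?P<action>permit|deny) (?P<rest>.+?)"
                      r"(?: \((?P<matches>\d+) match(?:es)?\))?$")
PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> operand count


@dataclass
class AclEntry:
    seq: Optional[int]   # None when the ACL is shown without sequence numbers
    action: str
    text: str            # everything after the action, minus the match counter
    matches: int         # IOS omits the counter when it is zero


@dataclass
class Acl:
    kind: str                 # "Standard" or "Extended"
    name: str                 # number or name
    direction: Optional[str]  # "in"/"out" in the interface statistics view, else None
    entries: list = field(default_factory=list)


def parse_show_ip_access_list(output: str) -> list:
    acls = []
    for raw in output.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            acls.append(Acl(header.group(1), header.group(2), header.group(3)))
            continue
        entry = ENTRY_RE.match(line)
        if entry and acls:
            acls[-1].entries.append(AclEntry(
                seq=int(entry.group("seq")) if entry.group("seq") else None,
                action=entry.group("action"), text=entry.group("rest"),
                matches=int(entry.group("matches") or 0)))
    return acls


def _take_address(tokens, i):
    """Consume one address spec: any | host A | A WILDCARD | object-group NAME."""
    return ("any", i + 1) if tokens[i] == "any" else (" ".join(tokens[i:i + 2]), i + 2)


def _skip_port(tokens, i):
    """Step over an optional port operator and its operands."""
    return i + 1 + PORT_OPS[tokens[i]] if i < len(tokens) and tokens[i] in PORT_OPS else i


def endpoints(acl, entry):
    """Return (source, destination) of an entry; destination is None for standard ACLs."""
    tokens = entry.text.split()
    if acl.kind == "Standard":
        return _take_address(tokens, 0)[0], None
    i = 2 if tokens[0] == "object-group" else 1   # service object group or protocol keyword
    src, i = _take_address(tokens, i)
    dst, _ = _take_address(tokens, _skip_port(tokens, i))
    return src, dst


def find_any_to_any_permits(acls):
    """Permit entries that match every source and every destination address."""
    found = []
    for acl in acls:
        for e in acl.entries:
            src, dst = endpoints(acl, e)
            if e.action == "permit" and src == "any" and dst in ("any", None):
                found.append((acl.name, e.seq, e.text))
    return found


def find_zero_hit_entries(acls):
    """Entries with no matches, reported only for ACLs shown with interface statistics."""
    return [(acl.name, e.seq, e.text) for acl in acls if acl.direction
            for e in acl.entries if e.matches == 0]


# Constructed sample assembled from the outputs shown on this page.
SAMPLE = """\
Extended IP access list 101
    permit udp any any eq tftp
    permit udp any any eq domain
Extended IP access list Internetfilter
    permit tcp any 171.16.0.0 0.0.255.255 eq telnet
    deny udp any 171.16.0.0 0.0.255.255 lt 1024
Extended IP access list my_ogacl_policy
    10 permit object-group eng_service any any
Extended IP access list 150 in
    10 permit ip host 10.1.1.1 any
    30 permit ip host 10.2.2.2 any (15 matches)
"""

if __name__ == "__main__":
    parsed = parse_show_ip_access_list(SAMPLE)
    for name, seq, text in find_any_to_any_permits(parsed):
        print(f"any-to-any permit in {name} seq {seq}: {text}")
    for name, seq, text in find_zero_hit_entries(parsed):
        print(f"never matched in {name} seq {seq}: {text}")
```

An any-to-any permit that is port-restricted (the tftp and domain entries) is still reported, because the port is the only control left on that path; the object-group entry is reported even though its ports are hidden behind the group name, which is the usual place for a review to go next.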
Related Commands
Command
|
Description
|
deny
|
Sets conditions in a named IP access list or OGACL that will deny packets.
|
ip access-group
|
Applies an ACL or OGACL to an interface or a service policy map.
|
ip access-list
|
Defines an IP access list or OGACL by name or number.
|
object-group network
|
Defines network object groups for use in OGACLs.
|
object-group service
|
Defines service object groups for use in OGACLs.
|
permit
|
Sets conditions in a named IP access list or OGACL that will permit packets.
|
show object-group
|
Displays information about object groups that are configured.
|
show ip access-lists
To display the contents of all current IP access lists, use the show ip access-lists command in privileged EXEC mode.
show ip access-lists [access-list-number | name]
Syntax Description
access-list-number
|
(Optional) Number of the IP access list to display.
|
name
|
(Optional) Name of the IP access list to display.
|
Command Default
All standard and extended IP access lists are displayed by default.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2(33)SXH
|
This command was introduced.
|
Usage Guidelines
The show ip access-lists command provides output identical to the show access-lists command, except that it is IP-specific and allows you to specify a particular access list.
Examples
This example shows how to display the configuration contents of all current IP access lists:
Router# show ip access-lists
Extended IP access list test1
10 permit tcp addrgroup myAG portgroup myPG any
This example shows how to display the contents of a specific access list:
Router# show ip access-lists Internetfilter
Extended IP access list Internetfilter
permit tcp any 172.16.0.0 0.0.255.255 eq telnet
deny udp any 172.16.0.0 0.0.255.255 lt 1024
Related Commands
Command
|
Description
|
show access-lists
|
Displays the contents of current access lists.
|
show ip admission
To display the network admission control (NAC) cache entries or the running network admission control configuration, use the show ip admission command in privileged EXEC mode.
show ip admission {cache [consent | eapoudp] | configuration}
Syntax Description
cache
|
Displays the current list of network admission entries.
|
consent
|
Displays the authentication proxy consent webpage sessions.
|
configuration
|
Displays the running network admission control configuration.
|
eapoudp
|
Displays the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) network admission control entries.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.3(8)T
|
This command was introduced.
|
12.4(11)T
|
The output of this command was enhanced to display whether the AAA timeout policy is configured.
|
12.4(15)T
|
The consent keyword was added.
|
12.2(33)SXI
|
This command was integrated into Cisco IOS Release 12.2(33)SXI.
|
Usage Guidelines
Use show ip admission cache eapoudp to list the host IP addresses, the session timeout, and the posture state. If the posture state is POSTURE ESTAB, the host validation was successful.
Examples
The following output displays all the IP admission control rules that are configured on the router:
Router# show ip admission configuration
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Watch-list is disabled
Authentication Proxy Rule Configuration
eapoudp list not specified auth-cache-time 60 minutes
The following output displays the host IP addresses, the session timeout, and the posture states:
Router# show ip admission cache eapoudp
Posture Validation Proxy Cache
Total Sessions: 3 Init Sessions: 1
Client IP 10.0.0.112, timeout 60, posture state POSTURE ESTAB
Client IP 10.0.0.142, timeout 60, posture state POSTURE INIT
Client IP 10.0.0.205, timeout 60, posture state POSTURE ESTAB
The following output displays a configuration that includes both a global and a rule-specific NAC Auth Fail Open policy:
Router# show ip admission configuration
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication global init state time is 2 minutes
Authentication Proxy Watch-list is enabled
Watch-list expiry timeout is 1 minutes
! The line below shows the global policy:
Authentication global AAA fail identity policy aaa_fail_policy
Authentication Proxy Rule Configuration Auth-proxy name greentree
eapoudp list 101 specified auth-cache-time 60 minutes
! The line below shows the rule-specific AAA fail policy; the name changes based on what the user configured.
Identity policy name aaa_fail_policy for AAA fail policy
The field descriptions in the display are self-explanatory.
In the following example, a session has been initiated via https://192.168.104.136 from the client 192.168.100.132. After a successful session establishment, the output is as follows:
Router# show ip admission cache
Authentication Proxy Cache
Client Name N/A, Client IP 192.168.100.132, Port 1204, timeout 204, Time Remaining 204, state ESTAB
Router# show ip admission cache consent
Authentication Proxy Consent Cache
Client Name N/A, Client IP 192.168.100.132, Port 1204, timeout 204, Time Remaining 204, state ESTAB
Router# show ip admission cache eapoudp
Posture Validation Proxy Cache
Total Sessions: 0 Init Sessions: 0
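Two of the outputs in this reference tell you which hosts are on the network without a completed posture check: the show eou host entry earlier on this page (Current State AAA DOWN, with the NAC Auth Fail Open policy and ACL that were applied instead) and the show ip admission cache eapoudp listing above (anything other than POSTURE ESTAB). The following is an added example, not code from the Cisco command reference, that parses both formats and reports those hosts. The 10.0.0.1 block and the admission cache lines are the ones shown on this page; the 10.0.0.2 block and its state and token values are constructed to represent a host that completed EAP validation.

```python
import re

# 'Key : value' lines of show eou; keys may contain spaces and parentheses (e.g. Age(min)).
KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ()]*?)\s*:\s*(?P<value>.*?)\s*$")
# One client line of 'show ip admission cache eapoudp'.
CACHE_RE = re.compile(r"Client IP (?P<ip>\S+), timeout (?P<timeout>\d+), "
                      r"posture state (?P<state>.+?)\s*$")


def parse_show_eou(output: str) -> list:
    """Return one dict per host; each 'Address' line starts a new host block."""
    hosts, current = [], None
    for line in output.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        if m.group("key") == "Address":
            current = {}
            hosts.append(current)
        if current is not None:
            current[m.group("key")] = m.group("value")
    return hosts


def fail_open_hosts(hosts: list) -> list:
    """Hosts admitted under the AAA-down (NAC Auth Fail Open) policy, with the
    policy and ACL that were applied instead of a posture-based result."""
    return [(h["Address"], h.get("AAA Down policy", ""), h.get("ACL Name", ""))
            for h in hosts if h.get("Current State") == "AAA DOWN"]


def parse_admission_cache(output: str) -> dict:
    """Map client IP to posture state from 'show ip admission cache eapoudp'."""
    states = {}
    for line in output.splitlines():
        m = CACHE_RE.search(line)
        if m:
            states[m.group("ip")] = m.group("state")
    return states


def unvalidated_hosts(states: dict) -> list:
    """Clients whose validation has not completed (anything but POSTURE ESTAB)."""
    return sorted(ip for ip, state in states.items() if state != "POSTURE ESTAB")


# Constructed sample: 10.0.0.1 is the entry shown on this page; 10.0.0.2 is made up.
SHOW_EOU = """\
Address             : 10.0.0.1
MAC Address         : 0001.027c.f364
Interface           : Vlan333
AuthType            : AAA DOWN
AAA Down policy     : rule_policy
PostureToken        : -------
Age(min)            : 0
ACL Name            : rule_acl
User Name           : UNKNOWN USER
Current State       : AAA DOWN
Address             : 10.0.0.2
MAC Address         : 0001.027c.f365
Interface           : Vlan333
AuthType            : EAP
PostureToken        : Healthy
Age(min)            : 12
ACL Name            : healthy_acl
User Name           : alice
Current State       : AUTHENTICATED
"""

# Constructed from the 'show ip admission cache eapoudp' output on this page.
ADMISSION_CACHE = """\
Posture Validation Proxy Cache
Total Sessions: 3 Init Sessions: 1
Client IP 10.0.0.112, timeout 60, posture state POSTURE ESTAB
Client IP 10.0.0.142, timeout 60, posture state POSTURE INIT
Client IP 10.0.0.205, timeout 60, posture state POSTURE ESTAB
"""

if __name__ == "__main__":
    for ip, policy, acl in fail_open_hosts(parse_show_eou(SHOW_EOU)):
        print(f"{ip}: admitted under AAA-down policy {policy} (ACL {acl})")
    for ip in unvalidated_hosts(parse_admission_cache(ADMISSION_CACHE)):
        print(f"{ip}: posture validation not established")
```

A host reported by fail_open_hosts is on the network with whatever the AAA Down policy ACL allows and will stay that way until the next revalidation, so the list is the one to compare against the AAA server outage window; hosts stuck in POSTURE INIT past the init state time are the second thing to look at after an outage.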
Related Commands
Command
|
Description
|
clear ip admission cache
|
Clears IP admission cache entries from the router.
|
ip admission name
|
Creates a Layer 3 network admission control rule.
|
show ip audit configuration
To display additional configuration information, including default values that may not be displayed using the show running-config command, use the show ip audit configuration command in EXEC mode.
show ip audit configuration
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Release
|
Modification
|
12.0(5)T
|
This command was introduced.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Usage Guidelines
Use the show ip audit configuration EXEC command to display additional configuration information, including default values that may not be displayed using the show running-config command.
Examples
The following example displays the output of the show ip audit configuration command:
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:5 OrgID:100 Addr:10.2.7.3 Msg dropped:0
HID:1000 OID:100 S:218 A:3 H:14092 HA:7118 DA:0 R:0
CID:1 IP:172.21.160.20 P:45000 S:ESTAB (Curr Conn)
Related Commands
Command
|
Description
|
clear ip audit statistics
|
Resets statistics on packets analyzed and alarms sent.
|
show ip audit interface
To display the interface configuration, use the show ip audit interface command in EXEC mode.
show ip audit interface
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Release
|
Modification
|
12.0(5)T
|
This command was introduced.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Usage Guidelines
Use the show ip audit interface EXEC command to display the interface configuration.
Examples
The following example displays the output of the show ip audit interface command:
Inbound IDS audit rule is AUDIT.1
Outgoing IDS audit rule is not set
Inbound IDS audit rule is AUDIT.1
Outgoing IDS audit rule is AUDIT.1
show ip audit statistics
To display the number of packets audited and the number of alarms sent, among other information, use the show ip audit statistics command in EXEC mode.
show ip audit statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Release
|
Modification
|
12.0(5)T
|
This command was introduced.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Usage Guidelines
Use the show ip audit statistics EXEC command to display the number of packets audited and the number of alarms sent, among other information.
Examples
The following displays the output of the show ip audit statistics command:
Signature audit statistics [process switch:fast switch]
signature 2000 packets audited: [0:2]
signature 2001 packets audited: [9:9]
signature 2004 packets audited: [0:2]
signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0
Related Commands
Command
|
Description
|
clear ip audit statistics
|
Resets statistics on packets analyzed and alarms sent.
|
show ip auth-proxy
To display the authentication proxy entries or the running authentication proxy configuration, use the show ip auth-proxy command in privileged EXEC mode.
show ip auth-proxy {cache | configuration}
Syntax Description
cache
|
Displays the current list of the authentication proxy entries.
|
configuration
|
Displays the running authentication proxy configuration.
|
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.0(5)T
|
This command was introduced.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Usage Guidelines
Use the show ip auth-proxy command to display either the authentication proxy entries or the running authentication proxy configuration. Use the cache keyword to list the host IP address, the source port number, the timeout value for the authentication proxy, and the state for connections using authentication proxy. If the authentication proxy state is HTTP_ESTAB, the user authentication was successful.
Use the configuration keyword to display all authentication proxy rules configured on the router.
Examples
The following example shows sample output from the show ip auth-proxy cache command after one user authentication using the authentication proxy:
Router# show ip auth-proxy cache
Authentication Proxy Cache
Client IP 192.168.25.215 Port 57882, timeout 1, state HTTP_ESTAB
The following example shows how the show ip auth-proxy configuration command displays the information about the authentication proxy rule pxy. The global idle timeout value is 60 minutes. The idle timeouts value for this named rule is 30 minutes. No host list is specified in the rule, meaning that all connection initiating HTTP traffic at the interface is subject to the authentication proxy rule.
Router# show ip auth-proxy configuration
Authentication cache time is 60 minutes
Authentication Proxy Rule Configuration
http list not specified auth-cache-time 30 minutes
Related Commands
Command
|
Description
|
clear ip auth-proxy cache
|
Clears authentication proxy entries from the router.
|
ip auth-proxy
|
Sets the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity).
|
ip auth-proxy (interface configuration)
|
Applies an authentication proxy rule at a firewall interface.
|
ip auth-proxy name
|
Creates an authentication proxy rule.
|
show ip auth-proxy watch-list
To display information about the authentication proxy watch list, use the show ip auth-proxy watch-list command in EXEC mode.
show ip auth-proxy watch-list
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
12.2(17d)SXB
|
Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 720.
Examples
This example shows how to display the information about the authentication proxy watch list:
Router# show ip auth-proxy watch-list
Authentication Proxy Watch-list is enabled
Watch-list expiry timeout is 2 minutes
Total number of watch-list entries: 3
Source IP Type Violation-count
10.0.0.2 MAX_RETRY MAX_LIMIT
10.0.0.3 TCP_NO_DATA MAX_LIMIT
Total number of watch-listed users: 3
Related Commands
Command
|
Description
|
clear ip auth-proxy watch-list
|
Deletes a single watch-list entry or all watch-list entries.
|
ip auth-proxy max-login-attempts
|
Limits the number of login attempts at a firewall interface.
|
ip auth-proxy watch-list
|
Enables and configures an authentication proxy watch list.
|
show ip bgp labels
To display information about Multiprotocol Label Switching (MPLS) labels from the external Border Gateway Protocol (eBGP) route table, use the show ip bgp labels command in privileged EXEC mode.
show ip bgp labels
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.0(21)ST
|
This command was introduced.
|
12.0(22)S
|
This command was integrated into Cisco IOS Release 12.0(22)S.
|
12.2(13)T
|
This command was integrated into Cisco IOS Release 12.2(13)T.
|
12.2(14)S
|
This command was integrated into Cisco IOS Release 12.2(14)S.
|
12.2(28)SB
|
This command was integrated into Cisco IOS Release 12.2(28)SB and implemented on the Cisco 10000 series router.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2(33)SXH
|
This command was integrated into Cisco IOS Release 12.2(33)SXH.
|
Usage Guidelines
Use this command to display eBGP labels associated with an Autonomous System Boundary Router (ASBR).
This command displays labels for BGP routes in the default table only. To display labels in the Virtual Private Network (VPN) routing and forwarding (VRF) tables, use the show ip bgp vpnv4 {all | vrf vrf-name} command with the optional labels keyword.
Examples
The following example shows output for an ASBR using BGP as a label distribution protocol:
Router# show ip bgp labels
Network Next Hop In Label/Out Label
10.3.0.0/16 0.0.0.0 imp-null/exp-null
10.15.15.15/32 10.15.15.15 18/exp-null
10.16.16.16/32 0.0.0.0 imp-null/exp-null
10.17.17.17/32 10.0.0.1 20/exp-null
10.18.18.18/32 10.0.0.1 24/31
10.18.18.18/32 10.0.0.1 24/33
Table 131 describes the significant fields shown in the display.
Table 131 show ip bgp labels Field Descriptions
Field
|
Description
|
Network
|
Displays the network address from the eBGP table.
|
Next Hop
|
Specifies the eBGP next hop address.
|
In Label
|
Displays the label (if any) assigned by this router.
|
Out Label
|
Displays the label assigned by the BGP next hop router.
|
Related Commands
Command
|
Description
|
show ip bgp vpnv4
|
Displays VPN address information from the BGP table.
|
show ip device tracking
To display information about entries in the IP device tracking table, use the show ip device tracking command in privileged EXEC mode.
show ip device tracking {all count | interface type-of-interface | ip ip-address | mac mac-address}
Syntax Description
all count
|
Displays a count of all IP tracking host entries.
|
interface type-of-interface
|
Displays interface information. See Table 132 for a list of valid interfaces.
|
ip ip-address
|
Displays the IP address of the client.
|
mac mac-address
|
Displays the 48-bit hardware MAC address.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2SX
|
This command was introduced.
|
12.4(15)T
|
This command was integrated into Cisco IOS Release 12.4(15)T.
|
Usage Guidelines
Table 132 displays valid interfaces that may be shown as the type-of-interface argument with the interface keyword.
Table 132 Interfaces That Can Be Tracked
Interface
|
Description
|
Async
|
Asynchronous interface
|
BVI
|
Bridge-Group Virtual Interface
|
CDMA-Ix
|
CDMA Ix interface
|
CTunnel
|
CTunnel interface
|
Dialer
|
Dialer interface
|
FastEthernet
|
FastEthernet IEEE 802.3
|
Lex
|
Lex interface
|
Loopback
|
Loopback interface
|
MFR
|
Multilink Frame Relay bundle interface
|
Multilink
|
Multilink-group interface
|
Null
|
Null interface
|
Port-channel
|
Ethernet channel of interfaces
|
Serial
|
Serial interface
|
Tunnel
|
Tunnel interface
|
vif
|
Pragmatic General Multicast (PGM) multicast host interface
|
virtual
|
Virtual interface
|
virtual-PPP
|
Virtual PPP interface
|
virtual-Template
|
Virtual template interface
|
virtual-TokenRing
|
Virtual TokenRing
|
XTagATM
|
Extended Tag ATM interface
|
Examples
The following example shows that all host entries are to be tracked:
Router# show ip device tracking all count
IP Device Tracking = Enabled
The fields in the above display are self-explanatory.
show ip inspect
To display Context-Based Access Control (CBAC) configuration and session information, use the show ip inspect command in privileged EXEC mode.
show ip inspect {name inspection-name | config | interfaces | session [detail] | statistics | all | sis | tech-support} [vrf vrf-name]
Firewall MIB Statistics Syntax
show ip inspect mib connection-statistics {global | l4-protocol {all | icmp | tcp | udp} | l7-protocol {all | other | telnet | ftp} | policy policy-name target target-name {l4-protocol {all | icmp | tcp | udp} | l7-protocol {all | other | telnet | ftp}}}
Syntax Description
name inspection-name
|
Displays the configured inspection rule with the name inspection-name.
|
config
|
Displays the complete CBAC or HA inspection configuration.
|
interfaces
|
Displays the interface configuration with respect to applied inspection rules and access lists.
|
session [detail]
|
Displays existing sessions that are currently being tracked and inspected by CBAC or HA. The optional detail keyword allows additional details about these sessions to be shown.
|
statistics
|
Displays CBAC sessions statistics, such as the number of TCP and HTTP packets that are processed through the inspection, the number of sessions that have been created since the subsystem startup, the current session count, the maximum session count, and the session creation rate.
|
all
|
Displays all CBAC configuration and all existing sessions that are currently being tracked and inspected by CBAC.
|
sis
|
Displays CBAC session information such as window-size information of initiator and responder windows in a session.
|
tech-support
|
Displays additional information regarding drops that are not shown in the show ip inspect statistics command. This information is useful for troubleshooting IP inspect issues.
|
vrf vrf-name
|
(Optional) Displays information only for the specified Virtual Routing and Forwarding (VRF) interface.
|
mib connection-statistics
|
Displays firewall performance summary statistics that are monitored via firewall MIBs.
|
global
|
Displays global connection summary statistics, which are kept for the entire device.
|
l4-protocol
|
Displays Layer 4 protocol-based connection summary statistics for one of the following specified protocols: all, icmp, tcp, udp.
|
l7-protocol
|
Displays Layer 7 protocol-based connection summary statistics for one of the following specified protocols: all, other, telnet, ftp.
|
policy policy-name
|
Name of the firewall policy that is being monitored.
|
target target-name
|
Name of the interface on which the specified firewall policy is applied.
|
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
11.2P
|
This command was introduced.
|
12.3(4)T
|
The output for the show ip inspect session detail command was enhanced to support dynamic access control list (ACL) bypass.
|
12.3(11)T
|
The statistics keyword was added.
|
12.3(14)T
|
The output shows the IMAP and POP3 configuration. The vrf vrf-name keyword/argument pair was added.
|
12.4(6)T
|
The firewall MIB statistics syntax was added to support firewall performance via SNMP.
High Availability (HA) configuration and session information was added to support Stateful Failover.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.4(11)T
|
The tech-support and sis keywords were unhidden and are now supported.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Usage Guidelines
Use this command to view the CBAC and HA configuration and session information.
ACL Bypass Functionality
ACL bypass allows a packet to avoid redundant ACL checks by allowing the firewall to permit the packet on the basis of existing inspection sessions instead of dynamic ACLs. Because input and output dynamic ACLs have been eliminated from the firewall configuration, the show ip inspect session detail command output no longer shows dynamic ACLs. Instead, the output displays the matching inspection session for each packet that is permitted through the firewall.
Firewall MIB Functionality
The Cisco Unified Firewall MIB monitors the following firewall performance statistics:
•
Connection statistics, which are a record of the firewall traffic streams that have attempted to flow through the firewall system. Connection statistics can be displayed on a global basis, a protocol-specific basis, or a firewall policy basis.
•
URL filtering statistics, which include the status of distinct URL filtering servers that are configured on the firewall and the impact of the performance of the URL filtering servers on the latency and throughput of the firewall.
Examples
The following example shows sample output for the show ip inspect name myinspectionrule command, where the inspection rule "myinspectionrule" is configured. In this example, the output shows the protocols that should be inspected by CBAC and the corresponding idle timeouts for each protocol.
Router# show ip inspect name myinspectionrule
Inspection Rule Configuration
Inspection name myinspectionrule
The following is sample output for the show ip inspect config command. In this example, the output shows CBAC configuration, including global timeouts, thresholds, and inspection rules.
Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
Inspection Rule Configuration
Inspection name myinspectionrule
The following is sample output for the show ip inspect interfaces command:
Inbound inspection rule is myinspectionrule
Outgoing inspection rule is not set
Inbound access list is not set
Outgoing access list is not set
The following is sample output for the show ip inspect session command. In this example, the output shows the source and destination addresses and port numbers (separated by colons), and it indicates that the session is an FTP session.
Router# show ip inspect session
Session 25A3318 (10.0.0.1:20)=>(10.1.0.1:46068) ftp-data SIS_OPEN
Session 25A6E1C (10.1.0.1:46065)=>(10.0.0.1:21) ftp SIS_OPEN
The following is sample output for the show ip inspect all command:
Router# show ip inspect all
Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
Inspection Rule Configuration
Inbound inspection rule is all
Outgoing inspection rule is not set
Inbound access list is not set
Outgoing access list is not set
Session 25A6E1C (10.3.0.1:46065)=>(10.4.0.1:21) ftp SIS_OPEN
Session 25A34A0 (10.4.0.1:20)=>(10.3.0.1:46072) ftp-data SIS_OPEN
The following is sample output from the show ip inspect session detail command, which shows that an outgoing ACL and an inbound ACL (dynamic ACLs) have been created to allow return traffic:
Router# show ip inspect session detail
Session 80E87274 (192.168.1.116:32956)=>(192.168.101.115:23) tcp SIS_OPEN
Created 00:00:08, Last heard 00:00:04
Bytes sent (initiator:responder) [140:298] acl created 2
Outgoing access-list 102 applied to interface FastEthernet0/0
Inbound access-list 101 applied to interface FastEthernet0/1
The following is sample output from the show ip inspect session detail command, which shows related ACL information (such as session identifiers [SIDs]), but does not show dynamic ACLs, which are no longer created:
Router# show ip inspect session detail
Session 814063CC (192.168.1.116:32955)=>(192.168.101.115:23) tcp SIS_OPEN
Created 00:00:10, Last heard 00:00:06
Bytes sent (initiator:responder) [140:298]
In SID 192.168.101.115[23:23]=>192.168.1.117[32955:32955] on ACL 101 (15 matches)
Out SID 192.168.101.115[23:23]=>192.168.1.116[32955:32955] on ACL 102
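The following Python script is an added example and is not part of this command reference or of Cisco IOS. It parses the text of show ip inspect session detail (the post-12.3(4)T form shown above, with In/Out SID lines instead of dynamic ACLs) into records, so that an operator can count open sessions per inspected protocol or list the clear-text FTP and Telnet sessions the firewall is currently allowing. The sample output embedded in the script is constructed to match the shape of the output above; the field names, the regular expressions, and the port set {21, 23} are the script's own assumptions.

```python
import re
from collections import Counter

# Added example, not Cisco code: parse "show ip inspect session detail" text
# into structured records so CBAC sessions can be filtered and summarised.

# Constructed sample in the shape of the detail output shown above (the
# post-12.3(4)T form with SID lines; no dynamic ACLs).
SAMPLE = """\
Session 814063CC (192.168.1.116:32955)=>(192.168.101.115:23) tcp SIS_OPEN
 Created 00:00:10, Last heard 00:00:06
 Bytes sent (initiator:responder) [140:298]
 In SID 192.168.101.115[23:23]=>192.168.1.116[32955:32955] on ACL 101 (15 matches)
 Out SID 192.168.101.115[23:23]=>192.168.1.116[32955:32955] on ACL 102
Session 25A3318 (10.0.0.1:20)=>(10.1.0.1:46068) ftp-data SIS_OPEN
 Created 00:00:08, Last heard 00:00:04
 Bytes sent (initiator:responder) [0:0]
"""

SESSION_RE = re.compile(
    r"^\s*Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>\S+)\s*$"
)
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")
SID_RE = re.compile(r"^\s*(In|Out) SID .* on ACL (\S+)(?: \((\d+) matches\))?")


def parse_sessions(text):
    """Return one dict per 'Session ...' line; continuation lines are attached
    to the most recent session. Lines that match nothing are ignored."""
    sessions = []
    cur = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = m.groupdict()
            cur["sport"] = int(cur["sport"])
            cur["dport"] = int(cur["dport"])
            cur["bytes"] = (0, 0)   # (initiator, responder)
            cur["sids"] = []        # pin-holes opened for return traffic
            sessions.append(cur)
            continue
        if cur is None:
            continue
        m = BYTES_RE.search(line)
        if m:
            cur["bytes"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = SID_RE.match(line)
        if m:
            cur["sids"].append({"dir": m.group(1), "acl": m.group(2),
                                "matches": int(m.group(3) or 0)})
    return sessions


def count_by_protocol(sessions):
    """Number of SIS_OPEN sessions per inspected protocol name."""
    return Counter(s["proto"] for s in sessions if s["state"] == "SIS_OPEN")


def sessions_to_ports(sessions, ports):
    """Sessions whose responder port is in `ports`, e.g. {21, 23} to list the
    clear-text FTP/Telnet sessions the firewall is currently allowing."""
    return [s for s in sessions if s["dport"] in ports]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE)
    print(dict(count_by_protocol(found)))
    for s in sessions_to_ports(found, {21, 23}):
        print(f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} ({s['proto']})")
```

The session header line carries the same fields in both the old (dynamic ACL) and new (SID) forms of the detail output, so the parser works on either; only the SID records are absent on the older form.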
The following is sample output from the show ip inspect statistics command:
Router# show ip inspect statistics
Packet inspection statistics [process switch:fast switch]
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 42940
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [98:68:50]
Last session created 5d21h
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
The following example is sample output from the show ip inspect tech-support command:
Router# show ip inspect tech-support
Packet inspection statistics [process switch:fast switch]
Interfaces configured for inspection 1 Pre-gen sessions 0
Session creations since subsystem startup or last reset 19
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:1]
Last session created 02:25:37
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
Packet disposition statistics [process switch:fastswitch]
tcp packets dropped: [1:3]
tcp packets skipped: [0:35]
The following examples are sample outputs from the show ip inspect mib command with global or protocol-specific keywords.
Global MIB Statistics
Router# show ip inspect mib connection-statistics global
--------------------------------------------------
Connections Attempted 7
Connections Setup Aborted 0
Connections Policy Declined 0
Connections Resource Declined 0
Connections Half Open 2 Connections Active 3
Connections Expired 2
Connections Aborted 0
Connections Embryonic 0
Connections 1-min Setup Rate 5
Connections 5-min Setup Rate 7
Protocol-Based MIB Statistics
Router# show ip inspect mib connection-statistics l4-protocol tcp
--------------------------------------------------
Protocol tcp
Connections Attempted 3
Connections Setup Aborted 0
Connections Policy Declined 0
Connections Resource Declined 0
Connections Half Open 1
Connections Active 2
Connections Aborted 0
Connections 1-min Setup Rate 3
Connections 5-min Setup Rate 3
Router# show ip inspect mib connection-statistics l7-protocol http
--------------------------------------------------
Protocol http
Connections Attempted 3
Connections Setup Aborted 0
Connections Policy Declined 2
Connections Resource Declined 0
Connections Half Open 0
Connections Active 1
Connections Aborted 0
Connections 1-min Setup Rate 1
Connections 5-min Setup Rate 2
Policy-target-Based MIB Statistics
Router# show ip inspect mib connection-statistics policy ftp interface GigabitEthernet0/0 l4-protocol tcp
! Policy Target Protocol Based Connection Summary Stats
------------------------------------------------------
Policy ftp-inspection
Target GigabitEthernet0/0
Protocol tcp
Connections Attempted 3
Connections Setup Aborted 0
Connections Policy Declined 0
Connections Resource Declined 0
Connections Half Open 1
Connections Active 2
Connections Aborted 0
Router# show ip inspect mib connection-statistics policy ftp interface GigabitEthernet0/0 l7-protocol ftp
! Policy Target Protocol Based Connection Summary Stats
------------------------------------------------------
Policy ftp-inspection
Target GigabitEthernet0/0
Protocol ftp
Connections Attempted 3
Connections Setup Aborted 0
Connections Policy Declined 0
Connections Resource Declined 0
Connections Half Open 1
Connections Active 2
Connections Aborted 0
show ip inspect ha
To display Stateful Failover High Availability (HA) session information, use the show ip inspect ha command in privileged EXEC mode.
show ip inspect ha { session [detail] | statistics} [vrf vrf-name]
Syntax Description
session [detail]
|
Displays additional information on pin-holes created for the return traffic, number of bytes that have passed through this session, and session time information.
|
statistics
|
Displays HA sessions statistics for both the active and standby devices.
|
vrf vrf-name
|
(Optional) Displays information only for the specified Virtual Routing and Forwarding (VRF) interface.
|
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.4(6)T
|
This command was introduced.
|
Usage Guidelines
Use this command to view the Stateful Failover HA session information.
Examples
The following is sample output for the show ip inspect ha session command. The following information is displayed for each session:
•
Session ID
•
Source address and port
•
Destination address and port
•
Protocol
•
Session State
•
HA State
Router# show ip inspect ha session
Sess_ID (src_addr:port)=>(dst_addr:port) proto sess_state ha_state
2CA8958 (10.0.0.5:37690)=>(10.0.0.4:00023) tcp SIS_OPEN HA_ACTIVE
The following is sample output for the show ip inspect ha session detail command. This command displays additional information for each session.
Router# show ip inspect ha session detail
Sess_ID (src_addr:port)=>(dst_addr:port) proto sess_state ha_state
2CA8958 (10.0.0.5:37690)=>(10.0.0.4:00023) tcp SIS_OPEN HA_ACTIVE
Created 00:01:52, Last heard 00:01:39
Bytes sent (initiator:responder) [50:91]
In SID 10.11.0.4[23:23]=>10.0.0.5[37690:37690] on ACL test (25 matches)
The following is sample output for the show ip inspect ha statistics command on the active router and on the standby router. The counters shown are described after the examples.
On the active router:
Router# show ip inspect ha statistics
****************************************************
****************************************************
FW HA active num add session sent 1
FW HA active num delete session sent 0
FW HA active num update session requests 0
FW HA active num update session sent 17
FW HA active bulk sync session 0
FW HA active manager error 0
****************************************************
On the standby router:
Router# show ip inspect ha statistics
****************************************************
****************************************************
FW HA standby num add session received 1
FW HA standby num delete session received 0
FW HA standby num update session received 17
FW HA standby num bulk sync request sent 0
FW HA standby num error 0
FW HA standby config error 0
*****************************************************
The following information displays on the active router:
•
Number of add session message sent
•
Number of delete session message sent
•
Number of update session message requests
•
Number of update session message sent
•
Number of bulk sync requests received
•
Error statistics
The following information displays on the standby router:
•
Number of add session message received
•
Number of delete session message received
•
Number of update session message received
•
Number of bulk sync requests sent
•
Error statistics
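The following Python script is an added example and is not part of this command reference or of Cisco IOS. It reads the show ip inspect ha statistics output collected from the active and the standby router, pairs each "sent" counter on the active side with the matching "received" counter on the standby side, and reports any counter pair that disagrees or any non-zero error counter. A standby whose received counts lag the active's sent counts would not hold the full session table on failover. The embedded outputs are constructed to match the shape shown above; the pairing of counter names is the script's own assumption (the bulk sync counters are named differently on each side, so they are not paired).

```python
import re

# Added example, not Cisco code: check that an active/standby Stateful Failover
# pair agree on the counters printed by "show ip inspect ha statistics".

# Constructed samples with the same shape as the outputs shown above.
ACTIVE = """\
****************************************************
FW HA active num add session sent 1
FW HA active num delete session sent 0
FW HA active num update session requests 0
FW HA active num update session sent 17
FW HA active bulk sync session 0
FW HA active manager error 0
****************************************************
"""
STANDBY = """\
FW HA standby num add session received 1
FW HA standby num delete session received 0
FW HA standby num update session received 17
FW HA standby num bulk sync request sent 0
FW HA standby num error 0
FW HA standby config error 0
"""

# "FW HA <side> <counter name> <value>"; separator lines do not match.
COUNTER_RE = re.compile(r"^FW HA (?:active|standby) (.+?)\s+(\d+)\s*$")


def parse_counters(text):
    """Return {counter name: value} for one device's output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


# Assumed pairing: each message type the active router sends should have been
# received the same number of times by the standby router.
PAIRS = {
    "num add session sent": "num add session received",
    "num delete session sent": "num delete session received",
    "num update session sent": "num update session received",
}


def check_sync(active, standby):
    """Return a list of problems: ("mismatch", active key, active value,
    standby key, standby value) for disagreeing pairs, and ("error", side,
    key, value) for any non-zero error counter on either router."""
    problems = []
    for a_key, s_key in PAIRS.items():
        a_val, s_val = active.get(a_key), standby.get(s_key)
        if a_val != s_val:
            problems.append(("mismatch", a_key, a_val, s_key, s_val))
    for side, counters in (("active", active), ("standby", standby)):
        for key, val in counters.items():
            if "error" in key and val:
                problems.append(("error", side, key, val))
    return problems


if __name__ == "__main__":
    issues = check_sync(parse_counters(ACTIVE), parse_counters(STANDBY))
    print("HA counters consistent" if not issues else issues)
```

Counters keep growing while traffic flows, so compare outputs captured at the same moment, or accept a small lag on the update counters and treat only add/delete disagreements as hard failures.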
show ip interface
To display the usability status of interfaces configured for IP, use the show ip interface command in privileged EXEC mode.
show ip interface [type number] [brief]
Syntax Description
type
|
(Optional) Interface type.
|
number
|
(Optional) Interface number.
|
brief
|
(Optional) Displays a summary of the usability status information for each interface.
|
Command Default
The full usability status is displayed for all interfaces configured for IP.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
10.0
|
This command was introduced.
|
12.0(3)T
|
This command was expanded to include the status of the ip wccp redirect out and ip wccp redirect exclude in commands.
|
12.2(14)S
|
The command output was modified to display the status of NetFlow on a subinterface.
|
12.2(15)T
|
The command output was modified to display the status of NetFlow on a subinterface.
|
12.3(6)
|
The command output was modified to identify the downstream VPN routing and forwarding (VRF) instance in the output.
|
12.3(14)YM2
|
The command output was modified to show the usability status of interfaces configured for Multi-Processor Forwarding (MPF) and implemented on the Cisco 7301 and Cisco 7206VXR routers.
|
12.2(14)SX
|
This command was introduced on the Supervisor Engine 720.
|
12.2(17d)SXB
|
This command was integrated into Cisco IOS 12.2(17d)SXB on the Supervisor Engine 2, and the command output was changed to include NDE for hardware flow status.
|
12.4(4)T
|
This command was integrated into Cisco IOS Release 12.4(4)T.
|
12.2(28)SB
|
This command was integrated into Cisco IOS Release 12.2(28)SB.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2(31)SB2
|
The command output was modified to display information about the Unicast Reverse Path Forwarding (RPF) notification feature.
|
12.4(20)T
|
The command output was modified to display information about the Unicast RPF notification feature.
|
12.2(33)SXI2
|
This command was modified. The command output was modified to display information about the Unicast RPF notification feature.
|
Usage Guidelines
The Cisco IOS software automatically enters a directly-connected route in the routing table if the interface is usable (which means that it can send and receive packets). If an interface is not usable, the directly-connected routing entry is removed from the routing table. Removing the entry lets the software use dynamic routing protocols to determine backup routes to the network, if any.
If the interface can provide two-way communication, the line protocol is marked "up." If the interface hardware is usable, the interface is marked "up."
If you specify an optional interface type, you see information for that specific interface. If you specify no optional arguments, you see information on all the interfaces.
When an asynchronous interface is encapsulated with PPP or Serial Line Internet Protocol (SLIP), IP fast switching is enabled. A show ip interface command on an asynchronous interface encapsulated with PPP or SLIP displays a message indicating that IP fast switching is enabled.
You can use the show ip interface brief command to view a summary of the router interfaces. This command displays the IP address, the interface status, and other information.
The show ip interface brief command does not display any information related to Unicast RPF.
Examples
The following example shows configuration information on interface Gigabit Ethernet 0/3. In this example, the IP flow egress feature is configured on the output side (where packets go out of the interface), and the policy route-map named PBR_NAME is configured on the input side (where packets come into the interface).
Router# show running-config interface gigabitethernet 0/3
interface GigabitEthernet0/3
ip address 10.1.1.1 255.255.0.0
ip policy route-map PBR_NAME
The following example shows interface information on Gigabit Ethernet interface 0/3. In this example, MPF is enabled; neither feature is supported by MPF, so both are ignored.
Router# show ip interface gigabitethernet 0/3
GigabitEthernet0/3 is up, line protocol is up
Internet address is 10.1.1.1/16
Broadcast address is 255.255.255.255
Address determined by setup command
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Local Proxy ARP is disabled
Security level is default
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP Feature Fast switching turbo vector
IP VPN Flow CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is enabled, using route map PBR
Network address translation is disabled
BGP Policy Mapping is disabled
IP Multi-Processor Forwarding is enabled
IP Input features, "PBR",
are not supported by MPF and are IGNORED
IP Output features, "NetFlow",
are not supported by MPF and are IGNORED
The following example identifies a downstream VRF instance. In the example, "Downstream VPN Routing/Forwarding "D"" identifies the downstream VRF instance.
Router# show ip interface virtual-access 3
Virtual-Access3 is up, line protocol is up
Interface is unnumbered. Using address of Loopback2 (10.0.0.8)
Broadcast address is 255.255.255.255
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Local Proxy ARP is disabled
Security level is default
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP Feature Fast switching turbo vector
IP VPN CEF switching turbo vector
VPN Routing/Forwarding "U"
Downstream VPN Routing/Forwarding "D"
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
The following example shows the information displayed when Unicast RPF drop-rate notification is configured:
Router# show ip interface ethernet 2/3
Ethernet2/3 is up, line protocol is up
Internet address is 10.0.0.4/16
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Local Proxy ARP is disabled
Security level is default
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are No CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Unicast RPF Information
IP verify source reachable-via RX, allow default
0 suppressed verification drops
The following example shows how to display the usability status for a specific VLAN:
Router# show ip interface vlan 1
Vlan1 is up, line protocol is up
Internet address is 10.0.0.4/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Local Proxy ARP is disabled
Security level is default
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP Fast switching turbo vector
IP Normal CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Sampled Netflow is disabled
IP multicast multilayer switching is disabled
Netflow Data Export (hardware) is enabled
Table 133 describes the significant fields shown in the display.
Table 133 show ip interface Field Descriptions
Field
|
Description
|
Virtual-Access3 is up
|
Shows whether the interface hardware is usable (up). For an interface to be usable, both the interface hardware and line protocol must be up.
|
Broadcast address is
|
Broadcast address.
|
Peer address is
|
Peer address.
|
MTU is
|
MTU value set on the interface.
|
Helper address
|
Helper address, if one is set.
|
Directed broadcast forwarding
|
Shows whether directed broadcast forwarding is enabled.
|
Outgoing access list
|
Shows whether the interface has an outgoing access list set.
|
Inbound access list
|
Shows whether the interface has an incoming access list set.
|
Proxy ARP
|
Shows whether Proxy Address Resolution Protocol (ARP) is enabled for the interface.
|
Security level
|
IP Security Option (IPSO) security level set for this interface.
|
Split horizon
|
Shows whether split horizon is enabled.
|
ICMP redirects
|
Shows whether redirect messages will be sent on this interface.
|
ICMP unreachables
|
Shows whether unreachable messages will be sent on this interface.
|
ICMP mask replies
|
Shows whether mask replies will be sent on this interface.
|
IP fast switching
|
Shows whether fast switching is enabled for this interface. It is generally enabled on serial interfaces, such as this one.
|
IP Flow switching
|
Shows whether Flow switching is enabled for this interface.
|
IP CEF switching
|
Shows whether Cisco Express Forwarding (CEF) switching is enabled for the interface.
|
Downstream VPN Routing/Forwarding "D"
|
Shows the VRF instance where the PPP peer routes and AAA per-user routes are being installed.
|
IP multicast fast switching
|
Shows whether multicast fast switching is enabled for the interface.
|
IP route-cache flags are Fast, Flow init, CEF, Ingress Flow
|
Shows whether NetFlow is enabled on an interface. Displays "Flow init" to specify that NetFlow is enabled on the interface. Displays "Ingress Flow" to specify that NetFlow is enabled on a subinterface using the ip flow ingress command. Shows "Flow" to specify that NetFlow is enabled on a main interface using the ip route-cache flow command.
|
Router Discovery
|
Shows whether the discovery process is enabled for this interface. It is generally disabled on serial interfaces.
|
IP output packet accounting
|
Shows whether IP accounting is enabled for this interface and what the threshold (maximum number of entries) is.
|
TCP/IP header compression
|
Shows whether compression is enabled.
|
WCCP Redirect outbound is disabled
|
Shows the status of whether packets received on an interface are redirected to a cache engine. Displays "enabled" or "disabled."
|
WCCP Redirect exclude is disabled
|
Shows the status of whether packets targeted for an interface will be excluded from being redirected to a cache engine. Displays "enabled" or "disabled."
|
Netflow Data Export (hardware) is enabled
|
NDE hardware flow status on the interface.
|
The following example shows how to display a summary of the usability status information for each interface:
Router# show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0 10.108.00.5 YES NVRAM up up
Ethernet1 unassigned YES unset administratively down down
Loopback0 10.108.200.5 YES NVRAM up up
Serial0 10.108.100.5 YES NVRAM up up
Serial1 10.108.40.5 YES NVRAM up up
Serial2 10.108.100.5 YES manual up up
Serial3 unassigned YES unset administratively down down
Table 134 describes the significant fields shown in the display.
Table 134 show ip interface brief Field Descriptions
Field
|
Description
|
Interface
|
Type of interface.
|
IP-Address
|
IP address assigned to the interface.
|
OK?
|
"Yes" means that the IP Address is currently valid. "No" means that the IP Address is not currently valid.
|
Method
|
The Method field has the following possible values:
• RARP or SLARP—Reverse Address Resolution Protocol (RARP) or Serial Line Address Resolution Protocol (SLARP) request.
• BOOTP—Bootstrap protocol.
• TFTP—Configuration file obtained from the TFTP server.
• manual—Manually changed by CLI command.
• NVRAM—Configuration file in NVRAM.
• IPCP—ip address negotiated command.
• DHCP—ip address dhcp command.
• unassigned—No IP address.
• unset—Unset.
• other—Unknown.
|
Status
|
Shows the status of the interface. Valid values and their meanings are:
• up—Interface is administratively up.
• down—Interface is administratively down.
• administratively down—Interface is administratively down.
|
Protocol
|
Shows the operational status of the routing protocol on this interface.
|
Related Commands
Command
|
Description
|
ip address
|
Sets a primary or secondary IP address for an interface.
|
ip vrf autoclassify
|
Enables VRF autoclassify on a source interface.
|
match ip source
|
Specifies a source IP address to match to required route maps that have been set up based on VRF connected routes.
|
route-map
|
Defines the conditions for redistributing routes from one routing protocol into another or to enable policy routing.
|
set vrf
|
Enables VPN VRF selection within a route map for policy-based routing VRF selection.
|
show ip arp
|
Displays the ARP cache, in which SLIP addresses appear as permanent ARP table entries.
|
show route-map
|
Displays static and dynamic route maps.
|
show ip ips
To display Intrusion Prevention System (IPS) information such as configured sessions and signatures, use the show ip ips command in privileged EXEC mode.
show ip ips {all | configuration | interfaces | license | name name | sessions [detail] [vrf vrf-name] | signatures [[count] [detail | engine [engine-name] | sigid [sigid [subid [subid]]]] | [statistics]] | statistics [reset] [vrf vrf-name]}
Syntax Description
all
|
Displays all available IPS information.
|
configuration
|
Displays additional configuration information, including default values that may not be displayed using the show running-config command.
|
interfaces
|
Displays the interface configuration.
|
license
|
Displays license and signature package information.
|
name name
|
Displays information only for the specified IPS rule.
|
sessions
|
Displays IPS session-related information.
|
detail
|
(Optional) Shows detailed session information.
|
vrf vrf-name
|
(Optional) Shows detailed session and latest statistics information for the specified VRF.
|
signatures
|
Displays signature information, such as which signatures are disabled and marked for deletion.
|
count
|
(Optional) Displays the number of signatures enabled, retired, and compiled.
|
detail
|
(Optional) Displays detailed signature information.
|
engine engine-name
|
(Optional) Displays signatures of a selected engine.
|
sigid sigid
|
(Optional) Displays signature ID for selected signatures.
|
subid subid
|
(Optional) Displays the sub ID for selected signatures.
|
statistics
|
(Optional) Displays the information such as the number of packets audited and the number of alarms sent.
|
statistics
|
Displays the information such as the number of packets audited and the number of alarms sent.
|
reset
|
(Optional) Resets sample output to reflect the latest statistics.
|
Command Modes
User EXEC (>)
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.0(5)T
|
This command was introduced.
|
12.3(8)T
|
This command was modified. The command name was changed from show ip audit to show ip ips. Also, all show ip ips commands were combined into a single command.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SXI.
|
12.4(20)T
|
This command was modified. The vrf keyword and vrf-name argument were added.
|
12.4(22)T
|
This command was modified. The count, detail, engine, sigid, signatures, and subid keywords and the engine-name, subid, and sigid arguments were added.
|
15.0(1)M
|
This command was modified. The license keyword was added.
|
Usage Guidelines
Use the show ip ips configuration command to display additional configuration information, including default values that may not be displayed using the show running-config command.
Examples
Sample Output for the show ip ips configuration Command
The following example displays the output of the show ip ips configuration command:
Router# show ip ips configuration
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:5 OrgID:100 Addr:10.2.7.3 Msg dropped:0
HID:1000 OID:100 S:218 A:3 H:14092 HA:7118 DA:0 R:0
CID:1 IP:172.21.160.20 P:45000 S:ESTAB (Curr Conn)
Sample Output for the show ip ips interfaces Command
The following example displays the output of the show ip ips interfaces command:
Router# show ip ips interfaces
Inbound IPS audit rule is AUDIT.1
Outgoing IPS audit rule is not set
Inbound IPS audit rule is AUDIT.1
Outgoing IPS audit rule is AUDIT.1
Sample Output for the show ip ips statistics Command
The following example displays the output of the show ip ips statistics command:
Router# show ip ips statistics
Signature audit statistics [process switch:fast switch]
signature 2000 packets audited: [0:2]
signature 2001 packets audited: [9:9]
signature 2004 packets audited: [0:2]
signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0
Sample Output for the show ip ips statistics vrf Command
The following example displays the output of the show ip ips statistics vrf vrf-name command:
Router# show ip ips statistics vrf VRF_600
Signature statistics [process switch:fast switch]
signature 5170:1 packets checked: [0:2]
Interfaces configured for ips 3
Session creations since subsystem startup or last reset 4
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:1]
Last session created 00:02:34
Last statistic reset never
TCP reassembly statistics
received 8 packets out-of-order; dropped 0
peak memory usage 12 KB; current usage: 0 KB
Sample Output for the show ip ips sessions vrf Command
The following example displays the output of the show ip ips sessions vrf vrf-name command:
Router# show ip ips sessions vrf VRF_600
Session 67D5C744 (10.0.4.2:34000)=>(10.0.6.2:23) tcp SIS_OPEN
Sample Output for the show ip ips license Command
The following example displays the output of the show ip ips license command:
Router# show ip ips license
Expiration Date: 2009-12-31
Signatures Loaded: 2009-06-25 S375
Signature Package: 2009-06-25 S375
The sample output shows the details for a valid IPS license. Note the license expiration date (2009-12-31), the version date of the existing S375 loaded signatures (2009-07-24 S375), and the version date of the last signature package (S375) loaded (2009-07-24 S375). The license is valid as the existing loaded signature version date is the same as the last signature package version date. The last signature package date (2009-07-24) is also before the license expiration date (2009-12-31).
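The validity rules just described can be applied mechanically to the command output. The following parser and check are an added example, not Cisco code; it assumes the three-line layout shown in the sample above and takes the current date from the caller. The stale variant of the display is constructed to exercise the mismatch case.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List

# Constructed copy of the show ip ips license display shown above.
SAMPLE_LICENSE = """\
Router# show ip ips license
Expiration Date: 2009-12-31
Signatures Loaded: 2009-06-25 S375
Signature Package: 2009-06-25 S375
"""

# Constructed variant: a newer package was obtained but the running
# signature set was never updated, so loaded != last package.
SAMPLE_LICENSE_STALE = """\
Expiration Date: 2009-12-31
Signatures Loaded: 2009-06-25 S375
Signature Package: 2009-08-01 S380
"""

FIELD_RE = re.compile(
    r"^(?P<key>Expiration Date|Signatures Loaded|Signature Package):\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})(?:\s+(?P<ver>S\d+))?\s*$"
)


@dataclass(frozen=True)
class IpsLicense:
    expiration: date
    loaded_date: date
    loaded_version: str
    package_date: date
    package_version: str


def parse_ips_license(text: str) -> IpsLicense:
    """Pull the three dated fields out of the display; fail loudly if one is missing."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m["key"]] = (date.fromisoformat(m["date"]), m["ver"] or "")
    missing = {"Expiration Date", "Signatures Loaded", "Signature Package"} - set(fields)
    if missing:
        raise ValueError(f"license display incomplete, missing: {sorted(missing)}")
    return IpsLicense(
        expiration=fields["Expiration Date"][0],
        loaded_date=fields["Signatures Loaded"][0],
        loaded_version=fields["Signatures Loaded"][1],
        package_date=fields["Signature Package"][0],
        package_version=fields["Signature Package"][1],
    )


def check_ips_license(lic: IpsLicense, today: date) -> List[str]:
    """Apply the validity rules stated above. An empty list means the loaded
    signatures match the last package and the package predates expiration;
    the expiry-vs-today check is the extra one an auditor wants."""
    findings = []
    if (lic.loaded_date, lic.loaded_version) != (lic.package_date, lic.package_version):
        findings.append(
            f"loaded signatures {lic.loaded_version} ({lic.loaded_date}) are not the last "
            f"package {lic.package_version} ({lic.package_date}); running set is stale"
        )
    if lic.package_date > lic.expiration:
        findings.append(
            f"last package date {lic.package_date} is after license expiration {lic.expiration}"
        )
    if today > lic.expiration:
        findings.append(f"license expired on {lic.expiration}")
    return findings


def audit_ips_license(text: str, today_iso: str) -> List[str]:
    """Convenience wrapper: raw command output plus an ISO date in, findings out."""
    return check_ips_license(parse_ips_license(text), date.fromisoformat(today_iso))
```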
Related Commands
Command
|
Description
|
clear ip ips statistics
|
Resets statistics on packets analyzed and alarms sent.
|
show ip ips auto-update
To display the automatic signature update configuration, use the show ip ips auto-update command in EXEC mode.
show ip ips auto-update
Syntax Description
This command has no arguments or keywords.
Command Default
None
Command Modes
EXEC
Command History
Release
|
Modification
|
12.4(11)T
|
This command was introduced.
|
Usage Guidelines
Automatic signature updates allow users to override the existing Intrusion Prevention System (IPS) configuration and automatically keep signatures up to date on the basis of a preset time, which can be configured to a preferred setting.
Use the show ip ips auto-update command to verify the auto update configuration.
Examples
The following example shows how to configure automatic signature updates and issue the show ip ips auto-update command to verify the configuration. In this example, the signature package file is pulled from the TFTP server at the start of every hour or every day, Sunday through Thursday. (Note that adjustments are made for months without 31 days and daylight savings time.)
Router# clock set 10:38:00 20 apr 2006
*Apr 20 17:38:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:37:55 MST
Thu Apr 20 2006 to 10:38:00 MST Thu Apr 20 2006, configured from console by cisco on
console.
Router(config)# ip ips auto-update
Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5
Router(config-ips-auto-update)# $s-auto-update/IOS_reqSeq-dw.xml
Router(config-ips-auto-update)#^Z
*May 4 2006 15:50:28 MST: IPS Auto Update: setting update timer for next update: 0 hrs 10
min
*May 4 2006 15:50:28 MST: %SYS-5-CONFIG_I: Configured from console by cisco on console
Router# show ip ips auto-update
IPS Auto Update Configuration
URL : tftp://192.168.0.2/jdoe/ips-auto-update/IOS_reqSeq-dw.xml
Username : not configured
Password : not configured
days of month (1-31) : 1-31
days of week: (0-6) : 1-5
Related Commands
Command
|
Description
|
ip ips auto-update
|
Enables automatic signature updates for Cisco IOS IPS.
|
show ip port-map
To display the port-to-application mapping (PAM) information, use the show ip port-map command in privileged EXEC mode.
show ip port-map [appl-name | port port-num [detail]]
Syntax Description
appl-name
|
(Optional) Specifies the name of the application to which to apply the port mapping.
|
port port-num
|
(Optional) Specifies the alternative port number that maps to the application.
|
detail
|
(Optional) Shows the port or application details.
|
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.0(5)T
|
This command was introduced.
|
12.3(14)T
|
The detail keyword was added and command output was modified to display user-defined applications.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Usage Guidelines
Use this command to display the port mapping information at the firewall, including the system-defined and user-defined information. Include the application name to display the list of entries by application. Include the port number to display the entries by port.
Examples
The following is sample output from the show ip port-map command, including system- and user-defined mapping information. Notice that multiple port numbers are displayed either as a list, such as 554,8554, or as a range, such as 55000-62000. When there are multiple ports, they are all displayed if they fit into the fixed-field width. If they do not fit, the list is shown truncated with an ellipsis, such as 1512...1525 below.
Default mapping: snmp udp port 161 system defined
Host specific: snmp udp port 577 in list 55 user defined
Host specific: snmp udp port 55000-62000 in list 57 user defined
Default mapping: echo tcp port 7 system defined
Default mapping: echo udp port 7 system defined
Default mapping: telnet tcp port 23 system defined
Default mapping: wins tcp port 1512...1525 system defined
Default mapping: n2h2server tcp port 9285 system defined
Default mapping: n2h2server udp port 9285 system defined
Default mapping: nntp tcp port 119 system defined
Default mapping: pptp tcp port 1725 system defined
Default mapping: rtsp tcp port 554,8554 system defined
Default mapping: bootpc udp port 68 system defined
Default mapping: gdoi udp port 848 system defined
Default mapping: tacacs udp port 49 system defined
Default mapping: gopher tcp port 70 system defined
Default mapping: icabrowser udp port 1604 system defined
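Because the display truncates long port lists, anything that consumes this output has to treat "1512...1525" differently from a range such as "55000-62000". The parser below is an added example (not Cisco code) that assumes the line layout shown above; it answers the question a firewall review usually starts with: which application does PAM map a given port to, and is that mapping user-defined?

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample: lines copied from the show ip port-map display above,
# chosen to cover each way the command renders port numbers.
SAMPLE_PORT_MAP = """\
Default mapping: snmp udp port 161 system defined
Host specific: snmp udp port 577 in list 55 user defined
Host specific: snmp udp port 55000-62000 in list 57 user defined
Default mapping: wins tcp port 1512...1525 system defined
Default mapping: rtsp tcp port 554,8554 system defined
Default mapping: icabrowser udp port 1604 system defined
"""

# One display line: scope, application, protocol, port spec, optional ACL, origin.
LINE_RE = re.compile(
    r"^(?P<scope>Default mapping|Host specific):\s+(?P<app>\S+)\s+"
    r"(?P<proto>tcp|udp)\s+port\s+(?P<ports>\S+)"
    r"(?:\s+in list\s+(?P<acl>\S+))?\s+(?P<origin>system|user) defined\s*$"
)


@dataclass(frozen=True)
class PortMapEntry:
    app: str
    proto: str
    ports: FrozenSet[int]   # port numbers actually visible in the display
    truncated: bool         # True when the display used '...' (list did not fit)
    acl: Optional[str]      # standard ACL number for host-specific entries
    user_defined: bool


def parse_port_spec(spec: str) -> Tuple[FrozenSet[int], bool]:
    """Expand '161', '554,8554' and '55000-62000'.

    '1512...1525' is NOT a range: in this command's output the ellipsis means
    the middle of the list was cut off, so only the two endpoints are known.
    """
    if "..." in spec:
        first, _, last = spec.partition("...")
        return frozenset({int(first), int(last)}), True
    ports = set()
    for piece in spec.split(","):
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(piece))
    return frozenset(ports), False


def parse_port_map(text: str) -> List[PortMapEntry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # command echo, blank lines, anything unrecognised
        ports, truncated = parse_port_spec(m["ports"])
        entries.append(PortMapEntry(
            app=m["app"], proto=m["proto"], ports=ports, truncated=truncated,
            acl=m["acl"], user_defined=(m["origin"] == "user"),
        ))
    return entries


def applications_for(entries: List[PortMapEntry], proto: str, port: int) -> Dict[str, str]:
    """Which PAM applications claim (proto, port), and how sure we can be.

    'confirmed': the port is printed in the display.
    'possible':  the port lies between the endpoints of a truncated list; the
                 display hides the middle, so 'show ip port-map port <n>' is
                 the only way to settle it.
    """
    hits: Dict[str, str] = {}
    for e in entries:
        if e.proto != proto:
            continue
        if port in e.ports:
            hits[e.app] = "confirmed"
        elif e.truncated and min(e.ports) < port < max(e.ports):
            hits.setdefault(e.app, "possible")
    return hits


def user_defined_entries(entries: List[PortMapEntry]) -> List[PortMapEntry]:
    """Host-specific mappings: these change which inspection engine the
    firewall applies to a port, so they are the entries to review first."""
    return [e for e in entries if e.user_defined]
```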
The following sample output from the show ip port-map snmp command displays information about the SNMP application:
Router# show ip port-map snmp
Default mapping: snmp udp port 161 system defined
Host specific: snmp udp port 577 in list 55 user defined
Host specific: snmp udp port 55000-62000 in list 57 user defined
The following sample output from the show ip port-map snmp detail command displays detailed information about the SNMP application:
Router# show ip port-map snmp detail
IP port-map entry for application 'snmp':
udp 161 Simple Network Management Protoco system defined
udp 577 list 55 User's SNMP Port user defined
udp 55000-62000 list 57 User's Another SNMP Port user defined
The following sample output from the show ip port-map port 577 command displays information about port 577:
Router# show ip port-map port 577
Host specific: snmp udp port 577 in list 55 user defined
The following sample output from the show ip port-map port 55800 command displays information about port 55800:
Router# show ip port-map port 55800
Host specific: snmp udp port 55800 in list 57 user defined
The following sample output from the show ip port-map port 577 detail command displays detailed information about port 577:
Router# show ip port-map port 577 detail
IP Port-map entry for port 577:
snmp udp list 55 user defined
Related Commands
Command
|
Description
|
ip port-map
|
Establishes PAM entries.
|
show ip sdee
To display Security Device Event Exchange (SDEE) notification information, use the show ip sdee command in privileged EXEC mode.
show ip sdee {[alerts] [all] [errors] [events] [configuration] [status] [subscriptions]}
Syntax Description
alerts
|
Displays the Intrusion Detection System (IDS) alert buffer.
|
all
|
Displays all information available for IDS SDEE notifications.
|
errors
|
Displays IDS SDEE error messages.
|
events
|
Displays IDS SDEE events.
|
configuration
|
Displays SDEE configuration parameters.
|
status
|
Displays the status events that are currently in the buffer.
|
subscriptions
|
Displays IDS SDEE subscription information.
|
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.3(8)T
|
This command was introduced.
|
Examples
The following is sample output from the show ip sdee alerts command. In this example, the alerts are numbered from 1 to 100 (because 100 events are currently in the event buffer). Following the alert number are 3 digits, which indicate whether the alert has been reported for the 3 possible subscriptions. In this example, these alerts have been reported for subscription number 1. The event ID is composed of the alert time and an increasing count, separated by a colon.
Router# show ip sdee alerts
Event storage:1000 events using 656000 bytes of memory
SigID SrcIP DstIP SrcPort DstPort Sev Event ID SigName
1:100 2004 10.0.0.2 10.0.0.1 8 0 2 10211478597901 ICMP Echo Req
2:100 2004 10.0.0.2 10.0.0.1 8 0 2 10211478887902 ICMP Echo Req
3:100 2004 10.0.0.2 10.0.0.1 8 0 2 10211479247903 ICMP Echo Req
4:100 2004 10.0.0.2 10.0.0.1 8 0 2 10211479457904 ICMP Echo Req
5:100 2004 10.0.0.2 10.0.0.1 8 0 2 10211479487905 ICMP Echo Req
6:100 2004 10.0.0.2 10.0.0.1 8 0 2 10211480077906 ICMP Echo Req
7:100 2004 10.0.0.2 10.0.0.1 8 0 2 10211480407907 ICMP Echo Req
...........................................................
...........................................................
96:000 2004 10.0.0.2 10.0.0.1 8 0 2 10211750898596 ICMP Echo Req
97:000 2004 10.0.0.2 10.0.0.1 8 0 2 10211750898597 ICMP Echo Req
98:000 2004 10.0.0.2 10.0.0.1 8 0 2 10211750898598 ICMP Echo Req
99:000 2004 10.0.0.2 10.0.0.1 8 0 2 10211750908599 ICMP Echo Req
100:000 2004 10.0.0.2 10.0.0.1 8 0 2 10211750918600 ICMP Echo Req
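The alert-number and subscription-flag encoding described above is easy to get wrong when this output is collected by script. The following parser is an added example, not Cisco code; it assumes the column order of the display above, and one line of the constructed sample (alert 3, flags 110) is altered to show an alert delivered to two subscriptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed excerpt of the show ip sdee alerts display above. Alert 3 has
# its flags changed to 110 to exercise the multi-subscription case.
SAMPLE_SDEE_ALERTS = """\
Event storage:1000 events using 656000 bytes of memory
SigID SrcIP DstIP SrcPort DstPort Sev Event ID SigName
1:100 2004 10.0.0.2 10.0.0.1 8 0 2 10211478597901 ICMP Echo Req
2:100 2004 10.0.0.2 10.0.0.1 8 0 2 10211478887902 ICMP Echo Req
3:110 2004 10.0.0.2 10.0.0.1 8 0 2 10211479247903 ICMP Echo Req
...........................................................
99:000 2004 10.0.0.2 10.0.0.1 8 0 2 10211750908599 ICMP Echo Req
100:000 2004 10.0.0.2 10.0.0.1 8 0 2 10211750918600 ICMP Echo Req
"""

# <alert number>:<3 subscription flags> SigID SrcIP DstIP SrcPort DstPort Sev EventID SigName
ALERT_RE = re.compile(
    r"^(?P<num>\d+):(?P<flags>[01]{3})\s+(?P<sigid>\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<sev>\d+)\s+(?P<event_id>\d+)\s+(?P<name>\S.*?)\s*$"
)


@dataclass(frozen=True)
class SdeeAlert:
    number: int
    reported_to: FrozenSet[int]  # 1-based subscription numbers the alert was delivered to
    sig_id: int
    src: str
    dst: str
    src_port: int   # for ICMP signatures this column carries the ICMP type
    dst_port: int   # and this one the ICMP code
    severity: int
    event_id: str
    name: str


def parse_sdee_alerts(text: str) -> List[SdeeAlert]:
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # storage summary, column header, '....' filler
        flags = m["flags"]
        alerts.append(SdeeAlert(
            number=int(m["num"]),
            reported_to=frozenset(i + 1 for i, f in enumerate(flags) if f == "1"),
            sig_id=int(m["sigid"]), src=m["src"], dst=m["dst"],
            src_port=int(m["sport"]), dst_port=int(m["dport"]),
            severity=int(m["sev"]), event_id=m["event_id"], name=m["name"],
        ))
    return alerts


def unreported(alerts: List[SdeeAlert]) -> List[SdeeAlert]:
    """Alerts no subscriber has fetched yet. The buffer has a fixed size
    (see 'Event storage'), so these are lost if it wraps before a collector
    opens a subscription and pulls them."""
    return [a for a in alerts if not a.reported_to]


def summarize(alerts: List[SdeeAlert]) -> Counter:
    """Count alerts per (signature id, signature name, source, destination)."""
    return Counter((a.sig_id, a.name, a.src, a.dst) for a in alerts)
```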
The following is sample output from the show ip sdee subscriptions command. In this example, SDEE is enabled, the maximum event buffer size has been set to 100, and the maximum number of subscriptions that can be open at the same time is 1.
Router# show ip sdee subscriptions
Alert buffer size:100 alerts 65600 bytes
SDEE open subscriptions: 1
Subscription ID IDS1720:0:
Client address 10.0.0.2 port 1500
Subscription opened at 13:21:30 MDT July 18 2003
Alert severity level is INFORMATIONAL
Table 135 describes the significant fields shown in the display.
Table 135 show ip sdee subscriptions Field Descriptions
Field
|
Description
|
Alert buffer size:100 alerts 65600 bytes
|
Maximum number of events that can be stored in the buffer. The maximum number of events to be stored refers to all types of events (alert, status, and error).
(This value can be changed via the ip sdee events command.)
|
Maximum subscriptions:1
|
Maximum number of subscriptions that can be open at the same time. (This value can be changed via the ip sdee subscriptions command.)
|
The following is sample output from the show ip sdee status command. In this example, the buffer is set to store a maximum of 1000 events.
Router# show ip sdee status
Event storage:1000 events using 656000 bytes of memory
1:000 22:10:58 UTC Apr 18 2003 applicationStarted STRING.UDP,0 ms
2:000 22:10:58 UTC Apr 18 2003 applicationStarted STRING.TCP,0 ms
3:000 22:10:58 UTC Apr 18 2003 applicationStarted OTHER,0 ms
4:000 22:10:58 UTC Apr 18 2003 applicationStarted SERVICE.FTP,276 ms
5:000 22:11:07 UTC Apr 18 2003 applicationStarted SERVICE.SMTP,8884 ms
6:000 22:11:07 UTC Apr 18 2003 applicationStarted SERVICE.RPC,72 ms
7:000 22:11:07 UTC Apr 18 2003 applicationStarted SERVICE.DNS,132 ms
8:000 22:11:15 UTC Apr 18 2003 applicationStarted SERVICE.HTTP,7632 ms
9:000 22:11:15 UTC Apr 18 2003 applicationStarted ATOMIC.TCP,24 ms
10:000 22:11:15 UTC Apr 18 2003 applicationStarted ATOMIC.UDP,12 ms
11:000 22:11:15 UTC Apr 18 2003 applicationStarted ATOMIC.ICMP,12 ms
12:000 22:11:15 UTC Apr 18 2003 applicationStarted ATOMIC.IPOPTIONS,8 ms
13:000 22:11:15 UTC Apr 18 2003 applicationStarted ATOMIC.L3.IP,8 ms
Related Commands
Command
|
Description
|
ip ips notify
|
Specifies the method of event notification.
|
ip sdee events
|
Sets the maximum number of SDEE events that can be stored in the event buffer.
|
ip sdee subscriptions
|
Sets the maximum number of SDEE subscriptions that can be open simultaneously.
|
show ip source-track
To display traffic flow statistics for tracked IP host addresses, use the show ip source-track command in privileged EXEC mode.
show ip source-track [ip-address] [summary | cache]
Syntax Description
ip-address
|
(Optional) Displays the IP address of the tracked host for which traffic flow information is displayed.
|
summary
|
(Optional) Displays a summary of traffic flow information that is collected for a specified host address (via the ip-address argument) or for all configured hosts.
|
cache
|
(Optional) Displays detailed packet and flow information that is collected on line cards and port adapters for all tracked IP addresses or for a specified IP address (not displayed on a distributed platform such as the gigabit route processor (GRP) or route switch processor (RSP)).
|
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.0(21)S
|
This command was introduced.
|
12.0(22)S
|
This command was implemented on the Cisco 7500 series routers.
|
12.0(26)S
|
This command was implemented on Cisco 12000 series ISE line cards.
|
12.3(7)T
|
This command was integrated into Cisco IOS Release 12.3(7)T.
|
12.2(25)S
|
This command was integrated into Cisco IOS Release 12.2(25)S.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Examples
The following example, which is sample output from the show ip source-track summary command, shows how to verify that IP source tracking is enabled for one or more hosts:
Router# show ip source-track summary
Address Bytes Pkts Bytes/s Pkts/s
10.0.0.1 119G 1194M 443535 4432
192.168.1.1 119G 1194M 443535 4432
192.168.42.42 119G 1194M 443535 4432
The following example, which is sample output from the show ip source-track summary command, shows how to verify that no traffic has yet been received for the destination hosts that are being tracked:
Router# show ip source-track summary
Address Bytes Pkts Bytes/s Pkts/s
The following example, which is sample output from the show ip source-track command, shows that IP source tracking is processing packets to the hosts and exporting statistics from the line card or port adapter to the route processor:
Router# show ip source-track
Address SrcIF Bytes Pkts Bytes/s Pkts/s
10.0.0.1 PO0/0 119G 1194M 513009 5127
192.168.1.1 PO0/0 119G 1194M 513009 5127
192.168.42.42 PO0/0 119G 1194M 513009 5127
Related Commands
Command
|
Description
|
ip source-track
|
Enables IP source tracking for a specified host.
|
ip source-track address-limit
|
Configures the maximum number of destination hosts that can be simultaneously tracked at any given moment.
|
ip source-track syslog-interval
|
Sets the time interval (in minutes) in which syslog messages are generated if IP source tracking is enabled on a device.
|
show ip source-track export flows
To display the last ten packet flows that were exported from the line card to the route processor, use the show ip source-track export flows command in privileged EXEC mode.
show ip source-track export flows
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.0(21)S
|
This command was introduced.
|
12.0(22)S
|
This command was implemented on the Cisco 7500 series routers.
|
12.0(26)S
|
This command was implemented on Cisco 12000 series ISE line cards.
|
12.3(7)T
|
This command was integrated into Cisco IOS Release 12.3(7)T.
|
12.2(25)S
|
This command was integrated into Cisco IOS Release 12.2(25)S.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Usage Guidelines
The show ip source-track export flows command can be issued only on distributed platforms such as the GRP and the RSP.
Examples
The following example displays the packet flow information that is exported from line cards and port adapters to the gigabit route processor (GRP) and the route switch processor (RSP):
Router# show ip source-track export flows
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
PO0/0 10.1.1.0 Null 10.1.1.1 06 0000 0000 88K
PO0/0 10.1.1.0 Null 10.1.1.3 06 0000 0000 88K
PO0/0 10.1.1.0 Null 10.1.1.2 06 0000 0000 88K
Related Commands
Command
|
Description
|
ip source-track
|
Enables IP source tracking for a specified host.
|
ip source-track export-interval
|
Sets the time interval (in seconds) in which IP source tracking statistics are exported from the line card to the RP.
|
show ip ssh
To display the version and configuration data for Secure Shell (SSH), use the show ip ssh command in privileged EXEC mode.
show ip ssh
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.0(5)S
|
This command was introduced.
|
12.1(1)T
|
This command was integrated into Cisco IOS Release 12.1 T.
|
12.1(5)T
|
This command was modified to display the SSH status—enabled or disabled.
|
12.2(17a)SX
|
This command was integrated into Cisco IOS Release 12.2(17a)SX.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
Usage Guidelines
Use the show ip ssh command to view the status of configured options such as retries and timeouts. This command allows you to see if SSH is enabled or disabled.
Examples
The following is sample output from the show ip ssh command when SSH has been enabled:
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
The following is sample output from the show ip ssh command when SSH has been disabled:
%SSH has not been enabled
Related Commands
Command
|
Description
|
show ssh
|
Displays the status of SSH server connections.
|
show ip traffic-export
To display information related to router IP traffic export (RITE), use the show ip traffic-export command in privileged EXEC mode.
show ip traffic-export [interface interface-name | profile profile-name]
Syntax Description
interface interface-name
|
(Optional) Only data associated with the monitored ingress interface is shown.
|
profile profile-name
|
(Optional) Only flow statistics, such as exported packets and number of bytes, are shown.
|
Defaults
If this command is enabled, all data (both interface- and profile-related data) is shown.
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
12.2(25)S
|
This command was integrated into Cisco IOS Release 12.2(25)S.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Examples
The following sample output from the show ip traffic-export command is for the profile "one." This example is for a single configured interface. If multiple interfaces are configured, the information shown below is displayed for each interface.
Router# show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface FastEthernet0/0
Export Interface FastEthernet0/1
Destination MAC address 0030.7131.abfc
bi-directional traffic export is off
Input IP Traffic Export Information
Packets/Bytes Exported 0/0
Packets Dropped 0
Sampling Rate one-in-every 1 packets
No Access List configured
Table 136 describes the significant fields shown in the display.
Table 136 show ip traffic-export Field Descriptions
Field
|
Description
|
Monitored Interface
|
Interface on which the profile was applied. (This interface is specified via the ip traffic-export apply profile command.)
|
Export Interface
|
Interface through which the profile exports all captured IP traffic. (This interface is specified via the ip traffic-export profile command.)
|
Destination MAC address
|
Ethernet address of the destination host, which is specified via the mac-address command.
|
bi-directional traffic export is
|
Incoming and outgoing IP traffic is exported on the monitored interface (via the bidirectional command). By default, only incoming traffic is exported.
|
Input IP Traffic Export Information
Packets Dropped
Sampling Rate
No Access List Configured
Profile one is Active
|
Incoming IP traffic information. The sampling rate and ACL can be defined via the incoming command. If the profile is incomplete, the profile will be listed as inactive.
|
Related Commands
Command | Description
bidirectional | Enables incoming and outgoing IP traffic to be exported across a monitored interface.
ip traffic-export apply profile | Applies an IP traffic export profile to a specific interface.
ip traffic-export profile | Creates or edits an IP traffic export profile and enables the profile on an ingress interface.
incoming | Configures filtering for incoming export traffic.
outgoing | Configures filtering for outgoing export traffic.
show ip trigger-authentication
To display the list of remote hosts for which automated double authentication has been attempted, use the show ip trigger-authentication command in privileged EXEC mode.
show ip trigger-authentication
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release | Modification
11.3 T | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Whenever a remote user needs to be user-authenticated in the second stage of automated double authentication, the local device sends a User Datagram Protocol (UDP) packet to the remote user's host. When the UDP packet is sent, the user's host IP address is added to a table. If additional UDP packets are sent to the same remote host, a new table entry is not created; instead, the existing entry is updated with a new time stamp. This remote host table contains a cumulative list of host entries; entries are deleted after a timeout period or after you manually clear the table using the clear ip trigger-authentication command. You can change the timeout period with the ip trigger-authentication (global) command.
Use this command to view the list of remote hosts for which automated double authentication has been attempted.
Examples
The following example shows output from the show ip trigger-authentication command:
Router# show ip trigger-authentication
Trigger-authentication Host Table:
209.165.200.230 2940514234
This output shows that automated double authentication was attempted for a remote user; the remote user's host has the IP address 209.165.200.230. The attempt to automatically double authenticate occurred when the local host (myfirewall) sent the remote host (209.165.200.230) a packet to UDP port 7500. (The default port was not changed in this example.)
Related Commands
Command | Description
clear ip trigger-authentication | Clears the list of remote hosts for which automated double authentication has been attempted.
show ip trm config
To display the configuration information for the Trend Router Provisioning Server (TRPS), use the show ip trm config command in privileged EXEC mode.
show ip trm config
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release | Modification
12.4(15)XZ | This command was introduced.
12.4(20)T | This command was integrated into Cisco IOS Release 12.4(20)T.
Usage Guidelines
Use the show ip trm config command to display information about the TRPS. The output shows both the current configuration and the default configuration.
Examples
The following shows sample output from the show ip trm config command when the router is registered with the TRPS named trps.example.com:
Router# show ip trm config
Server: trps.trendmicro.com ( Default )
Table 137 describes the significant fields shown in the display.
Table 137 show ip trm config Field Descriptions
Field | Description
Server | The name of the TRPS.
HTTPS Port | The port on which the TRPS listens for secure HTTP requests.
HTTP Port | The port on which the TRPS listens for HTTP requests.
Status | The status of the named TRPS: either Active or Standby.
Related Commands
Command | Description
show ip trm subscription status | Displays the status of the subscription with Trend Micro.
show ip trm subscription status
To display information about the status of the Trend Micro subscription, use the show ip trm subscription status command in privileged EXEC mode.
show ip trm subscription status
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release | Modification
12.4(15)XZ | This command was introduced.
12.4(20)T | This command was integrated into Cisco IOS Release 12.4(20)T.
Usage Guidelines
Use the show ip trm subscription status command to display the status of the Trend Micro subscription. If the router is registered with the Trend Router Provisioning Server (TRPS), the router displays the subscription status information. If the router is not registered with the TRPS, a message indicating that the router is not registered is displayed.
Examples
The following shows sample output from the show ip trm subscription status command when the router is registered with the TRPS:
Router# show ip trm subscription status
Package Name: Security & Productivity
------------------------------------------------
Status Update Time: 08:55:07 MDT Thu Apr 3 2008
Expiration-Date: Tue Jul 21 10:12:59 2020
Last Req Status: Processed response successfully
Last Req Sent Time: 08:55:07 MDT Thu Apr 3 2008
Table 138 describes the significant fields shown in the display.
Table 138 show ip trm subscription status Field Descriptions
Field | Description
Status | Displays the status of the Trend Micro subscription.
Status Update Time | Displays the time and date that the status of the Trend Micro subscription was last updated.
Expiration Date | Displays the date and time that the Trend Micro subscription expires.
Last Req Status | Displays the status of the most recent request.
Last Req Sent Time | Displays the time and date of the most recent lookup request to the TRPS.
Related Commands
Command | Description
show ip trm config | Displays information about the TRPS.
show ip urlfilter cache
To display the maximum number of entries that the cache table can hold, the number of entries currently cached, and the destination IP addresses that are cached, use the show ip urlfilter cache command in privileged EXEC mode.
show ip urlfilter cache [vrf vrf-name]
Syntax Description
vrf vrf-name | (Optional) Displays the information only for the specified Virtual Routing and Forwarding (VRF) interface.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.2(11)YU | This command was introduced.
12.2(15)T | This command was integrated into Cisco IOS Release 12.2(15)T.
12.3(14)T | The vrf vrf-name keyword/argument pair was added.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Examples
The following example is sample output from the show ip urlfilter cache command:
Router# show ip urlfilter cache
Maximum number of entries allowed: 5000
Number of entries cached: 5
Table 139 describes the significant fields shown in the display.
Table 139 show ip urlfilter cache Field Descriptions
Field | Description
Maximum number of entries allowed | Maximum number of destination IP addresses that can be cached into the cache table. This parameter can be configured using the ip urlfilter cache command. (The default is 5000.)
Number of entries cached | Number of entries that have already been cached into the cache table.
IP addresses cached | IP addresses that have already been cached into the cache table.
Related Commands
Command | Description
clear ip urlfilter cache | Clears the cache table.
ip urlfilter cache | Configures cache parameters.
show ip urlfilter config
To display the size of the cache, the maximum number of outstanding requests, the allow mode state, and the list of configured vendor servers, use the show ip urlfilter config command in EXEC mode.
show ip urlfilter config [vrf vrf-name]
Syntax Description
vrf vrf-name | (Optional) Displays the information only for the specified Virtual Routing and Forwarding (VRF) interface.
Command Modes
EXEC
Command History
Release | Modification
12.2(11)YU | This command was introduced.
12.2(15)T | This command was integrated into Cisco IOS Release 12.2(15)T.
12.3(14)T | The vrf vrf-name keyword/argument pair was added.
Examples
The following example is sample output from the show ip urlfilter config command:
Router# show ip urlfilter config
Primary Websense server configurations
===========================
Websense server IP address: 10.0.0.3
Websense server port: 15868
Websense retransmit time out: 5 (seconds)
Websense number of retransmit:2
Secondary Websense server configurations:
==============================
Log message on the router: OFF
Log message on URL filter server:ON
Maximum number of cache entries :5000
Cache timeout :12 (hours)
Maximum number of packet buffers:200
Maximum outstanding requests:1000
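As an added example (not part of this Cisco reference), a small Python parser for the show ip urlfilter config output shown above: it separates the primary and secondary server sections from the global settings and flags two things a reviewer looks for, an unconfigured secondary server (no failover) and router-side logging turned off. The field names come from the sample output; the checks are this example's own.

```python
import re
# Sample output copied from this page's show ip urlfilter config example.
SAMPLE = """\
Primary Websense server configurations
===========================
Websense server IP address: 10.0.0.3
Websense server port: 15868
Websense retransmit time out: 5 (seconds)
Websense number of retransmit:2
Secondary Websense server configurations:
==============================
Log message on the router: OFF
Log message on URL filter server:ON
Maximum number of cache entries :5000
Cache timeout :12 (hours)
Maximum number of packet buffers:200
Maximum outstanding requests:1000
"""

# "key : value" lines, tolerating the uneven spacing around the colon.
KV = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>\S.*?)\s*$")

def parse_urlfilter_config(text):
    """Return {'primary': {...}, 'secondary': {...}, 'global': {...}}."""
    sections = {"primary": {}, "secondary": {}, "global": {}}
    current = "global"
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"="}:
            continue  # blank line or "====" underline
        header = re.match(r"^(Primary|Secondary) Websense server", line)
        if header:
            current = header.group(1).lower()  # server lines follow
            continue
        m = KV.match(line)
        if m:
            key, val = m.group("key"), m.group("val")
            # Only "Websense ..." lines are per-server; the rest is global.
            bucket = current if key.startswith("Websense") else "global"
            sections[bucket][key] = val
    return sections

def audit_urlfilter_config(text):
    # Flag a missing failover server and disabled router-side logging.
    cfg = parse_urlfilter_config(text)
    findings = []
    if not cfg["secondary"]:
        findings.append("no secondary URL filter server: no failover")
    if cfg["global"].get("Log message on the router", "").upper() == "OFF":
        findings.append("router-side URL filter logging is OFF")
    return findings
```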
Related Commands
Command | Description
ip urlfilter allowmode | Turns on the default mode (allow mode) of the filtering algorithm.
ip urlfilter cache | Configures cache parameters.
ip urlfilter max-request | Sets the maximum number of outstanding requests that can exist at any given time.
ip urlfilter server vendor | Configures a vendor server for URL filtering.
show ip urlfilter statistics
To display URL filtering statistics, use the show ip urlfilter statistics command in privileged EXEC mode.
show ip urlfilter [mib] statistics [vrf vrf-name] [{global | server {ip-address [port] | all}}]
Syntax Description
mib | (Optional) Displays statistics only for firewall MIB events.
vrf vrf-name | (Optional) Displays the information only for the specified Virtual Routing and Forwarding (VRF) interface. Note: The firewall MIB is not yet VRF aware; thus, this option is not supported if the mib keyword is used.
global | (Optional) Displays global URL filtering statistics.
server ip-address | (Optional) Displays statistics for the server specified via IP address.
server port | (Optional) Displays statistics for the server specified via IP address and port. Note: You must issue the ip-address argument before issuing the port argument.
all | (Optional) Displays statistics for all configured servers.
Command Modes
Privi