Table Of Contents

show parameter-map type consent

show parameter-map type inspect

show parameter-map type protocol-info

show parameter-map type inspect-vrf

show parameter-map type inspect-zone

show parameter-map type regex

show parameter-map type trend-global

show parameter-map type urlf-glob

show parameter-map type urlfilter

show parameter-map type urlfpolicy

show parser view

show platform hardware qfp feature

show platform hardware qfp act feature ipsec datapath memory

show platform software ipsec f0 encryption-processor registers

show policy-firewall config

show policy-firewall mib

show policy-firewall session

show policy-firewall stats

show policy-firewall stats vrf

show policy-firewall stats vrf global

show policy-firewall stats zone

show policy-firewall summary-log

show policy-map type inspect

show policy-map type inspect urlfilter

show policy-map type inspect zone-pair

show policy-map type inspect zone-pair urlfilter

show port-security

show ppp queues

show pppoe session

show private-hosts access-lists

show private-hosts configuration

show private-hosts interface configuration

show private-hosts mac-list

show privilege

show radius local-server statistics

show radius server-group

show radius statistics

show radius table attributes

show redundancy application control-interface group

show redundancy application data-interface

show redundancy application faults group

show redundancy application group

show redundancy application if-mgr

show redundancy application protocol

show redundancy application transport

show redundancy linecard-group

show running-config

show running-config vrf

show sasl

show secure bootset

show smm

show snmp mib nhrp status

show ssh

show ssl-proxy module state

show tacacs

show tcp intercept connections

show tcp intercept statistics

show tech-support

show tech-support ipsec

show tunnel endpoints

show usb controllers

show usb device

show usb driver

show usb port

show usb tree

show usbtoken

show user-group

show users

show parameter-map type consent

To display consent parameter map information, use the show parameter-map type consent command in privileged EXEC mode.

show parameter-map type consent [parameter-map-name | default]

Syntax Description

parameter-map-name	(Optional) Name of the parameter map.
default	(Optional) Specifies default consent parameter map information.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(15)T	This command was introduced.
12.4(20)T	The command was modified. The parameter-map-name argument was added.

Examples

The following is sample output from the show parameter-map type consent command. The fields are self-explanatory.

Router# show parameter-map type consent

parameter-map type consent map1

    Syslog : Enabled

    File download time(in minutes) : 456

    Number of Accepted Users : 0

    Number of Denied Users : 0

show parameter-map type inspect

To display user-configured or default inspect type parameter maps, use the show parameter-map type inspect command in privileged EXEC mode.

show parameter-map type inspect [default | global]

Syntax Description

default	(Optional) Displays the default inspect type parameter map values. Note Use this keyword when no parameter map is attached to the inspect action.
global	(Optional) Displays the default inspect type parameter map values.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(6)T	This command was introduced.
15.1(1)T	The global keyword was added.

Examples

The following is sample output from the show parameter-map type inspect command. The field descriptions are self-explanatory.

Router# show parameter-map type inspect 

audit-trail off

 alert on

 max-incomplete low 2147483647 

 max-incomplete high 2147483647 

 one-minute low 2147483647

 one-minute high 2147483647

 udp idle-time 30

 icmp idle-time 10

 dns-timeout 5

 tcp idle-time 3600

 tcp finwait-time 5

 tcp synwait-time 30

 tcp max-incomplete host 4294967295 block-time 0

 sessions maximum 2147483647

The following is sample output with the default keyword. The field descriptions are self-explanatory.

Router# show parameter-map type inspect default 

parameter-map type inspect default values

 audit-trail off

 alert on

 max-incomplete low unlimited 

 max-incomplete high unlimited 

 one-minute low unlimited

 one-minute high unlimited

 udp idle-time 30

 icmp idle-time 10

 dns-timeout 5

 tcp idle-time 3600

 tcp finwait-time 5

 tcp synwait-time 30

 tcp max-incomplete host 50 block-time 0

The following is sample output with the global keyword. The field descriptions are self-explanatory.

Router# show parameter-map type inspect global

alert on

 sessions maximum 2147483647

 waas disabled

 l2-transparent dhcp-passthrough disabled

 log dropped-packets disabled

 log summary disabled

 max-incomplete low 2147483647

 max-incomplete high 2147483647

 one-minute low 2147483647

 one-minute high 2147483647

show parameter-map type protocol-info

To display protocol parameter map information, use the show parameter-map type protocol-info command in privileged EXEC mode.

show parameter-map type protocol-info [parameter-map-name [dns-cache] | dns-cache | msrpc | zone-pair zone-pair-name | stun-ice [parameter-map-name]]

Syntax Description

parameter-map-name	(Optional) Name of the parameter map.
dns-cache	(Optional) Displays the protocol information about the Domain Name System (DNS) cache.
msrpc	(Optional) Displays the protocol information about the Microsoft Remote Procedure Call (MSRPC) parameter map.
zone-pair zone-pair-name	(Optional) Specifies the name of the zone pair.
stun-ice	(Optional) Displays the protocol information of Session Traversal Utilities for Network Address Translation (NAT) and Interactive Connectivity Establishment (STUN-ICE). STUN is an Internet standards-track suite of methods, including a network protocol, used in NAT traversal for applications of real-time voice, video, messaging, and other interactive IP communications. ICE is a technique used in computer networking involving NATs in Internet applications of VoIP, peer-to-peer communications, video, instant messaging, and other interactive media. In such applications, NAT traversal is an important component to facilitate communications involving hosts on private network installations, which often are located behind firewalls.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(11)T	This command was introduced.
12.4(22)T	The command was modified. The stun-ice keyword was added.
15.1(4)M	This command was modified. The msrpc keyword was added.

Examples

The following is sample output from the show parameter-map type protocol-info command. The fields are self-explanatory.

Router# show parameter-map type protocol-info

parameter-map type protocol-info map2

  server ip 192.168.1.1

Related Commands

Command	Description
parameter-map type protocol-info	Creates or modifies a protocol-specific parameter map and enters parameter-map type configuration mode.

show parameter-map type inspect-vrf

To display information about the configured inspect VPN Routing and Forwarding (VRF) type parameter map, use the show parameter-map type inspect-vrf command in user EXEC or privileged EXEC mode.

show parameter-map type inspect-vrf [name | default]

Syntax Description

name	(Optional) Name of the inspect VRF type parameter map.
default	(Optional) Specifies the default inspect VRF type parameter map.

Command Default

This command has no default settings.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release	Modification
Cisco IOS XE Release 3.3S	This command was introduced.

Examples

The following is sample output from the show parameter-map type inspect-vrf command:

Router# show parameter-map type inspect-vrf vpmap01

  VRF: vrf001, Parameter-Map: vpmap01

       total_session_cnt: 3500

       exceed_cnt:        40

       tcp_half_open_cnt: 3520

       syn_exceed_cnt:    40

Table 168 describes the significant fields shown in the display.

Table 168 show parameter-map type inspect-vrf Field Descriptions 

Field	Description
total_session_cnt	Total session count.
exceed_cnt	Number of sessions that exceeded the configured session count.
tcp_half_open_cnt	TCP half-open sessions configured for each VRF. When the configured session limit is reached, the TCP synchronization (SYN) cookie verifies the source of the half-open TCP sessions before creating more sessions. A TCP half-open session is a session that has not reached the established state.
syn_exceed_count	Number of SYN packets that exceeded the configured SYN flood rate limit.

Related Commands

Command	Description
parameter-map type inspect-vrf	Configures an inspect VRF type parameter map.

show parameter-map type inspect-zone

To display information about the configured inspect zone-type parameter map, use the show parameter-map type inspect-zone command in user EXEC or privileged EXEC mode.

show parameter-map type inspect-zone [name | default]

Syntax Description

name	(Optional) Name of the inspect zone-type parameter map.
default	(Optional) Specifies the default inspect zone-type parameter map.

Command Default

This command has no default settings.

Command Modes

User EXEC (>)
Privileged EXEC(#)

Command History

Release	Modification
Cisco IOS XE Release 3.3S	This command was introduced.

Examples

The following is sample output from the show parameter-map type inspect-zone command:

Router# show parameter-map type inspect-zone zone-pmap 

parameter-map type inspect-zone zone-pmap

 tcp syn-flood-rate 400 

 max-destination 10000 

Table 169 describes the fields shown in the display.

Table 169 show parameter-map type inspect-zone Field Descriptions 

Field	Description
parameter-map type inspect-zone	Name of the inspect zone-type parameter map.
tcp syn-flood-rate	TCP synchronization (SYN) flood rate limit. When the configured maximum packet rate is reached, the TCP SYN cookie protection is triggered.
max-destination	Maximum number of destinations that a firewall can track.

Related Commands

Command	Description
parameter-map type inspect-zone	Configures an inspect zone-type parameter map.

show parameter-map type regex

To display regex parameter-map information, use the show parameter-map type regex command in privileged EXEC mode.

show parameter-map type regex [parameter-map-name]

Syntax Description

parameter-map-type

(Optional) Name of the parameter map.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(11)T	This command was introduced.

Examples

The following is sample output from the show parameter-map type regex command. The fields are self-explanatory.

Router# show parameter-map type regex

parameter-map type regex map3

 pattern x*y

show parameter-map type trend-global

To display the parameter map for the global parameters for a Trend Micro URL filtering policy, use the show parameter-map type trend-global command in privileged EXEC mode.

show parameter-map type trend-global [parameter-map-name] [default]

Syntax Description

parameter-map-name	(Optional) The name of the parameter map for which to display parameters.
default	(Optional) Specifies that the default values for the global Trend Micro filtering parameters be displayed.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(15)XZ	This command was introduced.
12.4(20)T	This command was integrated into Cisco IOS Release 12.4(20)T.

Usage Guidelines

Use the show parameter-map type trend-global command to display the global parameters for Trend Micro URL filtering policies.

Examples

The following is sample output from the show parameter-map type trend-global default command:

Router# show parameter-map type trend-global default 

parameter-map type trend-global default values

   server trps.trendmicro.com http-port 80 https-port 443 retrans 3 timeout 60 

   alert on

   cache-size 256 KB

   cache-lifetime 24

The following is sample output from the show parameter-map type trend-global command when the server name and maximum cache size have been specified in the parameter map Global-Parameters:

Router# show parameter-map type trend-global Global-Parameters 

parameter-map type trend-global Global-Parameters

   server trps1.example.com http-port 80 https-port 443 retrans 3 timeout 60 

   alert on

   cache-size 300 KB

   cache-lifetime 24

Related Commands

Command	Description
show parameter-map type urlfpolicy	Displays the parameters for a URL filtering policy.

show parameter-map type urlf-glob

To display the parameter maps for local URL filtering, use the show parameter-map type urlf-glob command in privileged EXEC mode.

show parameter-map type urlf-glob [parameter-map-name]

Syntax Description

parameter-map-name

(Optional) Name of the URL filtering parameter map to display.

Command Default

The parameter maps for all local URL filtering policies are displayed.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(15)XZ	This command was introduced.
12.4(20)T	This command was integrated into Cisco IOS Release 12.4(20)T.

Usage Guidelines

Use the show parameter-map type urlf-glob command to display the parameter maps for local URL filtering policies.

Examples

The following is sample output from the show parameter-map type urlf-glob command when two parameter maps for local URL filtering have been configured:

Router# show parameter-map type urlf-glob 

parameter-map type urlf-glob trusted-domain-param

 pattern www.example.com

 pattern *.example1.com

parameter-map type urlf-glob untrusted-domain-param

 pattern www.example3.com

 pattern *.example4.com

Related Commands

Command	Description
show parameter-map type trend-global	Displays the global parameters for a Trend Micro URL filtering policy.
show parameter-map type urlfpolicy	Displays the parameters for a URL filtering policy.

show parameter-map type urlfilter

---

Note Effective with Cisco IOS Release 12.4(15)XZ, the show parameter-map type urlfilter command is not available in Cisco IOS software.

---

To display user-configured or default URL filter type parameter maps, use the show parameter-map type urlfilter command in privileged EXEC mode.

show parameter-map type urlfilter [default]

Syntax Description

default

(Optional) Displays the default urlfilter parameter map values. Note If this keyword is not issued, user-configured parameter maps will be displayed.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(6)T	This command was introduced.
12.4(15)XZ	This command was removed.

Examples

The following example shows sample output from the show parameter-map type urlfilter command:

Router# show parameter-map type urlfilter 

 parameter-map type urlfilter default values

  urlf-server-log off

  audit-trail off

  alert on

  max-request 1000

  max-resp-pak 200

  source-interface default

  allow-mode off

  cache 5000

The following example shows sample output from the show parameter-map type urlfilter default command:

Router# show parameter-map type urlfilter default

parameter-map type urlfilter default values

 urlf-server-log off

 audit-trail off

 alert on

 max-request 1000

 max-resp-pak 200

 source-interface default

 allow-mode off

 cache 5000

show parameter-map type urlfpolicy

To display the parameter maps associated with a URL filtering policy, use the show parameter-map type urlfpolicy command in privileged EXEC mode.

show parameter-map type urlfpolicy {local | trend | n2h2 | websense}
[parameter-map-name] [default]

Syntax Description

local	Specifies that the parameters for local URL filtering policies be displayed.
trend	Specifies that the parameters for Trend Micro URL filtering policies be displayed.
n2h2	Specifies that the parameters for SmartFilter URL filtering policies be displayed.
websense	Specifies that the parameters for Websense URL filtering policies be displayed.
parameter-map-name	(Optional) The name of the parameter map for a URL filtering policy to be displayed.
default	(Optional) Displays the default values for the URL filtering policy. Note If this keyword is not issued, user-configured values will be displayed.

Command Default

The parameter maps for all URL filtering policies of the type specified (local, trend, n2h2, or websense) are displayed.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(15)XZ	This command was introduced.
12.4(20)T	This command was integrated into Cisco IOS Release 12.4(20)T.

Examples

The following example shows the default values for a Websense URL filtering policy:

Router# show parameter-map type urlfpolicy websense default

 parameter-map type urlfilter websense default values

  urlf-server-log off

  audit-trail off

  alert on

  max-request 1000

  max-resp-pak 200

  source-interface default

  allow-mode off

  cache 5000

show parser view

To display command-line interface (CLI) view information, use the show parser view command in privileged EXEC mode.

show parser view [all]

Syntax Description

all	(Optional) Displays information about all CLI views that are configured on the router.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.3(7)T	This command was introduced.
12.2(33)SRB	This command was integrated into Cisco IOS Release 12.2(33)SRB.
Cisco IOS XE Release 2.1	This command was integrated into Cisco IOS XE Release 2.1
12.2(33)SXI	This command was integrated into Cisco IOS Release 12.2(33)SXI.

Usage Guidelines

The show parser view command will display information only about the view that the user is currently in. This command is available for both root view users and lawful intercept view users—except for the all keyword, which is available only to root view users. However, the all keyword can be configured by a user in root view to be available for users in lawful intercept view.

The show parser view command cannot be excluded from any view.

Examples

The following example shows how to display information from the root view and the CLI view "first":

Router# enable view

Router# 

01:08:16:%PARSER-6-VIEW_SWITCH:successfully set to view 'root'.

Router# 

! Enable the show parser view command from the root view

Router# show parser view 

Current view is 'root'

! Enable the show parser view command from the root view to display all views

Router# show parser view all 

Views Present in System:

View Name:   first 

View Name:   second 

! Switch to the CLI view "first."

Router# enable view first 

Router#

01:08:09:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'.

! Enable the show parser view command from the CLI view "first."

Router# show parser view

Current view is 'first'

Related Commands

Command	Description
parser view	Creates or changes a CLI view and enters view configuration mode.

show platform hardware qfp feature

To display feature-specific information in the Cisco Quantum Flow Processor (QFP), use the show platform hardware qfp feature command in privileged EXEC mode.

show platform hardware qfp {active | standby} feature alg {memory | statistics [protocol | clear [clear]]}

Syntax Description

active	Displays the active instance of the processor.
standby	Displays the standby instance of the processor.
alg	Displays the Application Level Gateway (ALG) information of the processor.
memory	Displays ALG memory usage information of the processor.
statistics	Displays ALG common statistics information of the processor.
protocol	Protocol name. It can be one of the following values: •dns —Displays Domain Name System (DNS) ALG information in the QFP datapath. •exec—Displays exec ALG information in the QFP datapath. •ftp—Displays FTP ALG information in the QFP datapath. •h323—Displays H.323 ALG information in the QFP datapath. •http—Displays HTTP ALG information in the QFP datapath. •imap—Displays Internet Message Access Protocol (IMAP) ALG information in the QFP datapath. •ldap—Displays Lightweight Directory Access Protocol (LDAP) ALG information in the QFP datapath. •login—Displays login ALG information in the QFP datapath. •netbios—Displays Network Basic Input Output System (NetBIOS) ALG information in the QFP datapath. •pop3—Displays pop3 ALG information in the QFP datapath. •rtsp—Displays Rapid Spanning Tree Protocol (RSTP) ALG information in the QFP datapath. •shell—Displays shell ALG information in the QFP datapath. •sip—Displays Session Initiation Protocol (SIP) ALG information in the QFP datapath. •skinny—Displays skinny ALG information in the QFP datapath. •smtp—Displays Simple Mail Transfer Protocol (SMTP) ALG information in the QFP datapath. •sunrpc—Displays Sun RPC ALG information in the QFP datapath. •tftp—Displays TFTP ALG information in the QFP datapath.
clear	Clears ALG common counters after display.
clear	(Optional) Clears the ALG counters.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
Cisco IOS XE Release 2.2	This command was introduced.
Cisco IOS XE Release 3.1S	This command was modified. Support for the NetBIOS protocol was added.
Cisco IOS XE Release 3.2S	This command was modified. The show output was modified to display SIP statistics information.

Usage Guidelines

The show platform hardware qfp feature command when used with the netbios keyword displays the NetBIOS ALG memory usage and statistics information of the processor.

Examples

The following example displays the NetBIOS ALG statistics information of the processor:

Router# show platform hardware qfp active feature alg statistics netbios 

NetBIOS ALG Statistics:

  No. of allocated chunk elements in L7 data pool:0

  No. of times L7 data is allocated:0  No. of times L7 data is freed:0

  Datagram Service statistics

    Total packets            :0

    Direct unique packets    :0

    Direct group packets     :0

    Broadcast packets        :0

    DGM Error packets        :0

    Query request packets    :0

    Positive Qry response packets :0

    Netgative Qry response packets:0

    Unknown packets          :0

    Total error packets      :0

  Name Service statistics

    Total packets            :0

    Query request packets    :0

    Query response packets   :0

    Registration req packets :0

    Registration resp packets:0

    Release request packets  :0

    Release response packets :0

    WACK packets             :0

    Refresh packets          :0

    Unknown packets          :0

    Total error packets      :0

  Session Service statistics

    Total packets            :0

    Message packets          :0

    Request packets          :0

    Positive response packets:0

    Negative response packets:0

    Retarget response packets:0

    Keepalive packets        :0

    Unknown packets          :0

    Total error packets      :0

Table 170 describes the significant fields shown in the display.

Table 170 show platform hardware qfp feature Field Descriptions 

Field	Description
No. of allocated chunk elements in L7 data pool	Number of memory chunks allocated for processing NetBIOS packets.
No. of times L7 data is allocated:0 No. of times L7 data is freed	Number of times memory is allocated and freed for processing NetBIOS packets.
Direct unique packets	Number of direct unique NetBIOS packets processed.
Direct group packets	Number of direct group NetBIOS packets processed.
Broadcast packets	Number of broadcast NetBIOS packets processed.
DGM Error packets	Number of Datagram Error NetBIOS packets processed.
Query request packets	Number of query request NetBIOS packets processed.
Positive Qry response packets	Number of positive query response NetBIOS packets processed.
Negative Qry response packets	Number of negative query response NetBIOS packets processed.
Unknown packets	Number of unknown packets.
Total error packets	Counter tracking number of error packets.

The following example displays SIP statistics information of the processor. The field descriptions are self-explanatory.

Router# show platform hardware qfp active feature alg statistics sip 

SIP info pool used chunk entries number: 0

RECEIVE 
Register: 0 -> 200-OK: 0 
Invite: 0 -> 200-OK: 0 Re-invite 0 
Update: 0 -> 200-OK: 0 
Bye: 0 -> 200-OK: 0 
Trying: 0 Ringing: 0 Ack: 0 
Info: 0 Cancel: 0 Sess Prog: 0 
Message: 0 Notify: 0 Prack: 0 
OtherReq: 0 OtherOk: 0 

Events 
Null dport: 0 Media Port Zero: 0 
Malform Media: 0 No Content Length: 0 
Cr Trunk Chnls: 0 Del Trunk Chnls: 0 
Cr Normal Chnls: 0 Del Normal Chnls: 0 
Media Addr Zero: 0 Need More Data: 0 

Errors 
Create Token Err: 0 Add portlist Err: 0 
Invalid Offset: 0 Invalid Pktlen: 0 
Free Magic: 0 Double Free: 0 
Retmem Failed: 0 Malloc Failed: 0 
Bad Format: 0 Invalid Proto: 0 
Add ALG state Fail: 0 No Call-id: 0 
Parse SIP Hdr Fail: 0 Parse SDP Fail: 0 
Error New Chnl: 0 Huge Size: 0 
Create Failed: 0 

Writeback Errors 
Offset Err: 0 PA Err: 0 
No Info: 0

Related Commands

Command	Description
debug platform hardware qfp feature	Debugs feature-specific information in the QFP.

show platform hardware qfp act feature ipsec datapath memory

To display debugging information about the consumption of IPsec datapath memory, use the show platform hardware qfp act feature ipsec datapath memory command in privileged EXEC or diagnostic mode.

show platform hardware qfp act feature ipsec datapath memory

Command Default

No default behavior or values

Command Modes

Privileged EXEC (#)

Diagnostic (diag)

Command History

Release	Modification
Cisco IOS XE Release 2.4.2	This command was introduced on the Cisco ASR 1000 Series Routers.

Usage Guidelines

This command displays the consumption of dynamic random access memory (DRAM) on the IPSec Cisco QuantumFlow Processor (QFP) datapath.

show platform hardware qfp act feature ipsec datapath memory

pstate chunk totalfree: 80000, allocated: 0

Related Commands

Command	Description
show platform software ipsec f0 encryption-processor registers	Displays dubugging information about the crypto engine processor registers.

show platform software ipsec f0 encryption-processor registers

To display debugging information about the crypto engine processor registers, use the show platform software ipsec f0 encryption-processor registers command in privileged EXEC or diagnostic mode.

show platform software ipsec f0 encryption-processor registers

Command Default

No default behavior or values

Command Modes

Privileged EXEC (#)

Diagnostic (diag)

Command History

Release	Modification
Cisco IOS XE Release 2.4.2	This command was introduced on the Cisco ASR 1000 Series Routers.

Usage Guidelines

This command displays debugging information for crypto engine processor registers.

show platform software ipsec f0 encryption-processor registers

Forwarding Manager Encryption-processor Registers

     reg_addr : 00000000,    reg_val  : 0000ca5b

     reg_addr : 00000008,    reg_val  : 00000000

     reg_addr : 00000010,    reg_val  : 00000000

     reg_addr : 00000018,    reg_val  : 22f10038

     reg_addr : 00000020,    reg_val  : 00000800

     reg_addr : 00000028,    reg_val  : 00002040

     reg_addr : 00000030,    reg_val  : 00000000

     reg_addr : 00000038,    reg_val  : 23158838 

Related Commands

Command	Description
show platform hardware qfp act feature ipsec datapath memory	Displays debugging information about the consumption of IPsec datapath memory.

show policy-firewall config

To display the firewall configuration on the router, use the show policy-firewall config command in privileged EXEC mode.

show policy-firewall config {all | class-map [class-map-name | protocol-name] | parameter-map [parameter-map-name | default | global | protocol-info | regex [protocol-info-name]] | policy-map [policy-map-name | protocol-name] | zone [self] | zone-pair}

Syntax Description

all	Displays the entire firewall configuration on the router.
class-map class-map-name	Displays the class-maps configured on the router.
protocol-name	Displays the protocols configured for the class-map.
parameter-map	Displays the parameter-maps configured in the router.
parameter-map-name	Displays configuration information about a specific parameter map.
default	Displays configuration information about the default inspect parameter map.
global	Displays configuration information about the global inspect parameter map.
protocol-info	Displays configuration information about the protocol-specific inspect parameter map.
regex	Displays configuration information about the regex inspect parameter map.
protocol-info-name	Displays configuration information about a specific protocol.
policy-map policy-map-name	Displays the policy maps configured on the router.
protocol-name	Displays the protocols configured for the policy map.
zone	Displays configuration information about the zones configured on the router.
self	(Optional) Displays configuration information about the system-defined zone.
zone-pair	Displays configuration information about each each zone-pair.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
15.1(1)T	This command was introduced.

Usage Guidelines

Use this command to display a summary of the firewall configuration on the router.

Examples

The following is the sample output from the show policy-firewall config all command. The field descriptions are self-explanatory.

Router# show policy-firewall config all

Zone: self

  Description: System defined zone

Parameter-map Config:

 Global:

  alert on

  sessions maximum 2147483647

  waas disabled

  l2-transparent dhcp-passthrough disabled

  dropped-packets disabled

  log summary disabled

  max-incomplete low 2147483647

  max-incomplete high 2147483647

  one-minute low 2147483647

  one-minute high 2147483647

 Default:

  audit-trail off

  alert on

  max-incomplete low 2147483647 

  max-incomplete high 2147483647 

  one-minute low 2147483647

  one-minute high 2147483647

  udp idle-time 30

  icmp idle-time 10

  dns-timeout 5

  tcp idle-time 3600

  tcp finwait-time 5

  tcp synwait-time 30

  tcp max-incomplete host 4294967295 block-time 0

  sessions maximum 2147483647

The following example is a sample output from the show policy-firewall config class-map command:

Router# show policy-firewall config class-map c1

Class Map type inspect match-all c1 (id 1)

   Match access-group  101 

   Match protocol http

The following example shows output related to user-defined parameter map:

Router# show policy-firewall config parameter-map params1

parameter-map type inspect params1

  audit-trail off

  alert on

  max-incomplete low 2147483647 

  max-incomplete high 2147483647 

  one-minute low 2147483647

  one-minute high 2147483647

  udp idle-time 30

  icmp idle-time 10

  dns-timeout 5

  tcp idle-time 3600

  tcp finwait-time 5

  tcp synwait-time 30

  tcp max-incomplete host 4294967295 block-time 0

  sessions maximum 2147483647

The following example shows output related default parameter map:

Router# show policy-firewall config parameter-map default 

  audit-trail off

  alert on

  max-incomplete low 2147483647 

  max-incomplete high 2147483647 

  one-minute low 2147483647

  one-minute high 2147483647

  udp idle-time 30

  icmp idle-time 10

  dns-timeout 5

  tcp idle-time 3600

  tcp finwait-time 5

  tcp synwait-time 30

  tcp max-incomplete host 4294967295 block-time 0

  sessions maximum 2147483647

The following example shows output related to global parameter map:

Router# show policy-firewall config parameter-map global  

  alert on

  sessions maximum 2147483647

  waas disabled

  l2-transparent dhcp-passthrough disabled

  log dropped-packets disabled

  log summary disabled

  max-incomplete low 2147483647

  max-incomplete high 2147483647

  one-minute low 2147483647

  one-minute high 2147483647

show policy-firewall mib

To display connection statistics of the firewall policy on the router, use the show policy-firewall mib command in privileged EXEC mode.

show policy-firewall mib connection-statistics {global | policy policy-name zone-pair name | L4-Protocol | L7-Protocol |}{name | all}

Syntax Description

connection-statistics	Displays the statistics for one of the following selected options.
global	Displays the global connection statistics.
policy policy-name	Displays statistics for a specific firewall policy.
zone-pair name	Displays statistics for a zone pair in a specific firewall policy.
L4-Protocol name	Displays statistics for a specific Layer 4 protocol.
L7-Protocol name	Displays statistics for a specific Layer 7 protocol.
all	Displays statistics for all Layer 4 or Layer 7 protocols.

Command Default

Privileged EXEC (#)

Command History

Release	Modification
15.1(1)T	This command was introduced.

Usage Guidelines

Use this command to display the global connection statistics and the statistics per protocol in Layer 4 or Layer 7 for each policy or zone pair. Use the debug policy-firewall mib command to toggle on or off the support for MIBs in zone-based policy firewalls.

Examples

The following is sample output from five versios of the show policy-firewall mib command:

Router# show policy-firewall mib connection-statistics global

--------------------------------------------------

Connections Attempted                             26

Connections Setup Aborted                         0

Connections Policy Declined                       0

Connections Resource Declined                     0

Connections Half Open                             0

Connections Active                                0

Connections Expired                               25

Connections Aborted                               0

Connections Embryonic                             0

Connections 1-min Setup Count                     0

Connections 5-min Setup Count                     0

Router# show policy-firewall mib connection-statistics L4-Protocol all

--------------------------------------------------

Protocol 												udp

Connections Attempted                             1

Connections Setup Aborted                         0

Connections Policy Declined                       0

Connections Resource Declined                     0

Connections Half Open                             0

Connections Active                                0

Connections Aborted                               0

Connections Embryonic                             0

Connections 1-min Setup Count                     0

Connections 5-min Setup Count                     0

--------------------------------------------------

Protocol 												tcp

Connections Attempted                             25

Connections Setup Aborted                         0

Connections Policy Declined                       0

Connections Resource Declined                     0

Connections Half Open                             0

Connections Active                                0

Connections Aborted                               0

Connections Embryonic                             0

Connections 1-min Setup Count                     0

Connections 5-min Setup Count                     0

Router# show policy-firewall mib connection-statistics L7-Protocol all

--------------------------------------------------

Protocol 												http

Connections Attempted                             14

Connections Setup Aborted                         0

Connections Policy Declined                       0

Connections Resource Declined                     0

Connections Half Open                             0

Connections Active                                0

Connections Aborted                               0

Connections Embryonic                             0

Connections 1-min Setup Count                     0

Connections 5-min Setup Count                     0

--------------------------------------------------

Protocol 												tacacs

Connections Attempted                             12

Connections Setup Aborted                         0

Connections Policy Declined                       0

Connections Resource Declined                     0

Connections Half Open                             0

Connections Active                                0

Connections Aborted                               0

Connections Embryonic                             0

Connections 1-min Setup Count                     0

Connections 5-min Setup Count                     0

Router# show policy-firewall mib connection-statistics policy inout-policy zone-pair inout 
L4-Protocol all

--------------------------------------------------

Policy												inout-policy

Zone-pair												inout

--------------------------------------------------

Protocol 												udp

Connections Attempted                             1

Connections Setup Aborted                         0

Connections Policy Declined                       0

Connections Resource Declined                     0

Connections Half Open                             0

Connections Active                                0

Connections Aborted                               0

--------------------------------------------------

Protocol 												tcp

Connections Attempted                             11

Connections Setup Aborted                         0

Connections Policy Declined                       0

Connections Resource Declined                     0

Connections Half Open                             0

Connections Active                                0

Connections Aborted                               0

Router# show policy-firewall mib connection-statistics policy inout-policy zone-pair inout 
L7-Protocol all

--------------------------------------------------

Policy												inout-policy

Zone-pair												inout

--------------------------------------------------

Protocol 												tacacs

Connections Attempted                             12

Connections Setup Aborted                         0

Connections Policy Declined                       0

Connections Resource Declined                     0

Connections Half Open                             0

Connections Active                                0

Connections Aborted                               0

Table 171 describes the significant fields shown in the displays.

Table 171 show policy-firewall mib Field Descriptions 

Field	Description
Connections Attempted	The total number of connection attempts sent to the firewall. This is a cumulative value.
Connections Policy Declined	The number of connection attempts that were declined due to a firewall security policy. This is a cumulative value.
Connections Resource Declined	The number of connection attempts that were declined due to firewall resource constraints. This is a cumulative value.
Connections Half Open	The number of connections that are being established with the firewall. This is a reflection of the current state of the system.
Connections Active	The number of connections that are currently active. This is a reflection of the current state of the system.
Connections Expired	The number of connections that were active and terminated. This is a cumulative value.
Connections Aborted	The number of connections that were abnormally terminated after a successful connection. This is a cumulative value.
Connections Embryonic	The number of embryonic application layer connections. This is a reflection of the current state of the system.
Connections 1-min Setup Count	The number of connections that the firewall attempts to establish per second averaged over the last 60 seconds. This is a reflection of the current state of the system.
Connections 5-min Setup Count	The number of connections that the firewall attempts to establish per second, averaged over the last 300 seconds. This is a reflection of the current state of the system.

Related Commands

Command	Description
debug policy-firewall mib	Toggles on or off the MIB support.

show policy-firewall session

To display the session details of a firewall policy, use the show policy-firewall session command in privileged EXEC mode.

show policy-firewall session [msrpc | zone-pair]

Syntax Description

msrpc	(Optional) Displays the Microsoft Remote Procedure Call (MSRPC) sessions.
zone-pair	(Optional) Displays the sessions pertaining to the zone pairs.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
15.1(1)T	This command was introduced.
15.1(4)M	This command was modified. The msrpc keyword was added.

Usage Guidelines

Use the show policy-firewall session command to display the session details. Sessions details could either be global, zone pair-specific or MSRPC-specific. Global session details incorporate all the sessions created by the firewall, and zone pair-specific details pertain to each zone pair.

Examples

The following is sample output from the show policy-firewall session command:

Router# show policy-firewall session zone-pair

Zone-pair: zone-pair-source2destination

  Service-policy inspect : policy-test

    Class-map: class-test (match-any)

   Inspect

      Number of Established Sessions = 100

      Established Sessions

        Session 3F4DF38 (10.0.0.148:13686)=>(11.0.0.33:80) http:tcp SIS_OPEN

          Created 00:00:02, Last heard 00:00:01

          Bytes sent (initiator:responder) [257:10494]

        Session 43F0F58 (10.0.0.149:13687)=>(11.0.0.33:80) http:tcp SIS_OPEN

          Created 00:00:02, Last heard 00:00:01

          Bytes sent (initiator:responder) [274:10494]

        Session 3F3BD98 (10.0.0.98:13770)=>(11.0.0.33:80) http:tcp SIS_OPEN

          Created 00:00:02, Last heard 00:00:02

          Bytes sent (initiator:responder) [251:0]

        Session 3F2E498 (10.0.0.104:13774)=>(11.0.0.33:80) http:tcp SIS_OPEN

          Created 00:00:02, Last heard 00:00:01

          Bytes sent (initiator:responder) [277:10220]

        Session 3F3B008 (10.0.0.105:13775)=>(11.0.0.33:80) http:tcp SIS_OPEN

          Created 00:00:02, Last heard 00:00:01

          Bytes sent (initiator:responder) [264:10220]

        Session 3F31AD8 (10.0.0.108:13776)=>(11.0.0.33:80) http:tcp SIS_OPEN

          Created 00:00:02, Last heard 00:00:01

          Bytes sent (initiator:responder) [265:10220]

        Session 2F91030 (10.0.0.113:13780)=>(11.0.0.33:80) http:tcp SIS_OPEN

          Created 00:00:02, Last heard 00:00:01

          Bytes sent (initiator:responder) [257:10220]

        Session 3F35308 (10.0.0.229:13966)=>(11.0.0.33:80) http:tcp SIS_OPEN

          Created 00:00:00, Last heard 00:00:00

          Bytes sent (initiator:responder) [278:10494]

        Session 3F30B58 (10.0.0.231:13968)=>(11.0.0.33:80) http:tcp SIS_OPEN

          Created 00:00:00, Last heard 00:00:00

          Bytes sent (initiator:responder) [257:10494]

        Session 3F30588 (10.0.0.234:13969)=>(11.0.0.33:80) http:tcp SIS_OPEN

          Created 00:00:00, Last heard 00:00:00

          Bytes sent (initiator:responder) [259:10494]

      Number of Half-open Sessions = 8

      Half-open Sessions

        Session 3F32298 (10.0.0.99:13068)=>(11.0.0.33:80) http:tcp SIS_OPENING

          Created 00:00:06, Last heard 00:00:06

          Bytes sent (initiator:responder) [0:0]

        Session 2F8F510 (10.0.0.123:13428)=>(11.0.0.33:80) http:tcp SIS_OPENING

          Created 00:00:04, Last heard 00:00:04

          Bytes sent (initiator:responder) [0:0]

        Session 3F4E128 (10.0.0.125:13430)=>(11.0.0.33:80) http:tcp SIS_OPENING

          Created 00:00:04, Last heard 00:00:04

          Bytes sent (initiator:responder) [0:0]

        Session 3F4E318 (10.0.0.126:13431)=>(11.0.0.33:80) http:tcp SIS_OPENING

          Created 00:00:04, Last heard 00:00:04

          Bytes sent (initiator:responder) [0:0]

        Session 3F4E6F8 (10.0.0.127:13432)=>(11.0.0.33:80) http:tcp SIS_OPENING

          Created 00:00:04, Last heard 00:00:04

          Bytes sent (initiator:responder) [0:0]

        Session 43ECF68 (10.0.0.138:13561)=>(11.0.0.33:80) http:tcp SIS_OPENING

          Created 00:00:03, Last heard 00:00:03

          Bytes sent (initiator:responder) [0:0]

        Session 3F4D968 (10.0.0.130:13674)=>(11.0.0.33:80) http:tcp SIS_OPENING

          Created 00:00:02, Last heard 00:00:02

          Bytes sent (initiator:responder) [0:0]

        Session 3F4DB58 (10.0.0.147:13685)=>(11.0.0.33:80) http:tcp SIS_OPENING

          Created 00:00:02, Last heard 00:00:02

          Bytes sent (initiator:responder) [0:0]

      Number of Terminating Sessions = 3

      Terminating Sessions

        Session 2F9DD90 (10.0.0.203:13603)=>(11.0.0.33:80) http:tcp SIS_CLOSING

          Created 00:00:03, Last heard 00:00:02

          Bytes sent (initiator:responder) [268:10494]

        Session 3F3AA38 (10.0.0.209:13844)=>(11.0.0.33:80) http:tcp SIS_CLOSING

          Created 00:00:01, Last heard 00:00:01

          Bytes sent (initiator:responder) [251:2301]

        Session 43F20C8 (10.0.0.224:14070)=>(11.0.0.33:80) http:tcp SIS_CLOSING

          Created 00:00:00, Last heard 00:00:00

          Bytes sent (initiator:responder) [264:2301]

Zone-pair: zone-pair-destination2source

  Service-policy inspect : policy-test

    Class-map: class-test (match-any)

   Inspect

Table 172 describes the significant fields shown in the display.

Table 172 show policy-firewall session Field Descriptions 

Field	Description
Number of Established Sessions	Number of established sessions. A session is established when the traffic flows between the sessions.
Number of Half-open Sessions	Number of half-open sessions. A TCP session that has not yet reached the established state is called a half-opened session.
Number of Terminating Sessions	A link or session between a pair of devices that get closed. The terminating side waits for a timeout and closes the connection between the devices; at this point of time, the local port of the terminating side is not available for new connections.

show policy-firewall stats

To display the statistics of the firewall activity on the router, use the show policy-firewall stats command in privileged EXEC mode.

show policy-firewall stats [all | drop-counters | zone-pair [name]]

Syntax Description

all	(Optional) Displays all firewall statistics on the router.
drop-counters	(Optional) Displays the number of packets dropped for each error code.
zone-pair name	(Optional) Displays statistics pertaining to zone-pair.

Command Default

Privileged EXEC (#)

Command History

Release	Modification
15.1(1)T	This command was introduced.

Usage Guidelines

This command provides the statistics of all the firewall activity on the router. The command displays the box-wide statistics or the statistics for each zone pair. To get all statistics, use the all keyword. Use the drop-counters keyword to display the packets dropped and grouped by their error codes. The output displays only the error codes for which the drop counter is greater than zero. If the number of packets dropped is similar for multiple error codes, the error codes are sorted in alphabetical order.

Examples

The following is sample output from the show policy-firewall stats command. The field descriptions are self-explanatory.

Router# show policy-firewall stats drop-counters

REASON								   					PACKETS DROPPED

    Invalid Header length 														39	

    policy match failure 														38

    Police rate limiting 														37

    Session limiting 														36		

    Bidirectional traffic disabled 														35

    SYN with data or with PSH/URG flags					 									34

    Segment matching no TCP connection 														33

    Invalid Segment 														32

    Invalid Seq# 														31

    Invalid Ack (or no Ack) 														30

    Invalid Flags 														29	

    Invalid Checksum 														28

    SYN inside current window 														27

    RST inside current window 														26

    Out-Of-Order Segment 														25	

    Retransmitted Segment 														24

    Retransmitted Segment with Invalid Flags 														23

    Stray Segment 														22

    Internal Error 														21

    Invalid Window scale option 														20	

    Invalid TCP options 														19

    No zone-pair between zones 														18

    One of the interfaces not being configured for zoning 17

    Policy not present on zone-pair 														16	

    DROP action found in policy-map  														15

show policy-firewall stats vrf

To display VPN Routing and Forwarding (VRF)-level policy firewall statistics, use the show policy-firewall stats command in user EXEC or privileged EXEC mode.

show policy-firewall stats vrf [vrf-name]

Syntax Description

vrf-name

(Optional) VRF name.

Command Default

This command has no default settings.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release	Modification
Cisco IOS XE Release 3.3S	This command was introduced.

Examples

The following is sample output from the show policy-firewall stats vrf command:

Router# show policy-firewall stats vrf vpmap1 

  VRF: vrf1, Parameter-Map: vpmap1

  Interface reference count: 0

       total_session_cnt: 0

       exceed_cnt:        0

       tcp_half_open_cnt: 0

       syn_exceed_cnt:    0

Table 173 describes the significant fields shown in the display.

Table 173 show policy-firewall stats vrf Field Descriptions 

Field	Description
total_session_cnt	Total session count.
exceed_cnt	Number of sessions that exceeded the configured session count.
tcp_half_open_cnt	TCP half-open sessions configured for each VRF. When the configured session limit is reached, the TCP SYN cookie verifies the source of the half-open TCP sessions before creating more sessions. A TCP half-open session is a session that has not reached the established state.
syn_exceed_count	Number of synchronization (SYN) packets that exceeded the configured SYN flood rate limit.

Related Commands

Command	Description
clear policy-firewall stats vrf	Clears the policy firewall statistics counter at a VRF level.

show policy-firewall stats vrf global

To display global VPN Routing and Forwarding (VRF) firewall policy statistics, use the show policy-firewall stats vrf global command in user EXEC or privileged EXEC mode.

show policy-firewall stats vrf global

Syntax Description

This command has no arguments or keywords.

Command Default

This command has no default settings.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release	Modification
Cisco IOS XE Release 3.3S	This command was introduced.

Examples

The following is sample output from the show policy-firewall stats vrf global command:

Router# show policy-firewall stats vrf global 

Global table statistics

       total_session_cnt: 0

       exceed_cnt:        0

       tcp_half_open_cnt: 0

       syn_exceed_cnt:    0

Table 174 describes the fields shown in the display.

Table 174 show policy-firewall stats vrf global Field Descriptions 

Field	Description
total_session_cnt	Total session count.
exceed_cnt	Number of sessions that exceeded the configured session count.
tcp_half_open_cnt	TCP half-open sessions configured at a global VRF level. When the configured session limit is reached, the TCP synchronization (SYN) cookie verifies the source of the half-open TCP sessions before creating more sessions. A TCP half-open session is a session that has not reached the established state.
syn_exceed_cnt	Number of SYN packets that exceeded the configured SYN flood rate limit.

Related Commands

Command	Description
clear policy-firewall stats vrf global	Clears the global VRF policy firewall statistics.

show policy-firewall stats zone

To display policy firewall statistics at a zone level, use the show policy-firewall stats zone command in user EXEC or privileged EXEC mode.

show policy-firewall stats zone [zone-name]

Syntax Description

zone-name

(Optional) Zone name.

Command Default

This command has no default settings.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release	Modification
Cisco IOS XE Release 3.3S	This command was introduced.

Examples

The following is sample output from the show policy-firewall stats zone command:

Router# show policy-firewall stats zone zone02

Zone: zone02

Parameter-map: zpmap01

TCP SYN packet conform limit: 10

TCP SYN packet exceed limit: 4

Table 175 describes the fields shown in the display.

Table 175 show policy-firewall stats zone Field Descriptions 

Field	Description
Zone	Name of the zone.
Parameter-map	Name of the configured zone-type parameter map.
TCP SYN packet conform limit	Number of TCP synchronization (SYN) packets that are within the configured limit.
TCP SYN packet exceed limit	Number of TCP synchronization (SYN) packets that exceeded the configured SYN packet rate limit.

Related Commands

Command	Description
clear policy-firewall stats zone	Clears the policy firewall statistics counter at a zone level.
tcp syn-flood limit	Configures a limit to the number of TCP half-open sessions before triggering SYN cookie processing for new SYN packets.

show policy-firewall summary-log

To display summary logs, use the show policy-firewall summary log command in privileged EXEC mode.

show policy-firewall summary-log

Syntax Description

This command has no arguments or keywords.

Command Default

Summary logs are not displayed.

Command Modes

Privileged EXEC(#)

Command History

Release	Modification
15.1(1)T	This command was introduced.

Usage Guidelines

Use this command to display the summary logs captured as follows:

•Configured flow

•Configured flow value

•Number of flows

---

Note When the number of flows for the log summary reaches the configured flow value, some flows are not summarized.

---

Examples

The following is sample output from the show policy-firewall summary-log. The field descriptions are self-explanatory.

Router# show policy-firewall summary-log

*Apr 1 12:38:29.103: %FW-6-LOG_SUMMARY: 10 http packets were dropped from

10.0.0.1:1024 => 20.0.0.1:23 (target: class)-(z1toz2:C1)

Related Commands

Command	Description
clear policy-firewall	Clears the information collected by the firewall.

show policy-map type inspect

To display a specified policy map, use the show policy-map type inspect command in privileged EXEC mode.

show policy-map type inspect [policy-map-name] [class class-map-name]

Syntax Description

policy-map-name	(Optional) Name of the policy map.
class class-map-name	(Optional) Name of the class map.

Command Default

If a policy-map name is not specified, all Level 7 policy maps are displayed.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.4(6)T	This command was introduced.
Cisco IOS XE Release 3.2S	This command was integrated into Cisco IOS XE Release 3.2S.

Examples

The following example displays the policy map for policy map p1:

Router # show policy-map type inspect p1 

 Policy Map type inspect p1

  Class c1

   Inspect

The following example shows sample command output:

Router# show policy-map type inspect p_inside 

Policy Map type inspect p_inside

 Description: Policy map with inspect action

 Class c_permit

  Pass

 Class c_test

 Class class-default

Table 176 describes the significant fields shown in the display.

Table 176 show policy-map type inspect Field Descriptions 

Field	Description
p_inside	Name of the policy map.
Description	Description of the policy map.
Class	Name of the class map.
Pass	Allows packets to be sent to the router without being inspected.

show policy-map type inspect urlfilter

To display the details of a URL filtering policy map, use the show policy-map type inspect urlfilter command in privileged EXEC mode.

show policy-map type inspect urlfilter [policy-map-name]

Syntax Description

policy-map-name

(Optional) Name of the policy map for which details are displayed.

Command Default

The details of all URL filtering policy maps are displayed.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(15)XZ	This command was introduced.
12.4(20)T	This command was integrated into Cisco IOS Release 12.4(20)T.

Usage Guidelines

Use the show policy-map type inspect urlfilter command to display the details of all URL filtering policy maps. To display the details of a particular URL filtering policy map, specify the name of the policy map.

Examples

The following is sample output from the show policy-map type inspect urlfilter command for a policy map named websense-policy:

Router# show policy-map type inspect urlfilter websense-policy

policy-map type inspect urlfilter url-websense-policy

  parameter-map urlfpolicy websense websense-parameter-map

  class type urlfilter trusted-domain-lists

   allow

  class type urlfilter untrusted-domain-lists

   reset

  class type urlfilter block-url-keyword-lists

   reset 

  class type urlfilter websense websense-map

   server-specified-action

show policy-map type inspect zone-pair

To display the runtime inspect type policy map statistics and other information such as sessions existing on a specified zone pair, use the show policy-map type inspect zone-pair command in privileged EXEC mode.

show policy-map type inspect zone-pair [zone-pair-name] [sessions]

Syntax Description

zone-pair-name	(Optional) Zone pair for which the system displays the runtime inspect type policy-map statistics. Default: The requested information is shown for all zone pairs.
sessions	(Optional) Displays the Cisco IOS stateful packet inspection sessions created because of the policy-map application on the specified zone pair.

Command Default

If the optional argument and keyword are not entered, information about policy maps for all zone pairs is displayed.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(6)T	This command was introduced.
12.4(9)T	The output from this command was enhanced to display the police action configuration.
12.4(15)XZ	This command was implemented on the following platforms: Cisco 881 and Cisco 888.
Cisco IOS XE Release 3.1S	This command was integrated into Cisco IOS XE Release 3.1S.

Usage Guidelines

If you do not specify a zone-pair name, the policy maps on all zone pairs are displayed.

When packets are matched to an access group (match access-group), protocol (match protocol), or class map (match class-map), a traffic rate is generated for these packets. In a zone-based firewall policy, only the first packet that creates a session matches the policy. Subsequent packets in this flow do not match the filters in the configured policy, but instead match the session directly. The statistics related to subsequent packets are shown as part of the "inspect" action. This information is shown when using the show policy-map type inspect zone-pair sessions command.

Command Limitations

The cumulative counters in the show policy-map type inspect zone-pair command output do not increment for match statements in a nested class-map configuration in Cisco IOS Releases 12.4(20)T and 12.4(15)T. The problem with the counters exists regardless of whether the top level class map uses the match-any or match-all keywords.

The following configuration example causes the match counter problem in the show policy-map type inspect zone-pair command output:

class-map type inspect match-any y

 match protocol tcp

 match protocol icmp

class-map type inspect match-all x

 match class y

However, cumulative counters for the above configuration are displayed in the show policy-map type inspect zone-pair command output if the class map matches any class map:

Router# show policy-map type inspect zone-pair session

policy exists on zp zp

 Zone-pair: zp

  Service-policy inspect : fw

    Class-map: x (match-any)

      Match: class-map match-any y

        2 packets, 48 bytes   <======== Cumulative class map counters are incrementing.

        30 second rate 0 bps

        Match: protocol tcp

          0 packets, 0 bytes     <===== The match for the protocol is not incrementing.

          30 second rate 0 bps

        Match: protocol icmp

          0 packets, 0 bytes

          30 second rate 0 bps

   Inspect

      Number of Established Sessions = 1

      Established Sessions

        Session 53105C0 (1.1.1.2:19180)=>(2.1.1.2:23) tacacs:tcp SIS_OPEN

          Created 00:00:02, Last heard 00:00:02

          Bytes sent (initiator:responder) [30:69]

    Class-map: class-default (match-any)

      Match: any 

      Drop

        0 packets, 0 bytes

Examples

The following examples show sample output when a zone pair name is specified:

Router# show policy-map type inspect zone-pair zp 

 Zone-pair: zp

  Service-policy : p1

   Class-map: c1 (match-all)

    Match: protocol tcp

    Inspect

     Session creations since subsystem startup or last reset 0

     Current session counts (estab/half-open/terminating) [0:0:0]

     Maxever session counts (estab/half-open/terminating) [0:0:0]

     Last session created never

     Last statistic reset never

     Last session creation rate 0

     half-open session total 0   

   Class-map: c2 (match-all)

    Match: protocol udp

    Pass

     0 packets, 0 bytes

   Class-map: class-default (match-any)

    Match: any

    Drop

     0 packets, 0 bytes

Router# show policy-map type inspect zone-pair trusted_untrusted

 Zone-pair: trusted_untrusted

  Service-policy inspect : firewall_policy

Class-map: class_4 (match-any)  

      Match: protocol dbcontrol_agent

      Match: protocol ddns-v3

      Match: protocol dhcp-failover

      Match: protocol discard

      Match: protocol dns

      Match: protocol dnsix

      Match: protocol echo

      Match: protocol entrust-svc-handler

      Inspect

        Packet inspection statistics [process switch:fast switch]

        dns packets: [0:28949015] 

        Session creations since subsystem startup or last reset 4

        Current session counts (estab/half-open/terminating) [0:0:0]

        Maxever session counts (estab/half-open/terminating) [1:0:0]

        Last session created 00:06:16

        Last statistic reset never

        Last session creation rate 0

        Last half-open session total 0

---

Note Only some important protocols may undergo the L7 inspections have the dedicated statistics and the others are grouped into either TCP statistics or UDP statistics.

---

The following example shows sample output when the sessions keyword is specified:

---

Note The information shown under the class-map field is the traffic rate (bits per second) of the traffic belonging to the connection initiating traffic only. Unless the connection setup rate is significantly high and sustained for multiple intervals over which the rate is computed, no significant data is shown for the connection.

---

Router# show policy-map type inspect zone-pair sessions 

Zone-pair: hi2int

  Service-policy inspect : pg1 

    Class-map: c1 (match-any)

      Match: protocol ftp

      Match: protocol telnet

      Match: protocol smtp

      Match: protocol http

      Match: protocol tacacs

      Match: protocol dns

      Match: protocol sql-net

      Match: protocol https

      Match: protocol tftp

      Match: protocol gopher

      Match: protocol finger

      Match: protocol kerberos

      Match: protocol pop3

      Match: protocol sunrpc

      Match: protocol msrpc

      Match: protocol icmp

      Inspect

        Established Sessions

         Session 10E28550 (10.1.1.1:50536)=>(172.16.1.1:111) sunrpc SIS_OPEN

          Created 00:09:44, Last heard 00:09:18

          Bytes sent (initiator:responder) [108:0]

         Session 10E28550 (10.1.1.1:39377)=>(172.16.1.1:150) sql-net SIS_CLOSED

          Created 00:03:01, Last heard 00:03:01

          Bytes sent (initiator:responder) [0:0]

         Session 10E2859C (10.1.1.1:39377)=>(172.16.1.1:110) pop3 SIS_CLOSED

          Created 00:02:59, Last heard 00:02:59

          Bytes sent (initiator:responder) [0:0]

         Session 10E285E8 (10.1.1.1:39377)=>(172.16.1.1:443) https SIS_CLOSED

          Created 00:03:33, Last heard 00:03:33

          Bytes sent (initiator:responder) [0:0]

    Class-map: class-default (match-any)

      Match: any

      Drop (default action)

        147127 packets, 8485742 bytes

The following example is sample output from the show policy-map type inspect zone-pair command, which can now be used to verify the police action configuration:

Router# show policy-map type inspect zone-pair 

Zone-pair: zp

Service-policy inspect : test-udp

  Class-map: check-udp (match-all)

   Match: protocol udp

   Inspect

    Packet inspection statistics [process switch:fast switch]

    udp packets: [3:4454]

    Session creations since subsystem startup or last reset 92

    Current session counts (estab/half-open/terminating) [5:33:0]

    Maxever session counts (estab/half-open/terminating) [5:59:0]

    Last session created 00:00:06

    Last statistic reset never

    Last session creation rate 61

    Last half-open session total 33

   Police

   rate 8000 bps,1000 limit 

   conformed 2327 packets, 139620 bytes; actions: transmit

   exceeded 36601 packets, 2196060 bytes; actions: drop

   conformed 6000 bps, exceed 61000 bps

  Class-map: class-default (match-any)

   Match: any 

   Drop (default action)

   0 packets, 0 bytes 

show policy-map type inspect zone-pair urlfilter

To display the details of a URL filtering policy map—URL filter state, URL filter statistics, and URL filter server details—use the show policy-map type inspect zone-pair urlfilter command in privileged EXEC mode.

show policy-map type inspect zone-pair [zone-pair-name] urlfilter cache [detail]

Syntax Description

zone-pair-name	(Optional) Zone pair for which the system will display the runtime inspect type policy-map statistics. Default: The requested information is shown for all zone pairs.
cache	Displays information about the URL filter cache.
detail	(Optional) Displays each entry in the cache. Because cache entries can be long, only the first few bytes are displayed.

Command Default

The URL filter information for all zone pairs is displayed. Details about the URL filtering cache are not displayed.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(6)T	This command was introduced.
12.4(15)XZ	This command was implemented on the following platforms: Cisco 881 and Cisco 888. The detail keyword was added to show more information about the URL filtering cache.
12.4(20)T	This command was integrated into Cisco IOS Release 12.4(20)T. The detail keyword was added to show more information about the URL filtering cache.

Examples

The following example shows sample output for a Websense URL filtering server:

Router# show policy-map type inspect zone-pair urlfilter cache 

Zone-pair: zp

 Urlfilter

 Websense URL Filtering is ENABLED

 Websense Primary server: 10.3.3.3(port : 15868)   

 recount: 0

 Current packet buffer count(in use): 0

 Current cache entry count: 0

 Maxever request count: 0

 Maxever packet buffer count: 0

 Maxever cache entry count: 0

 Total requests sent to URL Filter Server :0

 Total responses received from URL Filter Server :0

 Total requests allowed: 0

 Total requests blocked: 0

Drop (default action)

 packets, 0 bytes

 Service-policy inspect : test

  Class-map: test (match-all)

   Match: protocol http

  Class-map: class-default (match-any)

   Match: any 

The following example shows sample output for a Trend Micro URL filtering server, including the cache details:

Router# show policy-map type inspect zone-pair urlfilter cache detail 

policy exists on zp zp_in

 Zone-pair: zp_in

 Service-policy inspect : trend-global-policy

  Class-map: http-class (match-all)

   Match: protocol http

   Match: access-group 101

 Inspect

   Packet inspection statistics [process switch:fast switch]

   tcp packets: [3353:0]

   Session creations since subsystem startup or last reset 21

   Current session counts (estab/half-open/terminating) [3:0:0]

   Maxever session counts (estab/half-open/terminating) [4:1:1]

   Last session created 00:00:22

   Last statistic reset never

   Last session creation rate 7

   Maxever session creation rate 14

   Last half-open session total 0

   Maximum number of bytes in cache: 131072000

   Time to live for eache cache entry (in hrs): 1

   Total number of bytes used by cache: 442

   Number of bytes used by domain type cache: 442

   Number of bytes used by directory type cache: 0

   ------------------------------------------------------------

   URL                                  Age   Access #/  Cat::Rep

   (Directory cache end with /)   (day:h:m:s)    Idle Time

   ------------------------------------------------------------

   example.com             0:00:00:23      28   58::100                                                                                  

   example1.com            0:00:00:25       1   56::100                                                                                  

   example.example2.com    0:00:00:34       1   56::100                                                                                  

  Class-map: class-default (match-any)

   Match: any

   Drop

     0 packets, 0 bytes

policy exists on zp zp_out

 Zone-pair: zp_out

 Service-policy inspect : icmp_permit

  Class-map: icmp_permit (match-all)

   Match: access-group 110

   Pass

    0 packets, 0 bytes

  Class-map: class-default (match-any)

   Match: any

   Drop

    0 packets, 0 bytes

show port-security

To display information about the port-security setting in EXEC command mode, use the show port-security command.

show port-security [interface interface interface-number]

show port-security [interface interface interface-number] {address | vlan}

Syntax Description

interface interface	(Optional) Specifies the interface type; possible valid values are ethernet, fastethernet, gigabitethernet, and longreachethernet.
interface-number	Interface number. Valid values are 1 to 6.
address	Displays all the secure MAC addresses that are configured on all the switch interfaces or on a specified interface with aging information for each address.
vlan	Virtual LAN.

Defaults

This command has no default settings.

Command Modes

EXEC

Command History

Release	Modification
12.2(14)SX	Support for this command was introduced on the Supervisor Engine 720.
12.2(17d)SXB	Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.
12.2(18)SXE	The address keyword was added to display the maximum number of MAC addresses configured per VLAN on a trunk port on the Supervisor Engine 720 only.
12.2(33)SRA	This command was integrated into Cisco IOS release 12.(33)SRA.

Usage Guidelines

The vlan keyword is supported on trunk ports only and displays per-Vlan maximums set on a trunk port.

The interface-number argument designates the module and port number. Valid values for interface-number depend on the specified interface type and the chassis and module that are used. For example, if you specify a Gigabit Ethernet interface and have a 48-port 10/100BASE-T Ethernet module that is installed in a 13-slot chassis, valid values for the module number are from 1 to 13 and valid values for the port number are from 1 to 48.

Examples

This example shows the output from the show port-security command when you do not enter any options:

Router# show port-security

Secure Port      MaxSecureAddr  CurrentAddr  SecurityViolation  Security

Action

                    (Count)        (Count)      (Count)

----------------------------------------------------------------------------

     Fa5/1           11            11            0            Shutdown

     Fa5/5           15            5             0            Restrict

     Fa5/11          5             4             0            Protect

----------------------------------------------------------------------------

Total Addresses in System: 21

Max Addresses limit in System: 128

Router# 

This example shows how to display port-security information for a specified interface:

Router# show port-security interface fastethernet 5/1

Port Security: Enabled

Port status: SecureUp

Violation mode: Shutdown

Maximum MAC Addresses: 11

Total MAC Addresses: 11

Configured MAC Addresses: 3

Aging time: 20 mins

Aging type: Inactivity

SecureStatic address aging: Enabled

Security Violation count: 0

Router# 

This example show how to display all the secure MAC addresses that are configured on all the switch interfaces or on a specified interface with aging information for each address:

Router# show port-security address

Default maximum: 10 

VLAN Maximum Current 

1    5       3 

2    4       4 

3    6       4

Router#

Related Commands

Command	Description
clear port-security	Deletes configured secure MAC addresses and sticky MAC addresses from the MAC address table.

show ppp queues

To monitor the number of requests processed by each authentication, authorization, and accounting (AAA) background process, use the show ppp queues command in privileged EXEC mode.

show ppp queues

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.3(2)AA	This command was introduced.
12.2(33)SRA	This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the show ppp queues command to display the number of requests handled by each AAA background process, the average amount of time it takes to complete each request, and the requests still pending in the work queue. This information can help you balance the data load between the network access server and the AAA server.

This command displays information about the background processes configured by the aaa processes global configuration command. Each line in the display contains information about one of the background processes. If there are AAA requests in the queue when you enter this command, the requests will be printed as well as the background process data.

Examples

The following example shows output from the show ppp queues command:

Router# show ppp queues

Proc #0   pid=73  authens=59   avg. rtt=118s. authors=160  avg. rtt=94s.

Proc #1   pid=74  authens=52   avg. rtt=119s. authors=127  avg. rtt=115s.

Proc #2   pid=75  authens=69   avg. rtt=130s. authors=80   avg. rtt=122s.

Proc #3   pid=76  authens=44   avg. rtt=114s. authors=55   avg. rtt=106s.

Proc #4   pid=77  authens=70   avg. rtt=141s. authors=76   avg. rtt=118s.

Proc #5   pid=78  authens=64   avg. rtt=131s. authors=97   avg. rtt=113s.

Proc #6   pid=79  authens=56   avg. rtt=121s. authors=57   avg. rtt=117s.

Proc #7   pid=80  authens=43   avg. rtt=126s. authors=54   avg. rtt=105s.

Proc #8   pid=81  authens=139  avg. rtt=141s. authors=120  avg. rtt=122s.

Proc #9   pid=82  authens=63   avg. rtt=128s. authors=199  avg. rtt=80s.

queue len=0 max len=499

Table 177 describes the fields shown in the example.

Table 177 show ppp queues Field Descriptions

Field	Description
Proc #	Identifies the background process allocated by the aaa processes command to handle AAA requests for PPP. All of the data in this row relates to this process.
pid=	Identification number of the background process.
authens=	Number of authentication requests the process has performed.
avg. rtt=	Average delay (in seconds) until the authentication request was completed.
authors=	Number of authorization requests the process has performed.
avg. rtt=	Average delay (in seconds) until the authorization request was completed.
queue len=	Current queue length.
max len=	Maximum length the queue ever reached.

Related Commands

Command	Description
aaa processes	Allocates a specific number of background processes to be used to process AAA authentication and authorization requests for PPP.

show pppoe session

To display information about currently active PPP over Ethernet (PPPoE) sessions, use the show pppoe session command in privileged EXEC mode.

show pppoe session [all | interface type number] [packets]

Syntax Description

all	(Optional) Displays detailed information about the PPPoE session.
interface type number	(Optional) Displays information about the interface on which the PPPoE session is active.
packets	(Optional) Displays packet statistics for the PPPoE session.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.2(4)YG	This command was introduced on the Cisco SOHO 76, 77, and 77H routers.
12.3(4)T	This command was integrated into Cisco IOS Release 12.3(4)T and was enhanced to display information about relayed PPPoE Active Discovery (PAD) messages.
12.2(28)SB	This command was integrated into Cisco IOS Release 12.2(28)SB and support was added for the Cisco 7200, 7301, 7600, and 10000 series platforms.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2 and the output following the use of the all keyword was modified to indicate if a session is Interworking Functionality (IWF)-specific or if the tag ppp-max-payload tag is in the discovery frame and accepted.
12.4(15)XF	The output was modified to display Virtual Multipoint Interface (VMI) and PPPoE process-level values.
12.4(15)T	This command was integrated into Cisco IOS Release 12.4(15)T to support VMIs in Mobile Ad Hoc Router-to-Radio Networks (MANETs).
12.2(33)SRC	This command was integrated into Cisco IOS Release 12.2(33)SRC.
Cisco IOS XE Release 2.5	This command was implemented on Cisco ASR 1000 series routers.

Examples

Single Session: Example

The following is sample output from the show pppoe session command:

Router# show pppoe session

     1 session  in FORWARDED (FWDED) State

     1 session  total

Uniq ID	PPPoE SID	RemMAC	Port	VT	VA	State	LocMAC	VA-st
26	19	0001.96da.a2c0	Et0/0.1	5	N/A	RELFWD	000c.8670.1006	VLAN:3434

PPPoE Session with IWF and ppp-max-payload Tag Example

The following is sample output from the show pppoe session command when there is an IWF session and the ppp-max-payload tag is accepted in the discovery frame (available in Cisco IOS Release 12.2(31)SB2):

Router# show pppoe session   

     1 session  in LOCALLY_TERMINATED (PTA) State

     1 session  total.  1 session of it is IWF type

Uniq ID	PPPoE SID	RemMAC	Port	VT	VA	State	LocMAC	VA-st	Type
26	21	0001.c9f2.a81e	Et1/2	1	Vi2.1	PTA	0006.52a4.901e	UP	IWF

Table 178 describes the significant fields shown in the displays.

Table 178 show pppoe session Field Descriptions 

Field	Description
Uniq ID	Unique identifier for the PPPoE session.
PPPoE SID	PPPoE session identifier.
RemMAC	Remote MAC address.
Port	Port type and number.
VT	Virtual-template interface.
VA	Virtual access interface.
State	Displays the state of the session, which will be one of the following: •FORWARDED •FORWARDING •LCP_NEGOTIATION •LOCALLY_TERMINATED •PPP_START •PTA •RELFWD (a PPPoE session was forwarded for which the Active discovery messages were relayed) •SHUTTING_DOWN •VACCESS_REQUESTED
LocMAC	Local MAC address.

show pppoe session all: Example

The following example shows information per session for the show pppoe session all command.

Router# show pppoe session all

Total PPPoE sessions 1

session id: 21

local MAC address: 0006.52a4.901e, remote MAC address: 0001.c9f2.a81e

virtual access interface: Vi2.1, outgoing interface: Et1/2, IWF

PPP-Max-Payload tag: 1500

    15942 packets sent, 15924 received

    224561 bytes sent, 222948 received

PPPoE Session Including Credit Flow Statistics Example

The following example shows the output from the show pppoe session all command. This version of the display includes PPPoE credit flow statistics for the session.

Router# show pppoe session all 

Total PPPoE sessions 1 

session id: 1 

local MAC address: aabb.cc00.0100, remote MAC address: aabb.cc00.0200 

virtual access interface: Vi2, outgoing interface: Et0/0 

17 packets sent, 24 received 

1459 bytes sent, 2561 received 

PPPoE Flow Control Stats 

Local Credits: 65504 Peer Credits: 65478 

Credit Grant Threshold: 28000 Max Credits per grant: 65534 

PADG Seq Num: 7 PADG Timer index: 0 

PADG last rcvd Seq Num: 7 

PADG last nonzero Seq Num: 0 

PADG last nonzero rcvd amount: 0 

PADG Timers: [0]-1000 [1]-2000 [2]-3000 [3]-4000 

PADG xmit: 7 rcvd: 7 

PADC xmit: 7 rcvd: 7 

PADQ xmit: 0 rcvd: 0

Related Commands

Command	Description
clear pppoe relay context	Clears PPPoE relay contexts created for relaying PAD messages.
show pppoe relay context all	Displays PPPoE relay contexts created for relaying PAD messages.

show private-hosts access-lists

To display the access lists for your Private Hosts configuration, use the show private-hosts access-lists command in privileged EXEC mode.

show private-hosts access-lists

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.2(33)SRB	This command was introduced.
12.2(33)SXH	This command was integrated into Cisco IOS Release 12.2(33)SXH.

Examples

The following example shows how to display the Private Hosts access lists for your configuration:

Router# show private-hosts access-lists 

Promiscuous ACLs

Action Permit   Sequence # 010

    Source:0000.1111.4001 0000.0000.0000 Destination:0000.0000.0000 ffff.ffff.ffff

Action Deny     Sequence # 020

    Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.0000.0000 ffff.ffff.ffff

Isolated ACLs

Action Deny     Sequence # 010

    Source:0000.1111.4001 0000.0000.0000 Destination:0000.0000.0000 ffff.ffff.ffff

Action Permit   Sequence # 020

    Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.1111.4001 0000.0000.0000 Action 
Redirect Sequence # 030 Redirect index 6

    Source:0000.0000.0000 ffff.ffff.ffff Destination:ffff.ffff.ffff 0000.0000.0000

Action Permit   Sequence # 040

    Source:0000.0000.0000 ffff.ffff.ffff Destination:0100.5e00.0000 0000.007f.ffff

    Source:0000.0000.0000 ffff.ffff.ffff Destination:3333.0000.0000 0000.ffff.ffff

Action Deny     Sequence # 050

    Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.0000.0000 ffff.ffff.ffff

Mixed ACLs

Action Permit   Sequence # 010

    Source:0000.1111.4001 0000.0000.0000 Destination:ffff.ffff.ffff 0000.0000.0000 Action 
Redirect Sequence # 020 Redirect index 6

    Source:0000.0000.0000 ffff.ffff.ffff Destination:ffff.ffff.ffff 0000.0000.0000

Action Permit   Sequence # 030

    Source:0000.1111.4001 0000.0000.0000 Destination:0000.0000.0000 ffff.ffff.ffff

Action Permit   Sequence # 040

    Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.1111.4001 0000.0000.0000

Action Deny     Sequence # 050

    Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.0000.0000 ffff.ffff.ffff

Related Commands

Command	Description
show fm private-hosts	Displays information about the Private Hosts feature manager.
show private-hosts configuration	Displays Private Hosts configuration information for the networking device.
show private-hosts interface configuration	Displays Private Hosts configuration information for individual interfaces.

show private-hosts configuration

To display information about the Private Hosts configuration on the router, use the show private-hosts configuration command in privileged EXEC mode.

show private-hosts configuration

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(33)SRB	This command was introduced.
12.2(33)SXH	This command was integrated into Cisco IOS Release 12.2(33)SXH.

Examples

The following example shows sample command output:

Router# show private-hosts configuration 

Private hosts enabled. BR INDEX 6 State 0000000F

Privated hosts vlans lists:

200

Privated promiscuous MAC configuration:

A '*' mark behind the mac list indicates non-existent mac-list

--------------------------------------------------------------------------------

MAC-list                      VLAN list

--------------------------------------------------------------------------------

bras-list                    *** Uses the isolated vlans (if any) ***

The following example shows sample command output:

Router# show private-hosts configuration

Private-hosts enabled

Isolated vlan-list 10,12,15,200-300

Promiscuous MAC configuration:

------------------------------------------------------------------------------------

MAC-List               VLAN List 

-----------------------------------------------------------------------------------

Bras_list              10,12,15,200-300

Mcast_server_list      10,12,15

Router#

Related Commands

Command	Description
private-hosts	Enables or configures the Private Hosts feature.
private-hosts mode	Sets the switchport mode.
show fm private-hosts interface configuration	Displays the FM-related Private Hosts information.
show private-hosts interface configuration	Displays Private Hosts configuration information for individual interfaces.

show private-hosts interface configuration

To display information about the Private Hosts configuration on individual interfaces (ports), use the show private-hosts interface configuration command in privileged EXEC mode.

show private-hosts interface configuration

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.2(33)SRB	This command was introduced.
12.2(33)SXH	This command was integrated in Cisco IOS Release 12.2(33)SXH.

Examples

The following example shows sample command output:

Router# show private-hosts interface configuration 

Private hosts enabled

Debug Events: 0 Acl: 0 API: 0

Promiscuous interface list

--------------------------

GigabitEthernet1/1 promiscuous connected Facing BRAS Jupiter

Isolated interface list

-------------------------

FastEthernet3/1-14 isolated connected Facing DSLAM AB-125-1

Mixed mode interface list

--------------------------

GigabitEthernet1/4-5 mixed connected Facing Server Mars

Router#

Related Commands

Command	Description
private-hosts	Enables or configures the Private Hosts feature.
private-hosts mode	Sets the switchport mode.
show fm private-hosts	Displays the FM-related Private Hosts information.
show private-hosts configuration	Displays Private Hosts configuration information for the router.

show private-hosts mac-list

To display the contents of the MAC address lists defined for Private Hosts, use the show private-hosts mac-list command in privileged EXEC mode.

show private-hosts mac-list [list-name]

Syntax Description

list-name

(Optional) The name of the MAC address list whose contents you want to display.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.2(33)SRB	This command was introduced.
12.2(33)SXH	This command was integrated into Cisco IOS Release 12.2(33)SXH.

Examples

The following example shows sample command output:

Router# show private-hosts mac-list 

MAC-List: bras-list

------------------------------------------------------------------

MAC address    Description

------------------------------------------------------------------

0000.1111.1111 BRAS-SERVER

Related Commands

Command	Description
private-hosts mac-list	Creates a MAC address list that identifies a content server that is being used to provide broadband services to isolated hosts.

show privilege

To display your current level of privilege, use the show privilege command in EXEC mode.

show privilege

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release	Modification
10.3	This command was introduced.
12.2(33)SRA	This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Examples

The following example shows sample output from the show privilege command. The current privilege level is 15.

Router# show privilege

Current privilege level is 15

Related Commands

Command	Description
enable password	Sets a local password to control access to various privilege levels.
enable secret	Specifies an additional layer of security over the enable password command.

show radius local-server statistics

To display the statistics for the local authentication server, use the show radius local-server statistics command in privileged EXEC mode.

show radius local-server statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(11)JA	This command was introduced on the Cisco Aironet Access Point 1100 and the Cisco Aironet Access Point 1200.
12.3(11)T	This command was integrated into Cisco IOS Release 12.3(11)T and implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.

Examples

The following output displays statistics for the local authentication server.

Router# show radius local-server statistics

Successes              : 11262       Unknown usernames      : 0

Client blocks          : 0           Invalid passwords      : 8

Unknown NAS            : 0           Invalid packet from NAS: 0

NAS : 10.0.0.1

Successes              : 11262       Unknown usernames      : 0

Client blocks          : 0           Invalid passwords      : 8

Corrupted packet       : 0           Unknown RADIUS message : 0

No username attribute  : 0           Missing auth attribute : 0

Shared key mismatch    : 0           Invalid state attribute: 0

Unknown EAP message    : 0           Unknown EAP auth type  : 0

PAC refresh            : 0           Invalid PAC received   : 0

Maximum number of configurable users: 50, current user count: 11

Username                  Successes  Failures  Blocks

vayu-ap-1                      2235         0       0

vayu-ap-2                      2235         0       0

vayu-ap-3                      2246         0       0

vayu-ap-4                      2247         0       0

vayu-ap-5                      2247         0       0

vayu-11                           3         0       0

vayu-12                           5         0       0

vayu-13                           5         0       0

vayu-14                          30         0       0

vayu-15                           3         0       0

scm-test                          1         8       0

The first section of statistics lists cumulative statistics from the local authenticator.

The second section lists statistics for each access point (NAS) authorized to use the local authenticator. The EAP-FAST statistics in this section include the following:

•Auto provision success—the number of PACs generated automatically

•Auto provision failure—the number of PACs not generated because of an invalid handshake packet or invalid username or password

•PAC refresh—the number of PACs renewed by clients

•Invalid PAC received—the number of PACs received that were expired, that the authenticator could not decrypt, or that were assigned to a client username not in the authenticator's database

The third section lists stats for individual users. If a user is blocked and the lockout time is set to infinite, blocked appears at the end of the stat line for that user. If the lockout time is not infinite, Unblocked in x seconds appears at the end of the stat line for that user.

Use the clear radius local-server statistics command in privileged EXEC mode to reset local authenticator statistics to zero.

Related Commands

Command	Description
block count	Configures the parameters for locking out members of a group to help protect against unauthorized attacks.
clear radius local-server	Clears the statistics display or unblocks a user.
debug radius local-server	Displays the debug information for the local server.
group	Enters user group configuration mode and configures shared setting for a user group.
nas	Adds an access point or router to the list of devices that use the local authentication server.
radius-server host	Specifies the remote RADIUS server host.
radius-server local	Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.
reauthentication time	Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.
ssid	Specifies up to 20 SSIDs to be used by a user group.
user	Authorizes a user to authenticate using the local authentication server.
vlan	Specifies a VLAN to be used by members of a user group.

show radius server-group

To display properties for the RADIUS server group, use the show radius server-group command in user EXEC or privileged EXEC mode.

show radius server-group {server-group-name | all | 123}

Syntax Description

server-group-name	Displays properties for the server group named. The character string used to name the group of servers must be defined using the aaa group server radius command.
all	Displays properties for all the server group.
server	Displays properties for a specific server or servers in the group.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release	Modification
12.2(2)T	This command was introduced.
12.2(33)SRA	The server argument was introduced.

Usage Guidelines

Use the show radius server-group command to display the server groups that you defined by using the aaa group server radius command.

Examples

The following show radius server-group command output displays properties for the server group "rad_sg":

Router# show radius server-group rad_sg

server group rad-sg

 Sharecount = 1  sg_unconfigured = FALSE

 Type = standard  Memlocks = 1

The following show radius server-group command output displays the properties for two server groups, 123 and 456, respectively. Using the aaa group server radius command, the configuration of each server group is also shown.

Router(config)# aaa new-model

!

!

Router(config)# aaa group server radius 123

 server 10.9.8.1 auth-port 1645 acct-port 1646

!

Router(config)# aaa group server radius 456

 server 10.9.8.2 auth-port 1645 acct-port 1646

Router(config)# exit

Router# show radius server-group all

Server group 123

 Sharecount = 1  sg_unconfigured = FALSE

 Type = standard 

Server group 456

 Sharecount = 1  sg_unconfigured = FALSE

 Type = standard  

Router# show radius server-group 123

Server group 123

 Sharecount = 1  sg_unconfigured = FALSE

 Type = standard 

Table 179 describes the significant fields shown in the display.

Table 179 show radius server-group command Field Descriptions 

Field	Description
Server group	Name of the server group.
Sharecount	Number of method lists that are sharing this server group. For example, if one method list uses a particular server group, the sharecount would be 1. If two method lists use the same server group, the sharecount would be 2.
sg_unconfigured	Server group has been unconfigured.
Type	The type can be either "standard" or "nonstandard". The type indicates whether the servers in the group accept nonstandard attributes. If all servers within the group are configured with the nonstandard option, the type will be shown as "nonstandard".
Memlocks	An internal reference count for the server-group structure that is in memory. The number represents how many internal data structure packets or transactions are holding references to this server group. Memlocks is used internally for memory management purposes.

Related Commands

Command	Description
aaa group server radius	Groups different RADIUS server hosts into distinct lists and distinct methods.
show aaa servers	Displays information about the number of packets sent to and received from AAA servers.
show radius statistics	Displays the RADIUS statistics for accounting and authentication packets.

show radius statistics

To display the RADIUS statistics for accounting and authentication packets, use the show radius statistics command in EXEC mode.

show radius statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.1(3)T	This command was introduced.
12.2(33)SRA	This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Examples

The following example is sample output for the show radius statistics command:

Router# show radius statistics

                                   Auth.      Acct.       Both

		Maximum inQ length:          NA         NA          1

       Maximum waitQ length:         NA         NA          2

       Maximum doneQ length:         NA         NA          1

       Total responses seen:         33         67        100

     Packets with responses:         33         67        100

  Packets without responses:          0          0          0

  Access Rejects           :          0

Average response delay(ms) :       1331        124        523

 Maximum response delay(ms):       5720       4800       5720

  Number of Radius timeouts:          8          2         10

       Duplicate ID detects:          0          0          0

 Buffer Allocation Failures:          0          0          0

Maximum Buffer Size (bytes):        156        327        327

Malformed Responses        :          0          0          0

Bad Authenticators         :          0          0          0

 Source Port Range: (2 ports only)

 1645 - 1646

 Last used Source Port/Identifier:

 1645/33

 1646/69

Table 180 describes significant fields shown in the display.

Table 180 show radius statistics Field Descriptions 

Field	Description
Auth.	Statistics for authentication packets.
Acct.	Statistics for accounting packets.
Both	Combined statistics for authentication and accounting packets.
Maximum inQ length	Maximum number of entries allowed in the queue, that holds the RADIUS messages not yet sent.
Maximum waitQ length	Maximum number of entries allowed in the queue, that holds the RADIUS messages that have been sent and are waiting for a response.
Maximum doneQ length	Maximum number of entries allowed in the queue, that holds the messages that have received a response and will be forwarded to the code that is waiting for the messages.
Total responses seen	Number of RADIUS responses seen from the server. In addition to the expected packets, this includes repeated packets and packets that do not have a matching message in the waitQ.
Packets with responses	Number of packets that received a response from the RADIUS server.
Packets without responses	Number of packets that never received a response from any RADIUS server.
Access Rejects	Number of times access requests have been rejected by a radius server.
Average response delay	Average time from when the packet was first transmitted to when it received a response. If the response timed out and the packet was sent again, this value includes the timeout. If the packet never received a response, this is not included in the average.
Maximum response delay	Maximum delay observed while gathering average response delay information.
Number of RADIUS timeouts	Number of times a server did not respond, and the RADIUS server re-sent the packet.
Duplicate ID detects	RADIUS has a maximum of 255 unique IDs. In some instances there can be more than 255 outstanding packets. When a packet is received, the doneQ is searched from the oldest entry to the youngest. If the IDs are the same, further techniques are used to see if this response matches this entry. If it is determined that this does not match, the duplicate ID detect counter is increased.
Buffer Allocation Failures	Number of times the buffer failed to get allocated.
Maximum Buffer Size (bytes)	Displays the maximum size of the buffer.
Malformed Responses	Number of corrupted responses, mostly due to bad authenticators.
Bad Authenticators	Number of authentication failures due to shared secret mismatches.
Source Port Range: (2 ports only)	Displays the port numbers.
Last used Source Port/Identifier	The ports that were last used by radius server for authentication.

Related Commands

Command	Description
radius-server host	Specifies a RADIUS server host.
radius-server retransmit	Specifies how many times the Cisco IOS software searches the list of RADIUS server hosts before giving up.
radius-server timeout	Sets the interval for which a router waits for a server host to reply.

show radius table attributes

To display a list of all attributes supported by the RADIUS subsystem, use the show radius table attributes command in user EXEC or privileged EXEC mode.

show radius table attributes

Syntax Description

This command has no arguments or keywords.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release	Modification
12.2(33)SRA	This command was introduced.

Usage Guidelines

This command enables you to verify that a required RADIUS attribute is supported in a specific release.

Examples

The following example displays the complete table attribute list from the show radius table attributes command.

Router# show radius table attributes 

IETF ATTRIBUTE LIST:

    Name User-Name                      Format String

    Name User-Password                  Format Binary

    Name CHAP-Password                  Format Binary

    Name NAS-IP-Address                 Format IPv4 Address

    Name NAS-Port                       Format Ulong

    Name Service-Type                   Format Enum

    Name Framed-Protocol                Format Enum

    Name Framed-IP-Address              Format IPv4 Address

    Name Framed-IP-Netmask              Format IPv4 Address

    Name Framed-Routing                 Format Ulong

    Name Filter-Id                      Format Binary

    Name Framed-MTU                     Format Ulong

    Name Framed-Compression             Format Enum

    Name login-ip-addr-host             Format IPv4 Address

    Name Login-Service                  Format Enum

    Name login-tcp-port                 Format Ulong

    Name Reply-Message                  Format Binary

    Name Callback-Number                Format String

    Name Framed-Route                   Format String

    Name Framed-IPX-Network             Format IPv4 Address

    Name State                          Format Binary

    Name Class                          Format Binary

    Name Vendor-Specific                Format Binary

    Name Session-Timeout                Format Ulong

    Name Idle-Timeout                   Format Ulong

    Name Termination-Action             Format Boolean

    Name Called-Station-Id              Format String

    Name Calling-Station-Id             Format String

    Name Nas-Identifier                 Format String

    Name Acct-Status-Type               Format Enum

    Name Acct-Delay-Time                Format Ulong

    Name Acct-Input-Octets              Format Ulong

    Name Acct-Output-Octets             Format Ulong

    Name Acct-Session-Id                Format String

    Name Acct-Authentic                 Format Enum

    Name Acct-Session-Time              Format Ulong

    Name Acct-Input-Packets             Format Ulong

    Name Acct-Output-Packets            Format Ulong

    Name Acct-Terminate-Cause           Format Enum

    Name Multilink-Session-ID           Format String

    Name Acct-Link-Count                Format Ulong

    Name Acct-Input-Giga-Words          Format Ulong

    Name Acct-Output-Giga-Words         Format Ulong

    Name Event-Timestamp                Format Ulong

    Name CHAP-Challenge                 Format Binary

    Name NAS-Port-Type                  Format Enum

    Name Port-Limit                     Format Ulong

    Name Tunnel-Type                    Format Enum

    Name Tunnel-Medium-Type             Format Enum

    Name Tunnel-Client-Endpoint         Format String

    Name Tunnel-Server-Endpoint         Format String

    Name Acct-Tunnel-Connection         Format String

    Name Tunnel-Password                Format Binary

    Name Prompt                         Format Enum

    Name Connect-Info                   Format String

    Name EAP-Message                    Format Binary

    Name Message-Authenticator          Format Binary

    Name Tunnel-Private-Group-Id        Format String

    Name Tunnel-Assignment-Id           Format String

    Name Tunnel-Preference              Format Ulong

    Name Acct-Interim-Interval          Format Ulong

    Name Tunnel-Packets-Lost            Format Ulong

    Name NAS-Port-Id                    Format String

    Name Tunnel-Client-Auth-ID          Format String

    Name Tunnel-Server-Auth-ID          Format String

    Name Framed-Interface-Id            Format Binary

    Name Framed-IPv6-Prefix             Format Binary

    Name login-ip-addr-host             Format Binary

    Name Framed-IPv6-Route              Format String

    Name Framed-IPv6-Pool               Format String

    Name Dynamic-Author-Error-Cause     Format Enum

Non Standard ATTRIBUTE LIST:

    Name Old-Password                   Format Binary

    Name Ascend-Filter-Required         Format Enum

    Name Ascend-Cache-Refresh           Format Enum

    Name Ascend-Cache-Time              Format Ulong

    Name Ascend-Auth-Type               Format Ulong

    Name Ascend-Redirect-Number         Format String

    Name Ascend-Private-Route           Format String

    Name Ascend-Shared-Profile-Enable   Format Boolean

    Name Ascend-Client-Primary-DNS      Format IPv4 Address

    Name Ascend-Client-Secondary-DNS    Format IPv4 Address

    Name Ascend-Client-Assign-DNS       Format Ulong

    Name Ascend-Session-Svr-Key         Format String

    Name Ascend-Multicast-Rate-Limit    Format Ulong

    Name Ascend-Multicast-Client        Format Ulong

    Name Ascend-Multilink-Session-ID    Format Ulong

    Name Ascend-Num-In-Multilink        Format Ulong

    Name Ascend-Presession-Octets-In    Format Ulong

    Name Ascend-Presession-Octets-Out   Format Ulong

    Name Ascend-Presession-Packets-In   Format Ulong

    Name Ascend-Presession-Packets-Out  Format Ulong

    Name Ascend-Max-Time                Format Ulong

    Name Ascend-Disconnect-Cause        Format Enum

    Name Ascend-Connection-Progress     Format Enum

    Name Ascend-Data-Rate               Format Ulong

    Name Ascend-Presession-Time         Format Ulong

    Name Ascend-Require-Auth            Format Ulong

    Name Ascend-PW-Liftime              Format Ulong

    Name Ascend-IP-Direct               Format IPv4 Address

    Name Ascend-PPP-VJ-Slot-Comp        Format Boolean

    Name Ascend-Asyncmap                Format Ulong

    Name Ascend-Send-Secret             Format Binary

    Name ascend_pool_definition         Format String

    Name Ascend-IP-Pool                 Format Ulong

    Name Ascend-Dial-Number             Format String

    Name Ascend-Route-IP                Format Boolean

    Name Ascend-Send-Auth               Format Enum

    Name Ascend-Link-Compression        Format Enum

    Name Ascend-Target-Util             Format Ulong

    Name Ascend-Max-Channels            Format Ulong

    Name Ascend-Data-Filter             Format Binary

    Name Ascend-Call-Filter             Format Binary

    Name Ascend-Idle-Limit              Format Ulong

    Name Ascend-Data-Service            Format Ulong

    Name Ascend-Force-56                Format Ulong

    Name Ascend-Xmit-Rate               Format Ulong

Cisco VSA ATTRIBUTE LIST:

    Name Cisco AVpair                   Format String

    Name cisco-nas-port                 Format String

    Name fax_account_id_origin          Format String

    Name fax_msg_id                     Format String

    Name fax_pages                      Format String

    Name fax_modem_time                 Format String

    Name fax_connect_speed              Format String

    Name fax_mdn_address                Format String

    Name fax_mdn_flag                   Format String

    Name fax_auth_status                Format String

    Name email_server_address           Format String

    Name email_server_ack_flag          Format String

    Name gateway_id                     Format String

    Name call_type                      Format String

    Name port_used                      Format String

    Name abort_cause                    Format String

    Name h323-remote-address            Format String

    Name Conf-Id                        Format String

    Name h323-setup-time                Format String

    Name h323-call-origin               Format String

    Name h323-call-type                 Format String

    Name h323-connect-time              Format String

    Name h323-disconnect-time           Format String

    Name h323-disconnect-cause          Format String

    Name h323-voice-quality             Format String

    Name h323-gw-id                     Format String

    Name Cisco AVpair                   Format Binary

    Name Cisco encrypted string vsa     Format String

    Name Sub_Policy_In                  Format String

    Name Sub_Policy_Out                 Format String

    Name h323-credit-amount             Format String

    Name h323-credit-time               Format String

    Name h323-return-code               Format String

    Name h323-prompt-id                 Format String

    Name h323-time-and-day              Format String

    Name h323-redirect-number           Format String

    Name h323-preferred-lang            Format String

    Name h323-redirect-ip-address       Format String

    Name h323-billing-model             Format String

    Name h323-currency                  Format String

    Name ssg-account-info               Format String

    Name ssg-service-info               Format String

    Name ssg-command-code               Format Binary

    Name ssg-control-info               Format String

Microsoft VSA ATTRIBUTE LIST:

    Name MS-CHAP-Response               Format Binary

    Name MS-CHAP-ERROR                  Format Binary

    Name MS-CHAP-CPW-1                  Format Binary

    Name MS-CHAP-CPW-2                  Format Binary

    Name MS-CHAP-LM-Enc-PW              Format Binary

    Name MS-CHAP-NT-Enc-PW              Format Binary

    Name MS-MPPE-Enc-Policy             Format Binary

    Name MS-MPPE-Enc-Type               Format Binary

    Name MS-RAS-Vendor                  Format String

    Name MS-CHAP-DOMAIN                 Format String

    Name MSCHAP_Challenge               Format Binary

    Name MS-CHAP-MPPE-Keys              Format Binary

    Name MS-BAP-Usage                   Format Binary

    Name MS-Link-Util-Thresh            Format Binary

    Name MS-Link-Drop-Time-Limit        Format Binary

    Name MS-MPPE-Send-Key               Format Binary

    Name MS-MPPE-Recv-Key               Format Binary

    Name MS-RAS-Version                 Format String

    Name MS-Old-ARAP-Password           Format Binary

    Name New-ARAP-Password              Format Binary

    Name MS-ARAP-PW-Change-Reason       Format Binary

    Name MS-Filter                      Format Binary

    Name MS-Acct-Auth-Type              Format Binary

    Name MS-MPPE-EAP-Type               Format Binary

    Name MS-CHAP-V2-Response            Format Binary

    Name MS-CHAP-V2-Success             Format String

    Name MS-CHAP-CPW-2                  Format Binary

    Name MS-Primary-DNS                 Format IPv4 Address

    Name MS-Secondary-DNS               Format IPv4 Address

    Name MS-1st-NBNS-Server             Format IPv4 Address

    Name MS-2nd-NBNS-Server             Format IPv4 Address

    Name MS-ARAP-Challenge              Format Binary

3GPP VSA ATTRIBUTE LIST:

    Name Charging-ID                    Format Ulong

    Name PDP Type                       Format Enum

    Name Charging-Gateway-Address       Format IPv4 Address

    Name GPRS-QoS-Profile               Format String

    Name SGSN-Address                   Format IPv4 Address

    Name GGSN-Address                   Format IPv4 Address

    Name IMSI-MCC-MNC                   Format String

    Name GGSN-MCC-MNC                   Format String

    Name NSAPI                          Format String

    Name Session-Stop-Ind               Format Binary

    Name Selection-Mode                 Format String

    Name Charging-Characteristics       Format String

3GPP2 VSA ATTRIBUTE LIST:

    Name cdma-reverse-tnl-spec          Format Ulong

    Name cdma-diff-svc-class-opt        Format Ulong

    Name cdma-container                 Format String

    Name cdma-ha-ip-addr                Format IPv4 Address

    Name cdma-pcf-ip-addr               Format IPv4 Address

    Name cdma-bs-msc-addr               Format String

    Name cdma-user-id                   Format Ulong

    Name cdma-forward-mux               Format Ulong

    Name cdma-reverse-mux               Format Ulong

    Name cdma-forward-rate              Format Ulong

    Name cdma-reverse-rate              Format Ulong

    Name cdma-service-option            Format Ulong

    Name cdma-forward-type              Format Ulong

    Name cdma-reverse-type              Format Ulong

    Name cdma-frame-size                Format Ulong

    Name cdma-forward-rc                Format Ulong

    Name cdma-reverse-rc                Format Ulong

    Name cdma-ip-tech                   Format Ulong

    Name cdma-comp-flag                 Format Enum

    Name cdma-reason-ind                Format Enum

    Name cdma-bad-frame-count           Format Ulong

    Name cdma-num-active                Format Ulong

    Name cdma-sdb-input-octets          Format Ulong

    Name cdma-sdb-output-octets         Format Ulong

    Name cdma-numsdb-input              Format Ulong

    Name cdma-numsdb-output             Format Ulong

    Name cdma-ip-qos                    Format Ulong

    Name cdma-airlink-qos               Format Ulong

    Name cdma-rp-session-id             Format Ulong

    Name cdma-hdlc-layer-bytes-in       Format Ulong

    Name cdma-correlation-id            Format String

    Name cdma-moip-inbound              Format Ulong

    Name cdma-moip-outbound             Format Ulong

    Name cdma-session-continue          Format Ulong

    Name cdma-active-time               Format Ulong

    Name cdma-frame-size                Format Ulong

    Name cdma-esn                       Format String

    Name cdma-mn-ha-spi                 Format Ulong

    Name cdma-mn-ha-shared-key          Format Binary

    Name cdma-sess-term-capability      Format Ulong

    Name cdma-disconnect-reason         Format Ulong

Verizon VSA ATTRIBUTE LIST:

    Name mip-key-data                   Format Binary

    Name aaa-authenticator              Format Binary

    Name public-key-invalid             Format Binary

Table 179 describes the significant fields shown in the display.

Table 181 show radius table attributes Field Descriptions 

Field	Description
User-Name	The name of the user on the system. The format is String.
User-Password	The password of the user on the system. The format is Binary.
CHAP-Password	Challenge Handshake Authentication Protocol (CHAP) password. The format is Binary.
NAS-IP-Address	Network-Attached Storage (NAS) IP address. The format is IPv4 Address.
NAS-Port	The RADIUS Attribute 5 (NAS-Port) format specified on a per-server group level. The format is Ulong.
Service-Type	Sets the service type. The format is Enum.
Framed-Protocol	Indicates the framing to be used for framed access. It may be used in both Access-Request and Access-Accept packets. The format is Enum.
Framed-IP-Address	Indicates the address to be configured for the user. It may be used in Access-Accept packets. The format is IPv4 Address.
Framed-IP-Netmask	Indicates the IP netmask to be configured for the user when the user is a router to a network. The format is IPv4 Address.
Framed-Routing	Indicates the routing method for the user when the user is a router to a network. The format is Ulong.
Filter-Id	To disable, enable, get, or set a filter, the filter ID must be valid. The format is Binary.
Framed-MTU	Indicates the maximum transmission unit to be configured for the user, when it is not negotiated by some other means (such as PPP). The format is Ulong.
Framed-Compression	Indicates a compression protocol to be used for the link. The format is Enum.
login-ip-addr-host	Indicates the host to which the user will connect when the Login-Service attribute is included. The format is IPv4 Address.
Login-Service	The Login-IP-Host AVP (AVP Code 14) is of type Address and contains the system with which to connect the user, when the Login-Service AVP is included. The format is Enum.
login-tcp-port	The Login-TCP-Port AVP (AVP Code 16) is of type Integer32 and contains the TCP port with which the user is to be connected, when the Login-Service AVP is also present. The format is Ulong.
Reply-Message	Indicates text that may be displayed to the user. The format is Binary.
Callback-Number	Indicates a dialing string to be used for callback. The format is String.
Framed-Route	Provides routing information to be configured for the user on the NAS. The format is String.
Framed-IPX-Network	The Framed-IPX-Network AVP (AVP Code 23) is of type Unsigned32, and contains the IPX Network number to be configured for the user. The format is Pv4 Address.
State	Is available to be sent by the server to the client in an Access-Challenge and must be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any. The format is Binary.
Class	Is available to be sent by the server to the client in an Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. The format is Binary.
Vendor-Specific	Is available to allow vendors to support their own extended attributes not suitable for general usage. The format is Binary.
Session-Timeout	Sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. The format is Ulong.
Idle-Timeout	Sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. The format is Ulong.
Termination-Action	Indicates what action the NAS should take when the specified service is completed. The format is Boolean.
Called-Station-Id	The Called-Station-Id AVP (AVP Code 30) is of type String and allows the NAS to send in the request the phone number that the user called, using Dialed Number Identification (DNIS) or a similar technology. The format is String.
Calling-Station-Id	The Calling-Station-Id AVP (AVP Code 31) is of type String and allows the NAS to send in the request the phone number that the call came from, using Automatic Number Identification (ANI) or a similar technology. The format is String.
Nas-Identifier	Contains a string identifying the NAS originating the access request. The format is String.
Acct-Status-Type	Indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). The format is Enum.
Acct-Delay-Time	Indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.) The format is Ulong.
Acct-Input-Octets	Indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.
Acct-Output-Octets	Indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.
Acct-Session-Id	Is a unique accounting ID to make it easy to match start and stop records in a log file. The format is String.
Acct-Authentic	Indicate how the user was authenticated, whether by Radius, the NAS itself, or another remote authentication protocol. It may be included in an Accounting-Request. The format is Enum.
Acct-Session-Time	Indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.
Acct-Input-Packets	Indicates how many packets have been received from the port over the course of this service being provided to a framed user, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.
Acct-Output-Packets	Indicates how many packets have been sent to the port in the course of delivering this service to a framed user, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.
Acct-Terminate-Cause	Indicates how the session was terminated, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Enum.
Multilink-Session-ID	Indicates the service to use to connect the user to the login host. It is only used in Access-Accept packets. The format is String.
Acct-Link-Count	Gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. The format is Ulong.
Acct-Input-Giga-Words	Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update. The format is Ulong.
Acct-Output-Giga-Words	Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update. The format is Ulong.
Event-Timestamp	Use to include the Event-Timestamp attribute in Acct-Start or Acct-Stop messages. The format is Ulong.
CHAP-Challenge	The CHAP is used to verify periodically the identity of the peer using a 3-way handshake. The format is Binary.
NAS-Port-Type	Indicates the physical port number of the NAS which is authenticating the user. The format is Enum.
Port-Limit	Sets the maximum number of ports to be provided to the user by the NAS. The format is Ulong.
Tunnel-Type	Indicates the tunneling protocol(s) to be used (in the case of a tunnel initiator) or the the tunneling protocol in use (in the case of a tunnel terminator). The format is Enum.
Tunnel-Medium-Type	Indicates which transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports. The format is Enum.
Tunnel-Client-Endpoint	Contains the address of the initiator end of the tunnel. The format is String.
Tunnel-Server-Endpoint	Indicates the address of the server end of the tunnel. The format is String.
Acct-Tunnel-Connection	Indicates the identifier assigned to the tunnel session. The format is String.
Tunnel-Password	Can contain a password to be used to authenticate to a remote server. The format is Binary.
Prompt	Used only in Access-Challenge packets, and indicates to the NAS whether it should echo the user's response as it is entered, or not echo it. The format is Enum.
Connect-Info	Is sent from the NAS to indicate the nature of the user's connection. The format is String.
EAP-Message	Encapsulates Extensible Authentication Protocol packets so as to allow the NAS to authenticate dial-in users via EAP without having to understand the protocol. The format is Binary.
Message-Authenticator	Can be used to authenticate and integrity-protect Access-Requests in order to prevent spoofing. The format is Binary.
Tunnel-Private-Group-Id	Indicates the group ID for a particular tunneled session. The format is String.
Tunnel-Assignment-Id	Used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned. The format is String.
Tunnel-Preference	Should be included in each set to indicate the relative preference assigned to each tunnel if more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator. The format is Ulong.
Acct-Interim-Interval	Indicates the number of seconds between each interim update in seconds for this specific session. The format is Ulong.
Tunnel-Packets-Lost	Indicates the number of packets lost on a given link. The format is Ulong.
NAS-Port-Id	Used to identify the IEEE 802.1X Authenticator port which authenticates the Supplicant. The format is String.
Tunnel-Client-Auth-ID	Specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. The format is String.
Tunnel-Server-Auth-ID	Specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment. The format is String.
Framed-Interface-Id	Indicates the IPv6 interface identifier to be configured for the user. The format is Binary.
Framed-IPv6-Prefix	Indicates an IPv6 prefix (and corresponding route) to be configured for the user. The format is Binary.
Framed-IPv6-Route	Provides routing information to be configured for the user on the NAS. The format is String.
Framed-IPv6-Pool	Contains the name of an assigned pool that should be used to assign an IPv6 prefix for the user. The format is String.
Dynamic-Author-Error-Cause	Specifies the error causes associated with dynamic authorization. The format is Enum.
Old-Password	Is 16 octets in length. It contains the encrypted Lan Manager hash of the old password. The format is Binary.
Ascend-Filter-Required	Specifies whether the call should be permitted if the specified filter is not found. If present, this attribute will be applied after any authentication, authorization, and accounting (AAA) filter method-list. The format is Enum.
Ascend-Cache-Refresh	Specifies whether cache entries should be refreshed each time an entry is referenced by a new session. This attribute corresponds to the cache refresh command. The format is Enum.
Ascend-Cache-Time	Specifies the idle time out, in minutes, for cache entries. This attribute corresponds to the cache clear age command. The format is Ulong.
Ascend-Auth-Type	Indicates the type of name and password (PPP) authorization to use. The format Ulong.
Ascend-Redirect-Number	Indicates the original number in the information sent to the authentication server when the number dialed by a device is redirected to another number for authentication. The format is String.
Ascend-Private-Route	Specifies whether IP routing is allowed for the user profile. The format is String.
Ascend-Shared-Profile-Enable	Specifies whether multiple incoming callers can share a single RADIUS user profile. The format is Boolean.
Ascend-Client-Primary-DNS	Specifies a primary DNS server address to send to any client connecting to the MAX TNT. The format is IPv4 Address.
Ascend-Client-Secondary-DNS	Specifies a secondary DNS server address to send to any client connecting to the MAX TNT. The format is IPv4 Address.
Ascend-Client-Assign-DNS	Specifies whether or not the MAX TNT sends the Ascend-Client-Primary-DNS and Ascend-Client-Secondary-DNS values during connection negotiation. The format is Ulong.
Ascend-Session-Svr-Key	Specifies the session key that identifies the user session. You can specify up to 16 characters. The default value is null. The format is String.
Ascend-Multicast-Rate-Limit	Specifies how many seconds the MAX waits before accepting another packet from the multicast client. The format is Ulong.
Ascend-Multicast-Client	Specifies whether the user is a multicast client of the MAX. The format is Ulong.
Ascend-Multilink-Session-ID	Specifies the ID number of the Multilink bundle when the session closes. A Multilink bundle is a multichannel MP or MP+ call. The format is Ulong.
Ascend-Num-In-Multilink	Indicates the number of sessions remaining in a Multilink bundle when the session closes. A Multilink bundle is a multichannel MP or MP+ call. The format is Ulong.
Ascend-Presession-Octets-In	Reports the number of octets received before authentication. The value reflects only the data delivered by PPP or other encapsulation. It does not include the header or other protocol-dependent components of the packet. The format is Ulong.
Ascend-Presession-Octets-Out	Reports the number of octets transmitted before authentication. The value reflects only the data delivered by PPP or other encapsulation. It does not include the header or other protocol-dependent components of the packet. The format is Ulong.
Ascend-Presession-Packets-In	Reports the number of packets received before authentication. The packets are counted before the encapsulation is removed. The attribute's value does not include maintenance packets, such as keepalive or management packets. The format is Ulong.
Ascend-Presession-Packets-Out	Reports the number of packets transmitted before authentication. The packets are counted before the encapsulation is removed. The attribute's value does not include maintenance packets, such as keepalive or management packets. The format is Ulong.
Ascend-Max-Time	Specifies the maximum length of time in seconds that any session can remain online. Once a session reaches the time limit, its connection goes offline. The format is Ulong.
Ascend-Disconnect-Cause	Indicates the reason a connection went offline. The format is Enum.
Ascend-Connection-Progress	Indicates the state of the connection before it disconnects. The format is Enum.
Ascend-Data-Rate	Specifies the rate of data received on the connection in bits per second. The format is Ulong.
Ascend-Presession-Time	Reports the length of time in seconds from when a call connected to when it completes authentication. The format is Ulong.
Ascend-Require-Auth	Specifies whether the MAX TNT requires additional authentication after Calling-Line ID (CLID) or called-number authentication. The format is Ulong.
Ascend-PW-Liftime	Specifies the number of days that a password is valid. The format is Ulong.
Ascend-IP-Direct	Specifies the IP address to which the MAX TNT redirects packets from the user. When you include this attribute in a user profile, the MAX TNT bypasses all internal routing tables, and simply sends all packets it receives on the connection's WAN interface to the specified IP address. The format is IPv4 Address.
Ascend-PPP-VJ-Slot-Comp	Instructs the MAX TNT to not use slot compression when sending VJ-compressed packets. The format is Boolean.
Ascend-Asyncmap	The format is Ulong.
Ascend-Send-Secret	Specifies the password that the RADIUS server sends to the remote end of a connection on an outgoing call. It is encrypted when passed between the RADIUS server and the MAX TNT. The format is Binary.
Ascend_pool_definition	Specifies all the addresses in the pool. The format is String.
Ascend-IP-Pool	Specifies the first address in an IP address pool, as well as the number of addresses in the pool. The format is Ulong.
Ascend-Dial-Number	Specifies the phone number the MAX TNT dials to reach the router or node at the remote end of the link. The format is String.
Ascend-Route-IP	Specifies whether IP routing is allowed for the user profile. The format is Boolean.
Ascend-Send-Auth	Specifies the authentication protocol that the MAX TNT requests when initiating a PPP or MP+ connection. The answering side of the connection determines which authentication protocol, if any, the connection uses. The format is Enum.
Ascend-Link-Compression	Turns data compression on or off for a PPP link. The format is Enum.
Ascend-Target-Util	Specifies the percentage of bandwidth use at which the MAX TNT adds or subtracts bandwidth. The format is Ulong.
Ascend-Max-Channels	Specifies the maximum number of channels allowed on an MP+ call. The format is Ulong.
Ascend-Data-Filter	Specifies the characteristics of a data filter in a RADIUS user profile. The MAX TNT uses the filter only when it places or receives a call associated with the profile that includes the filter definition. The format is Binary.
Ascend-Call-Filter	Specifies the characteristics of a call filter in a RADIUS user profile. The MAX TNT uses the filter only when it places a call or receives a call associated with the profile that includes the filter definition. The format is Binary.
Ascend-Idle-Limit	Specifies the number of seconds the MAX TNT waits before clearing a call when a session is inactive. The format is Ulong.
Ascend-Data-Service	Specifies the type of data service the link uses for outgoing calls. The format is Ulong.
Ascend-Force-56	Indicates whether the MAX uses only the 56-kbps portion of a channel, even when all 64-kbps appear to be available. The format is Ulong.
Ascend-Xmit-Rate	Specifies the rate of data transmitted on the connection in bits per second. For ISDN calls, Ascend-Xmit-Rate indicates the transmit data rate. For analog calls, it indicates the modem baud rate at the time of the initial connection. The format is Ulong.
Cisco AVpair	The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair". The format is String.
cisco-nas-port	Enables the display of physical interface information and parent interface details as part of the of the cisco-nas-port vendor-specific attribute (VSA) for login calls. The format is String.
fax_account_id_origin	Indicates the account ID origin as defined by system administrator for the mmoip aaa receive-id or the mmoip aaa send-id command. The format is String.
fax_msg_id	Indicates a unique fax message identification number assigned by Store and Forward Fax. The format is String.
fax_pages	Indicates the number of pages transmitted or received during this fax session. This page count includes cover pages. The format is String.
fax_modem_time	Indicates the amount of time in seconds the modem sent fax data (x) and the amount of time in seconds of the total fax session (y), which includes both fax-mail and PSTN time, in the form x/y. For example, 10/15 means that the transfer time took 10 seconds, and the total fax session took 15 seconds. The format is String.
fax_connect_speed	Indicates the modem speed at which this fax-mail was initially transmitted or received. Possible values are 1200, 4800, 9600, and 14400. The format is String.
fax_mdn_address	Indicates the address to which message delivery notifications (MDNs) will be sent. The format is String.
fax_mdn_flag	Indicates whether or not MDNs has been enabled. True indicates that MDN had been enabled; false means that MDN had not been enabled. The format is String.
fax_auth_status	Indicates whether or not authentication for this fax session was successful. Possible values for this field are success, failed, bypassed, or unknown. The format is String.
email_server_address	Indicates the IP address of the e-mail server handling the on-ramp fax-mail message. The format is String.
email_server_ack_flag	Indicates that the on-ramp gateway has received a positive acknowledgment from the e-mail server accepting the fax-mail message. The format is String.
gateway_id	Indicates the name of the gateway that processed the fax session. The name appears in the following format: hostname.domain-name. The format is String.
call_type	Describes the type of fax activity: fax receive or fax send. The format is String.
port_used	Indicates the slot/port number of the Cisco AS5300 used to either transmit or receive this fax-mail. The format is String.
abort_cause	If the fax session aborts, indicates the system component that signaled the abort. Examples of system components that could trigger an abort are FAP (Fax Application Process), TIFF (the TIFF reader or the TIFF writer), fax-mail client, fax-mail server, ESMTP client, or ESMTP server. The format is String.
h323-remote-address	Indicates the IP address of the remote gateway. The format is String.
Conf-Id	Indicates a unique call identifier generated by the gateway. Used to identify the separate billable events (calls) within a single calling session. The format is String.
h323-setup-time	Indicates the setup time in NTP format: hour, minutes, seconds, microseconds, time_zone, day, month, day_of_month, year. The format is String.
h323-call-origin	Indicates the gateway's behavior in relation to the connection that is active for this leg. The format is String.
h323-call-type	Indicates the protocol type or family used on this leg of the call. The format is String.
h323-connect-time	Indicates the connect time in Network Time Protocol (NTP) format: hour, minutes, seconds, microseconds, time_zone, day, month, day_of_month, and year. The format is String.
h323-disconnect-time	Indicates the disconnect time in NTP format: hour, minutes, seconds, microseconds, time_zone, day, month, day_of_month, year. The format is String.
h323-disconnect-cause	Indicates the Q.931 disconnect cause code retrieved from CCAPI. The source of the code is the disconnect location such as a PSTN, terminating gateway, or SIP. The format is String.
h323-voice-quality	Indicates the ICPIF of the voice quality. The format is String.
h323-gw-id	Indicate the name of the tenor. The format is String.
Cisco AVpair	The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair". The format is String.
Cisco encrypted string vsa	Cisco allows several forms of sub-attribute encryption. The only method supported is the Cisco Encrypted String VSA Format also supported by an IETF draft for Salt-Encryption of RADIUS attributes. The format is String.
Sub_Policy_In	Defines the service policy input. The format is String.
Sub_Policy_Out	Defines the service policy output. The format is String.
h323-credit-amount	Indicates the amount of credit (in currency) that the account contains. The format is String.
h323-credit-time	Indicates the number of seconds for which the call is authorized. The format is String.
h323-return-code	Return codes are instructions from the RADIUS server to the voice gateway. The format is String.
h323-prompt-id	Indexes into an array that selects prompt files used at the gateway. The format is String.
h323-time-and-day	Indicates the time of day at the dialed number or at the remote gateway in the format: hour, minutes, seconds. The format is String.
h323-redirect-number	Indicates the phone number to which the call is redirected; for example, to a toll-free number or a customer service number. The format is String.
h323-preferred-lang	Indicates the language to use when playing the audio prompt specified by the h323-prompt-id. The format is String.
h323-redirect-ip-address	Indicates the IP address for an alternate or redirected call. The format is String.
h323-billing-model	Indicates the type of billing service for a specific call. The format is String.
h323-currency	Indicates the currency to use with h323-credit-amount. The format is String.
ssg-account-info	Subscribes the subscriber to the specified service and indicates that the subscriber should be automatically connected to this service after successful logon. The format is String.
ssg-service-info	SSG redirects the user's HTTP traffic to a server in the specified server group. All the service features (such as quality of service (QoS) and prepaid billing) are applied to the HTTP traffic. The format is String.
ssg-command-code	Specifies account logon and logoff, session query, and service activate and deactivate information. The format is Binary.
ssg-control-info	Indicates the control-info code for prepaid quota. The format is String.
MS-CHAP-Response	This attribute contains the response value provided by a PPP Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) user in response to the challenge. The format is Binary.
MS-CHAP-ERROR	Contains error data related to the preceding MS-CHAP exchange. The format is Binary.
MS-CHAP-CPW-1	Allows the user to change their password if it has expired. The format is Binary.
MS-CHAP-CPW-2	Allows the user to change their password if it has expired. The format is Binary.
MS-CHAP-LM-Enc-PW	Contains the new Windows NT password encrypted with the old LAN Manager password hash. The format is Binary.
MS-CHAP-NT-Enc-PW	Contains the new Windows NT password encrypted with the old Windows NT password hash. The format is Binary.
MS-MPPE-Enc-Policy	The MS-MPPE-Encryption-Policy attribute may be used to signify whether the use of encryption is allowed or required. The format is Binary.
MS-MPPE-Enc-Type	The MS-MPPE-Encryption-Types attribute is used to signify the types of encryption available for use with Microsoft Point-to-Point Encryption (MPPE). The format is Binary.
MS-RAS-Vendor	Used to indicate the manufacturer of the RADIUS client machine. The format is Binary.
MS-CHAP-DOMAIN	Indicates the Windows NT domain in which the user was authenticated. The format is Binary.
MSCHAP_Challenge	Contains the challenge sent by a NAS to a MS-CHAP user. The format is Binary.
MS-CHAP-MPPE-Keys	Contains two session keys for use by the MPPE. The format is Binary.
MS-BAP-Usage	Describes whether the use of Bandwidth Allocation Protocol (BAP) is allowed, disallowed or required on new multilink calls. The format is Binary.
MS-Link-Util-Thresh	Represents the percentage of available bandwidth utilization below which the link must fall before the link is eligible for termination. The format is Binary.
MS-Link-Drop-Time-Limit	Indicates the length of time (in seconds) that a link must be underutilized before it is dropped. The format is Binary.
MS-MPPE-Send-Key	Contains a session key for use by the MPPE. The format is Binary.
MS-MPPE-Recv-Key	Contains a session key for use by the MPPE. The format is Binary.
MS-RAS-Version	Used to indicate the version of the RADIUS client software. The format is Binary.
MS-Old-ARAP-Password	Used to transmit the old Apple Remote Access Protocol (ARAP) password during an ARAP password change operation. The format is Binary.
New-ARAP-Password	Used to transmit the new ARAP password during an ARAP password change operation. The format is Binary.
MS-ARAP-PW-Change-Reason	Used to indicate reason for a server-initiated password change. The format is Binary.
MS-Filter	Used to transmit traffic filters. The format is Binary.
MS-Acct-Auth-Type	Used to represent the method used to authenticate the dial-up user. The format is Binary.
MS-MPPE-EAP-Type	Used to represent the EAP type used to authenticate the dial-up user. The format is Binary.
MS-CHAP-V2-Response	This attribute is identical in format to the standard CHAP Response packet. The format is Binary.
MS-CHAP-V2-Success	Contains a 42-octet authenticator response string and must be included in the Message field packet sent from the NAS to the peer. The format is Binary.
MS-CHAP-CPW-2	Allows the user to change their password if it has expired. The format is Binary.
MS-Primary-DNS	Used to indicate the address of the primary DNS server to be used by the PPP peer. The format is IPv4 Address.
MS-Secondary-DNS	Used to indicate the address of the secondary DNS server to be used by the PPP peer. The format is IPv4 Address.
MS-1st-NBNS-Server	Used to indicate the address of the primary NetBIOS Name Server (NBNS) server to be used by the PPP peer. The format is IPv4 Address.
MS-2nd-NBNS-Server	Used to indicate the address of the secondary NBNS server to be used by the PPP peer. The format is IPv4 Address.
MS-ARAP-Challenge	Only present in an Access-Request packet containing a Framed-Protocol Attribute with the value 3 (ARAP). The format is Binary.
Charging-ID	Generated for each activated context. It is a unique four octet value generated by the GGSN when a PDP Context is activated. The format is Ulong.
PDP Type	Indicates the Packet Data Protocol (PDP) is to be used by the mobile for a certain service. The format is Enum.
Charging-Gateway-Address	The IP address of the recommended Charging Gateway Functionality to which the SGSN should transfer the Charging Detail Records (CDR) for this PDP Context. The format is IPv4 Address.
GPRS-QoS-Profile	Controls the QoS negotiated values. The format is String.
SGSN-Address	This is the IP address of the SGSN that is used by the GTP control plane for handling control messages. The format is IPv4 Address.
GGSN-Address	IP address of the GGSN that is used by the GTP control plane for the context establishment. This address is the same as the GGSN IP address used in G-CDRs. The format is IPv4 Address.
IMSI-MCC-MNC	The MCC and MNC extracted from the user's IMSI number (the first 5 or 6 digits depending on the IMSI). The format is String.
GGSN-MCC-MNC	The MCC and MNC of the network to which the GGSN belongs. The format is String.
NSAPI	Identifies a particular PDP context for the associated PDN and MSISDN/IMSI from creation to deletion. The format is String.
Session-Stop-Ind	Indicates to the AAA server that the last PDP context of a session is released and that the PDP session has been terminated. The format is Binary
Selection-Mode	Contains the selection mode for this PDP Context received in the Create PDP Context Request Message. The format is String.
Charging-Characteristics	Contains the charging characteristics for this PDP Context received in the Create PDP Context Request Message (only available in R99 and later releases). The format is String.
cdma-reverse-tnl-spec	Indicates the style of reverse tunneling that is required, and optionally appears in a RADIUS Access-Accept message. The format is Ulong.
cdma-diff-svc-class-opt	This attribute is deprecated and is replaced by the Allowed Differentiated Services Marking attribute. The Home RADIUS server authorizes differentiated services via the Differentiated Services Class Options attribute, and optionally appears in a RADIUS Access-Accept message. The format is Ulong.
cdma-container	Contains embedded 3GPP2 VSAs and/or RADIUS accounting attributes. The format is String.
cdma-ha-ip-addr	A Home Agent (HA) IP address used during a MIP session by the user as defined in IETF RFC 2002. The format is IPv4 Address.
cdma-pcf-ip-addr	The IP address of the serving PCF (the PCF in the serving RN). The format is IPv4 Address.
cdma-bs-msc-addr	The Base Station (BS) Mobile Switching Center (MSC) address. The format is String.
cdma-user-id	The name of the user on the system. The format is Ulong.
cdma-forward-mux	Forwards FCH multiplex option. The format is Ulong.
cdma-reverse-mux	Reverses FCH multiplex option. The format is Ulong.
cdma-forward-rate	The format and structure of the radio channel in the forward Dedicated Control Channel. A set of forward transmission formats that are characterized by data rates, modulation characterized, and spreading rates. The format is Ulong.
cdma-reverse-rate	The format and structure of the radio channel in the reverse Dedicated Control Channel. A set of reverse transmission formats that are characterized by data rates, modulation characterized, and spreading rates. The format is Ulong.
cdma-service-option	Code Division Multiple Access (CDMA) service option as received from the RN. The format is Ulong.
cdma-forward-type	Forward direction traffic type. It is either Primary or Secondary. The format is Ulong.
cdma-reverse-type	Reverse direction traffic type. It is either Primary or Secondary. The format is Ulong.
cdma-frame-size	Specifies the Fundamental Channel (FCH) frame size. The format is Ulong.
cdma-forward-rc	The format and structure of the radio channel in the forward FCH. A set of forward transmission formats that are characterized by data rates, modulation characterized, and spreading rates. The format is Ulong.
cdma-reverse-rc	The format and structure of the radio channel in the reverse FCH. A set of reverse transmission formats that are characterized by data rates, modulation characterized, and spreading rates. The format is Ulong.
cdma-ip-tech	Identifies the IP technology to use for the call: Simple IP or Mobile IP. The format is Ulong.
cdma-comp-flag	Indicates the type of compulsory tunnel. The format is Ulong.
cdma-reason-ind	Indicates the reasons for a stop record. The format is Ulong.
cdma-bad-frame-count	The total number of PPP frames from the MS dropped by the Packet Data Serving Node (PDSN) due to uncorrectable errors. The format is Ulong.
cdma-num-active	The number of active transitions. The format is Ulong.
cdma-sdb-input-octets	This is the Short Data Burst (SDB) octet count reported by the RN in the SDB Airlink Record. The format is Ulong.
cdma-sdb-output-octets	The SDB octet count reported by the RN in the SDB Airlink Record. The format is Ulong.
cdma-numsdb-input	The number of terminating SDBs. The format is Ulong.
cdma-numsdb-output	The number of originating SDBs. The format is Ulong.
cdma-ip-qos	Indicates the IP Quality of Service (QoS). The format is Ulong.
cdma-airlink-qos	Identifies Airlink Priority associated with the user. This is the user's priority associated with the packet data service. The format is Ulong.
cdma-rp-session-id	Identifies the resource reservation protocol type session identifier. The format is Ulong.
cdma-hdlc-layer-bytes-in	The count of all octets received in the reverse direction by the High-Level Data Link Control (HDLC) layer in the PDSN. The format is Ulong.
cdma-correlation-id	Indicates a unique accounting ID created by the Serving PDSN for each packet data session that allows multiple accounting events for each associated R-P connection or P-P connection to be correlated.The format is String.
cdma-moip-inbound	This is the total number of octets in registration requests and solicitations sent by the MS. The format is Ulong.
cdma-moip-outbound	This is the total number of octets in registration replies and agent advertisements, sent to the MS. The format is Ulong.
cdma-session-continue	This attribute when set to "true" means it is not the end of a Session and an Accounting Stop is immediately followed by an Account Start Record. "False" means end of a session. The format is Ulong.
cdma-active-time	The total active connection time on traffic channel in seconds. The format is Ulong.
cdma-frame-size	Specifies the FSH frame size. The format is Ulong.
cdma-esn	Indicates the Electronic Serial Number (ESN). The format is String.
cdma-mn-ha-spi	The SPI for the MN-HA shared key that optionally appears in a RADIUS Access-Request message. It is used to request an MN-HA shared key. The format is Ulong.
cdma-mn-ha-shared-key	A shared key for MN-HA that may appear in a RADIUS Access-Accept message. The MN-HA shared key is encrypted using a method based on the RSA Message Digest Algorithm MD5 [RFC 1321] as described in Section 3.5 of RFC 2868. The format is Binary.
cdma-sess-term-capability	The value shall be bitmap encoded rather than a raw integer. This attribute shall be included in a RADIUS Access-Request message to the Home RADIUS server and shall contain the value 3 to indicate that the PDSN and HA support both Dynamic authorization with RADIUS and Registration Revocation for Mobile IPv4. The attribute shall also be included in the RADIUS Access-Accept message and shall contain the preferred resource management mechanism by the home network, which shall be used for the session and may include values 1 to 3. The format is Ulong.
cdma-disconnect-reason	Indicates the reason for disconnecting the user. This attribute may be included in a RADIUS Disconnect-Request message from Home RADIUS server to the PDSN. The format is Ulong.
mip-key-data	This is the key data payload containing the encrypted MN_AAA key, MN_HA key, CHAP key, MN_Authenticator, and AAA_Authenticator. The format is Binary.
aaa-authenticator	This is the 64-bit AAA_Authenticator value decrypted by the Home RADIUS AAA Server. The format is Binary.
public-key-invalid	The home RADIUS AAA Server includes this attribute to indicate that the Public key used by the MN is not valid. The format is Binary.

Related Commands

Command	Description
show radius	Displays information about the RADIUS servers that are configured in the system.

show redundancy application control-interface group

To display control interface information for a redundancy group, use the show redundancy application control-interface group command in privileged EXEC mode.

show redundancy application control-interface group [group-id]

Syntax Description

group-id

(Optional) Redundancy group ID. Valid values are 1 and 2.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
Cisco IOS XE Release 3.1S	This command was introduced.

Usage Guidelines

The show redundancy application control-interface command shows information for the redundancy group control interfaces.

Examples

The following is sample output from the show redundancy application control-interface command:

Router# show redundancy application control-interface group 2

The control interface for rg[2] is GigabitEthernet0/1/0

Interface is Control interface associated with the following protocols: 2 1 

BFD Enabled

Interface Neighbors: 

Related Commands

Command	Description
show redundancy application faults	Displays fault-specific information for a redundancy group.
show redundancy application group	Displays redundancy group information.
show redundancy application if-mgr	Displays if-mgr information for a redundancy group.
show redundancy application protocol	Displays protocol-specific information for a redundancy group.

show redundancy application data-interface

To display data interface-specific information, use the show redundancy application data-interface command in privileged EXEC mode.

show redundancy application data-interface group [group-id]

Syntax Description

group	Specifies the redundancy group.
group-id	(Optional) Redundancy group ID. Valid values are 1 and 2.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
Cisco IOS XE Release 3.1S	This command was introduced.

Usage Guidelines

The show redundancy application data-interface command displays information about the redundancy group data interfaces.

Examples

The following is sample output from the show redundancy application data-interface command:

Router# show redundancy application data-interface group 1 

The data interface for rg[1] is GigabitEthernet0/1/1

Related Commands

Command	Description
show redundancy application control-interface	Displays control interface information for a redundancy group.
show redundancy application faults	Displays fault-specific information for a redundancy group.
show redundancy application group	Displays redundancy group information.
show redundancy application if-mgr	Displays if-mgr information for a redundancy group.
show redundancy application protocol	Displays protocol-specific information for a redundancy group.

show redundancy application faults group

To display fault-specific information for a redundancy group, use the show redundancy application faults group command in privileged EXEC mode.

show redundancy application faults group [group-id]

Syntax Description

group-id

(Optional) Redundancy group ID. Valid values are 1 and 2.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
Cisco IOS XE Release 3.1S	This command was introduced.

Usage Guidelines

The show redundancy application faults command shows information returned by redundancy group faults.

Examples

The following is sample output from the show redundancy application faults command:

Router# show redundancy application faults group 2

Faults states Group 2 info: 

        Runtime priority: [150]

                RG Faults RG State: Up. 

                        Total # of switchovers due to faults:           2

                        Total # of down/up state changes due to faults: 2 

Table 182 describes the significant fields shown in the display.

Table 182 show redundancy application group all Field Descriptions 

Field	Description
Faults states Group 1 info	Redundancy group faults information for Group 1.
Runtime priority	Current redundancy group priority of the group. This field is important when monitoring redundancy group switchover and when configuring interface tracking.
RG Faults RG State	Redundancy group state returned by redundancy group faults.
Total # of switchovers due to faults	Number of switchovers triggered by redundancy group fault events.
Total # of down/up state changes due to faults	Number of down and up state changes triggered by redundancy group fault events.

Related Commands

Command	Description
show redundancy application control-interface	Displays control interface information for a redundancy group.
show redundancy application group	Displays redundancy group information.
show redundancy application if-mgr	Displays if-mgr information for a redundancy group.
show redundancy application protocol	Displays protocol-specific information for a redundancy group.

show redundancy application group

To display the redundancy group information, use the show redundancy application group command in privileged EXEC mode.

show redundancy application group [group-id | all]

Syntax Description

group-id	(Optional) redundancy group ID. Valid values are 1 and 2.
all	(Optional) Display the redundancy group information.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
Cisco IOS XE Release 3.1S	This command was introduced.

Usage Guidelines

Use the show redundancy application group command to display the current state of each interbox redundancy group on the device and the peer device.

Examples

The following is sample output from the show redundancy application group all command:

Router# show redundancy application group all 

Faults states Group 1 info: 

        Runtime priority: [200]

                RG Faults RG State: Up. 

                        Total # of switchovers due to faults:           3

                        Total # of down/up state changes due to faults: 2

Group ID:1

Group Name:grp2

Administrative State: No Shutdown

Aggregate operational state : Up

My Role: ACTIVE

Peer Role: UNKNOWN

Peer Presence: No

Peer Comm: No

Peer Progression Started: No

RF Domain: btob-one

         RF state: ACTIVE

         Peer RF state: DISABLED

RG Protocol RG 1

------------------

        Role: Active

        Negotiation: Enabled

        Priority: 200

        Protocol state: Active

        Ctrl Intf(s) state: Down

        Active Peer: Local

        Standby Peer: Not exist

        Log counters:

                role change to active: 2

                role change to standby: 0

                disable events: rg down state 1, rg shut 0

                ctrl intf events: up 0, down 2, admin_down 1

                reload events: local request 3, peer request 0

RG Media Context for RG 1

--------------------------

        Ctx State: Active

        Protocol ID: 1

        Media type: Default

        Control Interface: GigabitEthernet0/1/0

        Hello timer: 5000

        Effective Hello timer: 5000, Effective Hold timer: 15000

         LAPT values: 0, 0

        Stats:

                Pkts 0, Bytes 0, HA Seq 0, Seq Number 0, Pkt Loss 0

                Authentication not configured

                Authentication Failure: 0

                Reload Peer: TX 0, RX 0

                Resign: TX 1, RX 0

        Standby Peer: Not Present. 

Faults states Group 2 info: 

        Runtime priority: [150]

                RG Faults RG State: Up. 

                        Total # of switchovers due to faults:           2

                        Total # of down/up state changes due to faults: 2

Group ID:2

Group Name:name1

Administrative State: No Shutdown

Aggregate operational state : Up

My Role: ACTIVE

Peer Role: UNKNOWN

Peer Presence: No

Peer Comm: No

Peer Progression Started: No

RF Domain: btob-two

         RF state: ACTIVE

         Peer RF state: DISABLED

RG Protocol RG 2

------------------

        Role: Active

        Negotiation: Enabled

        Priority: 150

        Protocol state: Active

        Ctrl Intf(s) state: Down

        Active Peer: Local

        Standby Peer: Not exist

        Log counters:

                role change to active: 1

                role change to standby: 0

                disable events: rg down state 1, rg shut 0

                ctrl intf events: up 0, down 2, admin_down 1

                reload events: local request 2, peer request 0

RG Media Context for RG 2

--------------------------

        Ctx State: Active

        Protocol ID: 2

        Media type: Default

        Control Interface: GigabitEthernet0/1/0

        Hello timer: 5000

        Effective Hello timer: 5000, Effective Hold timer: 15000

         LAPT values: 0, 0

        Stats:

                Pkts 0, Bytes 0, HA Seq 0, Seq Number 0, Pkt Loss 0

                Authentication not configured

                Authentication Failure: 0

                Reload Peer: TX 0, RX 0

                Resign: TX 0, RX 0

        Standby Peer: Not Present. 

Table 183 describes the significant fields shown in the display.

Table 183 show redundancy application group all Field Descriptions 

Field	Description
Faults states Group 1 info	Redundancy group faults information for Group 1.
Runtime priority	Current redundancy group priority of the group.
RG Faults RG State	Redundancy group state returned by redundancy group faults.
Total # of switchovers due to faults	Number of switchovers triggered by redundancy group fault events.
Total # of down/up state changes due to faults	Number of down and up state changes triggered by redundancy group fault events.
Group ID	Redundancy group ID.
Group Name	Redundancy group name.
Administrative State	The redundancy group state configured by users.
Aggregate operational state	Current redundancy group state.
My Role	The current role of the device.
Peer Role	The current role of the peer device.
Peer Presence	Indicates if the peer device is detected or not.
Peer Comm	Indicates the communication state with the peer device.
Peer Progression Started	Indicates if the peer box has started RF progression.
RF Domain	The name of RF domain for the redundancy group.

Related Commands

Command	Description
show redundancy application control-interface	Displays control interface information for a redundancy group.
show redundancy application faults	Displays fault-specific information for a redundancy group.
show redundancy application if-mgr	Displays if-mgr information for a redundancy group.
show redundancy application protocol	Displays protocol-specific information for a redundancy group.

show redundancy application if-mgr

To display interface manager information for a redundancy group, use the show redundancy application if-mgr command in privileged EXEC mode.

show redundancy application if-mgr group [group-id]

Syntax Description

group	Specifies the redundancy group.
group-id	(Optional) Redundancy group ID. Valid values are 1 to 2.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
Cisco IOS XE Release 3.1S	This command was introduced.

Usage Guidelines

The show redundancy application if-mgr command shows information of traffic interfaces protected by redundancy groups. When a traffic interface is functioning with the redundancy group, the state is no shut on the active device, and shut on the standby device. On the other hand, it is always shut on the standby device.

Examples

The following is sample output from the show redundancy application if-mgr command:

Router# show redundancy application if-mgr group 2 

RG ID: 2

 Interface       VIP         VMAC        Shut   Decrement

 ==========================================================

 GigabitEthernet0/1/7 10.1.1.3 0007.b422.0016  no shut    50

 GigabitEthernet0/3/1 11.1.1.3 0007.b422.0017  no shut    50 

Table 184 describes the significant fields shown in the display.

Table 184 show redundancy application if-mgr Field Descriptions 

Field	Description
RG ID	Redundancy group ID.
Interface	Interface name.
VIP	Virtual IP address for this traffic interface.
VMAC	Virtual MAC address for this traffic interface.
Shut	The state of this interface. Note It is always "shut" on the standby box.
Decrement	The decrement value for this interface. When this interface goes down, the runtime priority of its redundancy group decreases.

Related Commands

Command	Description
show redundancy application control-interface	Displays control interface information for a redundancy group.
show redundancy application faults	Displays fault-specific information for a redundancy group.
show redundancy application group	Displays redundancy group information.
show redundancy application protocol	Displays protocol-specific information for a redundancy group

show redundancy application protocol

To display protocol-specific information for a redundancy group, use the show redundancy application protocol command in privileged EXEC mode.

show redundancy application protocol {protocol-id | group [group-id]

Syntax Description

protocol-id	Protocol ID. The range is from 1 to 8.
group	Specifies the redundancy group.
group-id	(Optional) Redundancy group ID. Valid values are 1 and 2.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
Cisco IOS XE Release 3.1S	This command was introduced.

Usage Guidelines

The show redundancy application protocol command shows information returned by redundancy group protocol.

Examples

The following is sample output from the show redundancy application protocol command:

Router# show redundancy application protocol 3 

Protocol id: 3, name: 

 BFD: ENABLE

 Hello timer in msecs: 0

 Hold timer in msecs: 0 

Table 185 describes the significant fields shown in the display.

Table 185 show redundancy application protocol Field Descriptions 

Field	Description
Protocol id	Redundancy group protocol ID.
BFD	Indicates whether the BFD protocol is enabled for the redundancy group protocol.
Hello timer in msecs	Redundancy group hello timer, in milliseconds, for the redundancy group protocol. The default is 3000 msecs.
Hold timer in msecs	Redundancy group hold timer, in milliseconds, for the redundancy group protocol. The default is 10000 msecs.

Related Commands

Command	Description
show redundancy application group	Displays redundancy group information.
show redundancy application control-interface	Displays control interface information for a redundancy group.
show redundancy application faults	Displays fault-specific information for a redundancy group.
show redundancy application if-mgr	Displays if-mgr information for a redundancy group.

show redundancy application transport

To display transport-specific information for a redundancy group, use the show redundancy application transport command in privileged EXEC mode.

show redundancy application transport {client | group [group-id]}

Syntax Description

client	Displays transport client-specific information.
group	Displays the redundancy group name.
group-id	(Optional) Redundancy group ID. Valid values are 1 and 2.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
Cisco IOS XE Release 3.1S	This command was introduced.

Usage Guidelines

The show redundancy application transport command shows information for redundancy group transport.

Examples

The following is sample output from the show redundancy application transport group command:

Router# show redundancy application transport group 1

Transport Information for RG (1) 

Related Commands

Command	Description
show redundancy application control-interface	Displays control interface information for a redundancy group.
show redundancy application faults	Displays fault-specific information for a redundancy group.
show redundancy application group	Displays redundancy group information.
show redundancy application if-mgr	Displays if-mgr information for a redundancy group.
show redundancy application protocol	Displays protocol-specific information for a redundancy group.

show redundancy linecard-group

To display the components of a Blade Failure Group, use the show redundancy linecard-group command in privileged EXEC mode.

show redundancy linecard-group group-id

Syntax Description

group-id

Group ID.

Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(18)SXE2	This command was introduced.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.

Examples

The following example shows the components of a Blade Failure Group:

Router# show redundancy linecard-group 1

Line Card Redundancy Group:1 Mode:feature-card

Class:load-sharing

Cards:

Slot:3 Subslot:0

Slot:5 Subslot:0

Related Commands

Command	Description
linecard-group feature card	Assigns a group ID to a Blade Failure Group.

show running-config

To display the contents of the current running configuration file or the configuration for a specific module, Layer 2 VLAN, class map, interface, map class, policy map, or virtual circuit (VC) class, use the show running-config command in privileged EXEC mode.

show running-config [options]

Syntax Description

options	(Optional) Keywords used to customize output. You can enter more than one keyword. •all—Expands the output to include the commands that are configured with default parameters. If the all keyword is not used, the output does not display commands configured with default parameters. •brief—Displays the configuration without certification data and encrypted filter details. The brief keyword can be used with the linenum keyword. •class-map [name] [linenum]—Displays class map information. The linenum keyword can be used with the class-map name option. •control-plane [cef-exception | host | transit]—Displays control-plane information. The cef-exception, host, and transit keywords can be used with the control-plane option. •flow {exporter | monitor | record}—Displays global flow configuration commands. The exporter, monitor, and record keywords can be used with the flow option. •full—Displays the full configuration. •interface type number—Displays interface-specific configuration information. If you use the interface keyword, you must specify the interface type and the interface number (for example, interface ethernet 0). Keywords for common interfaces include async, ethernet, fastEthernet, group-async, loopback, null, serial, and virtual-template. Use the show run interface ? command to determine the interfaces available on your system. •linenum—Displays line numbers in the output. The brief or full keyword can be used with the linenum keyword. The linenum keyword can be used with the class-map, interface, map-class, policy-map, and vc-class keywords. •map-class [atm | dialer | frame-relay] [name] [linenum]—Displays map class information. This option is described separately; see the show running-config map-class command page.
	•partition types—Displays the configuration corresponding to a partition. The types keyword can be used with the partition option. •policy-map [name] [linenum]—Displays policy map information. The linenum keyword can be used with the policy-map name option. •vc-class [name] [linenum]—Displays VC-class information (the display is available only on certain routers such as the Cisco 7500 series routers). The linenum keyword can be used with the vc-class name option.
	•view full—Enables the display of a full running configuration. This is for view-based users who typically can only view the configuration commands that they are entitled to access for that particular view. •vrf name—Displays the Virtual routing and forwarding (VRF)-aware configuration module number. •vlan [vlan-id]—Displays the specific VLAN information ; valid values are from 1 to 4094.

Command Default

The default syntax, show running-config, displays the contents of the running configuration file, except commands configured using the default parameters.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
11.0	This command was introduced.
12.0	This command was replaced by the more system:running-config command.
12.0(1)T	This command was integrated into Cisco IOS Release 12.0(1)T, and the output modifier (|) was added.
12.2(4)T	This command was modified. The linenum keyword was added.
12.3(8)T	This command was modified. The view full option was added.
12.2(14)SX	This command was integrated into Cisco IOS Release 12.2(14)SX. The module number and vlan vlan-id keywords and arguments were added for the Supervisor Engine 720.
12.2(17d)SXB	This command was integrated into Release 12.2(17d)SXB and implemented on the Supervisor Engine 2.
12.2(33)SXH	This command was modified. The all keyword was added.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2. This command was enhanced to display the configuration information for traffic shaping overhead accounting for ATM and was implemented on the Cisco 10000 series router for the PRE3.
12.2(33)SRC	This command was integrated into Cisco IOS Release 12.2(33)SRC.
12.2(33)SB	This command was modified. Support for the Cisco 7300 series router was added.
12.4(24)T	This command was modified in a release earlier than Cisco IOS Release 12.4(24)T. The partition and vrf keywords were added. The module and vlan keywords were removed.
15.0(1)M	This command was modified. The output was modified to include encrypted filter information.
12.2(33)SXI	This command was modified. The output was modified to display Access Control List (ACL) information.

Usage Guidelines

The show running-config command is technically a command alias (substitute or replacement syntax) of the more system:running-config command. Although the use of more commands is recommended (because of their uniform structure across platforms and their expandable syntax), the show running-config command remains enabled to accommodate its widespread use, and to allow typing shortcuts such as show run.

The show running-config interface command is useful when there are multiple interfaces and you want to look at the configuration of a specific interface.

The linenum keyword causes line numbers to be displayed in the output. This option is useful for identifying a particular portion of a very large configuration.

You can enter additional output modifiers in the command syntax by including a pipe character (|) after the optional keyword. For example, show running-config interface serial 2/1 linenum | begin 3. To display the output modifiers that are available for a keyword, enter | ? after the keyword. Depending on the platform you are using, the keywords and the arguments for the options argument may vary.

Prior to Cisco IOS Release 12.2(33)SXH, the show running-config command output omitted configuration commands set with default values. Effective with Cisco IOS Release 12.2(33)SXH, the show running-config all command displays complete configuration information, including the default settings and values. For example, if the Cisco Discovery Protocol (abbreviated as CDP in the output) hold-time value is set to its default of 180:

•The show running-config command does not display this value.

•The show running-config all displays the following output: cdp holdtime 180.

If the Cisco Discovery Protocol holdtime is changed to a nondefault value (for example, 100), the output of the show running-config and show running-config all commands is the same; that is, the configured parameter is displayed.

---

Note In Cisco IOS Release 12.2(33)SXH, the all keyword expands the output to include some of the commands that are configured with default values. In subsequent Cisco IOS releases, additional configuration commands that are configured with default values will be added to the output of the show running-config all command.

---

Effective with Cisco IOS Release 12.2(33)SXI, the show running-config command displays ACL information. To exclude ACL information from the output, use the show running | section exclude ip access | access list command.

Cisco 7600 Series Router

In some cases, you might see a difference in the duplex mode that is displayed between the show interfaces command and the show running-config command. The duplex mode that is displayed in the show interfaces command is the actual duplex mode that the interface is running. The show interfaces command displays the operating mode of an interface, and the show running-config command displays the configured mode of the interface.

The show running-config command output for an interface might display the duplex mode but no configuration for the speed. This output indicates that the interface speed is configured as auto and that the duplex mode that is displayed becomes the operational setting once the speed is configured to something other than auto. With this configuration, it is possible that the operating duplex mode for that interface does not match the duplex mode that is displayed with the show running-config command.

Examples

The following example shows the configuration for serial interface 1. The fields are self-explanatory.

Router# show running-config interface serial 1

Building configuration...

Current configuration:

!

interface Serial1

 no ip address

 no ip directed-broadcast

 no ip route-cache

 no ip mroute-cache

 shutdown

end

The following example shows the configuration for Ethernet interface 0/0. Line numbers are displayed in the output. The fields are self-explanatory.

Router# show running-config interface ethernet 0/0 linenum

Building configuration...

Current configuration : 104 bytes

 1 : !

 2 : interface Ethernet0/0

 3 :  ip address 10.4.2.63 255.255.255.0

 4 :  no ip route-cache

 5 :  no ip mroute-cache

 6 : end 

The following example shows how to set line numbers in the command output and then use the output modifier to start the display at line 10. The fields are self-explanatory.

Router# show running-config linenum | begin 10 

   10 : boot-start-marker

   11 : boot-end-marker

   12 : !

   13 : no logging buffered

   14 : enable password #####

   15 : !

   16 : spe 1/0 1/7

   17 :  firmware location bootflash:mica-modem-pw.172.16.0.0.bin

   18 : !

   19 : !

   20 : resource-pool disable

   21 : !

   22 : no aaa new-model

   23 : ip subnet-zero

   24 : ip domain name cisco.com

   25 : ip name-server 172.16.11.48

   26 : ip name-server 172.16.2.133

   27 : !

   28 : !

   29 : isdn switch-type primary-5ess

   30 : !

   .

   .

   .

   126 : end 

The following example shows how to display the module and status configuration for all modules on a Cisco 7600 series router. The fields are self-explanatory.

Router# show running-config

Building configuration...

Current configuration:

!

version 12.0

service timestamps debug datetime localtime

service timestamps log datetime localtime

no service password-encryption

!

hostname Router

!

boot buffersize 126968

boot system flash slot0:7600r

boot bootldr bootflash:c6msfc-boot-mz.120-6.5T.XE1.0.83.bin

enable password lab

!

clock timezone Pacific -8

clock summer-time Daylight recurring

redundancy

 main-cpu

  auto-sync standard

!                                       

ip subnet-zero

!

ip multicast-routing

ip dvmrp route-limit 20000

ip cef

mls flow ip destination

mls flow ipx destination

cns event-service server

!

spanning-tree portfast bpdu-guard

spanning-tree uplinkfast

spanning-tree vlan 200 forward-time 21

port-channel load-balance sdip

!

!

!

 shutdown

!

!

.

.

.

In the following sample output from the show running-config command, the shape average command indicates that the traffic shaping overhead accounting for ATM is enabled. The BRAS-DSLAM encapsulation type is qinq and the subscriber line encapsulation type is snap-rbe based on the ATM adaptation layer 5 (AAL5) service. The fields are self-explanatory

Router# show running-config

.

.

.

subscriber policy recording rules limit 64

no mpls traffic-eng auto-bw timers frequency 0

call rsvp-sync

!

controller T1 2/0

framing sf

linecode ami

!

controller T1 2/1

framing sf

linecode ami

!

!

policy-map unit-test

class class-default

shape average percent 10 account qinq aal5 snap-rbe 

!

The following is sample output from the show running-config class-map command. The fields in the display are self-explanatory.

Router# show running-config class-map

Building configuration...

Current configuration : 2910 bytes

!

class-map type stack match-all ip_tcp_stack

 match field IP protocol eq 0x6 next TCP

class-map type access-control match-all my

 match field UDP dest-port eq 1111

 match encrypted 

  filter-version 0.1, Dummy Filter 2 

  filter-id      123 

  filter-hash    DE0EB7D3C4AFDD990038174A472E4789 

  algorithm      aes256cbc 

  cipherkey      realm-cisco.sym 

  ciphervalue    #

oeahb4L6JK+XuC0q8k9AqXvBeQWzVfdg8WV67WEXbiWdXGQs6BEXqQeb4Pfow570zM4eDw0gxlp/Er8w

/lXsmolSgYpYuxFMYb1KX/H2iCXvA76VX7w5TElb/+6ekgbfP/d5ms6DEzKa8DlOpl+Q95lP194PsIlU

wCyfVCwLS+T8p3RDLi8dKBgQMcDW4Dha1ObBJTpV4zpwhEdMvJDu5PATtEQhFjhN/UYeyQiPRthjbkJn

LzT8hQFxwYwVW8PCjkyqEwYrr+R+mFG/C7tFRiooaW9MU9PCpFd95FARvlU=#

  exit

class-map type stack match-all ip_udp_stack

 match field IP protocol eq 0x11 next UDP

class-map type access-control match-all psirt1

 match encrypted 

  filter-version 0.0_DummyVersion_20090101_1830 

  filter-id      cisco-sa-20090101-dummy_ddts_001 

  filter-hash    FC50BED10521002B8A170F29AF059C53 

  algorithm      aes256cbc 

  cipherkey      realm-cisco.sym 

  ciphervalue    #

DkGbVq0FPAsVJKguU15lQPDfZyTcHUXWsj8+tD+dCSYW9cjkRU9jyST4vO4u69/L62QlbyQuKdyQmb10

6sAeY5vDsDfDV05k4o5eD+j8cMt78iZT0Qg7uGiBSYBbak3kKn/5w2gDd1vnivyQ7g4Ltd9+XM+GP6XL

27RrXeP5A5iGbzC7KI9t6riZXk0gmR/vFw1a5wck0D/iQHIlFa/yRPoKMSFlqfIlLTe5NM7JArSTKET2

pu7wZammTz4FF6rY#

  exit

 match start TCP payload-start offset 0 size 10 regex "abc.*def"

 match field TCP source-port eq 1234

class-map type access-control match-all psirt2

 match encrypted 

  filter-version 0.0_DummyVersion_20090711_1830 

  filter-id      cisco-sa-20090711-dummy_ddts_002 

  filter-hash    DE0EB7D3C4AFDD990038174A472E4789 

  algorithm      aes256cbc 

  cipherkey      realm-cisco.sym 

Related Commands

Command	Description
bandwidth	Specifies or modifies the bandwidth allocated for a class belonging to a policy map, and enables ATM overhead accounting.
boot config	Specifies the device and filename of the configuration file from which the router configures itself during initialization (startup).
configure terminal	Enters global configuration mode.
copy running-config startup-config	Copies the running configuration to the startup configuration. (Command alias for the copy system:running-config nvram:startup-config command.)
shape	Shapes traffic to the indicated bit rate according to the algorithm specified, and enables ATM overhead accounting.
show interfaces	Displays statistics for all interfaces configured on the router or access server.
show policy-map	Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps, and displays ATM overhead accounting information, if configured.
show startup-config	Displays the contents of NVRAM (if present and valid) or displays the configuration file pointed to by the CONFIG_FILE environment variable. (Command alias for the more:nvram startup-config command.)

show running-config vrf

To display the subset of the running configuration of a router that is linked to a specific Virtual Private Network (VPN) routing and forwarding (VRF) instance or to all VRFs configured on the router, use the show running-config vrf command in user EXEC or privileged EXEC mode.

show running-config vrf [vrf-name]

Syntax Description

vrf-name

(Optional) Name of the VRF configuration that you want to display.

Command Default

If you do not specify a vrf-name argument, the running configurations of all VRFs on the router are displayed.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release	Modification
12.2(28)SB	This command was introduced.
12.2(33)SRB	This command was integrated into Cisco IOS Release 12.2(33)SRB.
12.2(33)SXH	This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.4(20)T	This command was integrated into Cisco IOS Release 12.4(20)T.

Usage Guidelines

Use the show running-config vrf command to display a specific VRF configuration or to display all VRF configurations on the router. To display the configuration of a specific VRF, enter the name of the VRF as an argument to the command.

This command displays the following elements of the VRF configuration:

•The VRF submode configuration

•The routing protocol and static routing configurations associated with the VRF

•The configuration of the interfaces in the VRF, which includes the configuration of any owning controller and physical interface for a subinterface

Examples

The following is sample output from the show running-config vrf command. It includes a base VRF configuration for VRF vpn3 and Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF) configurations associated with VRF vpn3.

Router# show running-config vrf vpn3

Building configuration...

Current configuration : 604 bytes

ip vrf vpn3

 rd 100:3

 route-target export 100:3

 route-target import 100:3

!

!

interface Loopback1

 ip vrf forwarding vpn3

 ip address 10.43.43.43 255.255.255.255

!

interface Ethernet6/0

 ip vrf forwarding vpn3

 ip address 172.17.0.1 255.0.0.0

 no ip redirects

 duplex half

!

router bgp 100

!

address-family ipv4 vrf vpn3

 redistribute connected

 redistribute ospf 101 match external 1 external 2

 no auto-summary

 no synchronization

 exit-address-family

 !

router ospf 101 vrf vpn3

 log-adjacency-changes

 area 1 sham-link 10.43.43.43 10.23.23.23 cost 10

 network 172.17.0.0 0.255.255.255 area 1

!

end

Table 186 describes the significant fields shown in the display.

Table 186 show running-config vrf Field Descriptions 

Field	Description
Current configuration: 604 bytes	Number of bytes (604) in the VRF vpn3 configuration.
ip vrf vpn3	Name of the VRF (vpn3) for which the configuration is displayed.
rd 100:3	Identifies the route distinguisher (100:3) for VRF vpn3.
route-target export 100:3 route-target import 100:3	Specifies the route-target extended community for VRF vpn3. •Routes tagged with route-target export 100:3 are exported from VRF vpn3. •Routes tagged with the route-target import 100:3 are imported into VRF vpn3.
interface Loopback1	Virtual interface associated with VRF vpn3.
ip vrf forwarding vpn3	Associates VRF vpn3 with the named interface.
ip address 10.43.43.43 255.255.255.255	IP address of the loopback interface.
interface Ethernet6/0	Interface associated with VRF vpn3.
ip address 172.17.0.1 255.0.0.0	IP address of the Ethernet interface.
router bgp 100	Sets up a BGP routing process for the router with autonomous system number 100.
address-family ipv4 vrf vpn3	Sets up a routing session for VRF vpn3 using standard IP Version 4 address prefixes.
redistribute connected	Redistributes routes automatically established by IP on an interface into the BGP routing domain.
redistribute ospf 101 match external 1 external 2	Redistribute routes from the OSPF 101 routing domain into the BGP routing domain.
router ospf 101 vrf vpn3	Set up an OSPF routing process and associates VRF vpn3 with OSPF VRF processes.
area 1 sham-link 10.43.43.43 10.23.23.23 cost 10	Configure a sham-link interface on a provider edge (PE) router in a Multiprotocol Label Switching (MPLS) VPN backbone. •1 is the ID number of the OSPF area assigned to the sham-link. •10.43.43.43 is the IP address of the source PE router. •10.23.23.23 is the IP address of the destination PE router. •10 is the OSPF cost to send IP packets over the sham-link interface.
network 172.17.0.0 0.255.255.255 area 1	Defines the interfaces on which OSPF runs and defines the area ID for those interfaces.

Related Commands

Command	Description
ip vrf	Configures a VRF routing table.
show ip interface	Displays the usability status of interfaces configured for IP.
show ip vrf	Displays the set of defined VRFs and associated interfaces.
show running-config interface	Displays the configuration for a specific interface.

show sasl

To display Simple Authentication and Security Layer (SASL) information, use the show sasl command in user EXEC or privileged EXEC mode.

show sasl {all | context | mechanisms | profile {profile-name | all}}

Syntax Description

all	Displays detailed information for all SASL profiles.
context	Displays context information for SASL profiles.
mechanisms	Displays the mechanisms applied for all SASL profiles.
profile profile-name	Displays detailed information for the specified SASL profile.
profile all	Displays all configured profiles.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release	Modification
12.3(1)	This command was introduced.
12.2(33)SRC	This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SRC.
12.2(33)SXI	This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SXI.
Cisco IOS XE Release 2.1	This command was integrated into Cisco IOS XE Release 2.1.

Examples

The following is sample output from the show sasl profile all command:

Router# show sasl profile all

SASL profile 'sgw_sasl' Refs:0 Mechs:0x2

    client:  <NONE>/<NONE>

    servers: ravi/ravi

SASL profile 'sgw_1' Refs:0 Mechs:0x1

    client:  us1/pw1

    servers: server1/user

Table 187 describes the significant fields shown in the display.

Table 187 show sasl profile all Field Descriptions 

Field	Description
SASL profile	Indicates the name of the SASL profile.
Refs	Indicates the number of active sessions.
Mechs	Indicates the profile mechanisms configured.
client	Indicates the SASL client configured for the specified profile.
servers	Indicates the SASL server configured for the specified profile.

Related Commands

Command	Description
sasl	Configures SASL.

show secure bootset

To display the status of Cisco IOS image and configuration resilience, use the show secure command in privileged EXEC mode.

show secure bootset

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.3(8)T	This command was introduced.

Usage Guidelines

Use the show secure bootset command, instead of the Cisco IOS directory listing dir command, to verify the existence of an image archive. This command also displays output that specifies whether the image or configuration archive is ready for an upgrade.

Examples

The following is sample output from the show secure bootset command. The field descriptions are self-explanatory:

Router# show secure bootset

%IOS image and configuration resilience is not active

Router# show secure bootset

IOS resilience router id JMX0704L5GH

IOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun 16 2002

Secure archive slot0:c3745-js2-mz type is image (elf) []

  file size is 25469248 bytes, run size is 25634900 bytes

  Runnable image, entry point 0x80008000, run from ram

IOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun 16 2002

Secure archive slot0:.runcfg-20020616-081702.ar type is config

configuration archive size 1059 bytes

Related Commands

Command	Description
dir	Displays a list of files on a file system.
secure boot-config	Saves a secure copy of the router running configuration in persistent storage.
secure boot-image	Enables Cisco IOS image resilience.

show smm

To display string matching module (SMM) information, use the show smm command in privileged EXEC mode.

show smm {counters | timing | tree [tree-index | details]}

Syntax Description

counters	Displays information about SMM counters.
timing	Displays timing information about the SMM.
tree	Displays the AVL tree containing the string information.
tree-index	(Optional) Specifies the tree index.
details	(Optional) Displays detailed information about the AVL tree.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
15.0(1)	This command was introduced in a release earlier than Cisco IOS Release 15.0(1) on Cisco 3845 series routers.

Examples

The following is sample output from the show smm counters command. Fields in the output are self-explanatory.

Router# show smm counters 

Number of non-matching packets processed   - 0

Number of cache hits                       - 0

Number of cache misses                     - 0

Cache full instances                       - 0

Number of matching packets processed       - 0

Number of matches for Stage0               - 0

Number of matches for Stage1               - 0

Number of matches for Stage2               - 0

Number of matches for Stage3               - 0

Number of signatures in signature database - 0

The following is sample output from the show smm timing command:

Router# show smm timing

Packet processing stats (in microseconds) :

--------------------------------------------

Minimum processing time per packet - 0

Maximum processing time per packet - 0

Average processing time for non-matching packets - 0

Average processing time for matching packets     - 0

Related Commands

Command	Description
action string match	Returns 1 to the $_string_result, if the string matches the pattern when an EEM applet is triggered.

show snmp mib nhrp status

To display status information about the Next Hop Resolution Protocol (NHRP) MIB, use the show snmp mib nhrp status command in privileged EXEC mode.

show snmp mib nhrp status

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(20)T	This command was introduced.

Usage Guidelines

This command is used to display the status of the MIB for NHRP and whether the NHRP MIB is enabled or disabled.

Examples

The following output is from the show snmp mib nhrp status command:

Spoke_103# show snmp mib nhrp status 

NHRP-SNMP Agent Feature: Enabled

NHRP-SNMP Tree State: Good

ListEnqueue Count = 0 Node Malloc Counts = 1

Spoke_103#

Table 1 describes the significant fields shown in the display.

Table 188 show snmp mib nhrp status Field Descriptions 

Field	Description
NHRP-SNMP Agent Feature:	Shows the status of the NHRP MIB. "Enabled" indicates that the NHRP MIB is enabled. If the NHRP MIB was disabled, it would display "Disabled".
ListEnqueue Count	Indicates how many nodes have been queued for freeing.
Node Malloc Counts	Indicates how many nodes are allocated.

Related Commands

Command	Description
show snmp mib	Displays a list of the MIB OIDs registered on the system.

show ssh

To display the status of Secure Shell (SSH) server connections on the router, use the show ssh command in user EXEC or privileged EXEC mode.

show ssh vty [ssh-number]

Syntax Description

vty	Displays virtual terminal line (VTY) connection details.
ssh-number	(Optional) The number of SSH server connections on the router. Range is from 0 to 1510. The default value is 0.

Command Modes

User Exec (>)
Privileged EXEC (#)

Command History

Release	Modification
12.1(15)T	This command was introduced.
12.2(33)SRA	This command was modified. It was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXI	This command was modified. It was integrated into Cisco IOS Release 12.2(33)SXI.
Cisco IOS XE Release  2.1	This command was modified. It was integrated into Cisco IOS XE Release 2.1.

Usage Guidelines

Use the show ssh command to display the status of the SSH connections on your router. This command does not display any SSH configuration data. Use the show ip ssh command for SSH configuration information such as timeouts and retries.

Examples

The following is sample output from the show ssh command with SSH enabled:

Router# show ssh

Connection     Version      Encryption     State                 Username

0               1.5         3DES           Session Started        guest

Table 189 describes the significant fields shown in the display.

Table 189 show ssh Field Descriptions 

Field	Description
Connection	Number of SSH connections on the router.
Version	Version number of the SSH terminal.
Encryption	Type of transport encryption.
State	The status of SSH connection to indicate if the session has started or stopped.
Username	Uesrname to log in to the SSH.

Related Commands

Command	Description
show ip ssh	Displays version and configuration data for SSH.

show ssl-proxy module state

To display the spanning-tree state for the specified VLAN, enter the show ssl-proxy module state command in EXEC mode.

show ssl-proxy module mod state

Syntax Description

mod	Module number.

Defaults

This command has no default settings.

Command Modes

EXEC

Command History

Release	Modification
12.2(18)SXD	Support for this command was introduced on the Supervisor Engine 720.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

This command is supported on Cisco 7600 series routers that are configured with a Secure Sockets Layer (SSL) Services Module only.

Examples

This example shows how to verify that the VLAN information displayed matches the VLAN configuration:

Router# show ssl-proxy module 6 state

SSL-services module 6 data-port:

 Switchport:Enabled

Administrative Mode:trunk

Operational Mode:trunk

Administrative Trunking Encapsulation:dot1q

Operational Trunking Encapsulation:dot1q

Negotiation of Trunking:Off

Access Mode VLAN:1 (default)

Trunking Native Mode VLAN:1 (default)

Trunking VLANs Enabled:100

Pruning VLANs Enabled:2-1001

Vlans allowed on trunk:100

Vlans allowed and active in management domain:100

Vlans in spanning tree forwarding state and not pruned:

100

Allowed-vlan :100 

Router#

Related Commands

Command	Description
ssl-proxy module allowed-vlan	Adds the VLANs allowed over the trunk to the SSL Services Module.

show tacacs

To display statistics for a TACACS+ server, use the show tacacs command in privileged EXEC mode.

show tacacs [private | public]

Syntax Description

private	(Optional) Displays private tacacs+ server statistics.
public	(Optional) Displays public tacacs+ server statistics.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
11.2	This command was introduced.
12.2(33)SRA	This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 2.3	This command was integrated into Cisco IOS XE Release 2.3. The private and public keywords were added.

Examples

The following example is sample output for the show tacacs command:

Router# show tacacs 

Tacacs+ Server            : 172.19.192.80/49

              Socket opens:          3

             Socket closes:          3

             Socket aborts:          0

             Socket errors:          0

           Socket Timeouts:          0

   Failed Connect Attempts:          0

        Total Packets Sent:          7

        Total Packets Recv:          7

          Expected Replies:          0

  No current connection

he following is sample output from the show tacacs command for the private IP address 192.168.0.0:

Router# show tacacs private 192.168.0.0

Tacacs+ Server -  private  :  192.168.0.0

              Socket opens:          0

             Socket closes:          0

             Socket aborts:          0

             Socket errors:          0

           Socket Timeouts:          0

   Failed Connect Attempts:          0

        Total Packets Sent:          0

        Total Packets Recv:          0

The following is sample output from the show tacacs command for the public IP address 209.165.200.224:

Router# show tacacs public 209.165.200.224

Tacacs+ Server -  public  :  209.165.200.224

              Socket opens:          0

             Socket closes:          0

             Socket aborts:          0

             Socket errors:          0

           Socket Timeouts:          0

   Failed Connect Attempts:          0

        Total Packets Sent:          0

        Total Packets Recv:          0

Table 190 describes the significant fields shown in the display.

Table 190 show tacacs Field Descriptions 

Field	Description
Tacacs+ Server	IP address of the TACACS+ server.
Socket opens	Number of successful TCP socket connections to the TACACS+ server.
Socket closes	Number of successfully closed TCP socket attempts.
Socket aborts	Number of premature TCP socket closures to the TACACS+ server; That is, the peer did not wait for a reply from the server after a the peer sent its request.
Socket errors	Any other socket read or write errors, such as incorrect packet format and length.
Failed Connect Attempts	Number of failed TCP socket connections to the TACACS+ server.
Total Packets Sent	Number of packets sent to the TACACS+ server.
Total Packets Recv	Number of packets received from the TACACS+ server.
Tacacs+ Server	IP address of the TACACS+ server.

Related Commands

Command	Description
tacacs-server host	Specifies a TACACS+ host.

show tcp intercept connections

To display TCP incomplete and established connections, use the show tcp intercept connections command in EXEC mode.

show tcp intercept connections

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release	Modification
11.2 F	This command was introduced.
12.2(33)SRA	This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the show tcp intercept connections command to display TCP incomplete and established connections.

Examples

The following is sample output from the show tcp intercept connections command:

Router# show tcp intercept connections 

Incomplete:

Client                Server                State    Create   Timeout  Mode

172.19.160.17:58190   10.1.1.30:23          SYNRCVD  00:00:09 00:00:05 I

172.19.160.17:57934   10.1.1.30:23          SYNRCVD  00:00:09 00:00:05 I

Established:

Client                Server                State    Create   Timeout  Mode

172.16.232.23:1045    10.1.1.30:23          ESTAB    00:00:08 23:59:54 I

Table 191 describes significant fields shown in the display.

Table 191 show tcp intercept connections Field Descriptions 

Field	Description
Incomplete:	Rows of information under "Incomplete" indicate connections that are not yet established.
Client	IP address and port of the client.
Server	IP address and port of the server being protected by TCP intercept.
State	SYNRCVD—establishing with client. SYNSENT—establishing with server. ESTAB—established with both, passing data.
Create	Hours:minutes:seconds since the connection was created.
Timeout	Hours:minutes:seconds until the retransmission timeout.
Mode	I—intercept mode. W—watch mode.
Established:	Rows of information under "Established" indicate connections that are established. The fields are the same as those under "Incomplete" except for the Timeout field described below.
Timeout	Hours:minutes:seconds until the connection will timeout, unless the software sees a FIN exchange, in which case this indicates the hours:minutes:seconds until the FIN or RESET timeout.

Related Commands

Command	Description
ip tcp intercept connection-timeout	Changes how long a TCP connection will be managed by the TCP intercept after no activity.
ip tcp intercept finrst-timeout	Changes how long after receipt of a reset or FIN-exchange the software ceases to manage the connection.
ip tcp intercept list	Enables TCP intercept.
show tcp intercept statistics	Displays TCP intercept statistics.

show tcp intercept statistics

To display TCP intercept statistics, use the show tcp intercept statistics command in EXEC mode.

show tcp intercept statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release	Modification
11.2 F	This command was introduced.
12.2(33)SRA	This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the show tcp intercept statistics command to display TCP intercept statistics.

Examples

The following is sample output from the show tcp intercept statistics command:

Router# show tcp intercept statistics

intercepting new connections using access-list 101

2 incomplete, 1 established connections (total 3)

1 minute connection request rate 2 requests/sec

Related Commands

Command	Description
ip tcp intercept connection-timeout	Changes how long a TCP connection will be managed by the TCP intercept after no activity.
ip tcp intercept finrst-timeout	Changes how long after receipt of a reset or FIN-exchange the software ceases to manage the connection.
ip tcp intercept list	Enables TCP intercept.
show tcp intercept connections	Displays TCP incomplete and established connections.

show tech-support

To display general information about the router when it reports a problem, use the show tech-support command in privileged EXEC mode.

show tech-support [page] [password] [cef | ipc | ipmulticast [vrf vrf-name] | isis | mpls | ospf [process-id | detail] | rsvp | voice | wccp]

Cisco 7600 Series

show tech-support [cef | ipmulticast [vrf vrf-name] | isis | password [page] | platform | page | rsvp]

Syntax Description

page	(Optional) Causes the output to display a page of information at a time.
password	(Optional) Leaves passwords and other security information in the output.
cef	(Optional) Displays show command output specific to Cisco Express Forwarding.
ipc	(Optional) Displays show command output specific to Inter-Process Communication (IPC).
ipmulticast	(Optional) Displays show command output related to the IP Multicast configuration, including Protocol Independent Multicast (PIM) information, Internet Group Management Protocol (IGMP) information, and Distance Vector Multicast Routing Protocol (DVMRP) information.
vrf vrf-name	(Optional) Specifies a multicast Virtual Private Network (VPN) routing and forwarding instance (VRF).
isis	(Optional) Displays show command output specific to Connectionless Network Service (CLNS) and Intermediate System-to-Intermediate System Protocol (IS-IS).
mpls	(Optional) Displays show command output specific to Multiprotocol Label Switching (MPLS) forwarding and applications.
ospf [process-id | detail]	(Optional) Displays show command output specific to Open Shortest Path First Protocol (OSPF) networking.
rsvp	(Optional) Displays show command output specific to Resource Reservation Protocol (RSVP) networking.
voice	(Optional) Displays show command output specific to voice networking.
wccp	(Optional) Displays show command output specific to Web Cache Communication Protocol (WCCP).
platform	(Optional) Displays platform-specific show command output.

Defaults

The output scrolls without page breaks.
Passwords and other security information are removed from the output.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
11.2	This command was introduced.
11.3(7), 11.2(16)	The output for this command was expanded to show additional information for boot, bootflash, context, and traffic for all enabled protocols.
12.0	The output for this command was expanded to show additional information for boot, bootflash, context, and traffic for all enabled protocols. The cef, ipmulticast, isis, mlps, and ospf keywords were added to this command.
12.2(13)T	Support for AppleTalk EIGRP, Apollo Domain, Banyan VINES, Novell Link-State Protocol, and XNS was removed from Cisco IOS software.
12.2(14)SX	Support for this command was added for the Supervisor Engine 720.
12.3(4)T	The output of this command was expanded to include the output from the show inventory command.
12.2(17d)SXB	Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.
12.2(30)S	The show tech-support ipmulticast command was changed as follows: •Support for bidirectional PIM and Multicast VPN (MVPN) was added. CSCeh94431 •The vrf vrf-name option was added. CSCeh94431 The output of the show tech-support ipmulticast command (without the vrf vrf-name keyword and argument) was changed to include the output from these commands: •show ip pim int df •show ip pim mdt •show ip pim mdt bgp •show ip pim rp metric
12.3(16)	This command was integrated into Cisco IOS Release 12.3(16).
12.2(18)SXF	The show tech-support ipmulticast command was changed as follows: •Support for bidirectional PIM and MVPN was added. CSCeh94431 •The vrf vrf-name option was added. CSCeh94431 The output of the show tech-support ipmulticast vrf command was changed to include the output from these commands: CSCeh87476 •show mls ip multicast rp-mapping gm-cache •show mmls gc process •show mmls msc rpdf-cache The output of the show tech-support ipmulticast command (without the vrf vrf-name keyword and argument) was changed to include the output from these commands: •show ip pim int df •show ip pim mdt •show ip pim mdt bgp •show ip pim rp metric Support to interrupt and terminate the show tech-support output was added.
12.4(4)T	This command was integrated into Cisco IOS Release 12.4(4)T.
12.4(7)	This command was integrated into Cisco IOS Release 12.4(7).
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.4(9)T	The output of this command was expanded to include partial show dmvpn details command output.
15.0(1)M	This command was modified. The wccp and voice keywords were added.
12.2(33)SRE	This command was modified. The wccp keyword was added.
Cisco IOS XE Release 2.5	This command was modified. The wccp keyword was added.

Usage Guidelines

To interrupt and terminate the show tech-support output, simultaneously press and release the CTRL, ALT, and 6 keys.

Press the Return key to display the next line of output, or press the Spacebar to display the next page of information. If you do not enter the page keyword, the output scrolls (that is, it does not stop for page breaks).

If you do not enter the password keyword, passwords and other security-sensitive information in the output are replaced with the label "<removed>."

The show tech-support command is useful for collecting a large amount of information about your routing device for troubleshooting purposes. The output of this command can be provided to technical support representatives when reporting a problem.

---

Note This command can generate a very large amount of output. You may want to redirect the output to a file using the show inventory | redirect url command syntax extension. Redirecting the output to a file also makes sending this output to your technical support representative easier. See the command documentation for show <command> | redirect for more information on this option.

---

The show tech-support command displays the output of a number of show commands at once. The output from this command varies depending on your platform and configuration. For example, access servers display voice-related show command output. Additionally, the show protocol traffic commands are displayed for only the protocols enabled on your device. For a sample display of the output of the show tech-support command, see the individual show command listed.

If you enter the show tech-support command without arguments, the output displays, but is not limited to, the equivalent of these show commands:

•show appletalk traffic

•show bootflash

•show bootvar

•show buffers

•show cdp neighbors

•show cef

•show clns traffic

•show context

•show controllers

•show decnet traffic

•show disk0: all

•show dmvpn details

•show environment

•show fabric channel-counters

•show file systems

•show interfaces

•show interfaces switchport

•show interfaces trunk

•show ip interface

•show ip traffic

•show logging

•show mac-address-table

•show module

•show power

•show processes cpu

•show processes memory

•show running-config

•show spanning-tree

•show stacks

•show version

•show vlan

---

Note Crypto information is not duplicated by the show dmvpn details command output.

---

When the show tech-support command is entered on a virtual switch (VS), the output displays the output of the show module command and the show power command for both the active and standby switches.

Use of the optional cef, ipc, ipmulticast, isis, mpls, ospf, or rsvp keywords provides a way to display a number of show commands specific to a particular protocol or process in addition to the show commands listed previously.

For example, if your Technical Assistance Center (TAC) support representative suspects that you may have a problem in your Cisco Express Forwarding (CEF) configuration, you may be asked to provide the output of the show tech-support cef command. The show tech-support [page] [password] cef command will display the output from the following commands in addition to the output for the standard show tech-support command:

•show adjacency summary

•show cef drop

•show cef events

•show cef interface

•show cef not-cef-switched

•show cef timers

•show interfaces stats

•show ip cef events summary

•show ip cef inconsistency records detail

•show ip cef summary

If you enter the ipmulticast keyword, the output displays, but is not limited to, these show commands:

•show ip dvmrp route

•show ip igmp groups

•show ip igmp interface

•show ip mcache

•show ip mroute

•show ip mroute count

•show ip pim interface

•show ip pim interface count

•show ip pim interface df

•show ip pim mdt

•show ip pim mdt bgp

•show ip pim neighbor

•show ip pim rp

•show ip pim rp metric

•show mls ip multicast rp-mapping gm-cache

•show mmls gc process

•show mmls msc rpdf-cache

If you enter the wccp keyword, the output displays, but is not limited to, these show commands:

•show ip wccp service-number

•show ip wccp interfaces cef

Examples

For a sample display of the output from the show tech-support command, refer to the documentation for the show commands listed in the "Usage Guidelines" section.

Related Commands

Command	Description
dir	Displays a list of files on a file system.
show appletalk traffic	Displays statistics about AppleTalk traffic, including MAC IP traffic.
show bootflash	Displays the contents of boot flash memory.
show bootvar	Displays the contents of the BOOT environment variable, the name of the configuration file pointed to by the CONFIG_FILE environment variable, the contents of the BOOTLDR environment variable, and the configuration register setting.
show buffers	Displays statistics for the buffer pools on the network server.
show cdp neighbors	Displays detailed information about neighboring devices discovered using Cisco Discovery Protocol.
show cef	Displays information about packets forwarded by Cisco Express Forwarding.
show clns traffic	Displays a list of the CLNS packets this router has seen.
show <command> | redirect	Redirects the output of any show command to a file.
show context	Displays context data.
show controllers	Displays information that is specific to the hardware.
show controllers tech-support	Displays general information about a VIP card for problem reporting.
show decnet traffic	Displays the DECnet traffic statistics (including datagrams sent, received, and forwarded).
show disk:0	Displays flash or file system information for a disk located in slot 0:
show dmvpn details	Displays detail DMVPN information for each session, including Next Hop Server (NHS) and NHS status, crypto session information, and socket details.
show environment	Displays temperature, voltage, and blower information on the Cisco 7000 series routers, Cisco 7200 series routers, Cisco 7500 series routers, Cisco 7600 series routers, Cisco AS5300 series access servers, and the Gigabit Switch Router.
show fabric channel counters	Displays the fabric channel counters for a module.
show file system	Lists available file systems.
show interfaces	Displays statistics for all interfaces configured on the router or access server.
show interfaces switchport	Displays the administrative and operational status of a switching (nonrouting) port.
show interfaces trunk	Displays the interface-trunk information.
show inventory	Displays the product inventory listing and UDI of all Cisco products installed in the networking device.
show ip interface	Displays the usability status of interfaces configured for IP.
show ip traffic	Displays statistics about IP traffic.
show ip wccp	Displays global statistics related to WCCP.
show logging	Displays the state of syslog and the contents of the standard system logging buffer.
show mac-address table	Displays the MAC address table.
show module	Displays module status and information.
show power	Displays the current power status of system components.
show processes cpu	Displays information about the active processes.
show processes memory	Displays the amount of memory used.
show running-config	Displays the current configuration of your routing device.
show spanning-tree	Displays information about the spanning tree state.
show stacks	Displays the stack usage of processes and interrupt routines.
show version	Displays the configuration of the system hardware, the software version, the names and sources of configuration files, and the boot images.
show vlan	Displays VLAN information.

show tech-support ipsec

To display IP Security (IPsec) information to assist in troubleshooting, use the show tech-support ipsec command in privileged EXEC mode.

show tech-support ipsec [peer ipv4address | vrf vrf-name]

Syntax Description

peer ipv4address	(Optional) Displays information for the specified IPv4 peer.
vrf vrf-name	(Optional) Displays information for the specified Virtual Private Network (VPN) routing and forwarding (VRF) instance.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(20)T	This command was introduced.
Cisco IOS XE Release 2.4	This command was implemented on the Cisco ASR 1000 series routers.

Usage Guidelines

The show tech-support ipsec simplifies the collection of the IPsec related information if you are troubleshooting a problem. There are three variations of the show tech-support ipsec command:

•show tech-support ipsec

•show tech-support ipsec peer ipv4address

•show tech-support ipsec vrf vrf-name

Output of the show tech-support ipsec Command

If you enter the show tech-support ipsec command without any keywords, the command output displays the following show commands, in order of output:

•show version

•show running-config

•show crypto isakmp sa count

•show crypto ipsec sa count

•show crypto session summary

•show crypto session detail

•show crypto isakmp sa detail

•show crypto ipsec sa detail

•show crypto isakmp peers

•show crypto ruleset detail

•show processes memory | include Crypto IKMP

•show processes cpu | include Crypto IKMP

•show crypto eli

•show crypto engine accelerator statistic

Output of the show tech-support ipsec peer Command

If you enter the show tech-support ipsec command with the peer keyword and the ipv4address argument, the output displays the following show commands, in order of output for the specified peer:

•show version

•show running-config

•show crypto session remote ipv4address detail

•show crypto isakmp sa peer ipv4address detail

•show crypto ipsec sa peer ipv4address detail

•show crypto isakmp peers ipv4address

•show crypto ruleset detail

•show processes memory | include Crypto IKMP

•show processes cpu | include Crypto IKMP

•show crypto eli

•show crypto engine accelerator statistic

Output of the show tech-support ipsec vrf Command

If you enter the show tech-support ipsec command with the vrf keyword and the vrf-name argument, the output displays the following show commands, in order of output for the specified VRF:

•show version

•show running-config

•show crypto isakmp sa count vrf vrf-name

•show crypto ipsec sa count vrf vrf-name

•show crypto session ivrf ivrf-name detail

•show crypto session fvrf fvrf-name detail

•show crypto isakmp sa vrf vrf-name detail

•show crypto ipsec sa vrf vrf-name detail

•show crypto ruleset detail

•show processes memory | include Crypto IKMP

•show processes cpu | include Crypto IKMP

•show crypto eli

•show crypto engine accelerator statistic

Examples

For a sample display of the output from the show tech-support ipsec command, see the documentation for the individual show commands listed in the "Usage Guidelines" section.

Related Commands

Command	Description
show tech-support	Displays general information about the router when it reports a problem.

show tunnel endpoints

To display the contents of the tunnel endpoint database that is used for tunnel endpoint address resolution, when running a tunnel in multipoint generic routing encapsulation (mGRE) mode, use the show tunnel endpoints command in privileged EXEC mode.

show tunnel endpoints [tunnel tunnel-number]

Syntax Description

tunnel	(Optional) Specifies the tunnel interface. If a tunnel is specified, only the endpoint database for that tunnel is displayed. If a tunnel is not specified, endpoint databases for all tunnels are displayed.
tunnel-number	(Optional) Tunnel interface number. The range is from 0 to 2147483647.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.0(27)S	This command was introduced.
12.2(18)SXE	This command was integrated into Cisco IOS Release 12.2(18)SXE.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.(33)SRA.
12.4(11)T	This command was integrated into Cisco IOS Release 12.4(11)T.
Cisco IOS XE Release 2.1	This command was implemented on the Cisco ASR 1000 series routers.

Usage Guidelines

The output of show tunnel endpoints command displays the tunnel destination and transport address together with any overlay or virtual private network (VPN) address that resolves to it.

Examples

The following example shows that there are two tunnel endpoints in the database that are associated with tunnel 1 (192.0.2.0 and 192.0.2.1). Through these endpoints, VPN destination 192.0.2.3 is reachable by tunneling to endpoint 192.0.2.0 and VPN destination 192.0.2.2 is reachable by tunneling to endpoint 192.0.2.1.

Router# show tunnel endpoints

Tunnel0 running in multi-GRE/IP mode

 Endpoint transport 20.20.20.20 Refcount 4 Base 0x55BCC5E8 Create Time 00:01:08

   overlay ::FFFF:20.20.20.20 Refcount 2 Parent 0x55BCC5E8 Create Time 00:01:08

   overlay 20.20.20.20 Refcount 2 Parent 0x55BCC5E8 Create Time 00:01:08

Table 192 describes the significant fields shown in the display..

Table 192 show tunnel endpoints Field Descriptions

Field	Description
Transport	Displays the transport address.
Refcount	Number of overlay addresses that are resolving through the destination address.
Base	Displays the base address.
Overlay	Displays the overlay address.
Parent	Reference to the tunnel endpoint.

Related Commands

Command	Description
tunnel mode	Sets the encapsulation mode for the tunnel interface.
tunnel protection	Associates a tunnel interface with an IPSec profile.

show usb controllers

To display USB host controller information, use the show usb controllers command in privileged EXEC mode.

show usb controllers [controller-number]

Syntax Description

controller-number

(Optional) Displays information only for the specified controller.

Defaults

Information about all controllers on the system are displayed.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.3(14)T	This command was introduced.
12.4(11)T	This command was integrated into the Cisco 7200VXR NPE-G2 platform.

Usage Guidelines

Use the show usb controllers command to display content such as controller register specific information, current asynchronous buffer addresses, and period scheduling information. You can also use this command to verify that copy operations are occurring successfully onto a USB flash module.

Examples

The following example is sample output from the show usb controllers command:

Router# show usb controllers

Name:1362HCD

Controller ID:1

Controller Specific Information:

    Revision:0x11

    Control:0x80

    Command Status:0x0

    Hardware Interrupt Status:0x24

    Hardware Interrupt Enable:0x80000040

    Hardware Interrupt Disable:0x80000040

    Frame Interval:0x27782EDF

    Frame Remaining:0x13C1

    Frame Number:0xDA4C

    LSThreshold:0x628

    RhDescriptorA:0x19000202

    RhDescriptorB:0x0

    RhStatus:0x0

    RhPort1Status:0x100103

    RhPort2Status:0x100303

    Hardware Configuration:0x3029

    DMA Configuration:0x0

    Transfer Counter:0x1

    Interrupt:0x9

    Interrupt Enable:0x196

    Chip ID:0x3630

    Buffer Status:0x0

    Direct Address Length:0x80A00

    ATL Buffer Size:0x600

    ATL Buffer Port:0x0

    ATL Block Size:0x100

    ATL PTD Skip Map:0xFFFFFFFF

    ATL PTD Last:0x20

    ATL Current Active PTD:0x0

    ATL Threshold Count:0x1

    ATL Threshold Timeout:0xFF

Int Level:1

Transfer Completion Codes:

         Success              :920              CRC             :0       

         Bit Stuff            :0                Stall           :0       

         No Response          :0                Overrun         :0       

         Underrun             :0                Other           :0       

         Buffer Overrun       :0                Buffer Underrun :0       

Transfer Errors:

         Canceled Transfers   :2                Control Timeout :0       

Transfer Failures:

         Interrupt Transfer   :0                Bulk Transfer   :0       

         Isochronous Transfer :0                Control Transfer:0       

Transfer Successes:

         Interrupt Transfer   :0                Bulk Transfer   :26      

         Isochronous Transfer :0                Control Transfer:894     

USBD Failures:

         Enumeration Failures :0                No Class Driver Found:0       

         Power Budget Exceeded:0       

USB MSCD SCSI Class Driver Counters:

         Good Status Failures :3                Command Fail    :0       

         Good Status Timed out:0                Device not Found:0       

         Device Never Opened  :0                Drive Init Fail :0       

         Illegal App Handle   :0                Bad API Command :0       

         Invalid Unit Number  :0                Invalid Argument:0       

         Application Overflow :0                Device in use   :0       

         Control Pipe Stall   :0                Malloc Error    :0       

         Device Stalled       :0                Bad Command Code:0       

         Device Detached      :0                Unknown Error   :0       

         Invalid Logic Unit Num:0       

USB Aladdin Token Driver Counters:

         Token Inserted       :1                Token Removed   :0       

         Send Insert Msg Fail :0                Response Txns   :434     

         Dev Entry Add Fail   :0                Request Txns    :434     

         Dev Entry Remove Fail:0                Request Txn Fail:0       

         Response Txn Fail    :0                Command Txn Fail:0       

         Txn Invalid Dev Handle:0       

USB Flash File System Counters:

         Flash Disconnected   :0                Flash Connected :1       

         Flash Device Fail    :0                Flash Ok        :1       

         Flash startstop Fail :0                Flash FS Fail   :0       

USB Secure Token File System Counters:

         Token Inserted       :1                Token Detached  :0       

         Token FS success     :1                Token FS Fail   :0       

         Token Max Inserted   :0                Create Talker Failures:0       

         Token Event          :0                Destroy Talker Failures:0       

         Watched Boolean Create Failures:0 

show usb device

To display USB device information, use the show usb device command in privileged EXEC mode.

show usb device [controller-ID [device-address]]

Syntax Description

controller-ID	(Optional) Displays information only for the devices under the specified controller.
device-address	(Optional) Displays information only for the device with the specified address.

Defaults

Information for all devices attached to the system are displayed.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.3(14)T	This command was introduced.
12.4(11)T	This command was integrated into the Cisco 7200VXR NPE-G2 platform.

Usage Guidelines

Use the show usb device command to display information for either a USB flash drive or a USB eToken, as appropriate.

Examples

The following example is sample output from the show usb device command:

Router# show usb device 

Host Controller:1

Address:0x1

Device Configured:YES

Device Supported:YES

Description:DiskOnKey

Manufacturer:M-Sys

Version:2.0

Serial Number:0750D84030316868

Device Handle:0x1000000

USB Version Compliance:2.0

Class Code:0x0

Subclass Code:0x0

Protocol:0x0

Vendor ID:0x8EC

Product ID:0x15

Max. Packet Size of Endpoint Zero:64

Number of Configurations:1

Speed:Full

Selected Configuration:1

Selected Interface:0

Configuration:

    Number:1

    Number of Interfaces:1

    Description:

    Attributes:None

    Max Power:140 mA

    Interface:

        Number:0

        Description:

        Class Code:8

        Subclass:6

        Protocol:80

        Number of Endpoints:2

        Endpoint:

            Number:1

            Transfer Type:BULK

            Transfer Direction:Device to Host

            Max Packet:64

            Interval:0

        Endpoint:

            Number:2

            Transfer Type:BULK

            Transfer Direction:Host to Device

            Max Packet:64

            Interval:0

Host Controller:1

Address:0x11

Device Configured:YES

Device Supported:YES

Description:eToken Pro 4254

Manufacturer:AKS

Version:1.0

Serial Number:

Device Handle:0x1010000

USB Version Compliance:1.0

Class Code:0xFF

Subclass Code:0x0

Protocol:0x0

Vendor ID:0x529

Product ID:0x514

Max. Packet Size of Endpoint Zero:8

Number of Configurations:1

Speed:Low

Selected Configuration:1

Selected Interface:0

Configuration:

    Number:1

    Number of Interfaces:1

    Description:

    Attributes:None

    Max Power:60 mA

    Interface:

        Number:0

        Description:

        Class Code:255

        Subclass:0

        Protocol:0

        Number of Endpoints:0

Table 193 describes the significant fields shown in the display.

Table 193 show usb device Field Descriptions 

Field	Description
Device handle	Internal memory handle allocated to the device.
Device Class code	The class code supported by the device. This number is allocated by the USB-IF. If this field is reset to 0, each interface within a configuration specifies its own class information, and the various interfaces operate independently. If this field is set to a value between 1 and FEH, the device supports different class specifications on different interfaces, and the interfaces may not operate independently. This value identifies the class definition used for the aggregate interfaces. If this field is set to FFH, the device class is vendor-specific.
Device Subclass code	The subclass code supported by the device. This number is allocated by the USB-IF.
Device Protocol	The protocol supported by the device. If this field is set to 0, the device does not use class-specific protocols on a device basis. If this field is set to 0xFF, the device uses a vendor-specific protocol on a device basis.
Interface Class code	The class code supported by the interface. If the value is set to 0xFF, the interface class is vendor specific. All other values are allocated by the USB-IF.
Interface Subclass code	The subclass code supported by the interface. All values are allocated by the USB-IF.
Interface Protocol	The protocol code supported by the interface. If this field is set to 0, the device does not use a class-specific protocol on this interface. If this field is set to 0xFF, the device uses a vendor-specific protocol for this interface.
Max Packet	Maximum data packet size, in bytes.

show usb driver

To display information about registered USB class drivers and vendor-specific drivers, use the show usb driver command in privileged EXEC mode.

show usb driver [index]

Syntax Description

index

(Optional) Displays information only for drivers on the specified index.

Defaults

Information about all drivers is displayed.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.3(14)T	This command was introduced.
12.4(11)T	This command was integrated into the Cisco 7200VXR NPE-G2 platform.

Examples

The following example is sample output for the show usb driver command:

Router# show usb driver 

Index:0

Owner Mask:0x6

Class Code:0x0

Subclass Code:0x0

Protocol:0x0

Interface Class Code:0x8

Interface Subclass Code:0x6

Interface Protocol Code:0x50

Product ID:0x655BD598

Vendor ID:0x64E90000

Attached Devices:

    Controller ID:1, Device Address:1

Index:1

Owner Mask:0x1

Class Code:0x0

Subclass Code:0x0

Protocol:0x0

Interface Class Code:0x0

Interface Subclass Code:0x0

Interface Protocol Code:0x0

Product ID:0x514

Vendor ID:0x529

Attached Devices:

    Controller ID:1, Device Address:17

Index:2

Owner Mask:0x5

Class Code:0x9

Subclass Code:0x6249BD58

Protocol:0x2

Interface Class Code:0x5DC0

Interface Subclass Code:0x5

Interface Protocol Code:0xFFFFFFFF

Product ID:0x2

Vendor ID:0x1

Attached Devices:

    None

Index:3

Owner Mask:0x10

Class Code:0x0

Subclass Code:0x0

Protocol:0x0

Interface Class Code:0x0

Interface Subclass Code:0x0

Interface Protocol Code:0x0

Product ID:0x0

Vendor ID:0x0

Attached Devices:

    None 

Table 194 describes the significant field shown in the display.

Table 194 show usb driver Field Descriptions 

Field	Description
Owner Mask	Indicates the fields that are used in enumeration comparison. The driver can own different devices on the basis of their product or vendor IDs and device or interface class, subclass, and protocol codes.

show usb port

To sisplay USB root hub port information, use the show usb port command in privileged EXEC mode.

show usb port [port-number]

Syntax Description

port-number

(Optional) Displays information only for a specified. If the port-number is not issued, information for all root ports will be displayed.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.3(14)T	This command was introduced.

Examples

The following sample from the show usb port command shows the status of the port 1 on the router:

Router# show usb port

Port Number:0

Status:Enabled

Connection State:Connected

Speed:Full

Power State:ON 

Port Number:1

Status:Enabled

Connection State:Connected

Speed:Low

Power State:ON

show usb tree

To display information about the port state and all attached devices, use the show usb tree command in privileged EXEC mode.

show usb tree

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release	Modification
12.3(14)T	This command was introduced.

Examples

The following example is sample output from the show usb tree command. This output shows that both a USB flash module and a USB eToken are currently enabled.

Router# show usb tree 

[Host Id:1, Host Type:1362HCD, Number of RH-Port:2]

<Root Port0:Power=ON      Current State=Enabled>

  Port0:(DiskOnKey) Addr:0x1 VID:0x08EC PID:0x0015 Configured (0x1000000)

<Root Port1:Power=ON      Current State=Enabled>

  Port1:(eToken Pro 4254) Addr:0x11 VID:0x0529 PID:0x0514 Configured (0x1010000)

show usbtoken

To display information about the USB eToken (such as the eToken ID), use the show usbtoken command in privileged EXEC mode.

show usbtoken[0-9]:[all | filesystem]

Syntax Description

0-9	(Optional) One of the ten available flash drives you can choose from; valid values: 0-9. If you do not specify a number, 0 is used by default
all	(Optional) All configuration files stored on the eToken.
filesystem	(Optional) Name of a configuration file.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.3(14)T	This command was introduced.
12.4(11)T	This command was integrated into the Cisco 7200VXR NPE-G2 platform.

Usage Guidelines

Use the show usbtoken command to verify whether a USB eToken is inserted in the router.

Examples

The following example is sample output from the show usbtoken command:

Router# show usbtoken0 

Token ID           :43353334

Token device name  : token0

Vendor name        : Vendor34 

Product Name       :Etoken Pro 

Serial number      : 22273a334353

Firmware version   :   4.1.3.2

Total memory size  : 32 KB

Free memory size   : 16 KB

FIPS version       :  Yes/No

Token state        :  "Active" | "User locked" | "Admin locked" | "System Error" | 
"Uknown"

ATR (Answer To Reset) :"3B F2 98 0  FF C1 10 31 FE 55 C8 3"

Table 195 describes the significant fields shown in the display.

Table 195 show usbtoken Field Descriptions 

Field	Description
Token ID	Token identifier.
Token device name	A unique name derived by the token driver.
ATR (Answer to Reset)	Information replied by Smart cards when a reset command is issued.

show user-group

To display information about user groups, use the show user-group command in privileged EXEC mode.

show user-group [group-name | count]

Syntax Description

group-name	(Optional) Name of the user-group.
count	(Optional) Displays the total number of user groups, the names of the user groups, and the number of members in each.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(20)T	This command was introduced.

Examples

The following is sample output from the show user-group command when the auth_proxy_ug user group is specified.

Router# show user-group auth_proxy_ug

!

Usergroup: auth_proxy_ug

----------------------------------------------------------------

User Name					Type		Interface			Learn			Age (min)

----------------------------------------------------------------

192.168.101.131					IPv4		Vlan333			Dynamic			0

!

The following is sample output from the show user-group command when the count keyword is used.

Router# show user-group count

!

Total Usergroup: 2

--------------------------

User Group				Members

--------------------------

auth_proxy_ug				1

eng_group_ug				1

!

Table 196 describes the significant fields shown in the displays.

Table 196 show user-group Field Descriptions 

Field	Description
User Name	IP address of the user-group.
Learn	Describes how the mapping of source IP addresses to user groups is learned.

Related Commands

Command	Description
class-map	Creates a class map to be used for matching packets to a specified class.
user-group	Defines the user-group associated with the identity policy.

show users

To display information about the active lines on the router, use the show users command in user EXEC or privileged EXEC mode.

show users [[all] [wide] | slot {slot-number | all} | summary] [lawful-intercept]

Syntax Description

all	(Optional) Specifies that all lines be displayed, regardless of whether anyone is using them.
wide	(Optional) Specifies that the wide format be used.
slot	(Optional) Displays information about remote logins to other processes in the chassis.
slot-number	(Optional) The slot number.
summary	(Optional) Displays a summary of user sessions.
lawful-intercept	(Optional) Displays lawful-intercept users.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release	Modification
10.0	This command was introduced.
12.3(2)T	The summary keyword was introduced.
12.3(7)T	The lawful-intercept keyword was introduced.
12.2(33)SRB	This command was integrated into Cisco IOS Release 12.2(33)SRB.
12.2(33)SXI	This command was modified in a release earlier than Cisco IOS Release 12.2(33)SXI. The slot keyword and slot-number argument were added.
Cisco IOS XE Release 2.1	This command was implemented on the Cisco ASR 1000 Series Aggregation Sevices Routers.

Usage Guidelines

This command displays the line number, connection name, idle time, hosts (including virtual access interfaces), and terminal location. An asterisk (*) indicates the current terminal session.

If the lawful-intercept keyword is issued, the names of all users who have access to a configured lawful intercept view will be displayed. To access the show users lawful-intercept command, you must be an authorized lawful-intercept-view user.

When an idle timeout is configured on a full virtual access interface and a subvirtual access interface, the show users command displays the idle time for both the interfaces. However, if the idle timeout is not configured on both the interfaces, then the show users command will display the idle time for the full virtual access interface only.

Examples

The following is sample output from the show users command:

Router# show users

     	Line          	User	           Host(s)	       Idle Location

     	0 con 0	                      	idle

*    	2 vty 0       	user1          	idle           	0   SERVICE1.CISCO.COM

The following is sample output identifying an active virtual access interface:

Router# show users

Line         User      Host(s)                 Idle    Location

*  0 con 0             idle                    01:58

  10 vty 0             Virtual-Access2          0      1212321

The following is sample output from the show users all command:

Router# show users all

	   Line      	User         	Host(s)     	Idle  Location

*  	0 vty 0	   user1        	idle         0    SERVICE1.CISCO.COM

   	1 vty 1

	   2 con 0

	   3 aux 0

	   4 vty 2

Table 197 describes the significant fields shown in the displays.

Table 197 show users Field Descriptions 

Field	Description
Line	Contains three subfields: •The first subfield (0 in the sample output) is the absolute line number. •The second subfield (vty in the sample output) indicates the type of line. Possible values follow: aux—auxiliary port con—console tty—asynchronous terminal port vty—virtual terminal •The third subfield (0 in the * sample output) indicates the relative line number within the type.
User	User using the line. If no user is listed in this field, no one is using the line.
Host(s)	Host to which the user is connected (outgoing connection). A value of idle means that there is no outgoing connection to a host.
Idle	Interval (in minutes) since the user has entered something.
Location	Either the hard-wired location for the line or, if there is an incoming connection, the host from which the incoming connection came.

The following sample output from the show users lawful intercept command shows three LI-View users on the system—li_admin, li-user1, and li-user2:

Router# show users lawful-intercept 

li_admin     

li-user1     

li-user2     

Router#

Related Commands

Command	Description
line	Identifies a specific line for configuration and starts the line configuration command collection mode.
li-view	Initializes a lawful intercept view.
show line	Displays the parameters of a terminal line.
username	Establishes a username-based authentication system.