This chapter describes the Cisco NX-OS TrustSec show commands.
To display the global Cisco TrustSec configuration, use the show cts command.

show cts

This command has no arguments or keywords.

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: This command does not require a license.

Examples: This example shows how to display the Cisco TrustSec global configuration:

```
switch# show cts
CTS Global Configuration
==============================
CTS support : enabled
CTS device identity : not configured
SGT : 0
CTS caching support : disabled
Number of CTS interfaces in
DOT1X mode : 0
Manual mode : 1
switch#
```

Related Commands:

| Command | Description |
|---|---|
| feature cts | Enables the Cisco TrustSec feature. |
To display the Cisco TrustSec device credentials configuration, use the show cts credentials command.

show cts credentials

This command has no arguments or keywords.

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: This command does not require a license.

Examples: This example shows how to display the Cisco TrustSec credentials configuration:

```
switch# show cts credentials
```

Related Commands:

| Command | Description |
|---|---|
| feature cts | Enables the Cisco TrustSec feature. |
To display the global Cisco TrustSec environment data, use the show cts environment-data command.

show cts environment-data

This command has no arguments or keywords.

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: The Cisco NX-OS device downloads the Cisco TrustSec environment data from the ACS after you have configured the Cisco TrustSec credentials for the device and configured authentication, authorization, and accounting (AAA).

This command does not require a license.

Examples: This example shows how to display the Cisco TrustSec environment data:

```
switch# show cts environment-data
CTS Environment Data
==============================
Current State : CTS_ENV_DNLD_ST_INIT_STATE
Last Status : CTS_ENV_INCOMPLETE
Local Device SGT : 0x0000
Transport Type : CTS_ENV_TRANSPORT_DIRECT
Data loaded from cache : FALSE
Env Data Lifetime :
Last Update Time : Never
Server List :
AID: IP: Port:
switch#
```

Related Commands:

| Command | Description |
|---|---|
| feature cts | Enables the Cisco TrustSec feature. |
To display the Cisco TrustSec information for interfaces, use the show cts interface command.

show cts interface {all | ethernet slot/port | vethernet veth-num}

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: You must enable the Cisco Virtual Machine features on the switch by using the feature-set virtualization command to see the vethernet keyword.

This command does not require a license.

Examples: This example shows how to display the Cisco TrustSec configuration for a specific interface:

```
switch# show cts interface ethernet 1/5
CTS Information for Interface Ethernet1/5:
CTS is enabled, mode: CTS_MODE_MANUAL
IFC state: Unknown
Authentication Status: CTS_AUTHC_INIT
Peer Identity:
Peer is: Unknown in manual mode
802.1X role: CTS_ROLE_UNKNOWN
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_INIT
PEER SGT: 3
Peer SGT assignment: Not Trusted
SAP Status: CTS_SAP_INIT
Configured pairwise ciphers:
Replay protection:
Replay protection mode:
Selected cipher:
Current receive SPI:
Current transmit SPI:
Propagate SGT: Enabled
switch#
```

This example shows how to display the Cisco TrustSec configuration for all interfaces:

```
switch# show cts interface all
```

Related Commands:

| Command | Description |
|---|---|
| feature cts | Enables the Cisco TrustSec feature. |
| feature-set virtualization | Enables the Cisco Virtual Machine features on the switch. |
To display the Cisco TrustSec protected access credentials (PACs) provisioned by EAP-FAST, use the show cts pacs command.

show cts pacs

This command has no arguments or keywords.

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: This command does not require a license.

Examples: This example shows how to display the Cisco TrustSec PACs:

```
switch# show cts pacs
```

Related Commands:

| Command | Description |
|---|---|
| feature cts | Enables the Cisco TrustSec feature. |
To display the global Cisco TrustSec security group access control list (SGACL) configuration, use the show cts role-based access-list command.

show cts role-based access-list [list-name]

Syntax Description:

| Argument | Description |
|---|---|
| list-name | (Optional) SGACL name. |

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: This command does not require a license.

Examples: This example shows how to display the Cisco TrustSec SGACL configuration:

```
switch# show cts role-based access-list
```

Related Commands:

| Command | Description |
|---|---|
| feature cts | Enables the Cisco TrustSec feature. |
To display the configuration status of role-based access control list (RBACL) statistics and list the statistics for all RBACL policies, use the show cts role-based counters command.

show cts role-based counters

This command has no arguments or keywords.

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: To use this command, you must enable the Cisco TrustSec feature using the feature cts command. You must also enable Cisco TrustSec counters using the cts role-based counters enable command.

This command does not require a license.

Examples: This example shows how to display the configuration status of RBACL statistics:

```
switch# show cts role-based counters
RBACL policy counters enabled
Counters last cleared: Never
rbacl:ACS_1101_15
permit icmp log [0]
permit tcp log [0]
deny udp log [0]
switch#
```
To display the Cisco TrustSec security group access control list (SGACL) enable status for VLANs, use the show cts role-based enable command.

show cts role-based enable

This command has no arguments or keywords.

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: This command does not require a license.

Examples: This example shows how to display the Cisco TrustSec SGACL enforcement status:

```
switch# show cts role-based enable
vlan:102
switch#
```

Related Commands:

| Command | Description |
|---|---|
| feature cts | Enables the Cisco TrustSec feature. |
| cts role-based enforcement | Enables role-based access control list (RBACL) enforcement on VLANs. |
To display the global Cisco TrustSec security group access control list (SGACL) policies, use the show cts role-based policy command.

show cts role-based policy

This command has no arguments or keywords.

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: This command does not require a license.

Examples: This example shows how to display the Cisco TrustSec SGACL policies:

```
switch# show cts role-based policy
```

Related Commands:

| Command | Description |
|---|---|
| feature cts | Enables the Cisco TrustSec feature. |
To display the global Cisco TrustSec Security Group Tag (SGT) mapping configuration, use the show cts role-based sgt-map command.

show cts role-based sgt-map

This command has no arguments or keywords.

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: This command does not require a license.

Examples: This example shows how to display the Cisco TrustSec SGT mapping configuration:

```
switch# show cts role-based sgt-map
```

Related Commands:

| Command | Description |
|---|---|
| feature cts | Enables the Cisco TrustSec feature. |
To display the Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP) configuration, use the show cts sxp command.

show cts sxp

This command has no arguments or keywords.

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: This command does not require a license.

Examples: This example shows how to display the Cisco TrustSec SXP configuration:

```
switch# show cts sxp
CTS SXP Configuration:
SXP enabled
SXP retry timeout:60
SXP reconcile timeout:120
switch#
```

Related Commands:

| Command | Description |
|---|---|
| feature cts | Enables the Cisco TrustSec feature. |
To display the Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP) connections information, use the show cts sxp connection command.

show cts sxp connection

This command has no arguments or keywords.

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: This command does not require a license.

Examples: This example shows how to display the Cisco TrustSec SXP connections information:

```
switch# show cts sxp connection
PEER_IP_ADDR VRF PEER_SXP_MODE SELF_SXP_MODE CONNECTION STATE
192.0.2.1 default listener speaker initializing
switch#
```

Related Commands:

| Command | Description |
|---|---|
| cts sxp connection peer | Configures an SXP peer connection. |
| feature cts | Enables the Cisco TrustSec feature. |
To display the Cisco TrustSec configuration in the running configuration, use the show running-config cts command.

show running-config cts

This command has no arguments or keywords.

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: This command does not require a license.

Examples: This example shows how to display the Cisco TrustSec configuration in the running configuration:

```
switch# show running-config cts
!Command: show running-config cts
!Time: Thu Jan 1 05:33:03 2009
version 6.0(0)N1(1)
feature cts
cts role-based counters enable
cts sxp enable
cts sxp connection peer 192.0.2.1 password none mode listener
interface Ethernet1/5
cts manual
policy static sgt 0x3
switch#
```

Related Commands:

| Command | Description |
|---|---|
| copy running-config startup-config | Copies the running configuration information to the startup configuration file. |
| feature cts | Enables the Cisco TrustSec feature. |
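As an added example (not part of the Cisco document), the following Python script parses show running-config cts output of the kind shown above and reports SXP peers configured with password none and interfaces carrying a static SGT under cts manual; the sample text, the second peer line (password default) and the function names are constructed for this example.

```python
import re

# Constructed sample, modelled on the show running-config cts output above;
# the second SXP peer line (password default) is added for contrast.
SAMPLE_RUNNING_CONFIG = """\
feature cts
cts role-based counters enable
cts sxp enable
cts sxp connection peer 192.0.2.1 password none mode listener
cts sxp connection peer 192.0.2.2 password default mode speaker
interface Ethernet1/5
  cts manual
    policy static sgt 0x3
"""

SXP_PEER_RE = re.compile(r"^cts sxp connection peer (\S+) password (\S+) mode (\S+)")
INTERFACE_RE = re.compile(r"^interface (\S+)")
STATIC_SGT_RE = re.compile(r"^policy static sgt (\S+)")


def parse_cts_config(text):
    """Return (peers, manual): peers is a list of (peer_ip, password_keyword, mode);
    manual maps each interface under 'cts manual' to its static SGT (or None)."""
    peers, manual, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()  # sub-mode lines are indented in NX-OS output
        if m := SXP_PEER_RE.match(line):
            peers.append(m.groups())
        elif m := INTERFACE_RE.match(line):
            current = m.group(1)
        elif line == "cts manual" and current:
            manual[current] = None
        elif (m := STATIC_SGT_RE.match(line)) and current in manual:
            manual[current] = m.group(1)
    return peers, manual


def audit(text):
    """Return human-readable findings for a configuration review."""
    peers, manual = parse_cts_config(text)
    findings = [f"SXP peer {ip} (mode {mode}) is configured with password none"
                for ip, pw, mode in peers if pw == "none"]
    findings += [f"{iface}: cts manual with static SGT {sgt}"
                 for iface, sgt in manual.items() if sgt is not None]
    return findings
```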
To display 802.1X configuration information in the running configuration, use the show running-config dot1x command.

show running-config dot1x [all]

Syntax Description:

| Keyword | Description |
|---|---|
| all | (Optional) Displays configured and default information. |

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: You must enable the 802.1X feature by using the feature dot1x command before using this command.

This command does not require a license.

Examples: This example shows how to display the configured 802.1X information in the running configuration:

```
switch# show running-config dot1x
```
To display the Cisco TrustSec configuration information in the startup configuration, use the show startup-config cts command.

show startup-config cts

This command has no arguments or keywords.

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: This command does not require a license.

Examples: This example shows how to display the Cisco TrustSec information in the startup configuration:

```
switch# show startup-config cts
```

Related Commands:

| Command | Description |
|---|---|
| copy running-config startup-config | Copies the running configuration information to the startup configuration file. |
To display 802.1X configuration information in the startup configuration, use the show startup-config dot1x command.

show startup-config dot1x

This command has no arguments or keywords.

Command Default: None

Command Modes: Any command mode

Command History:

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |

Usage Guidelines: You must enable the 802.1X feature by using the feature dot1x command before using this command.

This command does not require a license.

Examples: This example shows how to display the 802.1X information in the startup configuration:

```
switch# show startup-config dot1x
```

Related Commands:

| Command | Description |
|---|---|
| copy running-config startup-config | Copies the running configuration information to the startup configuration file. |