Show Commands

This chapter describes the Cisco NX-OS TrustSec show commands.

show cts

To display the global Cisco TrustSec configuration, use the show cts command.

show cts

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec global configuration:

switch# show cts
CTS Global Configuration
==============================
CTS support : enabled
CTS device identity : not configured
SGT : 0
CTS caching support : disabled
 
Number of CTS interfaces in
DOT1X mode : 0
Manual mode : 1
 
switch#
 

 
Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

 

show cts credentials

To display the Cisco TrustSec device credentials configuration, use the show cts credentials command.

show cts credentials

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec credentials configuration:

switch# show cts credentials
 

 
Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

 

show cts environment-data

To display the global Cisco TrustSec environment data, use the show cts environment-data command.

show cts environment-data

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

The Cisco NX-OS device downloads the Cisco TrustSec environment data from the ACS after you have configured the Cisco TrustSec credentials for the device and configured authentication, authorization, and accounting (AAA).

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec environment data:

switch# show cts environment-data
CTS Environment Data
==============================
Current State : CTS_ENV_DNLD_ST_INIT_STATE
Last Status : CTS_ENV_INCOMPLETE
Local Device SGT : 0x0000
Transport Type : CTS_ENV_TRANSPORT_DIRECT
Data loaded from cache : FALSE
Env Data Lifetime :
Last Update Time : Never
Server List :
AID: IP: Port:
 
switch#
 

 
Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

 

show cts interface

To display the Cisco TrustSec information for interfaces, use the show cts interface command.

show cts interface { all | ethernet slot /[QSFP-module/] port | vethernet veth-num }

 
Syntax Description

all

Displays Cisco TrustSec information for all interfaces.

ethernet slot /[QSFP-module/] port

Displays Cisco TrustSec information for the specific Ethernet interface. The slot number is from 1 to 255. The QSFP-module number is from 1 to 4. The port number is from 1 to 128.

Note The QSFP-module number applies only to the QSFP+ Generic Expansion Module (GEM).

vethernet veth-num

Displays Cisco TrustSec information for the specific virtual Ethernet (vEthe) interface. The virtual Ethernet interface number is from 1 to 1048575.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

6.0(2)N1(2)

Support for the QSFP+ GEM was added.

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

You must enable the Cisco Virtual Machine on the switch by using the feature-set virtualization command to see the vethernet keyword.

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec configuration for a specific interface:

switch# show cts interface ethernet 1/5
CTS Information for Interface Ethernet1/5:
CTS is enabled, mode: CTS_MODE_MANUAL
IFC state: Unknown
Authentication Status: CTS_AUTHC_INIT
Peer Identity:
Peer is: Unknown in manual mode
802.1X role: CTS_ROLE_UNKNOWN
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_INIT
PEER SGT: 3
Peer SGT assignment: Not Trusted
SAP Status: CTS_SAP_INIT
Configured pairwise ciphers:
Replay protection:
Replay protection mode:
Selected cipher:
Current receive SPI:
Current transmit SPI:
Propagate SGT: Enabled
 
switch#
 

This example shows how to display the Cisco TrustSec configuration for all interfaces:

switch# show cts interface all
 

 
Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

feature-set virtualization

Enables the Cisco Virtual Machine features on the switch.

 

show cts pacs

To display the Cisco TrustSec protect access credentials (PACs) provisioned by EAP-FAST, use the show cts pacs command.

show cts pacs

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec global configuration:

switch# show cts pacs
 

 
Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

 

show cts role-based access-list

To display the global Cisco TrustSec security group access control list (SGACL) configuration, use the show cts role-based access-list command.

show cts role-based access-list [ list-name ]

 
Syntax Description

list-name

(Optional) SGACL name.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec SGACL configuration:

switch# show cts role-based access-list
 

 
Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

 

show cts role-based counters

To display the configuration status of role-based access control list (RBACL) statistics and list the statistics for all RBACL policies, use the show cts role-based counters command.

show cts role-based counters

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command. You must also enable Cisco TrustSec counters using the cts role-based counters enable command.

This command does not require a license.

Examples

This example shows how to display the configuration status of RBACL statistics:

switch# show cts role-based counters
 
RBACL policy counters enabled
Counters last cleared: Never
rbacl:ACS_1101_15
permit icmp log [0]
permit tcp log [0]
deny udp log [0]
 
switch#
 

 
Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature on the switch.

clear cts role-based counters

Clears the RBACL statistics so that all counters are reset to 0.

cts role-based counters enable

Enables the RBACL statistics.

 

show cts role-based enable

To display the Cisco TrustSec security group access control list (SGACL) enable status for VLANs, use the show cts role-based enable command.

show cts role-based enable

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec SGACL enforcement status:

switch# show cts role-based enable
vlan:102
switch#
 

 
Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

cts role-based enforcement

Enables role-based access control list (RBACL) enforcement on VLANs.

 

show cts role-based policy

To display the global Cisco TrustSec security group access control list (SGACL) policies, use the show cts role-based policy command.

show cts role-based policy

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec SGACL policies:

switch# show cts role-based policy
 

 
Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

 

show cts role-based sgt-map

To display the global Cisco TrustSec Security Group Tag (SGT) mapping configuration, use the show cts role-based sgt-map command.

show cts role-based sgt-map

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec SGT mapping configuration:

switch# show cts role-based sgt-map
 

 
Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

 

show cts sxp

To display the Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP) configuration, use the show cts sxp command.

show cts sxp

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec SXP configuration:

switch# show cts sxp
CTS SXP Configuration:
SXP enabled
SXP retry timeout:60
SXP reconcile timeout:120
switch#
 

 
Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

 

show cts sxp connection

To display the Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP) connections information, use the show cts sxp connection command.

show cts sxp connection

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP) connections information:

switch# show cts sxp connection
PEER_IP_ADDR VRF PEER_SXP_MODE SELF_SXP_MODE CONNECTION STATE
192.0.2.1 default listener speaker initializing
switch#
 

 
Related Commands

Command
Description

cts sxp connection peer

Configures a SXP peer connection.

feature cts

Enables the Cisco TrustSec feature.

 

show running-config cts

To display the Cisco TrustSec configuration in the running configuration, use the show running-config cts command.

show running-config cts

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec configuration in the running configuration:

switch# show running-config cts
 
!Command: show running-config cts
!Time: Thu Jan 1 05:33:03 2009
 
version 6.0(0)N1(1)
feature cts
cts role-based counters enable
cts sxp enable
cts sxp connection peer 192.0.2.1 password none mode listener
 
 
interface Ethernet1/5
cts manual
policy static sgt 0x3
 
switch#

 
Related Commands

Command
Description

copy running-config startup-config

Copies the running configuration information to the startup configuration file.

feature cts

Enables the Cisco TrustSec feature.

 

show running-config dot1x

To display 802.1X configuration information in the running configuration, use the show running-config dot1x command.

show running-config dotx1 [ all ]

 
Syntax Description

all

(Optional) Displays configured and default information.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

You must enable the 802.1X feature by using the feature dot1x command before using this command.

This command does not require a license.

Examples

This example shows how to display the configured 802.1X information in the running configuration:

switch# show running-config dot1x
 

 
Related Commands

Command
Description

copy running-config startup-config

Copies the running system configuration information to the startup configuration file.

feature cts

Enables the Cisco TrustSec feature on the switch.

feature dot1x

Enables the 802.1X feature on the switch.

 

show startup-config cts

To display the Cisco TrustSec configuration information in the startup configuration, use the show startup-config cts command.

show startup-config cts

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec information in the startup configuration:

switch# show startup-config cts
 

 
Related Commands

Command
Description

copy running-config startup-config

Copies the running configuration information to the startup configuration file.

 

show startup-config dot1x

To display 802.1X configuration information in the startup configuration, use the show startup-config dot1x command.

show startup-config dot1x

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

None

 
Command Modes

Any command mode

 
Command History

Release
Modification

5.2(1)N1(1)5.2(1)N1(1)

This command was introduced.

 
Usage Guidelines

You must enable the 802.1X feature by using the feature dot1x command before using this command.

This command does not require a license.

Examples

This example shows how to display the 802.1X information in the startup configuration:

switch# show startup-config dot1x
 

 
Related Commands

Command
Description

copy running-config startup-config

Copies the running configuration information to the startup configuration file.